Speaker Archive: 2020

This is an archive of weekly meeting talks from 2020. See the speaker archives for the talks from the current year, and links to archives from other years.

Date Speaker Links from talk Summary
2020-01-09 Cecylia

Related links:

How do we measure network level censorship?

1) Usage Metrics (Tor metrics, jumps in usage)
2) Crowd Sourcing (OONI)
3) External Measurements (IC Lab probes)

  • External probing (Augur)
  • Global Data (IODA)

2020-01-09 Ashokan

Related Links/Papers:

In the FBI vs Apple case, based on the technical and implementation details of the iPhone, were Apple's reasons for refusing to unlock the phone justified?
2020-01-16 Douglas

Related Links:

CurveBall a.k.a. Whose Curve is it Anyway? a.k.a. CVE 2020-0601

Full notes (Markdown)
2020-01-16 Francesco

Related Papers:

An overview of thesis work done to date on Sensor-based Gait biometrics
2020-01-23 Simon

Related Papers:

Differential Privacy (a rant)

- it doesn't work for all problems, yet it is applied to (or attempted for) many questionably:

Machine Learning (with epsilon up to 329,000!)

2020-01-23 David

Related Papers:

Overview of eSIDH: the revenge of the SIDH


- Reinventing Rectilinear Steiner Arborescence (the other RSA), using SIDH

- Making SIDH faster using parallelization with more primes

2020-01-30 Akshaya

Related Papers:

Voice controlled Devices attacks & Defences


  • Attack Commands that are decipherable by machines but not humans
  • Stealth--don't want to alert nearby humans that device is triggered


  • Diff Impl SR
  • On the cloud (can't reverse engineer)

Attack Utility:

  • Drive by downloads
  • Pay by service
  • Enumerate Devices in vicinity
  • DoS



  • Beep/buzz
  • Filter
2020-01-30 Mika

Related Papers:

Common attacks on machine learning models and defences including but not limited to:


  • Membership Inference Attack
  • Model Inversion Attack
  • Evasion Attack
  • Poisoning Attacks
  • Model Extraction


  • Adversarial Training
  • Pruning of NN
2020-02-06 Matthew

Related Papers:

Review 50 Ways to Leak Your Data, a Paper by former CrySP student Joel Reardon
  • The authors did a an extensive study of android apps using static and dynamic analysis
  • Identified several new attacks and vulnerabilities related to data leakage
2020-02-06 Urs

Related Papers:

Review of Benchmarking Flaws in System Security

  • Looks at proper benchmarking and performance benchmarking for security papers


  • common pitfalls
  • survey of defence papers
  • best practices


  • completeness
  • relevance
  • soundness
  • reproducability

A. Selective Benchmarking

  1. not evaluating potential performance degradation: Progressive/conservative criterion
  2. benchmarking subsetting without proper justification
  3. selective data sets that hide deficiencies

B. Improper Handling of Benchmark Results

  1. microbenchmarks represeting overall performance
  2. throughput degraded by x%, overhead is x%
  3. bad math (ex 10% overhead, 20% overhead, slowdown from 5s to 20s)
  4. no indication of data significance
  5. incorrect averaging benchmarking scores

C. Using the Wrong Benchmarks

  1. benchmarking of simplified system
  2. inappropriate/misleading machine
  3. same dataset for calibration (training) and validation (testing)

D. Improper Comparison of Benchmarks

  1. no proper baseline
  2. only evaluate against yourself
  3. unfair benchmarking competitors

E. Benchmarking Omissions

  1. not all contributions evaluated
  2. only measure running time (overhead)
  3. no false positives/negatives
  4. elements of solution not tested incrementally
F. Missing information
2020-02-13 Sergey    
2020-02-13 IanM    
2020-02-20 Justin

Related Papers etc.

Signal Private Group System

- not a private messaging system, instead: How do you organize the metadata such that the servers never have access to it?


- Signal doesn't have a conception of "groups" per se, instead message is 'coincidentally' sent to individual users (that are part of the group) at the same time.

- Race conditions and noticeable strange behaviour

Problems with possible Solutions?

- Plaintext single source of truth allows server to have access to sensitive data. Not an option

- Metadata, timing information, etc is difficult to hide

2020-02-20 Stan

Related Papers:

How do experts vs non-experts protect themselves online? With the goal of understanding how best to improve security practices among users.

From a 2013 study. . .

Top 3 Practices for Experts:

- Update their systems
- Use 2FA
- Use password Manager

Top 3 Practices for Non-Experts:

- Use Anti-virus software
- Change passwords
- Visit only known websites

From a 2019 study. . .

Top 3(+) Practices for Experts:

- Update their systems
- Use 2FA
- Use password Manager
- Use script blocker

Top 3 Practices for Non-Experts:

- Use Anti-virus software
- Use strong passwords
- "Don't share private info"

Recommendations: Password security, 2FA, links/attachments in emails, application updates

2020-03-05 Lindsey

Related Papers:

Highlights from the relevant paper which was published in the Journal of Marketing Science and outlines how firms can use conversational agents to "nudge" individuals to disclose their private data through conversation when they would otherwise prefer to keep their private data concealed.

From this paper:

"We are now entering an era of hyper-privacy, where over the next 10-15 years, aspects of the dark web will be increasingly adopted to the overall web and this will have dire consequences for the modern marketing machinery that relies on rich, abundant and timely consumer data, resulting in a hyper-private, more adversarial environment" (for firms)

It is pinned to the wall of shame ("Know your enemies") in the CrySP lab

2020-03-05 Nils

Related Papers:

An overview of the project the speaker is working on:

Exploiting Latent Similarity for Membership Inference on Generative Neural Networks

2020-03-12 Florian

Related Papers:

The presentation reviewed a recent paper for NDSS that, though it seems to have serious flaws, has an interesting premise that builds upon work by IanG and Ryan Henry.
2020-03-12 Chelsea

Related Papers:

Presentation on FROST: Flesible Round Optimized Schnorr Threshold Signatures, upcoming work by the speaker and IanG.

- KeyGen - Pederson DKG
- Signing - no DKG
- Additive Secret Sharing

Important Concepts from the Presentation
Check that the person who computed the signature has knowledge of the private key without revealing what the private key is.
Distributed Key Generation (DKG): Allows n parties to jointly compute public key and secret key shares without anyone actually knowing the secret key.

2020-03-19 Ted

Related Papers:

Theme: Gaps that appear between proofs in papers and how they're actually implemented
Oracle cloning: instantiating many different oracles from a single oracle (more like propagation)
There are bad ways to do this. ex. H1=H2=H3=SHA = BAD. This can result in a total breakage of the scheme.
Common ways to do Oracle cloning badly:
Big Quake (Code-based)
DAGS (Code-based)
Round 2 (Lattice Based)
2020-03-19 Matt

Related Papers:

The paper presents Self-Authenticating Traditional Domain Names.
Traditional domain names: names that exist in the DNS (such as wikipedia.org)
Self-Authenticating name: names that provide a mechanism for authenticating the destination such as public keys (or something derived from a public key). Tor Onion Services are a typical example.

Version 3 onion services embed an entire ed25519 public key directly in the name. This allows a client to validate information about the server (such as how one may connect to it) because the information can be cryptographically signed by the corresponding private key.
Most people who use computers are comfortable using traditional domain names. By associating a traditional domain name with a self-authenticating name, a user can verify they are connecting to the correct destination, gaining the benefits of both systems. This is important because the internet, today, is not a secure system and DNS hijacking, DNS cache poisoning, and BGP hijacking are ways in which malicious parties censor connections and reroute connections to different destination servers. This is extremely problematic with Let's Encrypt, because if an attack on these protocols is executed at the right time, a malicious party can convince the Let's Encrypt CA that the malicious party controls a domain when, really, the connection was transparently rerouted and they only controlled it for a short amount of time.
Self-authenticating traditional domains provide a way for a destination website to give the client a cryptographically signed message that proves the connection was established with the correct/expected destination server and the client can verify the signature with the embedded public key
this also gives a client a way of noticing when their connection was hijacked if the server is not able to provide such a signed message.

2020-03-26 IanG Related Papers:
An overview of Borrowmean Ring Signatures based on the linked relevant paper
From the paper:
"the concept of Borromean ring signatures can be described as a straightforward generalisation. Where ordinary ring signatures take a set of verification keys {v_i }^n, i =1 and describe a signature signed with s_1 OR s_2 OR � � � OR s_n , where s_i is the secret key corresponding to v_i , Borromean ring signatures can describe signatures signed with arbitrary functions of the signing keys."
2020-04-02 Miti    
2020-04-02 Sajin Related Papers: Overview of the Differential Privacy Has Disparate Impact on Model Accuracy paper.
From the paper: "Differential Privacy (DP) amplifies a model's "bias" towards the most popular elements of the distribution being learned. That is to say, if the original model is "unfair" in the sense that its accuracy is not the same across all subgroups, differential privacy exacerbates this unfairness."
2020-04-09 Andre   MaFIA: Mapping the Filesystems in Android
Presentation of a class project for CS858 W20 on Mobile platform security. MaFIA circumvents the challenges faced by current code analysis techniques (static and dynamic) establishing a framework that enables tracking all requests made to the framework layer down to the resource level and in abscence of tainted data. MaFIA works by:
1. Make the IDs available to the kernel
2. Propagates the IDs through the framework messages
3. Propagates the IDs through IPC (Binder calls)
2020-04-09 Ezz Related Papers:
Overview of ATMoS: Autonomous Threat Mitigation in SDN Using Reinforcement Learning which was accepted as a technical session at NOMS 2020 :
ATMoS is a general framework designed to facilitate the rapid design of Reinforcement Learning applications for network security management using SDN.
2020-04-16 Nik   Safehouse : a secure group chat protocol to support groups of people who want to be able to communicate with:
- e2e encryption
- insider security
- non-interactivity
- anonymity preservation
-dynamic membership
In Safehouse the server verifies the state whereas in MLS, the server is blind.
- Coordinated state locking
- Simultaneous messaging
- Reliable/unreliable messaging
- Join queuing
Difficult stuff:
- Verifiable key encapsulation (BRAKE) (Exhaused keys, Proof batching/zk-SNARKs)
- Deniabilitiy
- Identity proofs with anonymity preservation + deniability
- Mass joins
- Post-compromise security and forward secrecy
- Encryption to invitation keys
- Research: comparing key graph performance
- Software engineering: transcript consistency, storage strategies, group video chats, high-performance crypto, etc.
2020-04-23 Jiayi Related Papers:

Device Sharing Awareness: How can we enable device sharing awareness of smartphones and user applications

Security Solutions for Sharing
- Guest account
- Access from lock screen
- Screen pinning

Presentation of a DSA framework that consists of a foreground service and a client library. The foreground service is responsible for detecting sharing events and providing a global sharing mode. The client enables user applications to have an implicit authentication module and communicate with the service. In the talk, we showcased a DSA-IA enabled gallery app to explain how our framework works.

2020-05-12 Navid

Related Papers:

Overview of Convergent Dispersal: Toward Storage-Efficient Security in a Cloud-of-Clouds

2020-05-12 Bailey  

Interactive lecturing for CS

How do we do active learning in CS?

ex) Jupyter Notebooks, lightweight teams, think-pair-share, clickers/polling

Many students have experienced classes where active learning was used, but this is far from the norm.

Why not?

Institutional Support

Convincing Faculty

  1. time & effort
  2. training/mentoring
  3. fit with practices
  4. time to cover content
  5. student perceptions
  6. awareness of techniques (easy to fix!)

Example: Jupyter NotebooksAdvantages vs. Disadvantages

  • interleave lecture notes/activities/examples vs. time
  • student freedom vs. requires computer
  • flipped classrooms (ex. 458 blog task)

2020-05-19 Thomas Related Papers:
An overview of: Boosting the Accurarcy of Differentially Private Histograms Through Consistency
2020-05-26 Jalaj

Related Papers

Differential Privacy under sliding window

Situations exist where analyzing data between two periods of time from a stream of data are preferable. This work shows that you can efficiently (time as well as space wise) perform matrix analysis in the privacy with expiration model.

2020-05-26 Yousra Related Papers: To be added later

Smart TVs Vulnerability Discovery via Log-Guided Fuzzing

- Smart TVs are probably spying on you right now!
- Unfortunately there are not a lot of avenues to analyze them for vulnerabilities
- Android Logs can provide a lot of information about what's going on but extraction is not straightforward
- Deep learning is shown to be an effective tool for log fuzzing in order to detect smart tv vulnerabilities

2020-06-02 Simeon Related Papers:
Side-channel Attack Analysis: A Sample of Approaches
A review of the side-channel attacks presented in the relevant papers linked.
Key Takeaways
Formal model and automated analysis
-Broadly applicable, few assumptions
- Simple model, easy to implement algorithm
Future Directions
- Better approach than exhaustive search?
- Experiments on less trivial types of leakage
Guarding against timing attacks through discretization
- very simple approach
Future Directions
- applicability to decryption depends on how it compares to simply using a smaller key size (security/performance-wise)
2020-06-02 Rasoul Related papers:
Homomorphic Encryption (A short history)
2020-06-09 Cecylia Related papers:

Evading Firewalls By Exploiting State

How do Censors work?
- Deep packet Inspection: search for patterns in application-layer data, are known to be used by censors to detect circumvention systems and HTTP plaintext keywords, can identify and block access to TLS just by looking at the traffic
- TLS Fingerprinting: Censors can examine plaintext messages in the TLS handshake
Client Hello - use one of the ciphersuites, use the ECC params
Every application (+version) has a unique fingerprint which can lead to wholesale blocking of circumvention application systems with minimal collateral damage. Mimicry is an option, but it's very hard to account for slight variations that will identify your system
- Reconstructing TCP Streams
- The Eavesdropper's Dilema: the eavesdropper wants high fidelity understanding which can both: detect evasion and avoid confusion
Perfect sensitivity is impossible and/or expensive:
The censor may not be able to account for weirdness related to: diverse TCP implementations, presence of other middle boxes, unknown network topology

Evasion is possible if the endpoints are more sensitive than the middlebox
TCB Decynchronization Attacks (2013)
- TCB creation attack no longer worked
- TCB teardown mostly worked
Automatically Detecting Evasion Techniques
SymTCP: uses symbolic execution to explore code paths that lead to TCP state changes at endpoints through:
1. manually annotate accept + drop points
2. "offline phase": determine endpoint constraints
3. "online phase": generate packet sequences to test against middle boxes
Geneva: uses a genetic algorithm to duplicate and/or manipulate TCP packets
triggers -> actions
(eg. SYN, RST, ACK) (eg. duplicate, fragment, tamper)
- trained on simulated censors
Discussion: Is it worth the effort to engage in the cat-and-mouse game?
- It is expensive and time consuming for censors to fix every attack
- Can be deployed server-side
- Doesn't defend against endpoint blocking

2020-06-16 Marios

Related links:

  • https://bitonproject.org/

An introduction to Biton

(from the website) a peer-to-peer network built around swarms � groups of peers that store encrypted files and relay requests through one another. biton swarms interconnect in a global network that provides plausible deniability, meaning that adversaries cannot be sure about who originally made a request. In this way, biton can be used for evading information controls and for building community networks around local data and services.

Including a live demo with: https://biton.herokuapp.com/entangled#

2020-06-16 John

Related papers:

Cheaper Private Set Intersection via Differentially Private Leakage paper overview
Allowing differentially private leakage can significantly improve the performance of PSI protocols

Rindal and Rosulek protocol works by first having the parties hash their items into bins. (Fastest malicious-secure PSI protocol prior to this paper)

2020-06-23 Ahmed

Related Papers:

Touch Screens

- residual greasy smudges, fingerprints, termal information from touching the screen
- Allows for a thermal attack
- position of CPU in a mobile phone causes a concentration of heat near the top of a mobile phone radiating out towards the bottom
- when the screen temperature is close to body temperature or above, thermal attacks are ineffectual

2020-06-23 Hans

Related Papers:

  1. Hoare (1969) �An axiomatic basis for computer programming�
  2. Klein et al. (2009) seL4: Formal verification of an OS kernel
  3. Reynolds (2002) Separation logic: a logic for shared mutable data structures
  4. King (1976) Symbolic execution and program testing
  5. Cadar et al. (2008) �KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs�
  6. Yun et al. (2018) �QSYM: A practical concolic execution engine tailored for hybrid fuzzing�
  7. Poeplau and Francillon (2019) �Systematic comparison of symbolic execution systems: intermediate representation and its generation�
  8. Dullien (2018) �Weird machines, exploitability, and provable unexploitability�
  9. Vahldiek-Oberwagner et al. (2019) ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
  10. Necula et al. (2002) �CCured: type-safe retrofitting of legacy code�

Memory Safety and Stuff

The seemingly best way of ensuring memory safety is formal verification [1] and latter extensions such as separation logic [3]. The seL4 microkernel being a notable example of a formally verified low-level systems software [2]. However, due to complexity and deployment constraints, it is impractical, if not impossible, for many projects Instead, memory safety is often augmented using various �hardening� techniques that often amount to ad-hoc changes on program structure based on observed attacks. Such approaches are often incomplete and only address specific security properties (e.g., W⊕X policies that prevent code-injection but do not prevent data-only attacks). Because such incomplete defenses do not prove the absence of errors, it is not clear what a specific set of defenses means in terms of exploitability of a program. For instance, W⊕X policies are clearly powerful and prevent a whole class of errors, but they still allow Turing complete exploitation. This brings up three questions: 1) How can we evaluate and compare different hardening schemes? 2) How can we evaluate the exploitability of a (partially) hardened program, and 3) Can we use the defense schemes themselves to aid analysis or even verification efforts?

One interesting intersection of �practicality� and verification is symbolic execution [4]. Instead of trying to reason about the program as a whole, symbolic execution tracks the sate during execution and results in symbolic expression derived from the inputs and the input constraints that lead to the executed path through the program (e.g., accumulated branch conditions). By capturing all possible paths, symbolic execution could, in principle, serve as a verification. However, an exhaustive search might not be possible. A practical utilization of symbolic execution is fuzzing, where the patch-specific input constraints can be used to generate new inputs for the fuzzer. (Symbolic execution can be implemented, for instance, by interpreting IR [5], instrumenting binaries [6], or instrumenting the IR during compilation [7]).

Fuzzing and static analyses can be compared against known vulnerabilities in reproducible and scalable way. Despite the practice of showing efficacy against specific CVEs, this approach does not scale for hardening defenses, where PoC exploits can fail due to trivial defenses or even arbitrary differences in compiler internals. For specific defenses other metrics can be used, e.g., quantifying ROP gadgets, but this can be problematic unless the usefulness of the gadgets is taken into account (which newer approaches try to do). The concept of weird machines [8] offers an interesting theoretical view on exploitation, but whether it can be used for evaluation purposes is an open question.

The combination of defense mechanisms with analyses or verification is not novel. Fault-isolation (such as in-process isolation [9]) is a common technique that can guarantee correctness of verified code within a larger non-verified program. CCured is an example of combining static analysis with run-time checks for type safety in C [10]. Other defenses, such as pointer integrity could potentially allow more powerful points-to analyses and verification of some properties that otherwise would depend on full memory safety. Nonetheless, verification of specific properties does not (necessarily) address the question of exploitability nor does it (necessarily) provide a means to compare different security mechanisms, in particular when those defenses are incomplete or enforce slightly different properties.

2020-06-30 David   ANTS XIV invited talk (practice talk)
Isogeny based cryptography: past, present and future
2020-07-07 Douglas Related Links :
Post-quantum TLS without handshake signatures

Post-Quantum TLS without Handshake Signatures

Implicitly authenticated KEX is not new, both in theory (DH-based: SKEME, MQC and KEM-based: BCGP09, FXXY12) and in practice (RSA key transport in TLS<=1.2, Signal, Noise, Wireguard, OPTLS)
"KEMTLS" handshake:
- KEM for ephemeral key exchange
- KEM for server-to-client authenticated key exchange
- Combine shared secrets
Algorithm Choices
- KEM for ephemeral key exchange (IND-CCA or IND-CPA, want small public key + ciphertext)
- KEM for authenticated key exchange (IND-CCA, want small public key + ciphertext)
- Signature scheme for intermediate CA (Want small public key + signature)
- Signature scheme for root CA (want small signature)
4 scenarios
1. Minimize size when intermediate certificate transmitted
2. Minimize size when intermediate certificate not transmitted (cached)
3. Use solely NTRU assumptions
4. Use solely module LWE/SIS assumptions
Security Subtleties
Implicit authentication:
-Clients first application flow can't be read by anyone other than intended server, but client doesn't know server is live at the time of sending
- Also provides a form of deniable authentication since no signatures are used
Downgrade resilience:
- Choice of cryptographic algorithms not authenticated at the time the client sends its first application flow (MITM can't trick client into using undesirable algorithm)
Certificate Lifecycle Management for KEM public keys
Proof of possession: How does requester prove possession of corresponding secret keys?
- not really addressed in practice, since RSA and DL/ECDL keys can be used for both signing and encryption/KEX
- Can't sign like in a Certificate Signing Request (CSR)
- Could do interactive challenge-response protocol (or just run KEMTLS), but need online verification (RFC 3210 Sect.
- Send cert to requestor encrypted under key in the certificate (RFC 4210 Sect. - but maybe broken by Certificate Transparency?
- Zero-Knowledge proof of knowledge
Revocation: How can certificate owner authorize a revocation request?
- Put a hash of a signature public key in the cert

2020-07-21 Asokan Related Papers:
A global-scale authentication/authorization infra (a scary story)
Composing two authentication protocols (aka "compound authentication) is a common approach to bootstrap new functionality from already deployed protocol infrastructure, often in the hope of combining security properties from individual protocols. But such composition should (cryptographically) bind the protocol channels together. Absence of proper channel binding can lead to man-in-the-middle attacks. Channel-binding vulnerabilities were discovered ca. 2003 in a bunch of protocols being standardized at that time. They were fixed. Academics think that this is basic stuff. But channel-binding problems recur regularly in several widely used systems.
2020-07-21 Simon Related Papers:

Hiding the access Pattern is Not Enough: Exploiting Search

MLE attack, easy to adapt against defenses, low cost.

Using both access and search pattern leakage is very effective

Current privacy-preserving SSEs do not hide search patterns

Search pattern leakage allows an adversary to get frequency info

Hiding search patterns or frequency info is hard:
- Make access patterns of different keywords identical (expensive of meaningless).
- Hide implicit leakage with fresh access pattern randomness (we can adapt the attack againt this)
- Hide frequency information with dummies:when?how?(we can also adapt the attack against this)

2020-07-28 Akshaya   Abuse Detection of Tor Exit Nodes
Tor Exists are often blacklisted for all the malicious content routed through Tor

Zero Knowledge Based Exit Abuse Detection (ZXAD)
- provides cryptographic tokens which client uses to make connections to destination server
- Aims to provide fine-grained rate-limiting solution
- Attack on malicious middle
- Load placed on DirAuths and exits
2020-07-28 Mika Related Papers:
Supervised Machine Learning
Common assumptions:
- supervised signal (backpropogation)
- IID test data
Inductive bias:
-what decision rules are learnable?
- what decision rules are reachable?
Shortcut learning in DNNs
- unintended decision rules that perform well on benchmarks but fail in more challenging tests
Shortcut Learning Elsewhere
Common phenomena in general learning systems, for example:
- Mice in mazes:
- weak color vision
- orientation by paint odor
Connection to Security of Machine Learning Applications
Out-of-distribution data in Sec of ML:
- Adversarial training
- Model (dataset) watermarking
- Backdoor attacks
- Model extraction attacks
Inductive bias might work against security goals:
- Accuracy on test data drops with adeversarial training/watermarking
- Inductive learning with dataset that is distributionally different than test data
2020-08-04 Andre    
2020-08-04 Urs    
2020-08-14 Matt

Related Papers:

Project H.O.N.K
Harmonized cONtext detection frameworK
Implicit Authentication
Technique to authenticate a device user without explicit authentication
- avoids PIN, Password, etc
- increases usability
Continuous Authentication
- Type of implicit authentication
-Continuously evaluates if the current user is the owner of the device
- Uses biometric and behavioral data to authenticate
Context Detection
- Attempts to determine the user's context
- Uses biometric, behavioural and environment data
Background: See Related papers
- Existing systems are limited to a single application
- Exisiting systems are frequently pessimistic in determining safety
- Context Detection in security is generally limited to geolocational information
- Project H.O.N.K aims to provide a general context detection framework (not limited to geolocational contexts)
- Takes an "optimisitic" approach to context detection (assumes location is safe until proven otherwise?)
- Doesn't aim to provide authentication or other features itself
- Based on the number of people in the current context
- Interested solely in the privacy of the context
- A measure of the number of unfamiliar people in a given context
- Increases as more unfamiliar people are detected
- How close is the device to the owner
- Decreases as the device gets further away
- A method of modifying how the values grow or decay
- Increases the more times a context is visited
What do we do with these values?
- exposes unfamiliarity, proximity, privacy to plugins
Android App Strucure
2020-08-14 Ezz   Variational Auto Encoders (for Anomaly Detection)

Implicit and Continuous Authentication with unsupervised ML to detect anomalies
2020-09-15 Lindsey

Related Papers:

A Brief and Incomplete History of Breakthroughs and Challenges in Decoy Routing

Touched on the creation and iterations of Decoy routing from Telex, Cirripede and Curveball to more recent developments like Waterfall and A Fox in SOCKS in a Box which is our current project (Anna, Cecylia, Lindsey, Renee and Ian)
2020-09-15 Ian    
2020-09-22 Justin Related Papers etc.

Signal and Secure Value Recovery (recent internet drama)
The Problem:
- proliferation of messenging apps with varying degrees of security
- signal is the gold standard with a sizeable user base
- Signal requires that you own a smart phone and valid phone number which isn't a good idea, particularly in some cases eg. whistleblowers
- Other messaging apps do not require this and it has become a sticking point for Signal
Signal's solution: Secure Value Recovery:
- Deus SGX machina (let SGX solve it)
- Mandatory pins were not popular
Main Takeaway:
- Messaging applications come with a good source of parties unlikely to collude against you

2020-09-29 Florian

Related Papers:

Overview of the Pancake Paper and questions about how it works, drawing in ideas from both Tangler and Hiding Individuals and communities in a social network

2020-09-29 Nils

Related Papers etc:

Scalable Privacy Attacks Against Generative Adversarial Networks (GANs)
- GANs can generated sophisticated images that look nearly real
Privacy Threats in GANs
Failures in GAN Training
Mode Collapse
Mode Dropping
2020-10-13 Matt Related Papers:

Self-Authenticating Traditional (SAT) Addresses
- How do you learn the correct public key? You trust someone who tells you where you should be connecting

- responsible for communicating with site owners and validating that a public key is associated with a domain name

2020-10-13 Stan Related Papers: Reputation Systems (How things are rated online)
What do Privacy Preserving Reputation Systems look like?
Different properties for voter and votee
What does "privacy" mean in reputation?
- Vote Confidentiality
- Voter-Vote Unlinkability
- Voter Participation Confidentiality
- Two Vote unlinkability
- Reputation-Usage Unlinkability
- Exact Reputation Blinding
Big Picture Approaches to Providing Privacy in Reputation
- Coin-based
- Signature-based
- Reputation Transfer
- SMC-based
- Ticket-based
PRSONA "Privacy in Reputation Support for Ongoing Networked Activities"
Big Picture Contributions
- Users still get to use their reputations unlinkably
- Individuals get one (changeable) vote per votee
- We support uesrs to demonstrate that their reputation is above some threshold rather than an exact value
- We add no more reliance on third parties than AnonRep uses to gain these extra features
Currently building this with the intention of benchmarking it to see how wide we will need to make epochs, result to come soon
2020-10-20 Sergey Related Papers:

In Proof-of-Stake (PoS) and permissioned blockchains, a committee of verifiers agrees and sign every new block of transactions. These blocks are validated, propagated, and stored by all users in the network. However, posterior corruptions pose a common threat to these designs, because the adversary can corrupt committee verifiers after they certified a block and use their signing keys to certify a different block. Designing efficient and secure digital signatures for use in PoS
blockchains can substantially reduce bandwidth, storage and computing requirements from nodes, thereby enabling more efficient applications.

Pixel, a pairing-based forward-secure multi-signature scheme optimized for use in blockchains, achieves substantial savings in bandwidth, storage requirements, and verification effort. Pixel signatures consist of two group elements, regardless of the number of signers, can be verified using three pairings and one exponentiation, and support non-interactive aggregation of individual signatures into a multi-signature. Pixel signatures are also forward-secure and let signers evolve their keys over time, such that new keys cannot be used to sign on old blocks, protecting against posterior corruptions attacks on blockchains.

2020-10-20 Luna   Half Shadow Research <a brief intermission>
2020-10-20 Ted Related Papers:

A Note on the Instantiability of the Quantum Random Oracle
Random Oracle Model (ROM)
All queries to hash functions are managed in a special way in the proof in order to:
- Extract additional information from adversary
- Program certain points
- Guarantee information is unknown to adversary
Quantum Random Oracle Model (QROM)
Adversary with a quantum computer can run hash function in super position
New methods to manage oracle and establish proofs needed

Generally, there exist schemes secure in the QROM that are insecure in the real world, no matter what hash function you use.
The talk discussed how these separations are shown in general, as well as how this (from the fist related paper) specific one works and what the takeaway from such a result should be.

2020-10-27 Chelsea

Related Papers:

FROST: Flexible Round-Optimized Schnorr Threshold Signatures
Tradeoffs Among Constructions
- Number of Signing Rounds: Required network rounds to generate one signature
- Robust: Can the protocol complete when participants misbehave?
- Requires Number of Signers:
- Parallel Secure: Can signing operations be done in parallel without a reduction in security (Drijvers attacker)?
- Can be performed by either a trusted dealer or a Distributed key Generation (DKG) Protocol
- The DKG is an n-wise Shamir Secret Sharing protocol, with each participant acting as a dealer
- After KeyGen, each participant holds secret share si and public key Yi
- Can be performed in two rounds, or optimized to single round with preprocessing
- We prove the EUF-CMA security of an ainteractive variant of FROST, then extend to plain FROST
- FROST-Interactive generates the binding value pi
Real-World Applications
- Use in cryptocurrency (Zcash) protocols for signing transactions
- Consideration for standardization by CFRG
- Will present FROST at the upcoming NIST workshop on standaradizing threshold schemes
- FROST improves upon prior schemes by defining a single-round threshold signing protocol (with preprocessing)
2020-10-27 Miti

Related Papers:

Cuckoo-hashing in DHTs
Background: Distributed hash tables (DHTs)
- Hash table - (key,value) pairs -- that is distributed across n machines (nodes). Each node is assigned a virtual address, and stores values for keys near that address
- Good properties:
Low path length: Each node would do at most O(ln(n)) looksups to find the value of a key stored in the DHT.
The stored content doesn't need to get moved around a lot as more nodes join the network *network churn).
Joining a SHT: mechanisms and attacks
- Self-chosen virtual addresses:
Exlipse attack: Choose strategic virtual addresses so adversarial nodes are "in path" of the request. These nodes "eclipse" the user's view of the DHT
- Peer node assigns an incoming node a random address.
- Join-leave attack: adversary makes the nodes repeatedly join the network until it gets enough nodes as neighbours of an honest node.
Cuckoo-hashing Defense
Main idea: Every time a node joins the network, its neighbours get rearranged, so new malicious nodes can't stick together around an honest node.
Assume: Adversary controls at most epsilon fraction of nodes in the network
With a high probability, groups contain s nodes. Performance constraint: it must work for small s
Also, w.h.p, each group contains at most b Byzantine nodes
Cuckoo-hashing fails: "with high probability"
- Proofs were not fleshed out enough:
Proofs used concentration inequalities (Chernoff, union bounds) that give loose bounds.
Proofs were asymptotic: they skipped the constants
Our fixes
- Proof constants: bas security (epsilon)/performance (s) trade-off
- Also ran a simulation that backed up the proof with the constants
- Gave up on the trade-off until. . .
Commensal Cuckoo-ing to the rescue!
Joining process:
- Primary join: Assign a new node with an address within a random sub-group
New: The target group will check if it has had enough nodes joining it from the secondary joins
2020-11-03 IanG

Related Papers:

Merkle Trees (and how they're related to voting)
Review of Merkle Trees (an extremely useful data structure)
- Using logarithmic Merkle path, can verify location of a data point in the tree
- Append only data-structure

Application: TLS
- Website has a certificate issued by a CA
- There are 1000s of CAs authorized to create certificates for anywhere in the world
- If any of these CAs are compromised, Adversary can create valid certs for any website
Certificate Transparency:
- Every certificate that is issued is put into a Merkle Tree
- When visiting a website, must give you the Certificate + Merkle path, allows you to verify the certificate

In Elections past. . .
- Political ads were part of the conversation
- In 2016: 20,000 different ads were run by the Trump campaign. No consensus about ads being seen/issues to discuss
- Merkle Trees may be an interesting tool to use to provide such a consensus
2020-11-03 Sajin Related Papers:

Oblivious Tight Compaction algorithms of level 3 obliviousness from the framework of obliviousness provided by Krastnikov et al. The baseline algorithm we considered is Goodrich's Tight Compaction Algorithm. For our purposes, we did not need the order-preserving property of this algorithm, so we designed our own compaction algorithm that has the same asymptotic complexity as Goodrich's algorithm, but non-order preserving and more efficient as it induces only half the number of Oblivious Swap operations compared to Goodrich's. We also cursorily went over some more recent theoretical results on tight compaction and pointed why these aren't practically relevant.
2020-11-17 Nik Related Papers:
  • https://doi.org/10.1007/3-540-44448-3_3
  • https://doi.org/10.1007/11745853_7
A Cautionary Crypto Tale (or. . . The ElGamal Error. . .or One Way to Security. . .or Terms and Conditions May Apply [To Security Proofs]. . .or. . .)
How do we model confidentiality in public key encryption?
OW-CPA (One-way chosen plaintext attack) usually isn't enough in practice
IND-CPA (Indistinguishability under chosen plaintext attack) also usually isn't enough
- padding oracle attacks, etc.
- Always use IND-CCA2
Diffie-Hellman Problems (overview)
ElGamal: do a DH key exchange, use DH shared secret as a mask
Is it OW-CPA? Is it IND-CPA?
"Finite Field" ElGamal
Practical ElGamal

- Preserving homomorphic properties (see papers to the left)
- Hybrid encryption (with IND-CCA) is what everybody actually uses
- ElGamal is DH, then multiply the message
- Security reductions: using new thing attack, break old thing
- ElGamal is only IND-CPA if messages are group elements (Otherwise, it's OW-CPA at best)
- Use IND-CCA2 cryptosystems in practice
- If you skip doing an 'obvious' security proof don't build 2 years of work on top of it >.<
2020-11-17 Jiayi   Multi-User Implicit Authentication
- Implicit Authentication (IA)
- Authenticate the owner based on their behaviours
- Common behavioural biometrics (keystrokes, touch patterns, gaits)
- Defend against unauthorized access throughout the session
- Enhance explicit authentication mehtods (PIN, passcodes, etc)
Multi-User IA
- Exisiting IA scheme assume only one valid user
- Multi-User: more than one valid user can have access to a shared session
Research Question: How to label the training data?
- Single User IA assumes it is always the owner
- Multi-User IA requires explicit indication of the current user's identity
Possible solutions:
-Explicit enrollment
- In-sharing enrollment
Explicit Enrollment
- Ask each user to complete tasks for model training
-Fast creation of a usable general IA model
- Accurate data labelling
-Extra interactions
In-Sharing Enrollment
- Detect a sharing session and assign collected data to a certain profile
- For the owner-sharee user model
- Natural behavioural data of practical usage
- Auto data segmenting
- Manual profile assignment
- Sufficient data is required for a usable model
Incremental Enrollment
- Identitfy the current user and assign newly collected data to this user automatically
- For existing profiles
- Auto assignment
- Continuous updating
- Possible misidentification
Imbalanced training data
- In the owner-sharee model, the owner contributes significantly more behavioural data than sharees
Possible solutions:
- Oversampling: SMOTE (Synthetic Minority Oversampling Technique)
- Per-user binary classifiers
Authentication & Identification
- Most of the time, the owner is expected to be using the device
1. Use a binary classifier with owner's profile
2. If non-owner detected, use a multi-class classification to identify the current user
3. If no match, block the current user
- Possible user identity changes usually happen after a certain action (ie. sharing action)
- Use contextual information to reduce the classification task complexity
2020-11-24 Bailey Related Papers: Girls Mean Business First (Online) Workshop
(An Introduction to Network Security using Netsim)
- Workshop as part of WICs outreach program which aims to encourage female and non-binary youth to explore technology
Network Security (Goals of the workshop):
- Define foundations of internet computer networks
- Define security and its role in networks
- Identify
- Execute
Start with Basic Definitions:
Packets, Network Layers (a bit), Transport Layer, Application Layer
Activity Facilitation online:
- Harder to track participant progress
- Group interaction varied
- Chat vs. audio
- Screen visibility
- Progress was more varied
- Unsure how much peer teaching occurred
2020-11-24 Thomas

Related Papers:

Cache Me If You Can: Accuracy-Aware Inference Engine for DP Data Exploration
Brief overview of DP:
- PR[A(D1)=o] e^ε Pr[A(D2)=o]
- Controls the degree to which D1 and D2 can be distinguished, a smaller ε gives more privacy (but less utility)
- Interactive DP
- Data owner specifies privacy budget ε
- Data analysts care about accuracy; they do not know DP techniques
- Accuracy: A set of queries (workload) has two accuracy parameters: α, β
Status quo: APEx provides accurate reponses to workloads while minimizing ε
-Does not consider prior noisy responses -> more ε than required
- Analysts may not know how to plan workloads for total ε usage
Proposed System:
- Choosing a cache-aware optimal strategy matrix
- Implementing our algorithm and cache structures
- Evaluating our implementation for the following use-cases
- Entity resolution tasks
- Private spatial data exploration
Proactive Approach:
- Includes disjoint queries within the workload
- Exploits the parallel composition theorem
- Threshold to bound a minor increase in the privacy budget (for meeting the accuracy guarantee of overall workload)
2020-12-01 Navid Related Papers:
Probabilistic Secret Sharing

A secret sharing scheme breaks a secret in to n shares such that any subset of shares that is in the "qualified"/"authorized" set, can reconstruct the secret and any subset of shares that is in the forbidden set cannot obtain any information about the secret. In this paper, D'Arco et al. introduce \alpha-probabilistic secret sharing, where the restriction on the forbidden sets still holds, but the authorized sets may fail; however, they will be able to correctly reconstruct the secret with probability \alpha. For example, the usual secret sharing schemes are 1-probabilistic secret sharing schemes. This talk covered the following parts of the paper:

- Definition of \alpha-probabilistic secret sharing
- An example from visual cryptography, and how it can be modified to an \alpha-probabilistic secret sharing scheme to have smaller shares.
- Definition of evolving secret sharing schemes.
- Definition of \alpha-probabilistic evolving secret sharing schemes.
- A construction for an \alpha-probabilistic evolving secret sharing scheme that any two shares can be used to reconstruct the secret.
- A modified version of Shamir secret sharing scheme (assigning shares by choosing a point randomly with substitution) with constant-size shares and its properties as an \alpha-probabilistic evolving secret sharing scheme that requires k shares to reconstruct the secret.
2020-12-01 Yousra Related Papers:
Probabilistic Protection Recommendation Inference:
Vendor Customization
Mobile OSes are continuously customized into a variety of system images
- More than 2000 device models exist for Samsung devices
Customization parties: Hardware manufacturers, device manufacturers, carriers
- Purposes: Tailoring the devices to different hardware, countries, regions etc.
Security Hazards caused by Access Control Anomalies
Cause: lack of regulation policies that oversee framework-level customization
- totally up to the developer to figure out the access control enforcement at the level of APIs
- highly manual
Prior Approaches for detecting Access Control Inconsistencies
Kratos, Acedroid, ACMiner
- Convergence anaslysis for detecting convergence
Limitations of existing approaches
Inconsistent AC along the paths to a given resource access may not be accurately indicative of a vulnerability
In practice, access control checks proceed access to more than 1 resource:
- it is difficult to point out exactly which resource(s) is the actual target of the protection
Probabilistic Inference
We are motivated by these kinds of stealthy and difficult to detect access control anomalies
- The examples shown require combining multiple information sources (at different entry points) each with a different degree of certainty
-From more certain hints: 1-1 resource to permission enforcement
-To less certain hints: multiple resources are protected by a single AC
We need to draw conclusions based on incomplete or uncertain information
Uncertainty is usually modeled in the form of a probabilistic distribution
Probabilistic Permission Recommendation Inference
In our case, we need to compute he marginal probability that a resource x has a protection p from the probability distribution of all variables with protection p, in a target Android ROM
there are two components for permission recommendation inference
- constraint collector
- inference engine
Constraint Collector
Normalizing Diverse Android Access Control Checks for Inconsistency DetectionPreprocesses the system services to collect all public entries (or public APIs)
Analyzes each entry to identify various types of "primitive" resources
Preprocess the system services to collect all public entries (or public APIS)
- Using static bytecode analysis
- Collect system services reistation points
- identify public entries: identify exposed interfaces classes of each service and extract their public APIs
Analyze each entry to identify various types of "primitive" resources
Infer "certain" protections:
- Using a predefined set of rules
- Rule 1:1-1 resource permission to resource mappings (derived statically)
Constraint Collector: Probabilistic Protection Transfer
Traverse the framework codebase to collect protections
Protection transfer also requires gathering implications
- Implications denote inter-dependences between resource predicates
If a dattaflow dependence is detected between two resources, we add an implication constraint
Inference Engine
Transforms the constraints into a factor graph
- Factor graphs are used to represent the structure of conditional dependences
Performs belief propagation in the graph for each Protection p
- Note that protections are the set of traditional Android permissions and other non-traditional access control attributes
Belief propagation will derive a new probability for each resource R having a protection PR
If there is some hint for a Resource R has a protection PR where p>0.5 and PR is more likely than any other protection, then R is assigned
2020-12-08 John Related Papers:
Efficient Private Record Linkage for the Streaming Data Model (WIP)
Motivation: Create an efficient private record linkage protocol which uses a service provider
Approach: Three possible general methods for three party record linkage in the data streaming model
What is the streaming data model
- Similar to PSI
- Approximate matches
Why the streaming data model?
- Binning not required
- Works well in the offline scenario
There are a few different methods for different scenarios
Method 1 (Protocol 1)
- Paillier encryption
- Berlekamp-Welch to decode reed solomon codes
Method 2 (Protocol 2)
- Cosine similarity
- Records are vectorized
Method 3 (Protocol 3 and 4)
- Inner product predicate encryption
- n-grams
Protocol 3
1: Grams of a record represented as a polynomial - ( (x - id1)(x-id2)......)
2: Polynomial evaluation can be represented as an inner product
Protocol 4
1: Grams of a record hashed into a bloom filter
2: Bloom filters compared using inner product operations
Future (current) work
- Accuracy and performance testing
- Security model and proof
2020-12-08 Rasoul Related Papers:
Scalable PIR using Constant Hamming Weight Encodings (WIP)
Homomorphic Encryption Overview
- Additive HE -> Elgamal, RSA. . . only support one homomorphic operation (addition)
- Somewhat (Leveled) HE
- Fully HE <^ both support 2 homomorphic operations (Lattice based)
Leveled HE & Multiplicative Depth
- Limited sequential multiplications (5 or 6? more likely 3) Additions (almost) free
- Circuit depth, depth = 3 ƒ = AB + C^4
- Multiplicative depth, mult depth = 2
- For HE, mult depth is important
Equality in HE
If we use 2 HE numbers, are they equal or not? How can we determine this?
The circuit we have to derive over two numbers involves large p multiplication which is very expensive
Private Information Retrieval
- Definition ITPIR/ C-PIR
C-PIR: to keep the query private the naive approach of is to download the entire DB
Computation = Ω(IDI)
PIR & Selection Vectors
- Binary vector as big as the DP
- Communication!
Constant Hamming Weight Encoding
- A mapping of numbers to elements with constant hamming weight = K
Example: Order preserving encoding (K = 2)
Equality Circuit for CHaW Encoding
Better asymptotic communication complexity given multiplicative depth
Keyword PIR (Sparse PIR)
- Very large domain/ very few elements
- Retrieve by name instead of index
- Password checkup
2020-12-15 Hans Related Papers:
  • Kuznetsov et al. "Code-Pointer Integrity"
  • Mashtizadeh et al. "CCFI: Cyptographically Enforced Control Flow Integrity"
Pointer Integrity: memory safety for pointers
- Ensure pointers in memory remain unchanged
Code pointer integrity implies CFI: Control- flow attacks manipulate code pointers
- Data pointer integrity: Reduces data-only attack surface
ARMv8.3-A Pointer Authentication
General purpose hardware primitive approximating pointer integrity
- Ensure pointers in memory remain unchanged
Introduced in ARMv8.3-A specification (2016) to be improved in ARM-8.6-A (2020)
ARMv8.3-A PA-PAC Generation
- Adds Pointer Authentication Code . . .
PA-based protection schemes
PA instructions are primitives, assembled to form protection schemes
- Two main components: When are pointers PACed and unPACed? Which modifier is used at a given point?
- What should the modifier be for a given pointer?
2020-12-15 Douglas   My information security goal: academic integrity of MATH 239 exams during remote learning
Some tips and operational strategies for preserving academic integrity in online learning
(Talk to Douglas for details)
Topic revision: r1 - 2021-01-11 - JasonGoertzen
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback