Previous ISG Research Seminars

Speaker: Danny De Cock (K.U. Leuven)

Title: Overview of the Belgian Identity Management
Infrastructure and eID Cards Architecture

Abstract: In this presentation, we will give an overview of
the main components of the eGovernment systems in Belgium. This includes the
milestones of the Belgian eID card project, the eID card's issuing process, and
examples of their use.

After the presentation, you will know details about:

- the eID card content (key pairs, certificates, identity data, etc.)
- the certificate hierarchy and details on the individual
certificates (citizen, CA, government, etc.)
- certificate revocation lists management
- typical use scenarios to generate signatures, verify signatures,
key pair properties, certificate (chain) validation procedures, etc.
- issues with respect to long-term validity of digital signatures
relying on certificates which may have been revoked at some moment.

Speaker: Nils Aschenbruck (Communication Systems Group at the
University of Bonn)

Title: Modelling Mobility in Disaster Area Scenarios

Abstract: When creating a scenario for performance evaluation
of a communication system, modelling the mobility is an important task, since
the results of the evaluation strongly depend on the model used. Typical
assumptions of many models are uniform selection of destinations, nodes are
allowed to move over the whole simulation area, and nodes are part of the
network all the time (are not switched off and do not leave the network).

An analysis of tactical issues in civil protection provides characteristics
influencing network performance in public safety communication networks like
heterogeneous area-based movement, obstacles, and joining/leaving of nodes.
These characteristics differ significantly from the typical assumptions. The
talk will present a new model that realistically represents the movements in a
disaster area scenario. The new model shows specific characteristics like
heterogeneous node density. These characteristics do also have specific impact
on the results of simulative network performance analysis. Finally, future
work is presented focusing on performance evaluation of several intrusion
detection detectors for tactical mobile networks.

Speaker: Ben Smith (ISG, RHUL)

Title: Isogenies and the DLP on Jacobians of genus three
curves

Abstract: In this talk, we describe the use of isogenies (a
special type of homomorphism) to reduce DLPs on Jacobians of hyperelliptic
genus 3 curves to DLPs on non-hyperelliptic Jacobians, which are generally
regarded as being cryptographically weaker. This exposes hyperelliptic
Jacobians to the faster index-calculus algorithms available for
non-hyperelliptic Jacobians, reducing the time required to solve DLPs from
$\softO(q^{4/3})$ to $\softO(q)$. We will give an
algorithm which quickly constructs an explicit reduction for around 17% of (randomly chosen) hyperelliptic genus three curves. We conclude that the DLP on hyperelliptic genus three Jacobians is not intrinsically harder than the DLP in the non-hyperelliptic case.

Speaker: Bruce Beckles (University of Cambridge)

Title: The PKI don't work: Using PKI appropriately in grid
environments

Abstract: In this talk I shall outline some of the problems
encountered with the existing public key infrastructure (PKI) used in most
current computational grid environments. The nature of these problems means
that PKI is unsuitable for use by end-users, and, if it is to be used in the
grid environment, end-users must have minimal direct interaction - in fact,
preferably no interaction - with the PKI mechanisms. I will discuss two
approaches to "removing PKI from the end-user's experience of the grid
environment" currently being explored by a research project with which I am
associated. These approaches have the potential to significantly improve the
usability of the security infrastructure of the grid environment, thus removing
(or lowering) one of the major hurdles faced by new grid users, as well as
substantially improving the security of these environments.

Speaker: Jens Jensen (Rutherford Appleton Laboratories)

Title: e-Science and Grid Security

Abstract: The Grid ties together heterogeneous and distributed
computing and storage resources on a global scale. With its growth in size and
popularity comes security issues, ranging from low level machine security to
managing dynamic virtual organisations, and from practical implementations to
security research. This talk introduces introduces Grid security with an
overview of this range, and will then look at recent developments and open
issues. The talk will be of interest to anyone with an interest in Grid
security and applied security research.

Speaker: James Birkett (ISG, RHUL)

Title: Identity Based Key Encapsulation with Wildcards

Abstract: We propose new instantiations of chosen-ciphertext
secure identity-based encryption schemes with wildcards (WIBE). Our schemes
outperform all existing alternatives in terms of efficiency as well as
security. We achieve these results by extending the hybrid encryption (KEM-DEM)
framework to the case of WIBE schemes. We propose and prove secure one generic
construction in the random oracle model, and one direct construction in the
standard model.

Speaker: Matt Barrett

Title: Towards an Open Trusted Computing Framework

Abstract: I will give a brief introduction to trusted
computing, for those not familiar. I will discuss my master's thesis, which was
concerned with open trusted computing frameworks. An analysis of two secure
operating system frameworks built upon the Trusted Computing Group's Trusted
Platform Module will be given, and the security implications of the respective
design decisions discussed. The complexity and difficulty in providing assured
computation, while keeping the flexibility of general purposes computers, is
highlighted.

I will discuss in some detail a novel insertion attack against certain trusted
computing frameworks built upon the TCG's TPM. Our insertion attack makes use
of a vulnerability that arises due to the architecture of the TPM itself, and
was published at COMPSAC 2006.

Speaker: Kenny Paterson (ISG, RHUL)

Title: Attacking the IPsec Standards in Encryption-only
Configurations

Abstract: We describe new attacks which break any
RFC-compliant implementation of IPsec making use of encryption-only ESP in
tunnel mode. The new attacks are both efficient and realistic: they are
ciphertext-only and need only the capability to eavesdrop on ESP-encrypted
traffic and to inject traffic into the network. We report on our experiences in
applying the attacks to a variety of implementations of IPsec. Joint work with
Jean Paul Degabriele (currently with Hewlett-Packard Labs).

Speaker: Imad Abbadi (ISG, RHUL)

Title: Digital Rights Management using a Mobile Phone

Abstract: This paper focuses on the problem of preventing
illegal copying of digital assets without jeopardising the right of legitimate
licence holders to transfer content between their own devices, which make up a
domain. Our novel idea involves the use of a domain-specific mobile phone and
the mobile phone network operator to authenticate the domain owner before
devices can join a domain. This binds devices in a domain to a single owner,
that, in turn, enables the binding of domain licences to the domain owner. In
addition, the way in which we control domain membership, and the use of the
domain-specific mobile phone that enables a domain owner to add devices
wherever he/she is physically present, ensures that devices joining the domain
are in physical proximity to the mobile phone, preventing illicit content
proliferation.

Speaker: Søren Thomsen (visiting ISG, RHUL)

Title: Grindahl - a family of hash functions

Abstract: In this paper we propose the Grindahl family of hash
functions, which is based on components of the Rijndael algorithm. To make
collision search sufficiently difficult, this design has the important feature
that no low-weight characteristics form collisions, and at the same time it
limits access to the state. We also propose two instances of the Grindahl hash
family, Grindahl-256 and Grindahl-512 with claimed security levels with respect
to collision, preimage and second preimage attacks of 2^{128} and 2^{256},
respectively. Both proposals have lower memory requirements than other hash
functions at comparable speeds and security levels.

Speaker: Hoon Wei Lim (ISG, RHUL)

Title: A Certificate-free Grid Security Infrastructure
Supporting Password-based User Authentication

Abstract: Password-based authentication is still the most
widely used authentication mechanism, largely because of the ease with which it
can be understood by end users and implemented. We propose a security
infrastructure for grid applications, in which users are authenticated using
passwords. Our infrastructure allows users to perform single sign-on based only
on passwords, without requiring a public key infrastructure. Nevertheless, our
infrastructure supports essential grid security services, such as mutual
authentication and delegation, using public key cryptographic techniques.
Moreover, hosting servers in our infrastructure are not required to have public
key certificates, meaning mutual authentication and delegation of proxy
credentials can be performed in a lightweight and efficient manner.

Speaker: Sean Murphy (ISG, RHUL)

Title: Forgery Attacks on HMAC

Abstract: HMAC is a message authentication code based on an
n-bit hash function. The generic forgery attack attack on HMAC requires 2^{n/2}
message-MAC pairs. We describe a attack against a generic HMAC requiring less
than 2^{n/2} message-MAC pairs.

Speaker: Carlos Cid (ISG, RHUL)

Title: An Analysis of the Hermes8 Stream Ciphers

Abstract: Hermes8 is one of the 34 stream ciphers submitted to
the ECRYPT Stream Cipher Project (eSTREAM). In this talk we will present an
analysis of the Hermes8 stream ciphers. In particular, we show an attack on the
latest version of the cipher (Hermes8F), which requires very few known
keystream bytes and recovers the cipher secret key in less than a second on a
normal PC. Furthermore, we make some remarks on the cipher's key schedule and
discuss some properties of ciphers with similar algebraic structure to Hermes8.

This is a joint work with Steve Babbage, Norbert Pramstaller and Haavard
Raddum, and parts of it were presented at the SASC 2007 workshop in Bochum.

Speaker: Adrian Leung (ISG, RHUL)

Title: Ninja : Non Identity Based, Privacy Preserving
Authentication for Ubiquitous Environments

Abstract: Most of today's authentication schemes are based on
authenticating the identity of a principal in one way or another. This method
of authentication is commonly known as entity authentication. In emerging
computing paradigms which are highly dynamic and mobile in nature, such as a
ubiquitous environment, entity authentication alone may not be sufficient or
even appropriate, especially if a principal's privacy is to be protected. In
order to preserve the privacy of a principal, other attributes (such as
location or trustworthiness) of the principal may need to be authenticated to a
verifier. In this paper, in the context of a mobile ubiquitous environment, we
propose Ninja: a non identity based authentication scheme, whereby the
trustworthiness of a user's device is authenticated anonymously to a remote
Service Provider (verifier), during the service discovery process. We show how
this can be achieved using the functionalities of Trusted Computing.

Speaker: Patrick Baier

Title: Special purpose hardware for integer factorisation

Abstract: I would like to discuss the use of reconfigurable
hardware (FPGAs) to speed up some of the sub-algorithms of the number field
sieve, in particular the relation collection step. I intend to focus on the
implementation of Lenstra's Elliptic Curve Method in hardware, which can be
used as an efficient smoothness test and a tool for factoring the sieving
reports. A significant improvement over microprocessors can be achieved in
terms of performance to cost.

Speaker: Qiang Tang (ISG, RHUL, and ENS Paris)

Title: Biometric cryptosystems: issues, challenges, and
possible solutions

Abstract: Biometrics, such as fingerprint and iris, have been
used to a higher level of security in order to cope with the increasing demand
for reliable and highly-usable information security systems, because they have
many advantages over cryptographic credentials. However, in practice, there are
some obstacles (or concerns) in a wide adoption of biometrics. Biometric
features are volatile over the time, and they are also sensitive data. In this
talk, we have a review of the security issues and challenges faced by biometric
cryptosystems. We then highlight some possible solutions in identification,
authentication, and biometric-based key release systems.

Speaker: Jiqiang Lu (ISG, RHUL)

Title: Related-key rectangle attack on 42-round SHACAL-2

Abstract: Based on the compression function of the hash
function standard SHA-256, SHACAL-2 is a 64-round block cipher with a 256-bit
block size and a variable length key of up to 512 bits. In this paper, we
present a related-key rectangle attack on 42-round SHACAL-2. This is the best
currently known attack on SHACAL-2 in terms of the numbers of attacked rounds.

Speaker: David Chadwick (University of Kent)

Title: Building a Modular Authorisation Infrastructure

Abstract: Authorization infrastructures manage privileges and
render access control decisions, allowing applications to adjust their behavior
according to the privileges allocated to users. This talk describes the
conceptual authorisation, access control, and trust models that are required
for a modular authorisation infrastructure. I will then say how we have
implemented this model in Open PERMIS (www.openpermis.org). PERMIS has the
novel concept of a credential validation service, which verifies a user's
credentials prior to access control decision making and enables the distributed
management of credentials. Details of the design and the implementation of
PERMIS are presented along with details of its integration with Globus Toolkit,
Shibboleth and GridShib. A comparison of PERMIS with other authorization and
access control implementations is given, along with our plans for the future.

Speaker: Po Yau (ISG, RHUL)

Title: Secure packet delivery reporting in ad hoc networks

Abstract: Selfish nodes pose a threat to the availability of
communications in mobile ad hoc networks. Many schemes proposed to deal with
this threat rely on passive acknowledgements, a mechanism that relies on the
properties of wireless communication. We will show that inherent problems
exist when using passive acknowledgements to detect selfish or non-forwarding
behaviour. We propose an efficient protocol that uses explicit network layer
acknowledgements to provide a means of detecting non-forwarding nodes with
stronger assurances.

Converting a system of polynomials to a CNF-SAT problem results in an
exponentially long logical sentence if done naively. However, simple tricks can
be used to make the logical sentence linear in length compared to the original
polynomial system, and the conversion runs in LOGSPACE not PSPACE. Since
SAT-solvers are also LOGSPACE, this method of polynomial system solving
requires very little memory.

In the end, this means that with a suitable converter, much larger polynomial
systems can now be solved than was previously thought possible. In fact, it was
precisely this method that allowed algebraic cryptanalysis of the Data
Encryption Standard out to six rounds, an example which I will describe in
extended detail.

Previous talks presented in 2006:

• 12 Dec: "Experiences Developing Secure, User-oriented Grid
  Infrastructures at the National e-Science Centre (NeSC)", Richard Sinnott
  (Glasgow).
  Abstract: Security underpins Grids and e-Research.
  Without a robust, reliable and simple Grid security infrastructure combined
  with commonly accepted security practices, large portions of the research
  community and wider industry will not engage. The predominant way in which
  security is currently addressed in the Grid community is through Public Key
  Infrastructures (PKI) based upon X.509 certificates to support authentication.
  Whilst PKIs address user identity issues, authentication does not provide fine
  grained control over what users are allowed to do on remote resources
  (authorisation). Users are also uncomfortable with the whole process of
  obtaining and using X.509 certificates. In this talk we outline problems with
  existing Grid security models and outline how Shibboleth technology offers a
  new paradigm which can simplify the user experience of interacting with Grid
  infrastructures. We show that when combined with a suitable authorisation
  infrastructure, Shibboleth can improve the overall security needed for
  multi-discipline, multi-organisational e-Research. We demonstrate this through
  practical examples of different security focused e-Science projects being
  conducted at the National e-Science Centre (NeSC) at the University of Glasgow.
  We believe that this model will become the de facto way in which future
  e-Research resources are accessed by a wide variety of researchers, not just
  the existing (and small) Grid-savvy community.

• 5 Dec: "Steganography, Steganalysis, and Capacity", Andrew
  Ker (Oxford).
  Abstract: Steganography is a branch of information
  hiding aiming to transmit a message concealed in some digital media object, so
  that its presence cannot be deduced by a third party. In the talk I will
  propose a new model for steganography and the competing aim of steganalysis, in
  which we allow the payload to be split between multiple cover objects. This
  model sheds light on the fundamental question of the capacity of covert
  steganographic channels, which has resisted analysis until now. Given the new
  model, and some fairly general assumptions about the nature of steganalysis in
  single objects, we can show that the capacity of a batch of N objects is
  asymptotically of the order of the square root of N.

• 28 Nov: "Differential and Rectangle Attacks on
  Reduced-Round SHACAL-1", Jiqiang Lu.
  
  Abstract: SHACAL-1 is an 80-round block cipher with a 160-bit
  block size and a key of up to 512 bits, which is based on the well known hash
  function standard SHA-1. In this paper, we mount rectangle attacks on the first
  51 rounds and a series of inner 52 rounds of SHACAL-1, and also mount
  differential attacks on the first 49 rounds and a series of inner 55 rounds of
  SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1
  in a single key attack scenario.

• 21 Nov: "A Web Services Shopping Mall for Mobile Users",
  Kalid Elmufti (City University).
  Abstract: We present a platform
  for the direct consumption of web services by a Mobile Station. We give an
  architectural solution where Mobile Operators play the role of Trusted Third
  Parties supplying service credentials that allow a co-located 3GPP Network
  Application Function and Liberty-enabled Identity Provider entity to implement
  a controlled Shopping Mall service to Mobile Stations from multiple trust
  domains. We are using 3GPP Generic Authentication Architecture (GAA) and SSO to
  develop a mobile Web services solution.

• 24 Oct: "The Fourth Game Hop: A More Efficient Proof Of
  Waters Encryption", Alex Dent.
  
  Abstract: Game hopping has become a popular tool to simplify security
  proofs. It easily allows a researcher to prove the security of a complex
  algorithm one step at a time. The literature describes three types of game hop:
  bridging steps, transitions based on (small) error events, and transitions
  based on indistinguishability. In this talk, we present a new, fourth type of
  game hop (transitions based on large events) and use it to re-prove the
  security of the Waters based encryption scheme in a more efficient way.

• Friday, 29 Sep: "Pairing Based Threshold Cryptography,
  Improving on Libert-Quisquater and Baek-Zheng", Yvo Desmedt (University College
  London).
  

  Abstract:

  We apply techniques from secret sharing and threshold decryption to show how to
  properly design an ID-based threshold system in which one assumes no trust in
  any party.
  In our scheme:
  

  • We avoid that any single machine ever knew the master secret s of the
    trusted authority (TA). Instead only shares of it will be known by parties of
    the distributed TA and it can be seen as a virtual key.
  • The threshold
    t_{TA} and the number of shareholders n_{TA} used by the distributed TA do not
    need to be identical to the ones used by user ID. Moreover, each user ID can
    use its own values for the threshold t_{i} and the number of parties n_{i} that
    will acquire shares.
  • No single machine will ever know the secret key of
    the user -- this means no single machine in the distributed TA and no
    shareholder of the user ID.
  Like Baek and Zheng suggest, such a scheme
  can be turned into a mediated system.
  This is joint work with Tanja
  Lange and was presented at Financial Cryptography 2006 (February, not yet
  published).

• 29 Aug: "Universal Designated Verifier Signatures Without
  Random Oracles or Non-Black Box Assumptions", Benoit Libert.
  
  Abstract: Universal designated verifier signatures (UDVS) were
  introduced in 2003 by Steinfeld et al. to allow signature holders to monitor
  the verification of a given signature in the sense that any plain signature can
  be publicly turned into a signature which is only verifiable by some specific
  designated verifier. Privacy issues, like non-dissemination of digital
  certificates, are the main motivations to study such primitives. In this work,
  we propose two efficient UDVS schemes which are secure (in terms of
  unforgeability and anonymity) in the standard model (i.e. without random
  oracles). Their security relies on algorithmic assumptions which are more
  classical than assumptions involved in the two only known UDVS schemes in
  standard model to date. The latter schemes, put forth by Zhang et al. in 2005
  and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the
  strange-looking ``knowledge of exponent assumption'' (KEA). Our schemes are
  obtained from Waters's signature and they do not need the KEA assumption. They
  are also the first random oracle-free constructions with the anonymity
  property.
  

  joint work with F. Laguillaumie and J.-J. Quisquater

• 14 Aug: "On the Evolution of Adversary Models in Security
  Protocols - from the Beginning to Sensor Networks", Virgil D. Gligor,
  (University of Maryland).
  Abstract: Invariably, new technologies
  introduce new vulnerabilities which often enable new attacks by increasingly
  potent adversaries. Yet new systems are more adept at handling well-known
  attacks by old adversaries than anticipating new ones. Our adversary models
  seem to be perpetually out of date: often they do not capture adversary attacks
  and sometimes they address attacks rendered impractical by new technologies.
  
  In this talk, I provide a brief overview of adversary models beginning
  with those required by program and data sharing technologies ('60-'70s),
  continuing with those required by computer communication and networking
  technologies ('70s-'90s), and ending with those required by and sensor network
  technologies ('00s ->). I argue that sensor, ad-hoc, and mesh networks require
  new models, different from those in common use, namely those of the Dolev-Yao
  and Byzantine adversaries. I illustrate this with adversaries that attack
  perfectly sensible and otherwise correct protocols of sensor networks. These
  attacks cannot be countered with traditional security protocols using
  end-to-end design arguments and require emergent security properties as
  countermeasures.

• 15 Aug: "A Challenging But Feasible Blockwise-Adaptive
  Chosen-Plaintext Attack on SSL", Greg Bard.
  Abstract: The purpose
  of this paper is to explain a cryptanalytic vulnerability in SSL 3.0 and TLS
  1.0, which can be exploited to recover plaintexts of low entropy with
  probability approaching one. The method is an example of a blockwise-adaptive
  chosen-plaintext attack, exploiting the insecurity of the CBC encryption mode
  in that model. An example of a low entropy plaintext would be a selection from
  a list of 2--1000 items, such as a stock ticker or city name. While the
  vulnerability has been closed in later editions of the TLS protocol, this paper
  hopes to motivate system administrators that use SSL to switch to TLS 1.1 or
  later; demonstrate that the blockwise-adaptive chosen-plaintext model is not
  sterile and purely academic; highlight the importance of the location of secret
  data among block boundaries; provide an example of how an attacker can achieve
  the chosen-plaintext capability in practice; show the hurdles that must be
  crossed in implementing a cryptanalytic attack of this type; emphasize the
  importance of using a separate key for each channel of communications;
  highlight serious flaws in the encryption mode known as CBC; and demonstrate
  the need for more dialog between the cryptologic and protocol security worlds.

• 27 Jun: "Protecting Privacy with the MPEG-21 IPMP
  Framework", Nicholas Sheppard (University of Wollongong).
  

  Abstract: A number of authors have observed a duality between privacy
  protection and copyright protection, and, in particular, observed how digital
  rights management technology may be used as the basis of a privacy protection
  system. In this talk, we describe our experiences in implementing a privacy
  protection system based on the Intellectual Property Management and Protection
  ("IPMP") components of the MPEG-21 Multimedia Framework. Our approach allows
  individuals to express their privacy preferences in a way enabling automatic
  enforcement by data users' computers. This required the design of an extension
  to the MPEG Rights Expression Language to cater for privacy applications, and
  the development of software that allowed individuals' information and relevent
  privacy preferences to be securely collected, stored and interpreted.

• Friday, 2 Jun: "Mediated Cryptography without
  Certificates", Prof. Colin Boyd (Queensland University of Technology).
  
  Abstract: Mediated cryptography was designed by Boneh, Ding and Tsudik
  to accommodate applications that require instant revocation. We introduce the
  notion of certificateless mediated cryptography. This allows more lightweight
  versions of mediated cryptography while maintaining the ability for
  instantaneous revocation of keys. Moreover, our solution avoids key escrow,
  which has been a property in all previous mediated cryptography algorithms. The
  idea is related to certificateless cryptography and to certificate-based
  encryption. We present a concrete algorithm for certificateless mediated
  encryption based on bilinear maps together with a security proof.
  This is
  joint work with Sherman Chow and Juan Gonzalez.

• 6 Jun: Trustwise Seminar.
  This
  week's seminar is being devoted to the HREF="http://www.trustguide.org.uk/">Trustguide Project, which is run by HP
  Labs and BT Research.
  

  The project is a DTI sponsored project as part of the HREF="http://www.sciencewise.org.uk/">Sciencewise programme.
  

• 30 May: "Trust is a holistic property (?)", HREF="mailto:Stephane.Lo-Presti@rhul.ac.uk">Stephane Lo Presti.
  
  Abstract: Research on the topic of trust has gained momentum in the
  last decade, culminating nowadays in plethora of conference/workshops and works
  including this buzzword. One can find many definitions of this concept, usually
  highlighting one or several of its many facets that are closest to the domain
  at hand. I will first show the approach we have taken in the T-SAS project to
  tackle the issue of trust in the design of pervasive computing systems. We
  devised a methodology that starts from expert-validated scenarios and analyzes
  the application under development according to a trust analysis grid, enabling
  designers to spot potential problems and to try to understand the suitability
  of technology solutions. I will then move on to a more general account of the
  current multidisciplinary research efforts on trust, concluding on the
  description of trusted computing.

• 23 May: "Improved cryptanalysis of Py", Paul Crowley.
  
  Abstract: RC4 is one of the most widely used stream ciphers in the
  world, thanks to its appealing speed and simplicity, but it has important
  theoretical shortcomings; certain "events" in the internal state cause a bias
  in the output detectable given a few gigabytes of keystream. Cryptographers
  Eli Biham and Jennifer Seberry have built a new cipher, Py, which uses the
  ideas underlying RC4 but is both faster and more secure; it is by far the
  fastest software cipher entered into the eSTREAM competition. However, a team
  of cryptographers from Belgium and India have found internal events which
  result in several biases in the output stream. The strongest of these biases
  can be detected given 2^84 bytes of plaintext. In this talk, we describe the
  cipher and their results, and show how we can reduce the plaintext requirements
  by a factor of 2^16 by looking for the combined influence of all of these
  biases, and using a Hidden Markov Model to model the bitwise state of the
  cipher when these events take place.

• 16 May: "e-EMV: Emulating EMV for Internet payments using
  Trusted Computing technology", Shane
  Balfe.
  Abstract: The introduction of EMV for use in card
  present transaction has resulted in a dramatic reduction in the levels of fraud
  seen at POS (Point of Sale) terminals. However, with this reduction has come an
  increase in the level of fraud associated with CNP (Card Not Present)
  transactions. This increase is largely attributable to the fact that CNP based
  processing has difficulty integrating EMV into its transaction architecture.
  This talk aims to demonstrate how Trusted Computing technology can be used to
  emulate EMV for use in Internet-based CNP transactions. Through a combination
  of TPM (Trusted Platform Module), OS and processer support we show how we can
  replicate the functionality of standard SDA/DDA/CDA compliant EMV cards. In
  this respect, we will show how we can securely establish a software-based e-EMV
  card within a Trusted Platform. We show how we can accomplish secure delivery
  of card applications and account activation as well as demonstrating how to
  securely port an e-EMV card from one Trusted Platform to another. Customer to
  Merchant interaction in this setting mirrors transaction processing at
  traditional POS terminals. In this regard, we build upon the services offered
  by Trusted Computing in order to provide a secure and extensible architecture
  for Internet-based CNP transactions.

• 9 May: "New Attacks on Old RFCs", HREF="mailto:Kenny.Paterson@rhul.ac.uk">Kenny Paterson.
  
  Abstract: In recent work (Paterson and Yau, "Cryptography in Theory
  and Practice: The Case of Encryption in IPsec"), we developed some attacks
  showing that the Linux kernel implementation of IPsec in "encryption-only"
  configurations is very weak. Unfortunately, the attacks don't apply more
  generally to implementations of IPsec that faithfully follow the IPsec
  standards. In this talk, I will show new attacks that should apply to any
  standards-compliant implementation of IPsec. The attacks are not as efficient
  as the earlier ones against Linux, but are still practical.

• 2 May: "Modeling of Critical Infrastructure
  Interdependencies", Stephen
  Wolthusen.
  

  Abstract: This seminar provides a brief introduction to concepts and
  terminology used in critical infrastructure protection and proceeds to discuss
  a simple multigraph-based model for the identification and analysis of
  dependencies among infrastructure elements. Subsequent discussion also covers
  the coupling of this model with underlying sensor and database components and
  concludes with the applicaton of a security model which is also based on the
  graph abstraction.

• 28 Mar: "Identity-based signatures secure in the standard
  model", Jacob Schuldt.
  
  Abstract: The only known construction of identity-based signatures
  that can be proven secure in the standard model is based on the approach of
  attaching certificates to non-identity-based signatures. This folklore
  construction method leads to schemes that are somewhat inefficient and leaves
  open the problem of finding more efficient direct constructions. We present the
  first such construction. Our scheme is obtained from a modification of Waters'
  recently proposed identity-based encryption scheme. It is computationally
  efficient and the signatures are short. The scheme's security is proven in the
  standard model and rests on the hardness of the computational Diffie-Hellman
  problem in groups equipped with a pairing.

• 21 Mar: "Introducing PKI at VOLKSWAGEN - Lessons learned
  the hard way", Tilman Schulz.
  Abstract: The VOLKSWAGEN AG
  introduced a large scale industrial PKI starting beginning of 2000, with the
  aim of issuing X.509-certificates mainly for employees for the use of
  encryption and strong authentication. The talk will outline the current PKI
  installation at VOLKSWAGEN, together with some "historical" information. We
  also discuss the changes that had to be made to the original concept, as well
  as the drawbacks that had to be faced. This should in summary outline an
  improved PKI installation.
  Dr. Tilman Schulz is an employee of VOLKSWAGEN
  AG, where he spent around 3 years working in the implementation of the
  company's PKI solution. He is currently working in the system planning for
  Unix-systems, mainly involved with security issues. Tilman holds a PhD in
  Mathematics from RWTH-Aachen, Germany.

• 14 Mar: "Hidden pairings", HREF="mailto:steven.galbraith@rhul.ac.uk">Steven Galbraith.
  

  I will talk on joint work with Alex Dent.
  Abstract: We suggest a
  new building block for cryptographic protocols and give two instantiations of
  it. The concept is to generate two descriptions of the same group: a public
  description that allows a user to compute a restricted set of operations, and a
  private description that allows a greater set of operations to be computed. We
  concentrate on the case where the public description allows a user to perform
  group operations, and the private description also allows a user to compute a
  bilinear pairing on the group. A user who has the private information can
  therefore solve decision Diffie-Hellman problems, and potentially also discrete
  logarithm problems. Some possible cryptographic applications of this idea are
  given.
  Both of our instantiations are based on elliptic curves. The first
  relies on the factoring assumption for hiding the pairing. The second relies
  on the hardness of solving a system of multivariate equations. The second
  method also gives rise to a practical trapdoor discrete logarithm system,
  thereby solving an important problem in cryptography.

• 9 Mar: "Polynomial Equivalence Problems: Algorithmic and
  Theoretical Aspects", Ludovic Perret (Universite Catholique de Louvain).
  
  Abstract: The Isomorphism of Polynomial (IP), which is the main
  concern of this talk, originally corresponds to the problem of recovering the
  secret key of a C* scheme. Besides, the security of various other schemes (e.g.
  signature, authentication, traitor tracing) also depends on the practical
  hardness of IP. Due to its numerous applications, the Isomorphism of Polynomial
  is thus one of the most fundamental problems in multivariate cryptography. In
  this paper, we address two complementary aspects of IP, namely its theoretical
  and practical difficulty. Firstly, we present an upper bound on the theoretical
  complexity of "IP-like" problems, i.e. a problem consisting in recovering a
  particular transformation between two sets of multivariate polynomials.
  Concerning the practical aspect, we present a new algorithm for solving IP. In
  a nutshell, the idea is to generate a suitable algebraic system of equations
  whose zeroes correspond to a solution of IP. From a practical point of view, we
  employed a fast Grobner bases algorithm, namely F5, for solving this system.
  This approach is efficient in practice and obliges to modify the current
  security criteria for IP. We have indeed broken several challenges proposed in
  the literature.
  This is a joint work with J-C Faugere, and will be
  presented at Eurocrypt 2006.

• 7 Mar: "Privacy-Protecting Coupon System Revisited", Lan
  Nguyen.
  Abstract: At FC'05, Chen et al. introduced an elegant
  privacy protecting coupon (PPC) system, CESSS05, in which users can purchase
  multi-coupons and redeem them unlinkably while being prevented from
  overspending or sharing the coupons. However, the costs for issuing and
  redeeming coupons are linear to the redeeming limit. Security of the system is
  not proved and only some arguments on system properties are provided. Coupons
  last indefinitely and can not be terminated. In this paper, we propose the
  first PPC system with constant costs for communication and computation. Coupons
  are revokable and the system is provably secure.

• 23 Feb: "Taonity: Grid Security from Trusted Computing",
  Wenbo Mao (HP Labs, China).
  Abstract: Grid computing is a new
  direction to advance distributed computing featuring large scale, dynamic and
  service oriented sharing of resource.
  Grid security is a key component in
  grid computing. However, in all grid architectures which mainly follow Globus,
  a grid middleware standard, grid security is considered as plain and
  conventional applications of the standard PKI authentication framework and
  makes little impact on enhancing the grid feature of advanced resource sharing.
  
  A useful security service from Trusted Computing Group (TCG) is behaviour
  conformation which can confine the users including the owner of a computing
  platform to behaviour desired by a remote user. This security service is
  practically achievable because a platform has a tamper protection hardware
  module Trusted Platform Module (TPM) to set the desired behaviour of the
  platform users. We consider that a TPM, even sparsely deployed in an initial
  stage, can be a shared security resource to enable strong grid security
  solutions. In this talk I will report the work of Project Taonity to advance
  grid security with TPM as shared security resource. This work leads a grid
  security standard track under the grid standard organisation Global Grid Forum.

• 21 Feb: "Identity-Based Encryption with Wildcards.", HREF="mailto:a.dent@rhul.ac.uk">Alex Dent.
  Abstract: An
  identity-based encryption (IBE) scheme allows you to send a message to a party
  using their identity like a public key. This means that you do not have to
  check the authenticity of someone's public key with a CA before trusting that
  it belongs to them. An extension of this idea is hierarchical identity-based
  encryption (HIBE). Here we think of an identities that might consist of several
  parts (for example, my identity might consist of three parts "Royal Holloway",
  "Mathematics Department" and "Alex Dent"). They key feature of a hierarchical
  identity-based encryption scheme is that people higher up the "tree" can create
  keys for "lower" members. In other words, in the above example, any person with
  the "Royal Holloway" decryption key can create the decryption key for the
  "Mathematics Department", and any person with the "Mathematics Department"
  decryption key can create a decryption key for "Alex Dent". This allows for
  delegated key management.
  

  However, with a HIBE, you cannot do broadcast encryption. For example, you
  cannot encrypt a message so that it can be read by anybody in the Mathematics
  Department at Royal Holloway.
  We propose a new primitive, called Wildcard
  Identity-Based Encryption (WIBE), that is similar to hierarchical identity
  based encryption, but the user can set certain fields to be wild, i.e. any
  value for that field is valid. For example, if I wanted to send a message to
  everybody in the Mathematics Department at Royal Holloway, then I would encrypt
  the message using the identity "Royal Holloway", "Mathematics Department" and
  *, where * is the wildcard symbol. This talk will present the details of the
  new primitive plus one construction based on the Waters HIBE scheme.

• 24 Jan: "An Analysis of the XSL Algorithm", HREF="mailto:Carlos.Cid@rhul.ac.uk">Carlos Cid.
  This is joint work
  with Gaetan Leurent from ENS, Paris, and was presented at Asiacrypt 2005, in
  Chennai, India.
  Abstract: The XSL algorithm is a method for
  solving systems of multivariate polynomial equations based on the linearization
  method. It was proposed in 2002 as a dedicated method for exploiting the
  structure of some types of block ciphers, for example the AES and Serpent.
  Since its proposal, the potential for algebraic attacks against the AES has
  been the source of much speculation. Although it has attracted a lot of
  attention from the cryptographic community, until recently very little was
  known about the effectiveness of the XSL algorithm. In this talk we present an
  analysis of the XSL algorithm. We show that the algorithm cannot solve the
  system arising from the AES. By discussing some alternatives for the algorithm,
  we come to the conclusion that, in its current form, it is unlikely that the
  XSL algorithm can provide an efficient method for solving the AES system of
  equations.

Previous talks presented in 2005:

• 13 Dec: "LASH: A Lattice Based Hash Function", Dan Page
  (University of Bristol).
  Joint work with K. Bentahar, J. Hoffstein,
  J.H. Silverman and N.P. Smart
  Abstract: We present a
  practical cryptographic hash function for which the difficulty of finding
  collisions and preimages is related to hard problems in lattices. The hash
  function is based on ideas of Goldreich, Goldwasser and Halevi. We show that by
  suitable parameter choices we can produce a hash function which is comparable
  in performance to existing deployed hash functions such as SHA-1 and SHA-2.

• 9 Dec: "Privacy vs. Security?", Alf Zugenmaier (Docomolab
  Europe).
  Abstract: Security and privacy are often seen as
  contradicting concepts. The impression is that it is necessary to sacrifice
  privacy for the sake of security. Looking at information and communications
  security it can be seen that this is not necessarily the case. For example, the
  concept of separating authentication and authorization has been known for a
  long time. Then, are security and privacy orthogonal concepts? Again, the
  answer is no. Some mechanisms from information security can be employed to
  enhance privacy, some mechanisms go against. Sometimes privacy is even equated
  to confidentiality, an information security concept, e.g. in the case of WEP
  (wire equivalent privacy). This definition is too restricted as shown by the
  general use of the term privacy in respect of electronic communications, which
  also includes the idea of "no spam, please". It seems necessary for a
  definition of information privacy to refer to the semantics of the information.
  In fact, the negative effect of information is cause of concern for privacy.
  This effect can range from time lost sifting through junk email to denied
  services because of a personal profile.
  

  The aim of this talk is to present a coherent definition of information privacy
  and relate it to security. It will also point out some directions of future
  research. I will present two mechanisms that can enhance information service
  users' privacy. The first one is an anonymity mechanism for mobile users. The
  second one shows how privacy can be enforced for a service that requires
  personal data, rendering it impossible to employ anonymity for privacy
  protection. These mechanisms will be embedded into a proposed taxonomy that
  reflects the different aspects of information privacy. Finally, I will show
  that security usually is a much easier sell than privacy due to the nature of
  the incentives. However, if the concept of privacy is extended from persons to
  corporations, it becomes clear that most content providing business relies on
  the concept of privacy.
  Maybe not all is lost for the cause of privacy?

• 6 Dec: "Random Oracles and the OAEP Encryption Scheme",
  Marc Fischlin (ETH Zurich, Switzerland).
  Abstract: The random
  oracle methodology is a widely deployed design method to build protocols
  meeting efficiency levels as required by real-world applications, but without
  sacrificing "too much" of best practices in security. Nowadays most practical
  cryptographic protocols like the OAEP encryption scheme rely on this approach.
  Yet, a sequence of works implies that this method is not sound: There are
  somewhat contrived protocols which are provably secure in the random oracle
  model, but no matter how one of these protocols is implemented it becomes
  completely insecure.
  In this talk we present approaches for a better
  understanding of the situation in light of the OAEP encryption scheme. Do the
  negative results about the methodology apply there? Or can we give an
  instantiation of OAEP yielding a provably secure scheme? We will not a give a
  definite answer to the problem but provide re-assuring results about the
  security of OAEP, albeit indicating that instantiations will not be easy to
  achieve.
  This talk is based on recent and ongoing work with Sasha
  Boldyreva (Georgia Tech). Parts of the talk have been published at Crypto 2005.

• 22 Nov: "Identity-Based Cryptography for Grid Security",
  Hoon Wei Lim.
  

  Abstract: The majority of current security architectures for grid
  systems use public key infrastructure to authenticate identities of grid
  members and to secure resource allocation to these members. Identity-based
  cryptography has some attractive properties which seem to align well with the
  demands of grid computing. This talk presents an investigation of the use of
  identity-based techniques to provide an alternative grid security architecture.
  We propose a customised identity-based key agreement protocol which fits nicely
  with the Grid Security Infrastructure and provides a more lightweight secure
  job submission environment for grid users. Single sign-on and delegation
  services are also supported in a very natural way in our identity-based
  architecture.

• 15 Nov: "Cryptographic proofs of work", HREF="mailto:c.mitchell@rhul.ac.uk">Chris Mitchell.
  Abstract:
  The notion of a cryptographic proof of work has found a number of applications
  in recent years, in particular with addressing threats arising from various
  types of DoS attack. For our purposes, a cryptographic proof of work (cpow) is
  a means by which one party can demonstrate to another that it has performed a
  certain amount of computation. A number of different types of cpow can be
  identified, and in this talk we review some of the types that have been
  introduced. For example, 'client puzzles' introduced to prevent computational
  overload on servers, involve the client solving a one-off puzzle produced by
  the server, and the cpow is usable only once with a specific server.
  Alternatively, if an entity wishes to prove that it is entitled to use a
  certain value, e.g. an address, it may produce a cpow related to the address
  which can be shown to many other parties over and over again. In this talk a
  variety of classes of cpow will be introduced, and some research questions will
  be raised.
  (Download slides.)

• 8 Nov: "PKI Challenges: An Industry Analysis", HREF="mailto:geraint.price@rhul.ac.uk">Geraint Price.
  

  Abstract: In this talk we categorise some of the challenges facing
  those building, deploying and using Public Key Infrastructures (PKIs). Our work
  is based upon a series of in-depth interviews and analysis. The aim of this
  work is twofold: to present the conclusions drawn from work that is based on
  years of practical experience of those in the field; to analyse those
  conclusions in order to highlight research avenues that will answer the
  challenges raised by those in industry.

• 1 Nov: "Understanding and developing role-based
  administrative models", Jason
  Crampton.
  Abstract: Access control data structures generally
  need to evolve over time in order to reflect changes to security policy and
  personnel. An administrative model defines the rules that control the state
  changes to an access control model and the data structures that model defines.
  We present a powerful framework for describing role-based administrative
  models.
  It is based on the concept of administrative domains and criteria
  that control state changes in order to preserve certain features of those
  domains. We define a number of different sets of criteria, each of which
  control the effect of state changes on the set of administrative domains and
  thereby lead to different role-based administrative models. Using this
  framework we are able to identify some unexpected connections between the
  ARBAC97 and RHA administrative models and to compare their respective
  properties. In doing so we are able to suggest some improvements to both
  models.

• 25 Oct: "Data structures for constraint enforcement in
  role-based systems", Hemanth
  Khambhammettu.
  Abstract: Constraints are an important aspect
  of role-based models. Although the specification of constraints has received
  significant research interest, there has been little work on the development of
  an efficient constraint enforcement model. In particular there does not exist a
  model for the data structures that are referenced and maintained by the
  constraint enforcement mechanism.
  

  We develop a model for such data structures that record salient information to
  be used by the constraint enforcement mechanism. We introduce the concept of a
  'constraint evaluation structure' that is used by the constraint enforcement
  mechanism to determine whether granting a request would violate a constraint.
  Two particular constraint evaluation structures form part of the run-time model
  we introduce in order to enforce dynamic constraints.

• 18 Oct: "A Key Encapsulation Mechanism for NTRU", Martijn
  Stam (University of Bristol).
  Abstract: In this talk we present a
  key encapsulation mechanism (KEM) for NTRU. The KEM is more efficient than a
  naive approach based on NAEP and resistant against the decryption failures that
  may occur when using NTRU. We also introduce plaintext awareness for KEMs and
  use it to tighten a security result by Dent.

• 11 Oct: "Modular Security Proofs for Key Agreement
  Protocols", Caroline Kudla.
  
  Abstract: The security of key agreement protocols has traditionally
  been notoriously hard to establish. We present a modular approach to the
  construction of proofs of security for a large class of key agreement
  protocols. The technique involves the use of a decisional oracle and the
  security of this class of protocols commonly reduces to some form of Gap
  assumption. We believe that the technique will enable simpler and less
  error-prone analysis and proofs, and it is compatible with Bellare-Rogaway
  style models as well as the more recent models of Bellare et al. and Canetti
  and Krawczyk.

• 4 Oct: "Recovering multiple routes using the Path From
  Loop Recovery Protocol", Po Yau.
  

  Abstract: Reactive routing protocols for ad hoc networks typically
  flood the network with request packets, but only discover one route from the
  network flood. Multipath routing protocols have been proposed to increase the
  efficiency of request flooding by discovering several routes from one request
  flood. Multiple routes, from a security viewpoint, enhances the availability
  of communication. The Path From Loop Recovery (PFLR) protocol is proposed, to
  recover additional link-disjoint routes from topological loops. PFLR operates
  as a sub-layer beneath either a single or multipath reactive route discovery
  protocol. Simulation studies have revealed that the PFLR protocol is at its
  most efficient when recovering additional paths from small topological loops.

• 28 June: "Security Flaws in Tunnel Mode IPsec", HREF="mailto:a.yau@rhul.ac.uk">Arnold Yau.
  Abstract: We
  present a variety of practical attacks that efficiently extract plaintext data
  from IP datagrams that are protected using the IPsec protocol ESP in tunnel
  mode. The attacks apply in situations where the IP datagrams are not integrity
  protected, or where integrity protection is supplied only by a higher layer
  protocol. While strongly discouraged, these configurations of IPsec are still
  allowed by the relevant IPsec RFCs. In addition, we believe that these
  configurations are widely used in practice. Our attacks even apply in some
  cases where integrity protection is provided by IPsec itself. We report on
  successful implementation of the attacks against the native implementation of
  IPsec in Linux.

• 21 June: "A New ID-based Aggregate Signature Scheme", HREF="mailto:kenny.paterson@rhul.ac.uk">Kenny Paterson.
  
  Abstract: Signature aggregation is an attractive property for a
  signature scheme to possess; it allows multiple signatures to be represented by
  a shorter string and enables batch verification of signatures. Here we
  introduce an ID-based signature scheme supporting aggregation. It is an
  ID-based analogue of the BLS signature scheme. The scheme is simple to
  describe, efficient to implement, and avoids the use of per-signature
  randomness. Our new scheme has an interesting connection to the hierarchical
  ID-based encryption scheme of Gentry and Silverberg, and hence enjoys a
  surprisingly simple security proof.

• 16 June: "Efficient Publicly Verifiable Mix-net for Long
  Inputs", Jun Furukawa (NEC Corporation).
  

  Abstract: We propose here the first efficient publicly verifiable
  hybrid mix-net. In order to achieve this goal, we have newly developed an
  IND-ME-CCA secure scheme of multiple encryption using hybrid encryption and a
  perfect zero-knowledge argument for shuffle-and-decryption of ElGamal
  ciphertexts. Although the resulting mix-net does not provide full public
  verifiability of the hybrid decryption in the case when a user and a mixer
  collude, the best adversary can do is to switch the input between a valid and
  an invalid one. The resulting scheme is efficient enough to treat large scale
  electronic questionnaires of long messages as well as voting with write-ins.
  The scheme is provably secure if we assume random oracles, semantic security of
  a one-time symmetric-key cryptosystem, and intractability of decision
  Diffie-Hellman problem.

• 14 June: "Tunable Balancing of RSA", HREF="mailto:c.heneghan@rhul.ac.uk">Chris Heneghan.
  Abstract:
  We propose a key generation method for RSA moduli which allows the cost of the
  public and private operations to be balanced according to application
  requirements. Our method is a generalisation of using small public exponents
  and small Chinese remainder(CRT) private exponents.
  We look at the
  security of using such a system and present parameters such that the system is
  secure against currently known attacks.

• 17 May: "An open framework for simplifying the use of
  source code analysis tools", Nessim
  Kisserli.
  Abstract: Source code analysis is a tedious, error
  prone activity which relies to a large extent on individual auditors'
  expertise. Various tools have been developed in attempts to ease the task and
  perhaps inject an added measure of objectivity to it, including automated
  static analysis tools. However, anyone who has attempted to use any of the
  freely available ones for Unix/ Linux such as ITS4, Splint, RATS, etc. will be
  only too aware of their shortcomings, including inflexible filtering of
  warnings and high rate of false positives. We outline a Framework for improving
  the use of source code analysis tools and illustrate parts of it by devising a
  taxonomy of insecure programming practises for C (specifically those resulting
  in two of the most widespread vulnerabilities; buffer overflows and string
  format errors). The taxonomy is then used to rate each tool's suitability at
  detecting the various errors, enabling a user to prioritise those warnings
  emitted by the most accurate tool for the particular type of error. The
  Framework is still a work in progress, but we present some encouraging evidence
  that it may lower the entry barrier for using automated source code analysis
  tools sufficiently to encourage less seasoned auditors to investigate the
  security of programmes installed on their systems.

• 3 May: "Small Scale Variants of the AES", HREF="mailto:carlos.cid@rhul.ac.uk">Carlos Cid.
  Abstract:
  Although the potential for algebraic attacks on the AES has been the source of
  recent speculation, it is currently unknown whether the proposed methods of
  solution work on the cipher. While for most types of cryptanalysis it is quite
  straightforward to perform experiments on reduced versions of the cipher to
  understand how an attack might perform, this has not been so easy for algebraic
  attacks on block ciphers. With this goal in mind, we define small scale
  variants of the AES, which inherit many of its design features and should
  provide a suitable framework for comparing different cryptanalytic methods. In
  particular, we provide some preliminary results and insights when using
  off-the-shelf computational algebra techniques to solve the systems of
  equations arising from these small scale variants. This is a joint work with
  Sean Murphy and Matt Robshaw, and was presented at the FSE'05 conference in
  Paris in February 2005.

• 26 April: "A reference monitor for workflow systems with
  constrained task execution", Jason
  Crampton.
  Abstract: We describe a model, independent of any
  underlying access control paradigm, for specifying authorization constraints
  such as separation of duty and cardinality constraints in workflow systems. We
  present a number of results enabling us to simplify the set of authorization
  constraints. These results form the theoretical foundation for an algorithm
  that can be used to determine whether a given constrained workflow can be
  satisfied: that is, does there exist an assignment of authorized users to
  workflow tasks that satisfies the authorization constraints? We show that this
  algorithm can be incorporated into a workflow reference monitor that guarantees
  that every workflow instance can complete. We derive the computational
  complexity of our algorithm and compare its performance to comparable work in
  the literature.

• 22 March: "An application of NP-completeness to
  confidentiality, authentication and commitment", Alexei Vernitski (University
  of Essex).
  

  Abstract: Applications of zero-knowledge protocols to user
  authentication are restricted to users possessing nontrivial computational
  power (for example, in the Fiat-Shamir authentication scheme, the user should
  be able to calculate square roots in finite fields). I shall present an
  implementation of zero-knowledge-based user authentication, based on an
  NP-complete problem, which requires only trivial computational power and,
  therefore, can be used to authenticate human users. I shall speak about both
  theory and usability experiments. I shall also show how the same NP-complete
  problem can be applied to establishing confidential communication and
  commitment.

• 15 March: "Investigating Windows Malware", Fauzan Mirza
  (Prosoft Research Ltd).
  Abstract: Malware is defined as malicious
  software, which encapsulates viruses, worms, trojans, and spyware. This talk
  explains how to detect and analyse malicious software on a PC running the
  Windows operating system. An overview of the Windows program model will be
  given, followed by some more details on the components of Windows that are used
  by malware (registry, filesystem) and some general clues and features that can
  help detect their presence. A brief introduction to reverse engineering Windows
  software is presented, followed by a disassembly of the MSBlast worm.

• 8 March: "Dynamic Frameproof Codes", HREF="mailto:m.b.paterson@rhul.ac.uk">Maura Paterson.
  
  Abstract: Dynamic traitor tracing was proposed by Fiat and Tassa in
  1999 in order to combat piracy in environments such as pay TV systems, where
  intellectual content is broadcast to subscribers. In this talk we introduce
  the related concept of dynamic frameproof codes and describe certain
  constructions of these schemes, as well as discussing bounds on the parameters.

• 15 February: "Padding Oracle Attacks on CBC-mode
  Encryption with Secret and Random IVs", HREF="mailto:a.yau@rhul.ac.uk">Arnold Yau.
  

  Abstract: In a previous paper, Paterson and Yau presented padding
  oracle attacks against a committee draft version of a revision of the ISO
  CBC-mode encryption standard. Some of the attacks in the previous papaer
  require knowledge and manipulation of the initialisation vector (IV). The
  latest draft of the revision of the ISO standard recommends the use of IVs that
  are secret and random. This obviates most of the attacks of the previous paper.
  In this paper we consider the security of CBC-mode encryption against padding
  oracle attacks in this secret, random IV setting. We present new attacks
  showing that several ISO padding methods are still weak in this situation.

• 8 February: "Spontaneous Anonymous Group Cryptography",
  Joseph Liu (The Chinese University of Hong Kong).
  Abstract: We
  introduce a new notion called Spontaneous Anonymous Group (SAG) Cryptography.
  It allows one to spontaneously form a group of users without any collaboration
  from other parties. It does not require any Trusted Third Party (TTP). Another
  great advantage is the setup-freeness property. Without any over-powered
  manager and setup stage, the spontaneous formation of a group is essentially
  done by specifying a list of public keys associated with the identities of
  group members. Ring Signature is a kind of cryptographic protocols in SAG
  cryptography. Our research focuses on SAG cryptography. We have proposed
  various ring signature schemes with additional properties, such as separability
  and linkability. Besides, a new verifiable encryption for a group of uses is
  proposed. For each of these protocols, we further suggest some practical
  applications or scenario which may require these protocols to facilitate.

• 1 February: "A Dynamic Key Infrastructure for GRID", HREF="mailto:h.lim@rhul.ac.uk">Hoon Wei Lim.
  Abstract: This
  paper introduces the concept of a dynamic key infrastructure for Grid. It
  utilises the properties of Identity-based Cryptography (IBC) to simplify key
  management techniques used in current Public Key Infrastructure (PKI) settings
  for Grid environments. We propose a new concept called master-public-key mould.
  It provides a user with permanent credentials which can be used as his
  long-term credentials and also to derive proxy credentials on-the-fly for the
  purpose of rights delegation. This approach can offer greater simplicity and
  flexibility in key management to Grid users.

• 25 January: "Musings on the random oracle model", HREF="mailto:a.dent@rhul.ac.uk">Alex Dent.
  

  Abstract: This focuses on the technical issues surrounding the use of
  the random oracle model in proving the security of asymmetric cryptosystems. We
  focus on the so called separation results given by Canneti, Goldreich and
  Halevi, and other authors. These results show that there are cryptosystems that
  are provably secure in the random oracle model, and yet insecure when the
  schemes are used in the real world.
  We examine the common themes in these
  separation results, and consider methods whereby we may attempt to prove that
  these separation results are limited to certain classes of cryptosystems.

• 18 January: "Cipher Machines before World War II", Richard
  Walton ( HREF="http://www.isg.rhul.ac.uk/people/academic.shtml#visitor">Visiting
  Professor).
  Abstract: This is a short introduction to cipher
  machines of the 1930's as a precursor to the examination by members of the ISG
  of some actual machines of the period belonging to John Alexander which he has
  loaned to the Bletchley Park Museum and made available to the ISG. Machines of
  the era fall into 2 quite different (but often confused)technology classes,
  Rotor Machines and Pinwheel Machines. I will explain the basic principles of
  these classes of machine with particular reference to ENIGMA (Rotor - the
  mainstay of the German Forces) and M209 (Pinwheel - widely deployed by the U.S.
  Army). The first machine for study will then be made available. This will be
  the Hagelin C36 which was the first Pinwheel Machine and was used extensively
  by the French.

Previous talks presented in 2004:

• 14 December: "Escrow Free Cryptographic Workflow", Nigel
  Smart (University of Bristol).
  Joint work with S.S. Al-Riyami and J.
  Malone-Lee.
  Abstract: Cryptographic workflow is a term
  coined by Paterson for the use of ID based cryptography in a system where the
  recipient encrypts to keys whose private component may not yet exist. The idea
  is that the recipient has to then engage in a "workflow" to obtain the keys by
  performing some acts, or showing posession of data, for the relevant
  authorization authorities. The basic idea having been introduced by Chen,
  Harrison, Soldera and Smart (later generalized by Smart) and a related concept
  having been introduced by Li, Du and Boneh in the context of trust negotiation
  for PKI's.
  In this talk we present a full security model for such schemes
  for arbitrary policies and present a provably secure scheme within the model.
  In addition our scheme is escrow free, by which we mean that the authorization
  authorities can determine no information about the actual message being
  encrypted, a property not holding for prior work in this area.

• 7 December: "Secure content management using trusted
  computing", Allan Tomlinson.
  
  

  Abstract: This presentation describes two protocols for the secure
  download of content protection software to mobile devices. The protocols apply
  concepts from trusted computing to demonstrate that a platform is in a
  sufficiently trustworthy state before any application or associated keys are
  securely downloaded. The protocols are designed to allow mobile devices to
  receive broadcast content protected by proprietary conditional access
  applications. They may also be applied in the general case where demonstration
  of a secure execution environment is required before an application is
  downloaded.

• 23 November: "Web Services Platform for Smart Card enabled
  stations", Will Sirett and HREF="mailto:j.a.macdonald@rhul.ac.uk">John Macdonald.
  
  Abstract: Today's review will be somewhat practical in nature and
  review an all java based "proof of concept" test bed. The test bed was
  developed by John and Will over the last few months and first presented at the
  recent Smart Card Open Day. It implements a web services security platform
  using Mobile Operator endorsed credentials.

• 16 November: "Modelling the security of two-party key
  agreement protocols", Caroline Kudla.
  
  

  Abstract: We present an overview of security models for 2-party key
  agreement from the pioneering model of Bellare and Rogaway in 1993 to more
  recent models by Canetti and others which favour a more modular approach and
  consider issues such as composability.
  We consider some of the
  difficulties with modelling the security of key agreement protocols and the
  problems encountered when trying to prove actual protocols secure, especially
  in the older Bellare-Rogaway style model. We provide some concrete example
  protocols which illustrate some of these issues.
  We then discuss the main
  advantages of the newer appraches, compare them to the older models, and look
  at some remaining open problems in the field.

• 9 November: "Cryptanalysis of a combined
  encryption/integrity mode", Chris
  Mitchell.
  Abstract: The PCBC (plaintext-ciphertext block
  chaining) mode of use for a block cipher was first proposed over 20 years ago
  by Meyer and Matyas (1982) - it is also described in Example 9.91 of the
  Handbook of Applied Cryptography. One particular version of PCBC was used in
  version 4 of Kerberos (1987/88) to provide both origin authentication and
  confidentiality for protocol messages - however, it was shown by Kohl (1990)
  that this approach is completely insecure, and subsequent versions of Kerberos
  took a different approach. It would appear that Meyer and Matyas knew of the
  insecurity of the version of PCBC used in Kerberos back in the early 1980s,
  i.e. before Kerberos v4 was produced, and in their 1982 book they proposed a
  different version of PCBC for use when protecting both integrity and
  confidentiality. In this talk we show that the Meyer-Matyas scheme PCBC
  variant is also insecure by demonstrating an existential forgery attack. Scope
  for further improvement of the attack remains, and some outstanding problems
  will be described.

• 2 November: "Demonstration of the Magma computer algebra
  system", Steven Galbraith.
  
  

  Abstract: I will give a short demonstration of the Magma computer
  algebra system. This system has a number of features which are not available
  in Maple or Mathematica and is very useful for working with problems in number
  theory, cryptography, algebraic geometry and algebra. The mathematics
  department has a licence for the software and it can be provided for PhD
  students who would benefit from using it. Hence the demonstration should be
  attended by all PhD students whose research involves some computational
  mathematics.

• 19 October: "Applying Hierarchical and Role-Based Access
  Control to XML Documents", Jason
  Crampton.
  Abstract: Standards such as XML Encryption and
  XML-Digital Signature can be used to protect the confidentiality of and provide
  assurances about the integrity of XML documents transmitted over an insecure
  medium. The focus of this paper is how to control access to XML documents,
  once they have been received. This is particularly important for services
  where updates are sent to subscribers. We describe how certain access control
  policies for restricting access to XML documents can be enforced by encrypting
  specified regions of the document. These regions are specified using XPath
  filters and the policies are based on the hierarchical structure of XML
  documents. We also describe how techniques for assigning keys to a security
  lattice can be adapted to minimize the number of keys that are distributed to
  users and compare our approach with a similar access control framework.
  Finally we consider how role-based access control can be used to enforce more
  complex access control policies.

• 12 October: "Applying Inductive Logic Programming to the
  learning of intrusion strategies", Steve Moyle (Oxford University Computing
  Laboratory).
  Abstract: Inductive Logic Programming (ILP) is a
  form of machine learning that can utilize background knowledge to propose first
  order rules to explain examples of phenomena (e.g. hacking attempts). It is
  well suited to learning from examples that contain rich structure (e.g. byte
  streams).
  Intrusion detection is the identification of potential breaches
  in computer security policy. The objective of an attacker is often to gain
  access to a system that they are not authorised to use. The attacker achieves
  this by exploiting a (known) software vulnerability by sending the system a
  particular input.
  

  In this talk, a gentle introduction to the curious world of ILP will be given,
  along with an overview of a common intrusion exploit -- the buffer overflow. It
  will be shown how ILP can learn rules to detect intrusion strategies that
  exploit buffer overflows.
  This talk reports on joint work with John
  Heasman.

• 14 September: "A security model for anonymous credential
  systems", Andreas Pashalidis.
  
  Abstract: This talk will introduce a complexity theoretic security
  model for anonymous credential systems. It captures three security notions and
  three privacy notions by means of games between two Turing machines: a
  Challenger and an Adversary. An associated problem, which we call the
  "Linkability" problem is also defined. The security model follows the
  Bellare-Rogaway style, as opposed to the alternative "Simulatability" approach.
  It potentially allows reductionist security arguments (or "proofs of security")
  to be constructed for cryptosystems that satisfy the definitions.
  

  Feedback is strongly solicited. You are encouraged to download and read the
  paper from here: HREF="http://www.isg.rhul.ac.uk/~xrtc/cv/credModel.pdf">http://www.isg.rhul.ac.uk/~xrtc/cv/credModel.pdf.
  You are also encouraged to ask any questions / exercise critique.

• 6 July: "Using Encryption to Enforce an Information Flow
  Policy", Jason Crampton
  

  Abstract: An information flow policy assumes the existence of a
  partially ordered set of (security) labels and a function that assigns a label
  to users and data items. The policy requires that all information flow should
  respect the ordering on the labels: in particular, if a user reads a data
  object (causing information to flow from the object to the user), then the
  user's label should be greater than or equal to the object's label. A variety
  of cryptographic methods have been proposed for implementing this "no read
  down" aspect of an information flow policy. We will describe and compare some
  of these methods, and suggest some areas for future research.

• 29 June: "Digital Watermarking and Authentication of
  Images", Anthony Ho (Nanyang Technological University (NTU), Singapore)
  
  Abstract: The tremendous growth of digital multimedia content in the
  past few years has led to the growing concern and requirement for copyright
  protection for proof of ownership and content authentication. In this talk I
  will give an overview on digital watermarking and authentication of images and
  highlight the differences as well as applications between robust, fragile and
  semi-fragile watermarking. Instead of the conventional transforms used in
  digital watermarking such as Cosine, Fourier and wavelet, I will describe two
  novel unconventional orthogonal transforms for robust and fragile watermarking,
  namely the Slant transform and Pinned Sine transform (PST). Some commercial
  applications of using digital watermarking and a software demonstration of
  fragile watermarking and robust watermarking that can survive print-and-scan
  processes will also be presented.

• 22 June: "Of Elections and Electrons", Peter Ryan
  (University of Newcastle)
  Abstract: Digital voting technologies
  is currently very topical and various systems are being proposed, trialed and
  even deployed around the world. Assurance and public confidence in such systems
  is essential. In this talk I discuss the key dependability and security
  requirements that digital voting systems should fulfill. I then give an outline
  of a variant of a scheme due to David Chaum and discuss the extent to which it
  meets these requirements.

• 15 June: "Digitally Signed Documents - Ambiguities and
  Solutions", Adil Alsaid
  

  Abstract: Digitally signing a digital document is a straightforward
  procedure; however, when the digital document contains dynamic content, the
  digital signature may remain valid but the viewed document may not be the same
  as the document when viewed by the signer. Other similar problems exist even
  with 'static' documents, if the appearance of a document can be changed. In
  this paper, we consider previously proposed solutions for such problems, and
  propose a new solution. Unresolved issues and problems are also discussed.

• 8 June: "The Personal Distributed Environment - new
  challenges in network security", HREF="mailto:Scarlet.Schwiderski-Grosche@rhul.ac.uk">Scarlet
  Schwiderski-Grosche
  Abstract: In our Mobile VCE Core 3 work,
  we investigate the Personal Distributed Environment, or PDE. The PDE
  encompasses a user perspective of multiple devices (both local and remote)
  accessing multiple services via multiple networks, all of which can be changing
  dynamically. On the network side, it is a purely virtual network representing a
  user-centric view of devices around the global Internet. In this talk, I want
  to motivate the work on PDEs by discussing different kinds of networks. I'll
  then talk about how the PDE is set up in the first place, namely the procedure
  for initialising it. This step by step procedure serves as a basis for
  developing a PDE security architecture.

• 1 June: "A General Attack Model on Hash-Based Client
  Puzzles", Geraint Price
  
  Abstract: We present a general attack model against hash-based client
  puzzles. Our attack is generic in that it works against many published
  protocols. We introduce a new protocol and subsequently attack our new
  construction as well. We conclude by drawing two requirements of client puzzle
  protocols that would overcome our attack.

• 25 May: "On the Security of PKCS #11", Jolyon Clulow
  (University of Cambridge)
  

  Abstract: Public Key Cryptography Standards (PKCS) #11 has gained wide
  acceptance within the cryptographic security device community and has become
  the interface of choice for many applications. The high esteem in which PKCS
  #11 is held is evidenced by the fact that it has been selected by a large
  number of companies as the API for their own devices. In this paper we analyse
  the security of the PKCS #11 standard as an interface (e.g. an
  application-programming interface (API)) for a security device. We show that
  PKCS #11 is vulnerable to a number of known and new API attacks and exhibits a
  number of design weaknesses that raise questions as to its suitability for this
  role. Finally we present some design solutions.

• 18 May: "Some Algebraic Aspects of the Advanced Encryption
  Standard (AES)", Carlos Cid
  
  Abstract: Since been officially selected as the new Advanced
  Encryption Standard (AES), Rijndael has continued to receive great attention
  and had its security continuously evaluated by the cryptographic community.
  Rijndael has a simple and elegant structure; given its careful design criteria,
  it seems unlikely that its security can be affected by conventional methods of
  cryptanalysis. At the same time, Rijndael has also a highly algebraic
  structure, and its selection as the AES has led to a growing interest in the
  study of algebraic properties of block ciphers, as well as algebraic techniques
  that can be used in their cryptanalysis. We will consider a number of algebraic
  aspects of the AES, and examine few computational and algebraic techniques that
  could be used in the analysis of cipher. In particular, we will consider the
  representation of the cipher as a large, though surprisingly simple, system of
  multivariate quadratic equations over the finite field GF(256), which was
  introduced by Murphy and Robshaw at Crypto'02, and examine some approaches that
  can be used to solve this system.

• 11 May: "Security APIs: The last words on ATM security,
  The first words on TC?", Mike Bond (University of Cambridge)
  
  Abstract: In the last four years, the speaker has worked to kickstart
  academic research into Security APIs. A Security API is the interface to a
  tamper-resistant device that uses cryptography to enforce policies on its
  users. The speaker first encountered these in banking networks used to protect
  and verify PINs from cash machines, and uncovered a raft of weaknesses and
  failures. The talk charts the discovery of these failures, right from the first
  crude attacks of a decade ago to sophisticated new statistical attacks on the
  deeply ingrained storage formats for PINs -- discovered in the last six months,
  and not yet published.
  The speaker speculates whether or not this is the
  last word on conventional ATM security, as the curtain lowers on the current
  designes, and new arhictecutres and buzzwords like "EMV" and "Chip and PIN"
  come to the foreground. The talk finishes by proposing that the knowledge and
  wisdom acquired from the previous study of Security APIs can be put to good
  use: describing how it is being applied to APIs for tomorrow's Trusted
  Computing systems, and how it is catalysing the development of formal tools.

• 4 May: "Efficient variants of RSA", HREF="mailto:steven.galbraith@rhul.ac.uk">Steven Galbraith
  

  Abstract: Several versions of RSA have been proposed which give
  efficiency improvements by using small decryption exponents etc. I will survey
  some of these ideas and discuss their security. I will then describe a new
  variant of RSA which seems to give very good efficiency.

• 20 April: "Finding small roots of bivariate integer
  polynomial equations Revisited", Jean-Sébastien Coron (Gemplus).
  
  Abstract: At Eurcorypt '96, Coppersmith proposed two algorithms for
  finding small roots of polynomial equations, based on lattice reduction
  techniques. Those algorithms have numerous applications in cryptanalysis. The
  first algorithm enables to find small roots of univariate polynomial equations
  modulo an integer of unknown factorization (p(x)=0 mod N), and was further
  simplified by Howgrave-Graham in 1997. The second algorithm enables to find
  small roots of bivariate polynomial equations over the integers (p(x,y)=0 over
  Z), but the approach is difficult to understand. In this talk, I will present
  a much simpler algorithm for solving the same problem. The simplification is
  analogous to the simplification brought by Howgrave-Graham to Coppersmith's
  first algorithm. As an application, I will illustrate the new algorithm with
  the problem of finding the factors of $n=pq$ if we are given the high order 1/4
  \log_2 n bits of p.

• 6 April: "On Reusable Proofs for Cryptographic Protocols",
  Colin Boyd (Queensland University of Technology).
  Abstract: The
  number of protocols with a computational proof of security is slowly growing.
  However, most of these proofs are monolithic and cannot be re-used in proofs
  for other protocols. Some recent proof models do allow component re-use, but so
  far few new protocols have resulted. We review such models and show that there
  are already sufficient components to begin an engineering approach for the
  design of provably secure protocols. We examine the limitations of current
  approaches and discuss the possibilities for use of formal methods and tool
  support.

• 23 March: "Concurrent Signatures", HREF="mailto:c.j.kudla@rhul.ac.uk">Caroline Kudla.
  

  Abstract: This talk will introduce the concept of Concurrent
  Signatures and concurrent signature protocols. Concurrent signatures fall just
  short of providing a full solution to the problem of fair exchange of
  signatures, but we discuss some applications in which concurrent signatures
  suffice. In contrast to all previous approaches, our ``near solution'' using
  concurrent signatures is highly efficient and requires neither a trusted
  arbitrator nor a high degree of interaction between the parties.

• 16 March: "Provable Prime Generation", HREF="mailto:a.johnston@rhul.ac.uk">Amy Johnston.
  Abstract:
  Prime numbers are essential for many cryptographic tools. They are used in
  public key cryptography, random number generation, and for certain large
  integer arithmetic techniques. Most algorithms for generating prime numbers are
  probabilistic: generate a random number then use a probabilistic test for
  primality; repeat tests with varying inputs to reduce the chance of a composite
  number passing. Probabilistic prime generation is simple, fast and good enough
  for most applications. With a bit more effort a provable prime can be
  generated. A provable prime comes with a certificate of primality (proof) and
  can be generated to suit most users needs (designer primes). This talk briefly
  covers some of the issues in generating prime numbers and describes the
  algorithm for generating provable primes.

• 2 March: "Security and trust service provision in Near
  Term Digital Radio ad hoc networks", HREF="mailto:keith.martin@rhul.ac.uk">Keith Martin.
  Abstract:
  NTDR networks are one of the few examples of deployed cluster-based ad hoc
  networks. We explain what they are, discuss possible security architectures and
  examine the options for providing trust services within distributed networks of
  this type.

• 24 February: "The Broadcast Blackout Problem: Providing
  Trustworthy Time and Location Data to Mobile DRM Applications", HREF="mailto:allan.tomlinson@rhul.ac.uk">Allan Tomlinson.
  

  Abstract: Digital Rights Management (DRM) systems often require
  knowledge of the location where content is to be accessed and the time that the
  content is being accessed. This information must be provided from a source that
  the DRM application, and ultimately the content provider, can trust. In mobile
  systems, with many potential content rendering devices, providing trustworthy
  time and location information presents a challenge. This paper presents two
  protocols that provide such information in a secure and trustworthy manner.

• 17 February: "MAC Attack", HREF="mailto:kenny.paterson@rhul.ac.uk">Kenny Paterson.
  Joint work
  with Simon Blackburn
  Abstract: A cryptanalysis is given of a
  MAC proposal presented at CRYPTO 2003 by Cary and Venkatesan. Our attacks find
  collisions for the MAC and yield MAC forgeries, both faster than a
  straightforward application of the birthday paradox would suggest. For the
  suggested parameter sizes (where the MAC is 128 bits long) we give a method to
  find collisions using about 2^{48.5} MAC queries, and to forge MACs using about
  2^{55} MAC queries. We emphasise that our results do not contradict the lower
  bounds on security proved by Cary and Venkatesan. Rather, they establish an
  upper bound on the MAC's security that is substantially lower than one would
  expect for a 128-bit MAC.

• 10 February: "Padding Oracle Attacks on the ISO CBC Mode
  Encryption Standard", Arnold Yau.
  

  Abstract: In 2002 Vaudenay presented an attack on block cipher CBC
  mode encryption when a particular padding method is used. In this paper, we
  employ a similar approach to analyse the padding methods of the ISO CBC-mode
  encryption standard. We show that, for several of the padding methods referred
  to by this standard, we can exploit an oracle returning padding correctness
  information to efficiently extract plaintext bits.

• 3 February: "International Data Transfer", Mark Lomas.
  
  Abstract: The scope of the talk is somewhat broader than the
  title in that I aim to cover all of your obligations under the European Data
  Protection Directive in an environment where you expect to transfer data
  internationally. The talk was originally written for a law conference, where I
  was invited to give a technologist's perspective on the legislation. However,
  I also think it instructive for technologists to understand their legal
  obligations. Of particular relevance, data processors are obliged to take
  'appropriate security measures' to protect personal or 'sensitive' information.
  I shall discuss those measures suggested by the Information Commissioner's
  Office. I invite attendees to consider what additional measures might help
  achieve the underlying objectives of the legislation.

• 27 January: "Verifier Specified Signatures", HREF="mailto:geraint.price@rhul.ac.uk">Geraint Price.
  
  Abstract: The recent trend in increase in Identity (or Identifier)
  Based cryptography has largely been based around encryption mechanisms. At
  first glance, Identity based signatures offer little advantage in practise over
  their certificate-based counterparts. This is largely down to the fact that the
  signature needs to be generated on a document or message before it can be
  verified, allowing the signer to attach the certificate at the same time. In
  this talk, we begin exploring whether there are any potential benefits to be
  had from using ID-Based signatures in different ways.

• 20 January: "Hybrid Encryption" HREF="mailto:a.dent@rhul.ac.uk">Alex Dent
  

  Abstract: This talk will cover the recent developments in hybrid
  encryption focusing on the Shoup KEM/DEM constructions. It will explain the
  construction and the properties required of the KEM and DEM, some KEM
  constructions and some future problems.

• 13 January: "Methods for computing MACs - are provably
  secure schemes best?", Chris
  Mitchell.
  Abstract: NIST is currently trying to establish a
  series of standards governing how AES is to be used. One part of this process
  inovlves the formulation of a standard method of using a block cipher to
  compute a MAC. The current favourite would appear to be the OMAC scheme, due
  to Iwata and Kurosawa. This has the advantage that it has a formal proof of
  security. However, it has been shown that, once use parameters go outside the
  scope of the security proof (e.g. if more than a certain number of MACs are
  computed with a single key), then the security collapses dramatically. This
  contrasts with other schemes whose security appears to degrade more gracefully
  when the limits of the proof domain are reached. A simple modification to OMAC
  has been proposed which appears to improve its resistance to attacks outside
  the scope of the security proof - however, Iwata and Kurosawa have shown that
  this modified scheme CANNOT be provem secure inside the usual model. Thus we
  are now faced with a choice between a scheme with a security proof, and another
  scheme which appears to offer greater resistance to attack which which does
  not, and cannot, have a security proof. What does this mean?
  (Download href="slides/13_01_04_CM.ppt">slides.)

Previous talks presented in 2003:

• 5 December: "A Cautonary Note on Automatic Proxy
  Configuration", Andreas
  Pashalidis.
  Abstract: Web proxies can be used for a variety
  of services. Web browsers typically offer the option not only to statically
  configure a web proxy, but also to download proxy settings dynamically from the
  Internet. Unfortunately, the supporting infrastructure does not enable the
  browsers to properly authenticate the origin of these proxy settings. This
  inadequacy provides an opportunity for an attacker to interpose his own proxy
  between a client device and the web. The scope of potential harm includes
  wholesale or selective interception of web traffic, and web spoofing. In a
  practical setting the attack works even in the presence of SSL/TLS channels
  that are supposed to protect against interception and modification. Depending
  on the presence and configuration of a firewall, attacks can be launched by
  outsiders as well as by insiders. In this talk I will try to present various
  attack scenarios and I will also try to demonstrate how SSL/TLS interception
  works 'in the real world', i.e. by actually doing it live on the Internet (on
  my own traffic in order to avoid infringing any law(s)).

• 7 October: "An Introduction to Braid Group Cryptography",
  Roger Henderson.
  
  Abstract: This talk will provide a brief introduction to braid theory
  and discuss the hard problems relating to braids. Then it will describe the
  burau matrix attacks of Lee and Park presented at Eurocrypt' 2002 on the Braid
  Group PKC proposed by Ki Hyoung Ko et al. at Crypto 2000.

• 30 September: "Single Sign-On using Trusted Platforms", HREF="mailto:a.pashalidis@rhul.ac.uk">Andreas Pashalidis.
  
  Abstract: Network users today have to remember one username/password
  pair for every service they are registered with. One solution to the security
  and usability implications of this situation is Single Sign-On, a mechanism by
  which the user authenticates only once to an entity termed the 'Authentication
  Service Provider' (ASP) and subsequently uses disparate Service Providers (SPs)
  without necessarily re-authenticating. The information about the user's
  authentication status is handled between the ASP and the desired SP in a manner
  transparent to the user. This paper demonstrates a method by which the
  end-user's computing platform itself plays the role of the ASP. The platform
  has to be a Trusted Platform conforming to the Trusted Computing Platform
  Alliance (TCPA) specifications. The relevant TCPA architectural components and
  security services are described and associated threats are analysed.

• 23 September: "Protecting Personal Location Information",
  Anand Gajparia.
  
  Abstract: To offer location based services, service providers need to
  have access to Location Information (LI) regarding the users which they wish to
  serve; this is a potential privacy threat. Constraints, i.e. statements about
  limiting the use and distribution of LI, which are securely bound to the LI
  have been proposed as a means to reduce this threat. However, constraints may
  themselves reveal information to any potential LI user - that is, the
  constraints themselves may also be a privacy threat. To address this problem we
  introduce the notion of a LI Preference Authority (LIPA). A LIPA is a trusted
  third party which can examine LI constraints and make decisions about their
  distribution without revealing the constraints to the entity requesting the LI.
  This is achieved by encrypting both the LI and the constraints with a LIPA
  encryption key. This ensures that the LI is revealed, only at the discretion of
  the LIPA. We will also discuss how this mechanism may be enhanced by using
  trusted platforms.

• 8 July: "Heterogeneous Internet Access via PANA/IKEv2", HREF="mailto:p.s.pagliusi@rhul.ac.uk">Paulo Pagliusi.
  

  Abstract: Currently there are no Internet access authentication
  protocols available that support both symmetric and asymmetric cryptographic
  techniques, can be carried over arbitrary access networks, and are flexible
  enough to be re-used in all the likely future ubiquitous mobility access
  contexts. This presentation is based on an article that I wrote with Chris that
  proposes the PANA/IKEv2 authentication protocol for heterogeneous network
  access as a step towards filling this gap. A security analysis of the
  PANA/IKEv2 protocol is also provided.

• 1 July: "Enforcing node cooperation in mobile ad hoc
  network routing", Po Yau.
  
  Abstract: Mobile ad hoc networks will inherently include selfish nodes
  unwilling to cooperate in distributed operations such as routing. The CORE
  scheme is a reputation mechanism which looks at addressing this issue. I shall
  be talking about this and highlighting the flaws in the scheme because I am a
  nasty man.

• 24 June: NB: This week's seminar was shared
  between two first year PhD talks
  "Attacks on Fixed Padding RSA
  Signatures", Chris Heneghan.
  

  Abstract:Fixed padding of messages have been used in RSA signature
  schemes to break the multiplicative property of RSA which allows basic RSA
  signatures to be easily forged. Several attacks have appeared against these
  fixed padding schemes. In this talk I will present two of these attacks and
  give an overview the types of fixed padding broken by the other attacks.
  
  "The development of Practice Oriented Provable Security" , HREF="mailto:s.jantarapatin@rhul.ac.uk">Peng Jantarapatin.
  
  Abstract: The presentation will talk about a new sub-area of
  cryptography called "practice-oriented provable security". It is about applying
  the ideas of "provable security" to the derivation of practical secure
  protocols. The presentation will begin with the basic idea of provable
  security, and then introduce the roughly idea about Practice Oriented Provable
  Security through the works of Bellare and Rogaway. This presentation is based
  on the article, Practice Oriented Provable Security, written by Mihir Bellare

• 17 June: "The Hidden Number problem over extension
  fields", Herbie Hopkins.
  
  Abstract: Boneh and Venkatesan proposed a polynomial time algorithm
  for solving the Hidden Number problem over a prime field. That is to recover a
  hidden number a in F_p, where p is prime, from the most significant bits of the
  residue of a*t mod p for several randomly chosen t in F_p. Using this algorithm
  they showed that computing the most significant bits of the Diffie Hellman
  secret is as hard as computing the secret key itself. I will show how this
  algorithm can be extended to the case of an arbitrary extension field and
  applied to The Bilinear Diffie Hellman problem, an important tool in modern
  cryptography.

• 10 June: "Identity based authenticated key agreement
  protocols from Pairings", Caroline
  Kudla.
  

  Abstract: We investigated a number of issues of Identity-based
  authenticated key agreement protocols from pairing on elliptic curves. We
  present a protocol more efficient than previous work and also modify the
  protocol to give two additional properties: namely TA forward secrecy and the
  ability of users to use sepatate Trusted (Key issuing) Authorities. We also
  present security proofs for our protocols and their modifications in the
  Bellare-Rogaway model.

• 3 June: "First thoughts on Grid computing and its
  relevance to future mobile telecommunication systems", HREF="mailto:Scarlet.Schwiderski-Grosche@rhul.ac.uk">Scarlet
  Schwiderski-Grosche.
  Abstract: I've just started to look in
  to Grid computing because I think it may help us solve some of the problems in
  future mobile telecommunication systems. Especially, I hope to find some ideas
  how to implement PDEs (Personal Distributed Environments, the work we do in the
  Mobile VCE project) and solve some of their inherent security problems. I'm
  pretty much at the starting point of this work, but I'd like to give you an
  introduction in to Grid computing concepts, especially the security aspects,
  and possibly some first thoughts on how this can be applied to PDEs.

• 28 May: "Iterated Block Ciphers of Various Block Lengths",
  Laurence O'Toole.
  
  Abstract: Triple-DES has a lot in common with DESX. You start with
  some plaintext, perform some function (DES or XOR), perform another function
  (DES-1 or DES) and finally perform a third function (DES or XOR) to get the
  ciphertext. From this a generalised form of triple encryption (where the three
  functions are arbitrary ciphers) can be inferred. There are certain attacks
  (notably the Meet-In-The-Middle attack) that will always work against such
  systems more efficiently than a brute force search. However, this system still
  has a large underlying assumption. This is identified and then removed, giving
  rise to a much more general method of encryption. We will then discuss the most
  efficient way(s) to use this and look at it's effect on the Meet-In-The-Middle
  attack.

• 13 May: "Key Distribution Patterns with Disenrollment", HREF="mailto:j.c.bate@rhul.ac.uk">Julia Bate.
  

  Abstract: Key Distribution Patterns (introduced by Mitchell and Piper
  in 1987) are public patterns of subgroups produced using incidence structures.
  They provide an efficient solution to the main key storage problem, allowing
  secure communication between every pair of users in a large network. Extending
  this concept to allow for the disenrollment of any untrustworthy participants
  will compromise the security of the KDP unless certain measures are taken and
  changes made to the standard KDP. I will discuss Key Distribution Patterns,
  motivation and methods of disenrollment and the trade off between efficiency
  and security.

• 7 April: "One-way functions for chain-based micropayment",
  Siaw-Lynn Ng.
  Abstract:
  Micropayment schemes are electronic payment systems tailored to transactions of
  a very small financial value. One popular approach to micropayment design uses
  the idea of chaining a one-way function. We examine the precise notion of
  "one-wayness" required for such an application.

• 31 March: "Cryptology and Non-Computer Security", Matt
  Blaze (AT&T - Research)
  Abstract: Computer security and
  cryptology takes much of its basic philosophy and language from the world of
  mechanical locks, and yet we often ignore the possibility that physical
  security systems might suffer from the same kinds of attacks that plague
  computers and networks. This talk examines mechanical locks from a computer
  scientist's viewpoint. We describe attacks for amplifying rights in mechanical
  pin tumbler locks. Given access to a single master-keyed lock and its
  associated change key, a procedure is given that allows discovery and creation
  of a working master key for the system. No special skill or equipment, beyond
  a small number of blank keys and a metal file, is required, and the attacker
  need engage in no suspicious behavior at the lock's location. We end with
  future directions for research in this area and the suggestion that mechanical
  locks are worthy objects of our attention and scrutiny.
  

  The paper on which this talk is based is available at: HREF="http://www.crypto.com/masterkey.html">http://www.crypto.com/masterkey.html

• 25 March: "Broadcast Encryption and Subset Covers", HREF="mailto:t.a.martin@rhul.ac.uk">Thomas Martin.
  Abstract:
  We look to the Broadcast Encryption solution to the problem of a center sending
  a message over a broadcast channel to a dynamically changing group of users.
  It's applications include Pay-per-view and subscription services over the
  internet and on TV. The Stateless Receiver variety of the problem requires that
  the users need retain no information from previous transmissions (apart from
  their own secret keys) to access the current broadcast. We look at two schemes
  by Naor, Naor and Lotspiech, and discuss improvements and variations.

• 17 March: "Server v. client side protocols, interfaces and
  storage", Geraint Price.
  

  Abstract: The analysis of security protocols has been the mainstay of
  security research for the past 20 years. This analysis has primarily been
  focused on the ability of the protocols to share keys between communicating
  parties, or to convince one party of another's identity. We discuss the
  possibility of extending the work from the protocols themselves to the
  interfaces that shape the interactions between parties and the data that is
  both shared across and affected by those interfaces.

• 11 March: "Invisibility and anonymity of undeniable
  signatures", Steven Galbraith.
  
  Abstract: Undeniable signatures are public key signatures which
  can be verified only with some interaction with the signer. Essentially, the
  signer controls who can verify the signature.

  I will discuss two notions of security of undeniable signatures: invisibility
  and anonymity. I will present an undeniable signature scheme based on RSA
  which has good security and efficiency properties. The talk will assume
  familiarity with RSA signatures and Diffie-Hellman key exchange. This is joint
  work with Wenbo Mao at Hewlett-Packard labs in Bristol.

• 4 March: "Truncation attacks on CBC-MACs", HREF="mailto:c.mitchell@rhul.ac.uk">Chris Mitchell.
  Abstract:
  A new type of attack is introduced which takes advantage of MAC truncation to
  simplify key recovery attacks based on MAC verifications. One example of the
  attack is described which, in certain circumstances, enables a more efficient
  attack than was previously known to be launched against the ANSI retail MAC.
  The existence of this attack means that truncation for this MAC scheme should
  be used with greater care than was previously believed, and very short MACs
  should be avoided altogether.

• 21 January: "On the plausible deniability feature of
  IKEv2",
  Kenny Paterson .
  

  Abstract: We begin with an examination of the "plausible deniability''
  design feature which has been adopted in the current version of IKE v2, version
  2 of the IPSec Internet Key Exchange protocol. We expose an authentication flaw
  in a mode of IKEv2 which has this feature and diagnose the cause. We then
  propose several methods for fixing the flaw while at the same time
  strengthening the deniability feature. Joint work with Wenbo Mao,
  Hewlett-Packard Laboratories.
  

Previous talks presented in 2002:

• 10 December: "Integrating XML Trust and PKI in Web
  Services",
  Hemanth Khambhammettu .
  

  Abstract: Interoperability amongst Public Key Infrastructures is a major
  concern, and a crucial need to be addressed, for the businesses executing
  online- commerce transactions. This talk looks at XML-based Trust Services and
  observes its integration with PKIs, in Web Services domain. The main aim of the
  talk is to introduce the integration of XML- based services with PKI. This talk
  examines XML Key Management Specification (XKMS), laying a backdrop of new
  XML-based standards, which implement PKI concepts to provide security
  characteristics for XML documents. We also observe how XKMS addresses the
  issues that stand as a hindrance for the wide-spread deployment of PKI
  applications. Following, it addresses a few vital security concerns while
  implementing XML-based Trust services in Web Services domain.
  

• 3 December: "Constraints in Role-Based Access Control",
  Jason Crampton .
  
  Abstract: Separation of duty has been an important theoretical area of
  research in access control for many years. However, it has rarely been
  implemented in commercial operating systems and applications. We will review
  the history of and concepts behind separation of duty constraints and
  role-based access control. We then introduce a simple method for specifying
  constraints and discuss a potential method of implementation. The
  implementation model is based on history-based access control techniques that
  have been used to implement certain kinds of access control policies for mobile
  code.
  

• 19 November: "Public Key Infrastructures: where next?",
  Geraint Price .
  

  Abstract: With Public Key Infrastructures seemingly falling out of favour in the
  industry we ask the question: Does PKI have a future? Our analysis will be
  split in two. In the first section we concentrate on the technology behind PKI.
  At the heart of current PKI offerings is the certificate and we look at the
  different means by which certification can be achieved, emerging
  infrastructures that do not use certificates and how we see the technology
  surrounding their use evolving. In the second section we look at the business
  issues driving the evolution of PKI. We consider such factors as cost and
  legislation. We conclude our discussion by bringing together threads from both
  the previous sections through an analysis of non-repudiation.
  

• 5 November: "Certificate-less Public Key Cryptography",
  Sattam Al-Riyami .
  
  Abstract: I will give an overview of freshly conducted research into
  constructing a new type of asymmetric cryptosystem based on the Bilinear
  DiffieHellman problem. This work should lead to a practical alternative to
  certificate based or identity based cryptography. The goal of the talk is to
  introduce the concept and benefits of a certificate-less public key
  cryptography and stimulate possible ideas.
  

• 22 October: "Security in Mobile Agent-based Network
  Management",
  Andreas Pashalidis .
  

  Abstract: In this talk the usage of Java mobile agents, called Aglets,
  for network management is investigated. The solution proposed is a hybrid
  environment where network management applications can make use of the mobile
  agents as well as the SNMP protocol. The talk focuses on the security aspects
  involved with the use of mobile agents in this context, and proposes a security
  model which addresses actively some of these aspects. Finally, a Java
  implementation of the proposed security model will be demonstrated.
  

• 15 October: "Non-commutative Cryptography",
  Ki Hyoung Ko .
  
  Abstract: We will survey on cryptosystems using non-commutative
  algebraic structures and on cryptoanalyses of some of these systems.
  

• 24 September: "A Contemporary Foreword on GSM Security ",
  Paulo S. Pagliusi .
  

  Abstract: This talk contains a current outline of the GSM system security,
  with focus on the air interface protocol. It presents the terminology and
  describes the GSM security operation, including its principles and features.
  This talk also discusses the effectiveness of GSM authentication and the
  strength of GSM encryption. It includes therefore the most significant physical
  and cryptanalytic attacks on GSM security mechanisms, such as the up to date
  optical fault induction and partitioning attacks. GSM security features
  retained and enhanced for the 3G Security and further applications in network
  (Internet) remote access are also contemplated. This seminar aims primarily at
  contributing to a progressive research in mobile systems security and at
  reviewing the security solutions implemented in this area for further
  applications.
  

• 10 September: "Algebraic Structure in the AES",
  Matt Robshaw.
  
  Abstract: After a review of the design and status of the Advanced Encryption
  Standard (AES) we describe some recent research results. These results provide
  an alternative setting in which to research the fundamental properties of the
  algorithm.
  

• 9 July: "Denial of Access in Biometrics-based
  Authentication Systems",
  Luciano Rila.
  

  Abstract: Biometrics has been widely recognised as a powerful tool for
  problems requiring personal identification. Unlike traditional authentication
  methods, however, biometrics-based authentication systems may reject valid
  users or accept impostors. The accuracy of a biometric system could be defined
  as its combined ability to reject impostors and accept valid users. The
  biometrics industry places heavy emphasis on security issues relating to the
  rejection of impostors while denial of access remains largely neglected in the
  evaluation of biometric systems. In this talk, I will discuss how denial of
  access may impact on all major aspects of a biometric system and propose
  solutions to reduce the probability of denial of access based on more
  sophisticated authentication decision-making strategies.
  

• 25 June: "Triple-X Cryptography: A Generalisation Of A
  Generalisation",
  Laurence O'Toole.
  
  Abstract: This talk, inspired by one given by Chris Mitchell, is a report on
  the ongoing work for my Ph.D. The meet-in-the-middle attack works in a very
  similar way on both Triple-DES and DESX. In fact, both of these ciphers are
  merely special cases of a more general model that this attack can be applied
  to. I will propose an even more generalised version that could potentially
  cause problems for the meet-in-the-middle attack and then, using this, a
  variation on DESX that could be more secure against certain attacks despite no
  increase in the keyspace.
  

• 18 June: "Design of an Authentication Protocol for GSM
  Javacards",
  Vorapranee Khu-Smith (Dao).
  

  Abstract: I will be presenting a paper titled 'Design of an Authentication
  Protocol for GSM Javacards' by S. Cimato. In this work, an authentication
  protocol is derived by the integration of the Kerberos and Lamport
  authentication schemes. The protocol is targeted to the GSM network, involving
  users that interact through a mobile phone, and the network provider acting as
  trusted authority. A prototype application which implements parts of the
  protocol interaction phases,has been developed in the Javacard framework and is
  also discussed.
  

• 11 June: "Alternative Access to Mobile Networks - Beyond
  3G",
  Scarlet Schwiderski-Grosche.
  
  Abstract: In this talk, I present results from the SHAMAN project.
  Access to 2G (i.e. GSM) and 3G (i.e. UMTS) networks is based on subscription to
  a home network. For post-3G networks, we have investigated the use of
  alternative access techniques, i.e., there is no home network but the user pays
  ad hoc for the telecommunication services received from a foreign access
  network. A new architecture for alternative access is presented and different
  payment mechanisms are reviewed. The presentation slides represent a first
  version of the slides that will be presented at the SHAMAN workshop in July.
  
  

• 28 May: "Composition of Block Ciphers - More Secure?",
  Peter Wild.
  

  Abstract: This talk concerns analysis of the security of the
  composition of block ciphers in the random oracle model.
  

• 21 May: "Posets and protocols - picking the right
  three-party protocol",
  Siaw Lynn Ng.
  
  Abstract: In this talk we introduce a framework in which we can investigate
  the possibility of adapting a security protocol in order to obtain optimal
  efficiency according to the communication channels available. This method is
  based on the observation that there is a partial order imposed upon the actions
  of the various parties involved in a protocol. We define operations permitted
  on the partially ordered set associated with the protocol and obtain
  transformations of the original protocol while preserving the security
  properties. Performing these operations on the protocol we enumerate the
  options available to a system.
  

• 14 May: "Group Signatures and Their Applications",
  Steven Galbraith.
  

  Abstract: Group signatures are a type of "anonymous" signature. A group
  signature can be generated by any member of a specified group and can be
  verified by anyone with the public key of the group, but the identity of the
  actual signer is hidden. There is a trusted authority (group manager) who can
  identify which individual member of the group generated a given signature. This
  talk will introduce some group signature schemes and discuss some applications
  in which they might be used (particularly, electronic auctions).
  

• 7 May: "Probabilistic Packet Marking for IP Traceback",
  Keith Martin.
  
  Abstract: I will give a high level overview of recent research into
  providing traceback capabilities for tracing network packets back to anonymous
  sources. The goal of the talk is to highlight this research area and stimulate
  possible research problems.
  

• 30 April: "Non-malleability - do we really need it?",
  Chris Mitchell.
  

  Abstract: In this talk I will briefly discuss the notion of non-malleability,
  as applied to public key encryption. The context of its definition, i.e.
  certain formal models of security, will be briefly and informally described.
  The impact of these formal notions on the development of public key encryption
  standards will then be outlined. Finally some questions will be raised about
  whether the current approach to standardisation of public key encryption is the
  correct one.
  

• 23 April: "WHAT AUCTIONS",
  Arnold Yau.
  
  Abstract: Online and offline auctions, how to do it and how not to, and
  why they are doing it anyway.
  

• 16 April: "Public Key Infrastructures: A Technical
  Overview",
  Geraint Price.
  

  Abstract: We present joint work on reviewsing the state of PKIs from a
  technical perspective. We start by tracing the history of asymmetric
  cryptography, then overview what we believe to be the constituent parts of a
  PKI. Finally we overview some of the alternatives to asymmetric cryptography.
  
  

• 19 March: "Building & Attacking Elliptic Curve Based
  Protocols",
  Sattam Al-Riyami.
  
  Abstract: The talk covers a paper that was produced as a result of joint
  work with Kenny Paterson. It takes the pairing-based tripartite key agreement
  protocol of Joux and develops it to produce three-party key agreement protocols
  offering additional security properties. We present a number of tripartite, one
  round, authenticated protocols related to the MTI and MQV protocols. We also
  present pass-optimal authenticated and key confirmed tripartite protocols that
  generalise the station-to-station protocol. The security properties of the new
  protocols are examined using heuristic methods. Applications for the protocols
  are also provided.
  

  (Download slides. Check out the
  paper.)

• 12 March: "Security analysis of smartcard to card reader
  communications for biometric cardholder authentication",
  Luciano Rila.
  
  Abstract: The use of biometrics, and fingerprint recognition in particular,
  for cardholder authentication in smartcard systems is growing in popularity.
  In such a biometric-based cardholder authentication system, sensitive data may
  be transferred between the smartcard and the card reader. In this talk we
  identify and classify possible threats to the communications link between card
  and card reader during cardholder authentication. We also analyse the impact of
  these threats. We consider four different architectures and use the threat
  analysis to indicate the relative security of the various possible
  architectures.
  

  (Download slides.)

• 5 March: "On the security of the Digital Signature
  Algorithm",
  Theo Garefalakis.
  

  Abstract: We present a key recovery attack to the DSA,
  when sufficiently many bits of the nonces are exposed.
  

• 26 February: "A high level introduction to RADIUS and
  DIAMETER Protocols",
  Paulo Pagliusi.
  
  Abstract: Historically, the RADIUS protocol has been used to provide
  authentication, authorization and accounting (AAA) services for dial-up PPP and
  terminal server access. Over time, routers and network access servers (NAS)
  have increased in complexity and density, making the RADIUS protocol
  increasingly unsuitable for use in such networks. The Diameter protocol was not
  designed from the ground up. Instead, the basic RADIUS model was retained while
  fixing the flaws in the RADIUS protocol itself. The basic concept behind
  Diameter is to provide a base protocol that can be extended in order to provide
  AAA services to new access technologies, in large-scale systems with provisions
  for congestion control. Currently, the protocol only concerns itself with
  Internet access, both in the traditional PPP sense as well as taking into
  account the ROAMOPS model, and Mobile-IP.
  

  (Download slides.)

• 19 February: "The security of two-key DESX",
  Chris Mitchell.
  
  Abstract: DESX, proposed by Rivest a number of years ago, is an efficient,
  but apparently neglected, way of improving the security of a block cipher. It
  achieves levels of security comparable with triple DES but only requires one
  block cipher encryption to process a block of data, as compared with three for
  triple DES. Moreover it possesses a proof of security. The proof of security
  applies to both the two-key and three-key variants of DESX. However in this
  talk we exhibit a new kind of attack which only applies to the two-key variant.
  Whilst it by no means rules out the use of two-key DESX, there does appear to
  be a difference in security level between the two-key and three-key variants.
  It is also throws an interesting light on the interpretation of proofs of
  security.
  

• 12 February: "Security vulnerabilities in event-driven
  systems",
  Simos Xenitellis.
  
  Abstract: If you use Windows (tm) or the X Window system
  (these are the most common event-driven systems), then this talk is for you.
  Software applications communicate using events and there are typically no
  restrictions as to who can send/receive them. The absence of restrictions
  causes security vulnerabilities with similar characteristics to buffer
  overflows.
  

• 22 January: "de Weger's Extension of Wiener's continued
  fraction attack for RSA with small (N^0.25>) d",
  Namhyun Hur.
  
  Abstract: This talk is about de Weger's extension of Wiener's attack to RSA
  with small private key d. You will see me struggling to explain things like
  RSA, continued fraction, Wiener's attack, de Weger's extension, and an
  implementation of de Weger's attack.
  

• 15 January: "Cryptographic Primitives from the Weil and
  Tate pairings",
  Kenny Paterson.
  
  Abstract: We consider constructive applications of the Weil
  and Tate pairings in cryptography. We will review the identity-based
  encryption scheme of Boneh and Franklin from Crypto 2001. We next
  look at Joux's tri-partite Diffie-Hellmann key exchange protocol
  from ANTS in 2000. Then we construct several new cryptographic
  primitives based on the Weil/Tate pairing. We will not assume
  the audience has any specialist knowledge in number theory.
  

  (Download slides. Check out the
  paper.)