Seminars

Unless indicated otherwise, the CryptoSeminar is being held in the Atwater Kent building on the WPI Worcester campus. The Atwater Kent building is at the intersection of Salisbury Street and the extension of West Street (labeled "Private Way"). See directions to campus.

The talks are 30-45 minutes long and are open to everyone.

Refreshments are usually served 15 minutes before the talk. There is no fee and no formal registration. If you are attending a Seminar for the first time, a short e-mail to Profs. Berk Sunar or Bill Martin, saying that you would like to attend, would be appreciated.

Lightweight and Resilient Security Design for Wireless Sensor Networks

Kui Ren, WPI, CRIS Laboratory
May 5, 2006, 3:00pm, Atwater Kent Labs, WPI, Room 218

Abstract

Wireless sensor networks (WSNs) have drawn a lot of attention recently due to their broad applications in both military and civilian domains. A WSN usually consists of a large number of ultra-small, low-cost devices that have limited energy resources, computation, memory, and communication capacities. WSNs are often deployed in a vast terrain to detect events of interest and deliver data reports over multi-hop wireless paths to the base station for applications such as battlefield reconnaissance and homeland security monitoring. Data security is essential for these mission-critical applications to work in unattended and even hostile environments.

However, providing data security in WSNs has never been an easy task, for many reasons. First, sensor nodes are extremely resource-constrained, which leaves very limited space for security design; second, WSNs are application-specific in nature, which has to be carefully considered in the security design; last but not least, sensor nodes are subject to compromise by adversaries, which exposes WSNs to both outsider and insider attacks and makes security design much harder than in conventional networks. In this presentation, we introduce our latest research on data security in WSNs. Our work focuses on providing lightweight, resilient, scalable and comprehensive security design that is tailored and optimized for WSNs. We developed a suite of security mechanisms, each customized to a different type of data traffic in WSNs. We demonstrate the effectiveness and efficiency of our design through both extensive analysis and simulations, and through comparisons between our design and other popular solutions.

Cryptography for Ultra-Low Power Devices, Securing Ubiquitous Computing

Jens-Peter Kaps, WPI, CRIS Laboratory
May 1, 2006, 11:00am, Atwater Kent Labs, WPI, Room 218

Abstract

Ubiquitous computing describes the notion that computing devices will be everywhere: clothing, walls and floors of buildings, cars, forests, deserts, etc. Ubiquitous computing is becoming a reality: RFIDs are currently being introduced into the supply chain. Wireless distributed sensor networks (WSN) are already being used to monitor wildlife and to track military targets. Many more applications are being envisioned. For most of these applications some level of security is of utmost importance. Common to WSN and RFIDs are their severely limited power resources, which classify them as ultra-low power devices.

Early sensor nodes used simple 8-bit microprocessors to implement basic communication, sensing and computing services. Security was an afterthought. The main power consumer is the RF transceiver, or radio for short. In the past years, specialized hardware for low-data-rate and low-power radios has been developed. The new bottleneck is security services, which employ computationally intensive cryptographic operations. Customized hardware implementations hold the promise of enabling security for severely power-constrained devices.

Most research groups are concerned with developing secure wireless communication protocols, others with designing efficient software implementations of cryptographic algorithms. There has not been a comprehensive study on hardware implementations of cryptographic algorithms tailored for ultra-low power applications. Our goal is to develop a suite of cryptographic functions for authentication, encryption and integrity that is specifically fashioned to the needs of ultra-low power devices.

This presentation gives an introduction to the specific problems that security engineers face when they try to solve the seemingly contradictory challenge of providing lightweight cryptographic services that can perform on ultra-low power devices. We developed a suite of cryptographic functions for ultra-low power devices which is comprised of scalable universal hash functions and several public key and secret key algorithms, covering the services of authentication, integrity, confidentiality and enabling scalable establishment of trust between devices.

Frequency Domain Arithmetic for Cryptography

Selcuk Baktır, WPI, CRIS Laboratory
April 27, 2006, 2:00pm, Atwater Kent Labs, WPI, Room 311

Abstract

Finite fields have many applications in coding theory and cryptography; therefore, efficient implementation of finite field arithmetic operations is crucial. The fastest known multiplication algorithm, introduced by Schönhage and Strassen, performs multiplication in the frequency domain using the Fast Fourier Transform (FFT) with complexity O(m log(m) log(log(m))) for multiplication of m-bit integers or m-coefficient polynomials. Unfortunately, the method bears significant overhead due to the conversions between the time and the frequency domains, which makes it impractical for relatively short (160-1024 bit) operands as used in many applications. In this work, we investigate practical frequency domain multiplication techniques for cryptographic operand lengths.

We first propose using the Fermat transform for performing efficient multiplication in Fermat fields using the FFT. We show that, with careful selection of parameters, all multiplications required for the FFT computations can be avoided and polynomial multiplication in finite fields can be achieved with only O(m) multiplications in addition to O(m log(m)) simple shift, addition and subtraction operations. Thus, in constrained devices where multiplication is expensive, multiplication in the suggested finite fields may outperform other efficient methods such as Karatsuba for even small operands, e.g. relevant to elliptic curve cryptography (ECC).

Finally, we introduce "DFT Modular Multiplication", which computes Montgomery products of polynomials in the frequency domain. Thus, both polynomial multiplication and modular reduction are performed in the frequency domain, and costly conversions between the frequency and time domains are avoided. We propose a novel time/area-efficient DFT modular multiplier architecture and an ECC processor which achieves ECC in the frequency domain utilizing the proposed multiplier. To the best of our knowledge, this work presents the first hardware implementation of a frequency domain multiplier for ECC and the first hardware implementation of ECC in the frequency domain. The synthesis results for our ECC processor are presented for custom VLSI CMOS technology for 169, 289 and 361 bit fields. We show that the proposed ECC processor is time/area-efficient and is promising for constrained environments such as wireless sensor networks.
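To make the "shifts instead of multiplications" idea from the abstract concrete, here is an added example (not code from the talk or from the CRIS Laboratory) that multiplies two polynomials over the Fermat field GF(2^16 + 1) with a length-32 number-theoretic transform whose root of unity is 2, so every twiddle factor is a power of two. The choice of q = 2^16 + 1, the transform length 32 and all function names are assumptions made for this example.

```python
import random

Q = (1 << 16) + 1   # Fermat prime 2^16 + 1: here 2^16 = -1, so 2 has order 32
N = 32              # transform length, equal to the order of the root of unity 2

def mul_pow2(x, e):
    """x * 2^e mod Q. A shift followed by a reduction; in hardware the reduction
    is itself a shift-and-subtract because 2^16 = -1 (mod Q). No multiplier."""
    return (x << (e % N)) % Q

def ntt(a, e):
    """Radix-2 Cooley-Tukey transform of a with root of unity 2^e.
    Requires len(a) * e = 0 (mod 32); every twiddle is a power of two."""
    n = len(a)
    if n == 1:
        return a[:]
    ev, od = ntt(a[0::2], 2 * e), ntt(a[1::2], 2 * e)
    out = [0] * n
    for k in range(n // 2):
        t = mul_pow2(od[k], e * k)            # twiddle factor: a shift, not a multiply
        out[k] = (ev[k] + t) % Q
        out[k + n // 2] = (ev[k] - t) % Q     # 2^(e*n/2) = -1 folds the second half
    return out

def poly_mul_ntt(a, b):
    """Product of two polynomials of degree < 16 over GF(Q), coefficients low-first.
    The 32 pointwise products are the only true modular multiplications."""
    A = ntt(a + [0] * (N - len(a)), 1)        # forward transform, omega = 2
    B = ntt(b + [0] * (N - len(b)), 1)
    C = [(x * y) % Q for x, y in zip(A, B)]   # O(m) multiplications
    c = ntt(C, N - 1)                         # inverse transform, omega^-1 = 2^31
    return [mul_pow2(x, N - 5) for x in c][:len(a) + len(b) - 1]   # scale by 1/32 = 2^27

def poly_mul_schoolbook(a, b):
    """Reference: 256 coefficient multiplications for two 16-term polynomials."""
    c = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            c[i + j] = (c[i + j] + x * y) % Q
    return c

def check_random(seed=2006):
    """Constructed random operands; True when both methods agree."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(16)]
    b = [rng.randrange(Q) for _ in range(16)]
    return poly_mul_ntt(a, b) == poly_mul_schoolbook(a, b)
```

Padding the 16-term operands to length 32 keeps the product (degree at most 30) free of cyclic wrap-around, which is why the inverse transform returns the exact linear convolution.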

The Mathematics of Computer Security

Dr. Burton S. Kaliski, Jr., RSA Security
April 26, 2006, 4:00pm, Campus Center, WPI, Hagglund Room

Abstract

Prime numbers, sometimes thought to be one of the most obscure topics in mathematics, are some of the most useful tools in modern computer security. This session will explore how prime numbers and other aspects of basic number theory like Greatest Common Factor, modular arithmetic, and the Chinese Remainder Theorem are employed in cryptography today. No advanced math background will be assumed.

Fault Tolerance in Cryptography

Gunnar Gaubatz, WPI, CRIS Laboratory
April 25, 2006, 11:00am, Atwater Kent Labs, WPI, Room 311

Abstract

Several classes of attacks on cryptosystem implementations have been grouped under the common term side channel attacks. The name stems from the fact that data-dependent variations in timing, power consumption, electromagnetic emanations and behavior in the presence of faults can be exploited by an adversary. The resulting unintentional leakage of secret information thus constitutes a covert channel, a side channel. Active attacks like fault injections are a powerful class of attacks since, in addition to observation, they allow the adversary to influence the behavior of the circuit in a manner that may not have been anticipated by the designer.

Our research into fault tolerance in cryptography has so far been focused on two main aspects:

  1. fault tolerant arithmetic for public-key cryptography, and
  2. sequential control logic resilient to adversarial faults.

Our contributions to the first aspect are a) a novel approach to fault tolerance based on the homomorphic embedding of finite fields into redundant finite rings, and b) an extension of the idea of non-linear robust block codes to arithmetic codes. We motivate the need for the second aspect by presenting a new type of fault attack that can reveal the secret key from a cryptographic device, even if the data path is protected against side-channel attacks. We therefore propose a new approach to fault resilient state machine design based on large minimum distance error detecting codes to thwart such attacks.

Proving Security Protocols Correct -- Correctly: Cryptographically justifying symbolic analyses of security protocols

Dr. Jonathan Herzog, MITRE Corp.
Wednesday, March 22, 2006, 4:00pm, Atwater Kent Labs, WPI, Room 218

(Slides: PPT, PDF)

Abstract

The analysis of security protocols (e.g., TLS, SSH, or Kerberos) is a surprisingly tricky business. Flaws are often subtle, and attacks can remain undiscovered for years. However, the security of our computer networks rests in large part upon protocols such as these. Clearly, there is a great need to analyze these protocols in a rigorous and reliable way.

The 'symbolic' model (also known as the 'Dolev-Yao' or 'formal' model) is one of the few models widely accepted for this purpose. It represents both the protocol messages and the adversary at a high level, and thus presents an attractive framework in which to express protocol analysis methods. Indeed, this model is amenable to tools from formal methods (such as theorem provers and model checkers) and specialized mathematical methods (such as our Strand Space method). Further, despite undecidability in the general case, the proof methods of this model are actually simple enough in practice to automate.

However, the symbolic model rests on a number of strong yet implicit assumptions regarding the underlying cryptography, assumptions which must be justified. In this talk, we will explore these cryptographic assumptions in light of two recent developments in the world of cryptography:

Short Biography

Jonathan Herzog received his B.S. (Math) from Harvey Mudd College in 1997 and his Ph.D. (Computer Science) from Massachusetts Institute of Technology in 2004. He joined the MITRE Corporation in 1997 as an INFOSEC Engineer/Researcher, and continues to work there as a Cryptographer. He is co-developer of the Strand Space method of protocol analysis, and the Cryptographic Protocol Programming Language (CPPL).

Devices Resistant to Attacks and Modular Automated Synthesis for Clockless Circuits.

Alexander Taubin, ECE Department, Boston University
Friday, February 10, 2006, 11:00am, Atwater Kent Labs, WPI, Room 218

Abstract

Strong encryption algorithms have been designed to withstand cryptanalysts that have access to plaintext and ciphertext. However, the physical implementation provides the attacker with important extra information. Attacks have been developed which use implementation-specific weaknesses ('side channels') and monitor the power consumption, electromagnetic emission, and behavior under malfunctions to derive the secret keys without even damaging the device. With the help of statistical methods, these so-called side-channel attacks (or non-invasive attacks) amplify and evaluate leaked information to determine the secret keys. Side-channel attack vulnerabilities result from transistor and circuit electrical behaviors. This ultimately compromises cryptography and shifts the top priority in cryptography from further algorithmic improvements to the prevention of such attacks by means of reducing variations in timing, power and radiation. Asynchronous (clockless) circuit design techniques, especially balanced, finely-grained pipelines, are able to play a key role, particularly in making hardware designs inherently resistant to non-invasive attacks.

This talk presents a framework for automated synthesis of clockless circuits. The flow starts from traditional synthesizable or gate-level HDL and separates logic optimization from timing by introducing local clocks at the post-synthesis design stage. It is based on commercial EDA tools and can handle circuits of the same complexity as contemporary synchronous RTL flows. At higher granularity levels, the area overhead for completion detection and handshake circuitry is reduced, while at lower levels of granularity pipelining provides a tremendous increase in circuit performance. The robustness of clockless circuits to delay variations allows them to run at very low voltage levels, even slightly below the transistor threshold. Hence, automated clockless circuit design combines high performance with low power and short time to market.

Short Biography

Alexander Taubin received the M.S. and Ph.D. degrees in Computer Science and Engineering from the Electrotechnical University of St. Petersburg, Russia. From 1993 to 1999, he was with the Department of Computer Hardware at the University of Aizu, Japan, as a Professor. From 1999 to 2001, he was with Theseus Logic, Inc., Sunnyvale, CA, as Senior Scientist. In 2002 he joined the Electrical and Computer Engineering Department of Boston University. His current research interests include design and design automation of asynchronous fine-grain pipelined systems, high-security, high-speed and low-power systems, and design automation. Dr. Taubin co-authored two books on asynchronous design and has published more than 50 journal and conference papers.

Maintained by webmaster@wpi.edu
Last modified: Feb 27, 2007, 00:35 EST