Papers by Siamak F Shahandashti
SPDH-Sign: Towards Efficient, Post-quantum Group-Based Signatures
Lecture Notes in Computer Science, 2023
We consider designing broadcast encryption schemes with constant-size secret keys and ciphertexts... more We consider designing broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our proposed scheme has constant-size secret keys and ciphertexts and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie-Hellman exponent and the knowledge of exponent assumptions. We prove both of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time.
In applications such as end-to-end encrypted instant messaging, secure email, and device pairing,... more In applications such as end-to-end encrypted instant messaging, secure email, and device pairing, users need to compare key fingerprints to detect impersonation and adversary-in-the-middle attacks. Key fingerprints are usually computed as truncated hashes of each party's view of the channel keys, encoded as an alphanumeric or numeric string, and compared out-of-band, e.g. manually, to detect any inconsistencies. Previous work has extensively studied the usability of various verification strategies and encoding formats, however, the exact effect of key fingerprint length on the security and usability of key fingerprint verification has not been rigorously investigated. We present a 162-participant study on the effect of numeric key fingerprint length on comparison time and error rate. While the results confirm some widely-held intuitions such as general comparison times and errors increasing significantly with length, a closer look reveals interesting nuances. The significant rise in comparison time only occurs when highly similar fingerprints are compared, and comparison time remains relatively constant otherwise. On errors, our results clearly distinguish between security non-critical errors that remain low irrespective of length and security critical errors that significantly rise, especially at higher fingerprint lengths. A noteworthy implication of this latter result is that Signal /WhatsApp key fingerprints provide a considerably lower level of security than usually assumed. CCS CONCEPTS • Security and privacy → Usability in security and privacy; Software security engineering; • Human-centered computing → Empirical studies in HCI .
arXiv (Cornell University), Sep 6, 2022
Group-based cryptography is a relatively unexplored family in post-quantum cryptography, and the ... more Group-based cryptography is a relatively unexplored family in post-quantum cryptography, and the so-called Semidirect Discrete Logarithm Problem (SDLP) is one of its most central problems. However, the complexity of SDLP and its relationship to more well-known hardness problems, particularly with respect to its security against quantum adversaries, has not been well understood and was a significant open problem for researchers in this area. In this paper we give the first dedicated security analysis of SDLP. In particular, we provide a connection between SDLP and group actions, a context in which quantum subexponential algorithms are known to apply. We are therefore able to construct a subexponential quantum algorithm for solving SDLP, thereby classifying the complexity of SDLP and its relation to known computational problems.
Journal of Mathematical Cryptology, 2022
All instances of the semidirect key exchange protocol, a generalisation of the famous Diffie-Hell... more All instances of the semidirect key exchange protocol, a generalisation of the famous Diffie-Hellman key exchange protocol, satisfy the so-called telescoping equality; in some cases, this equality has been used to construct an attack. In this report, we present computational evidence suggesting that an instance of the scheme called "MOBS (matrices over bitstrings)" is an example of a scheme where the telescoping equality has too many solutions to be a practically viable means to conduct an attack.
IACR Cryptology ePrint Archive, 2016
Bitcoin as deployed today does not scale. Scalability research has focused on two directions: 1) ... more Bitcoin as deployed today does not scale. Scalability research has focused on two directions: 1) redesigning the Blockchain protocol, and 2) facilitating 'off-chain transactions' and only consulting the Blockchain if an adjudicator is required. In this paper we focus on the latter and provide an overview of Bitcoin payment networks. These consist of two components: payment channels to facilitate off-chain transactions between two parties, and the capability to fairly exchange bitcoins across multiple channels. We compare Duplex Micropayment Channels and Lightning Channels, before discussing Hashed Time-Locked Contracts which enable Bitcoin-based payment networks. Finally, we highlight challenges for route discovery in these networks.
Conference on Electronic voting technology/workshop on trustworthy elections, Jul 1, 2014
Online Security Attack Experience and Worries of Young Adults in the Kingdom of Saudi Arabia
IFIP advances in information and communication technology, 2023
A novel attack on McEliece's cryptosystem
International Journal of Computer Mathematics: Computer Systems Theory, Jul 3, 2023
arXiv (Cornell University), Apr 25, 2023
In this paper, we present a new diverse class of post-quantum group-based Digital Signature Schem... more In this paper, we present a new diverse class of post-quantum group-based Digital Signature Schemes (DSS). The approach is significantly different from previous examples of group-based digital signatures and adopts the framework of group action-based cryptography: we show that each finite group defines a group action relative to the semidirect product of the group by its automorphism group, and give security bounds on the resulting signature scheme in terms of the grouptheoretic computational problem known as the Semidirect Discrete Logarithm Problem (SDLP). Crucially, we make progress towards being able to efficiently compute the novel group action, and give an example of a parameterised family of groups for which the group action can be computed for any parameters, thereby negating the need for expensive offline computation or inclusion of redundancy required in other schemes of this type.
arXiv (Cornell University), May 30, 2019
In this paper, we address an unsolved problem in the real world: how to ensure the integrity of t... more In this paper, we address an unsolved problem in the real world: how to ensure the integrity of the web content in a browser in the presence of malicious browser extensions? The problem of exposing confidential user credentials to malicious extensions has been widely understood, which has prompted major banks to deploy two-factor authentication. However, the importance of the "integrity" of the web content has received little attention. We implement two attacks on real-world online banking websites and show that ignoring the "integrity" of the web content can fundamentally defeat two-factor solutions. To address this problem, we propose a cryptographic protocol called DOMtegrity to ensure the end-to-end integrity of the DOM structure of a web page from delivering at a web server to the rendering of the page in the user's browser. DOMtegrity is the first solution that protects DOM integrity without modifying the browser architecture or requiring extra hardware. It works by exploiting subtle yet important differences between browser extensions and in-line JavaScript code. We show how DOMtegrity prevents the earlier attacks and a whole range of man-inthe-browser (MITB) attacks. We conduct extensive experiments on more than 14,000 real-world extensions to evaluate the effectiveness of DOMtegrity.
International Journal of Information Security, Feb 12, 2013
We consider designing broadcast encryption schemes with constant-size secret keys and ciphertexts... more We consider designing broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our proposed scheme has constant-size secret keys and ciphertexts and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie-Hellman exponent and the knowledge of exponent assumptions. We prove both of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time.
2022 13th International Symposium on Communication Systems, Networks and Digital Signal Processing (CSNDSP)
Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that c... more Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that current security solutions cannot effectively stop the spread of IoT attacks. Machine Learning (ML) techniques are promising in improving protection against such attacks. In this work, three supervised ML algorithms are trained and evaluated for detecting rank and blackhole attacks in RPL-based IoT networks. Extensive simulations of the attacks are implemented to create a dataset and appropriate fields are identified for training the ML model. We use Google AutoML and Microsoft Azure ML platforms to train our model. Our evaluation results show that ML techniques can be effective in detecting rank and blackhole attacks, achieving a precision of 93.3%.
A systematic framework for categorising IoT device fingerprinting mechanisms
The popularity of the Internet of Things (IoT) devices makes it increasingly important to be able... more The popularity of the Internet of Things (IoT) devices makes it increasingly important to be able to fingerprint them, for example in order to detect if there are misbehaving or even malicious IoT devices in one’s network. However, there are many challenges faced in the task of fingerprinting IoT devices, mainly due to the huge variety of the devices involved. At the same time, the task can potentially be improved by applying machine learning techniques for better accuracy and efficiency. The aim of this paper is to provide a systematic categorisation of machine learning augmented techniques that can be used for fingerprinting IoT devices. This can serve as a baseline for comparing various IoT fingerprinting mechanisms, so that network administrators can choose one or more mechanisms that are appropriate for monitoring and maintaining their network. We carried out an extensive literature review of existing papers on fingerprinting IoT devices – paying close attention to those with machine learning features. This is followed by an extraction of important and comparable features among the mechanisms outlined in those papers. As a result, we came up with a key set of terminologies that are relevant both in the fingerprinting context and in the IoT domain. This enabled us to construct a framework called IDWork, which can be used for categorising existing IoT fingerprinting mechanisms in a way that will facilitate a coherent and fair comparison of these mechanisms. We found that the majority of the IoT fingerprinting mechanisms take a passive approach – mainly through network sniffing – instead of being intrusive and interactive with the device of interest. Additionally, a significant number of the surveyed mechanisms employ both static and dynamic approaches, in order to benefit from complementary features that can be more robust against certain attacks such as spoofing and replay attacks
ICT Systems Security and Privacy Protection, 2021
Cookie banners are devices implemented by websites to allow users to manage their privacy setting... more Cookie banners are devices implemented by websites to allow users to manage their privacy settings with respect to the use of cookies. They are part of a user's daily web browsing experience since legislation in Europe requires websites to show such notices. In this paper, we carry out a large-scale study of more than 17,000 websites including more than 7,500 cookie banners in Greece and the UK to determine compliance and tracking transparency levels. Our analysis shows that although more than 60% of websites store third-party cookies in both countries, only less than 50% show a cookie notice and hence a substantial proportion do not comply with the law even at the very basic level. We find only a small proportion of the surveyed websites providing a direct opt-out option, with an overwhelming majority either nudging users towards privacyintrusive choices or making cookie rejection much harder than consent. Our results differ significantly in some cases from previous smaller-scale studies and hence underline the importance of large-scale studies for a better understanding of the big picture in cookie practices.
Online Security Attack Experience and Worries of Young Adults in the United Kingdom
IFIP advances in information and communication technology, 2022
IACR Cryptol. ePrint Arch., 2016
We give a survey of existing attacks against end-to-end verifiable voting systems in the academic... more We give a survey of existing attacks against end-to-end verifiable voting systems in the academic literature. We discuss attacks on the integrity of the election, attacks on the privacy of voters, and attacks aiming at coercion of voters. For each attack, we give a brief overview of the voting system and a short description of the attack and its consequences.
End-to-end verifiable E-voting trial
On 2 May, 2019, during the UK local elections, an e-voting trial was conducted in Gateshead, usin... more On 2 May, 2019, during the UK local elections, an e-voting trial was conducted in Gateshead, using a touch-screen end-to-end verifiable e-voting system. This was the first trial of verifiable e-voting for polling station voting in the UK, and it presented a case study to envisage the future of e-voting.
Journal of Mathematical Cryptology, 2012
Since their introduction, the notions of indistinguishability and non-malleability have been chan... more Since their introduction, the notions of indistinguishability and non-malleability have been changed and extended by different authors to support different goals. In this paper, we propose new flavors of these notions, investigate their relative strengths with respect to previous notions, and provide the full picture of relationships (i.e., implications and separations) among the security notions for public-key encryption schemes. We take into account the two general security goals of indistinguishability and non-malleability, each in the message space, key space, and hybrid message-key space to find six specific goals, a couple of them, namely complete indistinguishability and key non-malleability, are new. Then for each pair of goals, coming from the indistinguishability or non-malleability classes, we prove either an implication or a separation, completing the full picture of relationships among all these security notions. The implications and separations are respectively supported by formal proofs (i.e., reductions) in the concrete-security framework and by counterexamples.
In this report we survey the various proposals of the key exchange protocol known as semidirect p... more In this report we survey the various proposals of the key exchange protocol known as semidirect product key exchange (SDPKE). We discuss the various platforms proposed and give an overview of the main cryptanalytic ideas relevant to each scheme.
Uploads
Papers by Siamak F Shahandashti