Algebraic structure lies at the heart of much of Cryptomania as we know it. An interesting question is the following: instead of building (Cryptomania) primitives from concrete assumptions, can we build them from simple Minicrypt primitives endowed with additional algebraic structure? In this work, we affirmatively answer this question by adding algebraic structure to the following Minicrypt primitives: one-way functions, weak unpredictable functions and weak pseudorandom functions. The algebraic structure that we consider is group homomorphism over the input/output spaces of these primitives. We show that these structured primitives can be used to construct several Cryptomania primitives in a generic manner.

Our results make it substantially easier to show the feasibility of building many cryptosystems from novel assumptions in the future. In particular, we show how to realize any CDH/DDH-based protocol with certain properties in a generic manner from input-homomorphic weak unpredictable/pseudorandom functions, and hence, from any concrete assumption that implies the existence of these structured primitives.

Our results also allow us to categorize many cryptographic protocols based on which structured Minicrypt primitive implies them. In particular, endowing Minicrypt primitives with increasingly richer algebraic structure allows us to gradually build a wider class of cryptoprimitives. This seemingly provides a hierarchical classification of many Cryptomania primitives based on the "amount" of structure inherently necessary for realizing them.

Note the changed time.

In this talk, I will revisit a paper Arun Kundnani, Joris van Hoboken and I started writing in 2014 and published in 2016. In the backdrop of our writing sessions in New York were the Black Lives Matter protests that started in Ferguson and spread nationwide, and human rights advocates disputing surveillance programs targeting muslim communities in New York and New Jersey. While counter-surveillance was at the heart of all these developments, they flourished in communities and spoke to constituencies that were mostly distinct from another group that some of us were circling in: privacy advocates, progressive security engineers, and policy makers, who following Edward Snowden’s revelations of US and UK surveillance programs had been seeking to win majority support for countering surveillance. The paper studies this discrepancy by taking a closer look at the activities, discourse and solutions propose by the latter group. It describes the ways in which advocates of privacy framed the problem as the replacement of targeted surveillance with mass surveillance programs, and identified the solutions as predominantly technical and involving the use of encryption – or ‘crypto’ – as a defense mechanism. The paper further illustrated that by raising the specter of an Orwellian system of mass surveillance, shifting the discussion to the technical domain, and couching that shift in economic terms undermined a political reading that would attend to the racial, gendered, classed, and colonial aspects of the US and UK surveillance programs. We asked then: how can this specific discursive framing of counter-surveillance be re-politicized and broadened to enable a wider societal debate informed by the experiences of those subjected to targeted surveillance and associated state violence? During the talk, I hope we can revisit this question anew given how in 2020 COVID-19 has come to normalize surveillance in the name of public health, replacing the "war on terror" with the "war on the virus" and we see the rise of a fresh wave of global protests around Black Lives Matter.

The summer of 2020 saw the largest anti-racist protests in British history. In order to understand how deeply entrenched racism is to British policing, we must look beyond the British mainland and into the colonial policing which shaped racial governance. It is in this context that we can better explore how policing and racism are resisted in 21st century Britain. This postcolonial lens will help analyse spontaneous resistance and organised radical campaigns which envision a world in which state punishment and violence is replaced with solidarity, care and co-operation.

Over the last several years, numerous journalists and news organizations have reported incidents in which their communications have been hacked, intercepted, or retrieved. In 2014, Google security experts found that 21 of the world’s 25 most popular media outlets were targets of state-sponsored hacking attempts, and many journalists have watched helplessly as hackers took control of their social media accounts, targeting confidential information in their internal servers. When journalists’ digital accounts are vulnerable to hacks or surveillance, news organizations, journalists, and their sources are at risk, and journalists’ ability to carry out their newsmaking function is reduced. Yet, some journalists do not believe that hacking and surveillance are significant threats, and they are not adopting information security measures to protect their data, themselves, or their sources. This research study includes 19 interviews with journalists, developers, and digital security trainers to shed light on journalists’ perceptions of information security technologies, including motivations to adopt and barriers to adoption. The findings show that motivations to adopt information security technologies hinge on the idea of protection: protection of self, story, and the journalist’s role—more so than the protection of the source, contrary to contemporary discourse about why journalists need to adopt such technologies.

Note the changed time.

How do technologies mediate security practices and how can we study them? In this talk I draw on my fieldwork in banks to show how banks rely on technologies to detect suspicious transactions that may be connected to money laundering or terrorism financing. Inspired by work at the intersection of (critical) security studies and science and technology studies, I foreground the role of digital technologies in the production of security expertise by compliance officers and intelligence analysts in banks. The research is based on multi-sited ethnography centred around ‘sites of experimentation’.

In this talk I'll give an overview of my research on the security and privacy experiences of at-risk users. The talk will center on two studies with different populations: women in South Asia [1] and survivors of intimate partner abuse [2].

[1] “‘They Don't Leave Us Alone Anywhere We Go’: Gender and Digital Abuse in South Asia.” Nithya Sambasivan, Amna Batool, Nova Ahmed, Tara Matthews, Kurt Thomas, Sane Gaytán, David Nemer, Elie Bursztein, Elizabeth Churchill, Sunny Consolvo. CHI 2019   (Best Paper)

[2] “Stories from survivors: Privacy & security practices when coping with intimate partner abuse.” Tara Matthews, Kathleen O'Leary, Anna Turner, Manya Sleeper, Jill Palzkill Woelfer, Martin Shelton, Cori Manthorne, Elizabeth F Churchill, Sunny Consolvo. CHI 2017   (Best Paper)

Note the changed time.

In the 1990s the US government feared the emergence of encryption technologies that would prevent them from conducting legal intercept and signals intelligence.

To preserve their capabilities, whilst at the same time providing public key encryption to citizens, the government developed a key escrow technology, the Clipper Chip, which would allow warranted recovery of suspect's encryption keys. In parallel, the government used export regulations in an attempt to prevent strong encryption escaping their borders and reaching foreign adversaries.

Opposing government policies were the digital privacy activists, including the Cypherpunks, a group of borderline anarchist technologists. The digital privacy activists developed and disseminated encryption technologies such as PGP to undermine government policies. The privacy activists also challenged the government export regulations in the courts in an attempt to have them declared unconstitutional.

This seminar will explore the main events of the battle between the government and digital privacy activists during the 1990s.

In this work, we consider the computer security and privacy practices and needs of recently resettled refugees in the United States. We ask: How do refugees use and rely on technology as they settle in the US? What computer security and privacy practices do they have, and what barriers do they face that may put them at risk? And how are their computer security mental models and practices shaped by the advice they receive? We study these questions through in-depth qualitative interviews with case managers and teachers who work with refugees at a local NGO, as well as through focus groups with refugees themselves. We find that refugees must rely heavily on technology (e.g., email) as they attempt to establish their lives and find jobs; that they also rely heavily on their case managers and teachers for help with those technologies; and that these pressures can push security practices into the background or make common security “best practices” infeasible. At the same time, we identify fundamental challenges to computer security and privacy for refugees, including barriers due to limited technical expertise, language skills, and cultural knowledge — for example, we find that scams as a threat are a new concept for many of the refugees we studied, and that many common security practices (e.g., password creation techniques and security questions) rely on US cultural knowledge. From these and other findings, we distill recommendations for the computer security community to better serve the computer security and privacy needs and constraints of refugees, a potentially vulnerable population that has not been previously studied in this context.

Note the changed time.

In this talk, I will revisit a qualitative research project examining how digital activists navigate risks posed to them in online environments. I examined how a group of activists across ten different non-Western countries adapted and responded to threats posed by two types of powerful actors: both the state, and technology companies that run the social media platforms on which many activists rely to conduct their advocacy. Through a series of interviews, I examined how resistance against censorship and surveillance manifested in everyday practices, not just the use of encryption and circumvention technologies, but also the choice to use commercial social media platforms to their advantage despite considerable ambivalence about the risks they pose. Much has changed in the digital landscape since I first conducted this work: in the discussion I plan to engage with how these findings prefigured larger concerns about misinformation and digital surveillance, and illustrate the importance of balancing locally contingent interpretations of risk against the larger geopolitical backdrop in which technology companies now play an important role.

Note the changed time.

In this talk we investigate the problem of automating the development of adaptive chosen ciphertext attacks on systems that contain vulnerable format oracles. Rather than simply automate the execution of known attacks, we consider a more challenging problem: to programmatically derive a novel attack strategy, given only a machine-readable description of the plaintext verification function and the malleability characteristics of the encryption scheme. We present a new set of algorithms that use SAT and SMT solvers to reason deeply over the design of the system, producing an automated attack strategy that can entirely decrypt protected messages.

Note the changed time.

Since the 1960s we have been told that new computing technologies are ushering in a new era: the Computer Revolution and Knowledge Economy (1962), Global Village and One-Dimensional Man (1964), the Third (1975) and the Fourth (2015) Industrial Revolutions(s). There was never a consensus on which kind of computational techniques were behind the change. Then in the 1990s a number of humanities academics discovered the Internet. They used their understanding of its technical architecture to define the relevant properties of computation that were behind our emerging network society. Canonical scholarship emerged (Castells 1996) alongside cyberlibertarian visions (Barlow 1996) that told much the same story: computer networks were not only naturally decentralized and liberating, they were welcome solvents on the old, centralized order. When cryptography burst into public (and humanist) consciousness, it could only make things even better by further empowering the individual.

In my talk I want to offer a different characterization of the relationship between computer networks, cryptography, and their consequences for society. To do so, I go back to one of the beginnings, to Paul Baran's Distributed Adaptive Message Block Network, as outlined in his canonical On Distributed Communications--drawing in particular on the formerly classified twelfth volume of this series. Rather than envision networks as naturally distributed and open, Baran can help us better characterize them as naturally closed, encrypted, and at odds with individual liberty. I will discuss other reasons for this claim, as well as its consequences--offering an outline of what networks mean when we build cryptography into their identity and function.

Drawing on the experiences of a novel collaborative project between sociologists and computer scientists, this talk identifies a set of challenges for fieldwork that are generated by this 'wild interdisciplinarity'. Public Access Wi-Fi Service was a project funded by an ‘in-the-wild’ research programme, involving the study of digital technologies within a marginalised community, with the goal of addressing digital exclusion. I argue that similar forms of research, in which social scientists are involved in the deployment of experimental technologies within real world settings, are becoming increasingly prevalent. The fieldwork for the project was highly problematic, with the result that few users of the system were successfully enrolled. I'll analyse why this was the case, identifying three sets of issues which emerge in the juxtaposition of interdisciplinary collaboration and wild setting. I conclude with a set of recommendations for projects involving technologists and social scientists.

This talk will revisit joint work with Harry Halpin and Ksenia Ermoshina, conducted in the frame of the H2020 European project NEXTLEAP (2016-2018, nextleap.eu). Due to the increased and varied deployment of secure messaging protocols, differences between what developers “believe” are the needs of their users and their actual needs can have very tangible and potentially problematic consequences. Based on 90 interviews with both high and low-risk users, as well as with several developers, of popular secure messaging applications, we mapped the design choices made by developers to threat models of both high-risk and low-risk users. Our research revealed interesting and sometimes surprising results, among which: high-risk users often consider client device seizures to be more dangerous than compromised servers; key verification is important to high-risk users, but they often do not engage in cryptographic key verification, instead using other “out of band” means; high-risk users, unlike low-risk users, often need pseudonyms and are heavily concerned over metadata collection. Developers tend to value open standards, open-source, and decentralization, but high-risk users often find these aspects less urgent given their more pressing concerns; and while, for developers, avoiding trusted third parties is an important concern, several high-risk users are in fact happy to rely on trusted third parties ‘protected’ by specific geo-political situations. We conclude by suggesting that work still needs to be done for secure messaging protocols to be aligned with real user needs, including high-risk, and with real-world threat models.

In just a few years, Fully Homomorphic Encryption (FHE) has gone from a theoretical “holy grail” of cryptography to a commercial product. This is in part due to the development of Machine Learning as a Service, and the fact that our society has evolved to be data-driven. As a consequence, secure computation has become more valuable and has seen some great advances. In this talk, we will discuss some of these improvements in FHE, as well as some of the latest implementation results. We will finish by discuss one of the main challenges in FHE, the analysis of the noise growth in an FHE ciphertext.

It is well known that older adults continue to lag behind younger adults in terms of their breadth of uptake of digital technologies, amount and quality of engagement in these tools and ability to critically engage with the online world. Can these differences be explained by older adults’ distrust of digital technologies? Is trust, therefore, a critical design consideration for appealing to older adults? In this talk I will argue that while distrust is not, in fact, determinative of non-use and therefore does not explain these differences in tech usage, it is nonetheless key for designers to understand older adult distrust in developing socially responsible technologies.

Traditionally, “provable security” was tied in the minds cryptographers to public-key cryptography, asymptotic analyses, number-theoretic primitives, and proof-of-concept designs. In this talk I survey some of the work that I have done (much of it joint with Mihir Bellare) that has helped to erode these associations. I will use the story of practice-oriented provable security as the backdrop with which to make the case for what might be called a “social constructionist” view of our field. This view entails the claim that the body of work our community has produced is less the inevitable consequence of what we aim to study than the contingent consequence of sensibilities and assumptions within our disciplinary culture.

Note the changed time.

Distance bounding protocols constitute a special class of authentication protocol, in which participants must verify not only the identity of their partner, but also their physical location. They are important for systems such as contactless card payments or electronic doors, to avoid scenarios in which an attacker might relay messages over a longer distance than intended. This is typically achieved by using a time-sensitive challenge-response phase, where the verifying agent estimates distance by calculating the round trip time of their challenge messages. There are some difficulties in applying traditional security verification approaches to this family of protocols. Symbolic approaches, which aim to abstract away details (such as the nature of the cryptographic primitives used), must deal with the fact that many attack scenarios are intrinsically linked with the location and timing of messages.

In this talk, we present a model for analysing distance bounding protocols. The model of Basin et al., which uses a bespoke implementation in Isabelle/HOL, is adapted to remove speed-of-light calculations for message timings. Instead, a (provably) equivalent security claim is developed that instead focuses on the precise ordering of actions during a protocol execution. This approach enables an embedding into the Tamarin prover tool, allowing for rapid automated verification. Further, we discuss extensions to the model to analyse so-called "dishonest" agents -- who generally follow their specification but are willing to temporarily deviate in order to collaborate with the network adversary. Such agents are particularly relevant for modelling "Terrorist fraud" attacks, where an adversary can be (illegally) granted a one-time key. Finally, the results of an extensive literature survey is presented, discussing common pitfalls in protocol design.

In this talk, I discuss the ethical challenges and dilemmas that arise as a result of state involvement in academic research on ‘terrorism’ and ‘extremism’. I suggest that researchers and research institutions need to be more attentive to the possibilities of co-option, compromise, conflict of interests and other ethical issues. I empirically examine the relationship between academic researchers and the security state. I highlight three key ways in which ethical and professional standards in social scientific research can be compromised: (1) Interference with the evidence base (through a lack of transparency on data and conflicts of interest); (2) Collaboration on research supporting deception by the state which undermines the ability of citizens to participate in democratic processes; and (3) Collaboration on research legitimating human rights abuses, and other coercive state practices. These issues are widespread, but neglected, across: literature on 'terrorism' and 'extremism'; literature on research ethics; and, in practical ethical safeguards and procedures within research institutions. In order to address these issues more effectively, I propose that any assessment of research ethics must consider the broader power relations that shape knowledge production as well as the societal impact of research. In focusing on the centrality of states – the most powerful actors in the field of ‘terrorism’ and ‘extremism’ – our approach moves beyond the rather narrow procedural approaches that currently predominate. I argue more attention to the power of the state in research ethics will not only help to make visible, and combat, ethically problematic issues, but will also help to protect the evidence base from contamination. I conclude by proposing a series of practical measures to address the problems highlighted.

In this talk, I will briefly present both the EasyCrypt interactive proof assistant—whose focus is on the formalization of game-based cryptographic security proofs, before discussing its application to the SHA-3 standard. In combination with the Jasmin language—an "assembly-in-the-head" language with formalized semantics and a certified compiler—our proof is used to produce a complete high-assurance standard, with machine-checked proofs, verified reference implementations, and a verified optimized implementation for a specific platform.

I will discuss some of the challenges encountered in formalizing the security proof, and discuss the techniques afforded by the combined use of "interactive first" technologies such as Jasmin and EasyCrypt, which allow us to produce highly-efficient, yet fully verified, implementations. Some future perspectives may be discussed

Hybrid Authenticated Key Exchange (AKE) protocols combine keying material from different sources (for instance, post-quantum and classical secure key exchange primitives) to build protocols that are resilient to catastrophic failures of the different components. In this talk, I will present the results of a recent work with Torben Hansen and Kenny Paterson: a new hybrid key exchange protocol called Muckle - a simple one-round-trip key exchange protocol that combines preshared keys, post-quantum and classical key encapsulation mechanisms, and quantum key distribution protocols. I will also discuss a general framework HAKE for the analysis of hybrid AKE protocols, and demonstrate the security of our approach with respect to a powerful attacker, capable of fine-grained compromise of different cryptographic components. HAKE is broad enough to allow us to capture forward secrecy, multi-stage key exchange security, and post-compromise security. I will present an implementation of our Muckle protocol, instantiating our generic construction with classical and post-quantum Diffie-Hellman-based algorithmic choices and discuss the results of benchmarking exercises against our implementation.

Mobile sensors have already proven to be helpful in different aspects of people’s everyday lives such as fitness, gaming, navigation, etc. However, illegitimate access to these sensors results in a malicious program running with an exploit path. While the users are benefiting from richer and more personalized apps, the growing number of sensors introduces new security and privacy risks to end users and makes the task of sensor management more complex. In this talk, first, we discuss the issues around the security and privacy of mobile sensors. We investigate the available sensors on mainstream mobile devices and study the permission policies that Android, iOS and mobile web browsers offer for them. Second, we reflect the results of two workshops that we organized on mobile sensor security. In these workshops, the participants were introduced to mobile sensors by working with sensor-enabled apps. We evaluated the risk levels perceived by the participants for these sensors after they understood the functionalities of these sensors. The results showed that knowing sensors by working with sensor-enabled apps would not immediately improve the users’ security inference of the actual risks of these sensors. However, other factors such as the prior general knowledge about these sensors and their risks had a strong impact on the users’ perception. We also taught the participants about the ways that they could audit their apps and their permissions. Our findings showed that when mobile users were provided with reasonable choices and intuitive teaching, they could easily self-direct themselves to improve their security and privacy. Finally, we provide recommendations for educators, app developers, and mobile users to contribute toward awareness and education on this topic.

*** I have a PhD studentship for Sep 2020 on "Cyber Security in Farm and Companion Animal Technologies" (schools of computing and agriculture) at Newcastle University. If you are interested, come and talk to me after the presentation, or email me any time.

This talk will explore the disruptive and transformative effects of digital technology on gendered security asymmetries in Greenland. Through extended ethnographic fieldwork conducted in Greenland and Denmark, research findings emerged through in-depth interviews, collaborative mappings and field observations with 51 participants. Employing a critical feminist lens, the paper identifies how Greenlandic women develop digital security practices to respond to Greenland's ecologically, politically and socially induced transformation processes. By connecting individual security concerns of Greenlandic women with the broader regional context, the findings highlight how digital technology has created transitory spaces in which collective security is cultivated, shaped and challenged. The contribution to security scholarship is therefore threefold: (1) identification and acknowledgement of gendered effects of increased usage of digital technology in remote and hard-to-reach communities, (2) a broader conceptualisation of digital security and (3) a recommendation for more contextualised, pluralistic digitalisation design.

This talk is based on: Wendt, Nicola, Rikke Bjerg Jensen and Lizzie Coles-Kemp. "Civic Empowerment through Digitalisation: the Case of Greenlandic Women." In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems - CHI'20, New York, 2020. ACM Press.

Academic research on machine learning-based malware classification appears to leave very little room for improvement, boasting F1 performance figures of up to 0.99. Is the problem solved? In this talk, we argue that there is an endemic issue of inflated results due to two pervasive sources of experimental bias: spatial bias, caused by distributions of training and testing data not representative of a real-world deployment, and temporal bias, caused by incorrect splits of training and testing sets (e.g., in cross-validation) leading to impossible configurations. To overcome this issue, we propose a set of space and time constraints for experiment design. Furthermore, we introduce a new metric that summarizes the performance of a classifier over time, i.e., its expected robustness in a real-world setting. Finally, we present an algorithm to tune the performance of a given classifier. We have implemented our solutions in TESSERACT, an open source evaluation framework that allows a fair comparison of malware classifiers in a realistic setting. We used TESSERACT to evaluate two well-known malware classifiers from the literature on a dataset of 129K applications, demonstrating the distortion of results due to experimental bias and showcasing significant improvements from tuning.

The main results of this talk are published in: - Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, Lorenzo Cavallaro . TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time. USENIX Security Symposium, 2019.

It is just over ten years since the first academic work on Automatic Exploit Generation (AEG). In this talk I will provide a brief history of the topic, and explain the current state of the art and open problems. I will then discuss our most recent work on greybox exploit generation against language interpreters. Language interpreters, such as those for Python, PHP, Javascript etc., are typically large and complex applications and difficult to analyse using whitebox methods, such as symbolic execution. In this work we have sought to create an entirely greybox pipeline for AEG. To do so we have broken down the exploit generation problem into several subproblems, constructed greybox solutions for each, and chained these solutions together to produce exploits. Our current implementation can produce exploits for the Python and PHP interpreters, and I will outline our ongoing efforts to extend this to Javascript interpreters.

Much attention in cyber security has turned to new technologies and new materialities of information. These overlook the fact that much of security attention in everyday life is oriented around more conventional objects of security, such as documents. In this talk, I discuss why scholars should take documents and other everyday materialities more seriously. I build my argument based on ethnographic fieldwork conducted in the South Korean corporate world between 2011 and 2017. First, I suggest that even as organizations are increasingly paperless, documents nevertheless persist as focal objects, serving as idealised informational containers. Second, I suggest that digital security is not distinct from older material forms, such as paper; in contrast, new digital infrastructures are increasingly developed to protect older forms, such as cloud storage. Third, documents fit within social practices of protection beyond formal demands of information protection. I demonstrate how Korean employees I researched with treated documents with extra protection beyond legal requirements. These arguments point to new ways of thinking about how 'everyday' dimensions of security and securitisation are mediated by specific material objects and practices.

Underground communities attract people interested in illicit activities and easy-money making methods. In this joint talk, we will discuss the role of these forums in two different activities: eWhoring and the use of malware for illicit cryptocurrency mining.

On the one hand, eWhoring is the term used by offenders to refer an online fraud where they imitate partners in cyber-sexual encounters. Using all sort of social engineering skills, offenders aim at scamming their victims into paying for sexual-related material of a third-party person. We have analysed material and tutorials posted in underground forums to sed light into this previously-unknown deviant activity.

On the other hand, illicit crypto-mining uses stolen resources to mine cryptocurrencies for free. This threat is now pervasive and growing rapidly. Our talk will cover how this ecosystem is evolving, how much harm it is causing, and how can it be stopped. Our measurement shows that criminals have illicitly mined about 4.4% of the Monero cryptocurrency (we estimate that this accounts for 58 million USD). We also observe that there is a considerably small number of actors that hold sway this crime. Furthermore, we note that there is an increasing level of support offered by criminals in underground markets, that allow other criminals to run inexpensive malware-driven mining campaigns. This explains why this threat has grown sharply in 2018.

We put forward the notion of subvector commitments (SVC): An SVC allows one to open a committed vector at a set of positions, where the opening size is independent of length of the committed vector and the number of positions to be opened. We propose two constructions under variants of the root assumption and the CDH assumption, respectively. We further generalize SVC to a notion called linear map commitments (LMC), which allows one to open a committed vector to its images under linear maps with a single short message, and propose a construction over pairing groups.

Equipped with these newly developed tools, we revisit the “CS proofs” paradigm [Micali, FOCS 1994] which turns any arguments with public-coin verifiers into non-interactive arguments using the Fiat-Shamir transform in the random oracle model. We propose a compiler that turns any (linear, resp.) PCP into a non-interactive argument, using exclusively SVCs (LMCs, resp.). For an approximate 80 bits of soundness, we highlight the following new implications:

1. There exists a succinct non-interactive argument of knowledge (SNARK) with public-coin setup with proofs of size 5360 bits, under the adaptive root assumption over class groups of imaginary quadratic orders against adversaries with runtime $2^128$. At the time of writing, this is the shortest SNARK with public-coin setup.

2. There exists a non-interactive argument with private-coin setup, where proofs consist of 2 group elements and 3 field elements, in the generic bilinear group model.

In 2018, clinics and hospitals were hit with numerous attacks leading to significant data breaches and interruptions in medical services. An attacker with access to medical records can do much more than hold the data for ransom or sell it on the black market.

In this talk, I will show how an attacker can use deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans, using an autonomous malware. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder. The attack is implemented using a 3D conditional GAN, and the exploitation framework (CT-GAN) is completely automated. Although the body is complex and 3D medical scans are very large, CT-GAN achieves realistic results which can be executed in milliseconds.

To evaluate the attack, we will focus on injecting and removing lung cancer in CT scans. We found that three expert radiologists and a state-of-the-art deep learning screening AI were highly susceptible to this attack. Moreover, I will show how this attack can be applied to other medical conditions such as brain tumors. To evaluate the threat, we will explore the attack surface of a modern radiology network and I will demonstrate one attack vector: a covert pen-test I performed on an active hospital to intercept and manipulate CT scans.

Finally, I will conclude by discussing the root causes of this threat, and countermeasures which can be implemented immediately to mitigate it.

The advent of blockchain protocols brought to light a number of applications that could benefit from a large scale Byzantine resilient consensus system. At the same time a number of significant challenges were put forth in terms of scalability, energy efficiency, privacy, and the relevant threat model that such protocols may be proven secure for. In this talk I will give an overview of recent and ongoing research in the area of designing distributed ledgers based on blockchain protocols focusing on results such as the Ouroboros proof of stake blockchain protocols (Crypto'17, Eurocrypt'18, ACM-CCS'18, IEEE S&P'19) as well as other related constructions aiming to improve the interoperability and the incentive structure of distributed ledgers.

We introduce a formal quantitative notion of “bit security” for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems.

This is joint work with Daniele Micciancio

The problem of making computing systems trustworthy is often framed in terms of ensuring that users can trust systems. In contrast, my research illustrates that trustworthy computing intrinsically relies upon social trust in the operation of systems, as much as in the use of systems. Drawing from cases including the Border Gateway Protocol, DNS, and the PGP key server pool, I will show how the trustworthiness of the Internet's infrastructural technologies relies upon interpersonal and institutional trust within the communities of the Internet's technical operations personnel. Through these cases, I will demonstrate how a sociotechnical perspective can aid in the analysis and development of trustworthy computing systems by foregrounding operational trust alongside user trust and technological design.

Scholars argue that contemporary movements in the age of social media are leaderless and self-organised. However, the concept of connective leadership has been put forward to highlight the need for movements to have figures who connect entities together. This paper presents a qualitative research of grassroots human rights groups in risky context to address the question of how leadership is performed in information and communication technology-enabled activism. The paper reconceptualises connective leadership as decentred, emergent and collectively performed, and provides a broader and richer account of leaders’ roles, characteristics and challenges. These challenges contribute to the critical literature on the role of ICTs in collective action.

Cryptographic operations are generally quite costly when performed only in software. In order to improve the performance of a system, such operations can be performed via hardware accelerators. There are different techniques for hardware acceleration: Hardware/software co-design, instruction set extensions for processors, hardware-only implementations, etc. In addition to hardware acceleration of cryptographic operations, computational complexity of cryptography and cryptanalysis problems can also be decreased by dedicated hardware architectures especially on reconfigurable hardware platforms. The talk will start with an overview of hardware aspects of cryptography (and a bit of cryptanalysis). How and when do we use hardware acceleration in cryptography? What are different design techniques? Following this, two new cryptographic hardware architectures which are specifically designed to be very compact and perform efficiently on reconfigurable platforms will be presented. In the first design, AES-GCM algorithm is implemented using mostly some certain blocks (DSP and BRAM) of a Field Programmable Gate Array (FPGA); and in the second design, the new Troika hash function is implemented nearly only on BRAM blocks of an FPGA for compactness.

Feminist theorists of international relations (IR) have long argued that binaries of public/private reinforce the subsidiary status given to gendered insecurities, so that these security problems are ‘individualised’ and taken out of the public and political domain. This talk will outline the relevance of feminist critiques of security studies and argue that the emerging field of cybersecurity risks recreating these dynamics by omitting or dismissing gendered technologically-facilitated abuse such as ‘revenge porn’ and intimate partner violence (IPV). I will present a review of forty smart home security analysis papers to show the threat model of IPV is almost entirely absent in this literature. I conclude by outlining some suggestions for cybersecurity research and design, particularly my work on “abusability testing”, and reaffirming the importance of critical studies of information architecture.

Vast amounts of information of all types is collected daily about people by governments, corporations and individuals. The information is collected, for example, when users register to or use online applications, receive health related services, use their mobile phones, utilize search engines, or perform common daily activities. As a result, there is an enormous quantity of privately-owned records that describe individuals finances, interests, activities, and demographics. These records often include sensitive data and may violate the privacy of the users if published.The common approach to safeguarding user information, or data in general, is to limit access to the storage (usually a database) by using and authentication and authorization protocol. This way, only users with legitimate permissions can access the user data. However, even in these cases some of the data is required to stay hidden or accessible only to a specific subset of authorized users. Our talk focuses on possible malicious behavior by users with both partial and full access to queries over data. We look at privacy attacks that meant to gather hidden information and show methods that rely mainly on the underlying data structure, query types and behavior, and data format of the database. We will show how to identify the potential weaknesses and attack vectors for various scenarios and data types, and offer defenses against them.

Joint CS/ISG seminar.

Many voter-verifiable, coercion-resistant schemes have been proposed, but even the most carefully designed voting systems necessarily leak information via the announced result. In corner cases, this may be problematic. For example, if all the votes go to one candidate then all vote privacy evaporates. The mere possibility of candidates getting no or few votes could have implications for security in practise: if a coercer demands that a voter cast a vote for such an unpopular candidate, then the voter may feel obliged to obey, even if she is confident that the voting system satisfies the standard coercion resistance definitions. With complex ballots, there may also be a danger of "Italian" style (aka "signature") attacks: the coercer demands the voter cast a ballot with a very specific, identifying pattern of votes.

Here we propose an approach to tallying end-to-end verifiable schemes that avoids revealing all the votes but still achieves whatever confidence level in the announced result is desired. Now a coerced voter can claim that the required vote must be amongst those that remained shrouded. Our approach is based on the well-established notion of Risk-Limiting Audits (RLA), but here applied to the tally rather than to the audit. We show that this approach counters coercion threats arising in extreme tallies and ``Italian'' attacks.

The approach can be applied to most end-to-end verifiable schemes, but for the purposes of illustration I will outline the Selene scheme, that provides a particularly transparent form of voter-verification. This also allows me to describe an extension of the idea to Risk-Limiting Verification (RLV), where not all vote trackers are revealed, thereby enhancing the coercion mitigation properties of Selene.