Stanford Security Lunch
Winter 2018

Get announcements:

January 10, 2018 No meeting due to Real World Crypto workshop

January 17, 2018 FAME: Fast Attribute-based Message Encryption

Speaker:  Shashank Agrawal

Abstract:  Time and again, attribute-based encryption has been shown to be the natural cryptographic tool for building various types of conditional access systems with far-reaching applications, but the deployment of such systems has been very slow. A central issue is the lack of an encryption scheme that can operate on sensitive data very efficiently and, at the same time, provides features that are important in practice. In this talk I will present the first fully secure ciphertext-policy and key-policy ABE schemes based on a standard assumption on Type-III pairing groups, which do not put any restriction on policy type or attributes. The schemes are implemented along with several other prominent ones using the Charm library, and perform better on almost all parameters of interest.

Joint Work:  Melissa Chase (Microsoft Research)


January 24, 2018 No Talk but Lunch due to BPASE workshop

January 31, 2018 TBA

Speaker:  Juan Benet (Filecoin)


February 07, 2018 Incident highlights and going passwordless

Speaker:  Michael Duff (Stanfords CIO)

Abstract:  Stanford's Chief Information Security Officer, Michael Duff, describes the preparations made to deploy client certificate-based authentication campus-wide, which will transform the way University community members access our online services -- improving user experience while simultaneously addressing some of our greatest cybersecurity risks. Michael also highlights several recent cybersecurity incidents here at Stanford -- how they happened and what we learned from them

February 14, 2018 A scalable computation oracle for blockchains

Speaker:  Jason Teutsch

Abstract:  Ethereum constitutes one of the most powerful computational resources in the history of mankind, but its "on-chain" smart contracts, which process data and money, run for no more than a fraction of a second. A new system called "TrueBit" bypasses this bottleneck. Its WebAssembly-based architecture and cryptoeconomic incentives allow smart contracts to efficiently outsource computational work to "off-chain" agents while the smart contracts themselves process at most logarithmically many bits of input data and computational steps. I will present an overview of the TrueBit protocol, mention some applications, and discuss foreseeable security challenges. This talk is intended for a general audience, and non-CS blockchain enthusiasts are welcome.

February 21, 2018 Flyclient: Super Light Clients for Cryptocurrencies

Speaker:  Benedikt Bünz

Abstract:  To ensure the validity of transactions, Bitcoin and Ethereum rely on a mechanism to verify if particular transactions are included in the blockchain. For example, each node has to check if the inputs to a transaction are valid coins recorded in the blockchain and the current block belongs to the longest chain in case of a fork. To perform these checks, the node has to download all blocks and verify all of them. Currently, syncing all these data blocks in Bitcoin or Ethereum requires a node to send/receive hundreds of Gigabytes of data, taking days for both downloading and verifying. In Bitcoin, a synchronization mechanism called simplified payment verification (SPV) allows clients with limited resources such as mobile phones and tablets to verify transactions without downloading the entire blocks. SPV clients only download block headers, which have much smaller size than the full block (80 bytes vs 1 MB in Bitcoin). However, the storage and bandwidth needed for each light client still increases linearly with the blockchain size. For example, the Ethereum blockchain currently has about 3.5 million blocks, given that each block header is of size 500 bytes, an SPV client in Ethereum would have to download and store more than 1.5 GB to be able to verify any transaction on the Ethereum blockchain. In this paper, we introduce Flyclient, a novel protocol for light clients in public blockchains. Flyclient allows SPV clients to efficiently and securely verify any transaction with only a constant storage and bandwidth requirements. The transaction inclusion proof size is logarithmic in the size of a block and the number of blocks in the chain. At its core, Flyclient utilizes a recently proposed data structure called Merkle Mountain Range which allows SPV clients to verify any transaction with a minimal amount of information. Flyclient also employs an efficient and non-interactive probabilistic verification to reduce the number of block headers needed for the longest-chain verification to a small number that is only logarithmic in the size of the chain. Unlike previous proposed succinct SPV clients, Flyclient resists cheap bribery attacks against miners.

Joint work with::  Loi Luu, Mahdi Zamani

February 28, 2018 Verifiable Delay Functions

Speaker:  Ben Fisch

Abstract:  We study the problem of building a verifiable delay function (VDF). A VDF requires a specific number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirement for VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time.

Joint Work:  Dan Boneh, Joseph Bonneau, Benedikt Bünz

March 07, 2018 Compression Bombs Strike Back

Speaker:  Giancarlo Pellegrino

Abstract:  For performance reason, network services often use data compression to reduce protocol message size. However, if data compression is not properly implemented, it can render entire applications vulnerable to DoS attacks. Abusing data compression to exhaust system resources is an old trick. For example, a zip bomb is a recursively highly-compressed file archive prepared with the only goal of exhausting the resources of programs that attempt to inspect its content. This attack was brought to the community attention in 1996 to mount DoS attacks against bulletin board systems. While this may now seem an old, unsophisticated, and easily avoidable threat, we discovered that developers did not fully learn from prior mistakes. We looked at three protocols (i.e., HTTP, XMPP, and IMAP) and 11 network services including popular ones (e.g., Apache HTTPD, Tomcat, Prosody, and OpenFire) and discovered that the risks of supporting data compression are still often overlooked. In this talk, we will walk through data amplification attacks starting from the ever-green zip bomb and xml bomb attacks until our last results. We will present the current use of data compression in several popular protocol and network services, and a selection of common mistakes that we observed at the implementation, specification, and configuration levels. In this talk, we will also present already patched resource exhaustion vulnerabilities which could have been used to perform Denial of Service attack against popular services.

March 14, 2018 How to prove statements on secret-shared, encrypted, or committed data

Speaker:  Henry Corrigan-Gibbs

Abstract:  In a classical zero-knowledge proof system, a verifier holds an input x (e.g., a SAT formula) and a prover tries to convince the verifier that x has some special property (e.g., that x is satisfiable) without revealing anything else about x. We consider a twist on this problem, in which the verifier does not hold the input x itself, but only holds an "encoding" of it: either a secret-sharing of x, an encryption of x, or a cryptographic commitment to x. For example, the prover might want to convince the verifier that an encrypted vector has low Hamming weight. The general problem of proving statements on encoded data is at the core of scores of cryptographic protocols, and is relevant to systems for secure messaging, verifiable computation, privacy-preserving cryptocurrencies, and private ad-targeting. In this work, we present a new framework for proving statements on encoded data. In particular, we define "fully linear PCPs," a new type of probabilistically checkable proof, and we show how to compile them into proofs on secret-shared, encrypted, or committed data. We demonstrate that many existing such proof systems implicitly construct fully linear PCPs. This view on the problem immediately yields more efficient proof systems for a wide array of practical applications.

Joint Work with:  Dan Boneh, Elette Boyle, Yuval Ishai, and Niv Gilboa

March 21, 2018 IoT Security in Healthcare

Speaker:  May Wang (ZingBox)

Abstract:  The rapid adoption of connected IoT medical devices has both enhanced the quality of care and increased the vulnerability of healthcare organizations. In 2017, increasing amount cyber attacks, such as WannaCry and NotPetya, have severely impacted many healthcare organizations. In this talk, we will share the exclusive research and statistics based on analysis of tens of thousands connected medical devices deployed in real-world environments. Learn the unique new challenges in healthcare IoT security, and how AI can help address issues that many traditional technologies have failed.