🔊 We are delighted to see the Digital Security by Design (DSbD) #CHERI messaging broadening and read up on the following two articles showcasing how #CHERI enhances safety-critical systems by catching memory-safety errors early and how CHERI and the #DSbD narrative are driving hardware-level security innovation and the call to prioritize security over cost and convenience. 📢 CHERI Myths: CHERI is incompatible with safety-critical systems by David Chisnall 👉 https://bit.ly/4feATDp 📢 Vulnerable by Design: The Grimshaw vs. Ford Motor Co. Morality Argument for Computing by Sherlock di Schiavi 👉 https://bit.ly/3OPNC4E UK Research and Innovation Innovate UK Department for Science, Innovation and Technology University of Cambridge Department of Computer Science and Technology Arm SCI Semiconductor Digital Catapult UKC3 - UK Cyber Cluster Collaboration techUK Cyber Exchange UK National Cyber Security Centre
Digital Security by Design (DSbD)’s Post
-
I am glad to share our latest HARDWARE SECURITY research paper from my PhD student Donayam Benti. The paper, titled "Channelizer: Explainable ML Inference for Validating Side-Channel Resistant Systems", will appear next month in the IEEE Int'l Symposium on Secure and Private Execution Environment Design (SEED-2024). Channelizer is an open-source tool for validating the effectiveness of systems that work to stop side channels. Unlike previous tools that look for specific side channels, Channelizer uses machine learning models to identify side-channel leakage in a way that is agnostic to the underlying microarchitecture, compiler, programming style or type of side channel. To help identify the source of leakage, Channelizer utilizes ML explainability techniques to determine if the side channel is from 1) program behavior, 2) compiler transformations, or 3) pure microarchitectural leakage. If you are trying to build secure systems without side channels, this tool is incredibly powerful and useful. It was used to validate Agita Labs sequestered encryption (SE) technology implemented in the TrustForge Enclave, and we used it to validate that Microsoft SEAL homomorphic encryption was free of server-side side channels. We also found a compiler-introduced side-channel bug in one of VIP-Bench's data-oblivious benchmarks (which was due to a single data-dependent branch executing a single time!). We also disclosed to the vendor a new pure microarchitectural side channel in a commercial TEE. We will release the Channelizer repo soon. Please don't hesitate to leave a note below if you have any questions or comments on this work. You can read the paper here: https://lnkd.in/dHrwChrJ #security #privacy #research #sidechannels #hacking #hardwaresecurity #fhe
-
Last night I had the pleasure of chatting with the local OWASP® Foundation chapter on AI app sec security. Everything old is new again. In many ways, for example, the problems of prompt injection attacks are not dissimilar to input validation issues and the challenges of running untrusted code. And classically, after the chat people came forward with their bright ideas around heuristic and behavioural detection, suggesting a silver bullet solution. Many younguns are unfamiliar with the Halting Problem: https://lnkd.in/g-yewEE7 In short, when applied to the theory of adversarial detection, it proves that (a) you can always write detection to identify a particular attack and (b) an adversary can always come up with a new attack to avoid your detection. It’s why us old timers insist there is no such thing as a silver bullet in cyber security. A great fictional example of this problem is laid out in author Greg Bear’s Eon where humans load an alien consciousness into a simulation to extract information and the alien is able to realize it is in a simulation using this same mathematical proof. Everything old is new again.
Halting problem - Wikipedia
en.wikipedia.org
-
Parallel Cryptography tools are a promising alternative towards efficient implementations of security mechanisms in complex communicating systems. A decade ago, together with one of my PhD students, we proposed: "Generic Parallel Cryptography for Hashing Schemes": https://lnkd.in/eyGqx9uP or https://lnkd.in/edHQtr9T We emphasised that future secure communicating systems, secured mass data storages and their access policies, will require efficient and scalable security algorithms and protocols. Moreover, parallelism will be used at quite low-level implementation of software or hardware basic mechanisms for offering efficient support to cryptographic algorithms. We concentrate on a family of generic schemes for efficient implementation of tree-based hash functions. The main reason for designing a parallel algorithm based on a hash tree scheme is to obtain optimal performance when dealing with critical applications which can require tuned implementations for security aspects on multi-core target processors. Thanks to Bill Buchanan for sharing also on Medium on the subject.
ParallelHash
medium.com
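As an added illustration of the tree-based hashing the post describes (this is example code written for this page, not the paper's scheme and not the ParallelHash function standardized in NIST SP 800-185), the following hashes fixed-size leaf blocks independently, so leaves and interior nodes can be computed in parallel, and combines them up a binary tree. Leaf and node inputs carry distinct domain-separation prefixes, and the message length is bound into the root, which are the two checks a reviewer would look for before accepting any home-grown tree hash. The block size, prefixes and the choice of SHA-256 are assumptions of the example.

```python
"""Generic binary tree hash over fixed-size blocks (added example, not the paper's code)."""
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 1024          # leaf block size; an assumed parameter of this example
LEAF_PREFIX = b"\x00"      # domain separation: a leaf hash can never equal a node hash
NODE_PREFIX = b"\x01"


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_leaf(block: bytes) -> bytes:
    return _h(LEAF_PREFIX + block)


def hash_node(left: bytes, right: bytes) -> bytes:
    return _h(NODE_PREFIX + left + right)


def split_blocks(message: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut the message into block_size pieces; an empty message still yields one leaf."""
    blocks = [message[i:i + block_size] for i in range(0, len(message), block_size)]
    return blocks or [b""]


def tree_hash(message: bytes, workers: int = 4, block_size: int = BLOCK_SIZE) -> bytes:
    """Hash leaves in parallel, then fold each level pairwise until one node remains.
    The result is independent of the number of workers: only the tree shape matters."""
    blocks = split_blocks(message, block_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        level = list(pool.map(hash_leaf, blocks))
        while len(level) > 1:
            pairs = [(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
            nxt = list(pool.map(lambda pair: hash_node(*pair), pairs))
            if len(level) % 2 == 1:
                nxt.append(level[-1])   # odd node is promoted unchanged to the next level
            level = nxt
    # Bind the total length into the root so messages with different block counts
    # cannot share a digest through the promotion rule above.
    return _h(NODE_PREFIX + len(message).to_bytes(8, "big") + level[0])


if __name__ == "__main__":
    sample = bytes(range(256)) * 20     # constructed 5120-byte input (5 leaf blocks)
    print(tree_hash(sample).hex())
```

Because every level is a map over independent pairs, the same code parallelises across cores with a process pool instead of threads; the digest does not change when the worker count does, which is the property a deployment should verify before relying on parallel and sequential implementations interchangeably.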
-
We've posted a new paper on exploiting secret-dependent division timings in numerous Kyber (ML-KEM) implementations derived from the official reference implementation. Luckily, by now all affected implementations that we know of have been fixed. Read more here: https://lnkd.in/g63J4Udm, https://lnkd.in/ghnxriip. We have demos available for both KyberSlash1 and KyberSlash2. Some history: In November 2023, Bhargavan, Kiefer, and Tamvada discovered that the Kyber reference code contains a piece of code in decryption resulting in secret-dependent division timings with some compilers when optimizing for code size. This was independently discovered by Bernstein shortly after. We call this timing vulnerability KyberSlash1. Over Christmas, Ravi and I tried to show that KyberSlash1 is indeed exploitable. We could not quite get it to work at first; our measurements were just not matching what we were expecting. It turned out there was another source of timing variance - this time depending on the ciphertext in (re-)encryption. This sounds harmless because ciphertexts are usually public. Unfortunately, that's not the case inside the re-encryption in decapsulation when using the Fujisaki-Okamoto transformation like in Kyber. Here it's essential that ciphertexts remain secret until they have passed the comparison of the re-encryption and the input ciphertext. If ciphertexts are leaked, this allows one to construct a plaintext-checking (PC) oracle which allows breaking the CCA security and recovering the secret key. We call this vulnerability KyberSlash2 and announced it on December 30, 2023 after it had been fixed in the official reference implementation. With this new paper we show that both vulnerabilities reported last year can actually be exploited quite efficiently. We also propose some ways to detect and avoid similar problems in the future.
KyberSlash: Exploiting secret-dependent division timings in Kyber implementations
eprint.iacr.org
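The division the post refers to is the one used to compress a coefficient from the range [0, q) to d bits, round(x * 2^d / q) mod 2^d with q = 3329. Below is an added example (written for this page, not code from the paper or from any Kyber implementation) of the mitigation pattern a reviewer would want to see: replace the integer division by a multiplication with a precomputed constant and a shift, which executes in data-independent time on common CPUs, and verify exhaustively over the whole input range that the replacement is bit-for-bit identical to the division. The constants are derived by the search in the code (m = ceil(2^s / q), increasing s until the exhaustive check passes), not copied from the project; the set of d values is assumed from the compression widths Kyber uses. As far as I understand the upstream fixes, they follow the same multiply-and-shift approach, but with their own constants.

```python
"""Division-free compression for a Kyber-style modulus, verified exhaustively (added example)."""

Q = 3329  # Kyber / ML-KEM modulus


def compress_div(x: int, d: int, q: int = Q) -> int:
    """Reference-style compression: round(x * 2^d / q) mod 2^d via integer division.
    Some compilers lower the division to a loop or library call whose timing
    depends on the operand, which is the leak class described in the post."""
    return (((x << d) + q // 2) // q) & ((1 << d) - 1)


def compress_mulshift(x: int, d: int, m: int, s: int, q: int = Q) -> int:
    """Same rounding computed as a multiply by constant m followed by a right shift
    by s; multiply and shift are data-independent-time operations on common CPUs."""
    return ((((x << d) + q // 2) * m) >> s) & ((1 << d) - 1)


def find_mulshift_constant(d: int, q: int = Q):
    """Search for (m, s) with m = ceil(2^s / q) such that compress_mulshift equals
    compress_div for every x in [0, q). Correctness is checked exhaustively rather
    than assumed from an error bound: the input range is small enough to enumerate."""
    for s in range(8, 64):
        m = -(-(1 << s) // q)  # ceil(2^s / q)
        if all(compress_mulshift(x, d, m, s, q) == compress_div(x, d, q) for x in range(q)):
            return m, s
    raise ValueError("no multiply-shift constant found for d=%d" % d)


def verify_all(d_values=(1, 4, 5, 10, 11), q: int = Q) -> dict:
    """Return {d: (m, s)} for each compression width, each one exhaustively verified.
    The widths are an assumption of this example (those used by Kyber parameter sets)."""
    return {d: find_mulshift_constant(d, q) for d in d_values}


if __name__ == "__main__":
    for d, (m, s) in verify_all().items():
        print("d=%2d  m=%d  s=%d  (verified for all x in [0, %d))" % (d, m, s, Q))
```

The exhaustive check is the important part: a multiply-shift constant that is correct for most inputs but wrong for a handful would silently change the KEM's output, so the replacement should be gated on a test that enumerates the full coefficient range rather than on a spot check. Note that the equivalence holds at the Python integer level; the C version of the same formula must also be checked for intermediate overflow in the chosen integer width.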
-
1. **Origin of the Term "Bug"**: The term "bug" in computing originated in 1947 when a moth caused a malfunction in the Harvard Mark II computer. This incident led to the term "debugging" for fixing software issues.
2. **World's First Computer Programmer**: Ada Lovelace, an English mathematician, is often regarded as the world's first computer programmer. She worked on Charles Babbage's Analytical Engine and wrote the first algorithm for this early mechanical computer.
3. **The First Computer Virus**: The first computer virus, called the "Brain" virus, was created in 1986 by two Pakistani brothers, Basit Farooq Alvi and Amjad Farooq Alvi. It spread through infected floppy disks.
4. **Moore's Law**: Coined by Gordon Moore in 1965, Moore's Law predicts that the number of transistors on a microchip will double approximately every two years, leading to exponential growth in computing power.
5. **ASCII**: The American Standard Code for Information Interchange (ASCII) was developed in the 1960s to standardize character encoding in computers. It laid the foundation for modern character encoding schemes.
6. **The World Wide Web's Inventor**: Tim Berners-Lee, a British computer scientist, invented the World Wide Web in 1989 while working at CERN. His vision revolutionized how information is shared and accessed globally.
7. **Open Source Movement**: The open-source movement promotes free access to software's source code, fostering collaboration and innovation. Examples include Linux, Apache, and Mozilla Firefox.
8. **Big Data Growth**: Every day, approximately 2.5 quintillion bytes of data are created globally. This exponential growth of data fuels advancements in data analytics and machine learning.
9. **Quantum Computing**: Quantum computers leverage quantum mechanics to perform complex calculations exponentially faster than classical computers. They hold immense potential for solving currently intractable problems.
10. **Internet of Things (IoT)**: IoT refers to interconnected devices embedded with sensors and software that communicate and share data over the internet. It's revolutionizing industries like healthcare, transportation, and smart homes.
11. **Cybersecurity Challenges**: With the rise of digital technologies, cybersecurity has become a critical concern. Cyberattacks, data breaches, and ransomware threats highlight the need for robust cybersecurity measures.
12. **Cloud Computing**: Cloud computing enables users to access and store data and applications over the internet, offering scalability, flexibility, and cost-efficiency for businesses and individuals.
13. **Artificial Intelligence (AI)**: AI encompasses technologies like machine learning and natural language processing to mimic human intelligence. It powers innovations such as virtual assistants, autonomous vehicles, and predictive analytics.
Debmalya Bhattacharjee #csestudent #funfacts #graduation #computer #programmer
-
Bootstrapping in FHE ✨ In cryptography, evaluating the decryption procedure generally requires a ciphertext and secret key as input, ensuring the plaintext as output. In Fully Homomorphic Encryption (FHE), bootstrapping allows us to use an encrypted secret key and a ciphertext to generate an "equivalent" ciphertext on which we can perform further computations. The encrypted secret key, also called a bootstrapping or refreshing key, is generated along with the private key. All common FHE schemes are based on noisy encryptions (the noise is what guarantees the security of fresh encryption) in which evaluating homomorphic operations increases the noise magnitude and lowers the quality, i.e., computational budget, of ciphertexts. Bootstrapping is a crucial process in FHE schemes that helps maintain the security and usability of encrypted data. It involves converting an exhausted ciphertext with high noise levels into a refreshed ciphertext with lower noise, allowing for further homomorphic operations. The main purposes of bootstrapping are:
> Noise Reduction: Converting exhausted ciphertexts into refreshed ciphertexts to support further homomorphic operations.
> Functional Evaluation: Evaluating a function on the encrypted message during bootstrapping, resulting in an output ciphertext that encrypts a function of the plaintext message. This form of bootstrapping is known as functional or programmable bootstrapping.
Without bootstrapping, FHE schemes are typically leveled, meaning they support a limited number of operations based on the noise budget. Resources📚 Demystifying Bootstrapping in Fully Homomorphic Encryption: https://lnkd.in/g2AsxVQx Day 25 🚀 #30DaysOfFLCode #SMPC #PETs #DataPrivacy #FHE #FederatedLearning
-
Published Article!! A Novel Approach for Concealed Data Sharing and Data Embedding for Secured Communication Gaurav Prasad and Sujay Narayana, NITK, India ABSTRACT This paper introduces a new method of securing an image using cryptographic and steganographic techniques. The science of securing data by encryption is Cryptography, whereas the method of hiding secret messages in other messages is Steganography, so that the secret's very existence is concealed. The term 'Steganography' describes the method of hiding cognitive content in another medium to avoid detection by the intruders. The proposed method uses cryptographic and steganographic techniques to encrypt the data as well as hide the encrypted data in another medium, so that the fact that a message is being sent is concealed. The image is concealed by converting it into a ciphertext using the SDES algorithm with a secret key, which is also an image, and sent to the receiving end securely. KEYWORDS Steganography, Cryptography, image hiding, least-significant bit (LSB) method #Steganography #Cryptography #image hiding #leastsignificant bitmethod #computersciencearticle #researchpapersincomputerscience #universityofIllinois #csitproceedings #NITK Full Text: https://lnkd.in/g4SnQZUu Volume URL: https://lnkd.in/gP9-ay2a Youtube URL: https://lnkd.in/girxVkt4
Microsoft Word - A NOVEL APPROACH FOR CONCEALED DATA SHARING AND DATA EMBEDDING FOR SECURED COMMUNICATION
airccse.org
-
Fully Homomorphic Encryption (FHE) enables computations on encrypted data without decryption, maintaining data privacy even on untrusted platforms. FHE supports basic operations like addition and multiplication directly on ciphertexts, which encrypt results equivalent to operations performed on plaintexts. However, practical use of FHE is limited by significant computational demands and slow performance compared to non-encrypted operations. Managing noise accumulation in ciphertexts—essential to maintain data integrity—requires complex techniques such as bootstrapping, which refreshes ciphertexts but is computationally intensive. Various encryption schemes like LWE, RLWE, and CGGI provide the foundation for FHE, each with unique approaches to encoding and noise management. Advancements in specialized hardware accelerators and dedicated software libraries aim to mitigate performance issues, enhancing FHE's practical applications in secure cloud computing and sensitive data processing like medical or financial records, with ongoing research focused on improving efficiency and usability. https://lnkd.in/gNBwVu3S
A High-Level Technical Overview of Fully Homomorphic Encryption
jeremykun.com
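Both this post and the earlier one on bootstrapping describe the same mechanism in words: ciphertexts carry noise, every homomorphic operation grows it, and a leveled scheme stops working once the noise exceeds what decryption can absorb. The following added example (written for this page, not from either post, and not a secure or practical scheme) makes that concrete with a toy symmetric encryption over the integers in the style of the van Dijk, Gentry, Halevi and Vaikuntanathan construction: a ciphertext is p*q + 2r + m for a secret odd integer p, addition adds the noise terms and multiplication multiplies them, and decryption is correct exactly while the noise stays below p/2. The parameters (64-bit p, 8-bit noise, 128-bit q) are assumptions chosen to make the exhaustion visible within a few squarings. The toy cannot bootstrap: refreshing a ciphertext would require evaluating its own decryption under an encrypted copy of p, which is precisely the capability bootstrapping adds to a real FHE scheme.

```python
"""Toy integer scheme showing noise growth and the leveled limit (added example, not from the posts)."""
import math
import random


def keygen(rng: random.Random, p_bits: int = 64) -> int:
    """Secret key: a random odd integer p with exactly p_bits bits (assumed size)."""
    return rng.getrandbits(p_bits) | 1 | (1 << (p_bits - 1))


def encrypt(p: int, m: int, rng: random.Random, r_bits: int = 8, q_bits: int = 128):
    """c = p*q + 2r + m for a bit m. Returns (c, e) where e = 2r + m is the true noise;
    e is returned only so the example can chart noise growth (an evaluator never sees it)."""
    assert m in (0, 1)
    q = rng.getrandbits(q_bits)
    r = rng.getrandbits(r_bits)
    e = 2 * r + m
    return (p * q + e, e)


def decrypt(p: int, c: int) -> int:
    """Centered remainder mod p, then parity. Correct iff |noise| < p/2."""
    t = c % p
    if t > p // 2:
        t -= p
    return t % 2


def add(ct1, ct2):
    """Homomorphic XOR of the plaintext bits; noise terms add."""
    return (ct1[0] + ct2[0], ct1[1] + ct2[1])


def mul(ct1, ct2):
    """Homomorphic AND of the plaintext bits; noise terms multiply."""
    return (ct1[0] * ct2[0], ct1[1] * ct2[1])


def noise_budget_bits(p: int, e: int) -> float:
    """Headroom in bits: log2(p/2) - log2(|e|). At or below zero the ciphertext is exhausted."""
    return math.log2(p / 2) - (math.log2(abs(e)) if e else 0.0)


def squarings_until_exhausted(p: int, ct, max_levels: int = 16):
    """Square a ciphertext repeatedly (multiplicative depth chain) and record, per level,
    (level, remaining budget in bits, whether decryption still yields the original bit)."""
    m = decrypt(p, ct[0])
    trace = []
    for level in range(max_levels + 1):
        budget = noise_budget_bits(p, ct[1])
        ok = budget > 0 and decrypt(p, ct[0]) == m
        trace.append((level, budget, ok))
        if budget <= 0:
            break
        ct = mul(ct, ct)
    return trace


def homomorphic_check(seed: int = 7) -> bool:
    """Fresh ciphertexts have enough budget that one add and one mul decrypt correctly."""
    rng = random.Random(seed)
    p = keygen(rng)
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(p, m1, rng), encrypt(p, m2, rng)
            if decrypt(p, add(c1, c2)[0]) != (m1 + m2) % 2:
                return False
            if decrypt(p, mul(c1, c2)[0]) != (m1 & m2):
                return False
    return True


def example_chain(seed: int = 7):
    """Deterministic demo trace: squaring an encryption of 1 until the budget runs out."""
    rng = random.Random(seed)
    p = keygen(rng)
    return squarings_until_exhausted(p, encrypt(p, 1, rng))


if __name__ == "__main__":
    for level, budget, ok in example_chain():
        print("depth %2d  budget %6.1f bits  decrypts correctly: %s" % (level, budget, ok))
```

Each squaring roughly doubles the noise's bit length, so with a 64-bit key and 9-bit fresh noise the budget runs out after about three multiplications; additions cost one bit each. Real schemes (LWE, RLWE and the CGGI scheme named above) manage the same budget with far better constants, but the shape of the problem is identical, and bootstrapping is the step that resets the budget without revealing the key.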
-
Unlocking Secure Machine Learning Inference with Homomorphic Encryption and ECC! I'm thrilled to share my latest article that dives into the fusion of homomorphic encryption and Elliptic Curve Cryptography (ECC) to achieve secure machine learning inference. In an era where data privacy and security are paramount, this piece offers a comprehensive look at how we can perform computations on encrypted data without compromising sensitive information. 🔑 Key Highlights: - Homomorphic Encryption: Learn how this revolutionary technique allows computations directly on encrypted data. This means machine learning models can make predictions without ever accessing the raw data, ensuring user privacy is maintained. - Elliptic Curve Cryptography (ECC): Discover how ECC provides robust security with smaller key sizes, making it efficient and secure for encrypting data in machine learning applications. - Detailed Code Walkthrough: The article provides a step-by-step guide with code examples, making it easier to understand and implement secure inference in real-world scenarios. - Mathematical Foundations: Gain a deeper understanding of the mathematical principles that underpin these cryptographic methods, enhancing your grasp of both theory and application. - Use Cases and Results: Explore practical applications and see how these techniques can be applied to protect data integrity and confidentiality in machine learning workflows. For professionals and enthusiasts in cybersecurity, data science, and machine learning, this article is a must-read. It not only explains the concepts but also demonstrates how to implement them effectively. Let's embrace these advanced cryptographic techniques to build more secure and privacy-preserving machine learning models! 👉 Read the full article here #SecureML #HomomorphicEncryption #ECC #DataPrivacy #MachineLearning #Cybersecurity
Secure Machine Learning Inference with Homomorphic Encryption and ECC
rabmcmenemy.medium.com
-
New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities Researchers from the Graz University of Technology have unveiled a novel side-channel attack, termed SnailLoad, potentially enabling remote inference of a user's web activity. By exploiting a ubiquitous bottleneck in internet connections that influences network packet latency, the researchers demonstrate the evolution of cyber-threats in exploiting inherent network weaknesses.
New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities
thehackernews.com