Conference Location: Main Auditorium, 1F, Intl. Building, National Taiwan University of Science and Technology
Monday, December 14
Due to the immense deployment of wireless mobile networks, cloud computing has recently evolved as the battle field of big players, such as Microsoft, Google, Youtube, Amazon, and Facebook. Cloud computing offers the virtualization of networks, applications, and data storage. In the pervasive computing environment, mobile users can access personal data and application through wireless networks, such as WiFi, WiMax, and 3.5G. The new computing evolution intrigues us to reevaluate the security aspects of network applications. In this talk, we will give a brief introduction to the recent progress of cloud computing, and investigate its security challenges.
Online Social Networks (OSN) such as Facebook are growing rapidly,
especially in Taiwan lately. On one hand, OSN is invaluable in
supporting communication for our Internetbased community, as an
example, if we consider stealing vegetables from your friends is also
one form of communication. On the other hand, the illness of OSN design
is the root cause for losing its value. In this talk, we will address
how to leverage OSN infrastructure to solve security problems and how to
protect the value of OSN such that we might not introduce new security
problems. I will discuss the rationale and design principles behind the
Davis Social Links (DSL) project, a FIND (Future INternet Design)
and GENI (Globel Environment for Network Innovation) effort sponsored
by NSF.
Pairing based cryptography is a new and important research area in security. It has a significant property, bilinearity, and using this property, a lot of useful protocols have been proposed so far.
The progress of the pairing based cryptography is very fast. Computation speed is almost doubled in this year, for instance.
In this talk, uptodate pairing based cryptography is introduced.
Pairingbased cryptography is an extension of conventional
publickey cryptography such as RSA cryptosystem and elliptic curve
cryptography. The EtaT pairing on supersingular curve over finite field
GF(3^n) is known as one of the most efficient pairings. The security of
pairingbased cryptography using the EtaT pairing is based on the
difficulty of the discrete logarithm problems (DLP) over GF(3^n).
The most efficient algorithm for solving the DLP over finite fields of
small characteristic is the function field sieve. In this talk, we report
that we succeeded solving the DLP over GF(3^n) of 676 bits using the
function field sieve in the medium primepower case proposed by Joux
and Lercier at EUROCRYPT 2006. To the best of our knowledge, this
is currently the toprecord bitsize of the function field sieve over
GF(3^n).
08:30  09:00

Registration

Lobby

09:00  09:10

Opening Remarks
Prof. ChinLaung Lei (National Taiwan University, Taiwan)

Auditorium

09:10  10:20

Session Chair:
NaiWei Lo (National Taiwan University of Science and Technology, Taiwan)
Cloud Computing Security
Prof. Shiuhpyng Winston Shieh (Prof. of National Chiao Tung University & TWISC@NCTU Director, Taiwan)

10:20  10:50

Coffee Break (Demo & Poster)

Lobby

10:50  12:00

Session Chair:
ShengWei (KuanTa) Chen (Academia Sinica, Taiwan)
FIND stands for Facebookbased INternet Design?
Prof. S. (Shyhtsun) Felix Wu (University of California, Davis, USA)

Auditorium

12:00  14:00

Lunch

Lobby

14:00  15:10

Session Chair:
RongJaye Chen (National Chiao Tung University, Taiwan)
Recent Research on Pairing based Cryptography
Prof. Eiji Okamoto (University of Tsukuba, Japan)

Auditorium

15:10  15:40

Coffee Break (Demo & Poster)

Lobby

15:40  16:50

Session Chair:
RongJaye Chen (National Chiao Tung University, Taiwan)
PairingBased Cryptography and Its Security Analysis
Prof. Tsuyoshi Takagi (Future University Hakodate, Japan)

Auditorium

18:00  20:00

Reception

12F, Intl. Building, NTUST

Tuesday, December 15
The security of cryptographic systems deeply depends on the complexity of the underlyiing cryptographic problems and it is important to clarify the complexity of cryptographic problems and their relationships.
In this talk we take a look at some fundamental cryptographic problems and discuss their computational theoretic relationships.
AES is the best known and most widely used block cipher. Its three versions (AES128, AES192, and AES256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES128, there is no known attack which is faster than the 2^{128} complexity of exhaustive search. However, AES192 and AES256 were recently shown to be breakable by attacks which require 2^{176} and 2^{119} time, respectively. While these complexities are much faster than exhaustive search, they are completely nonpractical, and do not seem to pose any real threat to the security of AESbased systems.
In this talk we describe several attacks which can break with practical complexity variants of AES256 whose number of rounds are comparable to that of AES128. One of our attacks uses only two related keys and 2^{39} time to recover the complete 256bit key of a 9round version of AES256 (the best previous attack on this variant required 4 related keys and 2^{120} time). Another attack can break a 10 round version of AES256 in 2^{45} time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES128 along with the larger key size from AES256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.
This is joint work with Alex Biryukov, Nathan Keller, Dmitry Khovratovich, and Adi Shamir.
Elliptic curve cryptography bases its security on the intractability of
computing discrete logarithms on elliptic curves over finite fields. As
is customary, elliptic curves are usually expressed by a Weierstrass
equation. However, although secure from a mathematical point of view,
the resulting cryptosystem may succumb to implementation attacks. With
the Weiertrass model, the group law is given by the chordandtangent
rule, leading to separate formulas for point addition and for point
doubling. This different behavior (i.e., addition of different points or
of equal points) may be distinguished by observing a suitable side
channel such as the power consumption or electromagnetic emanations.
This in turn may reveal the secret value of scalar k in the computation
of kP, where P denotes an input point on an elliptic curve over a finite
field.
In order to prevent sidechannel attacks, implementers began to
investigate other ways to evaluate point addition formulas and other
models for representing elliptic curves, including the Hessian model,
the Jacobi model (both as a quartic curve or as the intersection of two
quadrics), and the Edwards model. Interestingly, it was shown that the
point addition formulas may, up to some extent, become unified, that is,
that they are valid for both the point addition and the point doubling.
In certain cases, stronger results were obtained, namely complete point
addition formulas. A point addition formula is said to be complete when
it is not only unified but also valid for the neutral element.
These unified curve models revealed useful for cryptographic
implementations as they offer a natural protection against sidechannel
attacks based on simple power analysis (SPA) or simple electromagnetic
analysis (SEMA). In this talk, we will review all unified models
considered so far and present new ones. We will also show that, in
addition to sidechannel attacks, the unified models are also useful to
protect against another class of implementation attacks, namely the
fault attacks. We will present new countermeasures against fault
attacks, making use of unified addition formulas.
After decades of remarkable growth, the performance of singlethread
processors has slowed down, hitting both the power and ILP walls. To
respond, the entire industry is now moving to the multicore/manycore
paradigm to exploit the increasing transistor budget offered by the
Moore's law in semiconductor fabrication technologies. Graphics
processing units (GPUs) are an example of computing devices with many
simple cores, which we have demonstrated to be useful and
costeffective for computing stage1 ECM in a recent paper "ECM on
Graphics Cards."
In this sequel talk, we will provide an update and indepth
introduction on using manycores to compute elliptic curve scalar
multiplication, the core computation of ECM as well as ECC. We will
report and compare stateoftheart performance of scalar
multiplication using various computing devices including GPU (NVIDIA
CUDA), Cell (both Playstation 3 and the newer QS 22), and the latest
64bit x86 processors (Intel Core 2 and AMD Phenom II). We will also
explain how to achieve high computational throughput with these
devices, e.g., by carefully managing the scarce ondie memories while
having enough threads of computation for latency hiding.
