Due to the immense deployment of wireless mobile networks, cloud computing has recently evolved as the battle field of big players, such as Microsoft, Google, Youtube, Amazon, and Facebook. Cloud computing offers the virtualization of networks, applications, and data storage. In the pervasive computing environment, mobile users can access personal data and application through wireless networks, such as Wi-Fi, WiMax, and 3.5G. The new computing evolution intrigues us to reevaluate the security aspects of network applications. In this talk, we will give a brief introduction to the recent progress of cloud computing, and investigate its security challenges.

Online Social Networks (OSN) such as Facebook are growing rapidly, especially in Taiwan lately. On one hand, OSN is invaluable in supporting communication for our Internet-based community, as an example, if we consider stealing vegetables from your friends is also one form of communication. On the other hand, the illness of OSN design is the root cause for losing its value. In this talk, we will address how to leverage OSN infrastructure to solve security problems and how to protect the value of OSN such that we might not introduce new security problems. I will discuss the rationale and design principles behind the Davis Social Links (DSL) project, a FIND (Future INternet Design) and GENI (Globel Environment for Network Innovation) effort sponsored by NSF.

Pairing based cryptography is a new and important research area in security. It has a significant property, bilinearity, and using this property, a lot of useful protocols have been proposed so far. The progress of the pairing based cryptography is very fast. Computation speed is almost doubled in this year, for instance. In this talk, up-to-date pairing based cryptography is introduced.

Pairing-based cryptography is an extension of conventional public-key cryptography such as RSA cryptosystem and elliptic curve cryptography. The EtaT pairing on supersingular curve over finite field GF(3^n) is known as one of the most efficient pairings. The security of pairing-based cryptography using the EtaT pairing is based on the difficulty of the discrete logarithm problems (DLP) over GF(3^n). The most efficient algorithm for solving the DLP over finite fields of small characteristic is the function field sieve. In this talk, we report that we succeeded solving the DLP over GF(3^n) of 676 bits using the function field sieve in the medium prime-power case proposed by Joux and Lercier at EUROCRYPT 2006. To the best of our knowledge, this is currently the top-record bit-size of the function field sieve over GF(3^n).

The security of cryptographic systems deeply depends on the complexity of the underlyiing cryptographic problems and it is important to clarify the complexity of cryptographic problems and their relationships.

In this talk we take a look at some fundamental cryptographic problems and discuss their computational theoretic relationships.

AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^{128} complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^{176} and 2^{119} time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems.

In this talk we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^{39} time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^{120} time). Another attack can break a 10 round version of AES-256 in 2^{45} time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.

This is joint work with Alex Biryukov, Nathan Keller, Dmitry Khovratovich, and Adi Shamir.

Elliptic curve cryptography bases its security on the intractability of computing discrete logarithms on elliptic curves over finite fields. As is customary, elliptic curves are usually expressed by a Weierstrass equation. However, although secure from a mathematical point of view, the resulting cryptosystem may succumb to implementation attacks. With the Weiertrass model, the group law is given by the chord-and-tangent rule, leading to separate formulas for point addition and for point doubling. This different behavior (i.e., addition of different points or of equal points) may be distinguished by observing a suitable side channel such as the power consumption or electro-magnetic emanations. This in turn may reveal the secret value of scalar k in the computation of kP, where P denotes an input point on an elliptic curve over a finite field.

In order to prevent side-channel attacks, implementers began to investigate other ways to evaluate point addition formulas and other models for representing elliptic curves, including the Hessian model, the Jacobi model (both as a quartic curve or as the intersection of two quadrics), and the Edwards model. Interestingly, it was shown that the point addition formulas may, up to some extent, become unified, that is, that they are valid for both the point addition and the point doubling. In certain cases, stronger results were obtained, namely complete point addition formulas. A point addition formula is said to be complete when it is not only unified but also valid for the neutral element. These unified curve models revealed useful for cryptographic implementations as they offer a natural protection against side-channel attacks based on simple power analysis (SPA) or simple electromagnetic analysis (SEMA). In this talk, we will review all unified models considered so far and present new ones. We will also show that, in addition to side-channel attacks, the unified models are also useful to protect against another class of implementation attacks, namely the fault attacks. We will present new countermeasures against fault attacks, making use of unified addition formulas.

After decades of remarkable growth, the performance of single-thread processors has slowed down, hitting both the power and ILP walls. To respond, the entire industry is now moving to the multi-core/many-core paradigm to exploit the increasing transistor budget offered by the Moore's law in semiconductor fabrication technologies. Graphics processing units (GPUs) are an example of computing devices with many simple cores, which we have demonstrated to be useful and cost-effective for computing stage-1 ECM in a recent paper "ECM on Graphics Cards."

In this sequel talk, we will provide an update and in-depth introduction on using many-cores to compute elliptic curve scalar multiplication, the core computation of ECM as well as ECC. We will report and compare state-of-the-art performance of scalar multiplication using various computing devices including GPU (NVIDIA CUDA), Cell (both Playstation 3 and the newer QS 22), and the latest 64-bit x86 processors (Intel Core 2 and AMD Phenom II). We will also explain how to achieve high computational throughput with these devices, e.g., by carefully managing the scarce on-die memories while having enough threads of computation for latency hiding.