2018 Research Projects for CS727

Each of you will choose a topic for your research project from the list below. Alternatively, you can propose a topic of your choice, as long as it relates to the aims of the course and the lecturers approve your choice.

Email the lecturers on or before Thursday March 22nd with your top 3 choices of project (subject line in email: "CS727 Research Project"). The lecturers will allocate the projects and tell you on or before Thursday March 29.

Projects comprise:
• A report of 10 pages max (any format will do). 16 marks.
• An oral presentation (15 mins + 10 min questions/discussion), to be done in the second part of the semester. 7 marks.
• One example question on your project that could be used in the final exam.
There is no particular template or style for the project or presentation.

Projects will be due on Friday of week 11 (May 25th). Presentations will take place on weeks 8-12. There will be no lectures on weeks 6 and 7. During those weeks you should work on your projects and presentations, and get feedback from the lecturers on your projects and presentations.

Students should attend all the talks, if possible. We will keep a record of attendance. The topics in the talks are part of the course material and can be examined in the final exam. Student talks will not be recorded, and student project reports will not be given to the other students. Audience members will complete a review form for each presentation. Each member of the class will be allocated a topic for which they will ask a question after the talk. You will be awarded up to 3 marks for your question, depending on its quality and relevance.

For each talk we will allocate one student to ask an interesting question to the presenter. You will get a mark based on the quality of the question (3% of your final mark). Let us know any timetable constraints on when you can be the questioner.

Grading schemes

Assessment of Written Reports (16 marks)
• 5 marks: Sources. Does the report contain a thorough review of the literature? Did you find all the important references? Are your sources up-to-date, relevant and professional?
• 6 marks: Accuracy. Does the report present a correct summary of the problem? Is it well written? Can your fellow students rely on the information presented in the report?
• 5 marks: Depth. Have you understood the topic thoroughly? Is there something new in your analysis or discussion? Would a professional learn anything valuable by reading your report?

Assessment of Presentation (7 marks)
• 3 marks: A clear introduction to the problem and summary of the security issues. Communication clear and precise.
• 2 marks: Accurate summary of the technical details of the topic.
• 2 marks: Confidently answering questions from the audience.

Assessment of Questions (3 marks)
• Is the question relevant to the topic? Does it show you understood the topic and presentation?

We draw your attention to the university policy on academic integrity and plagiarism: https://www.auckland.ac.nz/en/students/forms-policies-and-guidelines/student-policies-and-guidelines/academicintegrity-copyright.html

All references used in your report and presentation should be cited carefully. You should clearly identify any text, figures or images that are copied from other references. The discussion should be written in your own words. If you have any doubts about how to reference, or what to write, then discuss with the lecturers.

Technical topics

• Meltdown and Spectre https://meltdownattack.com/

• KRACK attack on WPA2 (key reinstallation attack) https://www.krackattacks.com/

• Heartbleed bug and related topics. Technical description and fixes http://heartbleed.com/ https://en.wikipedia.org/wiki/Cloudbleed

• Lucky 13 attack on TLS http://www.isg.rhul.ac.uk/tls/Lucky13.html http://www.isg.rhul.ac.uk/tls/

• ROCA vulnerability (Return of the Coppersmith Attack/Infineon smart card) https://en.wikipedia.org/wiki/ROCA_vulnerability https://crocs.fi.muni.cz/public/papers/rsa_ccs17

• The ROBOT Attack - Return of Bleichenbacher's Oracle Threat https://robotattack.org/

• Android packers https://en.wikipedia.org/wiki/Executable_compression https://www.ma.rhul.ac.uk/static/techrep/2015/RHUL-MA-2015-10.pdf

• Secure Computation using Intel SGX https://software.intel.com/en-us/articles/innovative-technology-for-cpu-based-attestation-and-sealing https://pdfs.semanticscholar.org/2d7f/3f4ca3fbb15ae04533456e5031e0d0dc845a.pdf https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf

• Using hardware-supported protection for data privacy in the cloud: https://csdl.computer.org/csdl/proceedings/sp/2018/4353/00/435301a405.pdf

• Practical issues with Diffie-Hellman key exchange/Logjam attack https://weakdh.org/

• Practical issues with RSA and random generation “Mining your Ps and Qs: Detection of widespread weak keys in network devices”. N. Heninger et al. Usenix Security 2012. https://factorable.net/

• Remote timing attacks http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html https://eprint.iacr.org/2011/232

• Fault attacks on smart cards http://cs.ucsb.edu/~koc/cren/docx/13fault.pdf

• Differential fault analysis of secret key cryptosystems, http://link.springer.com/chapter/10.1007/BFb0052259

• Cold boot attacks “Lest we remember: Cold boot attacks on encryption keys”. J A Halderman et al. Usenix Security 2008 https://www.usenix.org/event/sec08/tech/full_papers/halderman/halderman.pdf

• Post-quantum crypto http://www.springer.com/gp/book/9783540887010 https://pqcrypto.org/ http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

• Hash-based signatures https://en.wikipedia.org/wiki/Merkle_signature_scheme https://sphincs.cr.yp.to/ http://csrc.nist.gov/groups/ST/post-quantum-2015/papers/session5-hulsing-paper.pdf

• Homomorphic encryption https://en.wikipedia.org/wiki/Homomorphic_encryption https://eprint.iacr.org/2015/1192

• Algebraic Aspects of AES http://link.springer.com/book/10.1007%2F978-0-387-36842-9

Less Technical topics

• Overview of PGP/Gnupg http://www.pgpi.org/doc/pgpintro/ https://www.gnupg.org/gph/en/manual.html

• Issues with key management in PGP https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/

• Bitcoin: Crypto building blocks S. Nakamoto: https://bitcoin.org/bitcoin.pdf http://blog.ezyang.com/2011/06/the-cryptography-of-bitcoin/ Andreas M. Antonopoulos, Mastering Bitcoin, https://uplib.fr/w/images/8/83/Mastering_Bitcoin-Antonopoulos.pdf

• Blockchain: Non-currency applications, privacy in blockchain https://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2662660 Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts, https://eprint.iacr.org/2015/675 MedRec: Using Blockchain for Medical Data Access and Permission Management: https://medrec.media.mit.edu/ Decentralizing Privacy: Using Blockchain to Protect Personal Data: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163223

• Storing personal information on blockchain technology and retrieving it: http://papers.www2017.com.au.s3-website-ap-southeast-2.amazonaws.com/companion/p1431.pdf https://sovrin.org/

• Electronic voting http://link.springer.com/book/10.1007/978-1-4615-0239- http://www0.cs.ucl.ac.uk/staff/J.Groth/VotingScheme.pdf

• Cloud security https://stratus.org.nz/ http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7956.pdf

• Encryption in Smartphones/Android File Encryption: https://blog.cryptographyengineering.com/2016/11/24/android-n-encryption/

• Internet of things https://www.owasp.org/index.php/IoT_Security_Guidance http://www.gsma.com/connectedliving/wp-content/uploads/2016/02/CLP.11-v1.1.pdf https://www.iab.org/wp-content/IAB-uploads/2011/03/Kaftan.pdf

• Signal/WhatsApp secure messaging https://en.wikipedia.org/wiki/Signal_(software) https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

• The SHA3 design and standardisation process http://keccak.noekeon.org/ http://csrc.nist.gov/groups/ST/hash/ https://en.wikipedia.org/wiki/NIST_hash_function_competition https://shattered.io/static/shattered.pdf

• The TLS 1.3 design process and technical specification https://kinsta.com/blog/tls-1-3/ https://tlswg.github.io/tls13-spec/ https://www.ietf.org/mail-archive/web/tls/current/maillist.html

• eSTREAM project Matthew Robshaw and Olivier Billet, New Stream Cipher Designs, http://link.springer.com/book/10.1007%2F978-3-540-68351-3

• Authenticated Encryption and the CAESAR competition https://en.wikipedia.org/wiki/Authenticated_encryption https://competitions.cr.yp.to/caesar.html https://aezoo.compute.dtu.dk/doku.php

• Mix networks: A Survey on Mix Networks and Their Secure Applications, http://www2.ee.washington.edu/research/nsl/papers/proceedings-06.pdf https://en.wikipedia.org/wiki/Mix_network

• Side channel attacks on crypto http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/papers/physecpaper19.pdf http://www.techdesignforums.com/practice/guides/side-channel-analysis-attacks/ http://www.springer.com/gp/book/9780387718279