Talk at #days

I am fortunate enough to give a talk at #days, a security conference organized by the DEFCON Switzerland association and scheduled November 3-6, 2010, at the Radisson BLU hotel in Lucerne (Switzerland).Hashdays Logo

My talk will focus on the security of open-source cryptography libraries, mainly when used on embedded platforms. Here is its abstract:

In this talk, we will discuss the (low-level) security of common open-source general-purpose cryptographic libraries, like OpenSSL and sisters, towards various types of side-channel attacks. Although bringing a rather adequate practical security when used on high-end architectures, like desktop and server ones, using such libraries to secure applications running on embedded platforms is more than problematic, as we will show using several practical examples. For instance, we will demonstrate that most open-source cryptographic code runs in time dependent on secret values, like RSA private keys, for instance. We propose to discuss how an attacker can leverage this knowledge by mounting practical timing attacks, or by exploiting other physical leakages, which is information that is most of the time quite easily to obtain on embedded platforms. Finally, we will describe several best-practice techniques of secure programming that are currently almost never applied in common open-source cryptographic libraries.

ACM-DRM 2010 Paper

A paper, co-written with Alexandre Karlov of Nagravision SA and titled “An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies“, has been accepted for presentation at the ACM-DRM 2010 workshop (list of accepted papers), which will be held in conjunction with the 17th ACM-CCS in Chicago (USA) on October 4th, 2010. The final version of our paper is not ready yet, but here is at least its abstract:

We describe a new public-key and provably secure attribute-based broadcast encryption scheme which supports complex access policies with AND, OR and NOT gates. Our scheme, especially targeting the implementation of efficient Pay-TV systems, can handle conjunctions of disjunctions (CNF) by construction and disjunctions of conjunctions (DNF) by concatenation, which are the most general forms of Boolean expressions. It is based on a modification of the Boneh-Gentry-Waters broadcast encryption scheme in order to achieve attribute collusion resistance and to support complex Boolean access policies. The security of our scheme is proven in the generic model of groups with pairings. Finally, we compare our scheme to several other Attribute-based Broadcast Encryption designs, both in terms of bandwidth requirements and implementation costs.

On the funny side, the DRM field looks like to adopt more and more zero-knowledge techniques: the first e-mail received from the program committee is a good illustration thereof (the ambiguity has then been corrected very quickly by the PC chairs):

Dear Pascal Junod:

Thank you very much for submitting your paper "An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies" to ACM-DRM 2010. We are very pleased to inform you that your submission was not among the selected ones.

Please revise your paper according to the reviewers's comments (see below). You should prepare your camera-ready version according to the ACM proceedings format ( You will be contacted by Lisa Tolles (Sheridan Printing) with detailed instructions and guidelines. The deadline for submitting your revised version is August 16 (this is a firm deadline).

Yours sincerely,

Hongxia Jin, Marc Joye ACM-DRM 2010 Program Chairs