ERCIM NEWS Number 106 July 2016 www.ercim.eu Research and Innovation: High-Density Data Storage in Phase-Change Memory by Haralampos Pozidis, Nikolaos Papandreou, Thomas Mittelholzer and Evangelos Eleftheriou Research and Society: On the Occasion of Aad van Wijngaarden’s 100th Birthday International Informatics by Gerard Alberts Also in this issue: Keynote: Cybersecurity: A Key Pillar of the European Digital Single Market by Afonso Ferreira and Paul Timmers DG CONNECT, European Commission Special theme Cyber- Security



Editorial Information

ERCIM News is the magazine of ERCIM. Published quarterly, it reports on joint actions of the ERCIM partners, and aims to reflect the contribution made by ERCIM to the European Community in Information Technology and Applied Mathematics. Through short articles and news items, it provides a forum for the exchange of information between the institutes and also with the wider scientific community. This issue has a circulation of about 6,000 printed copies and is also available online.

ERCIM News is published by ERCIM EEIG
BP 93, F-06902 Sophia Antipolis Cedex, France
Tel: +33 4 9238 5010, E-mail: [email protected]
Director: Jérôme Chailloux
ISSN 0926-4981

Contributions
Contributions should be submitted to the local editor of your country.

Copyright notice
All authors, as identified in each article, retain copyright of their work. ERCIM News is licensed under a Creative Commons Attribution 4.0 International License (CC-BY).

Advertising
For current advertising rates and conditions, see http://ercim-news.ercim.eu/ or contact [email protected]

ERCIM News online edition
The online edition is published at http://ercim-news.ercim.eu/

Next issue
July 2016, Special theme: Cybersecurity

Subscription
Subscribe to ERCIM News by sending an email to [email protected] or by filling out the form at the ERCIM News website: http://ercim-news.ercim.eu/

Editorial Board:
Central editor: Peter Kunz, ERCIM office ([email protected])

Local Editors:
Austria: Erwin Schoitsch ([email protected])
Belgium: Benoît Michel ([email protected])
Cyprus: Ioannis Krikidis ([email protected])
Czech Republic: Michal Haindl ([email protected])
France: Steve Kremer ([email protected])
Germany: Michael Krapp ([email protected])
Greece: Eleni Orphanoudakis ([email protected]), Artemios Voyiatzis ([email protected])
Hungary: Andras Benczur ([email protected])
Italy: Carol Peters ([email protected])
Luxembourg: Thomas Tamisier ([email protected])
Norway: Poul Heegaard ([email protected])
Poland: Hung Son Nguyen ([email protected])
Portugal: Joaquim Jorge ([email protected])
Spain: Silvia Abrahão ([email protected])
Sweden: Kersti Hedman ([email protected])
Switzerland: Harry Rudin ([email protected])
The Netherlands: Annette Kik ([email protected])
W3C: Marie-Claire Forgue ([email protected])

Cover photo source: Beeldbank TNO

Keynote

Cybersecurity: A Key Pillar of the European Digital Single Market

by Afonso Ferreira (European Commission, on leave from the French CNRS) and Paul Timmers (European Commission)

In February 2016 one of the largest heists in history was attempted against a Bangladesh bank. Gangsters tried to rob almost 1 US$ Billion and disappear in the Philippines. At the time of this writing 81 US$ Million are still unaccounted for and seemingly unrecoverable. This was a crime committed exclusively in cyberspace until electronic orders were transformed into cash. The current state of investigations points to the fact that the computer hackers only had to tamper with two bytes twice in the bank software in order to get away with the money.

Cybersecurity is an ever-growing challenge for companies, states and individuals, as digital technologies become more widely used in economic, social and governance matters. With the convergence of the cyber and the physical spaces, risks and threats in cyberspace may increasingly affect physical space and individuals' livelihoods. Cyber incidents and attacks can disrupt the supply of essential services for our societies, since digital technologies are complex and underpin other systems and services, like finance, health, energy and transport.

On the positive side, with the fast continuing evolution of information and communication technologies (ICT) and their integration into almost every facet of modern society, enormous opportunities for innovation are created. Digital technologies and the Internet are the backbone of our society and economy; they are key enablers of prosperity and freedom. A high level of network and information security (NIS) across the EU is essential to ensure consumer confidence and to keep the online economy running. This will, in turn, preserve the well-functioning of the internal market and will boost growth and jobs. Cybersecurity is therefore an integral part of a much broader transformation across society, driven by the digital revolution.

Consequently, the European Union works on a number of fronts to ensure cybersecurity in Europe, supported by ENISA, the European Network and Information Security Agency.

EU Strategies and Legislation

The Cybersecurity Strategy for the European Union provided in 2013 the overall strategic framework for the EU initiatives on cybersecurity. Its goal is to ensure strong and effective protection and promotion of citizens' rights so as to make the EU's online environment the safest in the world.

Also in 2013 the European Commission put forward a proposal for the NIS Directive, with measures to ensure a high common level of network and information security across the Union. It should be adopted in summer 2016 and provides legal measures to boost the overall level of cybersecurity in the EU. Once adopted and implemented, the NIS Directive will benefit citizens, government, and businesses, who will be able to rely on more secure digital networks and infrastructure to access or provide essential services online.

The establishment of the NIS Public-Private Platform was announced in the Cybersecurity Strategy, to foster the resilience of the networks and information systems which underpin the services provided by market operators and public administrations in Europe. Its Working Group on secure ICT research and innovation was tasked with the preparation of the European Strategic Research Agenda in Cybersecurity (SRA), which was delivered by end 2015.

Finally, one of the 16 initiatives set in the Digital Single Market Strategy is the launch of an ambitious contractual public-private partnership (cPPP) on cybersecurity. It aims to strengthen the EU cybersecurity industry and make sure European citizens and businesses have access to more innovative, secure and user-friendly solutions that take into account European rules and values.

The Cybersecurity cPPP will deliver innovation against a roadmap for research and innovation (based on the SRA developed by the NIS Platform). It will implement:
• Bottom-up cooperation on research and innovation between Member States and industrial actors in the upstream part of the innovation life cycle.
• Better alignment of demand and supply sectors for cybersecurity.
• Synergies to develop common, sector-neutral technological building blocks.
• Engagement of big customers of cybersecurity solutions to define common requirements for their sector.
• Parts of the DSM Priority Standardisation Plan, as announced in the Digitising European Industry strategy launched in April 2016.
• Mechanisms to ease access to finance as well as developing human capacities.

The cPPP will maximize the use of Horizon 2020 funds through better focus on a few technical priorities, leveraging funding from Leadership in Enabling and Industrial Technologies and Societal Challenge Secure Societies to deliver societal benefits for users and provide visibility to European Research and Innovation excellence in cybersecurity.

The views expressed in the article are the sole responsibility of the authors and in no way represent the view of the European Commission and its services.

Photo: Afonso Ferreira (left) and Paul Timmers (right), DG CONNECT, European Commission.

Contents

KEYNOTE

3 Cybersecurity: A Key Pillar of the European Digital Single Market
by Afonso Ferreira (DG CONNECT, European Commission, on leave from the French CNRS) and Paul Timmers (DG CONNECT, European Commission)

RESEARCH AND SOCIETY

6 On the Occasion of Aad van Wijngaarden's 100th Birthday: International Informatics
by Gerard Alberts

SPECIAL THEME

The special theme section "Cybersecurity" has been coordinated by Fabio Martinelli (IIT-CNR) and Edgar Weippl (SBA Research)

Introduction to the Special Theme
8 Cybersecurity
by Fabio Martinelli (IIT CNR) and Edgar Weippl (SBA Research)

Invited contribution
9 Digital Witness: Digital Evidence Management Framework for the Internet of Things
by Ana Nieto, Rodrigo Roman and Javier Lopez (University of Malaga)

Cryptography
10 Security Assessment of Software Security: A Closer Look at White-Box Cryptographic Implementations
by Joppe W. Bos and Wil Michiels (NXP)
11 CREDENTIAL: Secure Cloud Identity Wallet
by Nicolás Notario (Atos), Stephan Krenn (AIT), Bernd Zwattendorfer (Stiftung SIC) and Felix Hörandner (TU Graz)
12 GNU Taler: Ethical Online Payments for the Internet Age
by Florian Dold and Christian Grothoff (Inria)
14 A Tool-Chain for High-Assurance Cryptographic Software
by José Almeida, Manuel Barbosa, Hugo Pacheco and Vitor Pereira (INESC TEC)
15 Code-Based Cryptography: New Security Solutions Against a Quantum Adversary
by Nicolas Sendrier and Jean-Pierre Tillich (Inria)
17 Using Cryptography to Control Your Data at a Distance
by Colin Boyd, Gareth T. Davies, Kristian Gjøsteen (NTNU), Håvard Raddum and Mohsen Toorani (University of Bergen)
18 A New Architecture for Developing Cryptographic Cloud Services
by Thomas Lorünser (AIT Austrian Institute of Technology GmbH), Daniel Slamanig (TU Graz), Thomas Länger (University of Lausanne) and Henrich C. Pöhls (University of Passau)
20 Deprecating an Internet Security Standard with Cryptanalysis
by Marc Stevens (CWI)

Data
21 Thwarting Uniqueness in Datasets of Spatiotemporal Trajectories
by Marco Gramaglia (UC3M and IMDEA Networks) and Marco Fiore (CNR-IEIIT)
22 Using JavaScript Monitoring to Prevent Device Fingerprinting
by Nataliia Bielova, Frédéric Besson and Thomas Jensen (Inria)
23 CHERI: A Hardware-Software System to Support the Principle of Least Privilege
by Robert N. M. Watson, Simon W. Moore (University of Cambridge) and Peter G. Neumann (SRI International)
25 Privacy-Preserving Indoor Localisation and Navigation
by Andreas Konstantinidis, Georgios Chatzimilioudis and Demetrios Zeinalipour-Yazti (University of Cyprus)
26 Social Fingerprinting or the Truth About You
by Stefano Cresci, Marinella Petrocchi, Maurizio Tesconi (IIT-CNR), Roberto Di Pietro (Nokia Bell Labs), and Angelo Spognardi (DTU)
27 Flexible Decentralised Access Control using Invitation-Response Dialogue
by Arthur Melissen (Coblue Cybersecurity)
28 Data Sharing Agreements: How to Glue Definition, Analysis and Mapping Together
by Carmela Gambardella (Hewlett Packard Enterprise Italy), Ilaria Matteucci, and Marinella Petrocchi (IIT-CNR)
30 Data Usage Control: Introducing a New Framework for Cloud and Mobile Environments
by Paolo Mori, Andrea Saracino (IIT-CNR) and Francesco Di Cerbo (SAP Labs France)

Network
31 Robust and Scalable DTLS Session Establishment
by Marco Tiloca, Christian Gehrmann and Ludwig Seitz (SICS)
33 Client-Server Framework for Securely Outsourcing Computations
by Thijs Veugen (TNO)
34 A Root of Trust for the Personal Cloud
by Benjamin André (Cozy Cloud), Nicolas Anciaux, Philippe Pucheral and Paul Tran-Van (Inria)
35 VirtuWind: Security in a Virtual and Programmable Industrial Network Prototype Deployed in an Operational Wind Park
by Ioannis Askoxylakis, Nikolaos Petroulakis (FORTH), Vivek Kulkami and Florian Zeiger (Siemens)

Systems
37 Bypassing Malware Obfuscation with Dynamic Synthesis
by Fabrizio Biondi, Sébastien Josse, and Axel Legay (Inria)
38 SPLIT: Security Protocol Interaction Testing in Practice
by Dimitris E. Simos (SBA Research)
39 Gorille: Efficient and Relevant Software Comparisons
by Philippe Antoine, Guillaume Bonfante and Jean-Yves Marion (Loria)
41 Vulnerability Prediction Against Fault Attacks
by Nisrine Jafri, Axel Legay and Jean-Louis Lanet (Inria)
42 Challenges in Android Malware Analysis
by Valérie Viet Triem Tong (CentraleSupélec), Jean-François Lalande (INSA Centre Val de Loire) and Mourad Leslous (Inria)

Cyber-Physical Systems
44 Cybersecurity in Robotic Systems
by Vicente Matellán, Francisco J. Rodríguez Lera and Jesús Balsa (University of León)
45 Co-engineering Security and Safety Requirements for Cyber-Physical Systems
by Christophe Ponsard, Philippe Massonet and Gautier Dallons (CETIC)
47 Cyber-Physical Systems: Closing the Gap between Hardware and Software
by Marcel Caria (TU Braunschweig)

Cybercrime
48 SENTER: A Network of the European Centres of Excellence in Cyber Crime Research, Training, and Education
by Evangelos Markatos (ICS-FORTH), Egidija Veršinskienė and Evaldas Bružė (L3CE)
49 A Network of Internet Probes for Fighting Cyber Attacks
by Ernő Rigó and Mihály Héder (MTA SZTAKI)
51 CyberWISER-Light: Supporting Cyber Risk Assessment with Automated Vulnerability Scanning
by Anže Žitnik (XLAB), Antonio Álvarez Romero (ATOS) and Stephanie Parker (TRUST-IT)
52 CISA: Establishing National Cyber Situational Awareness to Counter New Threats
by Florian Skopik, Maria Leitner and Timea Pahi (AIT Austrian Institute of Technology)
54 On Reducing Bottlenecks in Digital Forensics
by Martin Schmiedecker and Sebastian Neuner (SBA Research)
55 Multi-View Security and Surveillance at MTA SZTAKI
by László Havasi and Tamás Szirányi (MTA SZTAKI)

RESEARCH AND INNOVATION

This section features news about research activities and innovative developments from European research institutes

58 High-Density Data Storage in Phase-Change Memory
by Haralampos Pozidis, Nikolaos Papandreou, Thomas Mittelholzer, Evangelos Eleftheriou
60 CAxMan: Design for Additive Manufacturing Made Easy and Cost-effective
by Giulia Barbagelata (STAM), Marco Attene (CNR-IMATI) and Tor Dokken (SINTEF)

EVENTS, IN BRIEF

Announcements
57 ACM CCS 2016: 23rd ACM Conference on Computer and Communications Security
57 STM 2016: 12th International Workshop on Security and Trust Management
61 ERCIM Fellowship Programme
62 ERCIM Programme for PhD Education
62 W3C Web & Virtual Reality Workshop
62 ERCIM Membership

Research and Society

On the Occasion of Aad van Wijngaarden's 100th Birthday

International Informatics

by Gerard Alberts

Building up informatica, as computer science came to be called in The Netherlands, has been an international affair. Aad van Wijngaarden, 1916-1987, founding father of Dutch computer science, was responsible for forging international collaboration and helping to make informatics an international endeavour. His influence reached from cooperative efforts in building computers in the 1940s to Algol68, the epitome of his style of computing. CWI commemorates his 100th birthday this year.

London

It was in London, February 1946, that Aad van Wijngaarden's decision marked the beginning of computer science for The Netherlands. Sent out by Delft University of Technology on assignment to collect all available literature and reprints on the latest developments in mechanical and naval engineering that Dutch research might have missed during the war years, Van Wijngaarden wrote to his supervisor, C.B. Biezeno, that the latest developments in mathematical machines were worthy of a separate report. Up to this point computing had been an auxiliary activity for fields such as engineering, astronomy and physics, but here was a young academic in engineering with his finger on the pulse of international developments and bringing computing into the limelight.

His two Delft mentors facilitated Van Wijngaarden's trip to London: Jan Burgers and Cornelis Biezeno. The first, professor of fluid dynamics, known for the Burgers equation; the latter, professor of Applied Mechanics and known for the big book with Richard Grammel, Technische Dynamik. Burgers created the scheme that sent out a dozen young Delft scholars on a post-war reconnaissance tour to the United Kingdom. Biezeno chose Van Wijngaarden to be a member of that team and assigned him two study topics.

During the war years Van Wijngaarden had been calculating tedious computations in turbulence supervised by Burgers. When in early 1945 Burgers asked him to summarise the work in a dissertation, Aad rejected and threw away the results because it simply lacked beauty. At this point Biezeno, for whom he had solved several major problems raised in Technische Dynamik, stepped in and saved the day by guiding him to a cum laude doctorate on those results, which he completed by December 1945. These two teachers not only taught him to do sophisticated computations, but perhaps just as importantly raised him in an atmosphere of internationally oriented scholarship. Biezeno and Burgers had earlier created the tradition of quadrennial congresses in Theoretical and Applied Mechanics, starting in Delft in 1924. Now, in 1948, Burgers oversaw the formation of a committee on computing technology chaired by the Parisian professor Auger, with Van Wijngaarden as its secretary. They sent letters to academics throughout northern Europe with the hope of engaging other institutions and, although the responses were sparse, the spark of international cooperation was lit.

Amsterdam

It was in Amsterdam, February 11th 1946, that mathematicians turned their ambition to put mathematics at the service of society into the founding of a research institute, the Mathematical Centre, now CWI. Van Wijngaarden was appointed head of the centre's computing department by January 1947. Most of his first year was spent in the UK and the US. It is likely that anyone in that position would have been destined to be considered as the founding father of informatica in The Netherlands, but Van Wijngaarden went well beyond the call of duty. He was capable of making the leaps of intellect, the reflections that lifted the emerging discipline to new levels of abstraction. In those early years, Van Wijngaarden contributed to the field then known as numerical analysis with subtle reflections on rounding-off errors when using the new machine power.

Machines, however, were not readily available. Means and components were scarce in a small country like The Netherlands, and once again international cooperation was sought, with both Belgium and France, to no avail. In 1949 and 1951 two very promising bids were made for a Unesco-sponsored International Computing Centre (ICC) to be established in Amsterdam with the Mathematical Centre. The dynamics of the Cold War placed the ICC in Rome. Although Amsterdam was on its own now to construct machines, Van Wijngaarden followed the English and American examples. The 1952 ARRA was largely an emulation of Booth's ARC in London.

At this time, building computers was one thing, but getting them properly programmed quite another. Van Wijngaarden had the vision to appoint Edsger W. Dijkstra as an assistant for the programming of the ARRA, well before that machine was dedicated, midsummer 1952. Many Europeans learnt programming with Maurice Wilkes at the Cambridge Summer School. Further reflections on programming were absorbed at international conferences, for example Rutishauser's concern about readable formulation and unified notation of computer programs, in Darmstadt 1955.

IFIP

International exchange intensified and, quite naturally through his international presence, Aad van Wijngaarden was closely involved in preparing, under the aegis of Unesco, the International Conference on Information Processing, to be held in Paris in the summer of 1959. Cold War circumstances dictated that the envisaged international union could only materialise as a federation of national societies, one per country. Hence, in the spring of 1958 on a terrace in Paris, it was decided to create a Dutch society for computing machinery, NRMG.

That summer, August 1958, Van Wijngaarden's work came to a cruel standstill. Being invited to give a talk at the International Congress of Mathematicians in Edinburgh was a highlight of his career. Leaving the conference with his wife for a holiday in Scotland, his car crashed. His wife died and he spent time recovering in hospital until November. Rather than pick up the pieces after this disaster, he decided to start a new life and embark on a new career: he became a specialist in programming languages.

What for him was a new career was in fact the next step of abstraction in the emerging discipline of computer science. Stepping up from the Darmstadt concern of program notation, a committee of European and American computing specialists joined efforts towards a system of unified notation. The committee was initiated by the German founding father of computer science, Friedrich Bauer. Their next step was to call such a system a language, at first in 1958 International Algebraic Language (IAL), and later Algorithmic Language (ALGOL). The language metaphor had been suggested a few years before in debates on programming in the US, and was now adopted to become the cornerstone of computer science worldwide. It was this wagon that Van Wijngaarden, together with his Amsterdam team, joined in 1959. Computer science was now starting to look like a discipline, an international discipline. And at the Mathematical Centre, the computing department had set its internationally flavoured research agenda.

Copenhagen

From 1959 Aad van Wijngaarden joined the ALGOL committee, taking Dijkstra and others to the preparatory meetings, himself voting at the final meeting in Paris, January 1960, and performing as one of the authors of the ALGOL report. Dijkstra and Zonneveld joined him on a subsequent trip to Copenhagen to meet Peter Naur, acting editor of the ALGOL report, and left with the invitation to come and see a working ALGOL compiler in half a year in Amsterdam, August 16th 1960. Van Wijngaarden, prompted by Dijkstra on his side, changed the ALGOL agenda by calling Peter Naur on the telephone and convincing him of phrasing the call for procedures in the defining report in such a way that it would allow recursive procedures, a sharply controversial issue for Friedrich Bauer's German team. Writing the ALGOL compiler in time and in a novel style, Dijkstra convincingly fulfilled the promises of the amended ALGOL agenda.

IFIP, prepared at the 1959 Paris conference and founded in 1960, created the water to swim in for the internationally oriented scholar Van Wijngaarden. IFIP adopted the ALGOL agenda by creating a working group, WG 2.1, for the development of a successor language. Here Aad van Wijngaarden effectively took the lead with abstract notions of design of language. He astonished the 1965 meeting of WG 2.1 at St. Pierre de Chartreuse with orthogonality and two-level grammars, later known as Van Wijngaarden grammars. Standing in awe, the meeting decided that whatever the details of the definition of the new language, it should be formulated along these lines. The successor language came to be ALGOL 68, presented at the IFIP congress in Edinburgh and finalized in December 1968, in a report dense with mottos, intellectual puns, and literary references. As if the personal mark needed further emphasis, Aad van Wijngaarden garnished the back cover of the report with a small hidden @, his personal bookmark symbol.

As a piece of art, ALGOL 68 had, and still has, a small community of admirers. As a programming language, as a tool, it was a failure. It realised the ALGOL agenda set in 1958 in the most beautiful and least practical way. Ten years on, however, the agenda had shifted to software engineering, with new pressing questions and a new generation of bright spirits.

The true influence of Van Wijngaarden internationally, apart from his avid cooperation and cooperative spirit, was that he fuelled the intellectual fire in WG 2.1 to such an extent that it spun off in all directions: one deriving from it new principles of language design yet a level of abstraction higher, another turning orthogonality into SIMULA and object thinking, a third bringing the inspiration down to earth, resulting in the development of the language Pascal that educated generations of computer scientists. To The Netherlands Van Wijngaarden left a discipline following research agendas, with a bias for theoretical directions and daring abstractions. In his footsteps, informatica was naturally an international endeavour.

Please contact:
Gerard Alberts, University of Amsterdam, The Netherlands
[email protected]

Picture: Aad van Wijngaarden at the Mathematisch Centrum in Amsterdam in 1951. Picture: CWI.

Special theme: Cybersecurity

Introduction to the Special Theme

Cybersecurity

by Fabio Martinelli (IIT-CNR) and Edgar Weippl (SBA Research)

Public interest in cyber security is on the rise, owing largely to the increasingly pervasive nature of cyber technologies and their ability to enhance our quality of life, affecting most of our activities (either visibly or invisibly). In the past, our interactions with PCs were limited to particular working activities. Now, even during our daily commutes, in our cars we are surrounded by hundreds of electronic control units (ECU), our mobile phones are next to us, and our smart watches observe and record every breath.

Indeed, the digital revolution spreads information and communication technologies anywhere, anytime. More application fields open up more opportunities for attack, and the motivations and the possible scale of attacks change, no longer being restricted to economically motivated attacks but extending to cyber terrorism (cyber crime is also mentioned in the Keynote in this special issue). As technologies evolve, the security situation thus becomes far more complex, necessitating new, enhanced cyber security methods and approaches.

There is a need for increased effort, covering the new fields and addressing the new data economy that new technology such as the Internet of Things (IoT) is creating. Unprecedented amounts of data are being collected by devices, cameras, sensors, and ICT services and can be used to analyse, predict, inform and influence digital and even physical and social behaviour (just consider the increasing relevance of social networks). The protection of data is thus a paramount objective from both technical and social perspectives. We need to empower users to define how data are collected, analysed, transferred, aggregated and ultimately used. Privacy concerns are increasingly relevant and the relationships between surveillance and privacy should be carefully considered.

The increased networking capabilities allow the creation of systems of systems and cyber-physical systems where the digital and physical worlds meet, thus merging safety issues with security issues. Consequently, it is vital that we develop ways of addressing both safety and security in complementary ways when analysing, designing and engineering systems. While achieving zero vulnerabilities is a holy grail in our community, their reduction should be a constant aim, which is reflected in the articles featured in this issue.

In our highly interconnected world, we require new methods and approaches to risk assessment that can exploit data in a cooperative manner, ideally whilst preserving the privacy of prosumers (producers and consumers). Collectively sharing information and benefiting from it is an increasing trend that should be fostered by technical and policy means (e.g., the NIS directive).

From a technical perspective, European researchers have significant expertise in cryptography, which lies at the core of many security technologies, and several articles featured in this special issue cover areas ranging from cryptography implementation to crypto techniques for data control.

Cyber crime is undoubtedly a recurrent major concern in our interconnected world, and efforts to prevent cyber crime need to be ongoing. Cyber protection is one of the mechanisms, along with the creation of frameworks that facilitate forensic activities that can involve all relevant stakeholders. The new revolution of e-currencies, with technologies such as blockchain, will create new issues as well as new opportunities for the growth of the digital civilisation we are experiencing.

Thus, not surprisingly, this ERCIM News special issue on cyber security has attracted a significant number of contributions, grouped within the following areas:
• Cryptography
• Data
• Network
• Systems
• Cyber-physical systems
• Cyber crime

Overall these articles present a variety of research results that show the richness and range of cyber security issues and their application domains. The ERCIM community and European stakeholders, including industry, are currently merging their efforts to successfully address the challenges of cyber security.

Please contact:
Fabio Martinelli, IIT CNR, [email protected]
Edgar Weippl, SBA Research, [email protected]

  • ERCIM NEWS 106 July 2016 9

    The growing density of net-works formed by devices withheterogeneous capabilities andusers with different profilesposes new challenges to cyber-security. One clear example ofthis is the Internet of Things(IoT) paradigm, where cyber-offenses not only cyber-attacks take place in verydynamic, polymorphic andeven isolated scenarios [1].There are too many devices tobe controlled, and any devicewith minimal computing andcommunications capabilitiescan perpetrate cyber-attackswithout leaving a trace. In sucha scenario, and in order to clarify thefacts of a cyber-crime scene, it is essen-tial to collect and handle electronic evi-dence within a Chain of Custody (CoC).Yet this is a problem that is impossible tosolve only with existing tools.

The IoTest project [L1] aims to help solve this problem by introducing a security solution that is drastically different from those that have been used to date. This project proposes the design and development of the digital witness, a trusted electronic device capable of obtaining and safeguarding electronic evidence. More specifically, a digital witness: (i) binds the user's identity to his/her personal device, (ii) has a core of trust that is able to protect the integrity of one or more electronic pieces of evidence according to the law, within a trusted execution environment, (iii) ensures that only authorised entities have access to the evidence, and (iv) is able to witness the traceability of the evidence.

Furthermore, a digital witness (v) is able to send digital evidence to other digital witnesses or any other entity with the authority to safeguard the electronic evidence. The user's identity and the capabilities of his device determine the type and role of a digital witness, which opens the door to the creation of digital witnesses with different profiles (e.g., police cars as mobile custodians). These and other properties enable the creation of a digital chain of custody in IoT (IoT-DCoC) environments (see Figure 1). IoTest defines and works with this natural evolution to digital chains of custody [2].

These five basic requirements help to define a robust digital witness, and address several existing challenges in the emerging IoT-forensics paradigm [3]. In order to fulfil these requirements, the project will explore various novel concepts, such as the notion of binding credentials (BC). In this context, a BC is defined as any mechanism that provides a link between a user and a device, based on the user's identity. In addition, BCs can be used in conjunction with biometric capabilities in personal devices to ensure the presence of the user at the key moments within the life-cycle of the digital evidence.

IoTest is a novel project recently funded by the Spanish Ministry of Economy and Competitiveness under the EXPLORA Programme, a complementary action that encourages frontier research. Specifically, this project will also investigate the viability of more radical ideas in the context of future network environments, such as the implementation of the concept of digital witness in local clouds of personal IoT devices, the deployment of virtual digital witnesses that are linked to the identity of a privileged digital witness device, and the implementation of binding credentials associated with these virtual witnesses.

By using digital witnesses as a foundation for the creation of a digital chain of custody within IoT scenarios, the IoTest project aims to offer a dynamic solution that will record events in heterogeneous, unpredictable and uncertain scenarios. Moreover, since existing digital evidence processes and regulations are not prepared to deal with the new cybersecurity issues created by these highly dynamic and distributed scenarios, we expect that the deployment of digital witnesses will result in a qualitative advancement in the evolution of electronic evidence management systems, improving their ability to detect attacks and identify cybercriminals.

    Links:

[L1] https://www.nics.uma.es/projects/iotest

    References:

[1] A. Kasper, E. Laurits: Challenges in Collecting Digital Evidence: A Legal Perspective, The Future of Law and eTechnologies, 195-233, 2016.
[2] Y. Prayudi, S. Azhari: Digital chain of custody: State of the art, International Journal of Computer Applications, 114 (5), 1-9, 2015.
[3] E. Oriwoh et al.: Internet of things forensics: Challenges and approaches, 9th IEEE CollaborateCom, 608-615, 2013.

Please contact:

Ana Nieto, University of Malaga, Spain, +34 951 952914, [email protected]

Digital Witness: Digital Evidence Management Framework for the Internet of Things

    by Ana Nieto, Rodrigo Roman and Javier Lopez (University of Malaga)

We define the concept of digital witness: personal devices able to actively acquire, store and transmit digital evidence to an authorised entity, reliably and securely.

Figure 1: Digital Witness for Cybersecurity in IoT.

Owing to the widespread use of smart devices, which allow users to access a large variety of ubiquitous services, these platforms have become a valuable target to compromise. There are various ways to protect cryptographic secret key material, which might be used to secure your mobile payment transactions, decrypt streaming media content, or protect your fare during transit. Solutions range from using unprotected software implementations to tamper-resistant hardware implementations. In order to support as many devices as possible, there has been a trend in the last couple of years towards using secure cryptographic software implementations.

Note, however, that in many realistic scenarios the user of the device might be the adversary. In the streaming content scenario, for instance, a user might want to give a friend access to his or her subscribed content. This adversary controls the platform where the software is being executed, which allows one to perform static analysis on the software, inspect and alter the memory used, and even alter intermediate results during execution. This security model is referred to as the white-box model, and a software implementation of a cryptographic algorithm which is secure in this model is called a white-box implementation. This model was introduced in [1]. The idea is to use look-up tables rather than individual computational steps to implement the cryptographic algorithm. The usage of a fixed secret key is embedded in these tables, which are filled with pseudo-random data.

A well-known attack on hardware implementations is to collect power traces: a collection of power measurements over time when executing the cryptographic implementation on known input. The statistical behaviour of a power trace might correlate to, and hence reveal information about, the secret key material used (see [2]). In order to assess the security of white-box implementations we applied this side-channel information paradigm to the software implementation setting. To collect information we have used freely available dynamic binary instrumentation tools. In such tools additional analysis code is added to the original code of the client program at run-time in order to aid memory debugging, memory leak detection, and profiling. This allows one to monitor, modify and insert instructions in a binary executable. We have developed plugins for these tools which can collect software traces: a trace which records the read and write accesses made to memory. These software traces are used to deduce information about the secret embedded in the look-up tables of a white-box implementation in the same way as this is done with power traces for hardware in differential power analysis techniques. This means that we correlate key guesses with the measurements in the software traces. We named this approach differential computation analysis (DCA).

We have demonstrated in [3] that DCA can be used to efficiently extract the secret key from all publicly available white-box implementations. In contrast to the current cryptanalytic methods to attack white-box implementations, this technique does not require any knowledge about the implementation strategy used, can be mounted without much technical cryptographic knowledge in an automated way, and extracts the key significantly faster. We have created a tool which can visualize the traces (accesses to memory). Figure 1 shows an example of a software execution trace of a white-box implementation of the Advanced Encryption Standard (AES). The virtual address space is represented on the x-axis while the y-axis


Security Assessment of Software Security: A Closer Look at White-Box Cryptographic Implementations

    by Joppe W. Bos and Wil Michiels (NXP)

Secure software implementations in the white-box attack model (where the user can be the adversary) are being used to secure smart devices. At NXP we have created a new technique for security assessment which allows one to efficiently extract the secret key from all publicly available white-box implementations. This highlights the risk of using such solutions for certain use-cases in practice.

Figure 1: An example of a software trace where the enlarged part on the right shows the usage of the AES algorithm. Source: NXP.

is a temporal axis going from top to bottom. The entire execution is on the left while the enlarged part on the right shows 9 times 4 rows of instructions indicating the usage of AES: AES is a ten-round block cipher where the last round differs slightly from the first nine. Once the target cryptographic cipher has been discovered with the help of this visualization tool, the embedded secret key can be extracted without any technical knowledge by collecting software traces and performing the statistical analysis in an automated fashion using our publicly available tools.

Although we could extract the secret keys from all publicly available white-box challenges, we did not investigate the strength of commercially available white-box products since no company, as far as we are aware, has made a challenge publicly available. Unfortunately the well-studied countermeasures from the cryptographic hardware community do not directly apply since they rely on using randomly generated masks. In our security model an adversary can simply disable the entropy of the system, rendering the random number generator mute. With this work we have highlighted the risks of relying on pure software implementations for certain use-cases and hope this security assessment will eventually increase the overall level of security for the end-users.

    Link:

    https://github.com/SideChannelMarvels

    References:

[1] S. Chow, P. A. Eisen, H. Johnson, P. C. van Oorschot: White-box cryptography and an AES implementation, in SAC 2002, LNCS vol. 2595, pp. 250-270, Springer.
[2] P. C. Kocher, J. Jaffe, B. Jun: Differential power analysis, in CRYPTO '99, LNCS vol. 1666, pp. 388-397, Springer.
[3] J. W. Bos, C. Hubain, W. Michiels, P. Teuwen: Differential Computation Analysis: Hiding your White-Box Designs is Not Enough, Cryptology ePrint Archive, Report 2015/260, IACR, 2015. Source code: https://github.com/SideChannelMarvels.

Please contact:

Joppe W. Bos, NXP Semiconductors, Belgium, +32479778631, [email protected]


With rising mobility and internet usage, the demand for digital services is increasing and has reached critical and high-assurance domains such as e-Government, e-Health and e-Business. One fundamental building block that is needed for many such applications is secure data sharing functionality. The main ambition of the CREDENTIAL project [L1, L2, L3] is therefore to develop a data sharing platform that provides strong privacy, security, and authenticity guarantees to its users. As a special case, for the sharing of identity data, a privacy-preserving identity management service will be implemented.

The security of the developed services will rely on the combination of three key technologies (see Figure 1): end-to-end proxy re-encryption, privacy-preserving technologies such as redactable signatures, and strong hardware-based multi-factor authentication.

The first key technology is proxy re-encryption (PRE) [1], which protects the confidentiality of personal data and enables secure end-to-end encrypted data sharing. In general, PRE allows a proxy to transform a ciphertext encrypted for one recipient A into a ciphertext for another recipient B, without getting access to the underlying plaintext or the private key material involved during intermediate steps. For this operation, the proxy requires a re-encryption key that was generated from B's public key as well as A's private key; A thereby grants delegation rights. In CREDENTIAL, users encrypt their sensitive data for themselves before uploading them to the cloud, which ensures confidentiality. PRE enables users to securely share their encrypted data by providing a re-encryption key that is used by the cloud system to transform the ciphertext for another selected participant. As a result, the confidentiality of the users' data is protected even in a possibly insecure cloud environment, while the users are still able to securely share their data.
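As an added illustration that is not CREDENTIAL's own code, the following Python sketches the proxy re-encryption scheme of reference [1] (Blaze, Bleumer and Strauss) in the flow just described: A encrypts for herself, later hands the cloud a re-encryption key, and the cloud converts the stored ciphertext for B without ever decrypting it. The group (P = 1019, Q = 509, G = 4) and the message are constructed toy values; note the caveat in the code that this scheme's re-encryption key b/a also needs B's private key and works in both directions, unlike the unidirectional variant described above (built from B's public key and A's private key), which needs pairing-based constructions not shown here.

```python
"""Toy proxy re-encryption in the style of Blaze, Bleumer and Strauss (BBS98).

Added example, not CREDENTIAL's own code.  Constructed toy parameters:
P = 1019 is a safe prime (P = 2*Q + 1), Q = 509, and G = 4 generates the
order-Q subgroup.  Far too small to be secure; real systems use standard
large groups.  Messages are integers in [1, P-1] (e.g. a wrapped data key).
"""
import secrets

P, Q, G = 1019, 509, 4


def keygen(sk=None):
    """Private key sk in [1, Q-1] (random unless given), public key G^sk."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    if not 1 <= sk < Q:
        raise ValueError("private key out of range")
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """ElGamal-style ciphertext for the owner of pk: (m * G^k, pk^k)."""
    if not 1 <= m < P:
        raise ValueError("message out of range")
    k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)


def decrypt(sk, ct):
    """c2^(1/sk) = G^k, then m = c1 / G^k.  Exponents are reduced mod Q."""
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(gk, -1, P)) % P


def rekey(sk_a, sk_b):
    """Re-encryption key A -> B: rk = b / a (mod Q).

    Caveat: BBS98 needs B's private key here as well, and the inverse key
    a / b converts B's ciphertexts back to A (bidirectional).  The proxy
    learns rk but neither a nor b."""
    return (sk_b * pow(sk_a, -1, Q)) % Q


def reencrypt(rk, ct):
    """Proxy step: (c1, G^(a*k)) -> (c1, G^(a*k * b/a)) = (c1, G^(b*k)).

    c1, the blinded message, is untouched, so the proxy never sees m."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def share_via_cloud(sk_a, pk_a, sk_b, m):
    """The flow from the text: A encrypts for herself and uploads; later A
    hands the cloud a re-encryption key and the cloud converts the stored
    ciphertext for B without decrypting it."""
    ct_for_a = encrypt(pk_a, m)         # what the cloud stores (unreadable there)
    rk = rekey(sk_a, sk_b)              # delegation from A to B
    ct_for_b = reencrypt(rk, ct_for_a)  # done by the cloud
    return ct_for_a, ct_for_b


if __name__ == "__main__":
    a, pk_a = keygen()
    b, _pk_b = keygen()
    message = 421                       # constructed demo value
    ct_a, ct_b = share_via_cloud(a, pk_a, b, message)
    print("A reads own copy :", decrypt(a, ct_a) == message)
    print("B reads shared   :", decrypt(b, ct_b) == message)
    print("A reads B's copy :", decrypt(a, ct_b) == message)  # False unless a == b
```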

The second main technology included in CREDENTIAL is redactable signature schemes [2], which extend the basic functionality of standard digital signatures as follows: upon signing, the signer can define specific parts of the message which may later be blanked out (redacted). After receiving the document and the signature, a party can then remove any subset of those predefined parts, and simultaneously modify the signature such that it is valid for the modified message. This way, the authenticity of the revealed parts of the message can be guaranteed, while no information is leaked about the redacted blocks.

Within CREDENTIAL, redactable signatures will be used for the privacy-preserving identity management functionality: an authority can sign the users' electronic identities using redactable signatures. The users can then choose, from their signed identities, which specific attributes they wish to disclose to the service provider (e.g., only the birth date to prove their age).
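An added Python example, not CREDENTIAL's code, of the redaction mechanism described above applied to the identity-attribute use-case: the authority binds each redactable block with a salted hash commitment and signs the ordered commitments, so a holder can blank a block (dropping its content and salt, keeping the commitment) and the original tag still verifies, while the salt keeps the removed value unguessable. The signature primitive is a stand-in (an HMAC under an assumed authority key); any real signature scheme can replace it without touching the redaction logic.

```python
"""Redactable signature over a list of message blocks (hash-commitment
construction).  Added example, not CREDENTIAL's code.

Constructed assumption: sign_digest/verify_digest stand in for a real
public-key signature (here an HMAC under an assumed authority key); the
redaction logic does not depend on which signature scheme is plugged in.
"""
import hashlib
import hmac
import secrets

REDACTED = None                           # marker a holder puts in a removed block
AUTHORITY_KEY = secrets.token_bytes(32)   # stand-in for the authority's signing key


def sign_digest(digest):
    return hmac.new(AUTHORITY_KEY, digest, "sha256").digest()


def verify_digest(digest, tag):
    return hmac.compare_digest(sign_digest(digest), tag)


def _commit(block, salt):
    """Hiding commitment to a redactable block.  The random salt is what
    keeps a redacted low-entropy value (e.g. a birth date) unguessable."""
    return hashlib.sha256(b"R|" + salt + b"|" + block).digest()


def _fixed(block):
    """Commitment to a block the signer did not allow to be redacted."""
    return hashlib.sha256(b"F|" + block).digest()


def _root(entries):
    """Digest of the ordered (kind, commitment) pairs.  The signer's kind
    (F or R) is bound in, so a holder cannot relabel a fixed block as
    redactable later; a redacted block (X) is hashed under its original R."""
    h = hashlib.sha256(len(entries).to_bytes(4, "big"))
    for kind, _salt, com in entries:
        h.update(b"F" if kind == "F" else b"R")
        h.update(com)
    return h.digest()


def sign(blocks, redactable):
    """blocks: list of bytes; redactable: indices the signer allows to be
    blanked.  Returns (blocks, sig); sig holds one entry per block."""
    entries = []
    for i, b in enumerate(blocks):
        if i in redactable:
            salt = secrets.token_bytes(16)
            entries.append(("R", salt, _commit(b, salt)))
        else:
            entries.append(("F", None, _fixed(b)))
    return list(blocks), {"tag": sign_digest(_root(entries)), "entries": entries}


def redact(blocks, sig, index):
    """Holder removes block `index`: drop its content and salt, keep only the
    commitment.  No signer involvement and no change to the tag needed."""
    kind, _salt, com = sig["entries"][index]
    if kind != "R":
        raise ValueError("block %d was not marked redactable" % index)
    new_blocks = list(blocks)
    new_blocks[index] = REDACTED
    entries = list(sig["entries"])
    entries[index] = ("X", None, com)
    return new_blocks, {"tag": sig["tag"], "entries": entries}


def verify(blocks, sig):
    """Recompute commitments from the revealed blocks, reuse the stored
    commitment for redacted ones, and check the authority's tag."""
    if len(blocks) != len(sig["entries"]):
        return False
    recomputed = []
    for b, (kind, salt, com) in zip(blocks, sig["entries"]):
        if kind == "F" and b is not REDACTED:
            recomputed.append(("F", None, _fixed(b)))
        elif kind == "R" and b is not REDACTED:
            recomputed.append(("R", salt, _commit(b, salt)))
        elif kind == "X" and b is REDACTED:
            recomputed.append(("X", None, com))
        else:
            return False                   # shape mismatch or unknown kind
    return verify_digest(_root(recomputed), sig["tag"])


if __name__ == "__main__":
    # Constructed identity: the authority lets every attribute but the
    # issuer line be hidden by the user.
    identity = [b"issuer=demo-idp", b"name=Alice", b"birth_date=1984-05-01",
                b"nationality=AT"]
    blocks, sig = sign(identity, redactable={1, 2, 3})
    shown, sig2 = redact(*redact(blocks, sig, 1), 3)   # reveal only the birth date
    print(shown, verify(shown, sig2))
```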

In order to provide a truly secure system, CREDENTIAL follows a defence-in-depth approach, starting by including in the CREDENTIAL Wallet our third technological pillar, multi-factor authentication protocols that will univocally and biometrically link the authentication process to an identity,

CREDENTIAL: Secure Cloud Identity Wallet

by Nicolás Notario (Atos), Stephan Krenn (AIT), Bernd Zwattendorfer (Stiftung SIC) and Felix Hörandner (TU Graz)

CREDENTIAL (seCuRE clouD idENTIty wALlet) is combining technological advances to create privacy-preserving data storage, data sharing and identity management services.

without the need of disclosing such identity or any personal data to the Wallet or to the service providers.

Finally, one important innovative aspect of CREDENTIAL is its design process, which is carefully planned to have a multi-stakeholder point of view, taking special consideration for user-centric and privacy aspects from social, technical and legal perspectives. On the one hand, and from a functional perspective, stakeholders of three different domains are providing their own view of the system and how it can be leveraged in their own domains. These domain-specific views are consolidated into a logical view of the to-be system, representing it through a Data Flow Diagram (DFD). This DFD illustrates the system's functionality and supports the extraction of valuable insights from a security and privacy perspective. On the other hand, CREDENTIAL combines and leverages both the STRIDE and LINDDUN methodologies for security and privacy threat analysis in order to provide a full security and privacy assessment, based on the consolidated view of the system already mentioned. This view is being systematically analysed, identifying, categorising (e.g., identifiability, tampering or linkability threats) and prioritising the different threats that may challenge CREDENTIAL's objectives.

The recently published EU General Data Protection Regulation [3] will be a catalyst for the adoption of CREDENTIAL. The main objectives of this regulation are to strengthen and unify the protection of personal data processing across the EU and to give users full control of their personal data. To achieve the requirements outlined in this regulation, CREDENTIAL follows a data protection-by-design approach, will provide easier access to one's own personal data, and will facilitate personal data transfer between service providers.

CREDENTIAL is an EU H2020 three-year research project which started in October 2015. The estimated costs of the project are €6.6 million. The consortium consists of a well-balanced mixture of industry partners, universities, and applied research institutions from six European countries.

    Links:

[L1] https://credential.eu/
[L2] https://twitter.com/CredentialH2020
[L3] https://www.linkedin.com/in/credential

    References:

[1] M. Blaze, G. Bleumer, M. Strauss: Divertible protocols and atomic proxy cryptography, in Proc. of Eurocrypt '98, volume 1403, pages 127-144, 1998.
[2] A. Kundu, E. Bertino: Structural signatures for tree data structures, in Proc. of the VLDB Endowment 1(1), 138-150, 2008.
[3] Official Journal of the EU, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Please contact:

Nicolás Notario, Atos Spain (Atos Research & Innovation), [email protected]

Stephan Krenn, AIT Austrian Institute of Technology GmbH, +43 664 [email protected]


Figure 1: CREDENTIAL high-level view and its main pillars.

GNU Taler: Ethical Online Payments for the Internet Age

    by Florian Dold and Christian Grothoff (Inria)

GNU Taler is a new digital payment system currently under development at INRIA. It aims to strike a balance between radically decentralised technologies such as Bitcoin and traditional payment methods, while satisfying stricter ethical requirements, for example customer privacy, taxation of merchants and environmental consciousness through efficiency. GNU Taler also addresses micropayments, which are infeasible with currently used payment systems owing to high transaction costs.

Addressing the problem of micropayments is urgent. The overwhelming majority of online journalists, bloggers and content creators currently depend on advertisement revenue for their income. The recent surge of ad-blocking technology is threatening to destroy this primary source of income for many independent online journalists and bloggers. Furthermore the existing advertisement industry is based on the Big Data business model, and users do not only pay with their attention but also with private information about their behaviour. This threatens to move our society towards post-democracy [1]. Our goal is to empower consumers and content creators by offering the choice to opt for micropayments instead of advertisements.

Unlike many recent developments in the field of privacy-preserving online payments, GNU Taler is not based on blockchain technology, but on Chaum-style digital payments [2] with additional constructions based on elliptic curve cryptography. Our work addresses practical problems that plagued previous incarnations of Chaum-style digital payments. The system is entirely composed of free software components, which facilitates adoption, standardisation and community involvement.

From the consumer's perspective, GNU Taler's payment model comes closer to the expectations one has when paying with cash than with credit cards. Customers do not need to authenticate themselves with personally identifying information to the merchant or the payment processor. Instead, individual payments are authorized locally on the customer's computing device. This rules out a number of security issues associated with identity theft. We expect that this will also lower the barrier for online transactions due to the lower risk for the customer. With current payment solutions, the risk of identity theft accumulates with every payment being made. With our payment system, the only risk involved with each individual payment is the amount being paid for that single transaction.

In GNU Taler, the paying customer is only required to disclose minimal private information (as required by local law), while the merchant's transactions are completely transparent to the state and thus taxable. Taxable merely means that the state can obtain the necessary information about the contract to levy common forms of income, sales or value-added taxes, not that the system imposes any particular tax code. When customers pay, they use anonymised digital payment tokens to sign a contract with the merchant. The digitally signed contract is proposed by the merchant and is supposed to contain all the information required for taxation, which typically excludes the identity of the customer. Later, the state can obtain the contract by following a chain of cryptographic tokens, starting from a token in the wire transfer from the GNU Taler payment system operator to the merchant. The payment system operator only learns the total value of a contract, but no further details about the contract or customer.

To pay with GNU Taler, customers need to install an electronic wallet on their computing device. Once such a wallet is present, the fact that the user does not have to authenticate to pay fundamentally improves usability. We are already seeing today that electronic wallets like GooglePay are being deployed to simplify payments online. However, the dominant players mostly simplify credit card transactions without actually improving privacy or security for citizens. GNU Taler is privacy-preserving free software and both technically and legally designed to protect the interests of its users.

We plan to use GNU Taler as the basis for future research that investigates censorship-resistant news distribution in decentralised social networks. In addition to online payments, we eventually want to adapt GNU Taler to mobile payments with NFC-enabled devices. We hope that mobile Taler payments will further the proliferation of local currencies (such as the Abeille in France), which are currently popular in parts of Europe, but suffer from practical problems such as easy counterfeiting and the limitation to physical coupons.

GNU Taler was started at TU Munich in April 2014 and is now being coordinated by the TAMIS team [L1] at INRIA Rennes, with contributions from the free software community at large and the GNUnet project [L2] in particular. The initial research is being funded by ARED and the Renewable Freedom Foundation [L3], but we plan to launch a startup to drive the commercial adaptation of the technology. We encourage readers to try our prototype for GNU Taler at https://demo.taler.net/.

    Links:

[L1] https://www.inria.fr/en/teams/tamis
[L2] https://gnunet.org/
[L3] https://renewablefreedom.org/

    References:

[1] R. Stallman: How Much Surveillance Can Democracy Withstand?, Wired, Oct. 2013, http://www.wired.com/2013/10/a-necessary-evil-what-it-takes-for-democracy-to-survive-surveillance/
[2] Chaum et al.: Untraceable electronic cash, in Proc. on Advances in Cryptology, Springer-Verlag New York, Inc., 1990.

Please contact:

Florian Dold, Inria, France, +33 2 99 84 25 [email protected]

Christian Grothoff, Inria, France, +33 2 99 84 71 [email protected]


There is a high risk associated with poor cryptographic implementations, as is shown by frequent (and in some cases catastrophic) security breaches directly attributed to implementation errors in widely used cryptographic libraries [L1, L2]. One of the causes of these breaches in widely tested software is the semantic gap between theoretical cryptographic specifications and their concrete implementations. Effectively closing this gap is a huge challenge, especially when attackers may exploit physical vulnerabilities not covered by the specification, commonly known as side-channel attacks.

To answer this demand, research in the crossover area between cryptography and programming languages has been growing steadily in the last decade, as demonstrated by the Computer Aided Cryptography Engineering (CACE) EU/FP7 project that focused on developing tools to automate the production of high-quality cryptographic software at a lower cost. The CAO cryptographic domain-specific language [L3, 1, 2], initially developed at the University of Bristol and subsequently re-engineered within CACE, enables the natural translation of cryptographic constructions (as found in standards and scientific articles) to high-level prototype implementations. The driving principle behind the design of CAO is to support cryptographic concepts as first-class features.

CAO adopts some features familiar to imperative programmers but has a very simple programming model by design. For instance, it does not support input/output, as it is targeted at implementing the core components of cryptographic libraries. Conversely, it offers a very rich type system tuned to the specific domain of cryptography. In recent versions of the language, CAO programs can be seen as generic specifications that, like pure theoretical cryptographic constructions, are defined abstractly for a set of parameters satisfying certain base assumptions. The CAO developer is assisted by an interpreter that enables fast prototyping and debugging, and a type-checker that enforces strong typing and performs extensive preliminary validation of the code, extracting rich, crucial information for further processing down the chain. In later versions of the type checker, CAO specifications can also be validated in a fully automatic way for parameter consistency properties.

The CAO tool chain (Figure 1) also provides an optimising compiler for the automatic generation of high-security and high-speed cryptographic C implementations from high-level CAO specifications. The inner workings of the CAO compilation process mimic those performed by cryptography practitioners.


A Tool-Chain for High-Assurance Cryptographic Software

by José Almeida, Manuel Barbosa, Hugo Pacheco and Vitor Pereira (INESC TEC)

Cryptography is an inherently interdisciplinary area and the development of high-quality cryptographic software is a time-consuming task drawing on skills from mathematics, computer science and electrical engineering, only achievable by highly skilled programmers. The challenge is to map high-level cryptographic specifications phrased using mathematical abstractions into efficient implementations at the level of C or assembly that can be deployed on a target computational platform, whilst adhering to the specification both in terms of correctness and security. The High Assurance Software Laboratory at INESC-TEC maintains a domain-specific toolchain for the specification, implementation and verification of cryptographic software centred on CAO, a cryptography analyses and operations-aware language.

Figure 1: The CAO toolchain.

The CAO specification is first converted into a canonical CAO subset through a series of both general and domain-specific CAO-to-CAO transformation and optimisation steps.

In a second phase, the intermediate CAO code is compiled into C code in which CAO native operations are implemented as a C backend library that may be either pre-compiled or dynamically generated. This flexibility allows adapting the CAO compiler to the wide variety of computational platforms on which cryptographic code is deployed in the real world. The CAO compiler offers a generic C backend supporting the entire functionality of the CAO language and capable of targeting any computational platform with a C/C++ compiler. In the context of the SMART ENIAC/JU project, a very specific backend supporting only a limited subset of the CAO language has been developed to target a severely constrained proprietary microcontroller that resides in standalone PCM memories, while preserving the remaining high-level infrastructure.

Seeing CAO programs as specifications, it becomes natural to express the properties of CAO programs in the same abstract setting, i.e., directly in the CAO language. For this reason, the CAO toolchain also incorporates a formal verification tool that permits reasoning about arbitrarily complex properties of CAO programs (specified as in-code annotations) in a semi-automated environment, by embedding them in EasyCrypt [L4, 3], a tool-assisted framework for specifying and verifying the security of cryptographic constructions. Using EasyCrypt, the developer is now able to additionally perform safety, correctness and security proofs of cryptographic algorithms written in CAO.

The joint effort across two European projects brought the CAO toolchain to life and came to fruition by demonstrating that a domain-specific high-level cryptographic language can be used to guide, validate and automate the development of low-level high-assurance cryptographic implementations for diverse computational platforms. Ongoing and future work will broaden the applications of the CAO family of tools by further exploring the integration with EasyCrypt and developing new backends. In particular, we envision the implementation of a backend for a cryptography-oriented low-level language such as qhasm, in which assembly-level programs are seen as first-class representations of cryptographic computations.

    Links:

[L1] http://heartbleed.com/
[L2] http://resources.infosecinstitute.com/beast-vs-crime-attack/
[L3] https://hackage.haskell.org/package/cao
[L4] http://www.easycrypt.info

    References:

[1] M. Barbosa, D. Castro, P. F. Silva: Compiling CAO: From Cryptographic Specifications to C Implementations, POST 2014: 240-244.
[2] M. Barbosa et al.: Type Checking Cryptography Implementations, FSEN 2011: 316-334.
[3] G. Barthe et al.: Computer-Aided Security Proofs for the Working Cryptographer, CRYPTO 2011: 71-90.

Please contact:

Manuel Bernardo Martins Barbosa, HASLab, INESC TEC and [email protected]


Since their appearance in the mid seventies, public key (or asymmetric) cryptographic primitives have been notoriously difficult to devise, and only a handful of schemes have emerged and survived cryptanalytic attacks. In particular, the security of nearly all public key schemes used today relies on the presumed difficulty of two problems, namely factoring large integers and computing the discrete logarithm over various groups.

The security of all these schemes was questioned in 1994 when Shor showed that a quantum computer could efficiently solve these two problems [1]. We do not know when large enough quantum computers will be built, but this will have dramatic consequences because it will break all popular public-key cryptosystems currently in use.

Clearly, the cryptographic research community has to get ready and prepare alternatives. Those alternatives have to be ready, not only for tomorrow in case of a scientific advance (which might even be of a different nature than those that are foreseen today), but also for now, in order to provide long-term security (i.e., several decades) to the data that is encrypted or digitally signed today. This effort has started already with PQCRYPTO [L1] of the European Horizon 2020 programme. Furthermore, in August 2015, the NSA announced that it is planning to transition in the not too distant future to a

Code-Based Cryptography: New Security Solutions Against a Quantum Adversary

    by Nicolas Sendrier and Jean-Pierre Tillich (Inria)

Cryptography is one of the key tools for providing security in our quickly evolving technological society. An adversary with the ability to use a quantum computer would defeat most of the cryptographic solutions that are deployed today to secure our communications. We do not know when quantum computing will become available, but nevertheless, the cryptographic research community must get ready for it now. Code-based cryptography is among the few cryptographic techniques known to resist a quantum adversary.

new cipher suite that is resistant to quantum attacks.

NIST has also released a report on post-quantum cryptography [L2] explaining that we must begin now to prepare our information security systems to be able to resist quantum computing. During the Seventh International Conference on Post-Quantum Cryptography, held in Fukuoka, Japan, in February 2016, NIST announced that a call for establishing new public key standards that are quantum resistant will be issued by fall 2016.

Code-based public key cryptography

Code-based cryptography is one of the main post-quantum techniques currently available, together with lattice-based cryptography, multivariate cryptography, and hash-based cryptography. The first code-based cryptosystem was proposed by Robert McEliece in 1978. It belongs to a very narrow class of public-key primitives that so far have resisted all cryptanalytic attempts. McEliece's idea was to use as cryptogram a word of a linear error correcting code (a Goppa code in this case) to which random errors were added. The legitimate user, who knows a fast decoding algorithm, can remove the errors. The adversary is reduced to a generic decoding problem, which is believed to be hard on average, including against a quantum adversary.
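To make the structure just described concrete, here is an added toy implementation (not code from the article or from the Inria teams): the public key is a scrambled generator matrix of a linear code, the cryptogram is a codeword of that public code plus random errors, and only the holder of the private key can undo the scrambling and run the code's fast decoder. For readability it uses the Hamming(7,4) code, which corrects a single error, in place of a Goppa code; that substitution is an assumption of this example and offers no security at all, since anyone can decode a Hamming code. Real parameters use Goppa codes whose length is in the thousands of bits, which is exactly why the public key (a k x n bit matrix) is large.

```python
import random

# Toy McEliece over the Hamming(7,4) code (constructed example; a Goppa code
# would be used in practice). K message bits, N codeword bits, T = 1 error.
K, N, T = 4, 7, 1

# Systematic generator G = [I_4 | A] and parity-check matrix H = [A^T | I_3]
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]
H = [[A[i][j] for i in range(K)] + [int(j == i) for i in range(N - K)]
     for j in range(N - K)]
H_COLS = [[H[j][i] for j in range(N - K)] for i in range(N)]  # column i = syndrome of an error at i


def vec_mat(v, m):
    """Row vector times matrix over GF(2)."""
    return [sum(v[i] & m[i][j] for i in range(len(v))) % 2 for j in range(len(m[0]))]


def mat_mat(a, b):
    return [vec_mat(row, b) for row in a]


def gf2_inverse(m):
    """Gauss-Jordan inversion over GF(2); returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(rng):
    """Private key: invertible scrambler S and permutation P; public key: S*G*P."""
    while True:
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(j == perm[i]) for j in range(N)] for i in range(N)]  # v*P sends coordinate i to perm[i]
    return mat_mat(mat_mat(S, G), P), (S, perm)


def encrypt(pub, m, rng):
    """Cryptogram = codeword of the public code + T random errors."""
    c = vec_mat(m, pub)
    for pos in rng.sample(range(N), T):
        c[pos] ^= 1
    return c


def hamming_decode(word):
    """Syndrome decoding: corrects up to one error, returns the K message bits."""
    s = [sum(H[j][i] & word[i] for i in range(N)) % 2 for j in range(N - K)]
    word = word[:]
    if any(s):
        word[H_COLS.index(s)] ^= 1
    return word[:K]  # G is systematic, so the first K bits carry the message


def decrypt(priv, c):
    """Undo P, run the fast decoder of the secret code, then undo S."""
    S, perm = priv
    unpermuted = [c[perm[i]] for i in range(N)]  # c * P^{-1}; the error stays a single error
    mS = hamming_decode(unpermuted)
    return vec_mat(mS, gf2_inverse(S))


def roundtrip_ok(seed=1):
    """Encrypt and decrypt every 4-bit message; True if all come back intact."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    for x in range(2 ** K):
        m = [(x >> b) & 1 for b in range(K)]
        if decrypt(priv, encrypt(pub, m, rng)) != m:
            return False
    return True


def public_key_bits(seed=1):
    """Public key size in bits: a K x N binary matrix (28 here; thousands for real parameters)."""
    pub, _ = keygen(random.Random(seed))
    return len(pub) * len(pub[0])


if __name__ == "__main__":
    print("all messages recovered:", roundtrip_ok(), "public key bits:", public_key_bits())
```

The adversary sees only the public matrix and the noisy codeword, so without the structure hidden by S and P they face exactly the generic decoding problem the text refers to; the legitimate user never decodes the public code, only the secret one.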

France is a leader in code-based cryptography, and a working group was formed at the end of 2014 to gather French groups working on this topic. It includes in particular two Inria project-teams (one in Paris, one in Saclay), the universities of Limoges and Rouen, and Telecom SudParis. Among the projected actions of this working group, one is to devise a strategy to incite and support initiatives to answer the forthcoming NIST call, in particular by identifying topics and primitives of interest.

Code-based systems are inherently fast but suffer from a rather large public key size. There have been several recent breakthroughs which reduce the key size to a few thousand bits. For instance:

- Systems based on MDPC codes [2] enjoy a strong and novel security reduction and require only very low computing resources, which makes them very attractive even for embedded devices.
- Rank metric codes (instead of the usual Hamming metric) provide new code-based primitives [3] with very short keys, relying on similarly hard computational problems, and also seem very promising.

Those, together with other more traditional code-based cryptographic solutions, could certainly form part of the new asymmetric cryptographic standards that will emerge in the coming decade.

Links:
[L1] http://cordis.europa.eu/project/rcn/194347_en.html
[L2] http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

References:
[1] P. W. Shor: "Algorithms for quantum computation: Discrete logarithms and factoring", in FOCS 94, IEEE.
[2] R. Misoczki, J.-P. Tillich, N. Sendrier, P. S. L. M. Barreto: "New variants from moderate density parity-check codes", in ISIT 2013, IEEE.
[3] P. Gaborit, O. Ruatta, J. Schrek, G. Zémor: "New results for rank-based cryptography", in AFRICACRYPT 2014, Springer.

Please contact:
Nicolas Sendrier, Jean-Pierre Tillich, Inria, [email protected], [email protected]

ERCIM NEWS 106, July 2016, p. 16

Special theme: Cybersecurity

Superconducting Quantum Circuit. Photo: Michael Fang, Martinis Lab (UCSB and Google).


Using Cryptography to Control your Data at a Distance

by Colin Boyd, Gareth T. Davies, Kristian Gjøsteen (NTNU), Håvard Raddum and Mohsen Toorani (University of Bergen)

Most people and companies store important information using cloud storage services that are outside their direct control. The information may be personal, such as emails, photos and videos, medical records and financial information. How can we be sure that our data is safe from the prying eyes of cloud operators, other cloud users or outside agencies? How can we be sure that our data will remain available to us when we need it?

Security of information is an essential aspect of business and government activity, whether it relates to protection of corporate knowledge, integrity of financial transactions, or reliable storage and transmission of data. The transition to cloud computing necessitates extra security measures to protect valuable data that is no longer under the direct control of its owner. This issue has been widely recognized; the industry-led Cloud Security Alliance (www.cloudsecurityalliance.org) was formed in 2008, and the NIST guidelines on cloud security and privacy were published in 2011 [2]. The Snowden revelations of 2013 and 2014 have changed the IT security priorities, and it is now understood that there is an urgent need for protection of personal, business, and government data against pervasive monitoring and infiltration.

The collaborative project Cryptographic Tools for Cloud Security, funded by the Norwegian Research Council from 2016 to 2019, will study new cryptographic tools to enable cloud security against powerful attackers. The research involves experts at the Norwegian University of Science and Technology and the University of Bergen, in cooperation with the University of Mannheim.

The new cryptographic primitives, protocols and models that we will develop will lead to theoretical advances as well as practical outcomes. We are following the current important trend in cryptographic research to connect rigorous results strongly to real-world usage. This is now both possible and timely given that a level of maturity has been reached in cloud computing which will allow us to demonstrate the practical effectiveness of our proposals, to complement the theoretical analysis.

Cryptography has traditionally been used to protect data while it is being transmitted over insecure networks or while it is at rest in static storage. These services remain important in the cloud, as it is essential to protect both confidentiality and integrity of data while it is transmitted between client and cloud server and while it is at rest in cloud storage. At the same time, new approaches are also required, for at least two reasons.

- Data in cloud storage is frequently shared between multiple parties, may be stored in geographically distributed nodes, and needs to be updated incrementally. This requires the development of practical techniques to allow cloud users to efficiently verify the integrity and availability of their data, including where it is located.
- We often want to process data in the cloud without necessarily trusting the cloud operator. Therefore, we want to be able to compute on encrypted data. This can include basic operations such as searching through encrypted records through to full-scale processing of any function. Gentry's theoretical breakthrough of fully homomorphic encryption in 2009 remains impractical in general, but exploring compromises which are both efficient and secure is an important theme of our project.

Figure 1: Simple client-side deduplication in which different clients sequentially request the server to store different files Fi. The client first sends hashes of the files, H(Fi). The server checks if files with those hash values are already stored and, if not, the client sends the files.

One main area of focus of our research is secure deduplication. By deduplication we mean that the server stores only a single copy of each file, regardless of how many clients asked to store that file, in order to make significant savings in both storage and bandwidth. Note that large files such as movies and software are very likely to be shared by many users. Generally, deduplication can be at client-side (which saves both storage and bandwidth) or server-side (which only saves storage). However, deduplication contrasts with users' desire for security: if two users A and B upload the same file encrypted under independent keys kA and kB, the server will receive independent ciphertexts and will thus be unable to perform deduplication.

One possible solution is to derive the encryption key from the file itself [1]; but this approach will only give security against an adversarial server under the unrealistic assumption that files are unpredictable. Other security issues arise irrespective of any encryption. For example, suppose that the cloud service provider (CSP) employs client-side deduplication (see Figure 1), in which the client first sends a short identifier to the CSP and the CSP tells the client to upload the full file only if it is not already stored. An adversarial user can create a template of a file (e.g., an employment contract of Bob) and attempt a number of uploads of files that only differ in one detail (e.g., salary); at some point the upload will be halted by the CSP, meaning that this file is already stored (and the adversary thus learns Bob's salary) [3]. We are working on schemes which defend against such attacks by differentiating between files that are popular (and thus promise significant savings from deduplication) and those that are not.
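The side channel in the paragraph above comes from the server's answer to H(F) doubling as an "is this file already stored?" oracle. The added example below (not code from the article or from the project) models the Figure 1 protocol as a small in-memory server, then a popularity-gated variant in the spirit of the popular/unpopular distinction the authors mention: until a fixed number of distinct clients have stored a file, every client is told to upload it, so the answer for an unpopular file is the same whether or not it is stored, while storage is still deduplicated from the first upload on. The threshold value, the use of SHA-256 as the short identifier, and the file contents are constructed for the example; the leakage check compares the server's answer across two worlds rather than running the probing attack itself.

```python
import hashlib
from collections import defaultdict

# Constructed sample files; the "contract" stands in for Bob's employment contract in the text.
OTHER_FILES = [b"quarterly-report.pdf contents", b"holiday-video.mp4 contents"]
BOBS_CONTRACT = b"Employment contract: Bob, salary 52000"


def file_id(data: bytes) -> str:
    """Short identifier H(F) the client sends before the full file (SHA-256, an assumption)."""
    return hashlib.sha256(data).hexdigest()


class NaiveDedupServer:
    """Client-side deduplication as in Figure 1: the client sends H(F) and is
    told to upload the full file only if that hash is not already stored."""

    def __init__(self):
        self.store = {}

    def offer(self, client, h):
        """True = 'please send the file', False = 'already have it, skip the upload'."""
        return h not in self.store

    def upload(self, client, data):
        self.store[file_id(data)] = data  # one copy per distinct file


class ThresholdDedupServer:
    """Popularity-gated deduplication: every client must upload until `threshold`
    distinct clients have stored the file, so the answer to an offer carries no
    information about unpopular files. Storage is deduplicated from the start;
    bandwidth is saved only once the file is popular."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.store = {}
        self.owners = defaultdict(set)

    def offer(self, client, h):
        if h in self.store and len(self.owners[h]) >= self.threshold:
            self.owners[h].add(client)
            return False  # popular: safe to skip the upload
        return True  # unknown or unpopular: identical answer either way

    def upload(self, client, data):
        h = file_id(data)
        self.store[h] = data
        self.owners[h].add(client)


def offer_answer_depends_on_storage(make_server, probe, background):
    """Defender-side leakage check: compare the answer to an offer of `probe` in a
    world where another client stored it and a world where nobody did. A
    difference means the offer is an 'is this file stored?' oracle."""
    world_stored, world_absent = make_server(), make_server()
    for f in background:
        world_stored.upload("alice", f)
        world_absent.upload("alice", f)
    world_stored.upload("alice", probe)
    h = file_id(probe)
    return world_stored.offer("probe-client", h) != world_absent.offer("probe-client", h)


def stored_copies_and_skipped_uploads(make_server, data, clients):
    """Store `data` for each client in turn; returns (copies kept, uploads skipped)."""
    srv = make_server()
    skipped = 0
    for c in clients:
        if srv.offer(c, file_id(data)):
            srv.upload(c, data)
        else:
            skipped += 1
    return len(srv.store), skipped


if __name__ == "__main__":
    for name, factory in (("naive", NaiveDedupServer), ("threshold", lambda: ThresholdDedupServer(3))):
        leak = offer_answer_depends_on_storage(factory, BOBS_CONTRACT, OTHER_FILES)
        print(name, "answer reveals storage:", leak,
              "copies/skipped for 5 clients:", stored_copies_and_skipped_uploads(factory, b"movie", list("abcde")))
```

With the naive server the check returns True (the answer differs between the two worlds), with the threshold server it returns False for a file held by one client, and both servers keep a single copy of a popular file; the threshold server simply pays the bandwidth of the first few uploads, which for popular files is a small fraction of the total.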

References:
[1] J. R. Douceur et al.: "Reclaiming space from duplicate files in a serverless distributed file system", in IEEE Distributed Computing Systems, 2002, pp. 617-624, IEEE, 2002.
[2] T. Grance, W. Jansen: "Guidelines on Security and Privacy in Public Cloud Computing", Special Publication 800-144, National Institute of Standards and Technology, December 2011.
[3] D. Harnik, B. Pinkas, A. Shulman-Peleg: "Side channels in cloud services: Deduplication in cloud storage", IEEE Security & Privacy, 8(6):40-47, 2010.

Please contact:
Colin Boyd, NTNU, [email protected]


A New Architecture for Developing Cryptographic Cloud Services

by Thomas Lorünser (AIT Austrian Institute of Technology GmbH), Daniel Slamanig (TU Graz), Thomas Länger (University of Lausanne) and Henrich C. Pöhls (University of Passau)

The EU Horizon 2020 PRISMACLOUD research project is dedicated to enabling secure and trustworthy cloud-based services by improving and adopting novel tools from cryptographic research.

Relying solely on legal contracts and trusting the cloud is not a solution to the problems of security and privacy in the cloud. PRISMACLOUD [L1] [1] tackles these issues with the help of strong cryptographic primitives. Currently, the use of the cloud is not feasible for many security and privacy conscious purposes, such as eHealth and eGovernment, owing to the low pervasion of existing strong cryptographic primitives.

In order to tackle and organise the complexity involved with the construction of cryptographically secured services, we introduce a conceptual model denoted as the PRISMACLOUD architecture [2], which is organised in four tiers (Figure 1). These layers of abstraction help to specify and analyse security properties on different levels; they also define connection points between the different disciplines involved in the creation of secure and privacy preserving cloud services: cryptographers, software engineers/developers and cloud service architects. On the uppermost (i) application layer are the end user applications. Applications use the cloud services of the (ii) services layer to achieve the desired security functionalities. The cloud services specified there are a representative selection of possible services that can be built from the tools organised in the (iii) tools layer. In particular, they represent a way to deliver the tools to service developers and cloud architects in an accessible and scalable way. Together the tools constitute the PRISMACLOUD toolbox. Tools encapsulate the required cryptographic primitives and protocols from the (iv) primitives layer, which is the lowest layer of the PRISMACLOUD architecture.

Instead of directly integrating cryptography into applications or services, the PRISMACLOUD architecture introduces the tool layer as an additional level of abstraction: a tool represents a basic functionality and a set of requirements it can fulfil. It can therefore be regarded as an abstract concept which could be realised as a piece of software, e.g., a library, which is composed of various primitives which can be parametrised in various ways. From the tools of the toolbox, the services of the next layer can be built. A service can therefore be seen as a customisation of a particular tool for one specific application. It is a way to deliver the tool to system and application developers, the users of the tools, in a preconfigured and accessible way. They will be able to integrate the services without a deeper understanding of tools and primitives, and ideally without even being an IT security expert. A service provides a full implementation of all the required features as well as concrete interfaces in the form of an application programming interface (API), suitable to be deployed as a cloud service. In PRISMACLOUD we have chosen to specify a selection of services that we will develop during the project that can showcase the suitability of the chosen primitives and the tools constructed from them within the selected use cases. The use cases also provide a way to validate the new concept in real world applications.

With this architecture we encapsulate the cryptographic knowledge needed on the lower layer inside the tools and their correct usage inside services. Building the tools requires in-depth cryptographic and software development knowledge. However, once built they can be used by cloud service designers to build cryptographically secure and privacy-preserving cloud services.

These cloud services are then exposed to application developers who can combine them with other technologies and services into the real end-user applications.

In addition to the advantages outlined above, the PRISMACLOUD architecture further facilitates exploitation of project results. Each layer provides a dedicated project outcome with a specific exploitation path. Research progress on the layer of primitives leads to scientific progress and typically associated exploitation. Tool developers will be able to commercialise software developments and intellectual property rights. Service developers are able to quickly transform project results into products. Their services will be almost ready for deployment in production environments of cloud providers, hence they will be accessible to a broader community relatively soon after the project's end. The project also features a specific standardisation activity to disseminate the tools' specifications into standards to support further adoption.

What we termed the PRISMACLOUD architecture can be seen as a recipe to bring cryptographic primitives and protocols into cloud services that empower cloud users to build more secure and more privacy-preserving cloud services. At its core, we encapsulate the cryptographic knowledge in specific tools and offer basic but cryptographically enhanced functionality for cloud services. In PRISMACLOUD we will harvest the consortium members' cryptographic and software development knowledge to build the toolbox and the services. The resulting PRISMACLOUD services hide and abstract away from the core cryptographic implementations and can then be taken up by cloud service designers. On this level of cloud services, the PRISMACLOUD services will show how to provision (and potentially market) services with cryptographically increased security and privacy.

Links:
[L1] https://prismacloud.eu, https://at.linkedin.com/in/prismacloud, @prismacloud, http://twitter.com/prismacloud, http://cordis.europa.eu/project/rcn/194266_en.html

References:
[1] T. Lorünser et al.: "Towards a New Paradigm for Privacy and Security in Cloud Services", Cyber Security and Privacy, Vol. 530 of CCIS, Springer, 2015.
[2] T. Lorünser et al.: "PRISMACLOUD Tools: A Cryptographic Toolbox for Increasing Security in Cloud Services", 1st Workshop on Security, Privacy, and Identity Management in the Cloud, ARES 2016, to appear.

Please contact:
Thomas Lorünser, AIT Austrian Institute of Technology GmbH, +43 664 [email protected]

Figure 1: The PRISMACLOUD Architecture (primitive abbreviations: RDC: Remote Data Checking; SSS: Secret Sharing Schemes; ABC: Attribute-Based Credentials; PIR: Private Information Retrieval; MSS: Malleable Signature Schemes; FSS: Functional Signature Schemes; GSS: Group Signature Schemes; GRS: Graph Signature Schemes; XPE: Format- and Order-Preserving Encryption; ZKP: Zero-Knowledge Proofs; kAN: k-Anonymity).


Deprecating an Internet Security Standard with Cryptanalysis

by Marc Stevens (CWI)

An international team of cryptanalysts from CWI, Inria and NTU Singapore broke the core of the SHA-1 internet security standard in October 2015. They projected that breaking SHA-1 is much cheaper and can be achieved earlier than international security experts expected, which gained a lot of attention in the media. The team urged the industry to retract the standard earlier than planned. Their results ensured that an industry ballot to extend the issuance of SHA-1 certificates was withdrawn.

SHA-1 is a cryptographic algorithm to securely compute message fingerprints, which was designed by the NSA in 1995. It became an industry standard that is commonly used for digital signatures, which secure credit card transactions, electronic banking and software distribution. It is fundamental to internet security, for example for HTTPS (SSL/TLS).

SHA-1 is a hash function. It generates from input, such as text or code, a short string of letters and numbers (a hash), which serves as a digital fingerprint for that message. Even a small change in the input, such as changing one letter in a message, will generate a very different and unpredictable output. When two different messages lead to the same hash, this is called a collision. Such collisions allow forgeries of digital signatures: a catastrophe for banking transactions, secure e-mails, and software downloads.

The industry standard was already theoretically broken in 2005 [1], but for a long time it remained difficult to mount a practical attack. However, the researchers combined advanced mathematical methods with the use of graphics cards for their computations, to speed up the computations and make the attack much more cost effective.

In September, a joint effort by CWI, Inria and NTU Singapore, also known as the SHAppening [L2], led to a successful freestart collision attack on SHA-1, breaking the full inner layer of SHA-1. In early autumn 2015, the researchers then estimated that it would cost only US$75,000 to 120,000 to rent Amazon EC2 cloud computing for a few months and conduct a full SHA-1 collision [2]. This indicated that collisions were already within the resources of criminal syndicates, almost two years earlier than previously expected [3], and one year before SHA-1 would be marked as unsafe in modern internet browsers in January 2017, in favour of its secure successor SHA-2.

The team therefore recommended that SHA-1 based signatures should be marked as unsafe much sooner. In particular, they strongly urged against a proposal to extend issuance of SHA-1 certificates by another year in the CA/Browser Forum, for which the voting was scheduled shortly after the announcement. The proposed extension was not just because some companies were not ready yet, but also because millions of users with old software, mostly from developing countries, would not be able to access some websites anymore. However, owing to the demonstrated insecurity, the proposal for extension was withdrawn by Symantec before the meeting. Also the upcoming TLS 1.3 standard deprecated SHA-1 as a consequence of this team's results. Mozilla, Google and Microsoft also adapted their planning regarding SHA-1.

"Although this is not yet a full attack, the current attack is not the usual minor dent in a security algorithm, making it more vulnerable in the distant future," says Ronald Cramer, head of CWI's Cryptology group [L1]. The research team adds: "As SHA-1 underpins more than 28 percent of existing digital certificates, the results of real-world forgeries could be catastrophic. We hope the industry has learned from the events with SHA-1's predecessor MD5 and in this case will retract SHA-1 before examples of signature forgeries appear in the near future."

The research team consisted of Marc Stevens (CWI), Pierre Karpman (Inria and NTU Singapore) and Thomas Peyrin (NTU Singapore). The research was partially funded by the Netherlands Organisation for Scientific Research Veni Grant 2014, the Direction Générale de l'Armement, and the Singapore National Research Foundation Fellowships 2012. The results have been presented at the 35th Annual IACR EUROCRYPT 2016 conference.

Links:
[L1] https://www.cwi.nl/research-groups/Cryptology
[L2] https://sites.google.com/site/itstheshappening/

References:
[1] X. Wang, Y. L. Yin, H. Yu: "Finding Collisions in the Full SHA-1", CRYPTO 2005, LNCS, vol. 3621, pp. 17-36, Springer, 2005. http://link.springer.com/chapter/10.1007%2F11535218_2
[2] M. Stevens, P. Karpman, T. Peyrin: "Freestart collision for full SHA-1", EUROCRYPT 2016, LNCS, vol. 9665, pp. 459-483, Springer, 2016. http://link.springer.com/chapter/10.1007%2F978-3-662-49890-3_18
[3] M. Stevens: "New collision attacks on SHA-1 based on optimal joint local-collision analysis", EUROCRYPT 2013, LNCS, vol. 7881, pp. 245-261, Springer, 2013. http://link.springer.com/chapter/10.1007%2F978-3-642-38348-9_15

Please contact:
Marc Stevens, CWI, The Netherlands, [email protected]

Google Chrome users receive a warning when a certificate is signed with a SHA-1 based signature issued after 2015. Picture: Marc Stevens.
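The distinction between the freestart collision reported above and a full collision is easiest to see with the compression function in hand. The added example below (not code from the article or from the CWI team) implements SHA-1 in Python with the chaining value exposed as a parameter, checks the result against hashlib, and states both notions as predicates: a freestart collision lets the adversary pick the chaining values as well as the blocks, which is what was achieved in 2015, while a full collision must start from the standard initial value and include the padding. The 2015 freestart pair itself is published in [2] and is not reproduced here; the predicate would accept it as input. The avalanche function demonstrates the "small change, very different output" property the text describes.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Standard SHA-1 initial chaining value, the "start" a freestart attack is free to change.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_compress(state, block):
    """One SHA-1 compression: (5-word chaining value, 64-byte block) -> new chaining value."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):  # message schedule
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + (f & MASK) + e + k + w[i]) & MASK, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def sha1_pad(msg):
    """Merkle-Damgard padding: 0x80, zeros up to 56 mod 64, then the 64-bit bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + struct.pack(">Q", 8 * len(msg))


def sha1(msg, iv=IV):
    """Full SHA-1: chain the compression function over the padded message from `iv`."""
    state = iv
    padded = sha1_pad(msg)
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


def matches_hashlib(msg):
    """Sanity check of this implementation against the standard library."""
    return sha1(msg) == hashlib.sha1(msg).digest()


def digest_diff_bits(m1, m2):
    """Number of the 160 digest bits that differ: the avalanche effect the text describes."""
    x = int.from_bytes(sha1(m1), "big") ^ int.from_bytes(sha1(m2), "big")
    return bin(x).count("1")


def is_collision(m1, m2):
    """Full collision: two distinct messages, standard IV and padding, same digest."""
    return m1 != m2 and sha1(m1) == sha1(m2)


def is_freestart_collision(iv1, block1, iv2, block2):
    """Freestart collision on the compression function: the adversary also chooses the
    chaining values, so (iv1, block1) != (iv2, block2) but the outputs agree."""
    return (iv1, block1) != (iv2, block2) and sha1_compress(iv1, block1) == sha1_compress(iv2, block2)


if __name__ == "__main__":
    print("matches hashlib:", matches_hashlib(b"abc"), sha1(b"abc").hex())
    print("bits changed by a one-letter edit:", digest_diff_bits(b"abc", b"abd"), "of 160")
```

Because the digest is just the final chaining value, any collision on the compression function with the standard IV and a valid padding is a full collision, which is why a freestart result on the full inner layer is treated as a serious warning rather than a curiosity.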


Thwarting Uniqueness in Datasets of Spatiotemporal Trajectories

by Marco Gramaglia (UC3M and IMDEA Networks) and Marco Fiore (CNR-IEIIT)

Pervasive mobile communications make it easy to track individuals, a practice that both fosters new knowledge and raises privacy concerns. The uniqueness of human mobility patterns is critical to the latter, as it facilitates user re-identification in naively anonymised datasets. We propose a solution that guarantees the indistinguishability of spatiotemporal trajectories, an important step towards the open access of privacy-preserving datasets.

Collecting data generated by widespread digital transactions is an increasingly common practice. The likes of telecommunication network operators, mobile service providers, app developers and financial companies have the possibility to track the movements, preferences, activities and habits of large populations of individuals. Mining of such high-dimensional big data paves the way to new, compelling models across economic and scientific domains that could not be foreseen until a few years ago, and are in some cases becoming part of our everyday life. The other side of the coin is the emergence of novel privacy issues related to the collection, storage and exploitation of such sensitive information.

A prominent case study is datasets of spatiotemporal trajectories collected, for example, via mobile network records available to telecommunication operators or geo-referenced, time-stamped check-ins recorded by mobile applications. They have become an important instrument in large-scale analyses across a number of disciplines, including physics, sociology, demography, epidemiology, transportation and computer sciences: a recent survey is available in [1]. These datasets are commonly anonymised by replacing identifiers (e.g., name, phone number, account number, etc.) with random strings or non-reversible hashes.

However, this simple solution does not provide protection against attacks on individual privacy. Specifically, datasets of spatiotemporal trajectories suffer from elevated uniqueness: the distinctive patterns of each user allow him or her to be pinpointed among millions of other individuals with minimal knowledge, e.g., where he or she was at any five time instants during one year [2]. Uniqueness does not imply re-identification on its own; yet, it can pave the way to cross-database linkage.

Mitigating the uniqueness of spatiotemporal trajectories is then a very desirable facility towards robust (and open) datasets. However, attempts at ensuring indistinguishability of spatiotemporal trajectories through legacy techniques have failed. The typical approach is generalization: precision in space and time is reduced for all data up to the point where no individual trajectory is uniquely distinguishable in the dataset. Yet, the high dimensionality of the data (i.e., the large number of spatiotemporal samples recorded for each user) makes generalization ineffective: uniqueness is not removed even under very coarse spatial (i.e., tens of km) and temporal (i.e., days) granularities that disrupt data utility [2].

We perform an extensive analysis of the root causes behind the high uniqueness and poor anonymisability of datasets of spatiotemporal trajectories. By studying real-world datasets, we observe that typical human movement patterns are easily anonymised for most of their span (e.g., consider the mass of commuters sharing the same route on trains running between two cities in the morning and afternoon, every day). Each individual might also feature a small but not negligible number of peculiar movements (e.g., one commuter goes to play a five-a-side football game on a pitch near his workplace on Tuesdays, delaying his trip back home). These latter movements result in spatiotemporal samples that are extremely hard to hide, and doom all other samples in the dataset to undergo a very high loss of accuracy if they are to be anonymised.

Figure 1: Spatial accuracy in a dataset 2-anonymised with GLOVE. Figure 2: Temporal accuracy in a dataset 2-anonymised with GLOVE.
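The effect described in the last two paragraphs, that a handful of peculiar samples keeps trajectories unique no matter how coarsely the common part is generalized, can be reproduced on a tiny constructed dataset. The added example below is not the authors' GLOVE algorithm and not code from the article: it builds four commuters with an identical weekday pattern plus one peculiar trip each, applies the legacy generalization the text criticises at two granularities, and measures uniqueness in two ways, as the fraction of users whose whole generalized trajectory is shared by fewer than k = 2 others and as the fraction of users who can be pinpointed from a single known sample. The dataset, the grid and time bins, and the suppression step (dropping samples held by fewer than two users, shown only to make the cost of hiding the peculiar samples visible) are all assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(2016, 1, 1)  # origin for time bins (constructed)


def make_dataset():
    """Constructed toy dataset of (user, timestamp, x_km, y_km) samples. Four commuters
    share the same home->work->home weekday pattern; each also has one peculiar trip."""
    monday = datetime(2016, 3, 7)
    home, work = (0.0, 0.0), (12.0, 3.0)
    rows = []
    for user in ("u1", "u2", "u3", "u4"):
        for day in range(5):
            d = monday + timedelta(days=day)
            rows.append((user, d.replace(hour=8), *home))
            rows.append((user, d.replace(hour=9), *work))
            rows.append((user, d.replace(hour=18), *home))
    peculiar = {
        "u1": (monday + timedelta(days=1, hours=19, minutes=30), 12.5, 3.2),  # football near work, Tuesday
        "u2": (monday + timedelta(days=5, hours=11), 40.0, -5.0),             # Saturday trip 40 km away
        "u3": (monday + timedelta(days=3, hours=13), 0.5, 0.4),               # lunch near home, Thursday
        "u4": (monday + timedelta(days=2, hours=7), -30.0, 20.0),             # early trip on Wednesday
    }
    for user, (t, x, y) in peculiar.items():
        rows.append((user, t, x, y))
    return rows


def generalize(rows, cell_km, bin_hours):
    """Legacy generalization: snap positions to a cell_km grid and times to bin_hours bins."""
    out = []
    for user, t, x, y in rows:
        hours = (t - EPOCH).total_seconds() / 3600
        out.append((user, int(hours // bin_hours), int(x // cell_km), int(y // cell_km)))
    return out


def trajectories(gen_rows):
    """user -> set of generalized (time bin, cell x, cell y) samples."""
    traj = defaultdict(set)
    for user, *sample in gen_rows:
        traj[user].add(tuple(sample))
    return traj


def uniqueness(gen_rows, k=2):
    """Fraction of users whose whole generalized trajectory is shared by fewer than k users."""
    traj = trajectories(gen_rows)
    counts = Counter(frozenset(s) for s in traj.values())
    return sum(counts[frozenset(s)] < k for s in traj.values()) / len(traj)


def pinpointable_with_one_point(gen_rows):
    """Fraction of users holding at least one sample nobody else holds, i.e. identifiable
    from a single known (time, place): the 'minimal knowledge' setting of [2]."""
    traj = trajectories(gen_rows)
    holders = Counter(sample for s in traj.values() for sample in s)
    return sum(any(holders[x] == 1 for x in s) for s in traj.values()) / len(traj)


def suppress_rare_samples(gen_rows, min_users=2):
    """Drop samples held by fewer than min_users users; returns (kept rows, rows dropped).
    Removes uniqueness, at the cost of exactly the peculiar samples."""
    holders = Counter(sample for s in trajectories(gen_rows).values() for sample in s)
    kept = [r for r in gen_rows if holders[tuple(r[1:])] >= min_users]
    return kept, len(gen_rows) - len(kept)


if __name__ == "__main__":
    rows = make_dataset()
    for label, cell, hours in (("1 km / 1 h", 1.0, 1), ("10 km / 1 day", 10.0, 24)):
        g = generalize(rows, cell, hours)
        print(label, "unique:", uniqueness(g), "one-point:", pinpointable_with_one_point(g))
```

At 1 km and 1 hour every user is unique and every user can be pinpointed from one sample. Coarsening to 10 km cells and whole days, which erases all the spatial and temporal detail of the commute, still leaves half of the users unique, because two of the peculiar trips fall outside the cells and days the group shares; only removing those few samples outright brings uniqueness to zero, which is the accuracy loss the authors are referring to.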