Radboud University Nijmegen, in the Thomas van Aquino building, room 8.k.16
Prof. dr. Sjouke Mauw
Université du Luxembourg
Title: Attack Trees with Sequential Conjunction
Prof. dr. ir. Bart de Decker
Title: uCentive: An Efficient, Anonymous and Unlinkable Incentives Scheme
Incentives schemes are a popular and widely adopted way to encourage user actions or contributions in a service. In these schemes, users are offered certain benefits or reputation in return for their actions. However, these systems rely on service providers to manage users' profiles, which record all the activity of the users, the benefits they are entitled to and/or their reputation. The service provider thus holds a vast amount of users' private information, even when the user is only known by a pseudonym. In order to address this issue, we present a privacy-preserving incentives scheme that allows earning and redeeming incentives in an unlinkable way. Furthermore, the incentives do not have to be linked to the specific action for which they were issued or to the identity or pseudonym of the user who has earned them. Still, it is possible for the users to prove ownership of the incentives, and the service provider is able to verify their validity. The described approach is also efficient, and the provided experimental evaluation demonstrates that it is suitable for use on a mobile device, such as a smartphone.
Dr. Gregory Neven
IBM Research Zürich
Title: Memento: How to Reconstruct your Secrets from a Single Password in a
Passwords are inherently vulnerable to dictionary attacks, but are quite secure if guessing attempts can be slowed down, for example by an online server. If this server gets compromised, however, the attacker can again perform an offline attack. The obvious remedy is to distribute the password verification process over multiple servers, so that the password remains secure as long as no more than a threshold of the servers are compromised. By letting these servers additionally host shares of a strong secret that the user can recover upon entering the correct password, the user can perform further cryptographic tasks using this strong secret as a key, e.g., encrypting data in the cloud. Threshold password-authenticated secret sharing (TPASS) protocols provide exactly this functionality, but the only two known schemes, by Bagherzandi et al. (CCS 2011) and Camenisch et al. (CCS 2012), leak the password if a user mistakenly executes the protocol with malicious servers. Authenticating to the wrong servers is a common scenario when users are tricked in phishing attacks. We propose the first t-out-of-n TPASS protocol for any n > t that does not suffer from this shortcoming. We prove our protocol secure in the UC framework, which for the particular case of password-based protocols offers important advantages over property-based definitions, e.g., by correctly modelling typos in password attempts.