
    Review of the NIST Light-weight Cryptography Finalists

    Since 2016, NIST has been assessing lightweight encryption methods, and in 2022 NIST published the 10 finalists: ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak. At the time this article was written, NIST had announced ASCON as the chosen method, to be published as NIST's lightweight cryptography standard later in 2023. In this article, we provide a comparison between these methods in terms of energy efficiency, time for encryption, and time for hashing.
    Comment: 6 pages

    Recent Progress in the Quantum-to-the-Home Networks

    For secure data transmission to end users in a conventional fiber-to-the-home (FTTH) network, quantum cryptography (QC) is getting much consideration nowadays. QC, or more specifically quantum key distribution (QKD), promises an unconditionally secure protocol, the Holy Grail of communication and information security, based on the fundamental laws of quantum physics. In this chapter, we discuss the design issues in a hybrid quantum-classical communication network, the performance of cost-effective off-the-shelf telecommunication equipment, and our latest results on a four-state (Quadrature Phase Shift Keying, ‘QPSK’) RF sub-carrier assisted continuous-variable quantum key distribution (CV-QKD) multiuser network based on an ultra-low-loss quantum channel (pure silica core fiber, ‘PSCF’) and a microelectromechanical systems (MEMS) based add/drop switch. The results are thoroughly compared with commercially available high-cost encryption modules. It is expected that the discussed cost-effective and energy-efficient QKD network can facilitate practical applications of the CV-QKD protocol on a commercial scale in the near future for smart access networks.

    SklCoin: Toward a Scalable Proof-of-Stake and Collective Signature Based Consensus Protocol for Strong Consistency in Blockchain

    The proof-of-work consensus protocol suffers from two main limitations: waste of energy and offering only probabilistic guarantees about the status of the blockchain. This paper introduces SklCoin, a new Byzantine consensus protocol and its corresponding software architecture. This protocol leverages two ideas: 1) the proof-of-stake concept, to dynamically form stake-proportionate consensus groups that represent block miners (stakeholders), and 2) scalable collective signing, to efficiently commit transactions irreversibly. SklCoin offers immediate finality, where all miners instantly agree on the validity of blocks. In addition, SklCoin supports a high transaction rate because of its fast miner election mechanism.

    TRUSTD: Combat Fake Content using Blockchain and Collective Signature Technologies

    The growing trend of sharing news and content through social media platforms and the World Wide Web has been seen to impact our perception of the truth, altering our views about politics, economics, relationships, needs and wants. This is because of the growing spread of misinformation and disinformation, intentionally or unintentionally, by individuals and organizations. This trend has grave political, social, ethical, and privacy implications for society due to 1) the rapid developments in the field of Machine Learning (ML) and Deep Learning (DL) algorithms for creating realistic-looking yet fake digital content (such as text, images, and videos), and 2) the ability to customize content feeds and to create polarized so-called "filter bubbles" by leveraging the availability of big data. Therefore, there is an ethical need to combat the flow of fake content. This paper attempts to resolve some aspects of this combat by presenting a high-level overview of TRUSTD, a blockchain and collective-signature-based ecosystem that helps content creators get their content backed by the community, and helps users judge the credibility and correctness of that content.
    Comment: arXiv admin note: text overlap with arXiv:1812.00315, arXiv:1807.06346, arXiv:1904.05386 by other authors

    Double Public Key Signing Function Oracle Attack on EdDSA Software Implementations

    EdDSA is a standardised elliptic curve digital signature scheme introduced to overcome some of the issues prevalent in the more established ECDSA standard. Because the EdDSA standard specifies that signatures be deterministic, if the signing function can be used by an attacker as an oracle that accepts the public key as an input, the unforgeability of the scheme can be broken. This paper describes an attack against some of the most popular EdDSA implementations which results in an adversary recovering the private key used during signing. With this recovered secret key, an adversary can sign arbitrary messages that would be accepted as valid by the EdDSA verification function. A list of libraries with vulnerable APIs at the time of publication is provided. Furthermore, this paper provides two suggestions for securing EdDSA signing APIs against this vulnerability, and additionally discusses failed attempts to solve the issue.
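    The mechanics behind the attack in the abstract above, as an added example that is not code from the paper or from any of the libraries it lists: a toy pure-Python Ed25519 (real curve constants and the RFC 8032 signing equations, but no constant-time care, so not for production use) whose signing function takes the public key as a caller-supplied argument, the two-signature key recovery against it, and a forgery made with the recovered scalar. The seed, the messages, the attacker's nonce key and the all-zero second public key are constructed for the demo; the `sign` wrapper that derives the public key from the seed is one obvious mitigation, not necessarily either of the two the paper proposes.

```python
import hashlib

# Real Ed25519 parameters (RFC 8032); the rest is a toy built for this demo.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p

def H(m):
    return hashlib.sha512(m).digest()

def inv(x):
    return pow(x, p - 2, p)

# Points in extended twisted-Edwards coordinates (X, Y, Z, T), T = X*Y/Z.
def pt_add(P, Q):
    (X1, Y1, Z1, T1), (X2, Y2, Z2, T2) = P, Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, Gg, Hh = B - A, D - C, D + C, B + A
    return (E * F % p, Gg * Hh % p, F * Gg % p, E * Hh % p)

def pt_mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1: Q = pt_add(Q, P)
        P = pt_add(P, P)
        s >>= 1
    return Q

def pt_encode(P):
    X, Y, Z, _ = P
    x, y = X * inv(Z) % p, Y * inv(Z) % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def pt_decode(b):
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)  # square root for p = 5 mod 8
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        raise ValueError("not a point on the curve")
    x = p - x if (x & 1) != sign else x
    return (x, y, 1, x * y % p)

G = pt_decode((4 * inv(5) % p).to_bytes(32, "little"))  # base point, x even

def keypair(seed):
    h = H(seed)
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)  # clamping
    return a, h[32:], pt_encode(pt_mul(a, G))

def sign_raw(msg, a, nonce_key, pk):
    r = int.from_bytes(H(nonce_key + msg), "little") % L  # deterministic nonce
    R = pt_encode(pt_mul(r, G))
    k = int.from_bytes(H(R + pk + msg), "little") % L     # challenge binds pk as given
    return R + ((r + k * a) % L).to_bytes(32, "little")

def sign_with_pk(msg, seed, pk):
    """VULNERABLE API: pk is caller-supplied and goes straight into the challenge hash."""
    a, prefix, _ = keypair(seed)
    return sign_raw(msg, a, prefix, pk)

def sign(msg, seed):
    """Mitigated API: derive pk from the seed, so the caller never gets to choose it."""
    return sign_with_pk(msg, seed, keypair(seed)[2])

def verify(msg, pk, sig):
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= L: return False
    k = int.from_bytes(H(R + pk + msg), "little") % L
    lhs = pt_mul(8 * S, G)
    rhs = pt_mul(8, pt_add(pt_decode(R), pt_mul(k, pt_decode(pk))))
    return pt_encode(lhs) == pt_encode(rhs)

def recover_scalar(msg, pk1, sig1, pk2, sig2):
    """Same seed and msg under two pks share r (so R); only k differs: S1-S2 = (k1-k2)*a mod L."""
    R = sig1[:32]
    assert R == sig2[:32], "R differs: signer is not deterministic, attack does not apply"
    k1 = int.from_bytes(H(R + pk1 + msg), "little") % L
    k2 = int.from_bytes(H(R + pk2 + msg), "little") % L
    S1, S2 = (int.from_bytes(s[32:], "little") for s in (sig1, sig2))
    return (S1 - S2) * pow((k1 - k2) % L, -1, L) % L

def demo():
    seed = hashlib.sha256(b"constructed demo seed").digest()  # constructed, not a real key
    a, _, pk = keypair(seed)
    msg, pk_bogus = b"transfer 10 to alice", bytes(32)  # bogus pk is never decoded, only hashed
    sig_real, sig_bogus = sign_with_pk(msg, seed, pk), sign_with_pk(msg, seed, pk_bogus)
    a_rec = recover_scalar(msg, pk, sig_real, pk_bogus, sig_bogus)
    evil = b"transfer 1000000 to mallory"
    forged = sign_raw(evil, a_rec, b"attacker nonce key", pk)  # any nonce key works now
    return a_rec == a % L, verify(evil, pk, forged)
```

    What the attacker recovers is a mod L rather than the clamped scalar itself, which is all a forger needs because the base point has order L. The signer never had to decode the bogus public key, it only hashed it, which is why nothing in the curve arithmetic catches the substitution: the check has to be in the API, either by deriving the public key from the secret or by refusing a supplied one that does not match.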

    iWorm hack shows Macs are vulnerable too

    The computer operating systems and applications we use today have often evolved over many years, decades even, and contain tens or hundreds of millions of lines of code. Flaws in that code – and there will always be some – give rise to security problems that, in an internet-connected world, are an increasing concern. Many are found in code written in C and C++ – in Microsoft Windows, in Java, in applications such as Adobe Flash or Reader, the Outlook email client, browsers such as Internet Explorer and Firefox, and increasingly Linux and OS X. Any issue found to affect Linux and other Unix-like operating systems causes problems for Apple because OS X is Unix-like in nature. Apple’s decision to build a new operating system for the Macintosh on Unix was a momentous one. A family of related operating systems, Unix has evolved since the early 1970s and continues to be used and developed today. Technically OS X is built on a “Unix-like” operating system called Darwin; Linux is another Unix-like operating system. This decision meant the company could rely on the stability of Unix and focus on the user experience. Will this decision return to bite Apple, however? The flaws now being discovered in Unix-like operating systems also affect OS X. Many bugs are being found that have gone unnoticed for years – the Heartbleed flaw in OpenSSL, for example, sits in a C code base whose origins go back to Eric Young’s SSLeay work of the late 1990s.

    Majority Voting Approach to Ransomware Detection

    Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing landscape of ransomware detection. In the majority of cases, these systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed, where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on algorithmic rather than heuristic calculations. The paper describes 23 candidate tests, as well as 9 Windows API tests, which are validated to determine both their accuracy and their viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as immunity to the occasional inaccuracy of an individual test when making the final classification. The system can also leverage multiple tests that are both comprehensive and complementary, in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection.
    Comment: 17 pages
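    A minimal version of the cumulative-score idea, as an added example not taken from the paper: six discrete, algorithmic tests over constructed per-process observations (a hypothetical monitor's record of write entropy, file counts, directory fan-out and Windows API call counts), each casting one vote, with a strict majority required for a "ransomware" verdict. The tests, thresholds and sample processes are assumptions for this demo, not the paper's 23 candidate or 9 Windows API tests; what it shows is the property the abstract claims: a benign archiver trips the entropy test on its own and still lands on the benign side, and a backup tool that trips three of six stays benign on the tie.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

@dataclass
class ProcessObs:
    """One process's activity over a monitoring window (all fields constructed)."""
    name: str
    written_sample: bytes       # sample of the bytes it wrote to disk
    files_modified: int
    files_renamed_new_ext: int  # renames that changed the file extension
    dirs_touched: int
    window_s: float
    api_calls: Counter          # Windows API name -> call count

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted or compressed output, far less for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Each test is a discrete, algorithmic check casting one vote (True = ransomware-like).
# Thresholds and the chosen API names are assumptions for this demo, not the paper's tests.
def t_entropy(o):
    return shannon_entropy(o.written_sample) > 7.5

def t_mass_modify(o):
    return o.files_modified / o.window_s > 5.0

def t_ext_churn(o):
    return o.files_modified > 0 and o.files_renamed_new_ext / o.files_modified > 0.8

def t_traversal(o):
    return o.dirs_touched > 20

def t_crypto_api(o):
    return any(o.api_calls[n] > 0 for n in ("CryptEncrypt", "BCryptEncrypt"))

def t_enum_then_write(o):
    return o.api_calls["FindFirstFileW"] > 50 and o.api_calls["WriteFile"] > 50

TESTS = [t_entropy, t_mass_modify, t_ext_churn, t_traversal, t_crypto_api, t_enum_then_write]

def score(obs):
    """Cumulative score: how many independent tests voted 'ransomware'."""
    return sum(1 for t in TESTS if t(obs))

def classify(obs):
    """Strict majority of the tests; a tie stays benign."""
    return "ransomware" if 2 * score(obs) > len(TESTS) else "benign"

_rng = random.Random(2024)  # deterministic stand-in for encrypted/compressed output
ENC = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT = b"Quarterly report, draft 3. " * 150
SAMPLES = [  # constructed observations, not real telemetry
    ProcessObs("cryptor.exe", ENC, 1200, 1150, 48, 60.0,
               Counter(FindFirstFileW=1200, CryptEncrypt=1200, WriteFile=1200, DeleteFileW=1200)),
    ProcessObs("archiver.exe", ENC, 1, 0, 1, 30.0,
               Counter(FindFirstFileW=400, ReadFile=400, WriteFile=40)),
    ProcessObs("backup.exe", TEXT, 900, 0, 35, 120.0,
               Counter(FindFirstFileW=900, ReadFile=900, WriteFile=900)),
    ProcessObs("editor.exe", TEXT, 3, 0, 2, 600.0, Counter(CreateFileW=3, WriteFile=3)),
]

def report(samples=SAMPLES):
    """name -> (score, verdict) for every observed process."""
    return {o.name: (score(o), classify(o)) for o in samples}

if __name__ == "__main__":
    for name, (votes, verdict) in report().items():
        print(f"{name:14} {votes}/{len(TESTS)} -> {verdict}")
```

    Equal weights make the vote easy to read; a real scorecard would weight tests by the validated accuracy the abstract mentions, and the tie rule is where the false-positive/false-negative trade-off gets decided, so the backup tool at three of six is the case to watch when tuning.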

    When amateurs do the job of a professional, the result is smart grids secured by dumb crypto.

    Security relies upon good programming and correct adherence to well-designed standards. If the standards are sloppy, then security has been compromised from the outset. Smart grids, which include the smart meters being rolled out to millions of homes and the upstream equipment used by electricity suppliers, are often secured by the Open Smart Grid Protocol (OSGP), developed by the Energy Service Network Association (ESNA). It’s estimated there are more than 4 million devices using OSGP. If there’s one rule about cryptography it’s that it is difficult to prove there are no weaknesses. Newly developed ciphers and methods are subjected to thorough cryptanalysis and peer review – and it’s not advisable to try to re-invent the wheel and develop a new form of cryptographic method or cipher. And yet ESNA did just that. Ever since OSGP was standardised in 2012, ESNA has been under fire for its decision, and now researchers have discovered just how bad that decision was.

    In cybersecurity, the weakest link is … you

    A chain is only as strong as its weakest link. Computer security relies on a great number of links: hardware, software and something else altogether: you. The greatest threat to information security is actually people. Why strive to defeat encrypted passwords stored in computers, when those computers’ human users will turn them over willingly? The technique is known as social engineering. It could be a phone call at your desk “from IT” querying problems with your login details, or asking about those of your colleagues. Or the more common technique of phishing – emails designed to solicit your credit card or login details by passing themselves off as legitimate emails from well-known banks or websites such as PayPal or eBay. This has evolved into spear phishing, in which known details about you personally give the email even greater credibility.

    3DES Encryption and Decryption in Microsoft .NET.

    This paper outlines the use of 3DES in Microsoft .NET. It gives a basic overview of the 3DES method, along with a review of other popular encryption methods and some sample code which can be used to implement 3DES.