In the beginning of 2018, the popular media was rife with news articles describing Meltdown and Spectre, two devastating attacks that affected millions of computers worldwide. This talk will provide a technical overview of these attacks. The talk will show how two age-old performance-enhancing tricks---out-of-order execution and speculative execution---by now considered mundane in the computer architecture community were put to spectacular use by the designers of the attacks.

In recent years, private search over encrypted data has garnered significant interest in the community with works focusing on supporting more complex structures and queries. In this talk, we focus on the problem of secure wildcard search over encrypted data. The setting consists of three entities viz. the data owner, the server and the client. The data owner outsources the encrypted data to the server, who obliviously services the clients' queries. In our proposed solution, the Blind Seer protocol is extended to support wildcard queries. We provide a reasonable security guarantee, by describing a leakage profile which captures all the information leaked by the protocol to the respective parties. Asymptotically, the solution is sub-linear in the number of keywords and the initial implementation results look promising.

Aadhaar is the national identities project of the Government of India. The main benefit of Aadhaar is expected to be better decision making using modern analytics (for eg, detecting fraud) as citizens can only use such an identity to avail of services from various government as well as private service providers; this necessarily involves building a huge store with necessary information on citizens such as mapping of ids to biometrics. Such stores raise many security and privacy concerns and therefore should be designed and analyzed very carefully. The threat model for such systems should address both internal and external attackers. Previous writings in the press and research work in this area have discussed many issues such as unwanted profiling and tracking of individuals, authentication without consent, collusion between multiple service providers leading to correlation of user data that may result in loss of privacy, suitability of biometrics chosen and the use of fake biometrics. While some analyses have suggested use of certain types of cryptographic operations to provide a solution, a comprehensive and workable solution for, say, avoiding profiling, has been lacking till recently, and there are also many problems from a larger systems perspective that need to be addressed such as access control models to constrain the access to sensitive data during collection and update of data as well as integrity of its metadata.

While “bullet proof” security is not possible for such a large system in principle, it is also not the case that certain aspects such as profiling cannot be handled through technical solutions; currently only legal provisions are available post facto for handling breaches. In this talk, we discuss our solution on how to avoid profiling and then discuss newer features in Aadhaar system wrt security.

Almost all the deployed public key cryptosystems will become insecure once a full scale quantum computer becomes a reality. This is because, quantum algorithms, like that of Shor proposed in 1994 can solve, for example, the factoring problem and discrete log problem in poly time. This algorithm can be used to break the widely used cryptosystems like RSA, Elliptic curve cryptography and Diffie-Hellman key-exchange using a quantum computer. Does it mean an end to cryptography once quantum computers become practical. The answer is affirmatively no as there are many candidates, called post-quantum crypto candidates, available which are believed to be secure against attacks by a quantum computer. Post-quantum cryptography deals with cryptosystems that run on conventional computers and are secure against attacks by quantum computers. In this talk, we will focus on post-quantum security notions and some candidate cryptosystems.

Machine learning based system are increasingly being used for sensitive tasks such as security surveillance, guiding autonomous vehicle, taking investment decisions, detecting and blocking network intrusion and malware etc. However, recent research has shown that machine learning models are venerable to attacks by adversaries at all phases of machine learning (e.g., training data collection, training, operation). All model classes of machine learning systems can be misled by making them wrongly classify inputs that are carefully crafted. Maliciously created input samples can affect the learning process of a ML system by either slowing the learning process, or affecting the performance of the learned model or causing the system make error only in attacker’s planned scenario.