Bart Preneel

iMinds, Ledeberg, Flanders, Belgium

Publications (616) · 108.3 Total impact

  • H. Massias · J.-J. Quisquater · Bart Preneel · Bart Van Rompay

  • ABSTRACT: Anonymous E-Cash was first introduced in 1982 as a digital, privacy-preserving alternative to physical cash. A lot of research has since then been devoted to extending and improving its properties, leading to the appearance of multiple schemes. Despite this progress, the practical feasibility of E-Cash systems is still today an open question. Payment tokens are typically portable hardware devices in smart card form, resource constrained due to their size, and therefore not suited to support largely complex protocols such as E-Cash. Migrating to more powerful mobile platforms, for instance smartphones, seems a natural alternative. However, this implies moving computations from trusted and dedicated execution environments to generic multi-application platforms, which may result in security vulnerabilities. In this work, we propose a new anonymous E-Cash system to overcome this limitation. Motivated by existing payment schemes based on MTM (Mobile Trusted Module) architectures, we consider at design time a model in which user payment tokens are composed of two modules: an untrusted but powerful execution platform (e.g., smartphone) and a trusted but constrained platform (e.g., secure element). We show how the protocol's computational complexity can be relaxed by a secure split of computations: non-sensitive operations are delegated to the powerful platform, while sensitive computations are kept in a secure environment. We provide a full construction of our proposed Anonymous Split E-Cash scheme and show that it fully complies with the main properties of an ideal E-Cash system. Finally, we test its performance by implementing it on an Android smartphone equipped with a Java Card-compatible secure element.
    ACM Transactions on Embedded Computing Systems 09/2015; 14(4). DOI:10.1145/2783439 · 0.47 Impact Factor
  • Filipe Beato · Stijn Meul · Bart Preneel

  • Elena Andreeva · Bart Mennink · Bart Preneel
    ABSTRACT: A cryptographic hash function compresses arbitrarily long messages to digests of a short and fixed length. Most existing hash functions are designed to evaluate a compression function with a finite domain in a mode of operation, and the compression function itself is often designed from block ciphers or permutations. This modular design approach allows for a rigorous security analysis by means of both cryptanalysis and provable security. We present a survey on the state of the art in hash function security and modular design analysis. We focus on existing security models and definitions, as well as on the security aspects of designing secure compression functions (indirectly) from either block ciphers or permutations. In all of these directions, we identify open problems that, once solved, would allow for increased confidence in the use of cryptographic hash functions.
    Designs Codes and Cryptography 05/2015; 77(2-3). DOI:10.1007/s10623-015-0096-0 · 0.96 Impact Factor
  • Bart Mennink · Bart Preneel
    ABSTRACT: A well-established method of constructing hash functions is to base them on non-compressing primitives, such as one-way functions or permutations. In this work, we present \(S^r\), an \(rn\)-to-\(n\)-bit compression function (for \(r\ge 1\)) making \(2r-1\) calls to \(n\)-to-\(n\)-bit primitives (random functions or permutations). \(S^r\) compresses its inputs at a rate (the amount of message blocks per primitive call) up to almost 1/2, and it outperforms all existing schemes with respect to rate and/or the size of underlying primitives. For instance, instantiated with the \(1600\)-bit permutation of NIST's SHA-3 hash function standard, it offers about \(800\)-bit security at a rate of almost 1/2, while SHA-3-512 itself achieves only \(512\)-bit security at a rate of about \(1/3\). We prove that \(S^r\) achieves asymptotically optimal collision security against semi-adaptive adversaries up to almost \(2^{n/2}\) queries and that it can be made preimage secure up to \(2^n\) queries using a simple tweak.
    International Journal of Information Security 04/2015; DOI:10.1007/s10207-015-0288-7 · 0.96 Impact Factor
  • Atul Luykx · Bart Mennink · Bart Preneel · Laura Winnen
    ABSTRACT: We consider the generic design of compression functions based on two \(n\)-bit permutations and XOR-based mixing functions. It is known that any such function mapping \(n+\alpha\) to \(\alpha\) bits, with \(1\le\alpha\le n\), can achieve at most \(\min\{2^{\alpha/2}, 2^{n/2-\alpha/4}\}\) collision security. Using techniques similar to Mennink and Preneel [CRYPTO 2012, Lecture Notes in Comput. Sci. 7417, Springer, Heidelberg (2012), 330-347], we show that there is only one equivalence class of these functions achieving optimal collision security, and additionally \(\min\{2^{\alpha}, 2^{n/2}\}\) preimage security. The equivalence class compares well with existing functions based on two or three permutations, and is well-suited for wide-pipe hashing.
    Journal of Mathematical Cryptology 01/2015; 9(3). DOI:10.1515/jmc-2015-0015
  • Jens Hermans · Roel Peeters · Bart Preneel
    ABSTRACT: We approach RFID privacy from both a modelling and a protocol point of view. Our privacy model avoids the drawbacks of several proposed RFID privacy models that either suffer from insufficient generality or put forward unrealistic assumptions regarding the adversary's ability to corrupt tags. Furthermore, our model can handle multiple readers and introduces two new privacy notions to capture the recently discovered insider attackers. We analyse multiple existing RFID protocols, demonstrating the easy applicability of our model, and propose a new wide-forward-insider private RFID authentication protocol. This protocol provides sufficient privacy guarantees for most practical applications and is the most efficient of its kind: it only requires two scalar-EC point multiplications.
    IEEE Transactions on Mobile Computing 12/2014; 13(12):2888-2902. DOI:10.1109/TMC.2014.2314127 · 2.54 Impact Factor
  • Michael Herrmann · Alfredo Rial · Claudia Diaz · Bart Preneel
    ABSTRACT: Location-sharing-based services (LSBSs) allow users to share their location with their friends in a sporadic manner. In currently deployed LSBSs users must disclose their location to the service provider in order to share it with their friends. This default disclosure of location data introduces privacy risks. We define the security properties that a privacy-preserving LSBS should fulfill and propose two constructions. First, a construction based on identity-based broadcast encryption (IBBE) in which the service provider does not learn the user's location, but learns which other users are allowed to receive a location update. Second, a construction based on anonymous IBBE in which the service provider does not learn the latter either. As advantages with respect to previous work, in our schemes the LSBS provider does not need to perform any operations to compute the reply to a location data request, but only needs to forward IBBE ciphertexts to the receivers. We implement both constructions and present a performance analysis that shows their practicality. Furthermore, we extend our schemes such that the service provider, performing some verification work, is able to collect privacy-preserving aggregate statistics on the locations users share with each other.
    WiSec 2014, Oxford, UK; 07/2014
  • ABSTRACT: Public key Kerberos (PKINIT) is a standard authentication and key establishment protocol. Unfortunately, it suffers from a security flaw when combined with smart cards. In particular, temporary access to a user's card enables an adversary to impersonate that user for an indefinite period of time, even after the adversary's access to the card is revoked. In this paper, we extend Shoup's key exchange security model to the smart card setting and examine PKINIT in this model. Using this formalization, we show that PKINIT is indeed flawed, propose a fix, and provide a proof that this fix leads to a secure protocol.
    International Journal of Information Security 06/2014; 13(3). DOI:10.1007/s10207-013-0213-x · 0.96 Impact Factor
  • Kota Ideguchi · Elmar Tischhauser · Bart Preneel
    ABSTRACT: We analyze the Grøstl-0 hash function, that is, the version of Grøstl submitted to the SHA-3 competition. This paper extends Peyrin's internal differential strategy, which uses differential paths between the permutations P and Q of Grøstl-0 to construct distinguishers of the compression function. This results in collision attacks and semi-free-start collision attacks on the Grøstl-0 hash function and compression function with reduced rounds. Specifically, we show collision attacks on the Grøstl-0-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities \(2^{48}\) and \(2^{112}\), and on the Grøstl-0-512 hash function reduced to 6 out of 14 rounds with time complexity \(2^{183}\). Furthermore, we demonstrate semi-free-start collision attacks on the Grøstl-0-256 compression function reduced to 8 rounds and the Grøstl-0-512 compression function reduced to 9 rounds. Finally, we show improved distinguishers for the Grøstl-0-256 permutations with reduced rounds.
    Designs Codes and Cryptography 03/2014; 70(3). DOI:10.1007/s10623-012-9674-6 · 0.96 Impact Factor
  • ABSTRACT: The tremendous popularity of Online Social Networks (OSNs), such as Facebook and Google+, has accustomed people to an easy and reliable process of social interaction. Inherently, the huge amount of information disseminated and the sensitive information possessed by OSNs has prompted several privacy concerns. In order to increase the privacy of OSN users, several solutions have proposed the use of encryption and masking techniques to conceal profile information or the content of exchanged messages. Unfortunately, even when such countermeasures are in place, the OSNs can still infer sensitive information based on the social network structure and the behavior of users. In this paper, we present VirtualFriendShip, a novel solution that allows users to hide their real social network structure, and to browse the OSNs while keeping their actions anonymous. To do so, we introduce the concept of routing friends, which are built upon social trust and relay other users' traffic through a decentralized channel. We demonstrate the feasibility of our solution via a prototype implementation of VirtualFriendShip for Facebook. With a set of experiments we show that the additional costs are tolerable to end users.
    In Proceedings of the IEEE Conference on Communications and Network Security; 01/2014
  • Bart Preneel
    ABSTRACT: Cryptographic hash functions play a central role in cryptography: they map arbitrarily large input strings to fixed length output strings. The main applications are to create a short unique identifier for a string, to transform a string with a one-way mapping, and to commit to a string or to confirm its knowledge without revealing it. Additional applications are the mapping of group or field elements to strings, key derivation and the extraction of entropy. The main security requirements are preimage and second preimage resistance, collision resistance and indifferentiability from a random oracle. During the last three decades, more than 200 hash function designs have been published; many of those have been cryptanalyzed, including widely used schemes such as MD5 and SHA-1. Moreover, there was a lack of theoretical understanding of their constructions; as a consequence, structural flaws were identified in widely used designs. These concerns also undermined to some extent the confidence in the SHA-2 hash functions, which have been designed for long term security. As a consequence, the US National Institute of Standards and Technology has organized an open competition. The competition started in November 2007; after five years of intense design, analysis and debate the Keccak function was announced as the winner in October 2012. The new FIPS standard is expected to be published in 2014. This extended abstract will identify some lessons learned during this competition.
    Proceedings of the 6th International Conference on Security of Information and Networks; 11/2013
  • ABSTRACT: In the modern web, the browser has emerged as the vehicle of choice which users are to trust, customize, and use to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications. In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third-party-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifiable Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.
    Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security; 11/2013
  • ABSTRACT: Various Location Privacy-Preserving Mechanisms (LPPMs) have been proposed in the literature to address the privacy risks derived from the exposure of user locations through the use of Location Based Services (LBSs). LPPMs obfuscate the locations disclosed to the LBS provider using a variety of strategies, which come at a cost either in terms of quality of service, or of resource consumption, or both. Shokri et al. propose an LPPM design framework that outputs optimal LPPM parameters considering a strategic adversary that knows the algorithm implemented by the LPPM, and has prior knowledge of the users' mobility profiles [23]. The framework allows users to set a constraint on the tolerable loss of quality of service due to perturbations in the locations exposed by the LPPM. We observe that this constraint does not capture the fact that some LPPMs rely on techniques that augment the level of privacy by increasing resource consumption. In this work we extend Shokri et al.'s framework to account for constraints on bandwidth consumption. This allows us to evaluate and compare LPPMs that generate dummy queries or that decrease the precision of the disclosed locations. We study the trilateral trade-off between privacy, quality of service, and bandwidth, using real mobility data. Our results show that dummy-based LPPMs offer the best protection for a given combination of quality and bandwidth constraints, and that, as soon as communication overhead is permitted, both dummy-based and precision-based LPPMs outperform LPPMs that only perturb the exposed locations. We also observe that the maximum value of privacy a user can enjoy can be reached by either sufficiently relaxing the quality loss or the bandwidth constraints, or by choosing an adequate combination of both constraints. Our results contribute to a better understanding of the effectiveness of location privacy protection strategies, and to the design of LPPMs with constrained resource consumption.
    Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society; 11/2013
  • ABSTRACT: When middlebox devices must be able to adapt an encrypted video stream in the network without having the decryption key, format-compliant partial encryption schemes should be applied. In this paper, we propose such encryption schemes for the recently standardized High Efficiency Video Coding (HEVC) standard. By encrypting specific syntax elements like the sign of the residual information, the sign of the motion vector (MV) difference, the MV prediction index, and the MV reference index, format compliance and the possibility for adaptation are offered. Scrambling performance gradually increases when shifting from encrypting the motion information to encrypting the residual sign and finally to the combination thereof. Applying all these techniques has a negligible impact on the compression efficiency.
    2013 20th IEEE International Conference on Image Processing (ICIP); 09/2013
  • ABSTRACT: Attribute-based credential systems offer a privacy-friendly solution to access electronic services. In this field, most research has been directed into optimizing the prover operations and exploring the usability boundaries on mobile platforms like smart cards and mobile phones. This research assumes that the verification of credential proofs occurs at a powerful back end. However, a broad range of (embedded) applications lack this powerful back end. This article shows that hardware accelerators for modular exponentiations greatly reduce the run time of applications that require credential verification in an embedded context. In addition, when verification requires a considerable amount of the total run time (i.e., communication included), the use of dual-base (simultaneous) exponentiation hardware further increases the overall performance. All tests have been performed in a practical setup between a smartphone and an embedded terminal using NFC communication.
    14th IFIP TC 6/TC 11 International Conference, CMS 2013, Magdeburg, Germany; 09/2013
  • ABSTRACT: In this paper we propose Sancus, a security architecture for networked embedded devices. Sancus supports extensibility in the form of remote (even third-party) software installation on devices while maintaining strong security guarantees. More specifically, Sancus can remotely attest to a software provider that a specific software module is running uncompromised, and can authenticate messages from software modules to software providers. Software modules can securely maintain local state, and can securely interact with other software modules that they choose to trust. The most distinguishing feature of Sancus is that it achieves these security guarantees without trusting any infrastructural software on the device. The Trusted Computing Base (TCB) on the device is only the hardware. Moreover, the hardware cost of Sancus is low. We describe the design of Sancus, and develop and evaluate a prototype FPGA implementation of a Sancus-enabled device. The prototype extends an MSP430 processor with hardware support for the memory access control and cryptographic functionality required to run Sancus. We also develop a C compiler that targets our device and that can compile standard C modules to Sancus-protected software modules.
    Proceedings of the 22nd USENIX conference on Security; 08/2013

  • Selected Areas in Cryptography - SAC 2013 - 20th International Conference, Burnaby, BC, Canada; 08/2013
  • ABSTRACT: In this paper we present a flexible hardware design for performing Simultaneous Exponentiations on embedded platforms. Simultaneous Exponentiations are often used in anonymous credentials protocols. The hardware is designed in VHDL and fit for use in embedded systems. The kernel of the design is a pipelined Montgomery multiplier. The length of the operands and the number of stages can be chosen before synthesis. We show the effect of the operand length and number of stages on the maximum attainable frequency as well as on the FPGA resources being used. Next to scalability of the hardware, we support different operand lengths at run-time. The design uses generic VHDL without any device-specific primitives, ensuring portability to other platforms. As a test-case we effectively integrated the hardware in a MicroBlaze embedded platform. With this platform we show that simultaneous exponentiations with our hardware are performed 70 times faster than with an all-software implementation.
    Proceedings of the 9th international conference on Reconfigurable Computing: architectures, tools, and applications; 03/2013

Publication Stats

9k Citations
108.30 Total Impact Points


  • 2015
    • iMinds
      Ledeberg, Flanders, Belgium
  • 1993-2014
    • University of Leuven
      • Department of Computer Science
      • Department of Electrical Engineering (ESAT)
      Louvain, Flemish, Belgium
  • 2008
    • Katholieke Hogeschool Limburg
      Limburg, Walloon Region, Belgium
  • 2007
    • Ecole Supérieure d'Aéronautique et des technologies
      L’Ariana, Ariana, Tunisia
  • 2005
    • Universitair Psychiatrisch Centrum KU Leuven
      Cortenberg, Flanders, Belgium
  • 2002
    • Technical University of Denmark
      • Department of Mathematics
      Copenhagen, Capital Region, Denmark
  • 1999
    • University of Bergen
      • Department of Informatics
      Bergen, Hordaland, Norway
  • 1997
    • University of London
      Londinium, England, United Kingdom
  • 1992
    • Leuven University College
      Louvain, Flemish, Belgium