Léo Ducas of CWI's Cryptology group has won the 2016 Internet Defense Prize. He was awarded the prize last night with his co-authors Erdem Alkim (Ege University), Thomas Pöppelmann (Infineon Technologies AG) and Peter Schwabe (Radboud University) for their paper 'Post-Quantum Key Exchange Offers New Hope' on post-quantum security. The prize was awarded last night at the 25th USENIX Security Symposium in Austin, Texas.
The team proposed new parameters for providing post-quantum security for TLS. Building on a previously proposed instantiation presented by researchers at IEEE Security & Privacy 2015, this new research identified a better suited error distribution and reconciliation mechanism, analyzed the scheme's hardness against attacks by quantum computers, and identifies a possible defense against backdoors and all-for-the-price-of-one attacks. Using these measures — and for the same lattice dimension — the team was able to increase the security parameter by more than 100 percent, reduce the communication overhead by more than half, and significantly increase computation speed in portable C implementation and current Intel CPUs, all while protecting against timing attacks.
The Internet Defense Prize is designed to reward researchers who combine a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense. It was created in 2014 by Facebook through a partnership with USENIX. The information security industry is in a race against time to innovate faster than the adversaries who wish to harm consumers and businesses. However, most security research over-rotates toward offensive, novelty hacks that have little impact on most people's lives. Exaggerated attention still goes to research that celebrates breaking instead of research focused on protecting people in the real world. Facebook created the Internet Defense Prize to change this incentive.
In the first year, $50,000 was awarded to a pair of German researchers for their work using static analysis to detect “second-order vulnerabilities” in web applications that are used to inflict harm after being stored on the web server ahead of time. Last year, thee award amount was doubled to $100,000 and presented it to a team from Georgia Tech who identified an important emerging class of security issues for C++ programs. They proposed a novel technique for detecting bad type casts by combining both static and dynamic analysis.
[photo of winning team]
For a full news item, including news on the other finalists, please visit https://www.facebook.com/protectthegraph
The paper is available at https://eprint.iacr.org/2015/1092.pdf