Security research within the Systems and Security (SAS) theme has been primarily driven by tackling real-world security problems. Some of our research works have had a societal impact and have been deployed in practical applications. The following are a few selected examples.

Key exchange

• J-PAKE: Authentication Key Exchange Without PKI (Hao, Ryan, Springer Trans. on Computer Science, 2010). This paper presents a password-authenticated key exchange protocol called J-PAKE. Ten years later, J-PAKE has been adopted as a de facto standard in the IoT industry for device commissioning and built into many millions of Google Nest, ARM, NXP, Qualcomm, Texas Instruments, Samsung IoT products (see Thread Certified Products and OpenThread for a full range of products).
• Analysing and Patching SPEKE in ISO/IEC (Hao, Metere, Shahandashti, Dong, IEEE TIFS, 2018) - This paper presents two novel attacks against the SPEKE protocol and a countermeasure that provably fixes the identified flaws. SPEKE had been standardized by ISO/IEC for more than 10 years and used in many applications, and it was the first time such attacks were uncovered. This work has led to the revision of the standard with the inclusion of the proposed countermeasure (published in ISO/IEC 11770-4:2017).

E-voting

• DRE-ip: A Verifiable E-Voting Scheme without Tallying Authorities (Shahandashti, Hao, ESORICS'16) - This paper presents a new "self-enforcing e-voting" system called DRE-ip. A prototype of the DRE-ip system was successfully trialed in a polling station in Gateshead during the 2019 United Kingdom local elections. The e-voting trial was reported on BBC News.
• Real-World Electronic Voting: Design, Analysis and Deployment (Hao, Ryan, Eds. CRC, 2016) - This book consolidates the state-of-the-art in the research field of verifiable e-voting in a real-world setting as of 2016.
• Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting (Hao, Kreeger, Randell, Clarke, Shahandashti, Lee, USENIX JETS, 2014) - This paper proposes a radically new research direction called "self-enforcing e-voting". This paper laid the foundation for a €1.5m ERC starting grant on and a €150K ERC Proof of Concept grant.

Biometrics/PUF

• Texture to the Rescue: Practical Paper Fingerprinting based on Texture Patterns (Toreini, Shahandashti, Hao, ACM TOPS, 2017) - This paper presents a new technique to authenticate a paper document by analyzing the random interleaving of wooden articles during the production of paper. This paper is featured in The Economist, Wall Street Journal, Chronicle Live, Digital Trends, DNA India, ITV News, New Atlas, Phys.org, Science Daily, Zee News India, 36Kr, Correio Braziliense, Mehr News, PlayTech, Sohu.
• Combining Crypto with Biometrics Effectively (Hao, Anderson, Daugman, IEEE TC, 2006) - This paper proposes the first practical and secure way to integrate the iris biometric into cryptographic applications. Ten years later, in 2017, this paper was ranked No. 1 in the Google Scholar Classic Papers in the category of Computer Security & Cryptography.

Cryptocurrency/blockchain

• Refund Attacks on Bitcoin's Payment Protocol (McCorry, Shahandashti, Hao, FC'16) - The paper presents two attacks on the standard BIP70 Bitcoin Payment protocol and a countermeasure. Both attacks and the countermeasure have been acknowledged by the two largest Bitcoin processors, Bitpay and Coinbase. As of 2020, BIP70 is being de-standardized.
• A Smart Contract for Boardroom Voting with Maximum Voter Privacy (McCorry, Shahandashti, Hao, FC'17) - This paper presents the first implementation of a decentralized Internet voting protocol with maximum voter privacy over Ethereum's blockchain. It lays the technical basis for a submission that won 3rd place in the 2016 Economist Cybersecurity Challenge. This work is featured in CoinDesk.

Sensor/IoT security

• TouchSignatures: Identification of User Touch Actions and PINs Based on Mobile Sensors via JavaScript (Mehrnezhad, Toreini, Shahandashti, Hao, Elsevier JISA, 2016) - This paper reports a significant security flaw in the specification of W3C regarding the JavaScript's unrestricted access to the sensor data in a browser on a mobile phone. The identified flaw was acknowledged by W3C and the browser industry as seen in Mozilla advisory, Apple patch in iOS 9.3, Bugzilla tracker, Chromium bug tracker, W3C revision. The research work was also reported in The Guardian, The Telegraph, The Independent, Dailymail, New York Post, The Sun, The Australian, The Economic Times, TechCrunch, Engadget, Popular Science, Science Friday CBC News, German Public Radio Deutschlandfunk, Die Welt (German national daily newspaper), Sina (Chinese), Sohu (Chinese), Masjable (French), Lavoz (Spanish), Khorasan (Iranian), ars Technica.

People

Projects