About Feng Hao

Reader in Security Engineering, School of Computing Science, Newcastle University

The SPEKE Protocol Revisited

In a forthcoming paper (to be presented at SSR’14), we (with Siamak Shahandashti) present some new attacks on SPEKE, an internationally standardized protocol. The idea originated from a causal chat over coffee with my colleague, Siamak Shahandashti, four days before the SSR’14 submission deadline. But the idea was interesting enough (to us) that we decided to write a paper. It was intensive a few days’ work, but it turned out to an enjoyable experience. A preprint of the paper can be found here (also in the IACR ePrint).

Background: SPEKE is one of the most well-known Password Authentication Key Exchange (PAKE) techniques. It was first designed in 1996 by David Jablon. Over the past twenty years, it seems to have withstood various attacks, and yet no major flaws has been found. To date, the SPEKE protocol has been included into the IEEE P1363.2 and ISO/IEC 11770-4 standards, and deployed in commercial products (for example, Blackberry).

Our findings: However, in our paper, we identity two weaknesses in SPEKE, which seem to have evaded previous efforts of cryptanalysis. First, we show an impersonation attack, in which an attacker is able to impersonate a user by engaging in two parallel sessions with the victim. Second, we show a key-malleability attack, in which a man-in-the-middle attacker is able to manipulate the session key established between two honest users without being detected. We further explain the applicability of the attack to the SPEKE variants defined in IEEE P1363.2 and ISO/IEC 11770-4 and point out deficiencies in both standards.

Suggested changes to standards:  Finally, we propose concrete changes to both the IEEE and ISO/IEC standards. The changes that we propose not only address all currently known attacks against SPEKE, but also improve the round efficiency of SPEKE as it is currently defined in the standards.

For more technical details, please refer to our paper. Any comments are of course most welcome.


  • 2014-10-24: during the ISO/IEC JTC 1/SC 27 Meeting held in Mexico (19-24 Oct, 2014), it has been agreed by the national bodies present in the meeting to revise the SPEKE specification in ISO/IEC 11770-4 to address the two attacks reported in our SSR’14 paper.

Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting

Last week, at USENIX EVT/WOTE’14, in the beautiful city of San Diego, I presented a paper that was jointly co-authored with my former colleague at Thales (Mr Matthew Kreeger) and colleagues at Newcastle University (Prof Brian Randell, Dr Dylan Clarke, Dr Siamak Shahandashti, Peter Hyun-Jeen Lee). The title of our joint paper is “Every Vote Counts: Ensuring Integrity in Large-Scale Electronic Voting” (presentation slides here).

In this paper, we first highlight a significant gap in the e-voting research field that many people seem to have ignored: while the End-to-End (E2E) e-voting systems have been extensively researched for over twenty years and have been commonly heralded as a rescuer to many controversies in e-voting, in practice few of those systems have actually been implemented and almost none of them used in real-world national elections.

We are motivated to find out the root cause and to narrow the gap. Our hypothesis is that the existing E2E systems’ universal dependence on a set of tallying authorities (who are assumed to be from parties of conflicting interests, be expert in cryptographic key management and be expert in computing) presents a significant hurdle towards the practical deployment of those systems.

We then show that the involvement of tallying authorities is not strictly necessary at least in some election scenarios. In particular, we focus on DRE-based (Direct Recording Electronic) elections conducted at supervised polling stations. This is perhaps the most common election scenario in national elections around the world, e.g., USA, India and Brazil.  We present a new cryptographic voting protocol called Direct Recording Electronic with Integrity (DRE-i). The DRE-i protocol provides the same E2E verifiability as other E2E voting protocols, but without involving any tallying authorities. Hence, the system is “self-enforcing”. By comparing with related E2E protocols that are dependent on tallying authorities, we demonstrate that a self-enforcing e-voting system is significantly simpler, earlier to implement, more efficient and has better usability – all of this is achieved without degrading security.

We welcome interested readers to scrutinize our paper, point out any error or discrepancy that you can find, and feel free to write your feedback in the “Comments” below.

CFP: Special issue on security and privacy in cloud computing

The following is a CFP for the special issue on security and privacy in cloud computing, to be published by the Journal of Information Security and Applications (Elsevier) in 2015.

Submission deadline: 15 Jan 2015 (changed to 15 April, 2015).


Research works that contain “new” ideas and are driven by tackling “real-world” security/privacy problems in cloud computing are especially welcome.

How many years it takes to publish a new idea

While the original idea could be traced back to a chapter in my PhD thesis, the actual work on large-scale e-voting started in 2009 when I was still working in Cambridge. With my colleague Matthew Kreeger, we began to critically examine the basic theory underpinning the 20 years research on End-to-End (E2E) verifiable e-voting, and attempted to design a new category of E2E systems that did not rely on any trustworthy tallying authorities. We called the new category “self-enforcing e-voting”.

We first released a technical report in IACR (2010), and then tried to publish it at a conference.


Until its recent acceptance by USENIX JETS (Vol. 2, No. 3, 2014), the paper had been repeatedly rejected by top conferences in the field. The final version of the paper is in the open-access domain (below). The technical protocol in the paper remains unchanged from its 2010 IACR report.


This has been an interesting personal experience, from receiving consistently harsh reviews and repeated rejections from top conferences, to getting surprisingly positive feedback from the ERC panel and a €1.5m starting grant to support my further work, until the final acceptance of the paper just recently.

Getting rejections is always a frustrating experience, but in the end, I feel I learned most from the rejections rather than the acceptance. Today’s top security conferences have developed an extremely rigorous reviewing process, which is good. But perhaps, the process could be slightly adjusted to give a little bit more tolerance to “new” ideas, albeit they may be controversial or have all sorts of shortcomings in the beginning.

Acknowledgement: The co-authors of the paper are Matthew Kreeger, Brian Randell, Dylan Clarke, Siamak Shahandashti and Peter Lee. We especially thank several dozens of anonymous reviewers – who liked or disliked the paper – for the feedback and for helping us improve the paper.

Radio interview with Ehsan Toreini about private browsing

Ehsan was interviewed on a radio show last Thursday (17 July, 2015) by an Australian radio station LifeFM, on the security issues of private browsing in modern browsers. It was related to a recently published paper which Ehsan co-authored: “On the privacy of private browsing – A forensic approach” (2014, ScienceDirect).

The interview recording can be found here.

Verifiable Classroom Voting

In today’s Teaching and Learning 2014 Conference, I presented a talk on “Enforcing Teaching and Learning with Electronic Voting” (Slides). This talk summarizes our last two years’ work on developing a smart-phone based Verifiable Classroom Voting (VCV) system and experience of trialing it in real classroom teaching (with positive student feedback which can be viewed here and here near the bottom of the questions).

The VCV system is built based on a cryptographic protocol called DRE-i, which ensures the integrity of the tallying results without involving any trusted tallying authorities. Voters are able to independently verify if their votes have been actually captured by the system and correctly tallied without compromise on voter privacy. To the best of our knowledge, the developed system is the first in the world – none of the commercially available classroom voting systems permits public verifiability as ours does.

Encouraged by the positive student feedback, our ultimate aim is to make the system freely available to teachers in any university or school worldwide to help enhance teaching and learning in a classroom. At the moment, we are still at a trial stage. Limited by the available resource, the system is currently only available to those who have valid Newcastle University campus accounts.

If you are a member of the teaching staff in the university, and would like to trial the system in your class, follow the brief instructions below.

Before the class:

  • Log on https://evoting.ncl.ac.uk as a coordinator (using your campus ID)
  • Create an election under the “Creation Election” tab
  • Take note of the election ID generated by the system at the end of the election creation. (An example of the election ID is: 4535)

Voting in the class

  • Inform the students the election ID and an optional passcode
  • Ask students to visit https://evoting.ncl.ac.uk with the provided election ID and passcode (if any)
  • Alternatively, students may vote using mobile phone apps (free iPhone app available here and Android app here)

Displaying the results

  • Log on https://evoting.ncl.ac.uk using your campus ID
  • Go to the “Manage Elections” tab. Next to the election ID, choose “End Election” from the “Action” drop-down menu
  • Go to the home page, enter election ID and then choose “View results”

PowerPoint Plug-In: Normally, “Displaying the results” requires the use of a web browser. But that means you need to swap the presentation modes between the PowerPoint and a web browser. For a smoother presentation,  you can install a PowerPoint plug-in (freely available at SourceForge) which inserts an IE browser in one PowerPoint slide, so you can  stay in the PowerPoint slideshow throughout the presentation.

Special-interest group: If you would like to join us to further the trials of classroom voting for pedagogical purposes, please get in touch. We may set up a mailing list for the special-interest group if there is sufficient interest.

Acknowledgement: This research work is kindly supported by Newcastle University UTLSEC Innovation Fund (2012) and ERC Starting Grant (2013-2018). Dylan Clarke developed the back-end server, initial web interface and iPhone app. Carlton Shepherd developed the initial Android app and helped improve the web interface. Ehsan Toreini developed the PowerPoint plugin and helped improve the web interface.

First post

This post is to announce the birth of “Security Upon Tyne” – a blog on security research at the School of Computing Science, Newcastle University, Newcastle-upon-Tyne, UK.

We hope this blog will provide a platform to facilitate two-way communication: 1) to disseminate our research results to people outside the school; 2) more importantly, to allow any reader over the Internet to comment, scrutinize and criticize our work.