42.1 | CR | Apr 28
Making AI-Assisted Grant Evaluation Auditable without Exposing the Model
Kemal Bicakci
Public agencies are beginning to consider large language models (LLMs) as decision-support tools for grant evaluation. This creates a practical governance problem: the model and scoring rubric should not be exposed in a way that allows applicants to optimize against them, yet the evaluation process must remain auditable, contestable, and accountable. We propose a TEE-based architecture that helps reconcile these requirements through remote attestation. The architecture allows an external verifier to check which model, rubric, prompt template, and input representation were used, without exposing model weights, proprietary scoring logic, or intermediate reasoning to applicants or infrastructure operators. The main artifact is an attested evaluation bundle: a signed, timestamped record linking the original submission hash, the canonical input hash, the model-and-rubric measurement, and the evaluation output. The paper also considers a scenario-specific prompt injection risk: applicant-controlled documents may contain hidden or indirect instructions intended to influence the LLM evaluator. We therefore include a canonicalization and sanitization layer that normalizes document representations and records suspicious transformations before inference. We position the design relative to confidential AI inference, attestable AI audits, zero-knowledge machine learning, algorithmic accountability, and AI-assisted peer review. The resulting claim is deliberately narrow: remote attestation does not prove that an evaluation is fair or scientifically correct, but it can make part of the evaluation process externally verifiable.
CR | Jun 15, 2016 | Code
TwinCloud: Secure Cloud Sharing Without Explicit Key Management
Kemal Bicakci, Davut Deniz Yavuz, Sezin Gurkan
With the advent of cloud technologies, there is a growing number of easy-to-use services to store files and share them with other cloud users. By providing security features, cloud service providers try to encourage users to store personal files or corporate documents on their servers. However, their server-side encryption solutions are not satisfactory when the server itself is not trusted. Although there are several client-side solutions to provide security for cloud sharing, they are not used extensively because of usability issues in key management. In this paper, we propose TwinCloud, which is an innovative solution with the goal of providing a secure system to users without compromising the usability of cloud sharing. TwinCloud achieves this by bringing a novel solution to the complex key exchange problem and by providing a simple and practical approach to store and share files by hiding all the cryptographic and key-distribution operations from users. Serving as a gateway, TwinCloud uses two or more cloud providers to store the encryption keys and encrypted files in separate clouds, which eases secure sharing without a need to trust either of the cloud service providers, under the assumption that they do not collude with each other. We implemented TwinCloud as a lightweight application and made it available as open source. The results of our usability study show the prospect of the secure sharing solution of TwinCloud.
HC | May 27, 2019
Analyzing Turkish F and Turkish E keyboard layouts using learning curves
Mevlut Serkan Tok, Osman Tufan Tekin, Kemal Bicakci
The F-layout was introduced in 1955 and eventually enforced as a national standard as a replacement for the popular QWERTY keyboard layout in Turkey. In a more recent work, another alternative (E-layout) was developed for the Turkish language and argued to be faster and more comfortable than the F-layout. However, there has not been any empirical evidence favouring either of these layouts so far. To fill this research gap in the literature, we have employed a hybrid model and conducted both between-subjects and within-subjects user experiments with twelve freshmen majoring in computer engineering. The experimental results show that there is no significant difference between the learning percentages of these two layouts, but the completion time of typing a trial passage with the F-layout is significantly lower than with the E-layout. The F-layout also has a significantly lower physical demand score, as revealed by the subjective assessments of participants. Based on our user survey data, we also discuss some possible reasons for the F-keyboard's limited prevalence among Turkish users.
CR | Nov 18, 2015
Trust-in-the-Middle: Towards Establishing Trustworthiness of Authentication Proxies using Trusted Computing
Yusuf Uzunay, Kemal Bicakci
Authentication proxies, which store users' secret credentials and submit them to servers on their behalf, offer benefits with respect to security of the authentication and usability of credential management. However, being a service that is not under the control of users, one important problem they suffer from is the trust problem: how can users trust that their secrets are handled securely in the proxy and not revealed to third parties? In this paper, we present a solution called Trust-in-the-Middle, a TPM-based proxy system which ensures that user credentials are securely stored and submitted without disclosing them even if the proxy is compromised. We build our architecture on a trust chain bootstrapped by TPM DRTM and prevent access to credentials if any entity in the chain is maliciously modified. We use remote attestation to guarantee that all critical operations on the proxy are performed securely and credentials are cryptographically protected when they are not in DRTM-supported isolation.
HC | Nov 18, 2015
Could We Distinguish Child Users from Adults Using Keystroke Dynamics?
Yasin Uzun, Kemal Bicakci, Yusuf Uzunay
A significant portion of contemporary computer users are children, who are vulnerable to threats coming from the Internet. To protect children from such threats, in this study, we investigate how successfully typing data can be used to distinguish children from adults. For this purpose, we collect a dataset comprising keystroke data of 100 users and show that distinguishing child Internet users from adults is possible using Keystroke Dynamics with equal error rates less than 10 percent. However, the error rates increase significantly when there are impostors in the system.