CryptoDB
Papers from RWC 2023
Year
Venue
Title
2023
RWC
Ask Your Cryptographer if Context-Committing AEAD Is Right for You
Abstract
This talk will make the case, on behalf of a group of authors of many of the recent results on commitment in AEAD, that the community should prioritize and standardize AEAD designs that achieve commitment to the key, associated data, and nonce. We call this context commitment. The main benefit of such schemes is that they preclude practitioners from having to make choices about what parts of the context should be committing. While context commitment has not yet seen the same kind of attacks in practice as key commitment, we expect them to be discovered and, to get ahead of attackers, standardization efforts should therefore target context commitment.
We will start our presentation by defining context commitment [BH22], highlighting in particular how it is not formally implied by key commitment. We next discuss new attacks that exploit this gap, including showing context-commitment attacks on recently proposed key commitment-secure schemes [Kra19, §3.1.1], [ADG+22, §5.3], and [D+22]. These hint at a rich landscape of possible attacks, and we briefly discuss frameworks that explore this landscape [BH22,CR22,MLGR22]. Finally, we provide an overview of recent proposals for new AEAD schemes that achieve context commitment, and discuss avenues for future work.
2023
RWC
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol
Abstract
EDHOC is a lightweight authenticated key exchange protocol for IoT communication, currently being standardized by the IETF. Its design is a trimmed-down version of similar protocols like TLS 1.3, building on the SIGn-then-MAc (SIGMA) rationale. In its trimming, however, EDHOC notably deviates from the SIGMA design by sending only short, non-unique credential identifiers, and letting recipients perform trial verification to determine the correct communication partner. Done naively, this can lead to identity misbinding attacks when an attacker can control some of the user keys, invalidating the original SIGMA security analysis and contesting the security of EDHOC.
In this talk we present a computational analysis capturing the potential attack vectors introduced by non-unique credential identifiers. We show that EDHOC, in its latest draft version 17, indeed achieves the intended key exchange security with user authentication even in a strong model where the adversary can register malicious keys with colliding identifiers, given that the employed signature scheme provides so-called exclusive ownership. Through our security result, we confirm cryptographic improvements integrated by the IETF working group in recent draft versions of EDHOC based on recommendations from our and others' analysis. We will comment on these fruitful interactions with the IETF LAKE working group in the talk, as an encouraging example of how proactive security analyses accompanying standardization efforts benefit real-world cryptography.
2023
RWC
Cellular Radio “Null Ciphers” and Android
Abstract
Historically, the cryptographic algorithms used for ciphering and integrity protection between mobile phones and cell towers, intended to protect SMS, voice calls, etc., have been shrouded in mystery. Additionally, there is a history of mobile phones accepting cellular connections with no or improperly configured cryptography (the “null cipher” problem, as it’s called in the field of cellular security), with users having little control over this. In an upcoming Android release, users will be able to choose to disable connecting to cell towers with no ciphering and integrity protection. This talk will cover the history of null ciphers in cellular standards, their real-life use in the field, how this problem space overlaps with fake base stations (aka “IMSI-catchers” or “Stingrays”), an overview of how we’ve addressed these issues in an upcoming Android release, and some of the engineering challenges we faced.
2023
RWC
Crypto Agility and Post-Quantum Cryptography @ Google
Abstract
In this talk we will present challenges Google faces with key management, and how we built a system to instrument our cryptographic libraries to gain extensive observability into how our services use cryptographic key material in practice. This allows us to enforce best practices like key rotation, deleting old keys and respecting data limits, across global large scale distributed systems. Within Google, our tooling covers thousands of internal teams with diverse use cases, improving both security and reliability on a large scale.
This talk also shows how we deployed post-quantum cryptography to Google's internal transport layer security protocol (ALTS), and made it the default option. We will talk about the challenges, both technical and organisational, of making such a large-scale change to a global infrastructure such as the one run by Google. We will share insights on the performance impact and discuss our design decisions and trade-offs.
2023
RWC
Cryptography for Grassroots Organizing
Abstract
Grassroots organizers are people who work from within communities to effect economic, environmental, social, or political change. Engagement, communication, and trust between community members are vital to the success of grassroots movements. Grassroots organizers have therefore developed long-standing community-based trust and communication protocols that are grounded in physical community spaces such as schools, libraries, town halls, community centers, places of worship, parks, and streets.
Digital networking tools afford organizers the ability to engage more people, quickly disseminate important information, and decentralize movements for change. However, they also increase the level of personal risk that communities face by organizing, since the visibility of personal information and communication on social media facilitates surveillance, disinformation, infiltration, and ultimately physical violence from law enforcement, hate groups, and foreign governments. In this talk, we will explore the question: How might we use cryptographic tools to adapt the existing trust and communication protocols of grassroots organizers from physical to digital spaces, without increasing the risk of surveillance, disinformation, and infiltration of grassroots movements?
2023
RWC
CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives
Abstract
Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is practical, e.g. producing new fastest-known implementations for the relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1.
2023
RWC
DatashareNetwork: A Decentralized Privacy-Preserving Search Engine for Investigative Journalists
Abstract
Investigative journalists collect large numbers of digital documents during their investigations. These documents can greatly benefit other journalists' work. However, many of these documents contain sensitive information. Hence, possessing such documents can endanger reporters, their stories, and their sources. Consequently, many documents are used only for single, local investigations. To address this problem, in 2020 we presented DatashareNetwork, a decentralized and privacy-preserving search system that enables journalists worldwide to find documents via a dedicated network of peers, as the first search engine designed by journalists for journalists.
We start the talk by introducing real-world problems that investigative journalists face and describe DatashareNetwork as a possible solution. Then, we discuss the practical challenges of moving forward from an academic prototype to deploying DatashareNetwork for the International Consortium of Investigative Journalists (ICIJ). This talk covers (1) our joint requirement gathering and (2) design with journalists, (3) a user study to help ICIJ with presenting the privacy properties of our system to journalists and making utility/privacy trade-off decisions, (4) deployment challenges in integrating DatashareNetwork into ICIJ's IT infrastructure, and finally (5) open problems that require more attention from the community.
2023
RWC
Designing cryptography for small organizations and projects
Abstract
Several cryptographic constructions that aim to preserve privacy (such as Privacy Preserving Measurement (PPM) or Private Information Retrieval (PIR) schemes) incur computational, bandwidth, and consequent financial overheads on standard, cloud-based infrastructure that make them expensive to run at scale. Furthermore, they sometimes require specialized, costly hardware. In practice, these overheads and constraints make them unusable for small organizations that cannot handle the large computational or financial costs. Here, we explore two alternative schemes (as an example) that can work for small organizations in the real world, by looking both at the constraints they have to work under and at the impact of this type of cryptography in the real world. We conclude by asking whether the research community has done enough to take into account the cases of organizations with financial, network or hardware constraints, and how we can design future cryptography for them.
2023
RWC
Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
Abstract
Wi-Fi devices routinely queue frames at various layers of the network stack before transmitting, for instance, when the receiver is in sleep mode. In this work, we investigate how Wi-Fi access points manage the security context of queued frames. By exploiting power-save features, we show how to trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key. We demonstrate resulting attacks against several open-source network stacks. We attribute our findings to the lack of explicit guidance in managing security contexts of buffered frames in the 802.11 standards. The unprotected nature of the power-save bit in a frame’s header, which our work reveals to be a fundamental design flaw, also allows an adversary to force the queueing of frames intended for a specific client, resulting in its disconnection and trivially executing a denial-of-service attack.
Furthermore, we demonstrate how an attacker can override and control the security context of frames that are yet to be queued. This exploits a design flaw in hotspot-like networks and allows the attacker to force an access point to encrypt yet-to-be-queued frames using an adversary-chosen key, thereby bypassing Wi-Fi encryption entirely.
Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic. Overall, we highlight the need for transparency in handling security context across the network stack layers and the challenges in doing so.
2023
RWC
From Theory to Practice to Theory: Lessons Learned from Multi-Party Schnorr Signatures
Abstract
At RWC in 2019, Gregory Neven presented seminal work on a range of two-round multisignature schemes, all of which proved to be insecure against ROS attacks. At that time, it appeared doubtful whether concurrently secure two-round multi-party Schnorr signatures could exist. In 2020, this research question was answered in the affirmative, and we saw the emergence of several two-round multi-party Schnorr signature schemes secure under concurrent sessions, namely FROST on the threshold side, and MuSig2 (presented at RWC 2021) and DWMS on the multisignature side.
Three years have passed since these schemes were first published, and we have learned a lot in their transition from theory to practical use. In this talk, we will review these lessons learned, and how the field has since progressed. We will then introduce a range of open research questions that, if solved, would dramatically improve the practicality and applicability of these schemes in real-world systems.
2023
RWC
HACSPEC: a gateway to high-assurance cryptography
Abstract
Recent years have seen several landmark results in the formal verification of high-performance cryptographic libraries, leading to verified crypto code being adopted by mainstream projects like Chrome, Firefox, and Linux. Despite these successes, the secure integration and composition of verified cryptographic components within larger unverified applications remains an open challenge. The first problem is that each verification project uses its own formal specification language (F*, EasyCrypt, Coq), making its guarantees and assumptions hard for an application developer to read and understand. Second, each verified implementation presents its own low-level API that is easy to misuse. Third, when verified code is embedded within an application written in an unsafe language like C, any memory safety error in the surrounding unverified code may be used to attack the crypto code, potentially nullifying the formal guarantees of verification.
In this talk, we propose a new approach that closes these gaps by integrating specification and verification within the cryptographic software development workflow. Our approach is built around HACSPEC, a new language for writing succinct, executable, formal specifications for cryptographic constructions, which aims to be equally accessible to developers, cryptographers, and verification experts. We describe translations from HACSPEC to F*, Coq, and EasyCrypt. We also present the first release of LIBCRUX, the most comprehensive high-assurance cryptographic provider to date, combining verified code from HACL*, Fiat-Crypto, Vale, Jasmin, and AUCurves.
2023
RWC
High-assurance Go cryptography in practice
Abstract
In this talk we look at all the different techniques we employ to keep the Go cryptography standard library safe. These libraries ship with the Go language and power millions of applications, including most of the “cloud”. They have a stellar security track record when compared with most other mainstream cryptography libraries. The talk will be focused on practical examples of strategies in current use in our Go codebases, from low level to general principles.
Naturally, we’ll talk about testing. We especially like large, reusable sets of test vectors like those provided by the Wycheproof or CCTV projects. For higher level code, we’ll talk about the value of building robust test frameworks that make it easy to produce many complex test scenarios. For example, the acmetest package, the age testkit, and BoringSSL’s BoGo. Finally, we’ll look at fuzzing. Fuzzers often struggle with the large unstructured value distributions of cryptography, so we’ll look at how we can weight the dice to make edge cases more likely.
Testing is about finding bugs. We can also try not to write them in the first place. We’ll look at how safe internal interfaces like our unexported elliptic curve packages make it easier to reason about our own code and prevent mistakes in the first place. We’ll also look at how we use code generation to produce especially tricky code. We got a lot of value out of the fiat-crypto formally-verified generator, and out of the avo assembly generator.
The real secret behind the Go standard library’s security track record, though, is how aggressively it limits its complexity. Our Cryptography Principles help us decide what to implement, so that we address 95% of the use cases with 5% of the complexity. Our Assembly Policy focuses extra effort on the parts of the codebase that are more likely to be wrong. Finally, we are constantly deprecating and reducing exposed settings that aren’t necessary anymore, while maintaining a strict Compatibility Promise.
The last trick is maybe the most underrated in cryptography engineering: we believe cryptographic code, being more complex, needs to be *more* readable than average, not less, and invest a lot in readability.
We’re not done, and we’ll mention techniques we wish to experiment more with, like interface tests, mutation testing, and reusing other projects' test suites.
2023
RWC
How a Blockchain Can Keep Many Secrets
Abstract
We propose a new cryptographic primitive called verifiably encrypted threshold key derivation (VETKD) that extends identity-based encryption with a decentralized way of deriving decryption keys. We show how VETKD can be leveraged on modern blockchains to build scalable decentralized applications (or dapps) for a variety of purposes, including preventing front-running attacks on decentralized finance (DeFi) platforms, end-to-end encryption for decentralized messaging and social networks (SocialFi), cross-chain bridges, as well as advanced cryptographic primitives such as witness encryption and one-time programs that previously could only be built from secure hardware or using a trusted third party. And all of that by secret-sharing just a single secret key...
2023
RWC
How We Broke a Fifth-Order Masked Kyber Implementation by Copy-Paste
Abstract
CRYSTALS-Kyber has recently been selected by NIST as a post-quantum public-key encryption and key-establishment algorithm to be standardized. This makes it important to assess how well CRYSTALS-Kyber implementations withstand side-channel attacks. First-order masked implementations of CRYSTALS-Kyber have already been analyzed. In this talk, we will present a side-channel attack on a higher-order masked implementation of CRYSTALS-Kyber. We will show how to recover messages from up to fifth-order masked implementations of CRYSTALS-Kyber on an ARM Cortex-M4 CPU by deep learning-based power analysis. The talk is expected to be of interest to industry, which is currently preparing for a shift to quantum-resistant cryptographic algorithms.
2023
RWC
I was told there would be blockchain: 5 Years of Real World Crypto at DARPA
Abstract
The US Defense Advanced Research Projects Agency (DARPA) has been investing in cryptographic technologies for the last 10+ years, starting with the PROCEED program in fully homomorphic encryption. This talk will be about new, late-breaking results and insights gleaned by leading and managing DARPA’s cryptography and privacy programs over the last five years, with particular focus on our many applications. Specific technical highlights will be on recent RACE (secure, anonymous messaging) and SIEVE (zero knowledge) program results, especially those that have broad applications rather than defense-only ones.
2023
RWC
Interoperability in E2EE Messaging
Abstract
The recently passed EU Digital Markets Act (DMA) will require large “gatekeeper” companies like Meta and Apple who run widely used end-to-end encrypted (E2EE) messaging apps to allow interoperability with other smaller E2EE apps, on request. Users will be able to communicate with each other across providers: for example, a user on Signal would be able to chat with a user on WhatsApp. The law itself is light on details or concrete requirements, leading both its supporters and detractors to argue based more on speculation than on hard evidence. One thing these opposing sides agree on is that the DMA’s interoperability mandate will require fundamental changes to the design of existing E2EE messaging. But what changes will the law require, exactly? How will these requirements be translated into new designs? Will these new designs have new security challenges? These and other critical technical questions lack clear answers today; since legal interoperability requirements under the DMA could take effect as soon as March 2024, and similar legislation has been proposed in the US, it is imperative that the community starts trying to answer these questions now.
The purpose of this talk is to introduce E2EE messaging interoperability to the broader cryptography community. Our first task will be to interpret -- guided by existing legal analyses, where available -- the text of the DMA’s interoperability mandate for the community, highlighting requirements and identifying key pieces we believe will have the biggest impact on new designs. Next, we will break down the specific challenges of interoperability in three key areas: identity, protocols, and abuse prevention. For each area, we will briefly survey the landscape of possible designs, critically evaluate proposed solutions, identify novel cryptography-focused questions where more research is needed, and elaborate a minimal list of properties we believe any solution should satisfy. We also identify a set of overarching principles that should guide new designs, e.g. limiting cross-platform metadata leakage. Our goal is to bring the cryptography community into the ongoing dialogue between regulators, policy scholars, industry practitioners, and users about what interoperable E2EE messaging will look like.
2023
RWC
Interoperable Private Attribution (IPA)
Abstract
Interoperable Private Attribution (IPA) is a proposed web standard that enables aggregate and differentially private cross-site measurement that is purpose-constrained to prevent its use for cross-site tracking of individuals. IPA is proposed within the Private Advertising Technology Community Group (PATCG) within the World Wide Web Consortium (W3C). Our proposed implementation of IPA uses multi-party computation (MPC) that is performed across a small set of independent organizations and companies who are trusted not to collude. In this talk, we will present the motivation behind our proposal, comparisons to other relevant proposals, progress on the standardization effort, and open problems for extended research.
2023
RWC
Lessons Learned from Protecting CRYSTALS-Dilithium
Abstract
NIST recently announced Kyber and Dilithium as the first winners of its post-quantum cryptography (PQC) standardization effort. While the two are more suitable for constrained applications relative to other PQC schemes, their implementation on commercial embedded platforms still poses a non-trivial challenge, especially since many embedded use cases require hardening against physical attacks. As any delay in the transition to this new standard could have severe consequences for security-critical use cases which require certified hardened designs, e.g., payment or automotive, the industrial and academic communities are actively investigating and solving issues that could arise. While for Kyber there is already an extensive list of such issues, Dilithium has been significantly less explored in the context of physical security. As there are multiple variants (deterministic, randomized, hedged) of Dilithium, of which only a subset might be included in the standard, it is of utmost importance to quantify and understand the implications of each type on physical security.
In this talk, we present the dos and don’ts of hardening Dilithium against a side-channel adversary, which were acquired during a detailed and lengthy analysis inside NXP. To this end, we first list the issues of each Dilithium variant regarding side-channel hardening, quantify the resulting implementation costs and highlight the noticeable overhead introduced by deterministic approaches. By exploring minor modifications to the underlying algorithm, we demonstrate that standardizing a variant, which is not optimized for physical security, would have a significant negative impact on the performance of hardened Dilithium on embedded devices. Instead, we propose that a slightly-modified randomized Dilithium should be considered during the standardization effort and recommended as the default choice for constrained platforms. It is our expectation that this would immensely support the transition to the future PQC standard on embedded devices.
2023
RWC
Metadata Protection for MLS and Its Variants
Abstract
In this talk, we first systematically analyze the privacy offered by Signal and MLS and observe a critical shortcoming of MLS compared to Signal. In short, MLS leaks much more _metadata_ than Signal. In privacy-critical scenarios, dismissing this metadata leakage puts at risk the users who may otherwise believe that MLS offers the exact same level of security as Signal.
We then propose an efficient and provably secure solution to bootstrap the current MLS to be as metadata-hiding (or, in some metrics, even more) as Signal. Our key insight is to leverage the existence of a _unique_ continuously evolving group secret key shared by the group to perform an anonymous membership authentication protocol.
2023
RWC
NIST Call for Multi-Party Threshold Schemes
Abstract
The paradigm of threshold cryptography allows for decentralization of trust across multiple parties, regarding the creation, storage and use of the private/secret keys required by cryptographic primitives. The "NIST First Call for Multi-Party Threshold Schemes" (NISTIR 8214C ipd) [initial public draft published in January 2023] promotes a process toward a structured collection and analysis of threshold schemes for multiple primitives, to help support future NIST recommendations and processes. The call is organized in two categories:
- Cat1, for selected NIST-standardized primitives, will help assess threshold friendliness and develop future recommendations and guidelines for their threshold schemes.
- Cat2, open to primitives not standardized by NIST, includes primitives for "regular" schemes (e.g., signatures and encryption schemes threshold-friendlier than NIST standardized ones), other schemes with advanced functional features (e.g., homomorphic, identity-based or attribute-based), and certain zero-knowledge proofs of knowledge, as well as auxiliary gadgets. Their analysis will help assess new interests on primitives not standardized by NIST, and develop future recommendations.
Submissions should include security characterization, technical description, open-source implementation, and performance evaluation. The community participation can be helpful across three phases:
1. Providing feedback about the draft call (till 2023-April-10).
2. Submitting schemes (after the final call is published).
3. Participating in the ensuing public analysis of submitted schemes.
2023
RWC
On the possibility of a backdoor in the Micali-Schnorr generator
Abstract
Dual EC DRBG is widely believed to have been backdoored by the U.S. National Security Agency. But there was another number theoretic PRG proposed alongside Dual EC that has seen surprisingly little attention: the Micali-Schnorr generator, standardized as MS DRBG, which is based on the hardness of RSA. It appears in early drafts of the ANSI X9.82 standard (but was eventually removed in favor of Dual EC) and the final version of ISO 18031 (alongside Dual EC).
The MS DRBG standard follows a pattern eerily reminiscent of Dual EC: it incorporates a series of recommended public parameters that are intended to be used in production as the RSA modulus N. Given the known vulnerabilities in Dual EC and the identical provenance, it is reasonable to ask whether MS DRBG is vulnerable to an analogous attack: Does knowledge of the factors of (or malicious construction of) the recommended moduli imply a practical attack on the MS DRBG generator? Surprisingly, this question is not easy to answer. The security proofs of course do not go through if the factors are known, but all obvious attack strategies fail.
In this talk, we give historical background on MS DRBG and describe progress toward finding the backdoor (or proving it doesn't exist). We show that any backdoor must somehow exploit the algebraic structure of RSA, rather than just the attacker's ability to invert the RSA operation. We exhibit two such backdoors in related constructions.
Ultimately we were unsuccessful in fully finding a plausible backdoor in MS DRBG (or proving one doesn't exist), but we hope this talk will bring more attention to this interesting open problem with potential real-world impact.
2023
RWC
Portunus: Re-imagining Access Control In Distributed Systems Using Attribute-Based Encryption
Abstract
This talk presents Portunus, a global system used by Cloudflare to restrict where in the world a customer's TLS private keys can be accessed based on some policy. It is an RBAC system built using ciphertext-policy attribute-based encryption, a variant of public-key cryptography introduced in 2005, that enables access control to be enforced with minimal dependence on a central authority. Using Portunus as an example, we discuss the benefits of employing attribute-based encryption (ABE) to construct access control systems for distributed settings.
Portunus evolved from an earlier system, Geo Key Manager, previously presented at RWC 2018. Prompted by a question from the audience, we attacked the inflexible policies and vulnerability to collusion by replacing a home-grown simulation of an ABE-like scheme using Identity Based Encryption and Broadcast Encryption, with an established ABE scheme by TKN. This shortcoming was validated when customers demanded richer data restriction policies to reflect the increasing balkanization of the Internet in response to regulations such as GDPR. However, it is not enough to drop in a new scheme: real-world systems have to deal with attribute changes, key rotation, performance needs, and high loads. It also needs to address the needs of real users.
This talk will discuss the translation of a ciphertext-policy ABE scheme from theory to practice and the hurdles along the way, as well as show how successful application of an imperfect cryptographic solution paved the way for adoption of a theoretically more satisfying and more capable solution.
2023
RWC
Post Quantum Noise
Abstract
We introduce PQNoise, a post-quantum variant of the Noise framework. We demonstrate that it is possible to replace the Diffie-Hellman key-exchanges in Noise with KEMs in a secure way. A challenge is the inability to combine key pairs of KEMs, which can be resolved by certain forms of randomness-hardening for which we introduce a formal abstraction. We provide a generic recipe to turn classical Noise patterns into PQNoise patterns. We prove that the resulting PQNoise patterns achieve confidentiality and authenticity in the fACCE-model. Moreover, we show that for those classical Noise-patterns that have been conjectured or proven secure in the fACCE-model, our matching PQNoise-patterns eventually achieve the same security.
Our security proof is generic and applies to any valid PQNoise pattern. This is made possible by another abstraction, called a hash-object, which hides the exact workings of how keying material is processed in an abstract stateful object that outputs pseudorandom keys under different corruption patterns. We also show that the hash chains used in Noise are a secure hash-object. Finally, we demonstrate the practicality of PQNoise, delivering benchmarks for several base patterns.
2023
RWC
Post-Quantum Privacy Pass via Post-Quantum Anonymous Credentials
Abstract
It is known that one can generically construct a very flexible post-quantum anonymous credential scheme, supporting the showing of arbitrary predicates on its attributes using general-purpose zero-knowledge proofs secure against quantum adversaries [Fischlin, CRYPTO 2006].
Traditionally, such a generic instantiation is thought to come with impractical sizes and performance but recent advances in succinct proofs warrant a reconsideration.
We show that with careful choices and optimizations, such a scheme can perform surprisingly well. In fact, it can even perform competitively against state-of-the-art post-quantum blind signatures for the simpler problem of post-quantum unlinkable tokens, required for a post-quantum version of privacy pass.
To wit, a post-quantum privacy pass constructed in this way using zkDilithium, our proposal for a STARK-friendly variation on Dilithium2, allows for a trade-off between token size (76 to 172 kB) and generation time (0.25 to 4.5 s) with a target proof security level of 115 bits.
Verification of these tokens can be done in about 30 ms. We argue that these tokens are reasonably practical, adding less than a second of upload time over traditional tokens, as supported by a measurement study. We also discuss how our construction enables an improved version of rate-limited privacy pass that does not require an attester and hides usage patterns of clients.
2023
RWC
Prime Match: A Privacy Preserving Inventory Matching System
Abstract
Inventory matching is a standard mechanism for trading financial stocks by which buyers and sellers can be paired. In the financial world, banks often undertake the task of finding such matches between their clients. The related stocks can be traded without adversely impacting the market price for either client. If matches between clients are found, the bank can offer the trade on advantageous rates. If no match is found, the parties have to buy or sell the stock in the public market, which introduces additional costs.
A problem with the process as it is presently conducted is that the involved parties must share their order to buy or sell a particular stock, along with the intended quantity (number of shares), with the bank. Clients are concerned that if this information "leaks" somehow, other market participants will become aware of their intentions and thus cause the price to move adversely against them before their transaction is concluded.
We provide a solution that enables the clients to match their orders efficiently with reduced market impact while maintaining privacy. In the case where there are no matches, no information is revealed. Our main cryptographic innovation is a secure linear comparison protocol for computing the minimum between two quantities with malicious security. We report benchmarks of our Prime Match system, which runs in production, and is adopted by a large bank in the US (J.P. Morgan). Prime Match is the first MPC solution running live in the financial world.
2023
RWC
Randomness of random in Cisco ASA
Abstract
It all started with ECDSA nonce and key duplications in a large number of X.509 certificates generated by Cisco ASA security gateways, detected through TLS campaign analysis. After some statistics and black-box key recovery, it continued by analyzing multiple firmware images for those hardware devices and virtual appliances to unveil the root causes of these collisions. It ended up with "keygens" to recover RSA keys, ECDSA keys and signature nonces.
The current presentation describes our journey understanding Cisco ASA randomness issues over the years. More generally, it also provides technical and practical feedback on what can and cannot be done regarding entropy sources in association with DRBGs and other random processing mechanisms.
2023
RWC
Real World Deniability in Messaging
Abstract
This work discusses real world deniability in messaging. We highlight how the different models for cryptographic deniability do not ensure practical deniability. To overcome this situation, we propose a model for real world deniability that takes into account the entire messaging system. We then discuss how deniability is (not) used in practice and the challenges arising from the design of a deniable system. We propose a simple, yet powerful solution for deniability: applications should enable direct modification of local messages; we discuss the impacts of this strong deniability property.
2023
RWC
Reversing, Breaking, and Fixing the French Legislative Election E-Voting Protocol
Abstract
We conduct a security analysis of the e-voting protocol used for the largest political election using e-voting in the world, the 2022 French legislative election for citizens overseas. Due to a lack of system and threat model specifications, we built and contributed such specifications by studying the French legal framework and by reverse-engineering the code base accessible to the voters. Our analysis reveals that this protocol is affected by two design-level and implementation-level vulnerabilities. We show how those allow a standard voting server attacker, and even more so a channel attacker, to defeat election integrity and ballot privacy through 6 attack variants. We propose and discuss 5 fixes to prevent those attacks. Our specifications, the attacks, and the fixes were acknowledged by the relevant stakeholders during our responsible disclosure. Our attacks are in the process of being prevented with our fixes for future elections. Beyond this specific protocol, we draw general conclusions and lessons from this instructive experience where an e-voting protocol meets the real-world constraints of a large-scale political election.
2023
RWC
SGX.Fail: How Secrets Get eXtracted
Abstract
Intel's Software Guard Extensions (SGX) promises an isolated execution environment, protected from all software running on the machine. As such, numerous works have sought to leverage SGX to provide confidentiality and integrity guarantees for code running in adversarial environments. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, in this paper we set out to explore the effectiveness of SGX's update mechanisms in preventing attacks on real-world deployments.
To that aim, we study two commercial SGX applications. First, we investigate the Secret network, an SGX-backed blockchain aiming to provide privacy-preserving smart contracts. Next, we also consider PowerDVD, a UHD Blu-ray Digital Rights Management (DRM) software licensed to play discs on general purpose computers. We show that in both cases vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long mitigation timelines and a difficult manual update process. This in turn forces vendors into making difficult security/usability trade-offs, resulting in severe security compromises.
2023
RWC
Three Lessons From Threema: Analysis of a Secure Messenger
Abstract
We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models. As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. As another, we demonstrate a compression-based side-channel attack that recovers users' long-term private keys through observation of the size of Threema encrypted backups.
From our analysis, we draw three wider lessons for developers of secure protocols.
2023
RWC
Threshold ECDSA Towards Deployment
Abstract
Since the publication of the initial 2018 paper, the DKLs protocols [Doerner et al., IEEE S&P 2018 and 2019] have been deployed to secure cryptocurrency assets at considerable scale. In this time, much has changed in our understanding of industry needs, perspectives on protocol design, as well as the theory underlying our protocols. There is not at present an academic venue to announce such changes to the broader community as they do not constitute technical novelty, but they are important to communicate nonetheless.
Until this point, we have communicated updates of this nature privately to developers on an ad-hoc basis. While this has been effective in supporting, and learning from, the developers with whom we have interacted directly, a more systematic approach is required for a dialogue with the broader community.
We have therefore synthesized the information that is relevant to developers who wish to deploy and maintain our protocols today, and made the necessary resources available on a dedicated website. In this talk, we will give a summary of the resources that developers can expect to find on our site. Highlights include
1. Conservative Design Principles: We discuss standard vs non-standard functionalities for ECDSA, and what it takes to realize them. In response to criticism of our non-standard ideal functionality in our two-party paper, we provide a three-round version of our signing protocol that realizes the standard F_ECDSA functionality, along with recommendations for modes of operation. We additionally discuss the marginal cost of achieving UC security; in particular the efficiency of signing remains the same even with this improved security guarantee, due to an approach that avoids the use of zero-knowledge proofs.
2. Security of primitives: We make important recommendations for the instantiation of underlying primitives including Oblivious Transfer, and Secure Multiplication. Such recommendations include crucial non-obvious implementation details such as enforcing sequentiality of statistical checks on shared state, and random oracle tagging, as well as higher level advice in choice of protocols for building blocks.
3. Efficiency: We compare and contrast the efficiency profiles of homomorphic encryption based approaches to ECDSA, and OT based ones such as ours. Through benchmarks on diverse hardware and points of comparison in broadly relatable terms, we make the case that OT based threshold ECDSA achieves the best tradeoffs in many scenarios. Additionally, we present optimizations to our protocol that provide noticeable improvements in bandwidth.
4. Modes of operation: We discuss how to achieve proactive security, an industry best practice today, when using our protocols. Additionally, we discuss non-interactive signing in the preprocessing model, which is a mode of operation that has received much interest in the industry recently.
5. We discuss our experiences in helping several companies that have implemented, tested internally, and ultimately deployed our protocol to their users.
2023
RWC
tlock: Practical timelock encryption based on threshold BLS
Abstract
We present a practical method to achieve timelock encryption, where a ciphertext is guaranteed to be decrypted only after a specified amount of time has passed or a date has been reached. We use an existing threshold network implementing the BLS signature scheme and use it in the context of Boneh and Franklin's identity-based encryption (IBE) scheme.
The threshold network acts as a decentralised Private Key Generator in the IBE scheme, where identities are the round numbers and secret keys are the randomness that the beacon outputs for each round. Therefore anyone can encrypt a message towards a specific round, which can only be decrypted once the threshold network releases the associated randomness.
A noticeable advantage of this scheme is that only users (senders and recipients) are required to perform additional cryptographic operations; the threshold network does not need to be aware of any encryption happening and does not require any change to support this scheme.
We also release an open-source implementation of our scheme and a live web page that can be used in production now, relying on the existing League of Entropy (LoE) network acting as a distributed public randomness beacon service using threshold BLS signatures. The LoE is a threshold BLS network producing random beacons at a frequency of 30 seconds and has been running in production without missing a single beacon for the past two years, ensuring very high availability to any user of our timelock solution.
2023
RWC
TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries
Abstract
Although the newest versions of TLS are considered secure, flawed implementations may undermine the promised security properties. Such implementation flaws result from the TLS specifications’ complexity, with exponentially many possible parameter combinations. Combinatorial Testing (CT) is a technique to tame this complexity, but it is hard to apply to TLS due to semantic dependencies between the parameters, and thus leaves developers with a major challenge referred to as the test oracle problem: determining whether the observed behavior of software is correct for a given test input.
In this work, we present TLS-Anvil, a test suite based on CT that can efficiently and systematically test parameter value combinations and overcome the oracle problem by dynamically extracting an implementation-specific input parameter model (IPM) that we constrained based on TLS specific parameter value interactions. Our approach thus carefully restricts the available input space, which in return allows us to reliably solve the oracle problem for any combination of values generated by the CT algorithm.
We evaluated TLS-Anvil with 13 well known TLS implementations, including OpenSSL, BoringSSL, and NSS. Our evaluation revealed two new exploits in MatrixSSL, five issues directly influencing the cryptographic operations of a session, as well as 15 interoperability issues, 116 problems related to incorrect alert handling, and 100 other issues across all tested libraries.
2023
RWC
Using ZK Proofs to Fight Disinformation
Abstract
Verifying where and when a digital image was taken has become increasingly difficult; this issue of image provenance is especially concerning in the realm of news media. While fact-checking services can identify misinformation, enabling individuals to personally verify the provenance of photos would prevent them from having to rely on third parties and empower them to protect themselves. The Coalition for Content Provenance and Authenticity (C2PA) has developed a standard to verify image provenance that relies on digital signatures produced by cameras; however, photos are often edited (cropped, resized, converted to grayscale, etc.) before being included in a news story, and the public cannot validate signatures on the original photo given only the published image. The C2PA standard addresses this issue by having C2PA-enabled editing applications sign the edits that have taken place, but this solution requires trusting the C2PA applications. In contrast, we propose using zk-SNARKs to prove which edits have been applied to a given photo. The completeness and soundness of these proofs mean that the verifier need not trust the prover, which solves the trust problem posed by the C2PA standard. We implemented Circom programs to generate proofs for various common photo edits, and we demonstrate the practicality of these proofs through timing experiments. Witness and proof generation take only a few minutes for realistically sized pictures; verification time is around 10 ms; and proof sizes are around 800 bytes.
2023
RWC
When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer
Abstract
In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is, we induce the FrodoKEM software to output a higher-error PK, (A,B=AS+E), where the error E is modified by Rowhammer.
Then, we perform a decryption failure attack, using a variety of publicly-accessible supercomputing resources running on the order of only 200,000 core-hours. We delicately attenuate the decryption failure rate to ensure that the adversary's attack succeeds practically, but such that honest users cannot easily detect the manipulation.
Achieving this public key "poisoning" requires an extreme engineering effort, as FrodoKEM's KeyGen runs on the order of 8 milliseconds. (Prior Rowhammer-assisted attacks against cryptography require as long as 8 hours of persistent access.) In order to handle this real-world timing condition, we require a wide variety of prior and brand-new, low-level engineering techniques, including, e.g., memory massaging algorithms (i.e. "Feng Shui") and a precisely-targeted performance degradation attack on SHAKE.
2023
RWC
Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices
Abstract
As privacy-awareness rises, demand for end-to-end encrypted (E2EE) services is increasing. However, not all systems live up to their advertised security guarantees. MEGA—the largest provider of E2EE cloud storage with over 260 million users—failed to protect the confidentiality and integrity of their customers’ data, as our recent paper “MEGA: Malleable Encryption Goes Awry” showed.
In this talk, we take a step back and discuss why it is surprisingly challenging to design a privacy-preserving cloud storage protocol that is secure even when the cloud provider is actively malicious. Recent academic efforts have focused on building file sharing systems which hide metadata. However, systems in practice still face much more fundamental challenges, including key management, asynchronously coalescing updates stemming from collaboration on shared E2EE files, and cryptographic agility. We briefly discuss the approach of MEGA and how it was susceptible to a key recovery attack that allowed a malicious cloud provider to decrypt user files, among other vulnerabilities. Based on the attacks on MEGA, we suggest best practices for designing secure E2EE cloud storage systems.
Unfortunately, it is infeasible for MEGA to completely redesign their system due to scale and backward compatibility. Even if a redesign was possible, the security they currently aim to provide still falls short of offering desirable properties like post-compromise security, forward security, and key rotation. With this in mind, we point out open questions for future work and advocate for a standardization process for a cloud storage design.