2024 | Book

Applied Cryptography and Network Security

22nd International Conference, ACNS 2024, Abu Dhabi, United Arab Emirates, March 5–8, 2024, Proceedings, Part III

About this book

The 3-volume set LNCS 14583-14585 constitutes the proceedings of the 22nd International Conference on Applied Cryptography and Network Security, ACNS 2024, which took place in Abu Dhabi, UAE, in March 2024.
The 54 full papers included in these proceedings were carefully reviewed and selected from 230 submissions. They have been organized in topical sections as follows: Part I: Cryptographic protocols; encrypted data; signatures; Part II: Post-quantum; lattices; wireless and networks; privacy and homomorphic encryption; symmetric crypto; Part III: Blockchain; smart infrastructures, systems and software; attacks; users and usability.

Table of contents

Frontmatter

Blockchain

Frontmatter
Mirrored Commitment: Fixing “Randomized Partial Checking” and Applications
Abstract
Randomized Partial Checking (RPC) [16] was proposed by Jakobsson, Juels, and Rivest and attracted attention as an efficient method of verifying the correctness of the mixing process in numerous applied scenarios. In fact, RPC is a building block for many electronic voting schemes, including Prêt à Voter [6], Civitas [9], Scantegrity II [5] as well as voting systems used in real-world elections (e.g., in Australia [4]). Mixing is also used in anonymous transfers of cryptocurrencies. It turned out, however, that a series of works [17, 18] showed subtle issues with the analyses behind RPC. First, the actual security level of the RPC protocol is way off the claimed [16] bounds. The probability of successful manipulation of k votes is \((\frac{3}{4})^k\) instead of the claimed \(\frac{1}{2^k}\) (this difference, in turn, negatively affects actual implementations of the notion within existing election systems, since concrete implemented procedures of a given length were directly based on this parameter). Further, the privacy guarantee [11] that a constant number of mix-servers is enough turned out [17] to also not be correct. We can conclude from the above that these analyses of the processes of mixing are not trivial.
In this paper, we review the relevant attacks, and we present Mirrored-RPC (mRPC) – a fix to RPC based on “mirrored commitment” which makes it optimally secure; namely, having a probability of successful manipulation of k votes \(\frac{1}{2^k}\).
Then, we present an analysis of the privacy level of both RPC and mRPC. We show that for n messages, the number of mix-servers (rounds) needed to be \(\varepsilon \)-close to the uniform distribution in total variation distance is lower bounded by:
$$ r(n, \varepsilon) \ge \log_{2} \binom{n}{2} / \varepsilon . $$
This proof of privacy, in turn, gives insights into the anonymity of various cryptocurrencies (e.g., Zerocash [23]) using anonymizing pools. If a random fraction q of n existing coins is mixed (in each block), then to achieve full anonymity, the number of blocks one needs to run the protocol for, is:
$$ rb(n, q, \varepsilon) \ge - \frac{\log n + \log (n-1) - \log (2\varepsilon)}{\log (1-q^2)} . $$
Paweł Lorek, Moti Yung, Filip Zagórski
Bitcoin Clique: Channel-Free Off-Chain Payments Using Two-Shot Adaptor Signatures
Abstract
Blockchains suffer from scalability limitations, both in terms of latency and throughput. Various approaches to alleviate this have been proposed, most prominent of which are payment and state channels, sidechains, commit-chains, rollups, and sharding. This work puts forth a novel commit-chain protocol, Bitcoin Clique. It is the first trustless commit-chain that is compatible with all major blockchains, including (an upcoming version of) Bitcoin.
Clique enables a pool of users to pay each other off-chain, i.e., without interacting with the blockchain, thus sidestepping its bottlenecks. A user can directly send its coins to any other user in the Clique: In contrast to payment channels, its funds are not tied to a specific counterparty, avoiding the need for multi-hop payments. An untrusted operator facilitates payments by verifiably recording them.
Furthermore, a novel technique of independent interest is used at the core of Bitcoin Clique. It builds on Adaptor Signatures and allows the extraction of the witness only after two signatures are published on the blockchain.
Siavash Riahi, Orfeas Stefanos Thyfronitis Litos
Programmable Payment Channels
Abstract
One approach for scaling blockchains is to create bilateral, offchain channels, known as payment/state channels, that can protect parties against cheating via onchain collateralization. While such channels have been studied extensively, not much attention has been given to programmability, where the parties can agree to dynamically enforce arbitrary conditions over their payments without going onchain.
We introduce the notion of a programmable payment channel (\(\textsf{PPC}\)) that allows two parties to do exactly this. In particular, our notion of programmability enables the sender of a (unidirectional) payment to dynamically set the terms and conditions for each individual payment using a smart contract. Of course, the verification of the payment conditions (and the payment itself) happens offchain as long as the parties behave honestly. If either party violates any of the terms, then the other party can deploy the smart contract onchain to receive a remedy as agreed upon in the contract. In this paper, we make the following contributions:
  • We formalize \(\textsf{PPC}\) as an ideal functionality \(\mathcal {F}_{\textsf{PPC}}\) in the universal composable framework, and build lightweight implementations of applications such as hash-time-locked contracts (HTLCs), “reverse HTLCs”, and rock-paper-scissors in the \(\mathcal {F}_{\textsf{PPC}}\)-hybrid model;
  • We show how \(\mathcal {F}_{\textsf{PPC}}\) can be easily modified to capture the state channels functionality \(\mathcal {F}_{\textsf{SC}}\) (described in prior works) where two parties can execute dynamically chosen arbitrary two-party contracts (including those that take deposits from both parties) offchain, i.e., we show how to efficiently realize \(\mathcal {F}_{\textsf{SC}}\) in the \(\mathcal {F}_{\textsf{PPC}}\)-hybrid model;
  • We implement \(\mathcal {F}_{\textsf{PPC}}\) on blockchains supporting smart contracts (such as Ethereum), and provide several optimizations to enable concurrent programmable transactions—the gas overhead of an HTLC PPC contract is < 100K, amortized over many offchain payments.
We note that our implementations of \(\mathcal {F}_{\textsf{PPC}}\) and \(\mathcal {F}_{\textsf{SC}}\) depend on the CREATE2 opcode which allows one to compute the deployment address of a contract (without having to deploy it).
Ranjit Kumaresan, Duc V. Le, Mohsen Minaei, Srinivasan Raghuraman, Yibin Yang, Mahdi Zamani
Fair Private Set Intersection Using Smart Contracts
Abstract
A mutual private set intersection protocol (PSI) allows two parties to find the intersection of their private sets without leaking any other information. A mutual PSI protocol achieves complete fairness if a malicious party cannot disadvantage the honest party by using an early abort of the protocol. It has been proved that it is impossible to achieve complete fairness in plain two-party computation, and ensuring fairness needs the inclusion of a trusted third party (TTP). Smart contracts have been used to implement trusted computation in cryptographic protocols. In this paper, we consider fair mutual PSI protocols that use a smart contract as the TTP. We first show that it is impossible to achieve complete fairness by using a smart contract as a TTP in two-party mutual PSI, and consider the (weaker) goal of “fairness with coin compensation”. We design two protocols, \(\varPi \) and \(\varPi ^*\), that achieve this notion of fairness using a smart contract as the TTP. The protocol \(\varPi \) is a redesign of a fair optimistic PSI protocol (Dong et al., DBSec 2013) that replaces TTP with a smart contract. The protocol \(\varPi ^*\) is a more efficient protocol that replaces some of the zero-knowledge proofs of \(\varPi \) with proof of misbehaviour that enables the smart contract to correctly identify the dishonest party and compensate the honest party with coin. We prove the security and privacy of the protocols in an extension of the ideal/real paradigm for non-monolithic adversaries and provide a proof-of-concept implementation of the smart contract in both protocols in a local Ethereum network. We evaluate the performance of the protocols in terms of gas cost for optimistic and pessimistic executions, compare their performance, and discuss our results and directions for future work.
Sepideh Avizheh, Reihaneh Safavi-Naini
Powers-of-Tau to the People: Decentralizing Setup Ceremonies
Abstract
We propose several decentralized ceremonies for constructing a powers-of-tau structured reference string (SRS). Our protocols make use of a blockchain platform to run in a permissionless manner, where anyone can contribute randomness in exchange for paying the requisite transaction fees. The resulting SRS is secure as long as any single party participates honestly. We introduce several protocols optimized for different sized powers-of-tau setups and using an on-chain or off-chain data availability model to store the resulting string. We implement our most efficient protocol on top of Ethereum, demonstrating practical concrete performance.
Valeria Nikolaenko, Sam Ragsdale, Joseph Bonneau, Dan Boneh

Smart Infrastructures, Systems and Software

Frontmatter
Self-sovereign Identity for Electric Vehicle Charging
Abstract
Electric Vehicles (EVs) are increasingly charged at public Charge Points (CPs) using Plug-and-Charge (PnC) protocols such as the ISO 15118 standard, which eliminates user interaction for authentication and authorization. Currently, this requires a rather complex Public Key Infrastructure (PKI) and enables driver tracking via the included unique identifiers. In this paper, we propose an approach for using Self-Sovereign Identities (SSIs) as trusted credentials for EV charging authentication and authorization which overcomes the privacy problems and the issues of a complex centralized PKI. Our implementation shows the feasibility of our approach with ISO 15118, meaning that existing roles/features can be supported and that existing timing/size constraints of the ISO standard can be met. The security and privacy of the proposed approach are shown in a formal analysis using the Tamarin prover.
Adrian Kailus, Dustin Kern, Christoph Krauß
“Hello? Is There Anybody in There?” Leakage Assessment of Differential Privacy Mechanisms in Smart Metering Infrastructure
Abstract
Smart meters provide fine-grained power usage profiles of consumers to utility providers to facilitate various grid functionalities such as load monitoring, real-time pricing, etc. However, information leakage from these usage profiles can potentially reveal sensitive aspects of consumers’ daily routines and their home absence, as state-of-the-art metering strategies lack adequate security and privacy measures. Among various privacy-preserving mechanisms, Differential Privacy (DP) is widely adopted in the literature due to its solid mathematical foundation. Nevertheless, the privacy-utility trade-off problem in smart metering systems limits the amount of privacy protection various instances of DP mechanisms can provide. We demonstrate that the constraints imposed by the privacy-utility trade-off make it possible to launch empirical statistical attacks on the differential private metering data. In this paper, we propose a novel statistical methodology, constructed using the principles of t-test based hypothesis testing, to discover the absence of a consumer in their household upon observing real-time differentially private output traces of sensitive meter readings over successive sampling windows. Additionally, we formally establish that this trade-off is an inherent characteristic of the smart metering problem, implying that any mechanism adhering to this trade-off is susceptible to our attack. We conduct an extensive experimental evaluation using a real-world metering dataset to validate our proposed methodology. We evaluate our scheme against six state-of-the-art DP mechanisms employed in metering infrastructure. Our results demonstrate that the proposed approach attains a success rate exceeding \(90\%\) within a mere six-hour observation interval, highlighting its effectiveness in revealing vulnerabilities within established DP implementations.
Soumyadyuti Ghosh, Manaar Alam, Soumyajit Dey, Debdeep Mukhopadhyay
Security Analysis of BigBlueButton and eduMEET
Abstract
Video conferencing systems have become an indispensable part of our world. Using video conferencing systems implies the expectation that online meetings run as smoothly as in-person meetings. Thus, online meetings need to be just as secure and private as in-person meetings, which are secured against disruptive factors and unauthorized persons by physical access control mechanisms.
To show the security dangers of conferencing systems and raise general awareness when using these technologies, we analyze the security of two widely used research and education open-source video conferencing systems: BigBlueButton and eduMEET. Because both systems are very different, we analyzed their architectures, considering the respective components with their main tasks, features, and user roles. In the following systematic security analyses, we found 50 vulnerabilities. These include broken access control, NoSQL injection, and denial of service (DoS). The vulnerabilities have root causes of different natures. While BigBlueButton has a lot of complexity due to many components, eduMEET, which is relatively young, focuses more on features than security. The sheer amount of results and the lack of prior work indicate a research gap that needs to be closed since video conferencing systems continue to play a significant role in research, education, and everyday life.
Nico Heitmann, Hendrik Siewert, Sven Moog, Juraj Somorovsky
An In-Depth Analysis of the Code-Reuse Gadgets Introduced by Software Obfuscation
Abstract
Software obfuscation techniques are commonly employed to resist malicious reverse engineering. However, recent studies indicate that obfuscation introduces potential vulnerabilities susceptible to code-reuse attacks because the number of code-reuse gadgets in obfuscated programs significantly increases. Understanding how different obfuscation techniques contribute to the emergence of these code-reuse gadgets is crucial for developing secure obfuscation schemes that minimize the risk of code-reuse attacks, but no existing study has investigated this problem.
To address this knowledge gap, we present a comprehensive study on the impact of software obfuscation on code-reuse gadgets in programs. Firstly, we collect and analyze metrics data of gadgets obtained from a benchmark of programs obfuscated using various techniques. By examining the statistical results, we establish quantitative and qualitative relationships between each obfuscation technique and the resulting gadgets. Our key findings reveal how obfuscation techniques introduce significant code-reuse attack risks to a gadget set from different measurement schemes. Secondly, we delve into the underlying mechanisms of each obfuscation technique and elucidate why they contribute to generating specific types of gadgets. Lastly, we propose a mitigation strategy that combines low-risk obfuscation methods. Evaluation results demonstrate that our mitigation strategy effectively reduces the risks associated with code-reuse attacks without compromising obfuscation strength.
Naiqian Zhang, Zheyun Feng, Dongpeng Xu
ProvIoT: Detecting Stealthy Attacks in IoT through Federated Edge-Cloud Security
Abstract
Internet of Things (IoT) devices have increased drastically in complexity and prevalence within the last decade. Alongside the proliferation of IoT devices and applications, attacks targeting them have gained popularity. Recent large-scale attacks such as Mirai and VPNFilter highlight the lack of comprehensive defenses for IoT devices. Existing security solutions are inadequate against skilled adversaries with sophisticated and stealthy attacks against IoT devices. Powerful provenance-based intrusion detection systems have been successfully deployed in resource-rich servers and desktops to identify advanced stealthy attacks. However, IoT devices lack the memory, storage, and computing resources to directly apply these provenance analysis techniques on the device.
This paper presents ProvIoT, a novel federated edge-cloud security framework that enables on-device syscall-level behavioral anomaly detection in IoT devices. ProvIoT applies federated learning techniques to overcome data and privacy limitations while minimizing network overhead. Infrequent on-device training of the local model requires less than 10% CPU overhead; syncing with the global models requires sending and receiving \(\sim \)2MB over the network. During normal offline operation, ProvIoT periodically incurs less than 10% CPU overhead and less than 65MB memory usage for data summarization and anomaly detection. Our evaluation shows that ProvIoT detects fileless malware and stealthy APT attacks with an average F1 score of 0.97 in heterogeneous real-world IoT applications. ProvIoT is a step towards extending provenance analysis to resource-constrained IoT devices, beginning with well-resourced IoT devices such as the RaspberryPi, Jetson Nano, and Google TPU.
Kunal Mukherjee, Joshua Wiedemeier, Qi Wang, Junpei Kamimura, John Junghwan Rhee, James Wei, Zhichun Li, Xiao Yu, Lu-An Tang, Jiaping Gui, Kangkook Jee

Attacks

Frontmatter
A Practical Key-Recovery Attack on LWE-Based Key-Encapsulation Mechanism Schemes Using Rowhammer
Abstract
Physical attacks are serious threats to cryptosystems deployed in the real world. In this work, we propose a microarchitectural end-to-end attack methodology on generic lattice-based post-quantum key encapsulation mechanisms to recover the long-term secret key. Our attack targets a critical component of a Fujisaki-Okamoto transform that is used in the construction of almost all lattice-based key encapsulation mechanisms. We demonstrate our attack model on practical schemes such as Kyber and Saber by using Rowhammer. We show that our attack is highly practical and imposes little preconditions on the attacker to succeed. As an additional contribution, we propose an improved version of the plaintext checking oracle, which is used by almost all physical attack strategies on lattice-based key-encapsulation mechanisms. Our improvement reduces the number of queries to the plaintext checking oracle by as much as \(39\%\) for Saber and approximately \(23\%\) for Kyber768. This can be of independent interest and can also be used to reduce the complexity of other attacks.
Puja Mondal, Suparna Kundu, Sarani Bhattacharya, Angshuman Karmakar, Ingrid Verbauwhede
A Side-Channel Attack on a Higher-Order Masked CRYSTALS-Kyber Implementation
Abstract
In response to side-channel attacks on masked implementations of post-quantum cryptographic algorithms, a new bitsliced higher-order masked implementation of CRYSTALS-Kyber has been presented at CHES’2022. The bitsliced implementations are typically more difficult to break by side-channel analysis because they execute a single instruction across multiple bits in parallel. However, in this paper, we reveal new vulnerabilities in the masked Boolean to arithmetic conversion procedure of this implementation that make the shared and secret key recovery possible. We also present a new chosen ciphertext construction method which maximizes secret key recovery probability for a given message bit recovery probability. We demonstrate practical shared and secret key recovery attacks on the first-, second- and third-order masked implementations of Kyber-768 in ARM Cortex-M4 using profiled deep learning-based power analysis.
Ruize Wang, Martin Brisfors, Elena Dubrova
Time Is Money, Friend! Timing Side-Channel Attack Against Garbled Circuit Constructions
Abstract
With the advent of secure function evaluation (SFE), distrustful parties can jointly compute on their private inputs without disclosing anything besides the results. Yao’s garbled circuit protocol has become an integral part of secure computation thanks to considerable efforts made to make it feasible, practical, and more efficient. For decades, the security of protocols offered in general-purpose compilers has been assured with regard to sound proofs and the promise that during the computation, no information on parties’ input would be leaking. In a parallel effort, timing side-channel attacks have proven themselves effective in retrieving secrets from implementations, even through remote access to them. Nevertheless, the vulnerability of garbled circuit frameworks to timing attacks has, surprisingly, never been discussed in the literature. This paper introduces Goblin, the first timing attack against commonly employed garbled circuit frameworks. Goblin is a machine learning-assisted, non-profiling, single-trace timing side-channel attack (SCA), which successfully recovers the garbler’s input during the computation under different scenarios, including various garbling frameworks, benchmark functions, and the number of garbler’s input bits. In doing so, Goblin hopefully paves the way for further research in this matter.
Mohammad Hashemi, Domenic Forte, Fatemeh Ganji
Related-Tweak and Related-Key Differential Attacks on HALFLOOP-48
Abstract
HALFLOOP-48 is a 48-bit tweakable block cipher used in high frequency radio to protect automatic link establishment messages. We concentrate on its differential properties. Using the automatic method, we determine the lower bound for the number of active S-boxes and the upper bound for the differential probability for the conventional, related-tweak, and related-key differential attack settings. The newly identified 6-round related-tweak differential is utilised to initiate an 8-round related-tweak differential attack against the cipher. With \(2^{33.27}\) chosen-plaintexts and \(2^{92.71}\) 8-round encryptions, the 128-bit key can be recovered. In addition, we find an 8-round related-key differential with a probability of \(2^{-46.88}\) and employ it to develop a full-round related-key differential attack. The full-round attack is marginal, and the 128-bit key can be retrieved using \(2^{47.34}\) chosen-plaintexts and \(2^{123.91}\) full-round encryptions. Despite the impractical complexity of the newly proposed attacks, the security of HALFLOOP-48 in the related-key attack setting is compromised. Therefore, we assert that caution is necessary to prevent misuse.
Yunxue Lin, Ling Sun

Users and Usability

Frontmatter
How Users Investigate Phishing Emails that Lack Traditional Phishing Cues
Abstract
Phishing is still one of the prevalent threats targeting private persons and organizations. Current teaching best practices often advocate cue-based investigation methods. Previous research primarily confronted participants with phishing emails showing such indicators to assess the success of different education measures. Our large-scale mixed-methods study challenges the behavior of 4,729 participants with four phishing emails that lack technical cues. The phishing emails concerned entirely fictitious entities and were directed at participants in their private lives, recruited from the online education platform openHPI. For our analysis, we apply the human-in-the-loop model for interaction with phishing content to investigate participant behavior when their learned best practices for detection fail. The primary indicator of enhanced phishing resiliency observed in our study was awareness of missing context to the supposed entity. Such context is often successfully enhanced by web searches, significantly contributing to decreased phishing susceptibility.
Daniel Köhler, Wenzel Pünter, Christoph Meinel
Usable Authentication in Virtual Reality: Exploring the Usability of PINs and Gestures
Abstract
Virtual Reality (VR) is becoming increasingly popular with its ability to offer new forms of interaction, user interface, and immersion not only for recreation but also for work, therapy, arts, or education. These new spaces need to be safeguarded by authentication similar to conventional IT systems. However, porting conventional interfaces to VR has often been found to be less than optimal, as it fails to fully embrace the technology’s potential and potentially disrupts the immersive experience. This paper evaluates and compares the usability of two major authentication methods for VR, 2D Personal Identification Number (PIN) and gesture-based authentication, with 40 participants. While prior research has shown promising results in authentication security, there is a lack of studies specifically on usability in VR. Our findings indicate that the type of authentication and the user’s experience level affect usability, with gesture-based authentication having a higher usability score than a PIN and faster authentication times. Users with less VR experience profited the most from a natural interaction mode for VR. The results suggest that developers should rather choose a native interaction mode in VR than try to port a familiar conventional interaction such as number pads for PINs.
H. T. M. A. Riyadh, Divyanshu Bhardwaj, Adrian Dabrowski, Katharina Krombholz
Living a Lie: Security Analysis of Facial Liveness Detection Systems in Mobile Apps
Abstract
Mobile apps are embracing facial recognition technology to streamline the identity verification procedure for security-critical activities such as opening online bank accounts. To ensure the security of the system, liveness detection plays a vital role as an anti-spoofing component, verifying that a provided selfie is from a live individual. Emerging facial recognition companies offer convenient integration services through mobile libraries that are widely utilized by numerous apps in the market. By analyzing 18 mobile facial recognition libraries, we reveal the protocol design and implementation intricacies of various systems. The investigation leads to the discovery of several system security issues in over half of the libraries, predominantly linked to the liveness detection module. These vulnerabilities can be exploited for low-cost identity forgery attacks without relying on media synthesizing technologies like deepfake. We scan 18,096 apps from an app market and identify 802 apps incorporating recognized facial recognition libraries, with over 100 million total downloads. More than half of the libraries examined exhibit weak security, with about 40% of downstream mobile apps being affected. This study emphasizes the importance of system security in mobile facial recognition services, as the practical impact can be on par with or even surpass the extensively studied machine learning attacks.
Xianbo Wang, Kaixuan Luo, Wing Cheong Lau
Backmatter
Metadata
Title
Applied Cryptography and Network Security
Edited by
Christina Pöpper
Lejla Batina
Copyright year
2024
Electronic ISBN
978-3-031-54776-8
Print ISBN
978-3-031-54775-1
DOI
https://doi.org/10.1007/978-3-031-54776-8