International Association for Cryptologic Research

CryptoDB

Papers from RWC 2025

Year
Venue
Title
2025
RWC
A Privacy-Preserving Aid Distribution System with Assessment Capabilities; Or, a Case Study on Threat Modelling and System Design
Today, humanitarian aid distribution heavily relies on manual processes that can be slow, error-prone, and costly. Humanitarian aid organizations therefore have a strong incentive to digitalize the aid distribution process. This would allow them to scale up their operations, reduce costs, and increase the impact of their limited resources. Digitalizing the aid distribution process introduces new challenges, especially in terms of privacy and security. These challenges are particularly acute in the context of humanitarian aid, where the recipients are often vulnerable populations, and where the aid distribution process is subject to a high degree of scrutiny by the public, the media, and the donors. This is compounded by a very strong threat model, with adversaries ranging from corrupt officials to armed groups, and by the fact that the recipients themselves may not be able to protect their own privacy. The talk we propose is split into three main parts: first, we stress the need for assessments when deploying privacy-preserving applications in the real world, using concrete examples. In particular, we discuss the tension between supporting assessments and the security and privacy of the application's users. Second, we reflect on our experience in designing privacy-preserving applications for various use cases, and discuss how we go from an informal, high-level need expressed by our partners to a formal model and a concrete protocol. Here, we stress common pitfalls, and outline a methodology that we have synthesized from our experience. Finally, we discuss how we tackled the use case of a privacy-preserving aid distribution system with statistics, in collaboration with partners from the International Committee of the Red Cross.
We present a general framework to collect and evaluate statistics in a privacy-preserving way (including one-time functional evaluation, a new primitive that we introduce), and we present three concrete instantiations of this framework (based on trusted execution environments, linear secret sharing, and threshold fully homomorphic encryption, respectively).
2025
RWC
Analyzing Chat Encryption in Group Messaging Applications
Secure group messaging applications have been widely deployed to protect the everyday conversations of billions of users worldwide. These applications use different cryptographic algorithms to provide varying privacy and authenticity guarantees. Due to their widespread use, particularly in sensitive contexts like protests and conflicts, analyzing the security of these applications has been the focus of numerous academic works. Most of these focus on analyzing the more "novel" key agreement primitive. Due to the inherent complexities, few works attempt to rigorously analyze an application as a whole, and even fewer focus on the chat encryption primitive specifically. The latter may be attributed to the assumption that, after decades of cryptographic research, encrypting conversations (using symmetric/asymmetric primitives) is well understood, rendering chat encryption a seemingly trivial or "folklore" primitive. Despite its perceived simplicity, throughout our work across two papers, we find that some widely used group messaging applications implement chat encryption insecurely, potentially exposing them to exploitable attacks. This talk highlights the importance of analyzing the compositions of symmetric encryption and digital signatures used in several group chat encryption algorithms. Isolating chat encryption allows one to systematically identify potential attacks that result from the lack of proper "binding" between the signing and encryption components. This is reflected in our analysis of chat encryption in three widely deployed group messaging applications: Keybase, MLS, and Session. While Keybase had a good intuition for combining symmetric encryption and digital signatures, their solution was brittle; its security relied on non-cryptographic elements such as message serialization formats. MLS and Session did not implement proper binding in their compositions, exposing them to attacks where a group member can impersonate another by replaying their messages. 
Additionally, Session is susceptible to message re-ordering attacks by non-group members such as the platform server. Independent analysis of chat encryption allowed us to narrowly target the corresponding security goals and specify a set of conditions required for proper binding between the signing and encryption components. Developers of chat encryption algorithms need only check that these conditions are met to ensure that the security goals are achieved.
2025
RWC
Anonymous credentials from ECDSA
Anonymous credentials are a type of digital credential that allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a passport credential can prove their “age is >18” without revealing any other attributes such as their date of birth. Despite their inherent value towards privacy-preserving authentication and authorization, anonymous credential schemes have been difficult to deploy and have therefore seen little use in large-scale applications. Part of the difficulty stems from the fact that efficient anonymous credential schemes in the literature, such as the popular BBS+ scheme, use pairing-friendly elliptic curve cryptography, and therefore require changes to the existing security infrastructure used by issuers before they can be deployed. In addition, state-level identity issuers often require digital identity credentials to be device-bound by incorporating the device’s secure element into the presentation flow. As a result, schemes like BBS+ also require new hardware secure elements on mobile phones to be securely deployed. In this paper, we propose a new anonymous credential scheme for the widely deployed Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme. Producing ZK proofs about ECDSA signatures has traditionally been a bottleneck for other ZK proof systems because standardized curves such as P256 use finite fields which do not support efficient number theoretic transforms. We overcome part of this bottleneck by designing a ZK proof system around sumcheck and the Ligero ZK argument system, by designing efficient methods for Reed-Solomon encoding over the required fields, and by designing specialized circuits for ECDSA and SHA that are more efficient for sumcheck. Our scheme is roughly 50x more efficient than prior work: proofs for ECDSA can be generated in 140ms on mobile phones.
By building an efficient NARG for statements about ECDSA signatures, SHA256 hashing, and document format parsing for standardized identity formats such as MDOC, our anonymous credential scheme can be deployed without changing any issuer processes or requiring any changes to mobile devices. When incorporated into a fully standardized identity protocol such as the ISO MDOC standard, we can generate a zero-knowledge proof for the MDOC presentation flow in 0.7–1.3 seconds on mobile devices depending on the credential size. These advantages make our scheme a promising candidate for privacy-preserving digital identity applications.
2025
RWC
Apple’s Real World Deployment of Homomorphic Encryption at Scale
The primary objective of this talk is to report to the community about Apple’s successful real-world deployment of efficient Homomorphic Encryption (HE) systems while overcoming key challenges encountered at this scale. Specifically, this talk will walk through the details on Apple’s implementation of HE, Private Information Retrieval (PIR) and Private Nearest Neighbor Search (PNNS) in features such as Photos, Safari, Mail, and the Phone app, addressing key optimizations applied to the algorithms and end-to-end system design.
2025
RWC
Atlas-X Equity Financing: Unlocking New Methods to Securely Obfuscate Axe Inventory Data Based on Differential Privacy
Banks publish daily axe lists of available securities/assets for selected clients, helping them locate Long or Short trades at reduced financing rates. This list aggregates the bank’s internal inventory, lowering costs but also revealing the bank’s holdings and potentially large client trades, risking competitive exposure. Atlas-X Axe Obfuscation, powered by novel differential privacy methods, obfuscates this list under continuous observation, balancing inventory Profit and Loss (P&L) with reduced client activity leakage. Atlas-X, live for two years across J.P. Morgan’s USA, Europe, and Asia branches, is the first differential privacy tool deployed in finance, with real and synthetic benchmarks confirming its production success.
2025
RWC
Attacking and Improving the Tor Directory Protocol
The Tor network enhances clients' privacy by routing traffic through an overlay network of volunteered intermediate relays. Tor employs a distributed protocol among nine hard-coded Directory Authority (DA) servers to securely disseminate information about these relays and to produce a new consensus document every hour. With a straightforward voting mechanism to ensure consistency, the protocol is expected to be secure even when a minority of those authorities get compromised. However, the current consensus protocol is flawed: it allows an equivocation attack that enables a single compromised authority to create a valid consensus document with malicious relays. Importantly, the vulnerability is not innocuous: we demonstrate that the compromised authority can effectively trick a targeted client into using the equivocated consensus document in an undetectable manner. Moreover, even though we have archived Tor consensus documents available since its beginning, we cannot be sure that no client was ever tricked. We propose a two-stage solution to deal with this exploit. In the short term, we have developed and deployed TorEq, a monitor to detect such exploits reactively: the Tor clients can refer to the monitor before updating the consensus to ensure no equivocation. To solve the problem proactively, we first define the Tor DA consensus problem as the interactive consistency (IC) problem from the distributed computing literature. We then design DirCast, a novel secure Byzantine Broadcast protocol that requires minimal code change from the current Tor DA code base. Our protocol has near-optimal efficiency: it uses optimistically five rounds and at most nine rounds to reach an agreement in the current nine-authority system.
Our solutions are practical: our performance analysis shows that our monitor can detect equivocations without changing the authorities' code in five minutes; the secure IC protocol can generate up to 500 consensus documents per hour in a real-world scenario. We are communicating with the Tor security team to incorporate the solutions into the Tor project.
2025
RWC
Auditing Key Transparency
In 2023, WhatsApp announced its deployment of key transparency, a feature which aims to decrease the trust placed on a centralized server when distributing public keys used for end-to-end encrypted messaging. Similar deployments have been announced for Apple iMessage and ProtonMail. This talk discusses the integration between WhatsApp and Cloudflare to audit the key transparency data structure within a live environment.
2025
RWC
Blast-RADIUS: breaking enterprise network authentication
The RADIUS protocol is the de facto standard lightweight protocol for authentication, authorization, and accounting for networked devices. It is used to support remote access for diverse use cases including network routers, industrial control systems, VPNs, enterprise Wi-Fi including the Eduroam network, Linux Pluggable Authentication Modules, and mobile roaming and Wi-Fi offload. This talk presents the Blast-RADIUS vulnerability, which allows a man-in-the-middle attacker to authenticate themselves to a device using RADIUS. Even in 2024, many of the above-mentioned applications still run RADIUS over UDP within an enterprise network (and in some cases even over the public Internet), and are hence affected by this vulnerability. RADIUS has previously escaped the scrutiny of the cryptography community, likely because it is predominantly used in enterprise contexts and hidden from end users. Only deployments using the EAP authentication method or the not-yet-standardized RADIUS over TLS are unaffected. In a typical RADIUS deployment, a user sends their credentials to the RADIUS client, which then contacts the RADIUS server that validates the credentials. On success, the RADIUS server sends an Access-Accept packet back to the RADIUS client (e.g., a router), which will then grant the user access. The RADIUS protocol predates modern cryptographic guarantees and is typically unencrypted and unauthenticated. However, the protocol does attempt to authenticate server responses using an ad hoc construction based on the MD5 hash function and a fixed shared secret between a RADIUS client and server. Our attack exploits an MD5 chosen-prefix collision to produce Access-Accept and Access-Reject packets with identical Response Authenticators. This allows our attacker to transform a reject into an accept without knowledge of the shared secret. We show how to fit the collision blocks within RADIUS attributes that will be echoed back from the server.
We improved and optimized the MD5 chosen-prefix attack to produce collisions online in less than five minutes (which could be reduced with further engineering efforts). This talk discusses proof of concept applications of our attack against popular RADIUS implementations, and the large-scale disclosure process and mitigation efforts in collaboration with CERT and IETF.
2025
RWC
Breaking and Fixing Length Leakage in Content-Defined Chunking
Most applications that deduplicate data first split said data into smaller blocks, called chunks, using content-defined chunking (CDC). CDC cuts the chunks based on a local context window in the data: this means that chunk boundaries are preserved when the data is changed, and enables significant deduplication efficiency gains across applications dealing with large redundant datasets such as backup solutions, software patching systems, and file hosting platforms like IPFS and HuggingFace. However, CDC also introduces a subtle leakage: the length of each chunk leaks information about the data being chunked. This enables fingerprinting attacks, where adversaries exploit chunk length patterns to infer the presence or structure of specific data. Such attacks threaten confidentiality in scenarios ranging from encrypted backups on untrusted cloud servers to data transmitted over encrypted channels. To address these risks, many systems - mainly in the cloud backup setting - have developed bespoke mitigations by mixing a cryptographic key into the chunking process. We demonstrate the ineffectiveness of these mitigations by presenting efficient key recovery attacks that rely solely on a known-plaintext assumption. These attacks entirely circumvent all folklore mitigations except one, re-enabling fingerprinting attacks. To address this, we introduce a formal treatment of Keyed Content-Defined Chunking (KCDC) schemes and propose a provably secure construction that fulfills a strong notion of security. In doing so, we take a step towards making these real-world systems more resilient against leakage.
2025
RWC
Cache Timing Leakages in Zero-Knowledge Protocols
The area of modern zero-knowledge proof systems has seen a significant rise in popularity over the last couple of years, with new techniques and optimized constructions emerging on a regular basis. As the field matures, the aspect of implementation attacks becomes more relevant; however, side-channel attacks on zero-knowledge proof systems have seen surprisingly little treatment so far. In this paper we give an overview of potential attack vectors and show that some of the underlying finite field libraries, and implementations of heavily used components like hash functions, are vulnerable w.r.t. cache attacks on CPUs. On the positive side, we demonstrate that the computational overhead to protect against these attacks is relatively small.
2025
RWC
D(e)rive with Care: Lessons Learned from Analyzing Real-World Multi-Input Key Derivation Functions
Key derivation functions (KDFs) are integral to many cryptographic protocols, turning raw (e.g., Diffie-Hellman) key material into strong cryptographic keys. Traditionally, KDFs are designed and analyzed for settings where they take a single key material input. Modern protocol designs, however, regularly need to combine multiple secrets (e.g., in hybrid key exchange for quantum-safe migration) with the guarantee that the derived key is secure as long as at least one of the inputs is good. Complex applications, especially in the setting where keys are user-managed, may even require threshold versions of KDFs. In this talk, we present lessons learned from analyzing such real-world proposals for multi-input KDFs. We first discuss combiner KDFs (aka key combiners), studying the designs in Signal's X3DH protocol, ETSI's TS 103-744 standard for hybrid key exchange, and MLS' combiner for pre-shared keys. Notably, the ETSI standard, widely recognized and recommended for use, for example by the German Federal Agency for IT Security, misuses the underlying HKDF salt input in a way that makes it insecure in its general form. We take the opportunity to revisit the syntax and security model for KDFs (mainly due to Krawczyk's HKDF paper, CRYPTO 2010) to give results on multiple-input KDFs. Taking an assertive stand on syntax, we do away with salts, which are needed in theory to extract from arbitrary sources in the standard model, but in practice are almost never used (or even available) and sometimes even misused, as we saw. We then turn to the novel threshold primitive, which emerged as part of the multi-factor KDF (MFKDF) design (Nair and Song, USENIX 2023). We show how a naive implementation (such as the one proposed in MFKDF) leaves the scheme open to devastating cryptographic attacks and discuss ways forward.
2025
RWC
Deploying MPC in Open Finance: Challenges and Opportunities
In this talk, we will describe how we use Multiparty Computation (MPC) to bridge a significant gap in the Account Aggregator (AA) framework in India. Briefly, AA is a regulated Open Finance framework in India that enables users to authorize licensed entities to view their financial information, in order to receive financial services. The AA ecosystem already has tens of millions of users, but suffers a gap in trust: financial data once revealed for one purpose (e.g., applying for a loan) may be duplicated and reused by third parties for unauthorized purposes. We present a solution wherein user data is instead secret shared amongst a consortium of independent non-colluding parties, so that they may reveal only explicitly consented functions of it via MPC. Our solution is designed to be a drop-in replacement—i.e. fully compatible with existing AA standards so that it can be used out of the box—and is currently being deployed by leading financial institutions and digital public infrastructure bodies. The talk will establish what is to our knowledge a new use case for MPC, and explore the technical challenges we faced in designing such a system to be compatible with existing "MPC-unfriendly" standards.
2025
RWC
Deploying TLS Oracles Using Interactive ZK
TLS Oracles allow a party to prove properties of its payload to others without revealing it. The seminal work by Zhang et al. proposed a protocol based on active two-party computation with an overhead too high to be deployed in practice. In this talk, we will talk about the real-world deployment of TLS oracles using recent interactive zero-knowledge proofs.
- We will describe the high-level idea and the deployment of our recent work (Usenix24, Xie et al.). The underlying cryptographic protocol is packaged as a Chrome browser plugin and has successfully proven more than 200,000 TLS sessions so far for blockchain systems like Linea, Scroll, Arbitrum, Optimism and BNB Chain.
- We will describe the performance when using the above MPCTLS protocol and a simplified iZKTLS protocol when proving AI-generated content (AIGC). We show that when using the state-of-the-art iZK protocol, namely Quicksilver, we are able to prove that a 200KB photo was actually generated by ChatGPT in 2 minutes.
- Finally, we will discuss the challenges that we encountered when deploying and expanding TLS oracle technologies to more contexts.
2025
RWC
EU Digital Identity and Anonymous Credentials - A Happy End?
The eIDAS regulation of the European Commission establishes a framework for digital identity and authentication. The regulation entered into force in May 2024, and proposes the EU Digital Identity Wallet (EUDI) which shall be a "fully mobile, secure and user-friendly" service, enabling users to identify themselves to public and private online services. All member states are now required to offer such an EUDI wallet to all their citizens and residents by the end of 2026. The eIDAS regulation mandates several privacy requirements for the EUDI, such as selective disclosure, unlinkability, unobservability and the right to pseudonymous authentication. While this sounds like *the* application anonymous credentials were invented for, they are not considered in the currently proposed Architecture Reference Framework (ARF). Instead, the plan is to use batch issuance of single-use ECDSA credentials with individually hashed attributes. The shortcomings of this approach and the recommendation of anonymous credentials, such as BBS+, have been voiced in the Cryptographers' Feedback on the EU Digital Identity’s ARF. The talk will give an overview of the eIDAS regulation, and the real-world impact this will have. It will also outline the currently proposed technical solution, and the limitations and open challenges therein. For anonymous credentials, a brief overview of their technical advances is given, and why they are not used in the current ARF. We will then look at the remaining challenges in implementing anonymous credentials in EUDI, and how the cryptographic community can contribute to ensuring that our future digital identity system is as privacy-preserving and secure as technically feasible.
2025
RWC
EUCLEAK
In this talk I will present a side-channel vulnerability in the cryptographic library of Infineon Technologies, one of the most important secure element manufacturers. This vulnerability – which went unnoticed for 14 years and about 80 highest-level Common Criteria certification evaluations – is due to a non-constant-time modular inversion. The attack requires physical access to the secure element (a few local electromagnetic side-channel acquisitions, i.e. a few minutes, are enough) in order to extract an ECDSA secret key. The attack is performed on a FIDO hardware token from Yubico, where it allows the creation of a clone of the FIDO device. Yubico acknowledged that all YubiKey 5 Series devices (with firmware version below 5.7) are impacted by the attack, and in fact we show that all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library are vulnerable to the attack.
2025
RWC
Exploiting Vulnerable Implementations of ZK-based Cryptographic Schemes Used in the Ethereum Ecosystem
The Fiat-Shamir transform is a well-known and widely employed technique for converting sound public-coin interactive protocols into sound non-interactive protocols. Even though the transformation itself is relatively clear and simple, some implementations choose to deviate from the specifications, for example for performance reasons. In this work, we present a vulnerability arising from such a deviation in a KZG-based PLONK verifier implementation. This deviation stemmed from the incorrect computation of the last challenge of the PLONK protocol, where the KZG batching proof challenge was computed before, and, hence, independently from the KZG evaluation proofs. More generally, such a vulnerability may affect any KZG implementation where one uses batched KZG proof evaluations for at least two distinct evaluation points. We call an attack enabled by such a deviation a Last Challenge Attack. For concreteness, we show that when a PLONK verifier implementation presents such a deviation, a malicious PLONK prover can mount a Last Challenge Attack to construct verifiable proofs of false statements. The described vulnerability was initially discovered as part of an audit, and has been responsibly disclosed to the developers and fixed. A proof of concept of the vulnerability, in which a proof is forged for an arbitrary public input, was made available. Apart from the above attack, the talk will also describe other implementation vulnerabilities discovered while performing audits for ZK-based cryptographic systems used within the Ethereum ecosystem.
2025
RWC
Field Experiments on Post-Quantum DNSSEC
We have conducted a field study on post-quantum DNSSEC [1], involving RIPE ATLAS measurements with around 10,000 probes. Using implementations of post-quantum signing schemes (Falcon, Dilithium, SPHINCS+, XMSS) in both BIND and PowerDNS, DNS response success and failure rates depending on the signing scheme and other parameters were investigated. In addition to the above algorithms, we present new results on a novel class of DNSSEC signatures, using Merkle trees for optimizing signature sizes. Besides measurement results, we also provide context on our implementation approach. We find that depending on circumstances, a significant fraction of clients choke. Failure rates are mainly a function of response packet size, which is mediated by parameters such as DNSSEC configuration (KSK/ZSK vs. CSK, NSEC vs. NSEC3, or compact DoE) and DO bit presence, with some variation depending on transport. This is qualitatively in line with the "educated guess", but adds quantitative detail. We also find surprising results, such as that a number of resolvers claim to have validated PQC signatures, even though it is implausible for resolvers to support these algorithms. Between now and RWC 2025 we will be evaluating all of the above algorithms in the context of a large enterprise’s DNS environment, which will further enhance our understanding of the implications of transitioning to quantum-safe algorithms. Implementation included adding both signing and validation support to the PowerDNS recursor and the BIND resolver. Both functions can be tested using a do-it-yourself frontend [2], which the public can use to work with and familiarize themselves with our testbed. We hope that this study helps inform future PQC engineering developments not just in the context of DNS but also other UDP-based protocols.
[1]: https://nlnet.nl/project/PQ-DNSSEC-Testbench/
[2]: https://pq-dnssec.dedyn.io/
2025
RWC
Flock: A Framework for Deploying On-Demand Distributed Trust
Recent years have exhibited an increase in applications that distribute trust across n servers to protect user data from a central point of attack using cryptographic primitives such as multi-party computation or private information retrieval. However, these deployments remain limited due to a core obstacle: establishing n distinct trust domains. An application provider, a single trust domain, cannot directly deploy multiple trust domains. As a result, application providers forge business relationships to enlist third-parties as trust domains, which is a manual, lengthy, and expensive process, inaccessible to many application developers. We introduce the on-demand distributed-trust architecture that enables an application provider to deploy distributed trust automatically and immediately without controlling the other trust domains. The insight lies in reversing the deployment method such that each user's client drives deployment instead of the application provider. While at a first glance, this approach appears infeasible due to cost, performance, and resource abuse concerns, our system Flock resolves these challenges. We implement and evaluate Flock on 3 major cloud providers and 8 distributed-trust applications. On average, Flock achieves 1.05x the latency and 0.68-2.27x the cloud cost of a traditional distributed-trust deployment, without reliance on third-party relationships.
2025
RWC
Formally analyzing a cryptographic protocol standard (or: how MLS kept this PhD student busy for three years)
In this talk, we report on our experience in producing machine-checked security proofs for cryptographic protocol standards in all their gory detail, and more specifically for Messaging Layer Security (MLS). We outline the methodology we used to tackle this beast of a protocol, talk about the formal verification tools we developed along the way, and give some insights on protocol design, analysis, and standardization that we learned during this journey.
2025
RWC
How to Properly Open Source Code: Lessons Learned from the Linux Foundation
Open sourcing cryptographic code is widely considered to be imperative for security. However, it can be challenging to properly open source software: there are licenses, IP, security reporting, and many other issues that need to be addressed. In this talk, we will discuss the best practices for open source software development learned from almost 25 years of experience at the Linux Foundation. Attendees will learn about how to set up their open source software projects for a variety of potential goals, including things like maximizing security and community building, with a focus on cryptographic code.
2025
RWC
How To Think About End-To-End Encryption and AI: Training, Processing, Disclosure, and Consent
We raise concerns for end-to-end encryption (E2EE) security in light of the remarkable recent advances and explosion of interest in large language models and generative artificial intelligence (AI). Apple has already announced an initiative to feed E2EE messages into AI systems, and other major platforms may be considering similar efforts. Combining expertise across cryptography, AI, and law, we (1) examine a wide range of technical configurations that could fall under the broad umbrella of “feeding E2EE content to AI models,” taking into consideration the state of the art in cryptography, privacy technologies, and AI/ML; (2) assess these configurations’ technical compatibility with E2EE; (3) overview potentially relevant areas of law, and provide a detailed analysis of the circumstances under which E2EE service providers are likely to be able to offer AI features which use E2EE content; and (4) offer four key recommendations, which amount to a framework for how to think about offering AI features in E2EE systems.
2025
RWC
I know what your compiler did: Optimization Effects on Power Side-Channel Leakage for RISC-V
With the growing prevalence of software-based cryptographic implementations in high-level languages, understanding the role of architectural and micro-architectural components in side-channel security is critical. The contribution of compilers to side-channel leaks in software implementations has not been investigated. While timing-based side-channel leakage due to compiler effects has been extensively studied, the impact of compiler optimizations on power-based leakage remains underexplored, primarily due to challenges in isolating the architectural power component. In this work, we present ARCHER, an architecture-level tool for side-channel analysis and root cause identification of cryptographic software on RISC-V processors. ARCHER integrates two key functionalities: (1) Side-Channel Analysis using TVLA and its variants to detect leakage, and (2) Data Flow Analysis to track intermediate values and explain observed leaks. ARCHER supports pre-silicon analysis of high-level and assembly code, offering algorithm-agnostic insights through interactive visualizations and detailed reports on execution statistics, leakage points, and their causes. Using ARCHER, we analyze binary transformations across five optimization levels (-O0, -O1, -O2, -O3, -Os) to isolate the architectural effects of compiler optimizations from the micro-architectural influences of the target device. This study, spanning both unprotected and masked AES implementations, reveals actionable insights into how optimizations affect power-based leakage. Notably, we identify a previously undocumented vulnerability in the ShiftRow operation of masked AES, introduced by compiler optimizations. This vulnerability, confirmed through correlation analysis on simulated power traces, is validated on physical hardware using an ASIC implementation of the PicoRV32 core, confirming that architectural-level vulnerabilities translate to real-world leakage.
To enhance practical applicability, we introduce two dataflow metrics, remanence and revive, for predicting side-channel leakage based on binary transformations. These metrics, coupled with ARCHER’s analysis and visualization capabilities, provide designers with effective tools to assess and mitigate power-based side-channel vulnerabilities at the software optimization stage, advancing the security of cryptographic implementations in resource-constrained environments.
2025
RWC
Invited Talk: Compressing Proofs using Cryptography: A Triumph of Theory and Practice
Invited talk
In this talk, I will survey a line of work that demonstrates how to take a long proof and make it succinct using cryptographic magic. I will highlight the deep and ongoing interplay between theoretical advancements, practical implementations, and real-world deployment, showcasing key milestones and addressing the challenges encountered along the way.
2025
RWC
Invited Talk: How to Securely Implement Cryptography in Deep Neural Networks
Invited talk
The problem is that cryptographic primitives are typically designed to run on digital computers that use Boolean gates to map sequences of bits to sequences of bits, whereas DNNs are a special type of analog computer that uses linear mappings and ReLUs to map vectors of real numbers to vectors of real numbers. In the past, this discrepancy between the discrete and continuous computational models has led to many interesting side-channel attacks. In this talk I will describe a new theory of security when digital cryptographic primitives are implemented as ReLU-based DNNs. I will then show that the natural implementations of block ciphers as DNNs can be broken in linear time by using nonstandard inputs whose “bits” are real numbers. Finally, I will develop a new and completely practical method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way.
2025
RWC
Invited Talk: Let’s Encrypt: Ten Years Encrypting the Web
Invited talk
People deserve a secure and privacy-respecting Internet. Ubiquitous HTTPS is an essential part of delivering on that vision. To that end, our public benefit certificate authority has been issuing TLS certificates free of cost in a reliable, automated, and trustworthy manner for ten years. We went from issuing our first certificate in 2015 to servicing over 500,000,000 websites in 2025, and we’ve got big plans for the future. We’ll talk about how we got here and some lessons learned. We’ll also talk about what’s coming, from short lived certificates to the future of revocation and root generation.
2025
RWC
Invited Talk: What would it take to operationalize UTXO-based settlement for central bank digital currency?
Invited talk
I explore the advantages, trade-offs and challenges of a hypothetical adoption of the UTXO data model for representing currency values in a token-based central bank digital currency. The UTXO model potentially offers greater scalability, privacy, security and interoperability for CBDC than the traditional account model. However, some aspects, in particular with respect to liquidity and denomination management, would require careful design so as to fit the prevailing regulatory and institutional requirements. I present possible solutions and conclude that there are no in-principle impediments to the adoption of UTXO-based tokens in a central bank digital currency context.
2025
RWC
Is Your Bluetooth Chip Leaking Secrets via RF Signals?
In this talk, we present a side-channel attack on a Bluetooth chip embedded in millions of devices worldwide, from wearables and smart home products to industrial IoT. The attack marks a significant milestone as previous attempts to recover the encryption key from the proprietary hardware AES-CCM accelerator in this chip were unsuccessful. Our approach leverages side-channel information from AES computations that is unintentionally transmitted by the chip together with the RF signals. Unlike traditional side-channel attacks based on power or near-field EM emissions, the presented one leaves no evidence of tampering, eliminating the need for package removal, chip decapsulation, or additional soldered components. However, side-channel signals which we extract from RF signals are considerably weaker and noisier, requiring more traces for successful key recovery. The presented attack requires 180,000 traces, with each trace computed by averaging 10,000 measurements per encryption.
2025
RWC
Kemeleon: Elligator-like Obfuscation for Post-Quantum Cryptography
Elligator is widely used to encode elliptic-curve public keys in protocols that require random-looking bytestrings. These include password authenticated key exchange protocols (e.g., EKE) as well as protocols which attempt to avoid fingerprinting (e.g., Tor's obfs4 pluggable transport). We consider a replacement for Elligator in the post-quantum setting. We present Kemeleon: novel encodings for ML-KEM public keys and ciphertexts into bytestrings which are computationally indistinguishable from random. Kemeleon includes variants that allow for optimized implementations or deterministic encodings. We then consider how to combine traditional and post-quantum obfuscated key encapsulation mechanisms (KEMs). In contrast with hybrid key exchange where simple concatenation yields a secure solution, hybrid obfuscation is more subtle, and can require a nested construction when computational assumptions are involved. From Kemeleon and hybrid obfuscated KEMs, we show how to construct obfuscated key exchange as well as the first known hybrid password authenticated key exchange protocol which is secure in the adaptive-corruptions model.
2025
RWC
Mesh Messaging for Large-Scale Protests: Cryptography Alone Won't Save Us
Protests are an important tool in the fight against authoritarian power structures around the world. Authoritarian governments often respond to a large protest by shutting down the Internet in an attempt to stifle this communication. Smartphone mesh messaging has been considered a promising solution to this problem by academics. Given this research interest, it should be the case that mesh messaging is on the path to deployment to counter Internet shutdowns during large-scale protests. So why hasn't it? In this talk, we try to answer this question. We describe the challenges of mesh messaging in detail, and discuss the shortcomings of prior work. We also present our work, Amigo (https://eprint.iacr.org/2024/1872), which represents a step towards a deployable system. But, more work is needed. During this talk, we will journey deep into the network stack of mesh messaging, and show how improvements to cryptographic constructions may not translate to optimized performance. The goal of this talk is to convince the audience that mesh messaging requires more than just better cryptography to achieve deployment; we need cryptography that is tailored to the low-level challenges of a mesh network.
2025
RWC
Mind the Gap! Secure File Sharing, from Theory to Practice
End-to-end encryption (E2EE) allows data to be outsourced and stored on an untrusted server, such as in the cloud, without compromising its privacy. The need for stronger cryptographic guarantees for outsourced persistent data (such as encrypted files in cloud storage) has been highlighted by recent attacks on E2EE cloud storage providers, which all identify sharing as one of the main challenges. But even recently proposed E2EE cloud storage protocols which address this challenge suffer from another problem: when data is shared between a group of users, they all share access to the same, static, key material used for data encryption. This means that when the group membership changes, access control is only enforced by the server; security breaches or compelled disclosure would let even a removed member decrypt both current and future shared data. In this talk, we explore stronger security guarantees for groups of users and the data they share, and implement a practical system that delivers them. We propose to move away from the use of static keys for data encryption in the setting of file sharing. Taking inspiration from the related setting of continuous group key agreement (CGKA) [3] and the MLS standardization effort for group messaging, we introduce a new primitive, called group key progression, that enables a dynamic group of users to agree on a persistent sequence of keys. With our efficient instantiation of this primitive, called Grappa, group members can secure future and past data from former and future group members, respectively, while themselves retaining access to all of their data. We avoid expensive data re-encryption and ensure that all users in Grappa only need to keep a compact cryptographic state. Grappa uses CGKA as a core building block to transport key updates between users, hence finding a use-case for MLS beyond group messaging. 
In this talk, we want to share our take-aways from the journey of developing a file sharing system with strong security, from the novel theoretical building blocks, to challenges on the path to practice. On the theoretical side, we begin by showing that forward security (FS) and post-compromise security (PCS)—which are standard security notions for data in transit—are fundamentally more challenging to achieve for data at rest. Persistent data hence necessitates tailored methods to ensure strong end-to-end security. Instead of aiming for FS and PCS, we propose the new security notion of cryptographically-enforced interval access control (IAC), which gives similar guarantees in the common setting of persistent data applications where a group of users share access to the outsourced data, such as file sharing. On the practical side, we spent significant engineering effort to implement a file sharing system which utilizes Grappa to achieve both end-to-end security and IAC. In doing so, we uncovered several interesting limitations of the current cryptography ecosystem that we believe to be of interest to the RWC audience. These include the lack of support for low-level cryptographic primitives in the Web Crypto API, barriers to using MLS outside of the secure messaging context as a transport layer for Grappa, and challenges with developing new cryptographic applications for cross-platform usage.
2025
RWC
No More Guesswork: Ready-to-Use Distributed Key Generation
While cryptographic systems gravitate toward more decentralized and distributed architectures, threshold signatures are gaining considerable renewed attention. Yet, Distributed Key Generation (DKG), with its heavy requirements on the underlying communication mechanisms such as secure channels and a secure broadcast mechanism, remains the Achilles' heel of threshold signatures and holds back their deployment in the real world. In this talk, we will first take a detailed look at the obstacles that implementers and practitioners face in practice. We will foster an understanding of potential pitfalls and attacks, in particular those that can arise from the (mis)use of reliable broadcast protocols. We will then provide recommendations and guidelines on how to avoid these pitfalls and implement broadcast securely in practice. A key technical ingredient in our recommendations is a simple extension of the Goldwasser-Lindell echo broadcast protocol, which we have not seen proposed in the context of DKG so far. With these learnings in mind, we present ChillDKG, a DKG protocol that fully incorporates minimal but sufficient implementations of secure channels and reliable broadcast, and thereby hides this complexity from engineers entirely. The protocol addresses further practical problems by eliminating the need for fresh randomness per threshold setup and offering a practical solution for backups. To facilitate real-world adoption of this ChillDKG protocol, we have been working on a publicly available specification that aims to be comprehensive and easy to use. While our talk is geared towards Schnorr (incl. EdDSA) signatures, the main insights and learnings we present are equally applicable to other settings where DKG is required, e.g., BLS threshold signatures or threshold encryption.
2025
RWC
NOPE: Strengthening Domain Authentication with Succinct Proofs
_Server authentication_ assures users that they are communicating with a server that genuinely represents a claimed domain. Today, server authentication relies on certification authorities (CAs), third parties who sign statements binding public keys to domains. CAs remain a weak spot in Internet security, as any faulty CA can issue a certificate for any domain. This talk describes the design, implementation, and experimental evaluation of NOPE [SOSP ’24], a new mechanism for server authentication that uses succinct proofs (for example, zero-knowledge proofs) to prove that a DNSSEC chain exists that links a public key to a specified domain. The use of DNSSEC dramatically reduces reliance on CAs, and the small size of the proofs enables compatibility with legacy infrastructure, including TLS servers, certificate formats, and certificate transparency. NOPE proofs add minimal performance overhead to clients, increasing the size of a typical certificate chain by about 10% and requiring just over 1 ms to verify. NOPE's core technical contributions (which generalize beyond NOPE) include efficient techniques for representing parsing and cryptographic operations within succinct proofs, which reduce proof generation time and memory requirements by nearly an order of magnitude.
2025
RWC
Post-quantum Cryptographic Analysis of SSH
The Secure Shell (SSH) protocol is one of the first security protocols on the Internet to upgrade itself to resist attacks against future quantum computers, with the default adoption of the "quantum (otherwise, classically)" secure hybrid key exchange in OpenSSH from April 2022. However, there is a lack of a comprehensive security analysis of this quantum-resistant version of SSH in the literature: related works either focus on the hybrid key exchange in isolation and do not consider security of the overall protocol, or analyze the protocol in security models which are not appropriate for SSH — especially in the "post-quantum" setting. This talk describes how we remedy the state of affairs by providing a thorough post-quantum cryptographic analysis of SSH. We follow a "top-down" approach wherein we first prove security of SSH in a more appropriate model — namely, our post-quantum extension of the so-called authenticated and confidential channel establishment (ACCE) protocol security model; our extension which captures "harvest now, decrypt later" attacks could be of independent interest. Then we establish the cryptographic properties of SSH's underlying primitives, as concretely instantiated in practice, based on our protocol-level ACCE security analysis: for example, we prove relevant cryptographic properties of "Streamlined NTRU Prime" — a key encapsulation mechanism (KEM) which is used in recent versions of OpenSSH and TinySSH — and address open problems related to its analysis in the literature. Notably, our ACCE security analysis of post-quantum SSH relies on the weaker notion of IND-CPA security of the ephemeral KEMs used in the hybrid key exchange. This is in contrast to prior works which rely on the stronger assumption of IND-CCA secure ephemeral KEMs. 
Hence, our talk will focus on potentially replacing IND-CCA secure KEMs in current post-quantum implementations of SSH with simpler and faster IND-CPA secure counterparts, thereby resulting in reduced financial and ecological costs.
2025
RWC
Provable Security for End-to-End Encrypted Cloud Storage
Two years ago, at RWC 2023 in Tokyo, we presented attacks on Mega—an end-to-end encrypted (E2EE) cloud storage provider with over 300 million users—and challenges on the path to designing a secure cloud storage protocol with end-to-end guarantees. Now, it is time for an update. In the past two years, analyses of multiple E2EE cloud storage providers revealed serious flaws in most systems, showing that the entire ecosystem is largely broken. At the same time, Google and Apple launched optional client-side encryption for Google Drive and iCloud, thereby making E2EE cloud storage available to their users (albeit with limited functionality). This is great news for privacy-minded users, but given the vulnerabilities that were discovered in most of the smaller providers, one may ask: how do we know if they are secure? Moreover, the vast majority of cloud storage providers still only use server-side encryption, which provides no protection against server compromise. Why is this the case? And what can we do about it? In this talk, we present the first cryptographic model for secure cloud storage in the malicious server threat model, formalizing E2EE cloud storage. Our model and security notions are motivated by our study of real-world E2EE cloud storage providers. We begin by briefly recapping our insights from analyzing MEGA and Nextcloud, identifying the main challenges that they struggled with. We then give a formal syntax for the core functionality of a cloud storage system, focusing on how we tailored the model to capture the real-world complexity of such systems. We continue by showing how we define the expected end-to-end security guarantees against a potentially compromised or malicious cloud server. Finally, we present the first provably secure E2EE cloud storage protocol. Along the way, we hope to inspire a discussion between academia and industry on the remaining challenges of bringing provably secure E2EE cloud storage to practice.
2025
RWC
QRYPT: End-to-End Encrypted Audio Calls via Blind Audio Mixing
In this talk, we present a new approach using Fully Homomorphic Encryption (FHE), which enables end-to-end encryption for group voice calls. Concretely, we introduce blind audio mixing, an FHE-compatible compression technique, and an encrypted watermarking approach.
2025
RWC
Randomness beacons in theory and practice
Public randomness has many important applications, from games and state lotteries to allocation of visas and public housing or assignment of judges to legal cases. Yet today, most of these applications provide little or no public verifiability. This talk will survey the past ten years of work on using cryptography to generate publicly verifiable randomness, including the development of verifiable delay functions and modern randomness beacon protocols based on them. A highlight will be recent research showing that verifiable delay functions are the only way to achieve distributed randomness in a dishonest majority setting. It will also discuss the practical challenges in bringing these protocols into common use.
2025
RWC
Shaking up authenticated encryption
Authenticated encryption (AE) is a cryptographic mechanism that allows communicating parties to protect the confidentiality and integrity of messages exchanged over a public channel, provided they share a secret key. In this work, we present new AE schemes leveraging the SHA-3 standard functions SHAKE128 and SHAKE256, offering 128 and 256 bits of security strength, respectively, and their “Turbo” counterparts. They support session-based communication, where a ciphertext authenticates the sequence of messages since the start of the session. The chaining in the session allows decryption in segments, avoiding the need to buffer the entire deciphered cryptogram between decryption and validation. And, thanks to the collision resistance of (Turbo)SHAKE, they provide so-called CMT-4 committing security, meaning that they provide strong guarantees that a ciphertext uniquely binds to the key, plaintext and associated data. The AE schemes we propose have the unique combination of advantages that 1) their security is based on the security claim of SHAKE, that has received a large amount of public scrutiny, that 2) they make use of the standard KECCAK-p permutation that not only receives more and more dedicated hardware support, but also allows competitive software-only implementations thanks to the TurboSHAKE instances, and that 3) they do not suffer from a 64-bit birthday bound like most AES-based schemes.
2025
RWC
Stealing Cryptographic Keys with Weird Gates
Over the last two decades, researchers have repeatedly demonstrated that microarchitectural attacks, and in particular cache attacks, pose a significant risk to the security of cryptographic implementations. One of the main defenses against such attacks is to follow the constant-time programming paradigm, which ensures that the memory addresses a program accesses do not depend on secret data. While effective, constant-time programming can incur a significant performance penalty. Consequently, when constant-time programming is deemed to be too hard, developers may choose to use heuristic defenses that aim to limit the attacker's ability to observe the memory access patterns of the victim. For example, web browsers reduced the resolution of the timers they provide, based on the observation that a high resolution timer is required to distinguish cache hits from cache misses. Moreover, as cache attacks have a limited temporal resolution, implementations whose access patterns are indistinguishable except at a high sampling rate are considered more secure. In this talk we show that such restrictions are insufficient to protect against cache attacks. We start by representing the cache status of a memory address as a Boolean value. This allows us to express cache attacks as computing a logical function of the cache state. We then design "weird gates" that compute logical functions of cache state and store the result in the cache. We demonstrate that through composing these gates, we can perform arbitrary computations on cache state. Finally, we leverage our gates to perform two attacks against cryptographic implementations. Our first attack shows that an implementation of ElGamal remains vulnerable even when the clock resolution is reduced by six orders of magnitude. Our second attack shows that we can increase the frequency of cache probing to a level that allows key recovery from an S-box-based AES implementation.
This talk is based on the USENIX Security'23 publication "The Gates of Time: Improving Cache Attacks with Transient Execution" and the CCS'24 distinguished paper "Spec-o-Scope: Cache Probing at Cache Speed".
2025
RWC
Stronger Privacy for Existing Credentials
The US is currently rolling out the mDL, a digital version of the driver’s license, a primary form of identity credential, and credentials relating to employment and healthcare are also becoming more common (in the US and globally). Their potential to enhance online authentication is exciting—yet their privacy implications remain a significant concern. This talk will describe how we can “upgrade” the privacy features of these credentials, adding selective disclosure and unlinkability, without help from credential issuers. In cryptographic terms, we construct an anonymous credential system based on zero knowledge proofs and existing credentials. The system has practical performance, offering fast proof generation and verification times (10–20 ms) after a once-per-credential setup phase. We give demos for two practical scenarios, proof of employment for benefits eligibility, and online age verification, and provide an open-source implementation to enable further research and experimentation.
2025
RWC
Teaching an Old Dog New Tricks: Verifiable FHE Using Commodity Hardware
This talk presents Argos: a viable path to make fully homomorphic encryption (FHE) deployable in real-world scenarios where attackers cannot be assumed to be semi-honest. We demonstrate that trusted hardware can be securely used to provide integrity for FHE and other FHE-based protocols that implement functionalities such as private information retrieval (PIR) or private set intersection (PSI). We show that the major security pitfall of trusted hardware, microarchitectural side channels, can be completely mitigated by excluding any secrets from the CPU and the memory hierarchy. This is made possible by focusing on building a platform that only enforces program and data integrity and not confidentiality (all that is required for verifiable FHE). All secrets can be kept in a separate co-processor (e.g., a TPM) inaccessible to an attacker. While relying on an off-CPU chip for attestation typically incurs significant performance overheads, our modified protocol turns it into a fixed cost. Argos requires no dedicated hardware extensions and is supported on commodity processors from 2008 onward. Our hardware prototype executes 80 times faster than state-of-the-art on SGX, while introducing only 7% overhead for FHE evaluation and 22% for more complex protocols. By demonstrating how to combine cryptography with trusted hardware, Argos paves the way for widespread deployment of FHE-based protocols beyond the semi-honest setting.
2025
RWC
Testing Side-channel Security of Cryptographic Implementations against Future Microarchitectures
How will future microarchitectures impact the security of existing cryptographic implementations? As we cannot keep reducing the size of transistors, chip vendors have started developing new microarchitectural optimizations to speed up computation. A recent study (Sanchez Vicarte et al., ISCA 2021) suggests that these optimizations might open the Pandora’s box of microarchitectural attacks. However, there is little guidance on how to evaluate the security impact of future optimization proposals. To help chip vendors explore the impact of microarchitectural optimizations on cryptographic implementations, we develop (i) an expressive domain-specific language, called LmSpec, that allows them to specify the leakage model for the given optimization and (ii) a testing framework, called LmTest, to automatically detect leaks under the specified leakage model within the given implementation. Using this framework, we conduct an empirical study of 18 proposed microarchitectural optimizations on 25 implementations of eight cryptographic primitives in five popular libraries. We find that every implementation would contain secret-dependent leaks, sometimes sufficient to recover a victim’s secret key, if these optimizations were realized. Ironically, some leaks are possible only because of coding idioms used to prevent leaks under the standard constant-time model.
2025
RWC
The Triple Ratchet Protocol: A Bandwidth Efficient Hybrid-Secure Signal Protocol
Secure Messaging apps have seen growing adoption, and are used by billions of people daily. However, due to the imminent threat of a "Harvest Now, Decrypt Later" attack, secure messaging providers must react now in order to make their protocols hybrid-secure: at least as secure as before, but now also post-quantum (PQ) secure. Since many of these apps are internally based on Signal's famous Double-Ratchet (DR) protocol, making Signal hybrid-secure is of great importance. In fact, Signal and Apple already put in production various Signal-based variants with certain levels of hybrid security: PQXDH (only on the initial handshake), and PQ3 (on the entire protocol), by adding a PQ-ratchet to the DR protocol. Unfortunately, due to the large communication overheads of the KYBER scheme used by PQ3, real-world PQ3 performs this PQ-ratchet approximately every 50 messages. As we observe, the effectiveness of this amortization, while reasonable in the best-case communication scenario, quickly deteriorates in other still realistic scenarios, causing many consecutive (rather than 1 in 50) re-transmissions of the same KYBER public keys and ciphertexts (of combined size 2272 bytes!). In this presentation, we will talk about a new Signal-based, hybrid-secure secure messaging protocol, which significantly reduces the communication complexity of PQ3. We call our protocol "the Triple Ratchet" (TR) protocol. First, TR uses erasure codes to make the communication inside the PQ-ratchet provably balanced. This results in much better worst-case communication guarantees of TR, as compared to PQ3. Second, we design a novel "variant" of KYBER, called KATANA, with significantly smaller combined length of ciphertext and public key (which is the relevant efficiency measure for "PQ-secure ratchets"). For 192 bits of security, KATANA improves this key efficiency measure by over 37%: from 2272 to 1416 bytes.
In doing so, we identify a critical security flaw in prior suggestions to optimize communication complexity of lattice-based PQ-ratchets, and fix this flaw with a novel proof relying on the recently introduced hint-MLWE assumption. This protocol has been developed with the Signal team, and they are actively evaluating bringing a variant of it into production in a future iteration of the Signal protocol.
2025
RWC
Toward revocation checking that works
CRLite is a low-bandwidth, low-latency, privacy-preserving mechanism for distributing certificate revocation data. The system was originally described by Larisch, Choffnes, Levin, Maggs, Mislove, and Wilson at IEEE S&P in 2017. It was implemented by Mozilla shortly thereafter, and aspects of Mozilla’s implementation were presented by Thyla van der Merwe at RWC 2020. Firefox users have had the option to enable CRLite since September 2019 / Firefox 69. However, until very recently, the system was only enabled by default for Firefox Nightly users and 1% of Firefox Release users. The bandwidth costs of the system, while modest in theory, were not low enough for Mozilla, or Firefox users, to accept. This talk will highlight a combination of technical innovations and policy changes that have put us on the path to enabling CRLite for all of our users. Our new implementation of CRLite encodes the set of all revoked certificates in a 6.7 MB package—54% smaller than our original implementation of CRLite, and 21% smaller than a widely-cited lower bound. Our implementation also produces differential updates that describe the certificates that were revoked in the previous 6 hours. The average size of these differential updates is about 25 kB. This talk will also describe the path ahead of us. If CT log operators switch to the Static CT API and the CA/B Forum reduces the maximum validity period of WebPKI certificates to 90 days, we believe that a software client will be able to track all revocations, at 6 hour latency, by downloading approximately 100 kB of revocation data per day.
2025
RWC
Using Formally Verified Post-Quantum Algorithms at Scale
In an attempt to provide organizations with access to correct and bug-free implementations of the new NIST-selected PQC algorithms, Cryspen and Google have joined forces to produce formally verified, open source implementations of these algorithms. In this talk we will cover our cutting-edge approach to formally verifying ML-KEM, the challenges encountered during the verification process, and the timing side channel attack uncovered by the process. We will also discuss the way forward for formal verification of PQC algorithms, the impact of formal verification on the development workflow, and the subsequent deployment of secure and optimized PQC implementations.
2025
RWC
What Happened to the ZK Dream?
With the advent of Blockchains, there has been reinvigorated interest in deploying ZK-proof systems in the form of ZKSNARKs, an attractive, non-interactive, succinct variant. Yet, current deployments require heavy hardware / huge running times / very large memory. In this talk, I will discuss new applications of zero-knowledge from verifiable credentials to zk-email, zktls, and zklogin that demand scalable client-side proving systems. I will present the Ligetron platform that allows one to build and deploy an end-to-end system for these applications. Crucially, the platform relies on the recent Ligetron system developed by Ligero Inc. that showcases speed on the browser that stands competitive against all known ZKSNARK implementations executed on heavy machines to date! Furthermore, I will show how the platform leverages the ZK-WASM feature of the Ligetron system, allowing developers to implement their zkApps from the browser by coding in standard high-level languages such as C/C++/Rust.
2025
RWC
Zero-knowledge Proofs for Legacy Signatures
Digital signatures underpin identity, authenticity, and trust in modern systems. Advanced variants of signatures—such as proofs of possession, ring signatures, and threshold signatures—offer security, privacy, and anonymity benefits but are rarely deployed due to incompatibility with widely used legacy schemes. This talk explores how to transform these legacy signatures—concretely, RSA, ECDSA, Ed25519, and the new NIST standards Falcon and Dilithium—into advanced variants using zkSNARKs. Making our zkSNARK-based schemes practical requires closing a huge efficiency gap that stems from, roughly, the cost of proving signature verification using the zkSNARK. We will present optimized protocols for expensive parts of signature verification, such as hashing and elliptic curve scalar multiplication. Using our techniques, we can generate a 240-byte proof of possession of an RSA signature over a message the size of a typical TLS certificate—two kilobytes—in only three seconds; the proof takes only 28 milliseconds to verify.
2025
RWC
zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials
For many users, a private-key-based wallet serves as the primary entry point to blockchains. Commonly recommended wallet authentication methods, such as mnemonics or hardware wallets, can be cumbersome. This difficulty in user onboarding has significantly hindered the adoption of blockchain-based applications. In this talk we will present zkLogin, a novel technique that leverages identity tokens issued by popular platforms (any OpenID Connect enabled platform, e.g., Google, Facebook, etc.) to authenticate transactions. At the heart of zkLogin lies a signature scheme allowing the signer to sign using their existing OpenID accounts and nothing else. This improves the user experience significantly as users do not need to remember a new secret and can reuse their existing accounts. zkLogin provides strong security and privacy guarantees. Unlike prior works, zkLogin’s security relies solely on the underlying platform’s authentication mechanism without the need for any additional trusted parties (e.g., trusted hardware or oracles). As the name suggests, zkLogin leverages zero-knowledge proofs (ZKP) to ensure that the sensitive link between a user’s off-chain and on-chain identities is hidden, even from the platform itself. zkLogin enables a number of important applications outside blockchains. It allows billions of users to produce verifiable digital content leveraging their existing digital identities, e.g., email address. For example, a journalist can use zkLogin to sign a news article with their email address, allowing verification of the article’s authorship by any party. We have implemented and deployed zkLogin on the Sui blockchain as an additional alternative to traditional digital signature-based addresses. Due to the ease of web3 onboarding just with social login, many hundreds of thousands of zkLogin accounts have already been generated in various industries such as gaming, DeFi, direct payments, NFT collections, sports racing, cultural heritage, and many more.
