###### tags: `Reading sessions` [toc] # 2022 <https://esorics2022.compute.dtu.dk/program.html> ## [**One Vote is Enough for Analysing Privacy**](https://hal.inria.fr/hal-03669664/document) * By Stéphanie Delaune, Joseph Lallemand. * [FH] A formal method paper; uses the BPRIV definition (as opposed to Benaloh's SWAP definition) to analyze vote privacy in a number of schemes. In Fig 1, it has a scheme called "Helios (id in ZKP)", but without a reference. How to add id in ZKP? That will change the Helios protogocol. It also includes a scheme that allows revoting for Helios, but without a reference. If we allow revoting in Helios, how can it still be E2E? * [AA] If you have read the same paper, feel free to write some notes here for sharing and cross-comparison. Include any quotes from the paper which you may consider useful. * `One common way of formalising vote privacy, which we will call SWAP, is to require that an attacker is not able to distinguish between the situation where Alice is voting yes and Bob is voting no from the situation where the two voters swapped their vote. That formalisation was first proposed by Benaloh.` * `More quotes` ###### tags: `e-voting` ## [**For Your Voice Only: Exploiting Side Channels in Voice Messaging for Environment Detection**](https://link.springer.com/content/pdf/10.1007/978-3-031-17143-7_29.pdf?pdf=inline%20link) - By Matteo Cardaioli, Mauro Conti, Arpita Ravindranath - [FH] Voice messages can reveal side-channel information about the surrounding environment (e.g., specific rooms). This paper uses 7,200 whatsapp voice messages collected from 15 users to identify four environments (ie.., three breadrooms and a terrance). ###### tags: ``side-channel attacks`` ## [**Browser-based CPU Fingerprinting**](https://publications.cispa.saarland/3745/1/paper.pdf) - By Leon Trampert, Christian Rossow, and Michael Schwarz - [FH] Microarchitectural attacks such as Spectre and Rowhammer require precise knowledge about microarchitectural properties. The paper presents a side-channel attack to reveal CPU properties of a computing device (including mobile phones) through JavaScript in a browser. ****Meaurement****: based on six benchmarks (running JavaScript and WebAssembly in the browser). Take about a couple of minutes to run. ****Implementation****: run JavaScript in the browser. ****Classifers****: used three including KNN, SVC and MLP ****Study****: 834 participants (Amzon Mechnical Turk), 297 CPU models. Able to identiy a CPU model with over 95% accuracy. ****Other finding****: current browser-fingerprinting mitigations do not prevent browser-based CPU fingerprinting attacks. ****Open source****: <https://github.com/CISPA/browser-cpu-fingerprinting> ****Takeaway****: a remote attacker can reliably infer a user computer's CPU properties (vendor of CPU, the microarchitecture and the CPU model) through JavaScript in a browser. ###### tags: ``side-channel attacks`` ## [**How to Verifiably Encrypt Many Bits for an Election?**](https://link.springer.com/content/pdf/10.1007/978-3-031-17146-8_32.pdf?pdf=inline%20link) - [LH] The paper looks at improving the efficiency of ballot generation for e-voting protocols. At the arithmetic level, they use a lookup-table scheme and precompute group elements. Assuming a lot of exponentiations in base $g$ with exponents of at most $l$-bits, select a parameter $k$ and compute $table[i][j] ← g^{2i·j}$. Computing $g^{e}$ for $e = (e_{t−1} . . . e_{0})_{2k}$ with $e_{i} \in \{0, . . . , 2k − 1\}$ is just $g^{e} = \prod_{i=0}^{t-1}table[i][e_{i}]$. They discuss choosing optimal values of $k$. Choosing $k$ as large as the memory can fit (at the cost of precomputation) leads to fast exponentiations. At the protocol level, they consider batching ElGamal and using multi-ElGamal. With multiple public keys $(h_{1},...,h_{m}) = (g^{x_{1}},...,g^{x_{m}})$, with $(x_{i} \leftarrow \mathbb{Z}_{q})$, encrypt $m$ bits $(v_{0},...v_{m})$ as $(g^{r}, g^{v_{1}}h_{1}^{r},...,g^{v_{m}}h_{m}^{r})$. Ideally achieves 2x speedup, although in practice this was found to be less when combined with their improvements at the arithmetic level. Finally they consider improvements to the 0-1 ZKP. The main idea is to instead do a product proof of $v_{j}(1-v_{j})=0$. They combine it with a batching process and shorten it with logarithmic batching (though this is quite complex). Benchmarks are recorded through Python. Main finding is that gains from multi-ElGamal are lost through the precomputation time for fixed-base exponentiations (only around 1.25x rather than 2x). It would be interesting to explore these optimisations for our e-voting schemes. - [FH] The idea of using a product proof of $v_{j}(1-v_{j})=0$ instead of a one-out-of-two CDS proof to prove $v_{j}$ is either 0 or 1 is interesting, although why it's more efficient is not immediately clear. The rest techniques seem not new. For approval voting, the system may require choosing $k$ out $n$ where $k$ has certain constraints, e.g., no more than 3, between 2 and 3 etc. There may be further scope for optimization for such scenarios. This paper seems to have done concrete improvements over the implementations in **ElectionGuard**. It's worthwhile to look deep into **ElectrionGuard** (which is getting quite noted as an offering from Microsoft) when we have time and resource. ###### tags: `e-voting` ## [**Fuzzy Authenticated Key Exchange with Tight Security**](https://link.springer.com/content/pdf/10.1007/978-3-031-17146-8_17.pdf?pdf=inline%20link) - [MD] This paper introduces a generic construction for Fuzzy Authenticated Key Exchange (FAKE), which basically uses a fuzzy source like biomertric features or PUFs to generate a shared key between two users. Each user generates public strings from its own fuzzy source, and register them to the system. The advantage of FAKE is that users do not need to store the secret keys. Their construction consists of three following building blocks: - Secure Sketch (SS) to generate the same bit string from fuzzy input - Key Encapsulation (KEM) to encapsulate the shared session key - Digital Signature (SIG) for message and user authentication Each user generates the signing and verification keys for SIG and public/private key pair for KEM from their fuzzy source. Each user knows the verification keys of all other users in the network while the public key for KEM is transmitted in each session. The user's signing key is used for signing the public key for KEM. The other party uses the received public key for encapsulating the session key. Secure sketch is kind of noise cancellation scheme and helps to obtain the same public/private key pairs from the fuzzy source. ###### tags: `Authentication` `Key exchange` `Fuzzy` ## [**Post-Quantum Verifiable Random Function from Symmetric Primitives in PoS Blockchain**](https://eprint.iacr.org/2021/302.pdf) - Maxime Buser, Rafael Dowsley,Muhammed F. Esgin, Shabnam Kasra Kermanshahi, Joseph Liu, Raphael Phan, Veronika Kuchta, Zhenfei Zhang. - [SS] Verifiable Random Function (VRF) is a variant of Pseudorandom Functions (PRFs) satisfying a verifiability property. It has a secret key and public key pair (sk, pk) such that for a given input x, it outputs a psuedorandom value y and a proof \pi, which can be verified by pk:  y, \pi <-- V(x, sk) VRF is used in Algorand's Proof of Stake (POS) to choose the committee members, and the membership can be verified by the verifiability property of the VRF. Existing VRF constructions are not not based on post-quantum hard problems. This paper has obtained a post-quantum variant of VRF, known as X-VRF. This is based on a hash based signature scheme (which is post-quantum) known as XMSS. Note that XMSS is a stateful signature scheme, so to match the stateless requirement of the VRF, they empower blockchain's state (block number is used as the counter). In that way they could make VRF stateless in terms of the user's point of view. The construction looks simple which uses the \pi = XMSS.sign(x,ctr) as the proof and y = Hash(\pi,x) as the pseudorandom output. ###### tags: `` `` --- ## [**EVExchange: A Relay Attack on Electric Vehicle Charging System**](https://link.springer.com/chapter/10.1007/978-3-031-17140-6_24) - The paper introduces a relay attack on EV charging stations where the attacker can charge his car while the victim pays for it. Also, if the charging station supports V2G (vehicle to greed), the attacker can earn money by selling the victim's battery charge to the grid. - The attacker can cause damage to the victim's car battery. - V2G offers smart charging management and enables a bidirectional power flow with the grid. - To support the V2G paradigm, communication is needed between the vehicle and the Electric Vehicle Supply Equipment (EVSE). - The research is focused on ISO 15118 standard for the mentioned communication, especially a highly comfortable service called Plug-and-Charge (PnC). - Proposed attack countermeasure by detecting the delay that happens in the relay attack communication. ###### tags: `Relay attack` `Electric Vehicle` `ISO 15118` --- ## [**Puncturable Signature: A Generic Construction and Instantiations**](https://link.springer.com/chapter/10.1007/978-3-031-17146-8_25) - Mei Jiang, Dung Hoang Duong, and Willy Susilo - [SS] Puncturable signature (PS), was proposed by Bellare, Stepanovs and Waters at EUROCRYPT 2016. It gives the power to a fine grained revocation of signing capacity. Puncturable signature: -- (SK, p, m) -> sigma, here m = message, p = prefix, SK = secret key -- SK is punctured at p, so SK is updated as SK’ -- SK’ can now sign any message with any prefix p’ \ne p. -- If SK’ is used to sign a message with prefix p it will not be verified It can be used for forward secure sigantures and disappearing signature in the bounded storage model. In this paper, three constructions are given: -- Lattice based -- CDH based -- Multivariate based However, the paper does not discuss the parameters for the implentation. So not sure about the practicality of the constructions at this moment. ----