Other venues

The page covers papers that are not yet formally published or published in venues other than commonly recongized.

tags: Reading sessions

• Other venues
  • Three Lessons from Threema Analysis of a Secure Messenger
  • Modern EMV and NFC cardholder verification issues The Cryptogram Confusion Attack
  • How to take over Amazon Kindle with an malicious e-book - DEFCON29
  • Hybrid Post-Quantum Signatures in Hardware Security Keys - 4th ACNS Workshop on Secure Cryptographic Implementation 2023,
  • TI2Net: Temporal Identity Inconsistency Network for Deepfake Detection
  • Price Manipulability in First-Price Auctions
  • DeAR: A Deep-Learning-Based Audio Re-recording Resilient Watermarking
  • Transaction Fee Mechanism Design with Active Block Producers
  • Commutative Cryptanalysis Made Practical
  • Insight into Voting in DAOs: Conceptual Analysis and A Proposal for Evaluation Framework
  • Unveiling Vulnerabilities in DAO: A Comprehensive Security Analysis and Protective Framework
  • Analyzing Voting Power in Decentralized Governance: Who controls DAOs?
  • SoK: Attacks on DAOs
  • Why Do Competitive Markets Converge to First-Price Auctions?

Three Lessons from Threema Analysis of a Secure Messenger

• By Kenneth G. Paterson, Matteo Scarlata, Kien Tuong Truong

• [FH] This paper presents 7 attacks on Threema, an E2E secure communication app used by the Swiss government, the Swiss Army and many others (10 million users). The root causes are the use of propritary (unfortunately insecure) key exchange protocols. the paper is well presented.

  • Threema E2E protocol: it uses static Diffie-Hellman, hence no forward secrecy. It uses random nonces to prevent replay attakcs, but the nounces need to be saved locally in a database.
  • Threema client-to-server protocol: uses ideas similar to TLS, but the client has a long-term key pair. Threema uses its own custom AKE protocol (not full mixing ephemeral and static keys).
  • Registration protocol: a user registers a key pair and proves the possession of a private key by decrypting a string sent by the server. They could have used a zero-knowledge proof protocol.

• [BB] Short rview by BB

tags: E2E secure communication, attacks

Modern EMV and NFC cardholder verification issues The Cryptogram Confusion Attack

• By Payment villeages
• [FH] Two attacks against NFC contactless cards
  • A cryptgram confusion attack, which allows using a locked contactless card to make payment.
  • A PIN code brute-force attack, which allows unlimited testing of the PIN through a combination of offline PIN check and the Chip & Signature verification scheme.

tags: card payment security, attacks

How to take over Amazon Kindle with an malicious e-book - DEFCON29

• By Slava Makkaveev
• [FH] The attack exploits the vulnerability of the document viewer app of Amazon Kindle and it's poor priviledge management of the App Manager module.
  • The pdf document viewer of Kindle works as image viewer where each page of the pdf is rendered as an image. Along with the readable contents, these pdf pages also contains refignment informations. These refinement information helps the viewer to understand the amount of memory required to display the page.
  • By modifying/setting incorrect refignment information the attacker makes the viewer believe that it needs less memory that the actual size of the content. This results in overflow of memory(similar to buffer overflow) and the attacker can write in any memory location of the memory.
  • Also for Kindle devices, the Address Space Layout Randomization (ASLR) was not randomized. The attacker takes advantage of these vulnerability and can fugure out the memory location to execute the malicious program.
  • The App Manager in Kindle has got the root priviledge. Hence if the user tries to open the malicious document, with the help of App Manager's root priviledge the malicious code get's executed
  • In the DEFCON29 demonstration, Slava Makkaveev showed that an attacker can steal amazon account cookies, device private keys etc.

tags: Amazon Kindle Security, attacks

Hybrid Post-Quantum Signatures in Hardware Security Keys - 4th ACNS Workshop on Secure Cryptographic Implementation 2023,

• Diana Ghinea et al

• [SS] FIDO provides user-friendly password-less authentication using some devices such as Yubico. The core idea is to rely on security devices (con- trolled via biometrics and/or PINs) which can then be used to register and later seamlessly authenticate to online services. The new FIDO2 protocols are: W3C’s Web Authentication (WebAuthn) and FIDO Alliance’s Client-to-Authenticator Protocol v2.0 (CTAP21).

  This work has worked on the PQC migration of FIDO2 where they have presented a hybrid signature. They won the ACNS (Applied Cryptography and Network Security) 2023 "best workshop paper" award. This new hybrid implementation is now part of the OpenSK, Google's open-source security keys implementation that supports the FIDO2 standards.

  They consider PQC signature scheme Falcon and Dilithium, the two winners of NIST PQC competition. Dilithium is faster than Falcon, however has larger key sizes. They have optimized Dilithium to get key sizes closer to Falcon. On the other hand, other winner SPHINCS+ has much larger signature size and so it is infeasible for the embedded devices, and the performance cost of signing compared to lattice schemes is significantly worse, so they have ruled out its consideration.

  This work is based on the open source security key OpenSK [31]. OpenSK is a firmware that implements CTAP 2.1. It works as an application on top of the embedded operating system TockOS. This immediately puts the restriction that the firmware including Dilithium, namely the key generation and signing algorithm, to fit 64 kB of RAM.

  Following are the CTAP requirements:
  – User presence and user verification tokens usually timeout after 30 seconds, but are guaranteed to be valid for at least 10 seconds. So they aim for commands to finish within 10 seconds.

  – The size of a CTAP message over USB cannot exceed 7609 B

  A hybrid signature scheme combines a classical signature algorithm with a post-quantum secure signature algorithm (in a construction commonly known as a combiner). They combine the classic signature ECDSA with the post-quantum signature Dilithium (with their optimization). This hybrid scheme ensures that the security guarantees of each underlying scheme are maintained even when one of the scheme becomes insecure. For the message m, the signature is S = (S1, S2), S1 comes from ECDSA and S2 comes from Dilithium: S1 = Sign(m, sk1), S2 = Sign(m, S1, sk2).

  The optimization are of the following types: first, a high speed mode, which follows the original implementation with the exception that the key size is reduced. Second, a low memory footprint mode. One example of optimization is to generate the matrix from the 32 bit seed when required, not to store it all the time.

  Implementation done in all modes on the Nordic nRF52840 development kit. They have given performance comparison with pure Dilithium and hybrid signature.

TI2Net: Temporal Identity Inconsistency Network for Deepfake Detection

• Baoping Liu, Bo Liu, Ming Ding, Tianqing Zhu, Xin Yu;

• [HL] The paper introduced TI2Net, concentrating detect temporal identity inconsistencies. TI2Net is a reference-agnostic detector and can be applied to previously unseen datasets.

  Creativity:
  For a given identity within a video clip, the identity information in all frames is initially encoded into **identity vectors(**Identity features encoded by the identity encoder → which is being pretrained but not updated during joint training to ensure the whole framework will focus on temporal information extraction)

  • Methodlogy: Video frames sequencies is transformed to identity encoder, then the differencing component will do the differencing operation to the raw video frames. Differencings will be taken as the input features to the RNN and use triplet loss to enhance the classification.
  • Evaluation: TI2Net AUC for cross dataset is 65-76% avg accuracy for 70.75%

Price Manipulability in First-Price Auctions

• Presented in WWW 22
• Johannes Brustle, Author PicturePaul Dütting, Author PictureBalasubramanian Sivan
• [MN] Quantify the extent to which first-price auctions are susceptible to manipulation
• [MN] provide conditions under which they are “truthful in the large”

DeAR: A Deep-Learning-Based Audio Re-recording Resilient Watermarking

• Presented in AAAI'2023
• Chang Liu, Jie Zhang, Han Fang, Zehua Ma, Weiming Zhang, Nenghai Yu
• [HL] Solving the prolem of re-recording operation preserves the content information as it destroies the watermark information
  • Methodologies:
    • Watermark Embedding:
      • Transformation with DWT, which split the audio into two parts:
        1. Aac, Approximate Coefficients: Represents the lower, more substantial frequencies
        2. Adc, Detail Coefficients: Represents the higher, more subtle frequencies
    • Embedding the Watermark
      1. Aac part will be embedded for the watermark
      2. Encoder: generates a small "residual" (a change to be added) based on the original Aac and the watermark data W. The encoder applies this change to Aac to create a new version, AWac, which includes the watermark.
      3. Adversarial Training: Use a "discriminator" to tell the difference between the original Aac and the watermarked AWac. The encoder and discriminator are trained together:
         1. The encoder learns to add the watermark in a way that the discriminator can't easily spot.
         2. The discriminator learns to identify if there's a watermark.
  • Watermark Extraction (Ref: 1.c)
  • Audio Re-recording Modeling
    1. The challenge of this paper shows how to maintain robustness against the audio re-recording (AR) process.
    2. The model propose a distortion layer between encoder and decoder. The distortion layer simulates the effects of audio re-recording.
    3. DAR includes three key components:
       1. Environment Reverberation: This simulates the sound bouncing off surfaces in a room, a common effect in re-recording.
       2. Band-Pass Filtering: This restricts the frequency range of the audio, similar to what happens during re-recording.
       3. Gaussian Noise: This adds random noise to the signal, replicating another common source of distortion in audio re-recording.

• [HL] Dataset: FMA, a famous music analysis dataset in which 12000 audios are utilized for the training of the proposed DeAR
• [HL] Evaluation Matrix: SNR signal to noise ratio / Average bit recovery accuracy

Transaction Fee Mechanism Design with Active Block Producers

• by Maryam Bahrani, Pranav Garimidi, and Tim Roughgarden
• on Arxiv!
• Generalize the existing models of TFM design to accommodates active block producers, block producers with a utility function that depends on both the transactions in a block (and their order) and the net fees earned
• Block producer (in this model) is a single entity that publishes a block based on the transactions that it is aware of.
• TFM is incentive-compatible for block producers (BPIC) if it expects a block producer to publish a block that maximizes its private valuation plus the net fees earned.
• Proved with active block producers, no non-trivial (users must at least in some cases pay a nonzero amount for transaction inclusion) TFM satisfies both DSIC and BPIC.
• EIP-1559 and tipless mechanisms fail to satisfy DSIC and BPIC when block producers can be active.
• The loss in DSIC of these mechanisms scales precisely with the value extractable by the block producer from users’ transactions
• TFMs that are both DSIC and BPIC cannot provide any meaningful welfare-maximization guarantees.
• BP has a private valuation over blocks
• call an allocation rule consonant if, given the payment rule, it instructs a BP to always choose such a block
• Maximum Marginal Value of a Transaction is the difference between private value of a block with and without the transaction for a BP.
• At least in some scenarios, even though a BP’s valuation is private, a user may know a reasonable upper bound on the maximum marginal value of its transaction.

Commutative Cryptanalysis Made Practical

• Jules Baudrin1, Patrick Felke2, Gregor Leander3, Patrick Neumann3, LéoPerrin1and Lukas Stennes3
• FSE 2024 (TOSC 2023-4)
• [SS] This paper considers a 20-year-old concept called commutative diagram cryptanalysis that provided a unified framework for important cryptanalysis methods. In this paper, the authors revisit and further generalize this concept for differential cryptanalysis. If E is a block cipher, their goal is to find as many keys as possible such that A(E_k(x)) = B(E_k(x)) holds for all x, where A and B are affine permutations. In terms of differentials, this means they are hunting for probability-1 distinguishers, as they need this relation to be true for all x. They derived an algorithm to find such a probability-1 distinguisher. They applied this to a variant of the Midori block cipher (with generalized round constants). One application of this technique is that they found 2^{96} out of 2^{128} keys for which there is a probability-1 trail for an arbitrary number of rounds in some variants of Midori. Overall, this is an interesting work that can be investigated for other attacks as well.

Insight into Voting in DAOs: Conceptual Analysis and A Proposal for Evaluation Framework

• By Yixuan Fan, Lei Zhang, Senior Member, IEEE, Ruiyu Wang and Muhammad Ali Imran
• This paper looks at how groups called DAOs, which are like groups on the internet where everyone helps make decisions together, figure out the best ways to vote on important matters, aiming to make these processes better and fairer by examining and suggesting improvements
• The paper's main goal is to look at how voting in DAOs (groups where everyone shares control) works and how to make it better so that the group can make fair and smart decisions together
• The paper proposes a new way to evaluate and improve voting in DAOs, focusing on making it fair and effective by introducing a framework and analyzing different voting mechanisms

Unveiling Vulnerabilities in DAO: A Comprehensive Security Analysis and Protective Framework

• By Chia-Cheng Tsai,Cheng-Chieh Lin and Shih-Wei Liao
• This paper reviews 54 real-world incidents from 2016 to 2023 to identify key vulnerabilities in DAOs, such as flash loan attacks, oracle manipulation, governance takeovers, and reentrancy issues, and offers solutions to protect against these risks.
• The study analyzed DAO security threats by collecting on-chain data using Ethereum clients like erigon and geth, focusing on metrics such as governance participation and token distribution. Python code was provided for data analysis to ensure transparency. An empirical analysis of 26 DAOs identified common risks, and real-world incidents were used to categorize potential attacks, aiding in the development of mitigation strategies
• he paper provides a systematic analysis of security threats to Decentralized Autonomous Organizations (DAOs), focusing on attacks that have occurred, those that are theoretically possible, and potential attacks identified during audits. It categorizes these attack vectors into four distinct categories, highlighting the vulnerabilities associated with human governance rather than just technical flaws.

Analyzing Voting Power in Decentralized Governance: Who controls DAOs?

• By Robin Fritsch, Marino Müller and Roger Wattenhofer
• This paper reviews how voting power is distributed in three Ethereum-based DAO systems (Compound, Uniswap, and ENS) and found that a few addresses hold most of the power, but they rarely go against the community's overall decisions.
• The paper analyzes voting power distribution and delegation network structures within DAO governance systems to understand power dynamics and decentralization levels. It examines voting behavior by assessing how delegates exercise their voting power and the impact of their decisions on governance outcomes. Additionally, the study includes case studies of major DAOs like Compound, Uniswap, and ENS to provide practical insights into their governance mechanisms.
• The paper finds that in DAO governance systems like Compound and Uniswap, voting power is highly concentrated, with most of it controlled by delegates receiving power from a single address, resembling traditional shareholder meetings. In contrast, ENS governance is more decentralized, with community delegates holding significant voting power, making it more similar to a decentralized community.

SoK: Attacks on DAOs

• By Rainer Feichtinger, Robin Fritsch, Lioba Heimbach, Yann Vonlanthen and Roger Wattenhofer
• This paper investigates real-world incidents and theorized attacks on DAOs, categorizing them into distinct attack vectors to enhance understanding of DAO security challenges
• The authors categorize DAO attacks into four main types: bribing (BR), token control (TC), human-computer interaction (HCI), and code/protocol vulnerability (CP).
• They analyze 28 real-world incidents across four blockchains, revealing that attacks exploit all four categories, with a notable prevalence of human and economic factors in governance
• A significant finding is that many attacks leverage less tangible vectors, such as human behavior, which are often overlooked in traditional audits focused on code vulnerabilities
• This work represents a comprehensive systematization of DAO attack vectors and risks, providing a foundational understanding that can inform the design of more secure governance frameworks
• By highlighting the vulnerabilities and potential safeguards, the paper aims to equip DAO developers with the knowledge to anticipate and mitigate threats effectively.

Why Do Competitive Markets Converge to First-Price Auctions?

• setting in which bidders participate in multiple auctions run by different sellers, and optimize their bids for the aggregate auction.
• Formulate it as a two-stage game:
  • At the first stage, sellers propose a selling mechanism
  • At the second stage, users propose bids based on their private value and the average mechanism (one bid for all mechanisms)
• the first-price auction being the unique Nash equilibrium in this competition between exchanges without reserve price.
• Reserve price makes it non-trivial: Revenue Equivalence Fails, bidding functions will be discontinuous, and no symmetric BNE. Every exchange will use FPA with different (non-zero) reserve prices.