Feng Group

@cs-feng-group

Feng Group at the department of CS, University of Warwick

Public team

Joined on Apr 29, 2021

  • GCM IV reuse attack. Bitstream Protection in Dynamic Partial Reconfiguration Systems Using Authenticated Encryption (IEICE Trans. on Info. and Sys., 2013), Sec. 4.2: a good diagram describing GCM. Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (WOOT 2016): paper and slides on GitHub, with the attack demo code for WOOT 16 at https://github.com/nonce-disrespect/nonce-disrespect/
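Added worked example (not code from either cited paper or from the nonce-disrespect repository): the forgery the WOOT 2016 paper describes, run on the GHASH algebra alone. AES is abstracted away, since under a repeated key/nonce pair the hash key H = E_K(0^128), the tag mask E_K(J0) and the CTR keystream are the same for every message; here they are modelled as fixed random values so the block runs offline (an assumption of the example). Messages are restricted to a single 16-byte block with no AAD, which makes recovering H one inversion and one square root in GF(2^128); longer messages need the polynomial root finding described in the paper.

```python
"""GCM nonce reuse: recover the hash key H from two tagged messages and forge
the tag of a third, using only the GHASH algebra (Joux's 'forbidden attack').

Constructed example. AES is not run: with a fixed key and a repeated nonce,
H = E_K(0^128), the tag mask S = E_K(J0) and the first CTR keystream block
are identical for every message, so they are modelled as random constants.
Messages are one 16-byte block with no AAD.
"""
import secrets

R = 0xE1000000000000000000000000000000   # x^128 + x^7 + x^2 + x + 1 in GCM's bit order
ONE = 1 << 127                           # multiplicative identity in that representation
LEN_BLOCK = 128                          # [len(A)=0]_64 || [len(C)=128]_64


def gf_mul(x, y):
    """Multiplication in GF(2^128) as in NIST SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x, e):
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_inv(x):
    return gf_pow(x, (1 << 128) - 2)      # x^(2^128 - 2) = x^-1


def gf_sqrt(x):
    return gf_pow(x, 1 << 127)            # squaring is a bijection in GF(2^128)


def ghash_one_block(h, c):
    """GHASH_H over one ciphertext block and no AAD: ((C*H) xor L)*H."""
    return gf_mul(gf_mul(c, h) ^ LEN_BLOCK, h)


class NonceReusingGcm:
    """Stand-in for a GCM encryptor whose key and nonce never change."""

    def __init__(self):
        self.h = secrets.randbits(128)          # E_K(0^128) in real GCM
        self.s = secrets.randbits(128)          # E_K(J0), fixed because the nonce is fixed
        self.keystream = secrets.randbits(128)  # first CTR block, also fixed

    def encrypt(self, p):
        c = p ^ self.keystream
        return c, ghash_one_block(self.h, c) ^ self.s

    def verify(self, c, tag):
        return ghash_one_block(self.h, c) ^ self.s == tag


def recover_h(c1, t1, c2, t2):
    """S and the length block cancel, leaving T1 xor T2 = (C1 xor C2) * H^2."""
    if c1 == c2:
        raise ValueError("need two distinct ciphertexts under the same nonce")
    return gf_sqrt(gf_mul(t1 ^ t2, gf_inv(c1 ^ c2)))


def forge_tag(h, c_known, t_known, c_new):
    """With H known, the mask S falls out of any genuine (C, T) pair."""
    s = t_known ^ ghash_one_block(h, c_known)
    return ghash_one_block(h, c_new) ^ s


def demo():
    gcm = NonceReusingGcm()
    p1 = int.from_bytes(b"transfer 10 GBP ", "big")   # constructed 16-byte messages
    p2 = int.from_bytes(b"account 12345678", "big")
    c1, t1 = gcm.encrypt(p1)
    c2, t2 = gcm.encrypt(p2)
    p2_recovered = c1 ^ c2 ^ p1            # keystream reuse: known P1 exposes P2
    h = recover_h(c1, t1, c2, t2)
    p3 = int.from_bytes(b"transfer 99 GBP ", "big")
    c3 = c1 ^ p1 ^ p3                      # attacker-chosen plaintext under the reused keystream
    t3 = forge_tag(h, c1, t1, c3)
    return {"h_recovered": h == gcm.h,
            "plaintext_recovered": p2_recovered == p2,
            "forgery_accepted": gcm.verify(c3, t3)}


if __name__ == "__main__":
    print(demo())
```

Two distinct consequences of the repeated nonce show up in `demo()`: the CTR keystream repeats, so one known plaintext reveals the other and lets the attacker build any ciphertext block, and the GHASH key becomes recoverable, so that ciphertext can also be given a valid tag. The field arithmetic is a plain Python loop and is not constant-time; it is for illustration only.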
  • DAO. Faqir, Youssef El et al. "A Scalable Voting System: Validation of Holographic Consensus in DAOstack." Hawaii International Conference on System Sciences (2021). https://www.semanticscholar.org/paper/A-Scalable-Voting-System%3A-Validation-of-Holographic-Faqir-Arroyo/91b72f1b6517ea404527ab3ac99dc82716341068 Field M, Holographic Consensus, Part 1, web article, 2018, https://medium.com/daostack/holographic-consensus-part-1-116a73ba1e1c Field M, Holographic Consensus, Part 2, web article, 2019, https://medium.com/daostack/holographic-consensus-part-2-4fd461e8dcde
  • Focusing on the security of electronic passports. Created by Rongyuan on 17 February 2025. Papers and reports: 2025 Identity Fraud Report by the Entrust Cybersecurity Institute, the latest update of the report, indicating that GenAI fuels the rise in digital document fraud.
  • Papers. A Gentle Introduction to Risk-Limiting Audits: introduces the RLA literature; defines key terms including audit trail, risk limit, ballot-polling audit, comparison audit, understatement/undervote and overstatement/overvote; describes an example ballot-polling audit and an example comparison audit; discusses methods for picking random samples of ballots, e.g. PRNGs; provides a case study of a real-world risk-limiting audit. Risk-Limiting Audits (talk given at the fourth NASEM committee meeting on the Future of Voting): briefly introduces RLAs and their key terms; states possible extensions including many contests, many jurisdictions and vote-by-mail.
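Added example, not code from the cited papers: the ballot-polling audit they describe, implemented as the BRAVO sequential test (Lindeman, Stark and Yates) and run on a constructed ballot population. Sampling is with replacement from an in-memory list standing in for the paper ballots; a real audit draws from the physical ballot manifest using a public random seed, and the totals, seed and risk limit used below are assumptions of the example.

```python
"""BRAVO ballot-polling risk-limiting audit, the sequential test behind the
ballot-polling audit described in the 'gentle introduction'.

Constructed example: ballots are drawn with replacement from an in-memory
population; a real audit draws physical ballots using a public random seed.
"""
import random


def bravo_audit(reported, ballots, risk_limit, rng, max_draws=None):
    """Run BRAVO for the reported winner against every reported loser.

    reported   : reported vote totals per candidate, e.g. {"A": 5500, "B": 4500}
    ballots    : true ballot population; each entry is a candidate name, or
                 None for an invalid ballot or undervote
    risk_limit : alpha; a pair is settled once its statistic reaches 1/alpha
    Returns (confirmed, ballots_examined). confirmed is False when the draw
    budget runs out, which in practice means escalating to a full hand count.
    """
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    # reported share of the winner within each winner/loser pair
    share = {l: reported[winner] / (reported[winner] + reported[l]) for l in losers}
    if any(s <= 0.5 for s in share.values()):
        raise ValueError("reported winner must beat every loser for BRAVO to apply")
    threshold = 1.0 / risk_limit
    stat = {l: 1.0 for l in losers}           # one likelihood ratio per pair
    pending = set(losers)
    budget = len(ballots) if max_draws is None else max_draws
    draws = 0
    while pending and draws < budget:
        b = rng.choice(ballots)                # uniform draw with replacement
        draws += 1
        for l in list(pending):
            if b == winner:
                stat[l] *= share[l] / 0.5      # evidence for the reported outcome
            elif b == l:
                stat[l] *= (1 - share[l]) / 0.5  # evidence against it
            # ballots for other candidates, or invalid ones, leave the statistic alone
            if stat[l] >= threshold:
                pending.discard(l)
    return not pending, draws


def make_population(totals, rng):
    """Expand per-candidate totals into a shuffled list of cast votes."""
    population = [c for c, v in totals.items() for _ in range(v)]
    rng.shuffle(population)
    return population


def demo(seed=2024):
    rng = random.Random(seed)                  # stands in for the public audit seed
    reported = {"A": 5500, "B": 4500}
    honest = make_population(reported, rng)                     # ballots match the report
    misreported = make_population({"A": 4000, "B": 6000}, rng)  # report has the wrong winner
    honest_ok, honest_draws = bravo_audit(reported, honest, 0.05, rng)
    wrong_ok, wrong_draws = bravo_audit(reported, misreported, 0.05, rng)
    return {"honest_confirmed": honest_ok, "honest_draws": honest_draws,
            "misreported_confirmed": wrong_ok, "misreported_draws": wrong_draws}


if __name__ == "__main__":
    print(demo())
```

For a 55/45 reported result the audit typically settles after a few hundred draws; when the reported winner actually lost, the statistic drifts downward and the draw budget is exhausted instead, which is the signal to escalate to a full hand count. The comparison audit the introduction also describes needs per-ballot cast-vote records and is a different test, not shown here.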
  • Papers. Variants of Bleichenbacher's Low-Exponent Attack on PKCS#1 RSA Signatures, SICHERHEIT 2008, https://download.hrz.tu-darmstadt.de/pub/FB20/Dekanat/Publikationen/CDC/sigflaw.pdf The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, Mihir Bellare and Phillip Rogaway, EUROCRYPT '96, https://web.cs.ucdavis.edu/%7Erogaway/papers/exact (original scheme in Figure 1).
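Added example (not code from either cited paper): the e = 3 forgery against a PKCS#1 v1.5 verifier that parses the padding left to right and ignores whatever follows the hash, next to the strict verifier that rebuilds the full encoded message and compares all of it. A 2048-bit modulus with SHA-256 is assumed. Key generation (a small Miller-Rabin test) is included only so that a genuine signature can be shown passing the strict check; the forgery itself needs nothing but the public key (n, e).

```python
"""e = 3 forgery against a lax PKCS#1 v1.5 signature verifier, beside the
strict verifier. Constructed example: 2048-bit n, SHA-256; key generation is
only here so a genuine signature can be checked too."""
import hashlib
import hmac
import secrets

E = 3
MODULUS_BITS = 2048
K = MODULUS_BITS // 8                      # encoded message length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
MIN_PS = 8                                 # PKCS#1 v1.5 minimum padding-string length


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a small trial-division prefilter (n is always large here)."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime p with p = 2 (mod 3), so that e = 3 is coprime to p - 1."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p


def keygen():
    p, q = gen_prime(MODULUS_BITS // 2), gen_prime(MODULUS_BITS // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest_info(message):
    return SHA256_DIGESTINFO + hashlib.sha256(message).digest()


def emsa_pkcs1_v15(message):
    """EM = 00 01 FF..FF 00 DigestInfo||H, padded out to exactly K bytes."""
    t = digest_info(message)
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    return pow(int.from_bytes(emsa_pkcs1_v15(message), "big"), d, n)


def verify_lax(message, sig, n):
    """Vulnerable: walks the padding, then only checks that the payload *starts* with the hash."""
    em = pow(sig, E, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i - 2 < MIN_PS or i >= K or em[i] != 0x00:
        return False
    return em[i + 1:].startswith(digest_info(message))   # BUG: trailing bytes are never checked


def verify_strict(message, sig, n):
    """Fixed: recompute the full EM and compare all K bytes."""
    if not 0 < sig < n:
        return False
    em = pow(sig, E, n).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(message))


def icbrt(x):
    """Floor of the integer cube root by Newton iteration from above (x >= 1)."""
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr


def forge(message, n):
    """Cube root of a block whose high bytes are a valid-looking prefix; the
    low bytes are garbage the lax verifier never inspects."""
    prefix = b"\x00\x01" + b"\xff" * MIN_PS + b"\x00" + digest_info(message)
    free_bits = 8 * (K - len(prefix))
    target = int.from_bytes(prefix, "big") << free_bits
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                                 # now target <= s^3 < target + 2^free_bits
    # s^3 < 2^2041 <= n, so it is never reduced mod n and the prefix survives
    assert (s ** 3) >> free_bits == int.from_bytes(prefix, "big")
    return s


def demo():
    n, d = keygen()
    message = b"pay 1000 GBP to mallory"                 # constructed message
    genuine, forged = sign(message, n, d), forge(message, n)
    return {"genuine_strict": verify_strict(message, genuine, n),
            "genuine_lax": verify_lax(message, genuine, n),
            "forged_lax": verify_lax(message, forged, n),
            "forged_strict": verify_strict(message, forged, n)}
```

The forgery works because the cube of a roughly 681-bit integer is much smaller than n and its top 62 bytes can be chosen freely, leaving about 194 bytes of garbage; a verifier that stops reading after the hash accepts it, while one that reconstructs the whole encoded message and compares it byte for byte does not. Using a larger public exponent also defeats this particular construction, but the strict comparison is the fix the PKCS#1 specification actually requires.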
  • Cryptography. A Toolbox for Verifiable Tally-Hiding E-Voting Systems: builds tally-hiding e-voting systems using MPC; provides a solution for STV and covers IRV as the single-winner case. FH: 1) voter computation O(n^2), authority computation O(n^3); 2) the implementation used 3 trustees (no threshold); 3) voters must perform cryptography and shuffling of ballots, and trustees must use mixnets to do additional shuffling; 4) "Homomorphic tally can only be applied to simple vote counting functions." (not correct). Extending the Tally-Hiding Ordinos System: Implementations for Borda, Hare-Niemeyer, Condorcet, and Instant-Runoff Voting: extends Ordinos to permit other voting methods including IRV. The IRV implementation runs in $O(n!)$ time for $n$ candidates. Doesn't consider indifference.
  • Main security papers. Pereira, Olivier, and Peter B. Rønne. "End-to-end verifiable quadratic voting with everlasting privacy." Financial Cryptography and Data Security: FC 2019. https://link.springer.com/chapter/10.1007/978-3-030-43725-1_22 Assumes a set of tallying authorities and a budget b < 2^20. Park, Sunoo, and Ronald L. Rivest. "Towards secure quadratic voting." Public Choice 172 (2017): 151-175. https://link.springer.com/article/10.1007/s11127-017-0407-2 It says that Lalley and Weyl's QV scheme (2016) is for electing one out of two candidates, and that all expositions of QV the authors are aware of focus solely on the two-candidate case; extending this to multiple candidates is possible but non-trivial. Each voter gets an equal share of the election revenue.
  • https://sp2024.ieee-security.org/ FlowMur: A Stealthy and Practical Audio Backdoor Attack with Limited Knowledge, by Jiahe Lan, Jie Wang, Baochen Yan, Zheng Yan and Elisa Bertino. [HL] The paper proposes an attack that compromises a voice dataset by embedding a trigger based on the signal-to-noise ratio (SNR). Unlike traditional backdoor attacks, which place the trigger at a fixed position, this approach adjusts the trigger's position dynamically using an AI technique, which makes the backdoor considerably stealthier. Investigating Voter Perceptions of Printed Physical Audit Trails for Online Voting, by Karola Marky, Nina Gerber, Henry John Krumb, Mohamed Khamis and Max Mühlhäuser. [LH] The paper proposes a new hybrid online voting system: once a vote is cast, a physical receipt is printed in a secure facility and placed into a physical ballot box. Verifiability is supported by live-streaming the facility to the public, although the system is not fully E2E verifiable. The encryption scheme is only said to "follow guidelines from the literature"; no further details are given. The protocol was evaluated in a study with 150 participants. Two implementations of the audit trail were trialled, one printing paper receipts and the other 3D-printing tokens. There was no evidence that introducing either trail changed the perceived security of the system, although paper was preferred because it is faster to print.
  • This page covers papers that are not yet formally published, or are published in venues other than the commonly recognised ones. Three Lessons from Threema: Analysis of a Secure Messenger, by Kenneth G. Paterson, Matteo Scarlata and Kien Tuong Truong. [FH] This paper presents 7 attacks on Threema, an E2E secure messaging app used by the Swiss government, the Swiss Army and many others (10 million users). The root cause is the use of proprietary (unfortunately insecure) key exchange protocols. The paper is well presented. Threema E2E protocol: uses static Diffie-Hellman, hence no forward secrecy. It uses random nonces to prevent replay attacks, but the nonces must be stored locally in a database. Threema client-to-server protocol: uses ideas similar to TLS, but the client has a long-term key pair. Threema uses its own custom AKE protocol (not fully mixing ephemeral and static keys). Registration protocol: a user registers a key pair and proves possession of the private key by decrypting a string sent by the server; a zero-knowledge proof protocol could have been used instead. [BB] Short review by BB.
  • https://www.sigsac.org/ccs/CCS2024/ A Succinct Range Proof for Polynomial-based Vector Commitments, by Rui Gao, Zhiguo Wan, Yuncong Hu and Huaqun Wang. A zero-knowledge proof (ZKP) allows a prover to convince a verifier that it knows a secret witness satisfying a certain relation, without revealing the witness itself. A range proof is a type of ZKP that allows a prover to convince a verifier that, for a commitment 𝐶, it knows the committed value 𝑣 and that 𝑣 lies in a certain range. Range proofs have found numerous applications, such as anonymous credentials, e-voting, e-cash, electronic auctions and cryptocurrencies. Existing range proof schemes mostly focus on proving a commitment to a single element. Sometimes the prover needs to prove that multiple elements are in a certain range; in this case every element is committed to in a separate public commitment, and the prover uses batching techniques to make the proof and verification independent of, or sublinear in, the number of elements. However, a linear number of commitments still has to be sent. This paper introduces MissileProof, a range proof for vector commitments: a vector commitment commits to several values in a single commitment, and given this commitment the prover can prove that every element underlying it lies in the same range. Using KZG commitments, it achieves O(1) commitment length, proof size and verification time, with a trade-off in prover time, which is quasi-linear and requires FFTs. An anti-money-laundering stateless blockchain was implemented on top of MissileProof; the gas consumption of the verification smart contract is reduced by 85%.
  • https://petsymposium.org/2024/program.php DeVoS: Deniable Yet Verifiable Vote Updating, by Johannes Müller, Balázs Pejó and Ivan Pryvalov. [LH] The paper proposes a new publicly verifiable e-voting protocol for Internet voting. Its main properties are participation privacy and deniable vote updating. The protocol is described in the context of homomorphic encryption or verifiable shuffles. The main novelty is the addition of dummy ballots on the bulletin board, which are periodically either replaced by the voter or re-encrypted by an authority, so a coercer cannot tell whether a voter decided to change their vote. DeVoS is also proven to provide everlasting privacy through integration with the PPAT voting protocol. A proof-of-concept implementation handles 10,000 dummy votes per second for a 3-candidate election. The paper also contains proofs of verifiability, although not of E2E verifiability.
  • Applied Cryptography and Network Security 2005. Non-interactive Zero-Knowledge Arguments for Voting, by Jens Groth. This paper considers voting based on homomorphic threshold encryption. A set of authorities publishes a public key; each voter encrypts their vote under this key and sends it to the authorities. Digital signatures or other means of authentication ensure that only eligible voters vote. After receiving the votes, the authorities use the homomorphic property of the cryptosystem to compute an encryption of the final result, and jointly decrypt this ciphertext to obtain the tally. The simplest case is where each voter has a single vote to cast, and there are practical solutions for it. This paper applies homomorphic threshold encryption to four more advanced elections and provides several new ZKPs to prove that each vote has the correct form. The first is limited vote, where each voter can cast multiple votes; sometimes the voters are required to use all their votes on different candidates. The author provides a ZKP for a statement capturing this condition and obtains a limited vote scheme that is more efficient than prior work. The second is approval vote, where the voter can vote for as many different candidates as they like, but can only cast 0 or 1 for each; the author provides a ZKP for the corresponding statement, and the resulting approval voting scheme is claimed to be the first in the literature. The third is divisible vote, which extends approval vote by allowing a voter to cast multiple votes for one candidate; the author improves existing divisible voting by improving its underlying ZKPs. The fourth is Borda vote, where voters cast weighted votes: the worst candidate gets 1 vote, the second worst 2 votes, and so forth, so that with L candidates the best candidate gets L votes. With a dedicated ZKP, the paper provides the first secure Borda voting scheme.
  • EUROCRYPT https://eurocrypt.iacr.org/2024/acceptedpapers.php Unlocking the Lookup Singularity with Lasso, by Srinath Setty, Justin Thaler and Riad Wahby. In the domain of ZKPs, to prove the correct execution of a computer program one usually first expresses the execution in a specific form, such as an arithmetic circuit or a related generalisation. The size of the circuit is vital, since it determines the complexity of the underlying SNARK. In practice, some operations in a program need a large circuit, e.g. bitwise operations and range checks. For these operations, a better approach is to use lookup arguments. Informally, a lookup argument allows an untrusted prover to commit to a vector a and prove that all entries of a reside in some predetermined table. This paper introduces Lasso, a new family of lookup arguments, which can be instantiated with any multilinear polynomial commitment scheme. It provides the following efficiency properties: for $m$ lookups into a table of size $n$, Lasso's prover commits to just $m+n$ field elements, and the committed field elements are small (in $\{0, \dots, m\}$), no matter how big the field is.
  • Domain Generalization via Aggregation and Separation for Audio Deepfake Detection, by Yuankun Xie. Uses an LCNN and a Bi-LSTM to extract features from speech, then trains a domain classifier together with two models that detect or generate fake features, and optimises the system with a triplet-mining approach. Domain classifier: creates a feature space in which the characteristics of real speech are similar regardless of source, so that features of real speech look alike even when they come from different places. Triplet mining: three voice samples are compared at a time, a real sample (anchor), another real sample (positive) and a fake one (negative). Databases: the LA database, WaveFake and FakeAVCeleb. Lossless Data Hiding in NTRU Cryptosystem by Polynomial Encoding and Modulation. [HL] Lossless data hiding in ciphertexts (LDH-CT) embeds extra data alongside the plaintext without changing the plaintext, which allows extra data to be transmitted in the application at a lower transmission cost. The main contributions of this paper are: NTRU-based LDH-CT algorithms; a higher embedding capacity compared with existing NTRU ("N-th Degree Truncated Polynomial Ring Unit") based schemes.
  • Papers. A. Systematic Review of DAO Voting. 1. Insight into Voting in DAOs: Conceptual Analysis and A Proposal for Evaluation Framework (2023), by Yixuan Fan, Lei Zhang, Ruiyu Wang and Muhammad Ali Imran. This paper examines how DAOs, internet-native organisations in which control is shared and decisions are made collectively, vote on important matters, with the aim of making these processes better and fairer. It conducts a conceptual analysis of different voting mechanisms and proposes an evaluation framework for assessing and improving voting in DAOs in terms of fairness and effectiveness. 2. Understanding Decentralized Autonomous Organizations from the Inside (2023), by Nils Augustin, Andreas Eckhardt and Alexander Willem de Jong.
  • https://crypto.iacr.org/2023/acceptedpapers.php Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol, by Gareth T. Davies, Sebastian Faller, Kai Gellert, Tobias Handirk, Julia Hesse, Máté Horváth and Tibor Jager, CRYPTO 2023. [MD] 2022: https://crypto.iacr.org/2022/program.php
  • https://asiacrypt.iacr.org/2021/program.php Cryptographic Analysis of the Bluetooth Secure Connection Protocol Suite, by Marc Fischlin and Olga Sanina. Diffie-Hellman values do not need to be fresh; a device may reuse them for up to 8 connections. A good summary of previous attacks, e.g. Breaking Passkey Entry through MITM (Zhang et al., USENIX Security 2020): the attack itself is standard and not surprising. In Bluetooth, privacy is mostly defined in terms of (un)linkability of physical characteristics. The reuse of Diffie-Hellman values allows linking the device (Sun et al., Sensors 2019).
  • https://fc24.ifca.ai/program.html Scan, Shuffle, Rescan: Two-Prover Election Audits With Untrusted Scanners. [LH] The paper proposes a new paradigm and protocols for risk-limiting audits where the margin of victory is small. The paradigm is called "rescan audit" and is based on the idea of a "multi-prover proof": two scanners separately scan a random sample of ballots and the scans are checked for consistency. This is combined with a smaller manual check to provide assurance on the election result. To prevent collusion between the scanners, the ballot list is shuffled. The protocols are empirically evaluated against the conventional ballot-polling audit and ballot-comparison audit. For margins below $1\%$, the rescan audits perform better in time and monetary cost, whereas the ballot-comparison audit performs better for margins above $1\%$. The security proof assumes that all ballots for one candidate are indistinguishable from one another, which is difficult to enforce in some settings. Additionally, the paper only covers plurality voting and not other voting methods, e.g. ranked choice. SAVER: SNARK-compatible Verifiable Encryption. [MD] In applications involving zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), there is often a need to combine the proof system with encryption. For example, a user might want to encrypt their identity while proving that it satisfies a given authorised function (e.g. a credit check). A naive solution is to extend the zk-SNARK circuit to include the encryption code, so that the entire encryption process becomes part of the SNARK circuit.
  • https://e-vote-id.org/e-vote-id-2023/ Faster Coercion-Resistant E-Voting by Encrypted Sorting, by Diego F. Aranha, Michele Battagliola and Lawrence Roy. [LH] The paper proposes a new variant of the Juels-Catalano-Jakobsson (JCJ) protocol for coercion-resistant voting. JCJ is not very scalable because of its quadratic complexity. The paper improves the complexity to log-linear by incorporating a comparison-based sort into the tallying process. The main idea is to store each voter's registration data in binary form and to sort using circuits over encrypted bits. The authors note that their protocol could be improved further by adopting a bucket sort, but this might be prone to a bucket-overflow attack. The size of the credentials is also a problem, as these are stored as encryptions of individual bits rather than of whole strings. 2022: https://e-vote-id.org/programme-2022/
  • This page summarises the usage of e-voting. References: Case Note: Germany (2009), https://sas-space.sas.ac.uk/5561/1/1910-2683-1-SM.pdf In 2005, e-voting machines were used in the German Bundestag (parliament) election. In 2009, the Federal Constitutional Court of Germany ruled that the use of such machines is permitted under German law, but that the way these particular machines functioned violated the public nature of elections, which requires that all essential steps of an election be open to public scrutiny unless other constitutional interests justify an exception. There was no indication of fraud in that election, hence the ruling did not result in the dissolution of the Bundestag.