The CROSSING Collaboration Award 2023 was given to the collaboration on the papers “SCAtt-man: Side-Channel Based Remote Attestation for Embedded Devices that Users Understand“ and ”Building Trust in Remote Attestation through Transparency – A Qualitative User Study on Observable Attestation" by the projects S2 (Christian Niesler and Sebastian Surminski from University Duisburg-Essen), and E7 (Sebastian Linsner and Kilian Demuth from TU Darmstadt).

Abstract

From the perspective of end-users, IoT devices behave like a black box: As long as they work as intended, the user will not detect any compromise. The user has minimal control over the software. Hence, it is very likely that the user misses when for instance illegal recordings and transmissions occur if a security camera or a smart speaker gets hacked. Therefore, we developed SCAtt-man, the first remote attestation scheme that is specifically designed with the user in mind. SCAtt-man deploys software-based attestation to check the integrity of remote devices allowing users to verify the integrity of IoT devices with their smartphone.

However, software-based remote attestation inherently suffers from the root-of-trust problem: the verifier cannot identify the device that is being attested, allowing an attacker to replace the attested device with another device or a simulation, so-called offloading attacks. To tackle this problem, SCAtt-man utilizes user-observable side-channels like light or sound in the attestation protocol, so that the user can observe the attestation process and identify the attested device to detect offloading attacks.

Besides the technical challenges to implement a secure attestation scheme, the involvement of the user also demands for a good usability and user experience to make SCAtt-man usable in practice.

Our proof-of-concept implementation targets a smart speaker and an attestation protocol that is based on a data-over-sound protocol. Our evaluation demonstrates the effectiveness of SCAtt-man against a variety of attacks and its usability based on a comprehensive user study with 20 participants. Our user study not only showed that SCAtt-man has good usability, but participants also stated that they actually believe that attestation can detect a device’s compromise and that they would use such functionality if their own devices featured such an attestation functionality.

This user study leads us to a more fundamental question addressing remote attestation: Do users understand and trust remote attestation? Can transparency assist users in understanding remote attestation? And do users trust formerly compromised devices that have been restored and verified with remote attestation? These questions are neglected in research on remote attestation, but very relevant for a practical usage. To answer these questions, we performed an extensive user study with 35 participants. The participants were provided with a smart home setup and state-of-the-art smart speakers, which they could attest using a smartphone app. We simulated compromised smart speakers and asked the participants to conduct a process to resolve the compromise.

We discovered that trust increases when additional explanations of the technical process are provided and thus the understanding of the attestation process is improved. The enhanced understanding of the process also decreases the false trust many users have in devices or processes which they do not understand. Observable attestation via the audio channel also strengthens trust in the attestation process. We also found that the process of the observable attestation increases the trust in the device and the sense of security positively. Thus, increased transparency in security mechanisms increases not only the understanding but also the trust of users and reduces false assumptions about the own security.

Link to the paper
SCAtt-man: Side-Channel Based Remote Attestation for Embedded Devices that Users Understand

The paper has been published the Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy (CODASPY'23).

Contact

Project S2 Project E7

The CROSSING Collaboration Award 2022 was given to the collaboration “ExTRUST: Reducing Exploit Stockpiles with Privacy-Preserving Depletion Systems for Inter-State Relationship” by the projects E4 (Daniel Günther), and E7 (Philipp Kühn, Thomas Reinhold).

Abstract

Cyberspace is a fragile construct threatened by malicious cyber operations of different actors, with vulnerabilities in IT hardware and software forming the basis for such activities, thus also posing a threat to global IT security. Advancements in the field of artificial intelligence accelerate this development, either with artificial intelligence enabled cyber weapons, automated cyber defense measures, or artificial intelligence-based threat and vulnerability detection. Especially state actors, with their long-term strategic security interests, often stockpile such knowledge of vulnerabilities and exploits to enable their military or intelligence service cyberspace operations. While treaties and regulations to limit these developments and to enhance global IT security by disclosing vulnerabilities are currently being discussed on the international level, these efforts are hindered by state concerns about the disclosure of unique knowledge and about giving up tactical advantages. This leads to a situation where multiple states are likely to stockpile at least some identical exploits, with technical measures to enable a depletion process for these stockpiles that preserve state secrecy interests and consider the special constraints of interacting states as well as the requirements within such environments being non-existent. This paper proposes such a privacy-preserving approach that allows multiple state parties to privately compare their stock of vulnerabilities and exploits to check for items that occur in multiple stockpiles without revealing them so that their disclosure can be considered. We call our system ExTRUST and show that it is scalable and can withstand several attack scenarios. Beyond the intergovernmental setting, ExTRUST can also be used for other zero-trust use cases, such as bug-bounty programs.

Link to the paper
ExTRUST: Reducing Exploit Stockpiles with Privacy-Preserving Depletion Systems for Inter-State Relationship.

The paper has been published in IEEE Transactions on Technology and Society ( Volume: 4, Issue: 2, June 2023).

Contact

Project E4 Project E7

The CROSSING Collaboration Award 2021 was given to the collaboration “QKD post-processing software” by the projects E1 (Michael Schlichtig, Anna-Katharina Wickert), E3 (Johannes Schickel, Alexandra Weber) and P4 (Erik Fitzke, Oleg Nikiforov, Alexander Sauer, Maximilian Tippmann).

Abstract

Quantum cryptography allows one to transmit secret information securely, based on the laws of quantum physics. It consists of (1) the transmission of physical particles like photons and (2) the software-based processing of measurements during the transmission. Quantum key distribution (QKD), e.g., transmits material for establishing a shared crypto key in this way. The key material is encoded into the particles in a way that leakage can be detected and mitigated via so-called privacy amplification. In this article, we investigate the role of the software implementation for the security of quantum cryptography. More concretely, we quantify the security of QKD software against cache side channels and show how to integrate cache-side-channel mitigation with the privacy amplification in QKD. We evaluate our approach at one variant of a QKD software that is in practical use. During our evaluation, we detect a cache-side-channel vulnerability, for which we develop a parametric mitigation that combines privacy amplification and program rewriting. We propose a cost model for the combined mitigation, which allows one to optimize the interaction between privacy amplification and program rewriting for the mitigation.

Link to the paper

Cache-Side-Channel Quantification and Mitigation for Quantum Cryptography (opens in new tab).

Contact

Project E1 Project E3 Project P4

Abstract
Most blockchain solutions are susceptible to quantum adversaries as they rely on cryptography that is known to be insecure in the presence of quantum adversaries. In this work, we advance the study of quantum-resistant blockchain solutions by giving a quantum-resistant construction of a deterministic wallet scheme.
In cryptocurrencies, money is transfered via transactions. A transaction is valid only when signed with the sender's secret key. This makes secret keys of users an attractive target to attackers. Deterministic wallets are frequently used in practice in order to securely store user's keys. A deterministic wallet has two components – usually the sensitive secret key is stored in a so-called cold wallet which is most of the time online, whereas the public key is stored in an online wallet called the hot wallet. Recently, Das et al. developed a formal model for the security analysis of deterministic wallets and proposed a generic construction from certain types of classical signature schemes that exhibit key rerandomization properties. For security in a quantum world, it is therefore mandatory to show that the generic construction proposed in this paper is secure against quantum adversaries and to design post-quantum secure signature schemes with key rerandomization to instantiate this generic construction.

Link to the Paper
Deterministic Wallets in a Quantum World

Contact
Project P1 , Project S7

Abstract

Due to advances in cryptanalysis and quantum computing, longterm secure storage of sensitive data cannot rely on current encryption, especially when the storage service is hosted by third-party cloud computing providers. One approach to achieve long-term secure storage is secret sharing-based distributed storage systems, where shares of data are generated and distributed to multiple storage servers. Data confidentiality and integrity are maintained by periodically renewing the shares and verifying the consistency of the shares using commitment schemes. However, protecting outsourced data in such scenarios remains prohibitively costly and impractical: Share renewal requires an information-theoretically secure channel between any two storage servers and long-term confidential commitment schemes are computationally impractical for large files.

In this paper, we present Safe, a secret sharing-based long-term secure distributed storage system that leverages a Trusted Execution Environment (TEE). Share generation and renewal are performed inside the TEE and the shares are securely distributed to the storage servers.We propose optimized protocols for Safe where significantly fewer information-theoretically secure channels are required than in state-of-the-art long-term secure storage systems, and computationally binding commitment schemes are replaced by more efficient computationally secure signatures. We prototype Safe protocols using a TEE instantiation, and show their efficiency, even for large files, compared to existing schemes. Safe is TEEagnostic, as it allows seamless migration from one TEE to another while maintaining the same security guarantees.

Link to the Paper

Safe: A Secure and Efficient Long-Term Distributed Storage System

Contact

Project P3 , Project E4 , Project S2 , Project S6

Abstract

Sensitive digital data, such as health information or governmental archives, are often stored for decades or centuries. The processing of such data calls for long-term security. Secure channels on the Internet require robust key establishment methods. Currently used key distribution protocols are either vulnerable to future attacks based on Shor's algorithm, or vulnerable in principle due to their reliance on computational problems. Quantum-based key distribution protocols are information-theoretically secure and offer long-term security. However, significant obstacles to their real-world use remain. This paper, which results from a multidisciplinary project involving computer scientists and physicists, systematizes knowledge about obstacles to and strategies for the realization of long-term secure Internet communication from quantum-based key distribution. We discuss performance and security particulars, consider the specific challenges arising from multi-user network settings, and identify key challenges for actual deployment.

Link to the Paper

The Status of Quantum-Based Long-Term Secure Communication over the Internet

Contact

Project P4 , Project S4 , Project S6

Abstract

There exists an extensive body of research demonstrating that application developers often fail to correctly and securely use cryptographic APIs and, as a result, produce insecure code. They mainly struggle with the cryptographic domain knowledge required to decide which algorithms are appropriate to use to perform a certain task and how to properly configure them. In addition, due to the low-level design of most cryptographic APIs, developers often face problems identifying the correct order of method calls and parameter values. When surveyed, developers indicate that they desire API design to be more high-level, more examplerich documentation showcasing common use cases of the API, as well as assistance tools that support them in using such APIs. In our work that was accepted at the ASE 2017 Tool Demonstrations track, we presented CogniCrypt, a tool that assists developers with the use of cryptographic APIs. CogniCrypt is implemented as an Eclipse plugin to smoothly integrate into any application developer’s workflow and assists the developer in two ways. First, for a number of common programming tasks that involve cryptography, CogniCrypt facilitates the generation of code snippets that implement the respective task in a secure manner. Currently, CogniCrypt supports tasks such as data encryption, communication over secure channels, and long-term archiving. Second, CogniCrypt continuously performs a suite of static code analyses in the background to ensure a secure integration of the generated code into the developer’s project. Since the code analysis runs independently of code generation, CogniCrypt still supports developers to produce secure code if they prefer to write the code themselves or are not aware of CogniCrypt’s full functionality. This video demo showcases the main features of CogniCrypt: youtube.com.

Link to the Paper

CogniCrypt: Supporting Developers in using Cryptography

Contact

Project E1 , Project E4 , Project S4 , Project S6

Abstract

In the recent years, secure computation has been the subject of intensive research, emerging from theory to practice. In order to make secure computation usable by non-experts, Fairplay (USENIX Security 2004) initiated a line of research in compilers that allow to automatically generate circuits from high-level descriptions of the functionality that is to be computed securely. Most recently, TinyGarble (IEEE S&P 2015) demonstrated that it is natural to use existing hardware synthesis tools for this task.

In this work, we present how to use industrial-grade hardware synthesis tools to generate circuits that are not only optimized for size, but also for depth. These are required for secure computation protocols with non-constant round complexity. We compare a large variety of circuits generated by our toolchain with hand-optimized circuits and show reduction of depth by up to 14%. The main advantages of our approach are developing customized libraries of depth-optimized circuit constructions which we map to high-level functions and operators, and using existing libraries available in the industrial-grade logic synthesis tools which are heavily tested. In particular, we show how to easily obtain circuits for IEEE 754 compliant floating-point operations.

We extend the open-source ABY framework (NDSS 2015) to securely evaluate circuits generated with our toolchain and show between 0.5 to 21.4 times faster floating-point operations than previous protocols of Aliasgari et al. (NDSS 2013), even though our protocols work for two parties instead of three or more. As application we consider privacy-preserving proximity testing on Earth.

Link to the Paper

Automated Synthesis of Optimized Circuits for Secure Computation

Contact

Project P3 , Project S2 , Project E4

Abstract

The learning with errors problem (LWE) is one of the most important problems in lattice-based cryptography. The goal of the LWE challenge is to determine the practical hardness of LWE, to gain an overview of the best known LWE solvers, and to motivate additional research eff?ort in this direction. The team has set up a web page that presents the LWE challenge to the community. At this page, all instances can be downloaded. Furthermore, solutions can be submitted and correct solutions will be displayed in a hall of fame.

The LWE challenge is not only a collaboration between CROSSING projects P1 (Florian Göpfert, Juliane Krämer) and S5 (Niklas Büscher) but also with international partners – University of California, San Diego (UCSD), University of Tartu and TU Eindhoven – and an industry partner, Cybernetica.

Link to the Paper

Creating Cryptographic Challenges Using Multi-Party Computation: The LWE Challenge

Link to the LWE Challenge

Website of the LWE Challenge

Contact

Project P1 , Project S5