Arms Control in Cyberspace

CROSSING paper presents new system for reducing exploit stockpiles

2023/06/13 by

A new paper from the research groups ENCRYPTO and PEASEC at TU Darmstadt proposes a privacy-preserving approach that allows state actors to compare exploit stockpiles without revealing national secrets. The method can provide a practical approach to cyber arms control and promote cyber security for civilians, as identified exploits that are known to multiple states can potentially be disclosed to be fixed. The paper has now been published in IEEE Transactions on Technology and Society and also received the CROSSING Collaboration Award 2022.

In the interconnected cyberspace, our fragile digital infrastructure is constantly exposed to cyber threats from various actors. Exploiting vulnerabilities in IT hardware and software has become a primary tool in cyber espionage and cyber warfare, posing significant challenges to global cybersecurity. Advances in artificial intelligence further contribute to these challenges, with AI-enabled cyber weapons and AI-based automated cyber defences contributing to an increasingly complex landscape.

State actors, driven by long-term strategic security interests, often retain knowledge of vulnerabilities and vulnerability exploits to support their military or intelligence operations in cyberspace. While international treaties and regulations are being discussed to limit such activities through vulnerability disclosure, concerns over sharing unique knowledge with each other or with third parties is preventing progress, as this could create a potential tactical disadvantage and compromise state interests.

Addressing political challenges with tech

In their paper “ExTRUST: Reducing Exploit Stockpiles with a Privacy-Preserving Depletion System for Inter-State Relationships”, researchers from Prof. Thomas Schneider's Cryptography and Privacy Engineering Group (ENCRYPTO) and Prof. Christian Reuter's group Science and Technology for Peace and Security (PEASEC) propose a privacy-preserving solution to this problem using cryptography. The ExTRUST system enables two or more state actors to privately compare their vulnerability stockpiles using multi-party computation (MPC) and a novel exploit description method to detect common elements without disclosing them to opposing parties. This approach allows for careful consideration of disclosure while preserving the secrecy interests of the parties involved.

While the researchers point out that the MPC-based ExTRUST system does not currently meet all conceptual requirements, it shows to be scalable and can withstand several attack scenarios. The potential of ExTRUST goes beyond the inter-governmental context and is also transferable to other zero-trust applications such as bug bounty programmes. This versatile system represents a notable step forward in the pursuit of arms control and disarmament and provides new impulses on how technology can be used to address political challenges. The paper won the CROSSING Collaboration Award 2022 and has now been published in the IEEE journal Transactions on Technology and Society.


Thomas Reinhold, Philipp Kühn, Daniel Günther, Thomas Schneider, and Christian Reuter. ExTRUST: Reducing exploit stockpiles with a privacy-preserving depletion system for inter-state relationships. IEEE Transactions on Technology and Society, May 29, 2023.

This research has been funded by the German Research Foundation (DFG) via the Collaborative Research Center CROSSING, and co-funded via the Research Training Group Privacy & Trust. Further support came from the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE, as well as the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program.