Workshop on Attacks in Cryptography 6


WAC6 was an affiliated event at Crypto 2023 on Sunday, August 20th 2023 at University of California, Santa Barbara.

workshop description

Cryptography is often thought of as the bright spot of practical security, a mathematical paradise where security can be rigorously proven and issues like buffer overflows are in someone else’s department. However, there is a growing community of researchers who regularly find serious flaws in widely deployed cryptographic implementations and protocols. In recent years, this type of research has mostly been published in systems security conferences. This workshop will bring together researchers who work on cryptographic attacks and provide a showcase of their work for the Crypto community. This is the sixth edition of the WAC workshop, which was established by Nadia Heninger.

date and location

Date: Sunday, August 20th 2023

registration

Select WAC6 under “affiliated events” when registering for Crypto 2023.

schedule

Sunday, August 20th 2023
08:55—09:00 (PST) introductory remarks
09:00—09:30 (PST)


Wi-Fi devices routinely queue frames at various layers of the network stack before transmitting, for instance, when the receiver is in sleep mode. In this work, we investigate how Wi-Fi access points manage the security context of queued frames. By exploiting power-save features, we show how to trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key. We demonstrate resulting attacks against several open-source network stacks. We attribute our findings to the lack of explicit guidance in managing security contexts of buffered frames in the 802.11 standards. The unprotected nature of the power-save bit in a frame’s header, which our work reveals to be a fundamental design flaw, also allows an adversary to force the queuing of frames intended for a specific client, resulting in its disconnection and trivially executing a denial-of-service attack.

Furthermore, we demonstrate how an attacker can override and control the security context of frames that are yet to be queued. This exploits a design flaw in hotspot-like networks and allows the attacker to force an access point to encrypt yet-to-be-queued frames using an adversary-chosen key, thereby bypassing Wi-Fi encryption entirely.

Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic. Overall, we highlight the need for transparency in handling security context across the network stack layers and the challenges in doing so.

09:30—10:15 (PST)


In several recent papers [1, 2, 3] we have been able to exploit an attack vector called "key overwriting". Here, an adversary is able to convince a victim to make use of a (potentially) attacker-controlled public key in conjunction with the victim's private key (which itself may have been partially corrupted). Depending on the exact circumstances, this may allow complete recovery of the victim’s private key. In this talk, I’ll give a brief overview of this kind of attack using illustrative examples from [1, 2, 3]. I’ll also discuss non-robust and robust countermeasures against key overwriting.

[1] Lara Bruseghini, Daniel Huigens, Kenneth G. Paterson: Victory by KO: Attacking OpenPGP Using Key Overwriting. CCS 2022: 411-423.

[2] Matilda Backendal, Miro Haller and Kenneth G. Paterson: MEGA: Malleable Encryption Goes Awry. IEEE Symposium on Security and Privacy, 2023.

[3] Martin R. Albrecht, Miro Haller, Lenka Mareková, Kenneth G. Paterson: Caveat Implementor! Key Recovery Attacks on MEGA. EUROCRYPT (5) 2023: 190-218.

10:15—10:45 (PST) break
10:45—11:45 (PST)


Matrix is a standard that defines a secure group messaging protocol with over 80 million users. This includes a number of European governmental organisations, such as the German healthcare system and military, both of which use it in the field. Despite its popularity and use in high-stakes environments, the cryptography in Matrix has not been well studied until now.

We analysed the security of Matrix and its flagship implementation, Element, finding five practically exploitable attacks and one theoretical vulnerability.

Join us as we enter the Matrix, uncover vulnerabilities and dive into the details of our attacks.

11:45—12:15 (PST)


In this talk I will give a general overview of several national proposals to mandate client-side content scanning in encrypted messaging systems, and will discuss the risks of these proposals. In particular I will discuss some new research on perceptual hash functions and explore how these functions can be used to undermine the security of encrypted messaging. This work will include some results to be presented concurrently at USENIX Security 2023.

12:15—12:45 (PST)


A flurry of excitement amongst researchers and practitioners has produced modern proof systems built using novel technical ideas and seeing rapid deployment, especially in cryptocurrencies. Most of these modern proof systems use the Fiat-Shamir (F-S) transformation, a seminal method of removing interaction from a protocol with a public-coin verifier. Some prior work has shown that incorrectly applying F-S (i.e., using the so-called "weak" F-S transformation) can lead to breaks of classic protocols like Schnorr's discrete log proof; however, little is known about the risks of applying F-S incorrectly for modern proof systems seeing deployment today.

In this talk, we fill this knowledge gap by presenting our theoretical and practical study of F-S in implementations of modern proof systems. We first demonstrate the prevalence of weak F-S in practice via a comprehensive survey of more than 75 open-source implementations, revealing 36 weak F-S vulnerabilities across 12 different proof systems. For four of these, namely Bulletproofs, Plonk, Spartan, and Wesolowski's VDF, we develop novel knowledge soundness attacks accompanied by rigorous proofs of their efficacy. We then present case studies of breaking applications that use vulnerable implementations, showing that weak F-S vulnerabilities could have led to the creation of unlimited currency in at least two separate blockchain protocols. Finally, we discuss possible mitigations and takeaways for academics and practitioners.

This is joint work with Jim Miller, Opal Wright, and Paul Grubbs.
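As an added illustration (not code from the talk or the paper it summarises): a toy Schnorr proof of discrete-log knowledge in a constructed small group, with a verifier switchable between weak F-S (challenge over the commitment only) and strong F-S (challenge also bound to the statement), and a transcript built without any secret that only the weak verifier accepts. The group parameters and the function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup of prime order q. Far too small
# for real use; it only keeps the arithmetic easy to follow.
P, Q, G = 10007, 5003, 4


def hash_to_zq(*parts):
    """SHA-256 over a fixed-width encoding of the inputs, reduced mod q."""
    data = b"".join(x.to_bytes(8, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def challenge(r, x, strong):
    """Strong F-S binds the statement (group and public key x) into the
    challenge; weak F-S hashes the commitment r alone."""
    return hash_to_zq(G, P, x, r) if strong else hash_to_zq(r)


def prove(sk, strong):
    """Honest Schnorr proof of knowledge of sk for x = g^sk mod p."""
    x = pow(G, sk, P)
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce
    r = pow(G, k, P)
    c = challenge(r, x, strong)
    return x, (r, (k + c * sk) % Q)


def verify(x, proof, strong):
    """Accept iff g^z == r * x^c with c recomputed by the verifier."""
    r, z = proof
    c = challenge(r, x, strong)
    return pow(G, z, P) == (r * pow(x, c, P)) % P


def statement_free_transcript(strong):
    """Transcript produced without knowing any discrete log: choose r and z
    first, then solve g^z = r * x^c for x. This is the classic soundness
    failure of weak F-S; under strong F-S the challenge changes once x is
    fixed, so the same transcript no longer verifies."""
    while True:
        r = pow(G, secrets.randbelow(Q - 1) + 1, P)
        z = secrets.randbelow(Q)
        c = challenge(r, 0, strong)   # weak F-S never looks at the statement
        if c:                         # need c invertible mod q
            break
    x = pow((pow(G, z, P) * pow(r, -1, P)) % P, pow(c, -1, Q), P)
    return x, (r, z)
```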

12:45—14:00 (PST) lunch
14:00—14:45 (PST)


Learning with Errors (LWE) is a hard math problem underpinning many proposed post-quantum cryptographic (PQC) systems. The only PQC key exchange standardized by NIST is based on module LWE, and current publicly available PQ Homomorphic Encryption (HE) libraries are based on ring LWE. The security of LWE-based PQ cryptosystems is critical, but certain implementation choices could weaken them. One such choice is sparse binary secrets, desirable for PQ HE schemes for efficiency reasons.

This talk will discuss our efforts to develop machine learning-based attacks against LWE schemes with sparse binary secrets. Our initial work, SALSA, demonstrated a proof-of-concept machine learning-based attack on LWE with sparse binary secrets in small dimensions (n<129) and low Hamming weights (h<5). Our more recent work, PICANTE, recovers secrets in much larger dimensions (up to n=350) and with larger Hamming weights (roughly n/10, and up to h=60 for n=350). We achieve this dramatic improvement via a novel preprocessing step, which allows us to generate training data from a linear number of eavesdropped LWE samples (4n) and changes the distribution of the data to improve transformer training. We also improve the secret recovery methods of SALSA and introduce a novel cross-attention recovery mechanism allowing us to read off the secret directly from the trained models. While PICANTE does not threaten NIST's proposed LWE standards, it demonstrates significant improvement over SALSA and could scale further, highlighting the need for future investigation.

14:55—15:25 (PST)


The road to broken cryptography is paved with good intentions. In this talk, we take a look at vulnerabilities we discovered in Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers.

We highlight several important attributes that a secure messaging protocol should strive to achieve, including metadata authenticity and replay protection. Drawing insights from our attacks, we then analyse why these goals were not met, despite the use of solid cryptographic building blocks.

15:25—15:55 (PST) break
15:55—16:40 (PST)


Session tickets improve the TLS protocol performance and are therefore widely used. For this, the server encrypts secret state and the client stores the ciphertext and state. Anyone able to decrypt this ciphertext can passively decrypt the traffic or actively impersonate the TLS server on resumption. To estimate the dangers associated with session tickets, we perform the first systematic large-scale analysis of the cryptographic pitfalls of session ticket implementations.

We found significant differences in session ticket implementations and critical security issues in the analyzed servers. Vulnerable servers used weak keys or repeating keystreams in the used tickets. Among others, our analysis revealed a widespread implementation flaw within the Amazon AWS ecosystem that allowed for passive traffic decryption for at least 1.9% of the Tranco Top 100k servers.

16:40—17:00 (PST)


Multi-Party Computation (MPC) has become a major tool for protecting hundreds of billions of dollars in cryptocurrency wallets. MPC protocols are currently powering the wallets of Coinbase, Binance, Zengo, BitGo, Fireblocks and many other fintechs/banks servicing hundreds of millions of consumers and thousands of financial institutions.

We show practical key-extraction attacks requiring no more than a couple of hundred signatures (the severity of the attack depends on the number of signature-generation ceremonies the attacker participates in before extracting the key). In particular, we show three attacks on different protocols/implementations realizing threshold ECDSA requiring 256, 16, and one signature, respectively.

organizers

Miro Haller
University of California, San Diego
Keegan Ryan
University of California, San Diego