Cyber Security in the Age of Large-Scale Adversaries

Current Research News

Grants and Honors

Mitglied der Leopoldina (2019, Christof Paar)

Program Co-Chair of the IEEE S&P (2021/22, Thorsten Holz)

16 Best Paper Awards at leading cryptography and security conferences (various)

ERC Advanced Grant (2015, Christof Paar)

ERC Starting Grant (2014, Thorsten Holz)

ERC Consolidator Grant (2013, Eike Kiltz)

DFG Gottfried Wilhelm Leibniz Preis (2008, Holger Boche)

DFG Heinz Maier-Leibnitz Preis (2011, Thorsten Holz)

DFG Emmy-Noether Program (2008, Aydin Sezgin)

DFG Heisenberg Professorship (2015, Gregor Leander)

NWO Vici Grant (The Netherlands) (2012, Dan Bernstein)

Alexander v. Humboldt-Foundation Sofja Kovalevskaja Award (2010, Eike Kiltz)

ACM SIGSAC Doctoral Dissertation Award (2016, Lucas Davi)

DHL Innovation Award (2013, Gregor Leander, Christof Paar)

IBM Faculty Award (2013, Angela Sasse)

NRW Innovationspreis (2012, Christof Paar)

Facebook Internet Defense Prize at USENIX Security (2014, Thorsten Holz)

German IT-Security Award (1st place) (2010, Gregor Leander, Christof Paar)

German IT-Security Award (2nd place) (2012, Eike Kiltz)

VDE Johann-Philipp-Reis Prize (2007, Holger Boche)

Fellow of the Royal Academy of Engineering (2015, Angela Sasse)

Fellow of the Institute of Mathematical Statistics (2013, Holger Dette)

IEEE Fellow (2010, Christof Paar)

IEEE Fellow (2011, Holger Boche)

IACR Fellow (2017, Christof Paar)

Young Fellow of NRW Academy of Sciences, Humanities & Arts (2015, Tim Güneysu)

Recent Outstanding Publications


Christof Beierle, Gregor Leander, Yosuke Todo

Improved Differential-Linear Attacks with Applications to ARX Ciphers


40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

We present several improvements to the framework of differential-linear attacks with a special focus on ARX ciphers. As a demonstration of their impact, we apply them to Chaskey and ChaCha and we are able to significantly improve upon the best attacks published so far. (...)


Christof Beierle, Alex Biryukov, Luan Cardoso dos Santos, Johann Großschädl, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov, Qingju Wang

Alzette: a 64-bit ARX-box (feat. CRAX and TRAX)

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

In this paper, we present a 64-bit ARX-based S-box called Alzette, which can be evaluated in constant time using only 12 instructions on modern CPUs. Its parallel application can also leverage vector (SIMD) instructions. (...)


Florian Quinkert, Martin Degeling, Jim Blythe, Thorsten Holz

Be the Phisher - Understanding Users' Perception of Malicious Domains

ACM CCS. ACM Conference on Computer and Communications Security

Attackers use various domain squatting techniques to convince users that their services are legitimate. Previous work has shown that methods like typosquatting, where single characters are removed or duplicated, can successfully deceive users. In this paper, we present a study that evaluates how well participants distinguish malicious from benign domains before and after they learned and applied domain squatting techniques themselves (...)


Tobias Urban, Dennis Tatang, Martin Degeling, Thorsten Holz, Norbert Pohlmann

Measuring the Impact of the GDPR on Data Sharing in Ad Networks

ACM CCS. ACM Conference on Computer and Communications Security

The European General Data Protection Regulation (GDPR), which went into effect in May 2018, brought new rules for the processing of personal data that affect many business models, including online advertising. The regulation’s definition of personal data applies to every company that collects data from European Internet users. This includes tracking services that, until then, argued that they were collecting anonymous information and data protection requirements would not apply to their businesses. (...)


Teemu Rytilahti, Thorsten Holz

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways

NDSS. Usenix Network and Distributed System Security Symposium

Typical port scanning approaches do not achieve a full coverage of all devices connected to the Internet as not all devices are directly reachable via a public (IPv4) address: due to IP address space exhaustion, firewalls, and many other reasons, an end-to-end connectivity is not achieved in today’s Internet anymore. Especially Network Address Translation (NAT) is widely deployed in practice and it has the side effect of “hiding” devices from being scanned. (...)


Tobias Cloosters, Michael Rodler, Lucas Davi

TeeRex: Discovery and Exploitation of Memory Corruption Vulnerabilities in SGX Enclaves

USENIX-Security. Usenix Security Symposium.


Intel’s Software Guard Extensions (SGX) introduced new instructions to switch the processor to enclave mode which protects it from introspection. While the enclave mode strongly protects the memory and the state of the processor, it cannot withstand memory corruption errors inside the enclave code. In this paper, we show that the attack surface of SGX enclaves provides new challenges for enclave developers as exploitable memory corruption vulnerabilities are easily introduced into enclave code. (...)


Andre Esser, Alexander May

Low Weight Discrete Logarithms and Subset Sum in 2^0.65n with Polynomial Memory

EUROCRYPT. Annual International Conference on the Theory and Applications of Cryptographic Techniques

We propose two heuristic polynomial memory collision finding algorithms for the low Hamming weight discrete logarithm problem in any abelian group G. The first one is a direct adaptation of the Becker-Coron-Joux (BCJ) algorithm for subset sum to the discrete logarithm setting. The second one significantly improves on this adaptation for all possible weights using a more involved application of the representation technique together with some new Markov chain analysis.


Yonglin Hao, Gregor Leander, Willi Meier, Yosuke Todo, Qingju Wang

Modeling for Three-Subset Division Property without Unknown Subset --Improved Cube Attacks against Trivium and Grain-128AEAD

EUROCRYPT. Annual International Conference on the Theory and Applications of Cryptographic Techniques


A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. (...)


Jörg Schwenk, Marcus Brinkmann, Damian Poddebniak, Jens Müller, Juraj Somorovsky, Sebastian Schinzel

Mitigation of Attacks on Email End-to-End Encryption

ACM CCS. ACM Conference on Computer and Communications Security

OpenPGP and S/MIME are two major standards for securing email communication introduced in the early 1990s. Three recent classes of attacks exploit weak cipher modes (EFAIL Malleability Gadgets, or EFAIL-MG), the flexibility of the MIME email structure (EFAIL Direct Exfiltration, or EFAIL-DE), and the Reply action of the email client (REPLY attacks). Although all three break message confidentiality by using standardized email features, only EFAIL-MG has been mitigated in IETF standards with the introduction of Authenticated Encryption with Associated Data (AEAD) algorithms. (...)


Michael Rodler, Wenting Li, Ghassan Karame, Lucas Davi

Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks

NDSS. Usenix Network and Distributed System Security Symposium

Recently, a number of existing blockchain systems have witnessed major bugs and vulnerabilities within smart contracts. Although the literature features a number of proposals for securing smart contracts, these proposals mostly focus on proving the correctness or absence of a certain type of vulnerability within a contract, but cannot protect deployed (legacy) contracts from being exploited. (...)


Maik Ender, Amir Moradi, Christof Paar

The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs


29th USENIX Security Symposium, Boston, MA, USA, August 2020

In this paper, we introduce novel low-cost attacks against the Xilinx 7-Series (and Virtex-6) bitstream encryption, resulting in the total loss of authenticity and confidentiality. We exploit a design flaw which piecewise leaks the decrypted bitstream. (...)


David Rupprecht, Katharina Kohls, Thorsten Holz

Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE

29th USENIX Security Symposium, Boston, MA, USA, August 2020

Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard and deployed by most telecommunication providers in practice. Due to this widespread use, successful attacks against VoLTE can affect a large number of users worldwide. In this work, we introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call, hence enabling an adversary to eavesdrop on phone calls. (...)


Tim Blazytko, Moritz Schlögel, Cornelius Aschermann, Ali Abbasi, Joel Frank, Simon Wörner, Thorsten Holz

Aurora: Statistical Crash Analysis for Automated Root Cause Explanation

29th USENIX Security Symposium, Boston, MA, USA, August 2020

In this paper, we propose an automated analysis approach that does not only identify the root cause of a given crashing input for a binary executable, but also provides the analyst with context information on the erroneous behavior that characterizes crashing inputs. (...)


Joel Frank, Cornelius Aschermann, Thorsten Holz

ETHBMC: A Bounded Model Checker for Smart Contracts

29th USENIX Security Symposium, Boston, MA, USA, August 2020

(...) we present the design and implementation of ETHBMC, a bounded model checker based on symbolic execution which provides a precise model of the Ethereum network. We demonstrate its capabilities in a series of experiments. (...)


Paul Fiterau-Brostean, Bengt Jonsson, Robert Merget, Joeri de Ruiter, Konstantinos Sagonas, Juraj Somorovsky

Analysis of DTLS Implementations Using Protocol State Fuzzing

29th USENIX Security Symposium, Boston, MA, USA, August 2020

We present the first comprehensive analysis of DTLS implementations using protocol state fuzzing. To that end, we extend TLS-Attacker, an open source framework for analyzing TLS implementations, with support for DTLS tailored to the stateless and unreliable nature of the underlying UDP layer. (...)


Abraham A Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, Mathias Payer

HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation

29th USENIX Security Symposium, Boston, MA, USA, August 2020

Given the increasing ubiquity of online embedded devices, analyzing their firmware is important to security, privacy, and safety. The tight coupling between hardware and firmware and the diversity found in embedded systems makes it hard to perform dynamic analysis on firmware. (...)


Eduard Hauck, Eike Kiltz, Julian Loss

A Modular Treatment of Blind Signatures from Identification Schemes

EUROCRYPT. Annual International Conference on the Theory and Applications of Cryptographic Techniques

We propose a modular security treatment of blind signatures derived from linear identification schemes in the random oracle model. To this end, we present a general framework that captures several well known schemes from the literature and allows to prove their security. (...)


Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Gaëtan Leurent, Léo Perrin, María Naya Plasencia, Yu Sasaki, Yosuke Todo, Friedrich Wiemer

Out of Oddity -- New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

This work compares the security levels offered by two recent families of such primitives, namely GMiMC and HadesMiMC. We exhibit low-complexity distinguishers against the GMiMC and HadesMiMC permutations for most parameters proposed in recently launched public challenges for STARK-friendly hash functions. (...)


Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk

“Johnny, you are fired!” – Spoofing OpenPGP and S/MIME Signatures in Emails

28th USENIX Security Symposium (USENIX Security '19)

In this work we show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME’s container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients’ handling of partially signed messages. (...)


Eduard Hauck, Eike Kiltz, Julian Loss, Ngoc Khanh Nguyen

Lattice-Based Blind Signatures, Revisited

40th International Cryptology Conference (IACR Crypto), Santa Barbara, CA, USA, August 2020

We observe that all previously known lattice-based blind signature schemes contain subtle flaws in their security proofs (e.g., Rückert, ASIACRYPT '08) or can be attacked (e.g., BLAZE by Alkadri et al., FC '20). Motivated by this, we revisit the problem of constructing blind signatures from standard lattice assumptions. (...)


Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, Thorsten Holz

(Un)informed Consent: Studying GDPR Consent Notices in the Field

ACM CCS. ACM Conference on Computer and Communications Security

Since the adoption of the General Data Protection Regulation (GDPR) in May 2018 more than 60% of popular websites in Europe display cookie consent notices to their visitors. This has quickly led to users becoming fatigued with privacy notifications and contributed to the rise of both browser extensions that block these banners and demands for a solution that bundles consent across multiple websites or in the browser. (...)


Jens Müller, Fabian Ising, Vladislav Mladenov, Christian Mainka, Sebastian Schinzel, Jörg Schwenk

Practical Decryption exFiltration: Breaking PDF Encryption

ACM CCS. ACM Conference on Computer and Communications Security

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. (...)


Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, Dorothea Kolossa

Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding.

NDSS ISOC Network and Distributed System Security Symposium 2019.

(...) In this paper, we introduce a new type of adversarial examples based on psychoacoustic hiding. Our attack exploits the characteristics of DNN-based ASR systems, where we extend the original analysis procedure by an additional backpropagation step. (...)


Manu Drijvers, Kasra Edalatnejad, Bryan Ford, Eike Kiltz, Julian Loss, Gregory Neven and Igors Stepanovs

On the Security of Two-Round Multi-Signatures

40th IEEE Symposium on Security and Privacy

In this work, we point out serious security issues in all currently known two-round multi-signature schemes (without pairings). First, we prove that none of the schemes can be proved secure without radically departing from currently known techniques. Namely, we show that if the one-more discrete-logarithm problem is hard, then no algebraic reduction exists that proves any of these schemes secure under the discrete-logarithm or one-more discrete-logarithm problem. (...)


Daniel J. Bernstein and Tanja Lange

McTiny: fast high-confidence post-quantum key erasure for tiny network servers

29th USENIX Security Symposium, 2019

This paper describes a protocol, suitable for today's networks and tiny servers, in which clients transmit their code-based one-time public keys to servers. Servers never store full client public keys but work on parts provided by the clients, without having to maintain any per-client state. Intermediate results are stored on the client side in the form of encrypted cookies and are eventually combined by the server to obtain the ciphertext. (...)


David Rupprecht, Katharina Kohls, Thorsten Holz, Christina Pöpper

IMP4GT: IMPersonation Attacks in 4G NeTworks

Network and Distributed System Security Symposium (NDSS), San Diego, California, USA, February 2020

In this work, we introduce a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that combining it with the layer-two vulnerability allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT. (...)


Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv

This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

IEEE Symposium on Security and Privacy (SP '20), San Francisco, California, May 2020

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security.


Daniel J. Bernstein, Andreas Hülsing, Stefan Kölbl, Ruben Niederhagen, Joost Rijneveld, Peter Schwabe

The SPHINCS+ Signature Framework

ACM SIGSAC Conference on Computer and Communications Security 2019

We introduce SPHINCS+, a stateless hash-based signature framework. SPHINCS+ has significant advantages over the state of the art in terms of speed, signature size, and security, and is among the nine remaining signature schemes in the second round of the NIST PQC standardization project. One of our main contributions in this context is a new few-time signature scheme that we call FORS. (...)


Cornelius Aschermann, Sergej Schumilo, Ali Abbasi, Thorsten Holz

IJON: Exploring Deep State Spaces via Fuzzing

IEEE Symposium on Security and Privacy ("Oakland"), San Jose, CA, May 2020

In this paper, we propose IJON, an annotation mechanism that a human analyst can use to guide the fuzzer. In contrast to the two aforementioned techniques, this approach allows a more systematic exploration of the program’s behavior based on the data representing the internal state of the program. As a consequence, using only a small (usually one line) annotation, a user can help the fuzzer to solve previously unsolvable challenges. (...)


Joel Frank, Cornelius Aschermann, Thorsten Holz

EthBMC: A Bounded Model Checker for Smart Contracts

USENIX Security Symposium, Boston, MA, USA, August 2020

We surveyed eight recently proposed static analyzers for Ethereum smart contracts and found that none of them captures all relevant features of the Ethereum ecosystem. For example, we discovered that a precise memory model is missing and inter-contract analysis is only partially supported. Based on these insights, we present the design and implementation of ETHBMC. (...)


Benedikt Auerbach, Federico Giacon, and Eike Kiltz

Everybody’s a Target: Scalability in Public-Key Encryption

39th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2020

For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a public-key encryption (PKE) scheme. An adversary, given n independent instances of PKE, wins if he breaks at least m out of the n instances. In this work, we are interested in the scaling factor of PKE schemes, SF, which measures how well the difficulty of breaking m out of the n instances scales in m. (...)


Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner, Thorsten Holz

Hyper-Cube: High-Dimensional Hypervisor Fuzzing

Network and Distributed System Security Symposium (NDSS), San Diego, California, USA, February 2020

In this paper, we present the design and implementation of HYPER-CUBE, a novel fuzzer that aims explicitly at testing hypervisors in an efficient, effective, and precise way. Our approach is based on a custom operating system that implements a custom bytecode interpreter. This high-throughput design for long-running, interactive targets allows us to fuzz a large number of both open source and proprietary hypervisors.



ERC Advanced Grant 2016 – 2021 Paar

ERC Consolidator Grant 2014 – 2019 Kiltz

ERC Starting Grant 2015 – 2020 Holz

NWO Vici Grant 2012 – 2017 Bernstein

AvH Sofja Kovalevskaja Award 2010 – 2015 Kiltz

DFG Heisenberg Professorship 2015 – 2018 Leander

DFG Research Training Group “Cryptography for Ubiquitous Computing” 2012 – 2017 May (co-spokesperson), Paar (co-spokesperson), Dürmuth, Güneysu, Holz, Kiltz, Kolossa, Leander, Schwenk

NRW Doctoral Training Group “Security for Humans in Cyberspace” 2016 – 2019 Paar (spokesperson), Dürmuth, Holz, Kiltz, Kolossa, May, Rummel

NRW Doctoral Training Group “Human-Centered Systems Security” 2017 – 2020 Holz (co-spokesperson), Schwenk (co-spokesperson), Dürmuth

Projects in DFG SFB “Statistical modeling of nonlinear dynamic processes” 2013 – 2021 Dette (deputy spokesperson)

GCHQ/EPSRC project “UK Research Institute in Science of Cyber Security (RISCS)” 2010 – 2021 Sasse (director)

EU project “Post-quantum cryptography for long-term security” 2015 – 2018 Bernstein (co-coordinator), Lange (co-coordinator), Güneysu, Paar

EU project “FutureTrust” 2016 – 2019 Schwenk (coordinator)

EU European Training Network “ECRYPT-NET” 2015 – 2018 Bernstein, Güneysu, Kiltz, Lange, May, Paar

BMWi project “Secure eMobility” 2012 – 2014 Güneysu, Holz, Paar, Schwenk