A Formal Treatment of End-to-End Encrypted Cloud Storage
We present a formal syntax and security notions for end-to-end encrypted cloud storage and design the first, provably secure protocol for this widespread application.
Talks and presentations
The Blast-RADIUS attack
The Blast-RADIUS attack allows an MITM attacker to authenticate to any device that uses RADIUS over UDP, which includes the vast majority of network routers and other network gear in enterprise infrastructure.
MFKDF: Multiple Factors Knocked Down Flat
This talk presents multiple attacks against the Multi-Factor Key Derivation Function, a novel cryptographic primitive that was presented at USENIX’23.
Thriving in between theory and practice: How applied cryptography bridges the gap
Matilda Backendal and I were invited to give this talk at the NIST CRClub on where the gap between theory and practice occurs.
Key Overwriting Attacks
I was fortunate to be hosted by Henry Corrigan-Gibbs and held this talk at MIT CSAIL.
CSE 207b: Key Overwriting Attacks
In this guest lecture in the applied cryptography course CSE 207b at UCSD, I formalize key overwriting attacks.
MEGA: Malleable Encryption Goes Awry
In this talk, I present five attacks on the user-controlled end-to-end security MEGA. Our attacks show that a malicious provider can break authentication and compromise file confidentiality and integrity.
Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices
We discuss leasons learnt from breaking MEGA for why end-to-end encrypted cloud storage is hard to design.
Climbing the Hacking /mnt/ain
This talk discusses my experience as team coach of the Swiss National Hacking Team and preparing it for the European Cyber Security Challenge 2021.
Revisiting Microarchitectural Side-Channels
This talks presents the results of applying cache side-channels to contemporary hardware and investigating AES lookup tables, AES key scheduling, and Argon2. The slides give a brief overview of the content described in this blog post
SGX Accurate Time Measurements
This talk briefly summarizes our improvements on time measurements inside SGX enclaves. It discusses our discovery of the “Poor man’s CMOV” phenomenon, which later led to the USENIX Security paper on the Frontal Attack.