{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T04:29:40Z","timestamp":1778128180045,"version":"3.51.4"},"publisher-location":"Cham","reference-count":36,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031305887","type":"print"},{"value":"9783031305894","type":"electronic"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-30589-4_7","type":"book-chapter","created":{"date-parts":[[2023,4,15]],"date-time":"2023-04-15T11:02:07Z","timestamp":1681556527000},"page":"190-218","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Caveat Implementor! Key Recovery Attacks on\u00a0MEGA"],"prefix":"10.1007","author":[{"given":"Martin R.","family":"Albrecht","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8796-5064","authenticated-orcid":false,"given":"Miro","family":"Haller","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8616-4150","authenticated-orcid":false,"given":"Lenka","family":"Marekov\u00e1","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5145-4489","authenticated-orcid":false,"given":"Kenneth G.","family":"Paterson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,4,16]]},"reference":[{"key":"7_CR1","doi-asserted-by":"publisher","unstructured":"Albrecht, M.R., Marekov\u00e1, L., Paterson, K.G., Stepanovs, I.: Four attacks and a proof for Telegram. In: 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, 22\u201326 May 2022, pp. 87\u2013106. IEEE (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833666","DOI":"10.1109\/SP46214.2022.9833666"},{"key":"7_CR2","doi-asserted-by":"crossref","unstructured":"Backendal, M., Haller, M., Paterson, K.G.: MEGA: malleable encryption goes awry. In: 44th IEEE Symposium on Security and Privacy (2023, to appear). https:\/\/eprint.iacr.org\/2022\/959","DOI":"10.1109\/SP46215.2023.10179290"},{"key":"7_CR3","doi-asserted-by":"publisher","unstructured":"Barbosa, M., et al.: SoK: computer-aided cryptography. In: 2021 IEEE Symposium on Security and Privacy, pp. 777\u2013795. IEEE Computer Society Press, May 2021. https:\/\/doi.org\/10.1109\/SP40001.2021.00008","DOI":"10.1109\/SP40001.2021.00008"},{"key":"7_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/BFb0055716","volume-title":"Advances in Cryptology \u2014 CRYPTO \u201998","author":"D Bleichenbacher","year":"1998","unstructured":"Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1\u201312. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0055716"},{"key":"7_CR5","doi-asserted-by":"publisher","unstructured":"Bruseghini, L., Paterson, K.G., Huigens, D.: Victory by KO: attacking OpenPGP using key overwriting. In: ACM Conference on Computer and Communications Security (ACM CCS) (2022, to appear). https:\/\/doi.org\/10.3929\/ethz-b-000545839","DOI":"10.3929\/ethz-b-000545839"},{"key":"7_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/3-540-68339-9_16","volume-title":"Advances in Cryptology \u2014 EUROCRYPT \u201996","author":"D Coppersmith","year":"1996","unstructured":"Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178\u2013189. Springer, Heidelberg (1996). https:\/\/doi.org\/10.1007\/3-540-68339-9_16"},{"key":"7_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/978-3-030-77886-6_9","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2021","author":"L Ducas","year":"2021","unstructured":"Ducas, L., Stevens, M., van Woerden, W.: Advanced lattice sieving on GPUs, with tensor cores. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 249\u2013279. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-77886-6_9"},{"key":"7_CR8","unstructured":"Howgrave-Graham, N.A.: Computational Mathematics Inspired by RSA. Ph.D. thesis, University of Bath (1998). https:\/\/researchportal.bath.ac.uk\/en\/studentTheses\/computational-mathematics-inspired-by-rsa"},{"key":"7_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/BFb0024458","volume-title":"Crytography and Coding","author":"N Howgrave-Graham","year":"1997","unstructured":"Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131\u2013142. Springer, Heidelberg (1997). https:\/\/doi.org\/10.1007\/BFb0024458"},{"key":"7_CR10","doi-asserted-by":"crossref","unstructured":"Klima, V., Rosa, T.: Attack on private signature keys of the OpenPGP format, PGP(TM) programs and other applications compatible with OpenPGP. Cryptology ePrint Archive, Report 2002\/076 (2002). https:\/\/eprint.iacr.org\/2002\/076","DOI":"10.1088\/1126-6708\/2002\/10\/076"},{"key":"7_CR11","unstructured":"Len, J., Grubbs, P., Ristenpart, T.: Partitioning oracle attacks. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 195\u2013212. USENIX Association, August 2021"},{"key":"7_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/BFb0052240","volume-title":"Advances in Cryptology \u2014 CRYPTO \u201997","author":"CH Lim","year":"1997","unstructured":"Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249\u2013263. Springer, Heidelberg (1997). https:\/\/doi.org\/10.1007\/BFb0052240"},{"key":"7_CR13","doi-asserted-by":"publisher","unstructured":"May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P., Vall\u00e9e, B. (eds.) The LLL Algorithm. Information Security and Cryptography. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-02295-1_10","DOI":"10.1007\/978-3-642-02295-1_10"},{"key":"7_CR14","unstructured":"MEGA: About Us, September 2022. https:\/\/mega.io\/about"},{"key":"7_CR15","unstructured":"MEGA: Mega.nz web client (2022). https:\/\/github.com\/meganz\/webclient"},{"key":"7_CR16","unstructured":"MEGA: Security White Paper, June 2022. https:\/\/mega.nz\/SecurityWhitepaper.pdf"},{"key":"7_CR17","unstructured":"MEGA: webclient - #15273: Patch for ETH Zurich exploit, June 2022. https:\/\/github.com\/meganz\/webclient\/commit\/d2a0d054d4dbb90f035b3b4b421f780adafaa78e"},{"key":"7_CR18","unstructured":"MEGA: webclient - #15295: Output detailed information about RSA decoding failures, June 2022. https:\/\/github.com\/meganz\/webclient\/commit\/cd4ab89b2cd0e388b0ea55753b86c8808f810138"},{"key":"7_CR19","unstructured":"MEGA: webclient - asmcrypto.js, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/vendor\/asmcrypto.js"},{"key":"7_CR20","unstructured":"MEGA: webclient - asmcrypto.js: Modulus, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/vendor\/asmcrypto.js#L10325"},{"key":"7_CR21","unstructured":"MEGA: webclient - asmcrypto.js: Modulus_inverse. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/vendor\/asmcrypto.js#L10382 (August 2022)"},{"key":"7_CR22","unstructured":"MEGA: webclient - asmcrypto.js: mredc, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/vendor\/asmcrypto.js#L9706"},{"key":"7_CR23","unstructured":"MEGA: webclient - asmcrypto.js: RSA_decrypt, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/vendor\/asmcrypto.js#L10746"},{"key":"7_CR24","unstructured":"MEGA: webclient - crypto.js: api_updfkeysync, September 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/crypto.js#L3050"},{"key":"7_CR25","unstructured":"MEGA: webclient - crypto.js: crypto_decodeprivkey, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/crypto.js\/#L2047"},{"key":"7_CR26","unstructured":"MEGA: webclient - nodedec.js: crypto_rsadecrypt, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/nodedec.js\/#L550"},{"key":"7_CR27","unstructured":"MEGA: webclient - security.js: decryptRsaKeyAndSessionId, August 2022. https:\/\/github.com\/meganz\/webclient\/blob\/v4.21.4\/js\/security.js#L1231"},{"key":"7_CR28","unstructured":"Micheli, G.D., Heninger, N.: Recovering cryptographic keys from partial information, by example. Cryptology ePrint Archive, Report 2020\/1506 (2020). https:\/\/eprint.iacr.org\/2020\/1506"},{"key":"7_CR29","unstructured":"Ryan, K., Heninger, N.: Cryptanalyzing MEGA in six queries. Cryptology ePrint Archive, Report 2022\/914 (2022). https:\/\/eprint.iacr.org\/2022\/914"},{"key":"7_CR30","unstructured":"Shakevsky, A., Ronen, E., Wool, A.: Trust dies in darkness: shedding light on samsung\u2019s TrustZone keymaster design. Cryptology ePrint Archive, Report 2022\/208 (2022). https:\/\/eprint.iacr.org\/2022\/208"},{"key":"7_CR31","unstructured":"Stein, W., et al.: Sage Mathematics Software Version 9.5. The Sage Development Team (2022). http:\/\/www.sagemath.org"},{"key":"7_CR32","unstructured":"The FPLLL development team: FPLLL, a lattice reduction library (2021). https:\/\/github.com\/fplll\/fplll"},{"key":"7_CR33","unstructured":"The mitmproxy development team: mitmproxy - an interactive HTTPS proxy (2022). https:\/\/mitmproxy.org\/"},{"key":"7_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1007\/3-540-68339-9_29","volume-title":"Advances in Cryptology \u2014 EUROCRYPT \u201996","author":"PC van Oorschot","year":"1996","unstructured":"van Oorschot, P.C., Wiener, M.J.: On Diffie-Hellman key agreement with short exponents. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 332\u2013343. Springer, Heidelberg (1996). https:\/\/doi.org\/10.1007\/3-540-68339-9_29"},{"key":"7_CR35","doi-asserted-by":"publisher","unstructured":"Vanhoef, M., Ronen, E.: Dragonblood: analyzing the dragonfly handshake of WPA3 and EAP-pwd. In: 2020 IEEE Symposium on Security and Privacy, pp. 517\u2013533. IEEE Computer Society Press, May 2020. https:\/\/doi.org\/10.1109\/SP40000.2020.00031","DOI":"10.1109\/SP40000.2020.00031"},{"key":"7_CR36","unstructured":"Wikipedia: UTF-8 (2022). https:\/\/en.wikipedia.org\/wiki\/UTF-8"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 EUROCRYPT 2023"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-30589-4_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,15]],"date-time":"2025-04-15T22:04:19Z","timestamp":1744754659000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-30589-4_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031305887","9783031305894"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-30589-4_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"16 April 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"EUROCRYPT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Conference on the Theory and Applications of Cryptographic Techniques","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Lyon","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 April 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 April 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"42","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"eurocrypt2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/eurocrypt.iacr.org\/2023\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"HotCRP","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"415","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"109","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"26% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"16","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}