{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T04:30:16Z","timestamp":1778128216390,"version":"3.51.4"},"reference-count":46,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179290","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"146-163","source":"Crossref","is-referenced-by-count":18,"title":["MEGA: Malleable Encryption Goes Awry"],"prefix":"10.1109","author":[{"given":"Matilda","family":"Backendal","sequence":"first","affiliation":[{"name":"ETH Zurich,Zurich,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Miro","family":"Haller","sequence":"additional","affiliation":[{"name":"ETH Zurich,Zurich,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kenneth G.","family":"Paterson","sequence":"additional","affiliation":[{"name":"ETH Zurich,Zurich,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"About Us \u2013 Encrypted Cloud Storage \u2013 MEGA","year":"2022"},{"key":"ref2","volume-title":"Eight years of MEGA \u2013 Tweet","year":"2021"},{"key":"ref3","volume-title":"Security and Why It Matters \u2013 MEGA","year":"2022"},{"key":"ref4","first-page":"1","article-title":"Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1","volume-title":"CRYPTO\u201998","volume":"1462","author":"Bleichenbacher"},{"key":"ref5","volume-title":"MEGA security white paper","year":"2020"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196547"},{"key":"ref7","article-title":"Cryptographic vulnerabilities and other shortcomings of the Nextcloud server side encryption as implemented by the default encryption module","volume-title":"Cryptology ePrint Archive, Report 2020\/1439","author":"Niehage","year":"2020"},{"key":"ref8","article-title":"Attack on private signature keys of the OpenPGP format, PGP(TM) programs and other applications compatible with OpenPGP","volume-title":"Cryptology ePrint Archive, Report 2002\/076","author":"Klima","year":"2002"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559363"},{"key":"ref10","first-page":"37","article-title":"On the importance of checking cryptographic protocols for faults (extended abstract)","volume-title":"EUROCRYPT\u201997","volume":"1233","author":"Boneh"},{"key":"ref11","author":"Lenstra","year":"1996","journal-title":"Memo on RSA signature generation in the presence of faults"},{"key":"ref12","article-title":"How to abuse and fix authenticated encryption without key commitment","volume-title":"Cryptology ePrint Archive, Report 2020\/1456","author":"Albertini","year":"2020"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-96884-1_6"},{"key":"ref14","first-page":"195","article-title":"Partitioning oracle attacks","volume-title":"USENIX Security 2021","author":"Len"},{"key":"ref15","first-page":"817","article-title":"Return of Bleichenbacher\u2019s oracle threat (ROBOT)","volume-title":"USENIX Security 2018","author":"B\u00f6ck"},{"key":"ref16","first-page":"752","article-title":"Bleichenbacher\u2019s attack strikes again: Breaking PKCS#1 v1.5 in XML encryption","volume-title":"ESORICS 2012","volume":"7459","author":"Jager"},{"key":"ref17","first-page":"733","article-title":"Revisiting SSL\/TLS implementations: New Bleichenbacher side channels and attacks","volume-title":"USENIX Security 2014","author":"Meyer"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00062"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660356"},{"key":"ref20","article-title":"On the security of cloud storage services","author":"Borgmann","year":"2012","journal-title":"Fraunhofer SIT, Tech. Rep."},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-61176-1_23"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01446-9_20"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14992-4_13"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24095"},{"key":"ref25","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2022.24161","article-title":"Titanium: A metadata-hiding file-sharing system with malicious security","volume-title":"Cryptology ePrint Archive, Report 2022\/051","author":"Chen","year":"2022"},{"key":"ref26","volume-title":"MEGA: Malleable Encryption Goes Awry"},{"key":"ref27","doi-asserted-by":"crossref","DOI":"10.17487\/rfc3610","article-title":"Counter with CBC-MAC (CCM)","volume-title":"RFC 3610","author":"Whiting","year":"2003"},{"key":"ref28","doi-asserted-by":"crossref","DOI":"10.17487\/rfc3602","article-title":"The AES-CBC Cipher Algorithm and Its Use with IPsec","volume-title":"RFC 3602","author":"Frankel","year":"2003"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-36492-7_7"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/1457838.1457864"},{"key":"ref31","article-title":"Recovering cryptographic keys from partial information, by example","volume-title":"Cryptology ePrint Archive, Report 2020\/1506","author":"Micheli","year":"2020"},{"key":"ref32","article-title":"Computational Mathematics Inspired by RSA","volume-title":"Ph.D. dissertation","author":"Howgrave-Graham","year":"1998"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02295-1_10"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1007\/11761679_23"},{"key":"ref35","first-page":"3","volume-title":"Authentication Failures in NIST version of GCM","author":"Joux","year":"2006"},{"key":"ref36","article-title":"Cache-collision timing attacks against AES-GCM","volume-title":"master\u2019s thesis","author":"Huang","year":"2010"},{"key":"ref37","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-642-04138-9_1","article-title":"Faster and timing-attack resistant AES-GCM","volume-title":"Cryptology ePrint Archive, Report 2009\/129","author":"Kasper","year":"2009"},{"key":"ref38","volume-title":"Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process","author":"Ferguson","year":"2005"},{"key":"ref39","article-title":"The fragility of AES-GCM authentication algorithm","volume-title":"Cryptology ePrint Archive, Report 2013\/157","author":"Gueron","year":"2013"},{"key":"ref40","doi-asserted-by":"crossref","DOI":"10.17487\/rfc5869","article-title":"HMAC-based Extract-and-Expand Key Derivation Function (HKDF)","volume-title":"RFC 5869","author":"Krawczyk"},{"key":"ref41","first-page":"0278","article-title":"The Galois\/Counter Mode of Operation (GCM)","volume":"20","author":"McGrew","year":"2004","journal-title":"Submission to NIST Modes of Operation Process"},{"key":"ref42","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.SP.800-38b","author":"Dworkin","year":"2016","journal-title":"NIST SP 800-38B, Recommendation for block cipher modes of operation: The CMAC mode for authentication"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0053428"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-78372-7_15"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1007\/BF01457454"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/11792086_18"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179290.pdf?arnumber=10179290","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:11:16Z","timestamp":1721452276000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179290\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":46,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179290","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}