{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,7]],"date-time":"2025-12-07T13:09:29Z","timestamp":1765112969151,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":48,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,5,30]],"date-time":"2022-05-30T00:00:00Z","timestamp":1653868800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Bundesministerium f\u00fcr Bildung und Forschung (BMBF)","award":["16ME0234"],"award-info":[{"award-number":["16ME0234"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,5,30]]},"DOI":"10.1145\/3488932.3517387","type":"proceedings-article","created":{"date-parts":[[2022,5,24]],"date-time":"2022-05-24T04:23:26Z","timestamp":1653366206000},"page":"712-726","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["ASAP"],"prefix":"10.1145","author":[{"given":"Sebastian","family":"Berndt","sequence":"first","affiliation":[{"name":"University of L\u00fcbeck, L\u00fcbeck, Germany"}]},{"given":"Jan","family":"Wichelmann","sequence":"additional","affiliation":[{"name":"University of L\u00fcbeck, L\u00fcbeck, Germany"}]},{"given":"Claudius","family":"Pott","sequence":"additional","affiliation":[{"name":"University of L\u00fcbeck, L\u00fcbeck, Germany"}]},{"given":"Tim-Henrik","family":"Traving","sequence":"additional","affiliation":[{"name":"University of L\u00fcbeck, L\u00fcbeck, Germany"}]},{"given":"Thomas","family":"Eisenbarth","sequence":"additional","affiliation":[{"name":"University of L\u00fcbeck, L\u00fcbeck, Germany"}]}],"member":"320","published-online":{"date-parts":[[2022,5,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"M. Meeker \"Internet Trends 2019 \" https:\/\/www.bondcap.com\/pdf\/Internet_Trends_2019.pdf accessed 2020-10-08.  M. Meeker \"Internet Trends 2019 \" https:\/\/www.bondcap.com\/pdf\/Internet_Trends_2019.pdf accessed 2020-10-08."},{"key":"e_1_3_2_2_2_1","volume-title":"Iranian hackers found way into encrypted apps, researchers say","author":"Bergman R.","year":"2020","unstructured":"R. Bergman and F. Fassihi , \" Iranian hackers found way into encrypted apps, researchers say ,\" 2020 , https:\/\/www.nytimes.com\/2020\/09\/18\/world\/middleeast\/iran-hacking-encryption.html. Accessed 2020-10-13. R. Bergman and F. Fassihi, \"Iranian hackers found way into encrypted apps, researchers say,\" 2020, https:\/\/www.nytimes.com\/2020\/09\/18\/world\/middleeast\/iran-hacking-encryption.html. Accessed 2020-10-13."},{"key":"e_1_3_2_2_3_1","unstructured":"J. Cox \"How police secretly took over a global phone network for organized crime \" Motherboard Tech by VICE July 2 2020 https:\/\/www.vice.com\/en\/article\/3aza95\/how-police-took-over-encrochat-hacked. Accessed 2020-10-13.  J. Cox \"How police secretly took over a global phone network for organized crime \" Motherboard Tech by VICE July 2 2020 https:\/\/www.vice.com\/en\/article\/3aza95\/how-police-took-over-encrochat-hacked. Accessed 2020-10-13."},{"key":"e_1_3_2_2_4_1","volume-title":"Sept. 17, 2015, https:\/\/unit42","author":"Xiao C.","year":"2020","unstructured":"C. Xiao , \"Novel malware xcodeghost modifies xcode, infects apple ios apps and hits app store,\" Palo Alto Networks Blog , Sept. 17, 2015, https:\/\/unit42 .paloaltonetworks.com\/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store\/. Accessed 2020 -10-14. C. Xiao, \"Novel malware xcodeghost modifies xcode, infects apple ios apps and hits app store,\" Palo Alto Networks Blog, Sept. 17, 2015, https:\/\/unit42.paloaltonetworks.com\/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store\/. Accessed 2020-10-14."},{"key":"e_1_3_2_2_5_1","volume-title":"February 9","author":"Birsan A.","year":"2021","unstructured":"A. Birsan , \"Dependency confusion : How i hacked into apple, microsoft and dozens of other companies,\" Medium , February 9 , 2021 , https:\/\/medium.com\/@alex.birsan\/dependency-confusion-4a5d60fec610. Accessed 2021-04-29. A. Birsan, \"Dependency confusion: How i hacked into apple, microsoft and dozens of other companies,\" Medium, February 9, 2021, https:\/\/medium.com\/@alex.birsan\/dependency-confusion-4a5d60fec610. Accessed 2021-04-29."},{"key":"e_1_3_2_2_6_1","first-page":"319","volume-title":"On the practical exploitability of dual EC in TLS implementations,\" in Proc","author":"Checkoway S.","year":"2014","unstructured":"S. Checkoway , R. Niederhagen , A. Everspaugh , M. Green , T. Lange , T. Ristenpart , D. J. Bernstein , J. Maskiewicz , H. Shacham , and M. Fredrikson , \" On the practical exploitability of dual EC in TLS implementations,\" in Proc . USENIX. USENIX Association , 2014 , pp. 319 -- 335 . S. Checkoway, R. Niederhagen, A. Everspaugh, M. Green, T. Lange, T. Ristenpart, D. J. Bernstein, J. Maskiewicz, H. Shacham, and M. Fredrikson, \"On the practical exploitability of dual EC in TLS implementations,\" in Proc. USENIX. USENIX Association, 2014, pp. 319--335."},{"key":"e_1_3_2_2_7_1","unstructured":"B. Schneier \"Did nsa put a secret backdoor in new encryption standard?\" 2007 https:\/\/www.schneier.com\/essays\/archives\/2007\/11\/did_nsa_put_a_secret.html.  B. Schneier \"Did nsa put a secret backdoor in new encryption standard?\" 2007 https:\/\/www.schneier.com\/essays\/archives\/2007\/11\/did_nsa_put_a_secret.html."},{"key":"e_1_3_2_2_8_1","volume-title":"On the possibility of a back door in the nist sp800--90 dual ec prng,\" Presentation at the CRYPTO 2007 Rump Session","author":"Shumow D.","year":"2007","unstructured":"D. Shumow and N. Ferguson , \" On the possibility of a back door in the nist sp800--90 dual ec prng,\" Presentation at the CRYPTO 2007 Rump Session , 2007 . D. Shumow and N. Ferguson, \"On the possibility of a back door in the nist sp800--90 dual ec prng,\" Presentation at the CRYPTO 2007 Rump Session, 2007."},{"key":"e_1_3_2_2_9_1","volume-title":"On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits","author":"Wu Q.","year":"2021","unstructured":"Q. Wu and K. Lu , \" On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits ,\" 2021 , https:\/\/github.com\/QiushiWu\/QiushiWu.github.io\/blob\/main\/papers\/OpenSourceInsecurity.pdf (withdrawn from S&P 2021). Accessed 2021-05-05. Q. Wu and K. Lu, \"On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits,\" 2021, https:\/\/github.com\/QiushiWu\/QiushiWu.github.io\/blob\/main\/papers\/OpenSourceInsecurity.pdf (withdrawn from S&P 2021). Accessed 2021-05-05."},{"key":"e_1_3_2_2_10_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1007\/3-540-68697-5_8","volume-title":"The dark side of ?black-box\" cryptography or: Should we trust capstone?\" in Proc. CRYPTO","author":"Young A.","year":"1996","unstructured":"A. Young and M. Yung , \" The dark side of ?black-box\" cryptography or: Should we trust capstone?\" in Proc. CRYPTO , ser. Lecture Notes in Computer Science , vol. 1109 . Springer , 1996 , pp. 89 -- 103 . A. Young and M. Yung, \"The dark side of ?black-box\" cryptography or: Should we trust capstone?\" in Proc. CRYPTO, ser. Lecture Notes in Computer Science, vol. 1109. Springer, 1996, pp. 89--103."},{"key":"e_1_3_2_2_11_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1007\/3-540-69053-0_6","volume-title":"Using cryptography against cryptography,\" in Proc. EUROCRYPT","author":"Young A.","year":"1997","unstructured":"A. Young and M. Yung : Using cryptography against cryptography,\" in Proc. EUROCRYPT , ser. Lecture Notes in Computer Science , vol. 1233 . Springer , 1997 , pp. 62 -- 74 . ----, \"Kleptography: Using cryptography against cryptography,\" in Proc. EUROCRYPT, ser. Lecture Notes in Computer Science, vol. 1233. Springer, 1997, pp. 62--74."},{"key":"e_1_3_2_2_12_1","series-title":"Lecture Notes in Computer Science","first-page":"1","volume-title":"Security of symmetric encryption against mass surveillance,\" in Proc. CRYPTO","author":"Bellare M.","year":"2014","unstructured":"M. Bellare , K. G. Paterson , and P. Rogaway , \" Security of symmetric encryption against mass surveillance,\" in Proc. CRYPTO , ser. Lecture Notes in Computer Science , vol. 8616 . Springer , 2014 , pp. 1 -- 19 . M. Bellare, K. G. Paterson, and P. Rogaway, \"Security of symmetric encryption against mass surveillance,\" in Proc. CRYPTO, ser. Lecture Notes in Computer Science, vol. 8616. Springer, 2014, pp. 1--19."},{"key":"e_1_3_2_2_13_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1007\/978-3-030-80825-9_5","volume-title":"Help, my signal has bad device! - breaking the signal messenger's post-compromise security through a malicious device,\" in DIMVA","author":"Wichelmann J.","year":"2021","unstructured":"J. Wichelmann , S. Berndt , C. Pott , and T. Eisenbarth , \" Help, my signal has bad device! - breaking the signal messenger's post-compromise security through a malicious device,\" in DIMVA , ser. Lecture Notes in Computer Science , vol. 12756 . Springer , 2021 , pp. 88 -- 105 . J. Wichelmann, S. Berndt, C. Pott, and T. Eisenbarth, \"Help, my signal has bad device! - breaking the signal messenger's post-compromise security through a malicious device,\" in DIMVA, ser. Lecture Notes in Computer Science, vol. 12756. Springer, 2021, pp. 88--105."},{"key":"e_1_3_2_2_14_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"579","DOI":"10.1007\/978-3-662-48116-5_28","volume-title":"A more cautious approach to security against mass surveillance,\" in Proc. FSE","author":"Degabriele J. P.","year":"2015","unstructured":"J. P. Degabriele , P. Farshim , and B. Poettering , \" A more cautious approach to security against mass surveillance,\" in Proc. FSE , ser. Lecture Notes in Computer Science , vol. 9054 . Springer , 2015 , pp. 579 -- 598 . J. P. Degabriele, P. Farshim, and B. Poettering, \"A more cautious approach to security against mass surveillance,\" in Proc. FSE, ser. Lecture Notes in Computer Science, vol. 9054. Springer, 2015, pp. 579--598."},{"key":"e_1_3_2_2_15_1","first-page":"364","article-title":"Subversion-resilient signature schemes","author":"Ateniese G.","year":"2015","unstructured":"G. Ateniese , B. Magri , and D. Venturi , \" Subversion-resilient signature schemes ,\" in Proc. CCS. ACM , 2015 , pp. 364 -- 375 . G. Ateniese, B. Magri, and D. Venturi, \"Subversion-resilient signature schemes,\" in Proc. CCS. ACM, 2015, pp. 364--375.","journal-title":"Proc. CCS. ACM"},{"key":"e_1_3_2_2_16_1","first-page":"1431","article-title":"Mass-surveillance without the state: Strongly undetectable algorithm-substitution attacks","author":"Bellare M.","year":"2015","unstructured":"M. Bellare , J. Jaeger , and D. Kane , \" Mass-surveillance without the state: Strongly undetectable algorithm-substitution attacks ,\" in Proc. CCS. ACM , 2015 , pp. 1431 -- 1440 . M. Bellare, J. Jaeger, and D. Kane, \"Mass-surveillance without the state: Strongly undetectable algorithm-substitution attacks,\" in Proc. CCS. ACM, 2015, pp. 1431--1440.","journal-title":"Proc. CCS. ACM"},{"key":"e_1_3_2_2_17_1","first-page":"1649","article-title":"Algorithm substitution attacks from a steganographic perspective","author":"Berndt S.","year":"2017","unstructured":"S. Berndt and M. Li\u015bkiewicz , \" Algorithm substitution attacks from a steganographic perspective ,\" in Proc. CCS. ACM , 2017 , pp. 1649 -- 1660 . S. Berndt and M. Li\u015bkiewicz, \"Algorithm substitution attacks from a steganographic perspective,\" in Proc. CCS. ACM, 2017, pp. 1649--1660.","journal-title":"Proc. CCS. ACM"},{"key":"e_1_3_2_2_18_1","volume-title":"Subvert KEM to break DEM: practical algorithm-substitution attacks on public-key encryption,\" in ASIACRYPT (accepted)","author":"Chen R.","year":"2020","unstructured":"R. Chen , X. Huang , and M. Yung , \" Subvert KEM to break DEM: practical algorithm-substitution attacks on public-key encryption,\" in ASIACRYPT (accepted) , 2020 . R. Chen, X. Huang, and M. Yung, \"Subvert KEM to break DEM: practical algorithm-substitution attacks on public-key encryption,\" in ASIACRYPT (accepted), 2020."},{"key":"e_1_3_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1201\/b17668"},{"key":"e_1_3_2_2_20_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1007\/978-3-662-53890-6_2","volume-title":"Cliptography: Clipping the power of kleptographic attacks,\" in ASIACRYPT (2)","author":"Russell A.","year":"2016","unstructured":"A. Russell , Q. Tang , M. Yung , and H. Zhou , \" Cliptography: Clipping the power of kleptographic attacks,\" in ASIACRYPT (2) , ser. Lecture Notes in Computer Science , vol. 10032 , 2016 , pp. 34 -- 64 . A. Russell, Q. Tang, M. Yung, and H. Zhou, \"Cliptography: Clipping the power of kleptographic attacks,\" in ASIACRYPT (2), ser. Lecture Notes in Computer Science, vol. 10032, 2016, pp. 34--64."},{"key":"e_1_3_2_2_21_1","volume-title":"Probability and computing: Randomization and probabilistic techniques in algorithms and data analysis","author":"Mitzenmacher M.","year":"2017","unstructured":"M. Mitzenmacher and E. Upfal , Probability and computing: Randomization and probabilistic techniques in algorithms and data analysis . Cambridge university press , 2017 . M. Mitzenmacher and E. Upfal, Probability and computing: Randomization and probabilistic techniques in algorithms and data analysis. Cambridge university press, 2017."},{"key":"e_1_3_2_2_22_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"546","DOI":"10.1007\/11535218_33","volume-title":"A high-performance secure diffie-hellman protocol,\" in CRYPTO","author":"Krawczyk H.","year":"2005","unstructured":"H. Krawczyk , \"HMQV : A high-performance secure diffie-hellman protocol,\" in CRYPTO , ser. Lecture Notes in Computer Science , vol. 3621 . Springer , 2005 , pp. 546 -- 566 . H. Krawczyk, \"HMQV: A high-performance secure diffie-hellman protocol,\" in CRYPTO, ser. Lecture Notes in Computer Science, vol. 3621. Springer, 2005, pp. 546--566."},{"key":"e_1_3_2_2_23_1","first-page":"164","volume-title":"IEEE Computer Society","author":"Cohn-Gordon K.","year":"2016","unstructured":"K. Cohn-Gordon , C. J. F. Cremers , and L. Garratt , \" On post-compromise security,\" in CSF . IEEE Computer Society , 2016 , pp. 164 -- 178 . K. Cohn-Gordon, C. J. F. Cremers, and L. Garratt, \"On post-compromise security,\" in CSF. IEEE Computer Society, 2016, pp. 164--178."},{"key":"e_1_3_2_2_24_1","unstructured":"Qualys Inc \"SSL Pulse \" https:\/\/www.ssllabs.com\/ssl-pulse\/ accessed 2020-10-07.  Qualys Inc \"SSL Pulse \" https:\/\/www.ssllabs.com\/ssl-pulse\/ accessed 2020-10-07."},{"key":"e_1_3_2_2_25_1","first-page":"1","article-title":"The transport layer security (TLS) protocol version 1.3","volume":"8446","author":"Rescorla E.","year":"2018","unstructured":"E. Rescorla , \" The transport layer security (TLS) protocol version 1.3 ,\" RFC , vol. 8446 , pp. 1 -- 160 , 2018 . E. Rescorla, \"The transport layer security (TLS) protocol version 1.3,\" RFC, vol. 8446, pp. 1--160, 2018.","journal-title":"RFC"},{"key":"e_1_3_2_2_26_1","first-page":"1","article-title":"Hmac-based extract-and-expand key derivation function (HKDF)","volume":"5869","author":"Krawczyk H.","year":"2010","unstructured":"H. Krawczyk and P. Eronen , \" Hmac-based extract-and-expand key derivation function (HKDF) ,\" RFC , vol. 5869 , pp. 1 -- 14 , 2010 . H. Krawczyk and P. Eronen, \"Hmac-based extract-and-expand key derivation function (HKDF),\" RFC, vol. 5869, pp. 1--14, 2010.","journal-title":"RFC"},{"key":"e_1_3_2_2_27_1","first-page":"726","article-title":"On the tight security of TLS 1.3: Theoretically-sound cryptographic parameters for real-world deployments","volume":"2020","author":"Diemert D.","year":"2020","unstructured":"D. Diemert and T. Jager , \" On the tight security of TLS 1.3: Theoretically-sound cryptographic parameters for real-world deployments ,\" IACR Cryptol. ePrint Arch. , vol. 2020 , p. 726 , 2020 . D. Diemert and T. Jager, \"On the tight security of TLS 1.3: Theoretically-sound cryptographic parameters for real-world deployments,\" IACR Cryptol. ePrint Arch., vol. 2020, p. 726, 2020.","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"e_1_3_2_2_28_1","first-page":"1","article-title":"The transport layer security (TLS) protocol version 1.2","volume":"5246","author":"Dierks T.","year":"2008","unstructured":"T. Dierks and E. Rescorla , \" The transport layer security (TLS) protocol version 1.2 ,\" RFC , vol. 5246 , pp. 1 -- 104 , 2008 . T. Dierks and E. Rescorla, \"The transport layer security (TLS) protocol version 1.2,\" RFC, vol. 5246, pp. 1--104, 2008.","journal-title":"RFC"},{"key":"e_1_3_2_2_29_1","first-page":"98","volume-title":"ACM Conference on Computer and Communications Security. ACM","author":"Rogaway P.","year":"2002","unstructured":"P. Rogaway , \"Authenticated-encryption with associated-data,\" in ACM Conference on Computer and Communications Security. ACM , 2002 , pp. 98 -- 107 . P. Rogaway, \"Authenticated-encryption with associated-data,\" in ACM Conference on Computer and Communications Security. ACM, 2002, pp. 98--107."},{"key":"e_1_3_2_2_30_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1007\/11761679_23","volume-title":"A provable-security treatment of the key-wrap problem,\" in EUROCRYPT","author":"Rogaway P.","year":"2006","unstructured":"P. Rogaway and T. Shrimpton , \" A provable-security treatment of the key-wrap problem,\" in EUROCRYPT , ser. Lecture Notes in Computer Science , vol. 4004 . Springer , 2006 , pp. 373 -- 390 . P. Rogaway and T. Shrimpton, \"A provable-security treatment of the key-wrap problem,\" in EUROCRYPT, ser. Lecture Notes in Computer Science, vol. 4004. Springer, 2006, pp. 373--390."},{"key":"e_1_3_2_2_31_1","first-page":"1","article-title":"An interface and algorithms for authenticated encryption","volume":"5116","author":"McGrew D. A.","year":"2008","unstructured":"D. A. McGrew , \" An interface and algorithms for authenticated encryption ,\" RFC , vol. 5116 , pp. 1 -- 22 , 2008 . D. A. McGrew, \"An interface and algorithms for authenticated encryption,\" RFC, vol. 5116, pp. 1--22, 2008.","journal-title":"RFC"},{"key":"e_1_3_2_2_32_1","first-page":"1","article-title":"Chacha20 and poly1305 for IETF protocols","volume":"8439","author":"Nir Y.","year":"2018","unstructured":"Y. Nir and A. Langley , \" Chacha20 and poly1305 for IETF protocols ,\" RFC , vol. 8439 , pp. 1 -- 46 , 2018 . Y. Nir and A. Langley, \"Chacha20 and poly1305 for IETF protocols,\" RFC, vol. 8439, pp. 1--46, 2018.","journal-title":"RFC"},{"key":"e_1_3_2_2_33_1","volume-title":"Problems and countermeasures,\" http:\/\/www. openssl. org\/ bodo\/tls-cbc. txt","author":"Moller B.","year":"2004","unstructured":"B. Moller , \"Security of cbc ciphersuites in ssl\/tls : Problems and countermeasures,\" http:\/\/www. openssl. org\/ bodo\/tls-cbc. txt , 2004 . B. Moller, \"Security of cbc ciphersuites in ssl\/tls: Problems and countermeasures,\" http:\/\/www. openssl. org\/ bodo\/tls-cbc. txt, 2004."},{"key":"e_1_3_2_2_34_1","volume-title":"Next generation kernel network tunnel,\" https:\/\/www.wireguard.com\/papers\/wireguard.pdf","author":"Donenfeld J. A.","year":"2020","unstructured":"J. A. Donenfeld , \"Wireguard : Next generation kernel network tunnel,\" https:\/\/www.wireguard.com\/papers\/wireguard.pdf , 2020 , accessed 2020--10-08. J. A. Donenfeld, \"Wireguard: Next generation kernel network tunnel,\" https:\/\/www.wireguard.com\/papers\/wireguard.pdf, 2020, accessed 2020--10-08."},{"key":"e_1_3_2_2_35_1","first-page":"1","article-title":"The BLAKE2 cryptographic hash and message authentication code (MAC)","volume":"7693","author":"Saarinen M. O.","year":"2015","unstructured":"M. O. Saarinen and J. Aumasson , \" The BLAKE2 cryptographic hash and message authentication code (MAC) ,\" RFC , vol. 7693 , pp. 1 -- 30 , 2015 . M. O. Saarinen and J. Aumasson, \"The BLAKE2 cryptographic hash and message authentication code (MAC),\" RFC, vol. 7693, pp. 1--30, 2015.","journal-title":"RFC"},{"key":"e_1_3_2_2_36_1","first-page":"1","article-title":"Elliptic curves for security","volume":"7748","author":"Langley A.","year":"2016","unstructured":"A. Langley , M. Hamburg , and S. Turner , \" Elliptic curves for security ,\" RFC , vol. 7748 , pp. 1 -- 22 , 2016 . A. Langley, M. Hamburg, and S. Turner, \"Elliptic curves for security,\" RFC, vol. 7748, pp. 1--22, 2016.","journal-title":"RFC"},{"key":"e_1_3_2_2_37_1","unstructured":"O. W. Systems \"Signal protocol specifications \" https:\/\/signal.org\/docs\/ accessed 2020-09--28.  O. W. Systems \"Signal protocol specifications \" https:\/\/signal.org\/docs\/ accessed 2020-09--28."},{"key":"e_1_3_2_2_38_1","unstructured":"WhatsApp \"Whatsapp encryption overview \" https:\/\/www.whatsapp.com\/security\/WhatsApp-Security-Whitepaper.pdf 2017 accessed 2020-09-28.  WhatsApp \"Whatsapp encryption overview \" https:\/\/www.whatsapp.com\/security\/WhatsApp-Security-Whitepaper.pdf 2017 accessed 2020-09-28."},{"key":"e_1_3_2_2_39_1","unstructured":"Microsoft \"Skype private conversation \" https:\/\/az705183.vo.msecnd.net\/onlinesupportmedia\/onlinesupport\/media\/skype\/documents\/skype-private-conversation-white-paper.pdf 2018 accessed 2020-09-28.  Microsoft \"Skype private conversation \" https:\/\/az705183.vo.msecnd.net\/onlinesupportmedia\/onlinesupport\/media\/skype\/documents\/skype-private-conversation-white-paper.pdf 2018 accessed 2020-09-28."},{"key":"e_1_3_2_2_41_1","first-page":"60","article-title":"Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates","author":"Fischlin M.","year":"2017","unstructured":"M. Fischlin and F. G\u00fc nther , \" Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates ,\" in EuroS&P. IEEE , 2017 , pp. 60 -- 75 . M. Fischlin and F. G\u00fc nther, \"Replay attacks on zero round-trip time: The case of the TLS 1.3 handshake candidates,\" in EuroS&P. IEEE, 2017, pp. 60--75.","journal-title":"EuroS&P. IEEE"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/bxaa104"},{"key":"e_1_3_2_2_43_1","series-title":"Lecture Notes in Computer Science","first-page":"519","volume-title":"0-rtt key exchange with full forward secrecy,\" in EUROCRYPT (3)","author":"F.","year":"2017","unstructured":"F. G\u00fc nther, B. Hale , T. Jager , and S. Lauer , \" 0-rtt key exchange with full forward secrecy,\" in EUROCRYPT (3) , ser. Lecture Notes in Computer Science , vol. 10212 , 2017 , pp. 519 -- 548 . F. G\u00fc nther, B. Hale, T. Jager, and S. Lauer, \"0-rtt key exchange with full forward secrecy,\" in EUROCRYPT (3), ser. Lecture Notes in Computer Science, vol. 10212, 2017, pp. 519--548."},{"key":"e_1_3_2_2_44_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"657","DOI":"10.1007\/978-3-662-46803-6_22","volume-title":"Cryptographic reverse firewalls,\" in EUROCRYPT (2)","author":"Mironov I.","year":"2015","unstructured":"I. Mironov and N. Stephens-Davidowitz , \" Cryptographic reverse firewalls,\" in EUROCRYPT (2) , ser. Lecture Notes in Computer Science , vol. 9057 . Springer , 2015 , pp. 657 -- 686 . I. Mironov and N. Stephens-Davidowitz, \"Cryptographic reverse firewalls,\" in EUROCRYPT (2), ser. Lecture Notes in Computer Science, vol. 9057. Springer, 2015, pp. 657--686."},{"key":"e_1_3_2_2_45_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"341","DOI":"10.1007\/978-3-662-53018-4_13","volume-title":"Message transmission with reverse firewalls - secure communication on corrupted machines,\" in CRYPTO (1)","author":"Dodis Y.","year":"2016","unstructured":"Y. Dodis , I. Mironov , and N. Stephens-Davidowitz , \" Message transmission with reverse firewalls - secure communication on corrupted machines,\" in CRYPTO (1) , ser. Lecture Notes in Computer Science , vol. 9814 . Springer , 2016 , pp. 341 -- 372 . Y. Dodis, I. Mironov, and N. Stephens-Davidowitz, \"Message transmission with reverse firewalls - secure communication on corrupted machines,\" in CRYPTO (1), ser. Lecture Notes in Computer Science, vol. 9814. Springer, 2016, pp. 341--372."},{"key":"e_1_3_2_2_46_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"241","DOI":"10.1007\/978-3-319-96881-0_9","volume-title":"Correcting subverted random oracles,\" in CRYPTO (2)","author":"Russell A.","year":"2018","unstructured":"A. Russell , Q. Tang , M. Yung , and H. Zhou , \" Correcting subverted random oracles,\" in CRYPTO (2) , ser. Lecture Notes in Computer Science , vol. 10992 . Springer , 2018 , pp. 241 -- 271 . A. Russell, Q. Tang, M. Yung, and H. Zhou, \"Correcting subverted random oracles,\" in CRYPTO (2), ser. Lecture Notes in Computer Science, vol. 10992. Springer, 2018, pp. 241--271."},{"key":"e_1_3_2_2_47_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"627","DOI":"10.1007\/978-3-030-75245-3_23","volume-title":"Subversion-resilient public key encryption with practical watchdogs,\" in Public Key Cryptography (1)","author":"Bemmann P.","year":"2021","unstructured":"P. Bemmann , R. Chen , and T. Jager , \" Subversion-resilient public key encryption with practical watchdogs,\" in Public Key Cryptography (1) , ser. Lecture Notes in Computer Science , vol. 12710 . Springer , 2021 , pp. 627 -- 658 . P. Bemmann, R. Chen, and T. Jager, \"Subversion-resilient public key encryption with practical watchdogs,\" in Public Key Cryptography (1), ser. Lecture Notes in Computer Science, vol. 12710. Springer, 2021, pp. 627--658."},{"key":"e_1_3_2_2_48_1","first-page":"76","volume-title":"IEEE Computer Society","author":"Fischlin M.","year":"2018","unstructured":"M. Fischlin and S. Mazaheri , \" Self-guarding cryptographic protocols against algorithm substitution attacks,\" in CSF . IEEE Computer Society , 2018 , pp. 76 -- 90 . M. Fischlin and S. Mazaheri, \"Self-guarding cryptographic protocols against algorithm substitution attacks,\" in CSF. IEEE Computer Society, 2018, pp. 76--90."},{"key":"e_1_3_2_2_49_1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1007\/978-3-662-46800-5_5","volume-title":"A formal treatment of backdoored pseudorandom generators,\" in EUROCRYPT (1)","author":"Dodis Y.","year":"2015","unstructured":"Y. Dodis , C. Ganesh , A. Golovnev , A. Juels , and T. Ristenpart , \" A formal treatment of backdoored pseudorandom generators,\" in EUROCRYPT (1) , ser. Lecture Notes in Computer Science , vol. 9056 . Springer , 2015 , pp. 101 -- 126 . Y. Dodis, C. Ganesh, A. Golovnev, A. Juels, and T. Ristenpart, \"A formal treatment of backdoored pseudorandom generators,\" in EUROCRYPT (1), ser. Lecture Notes in Computer Science, vol. 9056. Springer, 2015, pp. 101--126."}],"event":{"name":"ASIA CCS '22: ACM Asia Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Nagasaki Japan","acronym":"ASIA CCS '22"},"container-title":["Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3488932.3517387","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3488932.3517387","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:48:29Z","timestamp":1750193309000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3488932.3517387"}},"subtitle":["Algorithm Substitution Attacks on Cryptographic Protocols"],"short-title":[],"issued":{"date-parts":[[2022,5,30]]},"references-count":48,"alternative-id":["10.1145\/3488932.3517387","10.1145\/3488932"],"URL":"https:\/\/doi.org\/10.1145\/3488932.3517387","relation":{},"subject":[],"published":{"date-parts":[[2022,5,30]]},"assertion":[{"value":"2022-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}