Distributional Private Information Retrieval

A private-information-retrieval (PIR) scheme lets a client fetch a record from a remote database without revealing which record it fetched. Classic PIR schemes treat all database records the same but, in practice, some database records are much more popular (i.e., commonly fetched) than others. We introduce distributional PIR, a new type of PIR that can run faster than classic PIR---both asymptotically and concretely---when the popularity distribution is skewed. Distributional PIR provides exactly the same cryptographic privacy as classic PIR. The speedup comes from a relaxed form of correctness: distributional PIR guarantees that in-distribution queries succeed with good probability, while out-of-distribution queries succeed with lower probability. Because of its relaxed correctness, distributional PIR is best suited for applications where "best-effort" retrieval is acceptable. Moreover, for security, a client's decision to query the server must be independent of whether its past queries were successful. We construct a distributional-PIR scheme that makes black-box use of classic PIR protocols, and prove a lower bound on the server runtime of a natural class of distributional-PIR schemes. On two real-world popularity distributions, our construction reduces compute costs by $5$-$77\times$ compared to existing techniques. Finally, we build CrowdSurf, an end-to-end system for privately fetching tweets, and show that distributional-PIR reduces the end-to-end server cost by $8\times$ (depending on the frequency of tweets).

IACR Cryptology ePrint Archive
Next up, 'How Private Can Private Advertising Really Be?', presented by Alishah Chator #realworldcrypto
'If a population has a sensitive feature correlated with it, membership in the population can be used as a proxy for targeting that feature' #realworldcrypto
UC gives us language to see what cannot compose #realworldcrypto
Any useful ad ecosystem will have this leakage #realworldcrypto
Differential Privacy is an individual privacy notion #realworldcrypto
Attribute privacy may be a way #realworldcrypto
Next, 'Sprinkle Differential Privacy on a Bit of Everything', presented by Daniel Pöllmann #realworldcrypto
Bluetooth! 'Security of Bluetooth: A Cryptographic View on Analyzing a Leviathan', by Olga Sanina #realworldcrypto
lol this thing is so broken. Bluetooth is basically TOFU. No known plans to move to PQ #realworldcrypto
"just add signatures" [ML-DSA bludgeons you] eprint.iacr.org/2024/874 #realworldcrypto
Next up, 'The Landscape of Offline Finding Protocols: Privacy, Safety, Problems', presented by Akshaya Kumar and Carolina Ortega Pérez #realworldcrypto
Analyzing Tile, AirTags, etc arxiv.org/html/2510.00... #realworldcrypto
anti-theft basically cancels out anti-stalking #realworldcrypto
Tile fails to provide privacy and safety 🥲 #realworldcrypto
Better protocols are possible #realworldcrypto
Lots of security definitions to juggle #realworldcrypto
If you have to make a tradeoff, favor anti-stalking vs anti-theft #realworldcrypto
LIGHTNING TALK TIME 🎺 #realworldcrypto
@proofnerd.bsky.social on MPC implementation security at MPC Security in Practice workshop at TPMPC #realworldcrypto
PhotoDNA broken??? eprint coming, 'whitebox attack' #realworldcrypto
Nicky formerly of NIST is looking for gigs #realworldcrypto
@kientuong114.bsky.social matilda and matteo plug Cryptographic Applications Workshop at Eurocrypt in Rome caw.cryptanalysis.fun #realworldcrypto

CAW

Cryptographic Applications Workshop
Crypto job board #realworldcrypto
GitHub - C2SP/wycheproof: Project Wycheproof tests crypto libraries against known attacks.
Michael Rosenberg offering opsec trainings, materials; points out that cryptography is the rearrangement of power #realworldcrypto
Talk to Peter Schwabe if you'd like to further sponsor Real World Crypto #realworldcrypto
White-Box Attacks on PhotoDNA Perceptual Hash Function

PhotoDNA is a widely deployed perceptual hash function used for the detection of illicit content such as Child Sexual Abuse Material (CSAM). This paper presents the first mathematical description of Alleged PhotoDNA, a new function which has identical outputs to that of PhotoDNA for a large database of test images. From this description, several design weaknesses are identified: the algorithm is piece-wise linear and differentiable, the hash value only depends on the sum of the RGB values of each pixel, and it is trivial to find images with hash value equal to all zeroes. The paper further demonstrates that gradient-based optimization techniques and quadratic programming can exploit the mathematical weaknesses of Alleged PhotoDNA and PhotoDNA to produce visually appealing exact collisions and second preimages; for near-collisions and near-second-preimages the image quality can be further improved. The same techniques can be used to recover the rough shapes of an image from its hash value, disproving the claim from the designer that PhotoDNA is irreversible. Finally, it is also shown that it is easy to produce high-quality perceptually identical images with a hash value that is far from the original image, allowing detection to be avoided. We have implemented our attacks on a large set of varied images and we have tested them on both Alleged PhotoDNA and PhotoDNA. Our attacks have success rates close or equal to 100% and run in seconds or minutes on a personal laptop; they present a substantial improvement over earlier work that requires hours on parallel machines and that results only in near-collisions. We believe that with additional optimization of the parameters, the image quality and/or the attack performance can be further improved.
Our work demonstrates that PhotoDNA is unreliable for the detection of illicit content: it is easy to incriminate someone by sending them false content with a hash value close to illicit content (a false positive) and to avoid detection of illicit content with minimal modifications to an image (a false negative). False positives and leakage of information are particularly problematic in a Client Side Scanning (CSS) scenario as envisaged by several countries, where large hash databases would be stored on every user device and billions of images would be hashed with PhotoDNA every day. Overall, our research casts serious doubts on the suitability of PhotoDNA for the large-scale detection of illicit content.

IACR Cryptology ePrint Archive
SQIsign is very nice and not broken! - lorenz panny #realworldcrypto
Bas says Cloudflare has PQ internships in London Lisbon and Austin LUNCH #realworldcrypto
Next up, Nadia Heninger on 'A bird's-eye view of cryptographic practice' #realworldcrypto
Pointing at satellites, found a /lot/ of unencrypted data #realworldcrypto
TV/video data is much more encrypted than data #realworldcrypto
"Blissfully unaware of the last 15 years [of crypto breakage]" #realworldcrypto
In-flight wifi is not encrypted; https is happening though #realworldcrypto
Starlink is encrypted #realworldcrypto
TLS looking good, actually #realworldcrypto
telecom just broadcasting in the clear #realworldcrypto
"It's really hard to disclose vulns to foreign militaries" #realworldcrypto
US gov, when we finally got in contact, took config mistakes very seriously #realworldcrypto
🛰️ SATCOM Security

Research project homepage for SATCOM Security: papers, source code, and recent satellite communications vulnerabilities.

Next up, '(Dis)patches from the Web PKI: Fina, Static CT, MTC, and PLANTS', presented by Luke Valenta #realworldcrypto