Matteo Scarlata

@hjkl.space

software occultist

53
Followers
111
Following
5
Posts
19.03.2025
Joined

Latest posts by Matteo Scarlata @hjkl.space

"presenting a cornucopia of practical attacks".

These are my favorite words ever to have occurred in a cryptography paper.

17.02.2026 01:24 👍 53 🔁 9 💬 3 📌 2

You mean Professor Matilda Backendal! 😉

17.02.2026 13:33 👍 1 🔁 0 💬 0 📌 0
Security through transparency: ETH Zurich audits Bitwarden cryptography against malicious server scenarios | Bitwarden A new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at...

Check out the excellent responses by @bitwarden.bsky.social (bitwarden.com/blog/securit...), @dashlane.com (www.dashlane.com/blog/zero-kn...) and @lastpass.bsky.social (blog.lastpass.com/posts/detail...).

It was really great working with these companies, and a uniquely smooth disclosure process!

16.02.2026 20:14 👍 1 🔁 0 💬 0 📌 0
Frog and Toad with a box illustration. Badly edited text.

Frog put the KEY in a box. "There," he said. "Now we will not SIGN MALICIOUS MESSAGES."
"But we can ASK THE HSM," said Toad.
"That is true," said Frog.

16.02.2026 16:04 👍 254 🔁 36 💬 1 📌 1
Zero Knowledge (About) Encryption

I always assumed that #passwordmanagers were simple objects -- create a database, encrypt it, send it to the server, done. I could not have been more wrong!

At zkae.io, we take a look at all the hidden complexity in cloud password managers, and the #attacks that result from that. (ia.cr/2026/058)

16.02.2026 10:55 👍 8 🔁 4 💬 1 📌 0

Do you use a cloud-based password manager? So what's your threat model?

Vendors like Bitwarden, Dashlane, LastPass and 1Password offer you "Zero Knowledge Encryption", with statements like: "Not even the team at Bitwarden can read your data (even if we wanted to)."

We decided to test this… 1/n

16.02.2026 08:12 👍 32 🔁 15 💬 2 📌 3

FYI, this is going live tomorrow morning! :)

16.02.2026 00:13 👍 1 🔁 0 💬 0 📌 0

We wanted a link to the full version for our camera-ready, without having to maintain a redirect (inevitably subject to bit rot). We cleared the submission with the eprint editors in advance (kudos Sofia and Matthias for being super responsive!).

16.01.2026 13:58 👍 1 🔁 0 💬 1 📌 0

The call for talks for CAW 2026 (a workshop affiliated with Eurocrypt) is out!

This year's motto is "cryptography under real-world constraints and threat models", but other applied cryptography is also very welcome.

All info is on: caw.cryptanalysis.fun.

11.11.2025 18:37 👍 13 🔁 8 💬 1 📌 1

This year, #CAW offers the option for remote participation to make our Eurocrypt workshop accessible to the members of our community that cannot or prefer not to travel to Madrid.

Register on our website before May 2 (free): caw.cryptanalysis.fun

The updated program is below.

09.04.2025 17:27 👍 5 🔁 2 💬 0 📌 0
Breaking and Fixing Content-Defined Chunking A collection of my (future) writings about cryptography, music and other random stuff.

Our latest work is out! Breaking and repairing Content-Defined Chunking, with impact across multiple backup systems. Read Kien Tuong Truong’s blog here: blog.ktruong.dev/breaking-cdc

25.03.2025 18:10 👍 11 🔁 2 💬 1 📌 1