Publications
Some of the downloadable files are authors' versions or pre-prints. See also the respective
disclaimers.
Books
- Pape, S.: Authentication in Insecure Environments -- Using Visual Cryptography and Non-Transferable Credentials in Practise. Springer Vieweg, Research, 2014.





- Pape, S.: Sicherheitsmodelle für das Ajtai-Dwork-Kryptosystem: Untersuchungen eines Kryptosystems mit Worst-Case / Average-Case Äquivalenz zum unique Shortest Vector Problem. Vdm Verlag Dr. Müller, 2008.




Journal Articles
- Harborth, D. and Pape, S.: Investigating Privacy Concerns Related to Mobile Augmented Reality Apps - A Vignette Based Online Experiment. In Computers in Human Behavior, 122, 2021.




- Löbner, S.; Tesfay, W. B.; Nakamura, T. and Pape, S.: Explainable Machine Learning for Default Privacy Setting Prediction. In IEEE Access, 9: 63700-63717, 2021.




- Pape, S. and Kipker, D-K.: Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy. In Datenschutz und Datensicherheit, 45 (5): 310-314, 2021.







- Schmitz, C.; Schmid, M.; Harborth, D. and Pape, S.: Maturity Level Assessments of Information Security Controls: An Empirical Analysis of Practitioners' Assessment Capabilities. In Computers & Security, 108, 2021.




- Harborth, D. and Pape, S.: Empirically Investigating Extraneous Influences on the "APCO" Model - Childhood Brand Nostalgia and the Positivity Bias. In Future Internet, 12(12) (220), 2020.




- Harborth, D. and Pape, S.: How Privacy Concerns, Trust and Risk Beliefs and Privacy Literacy Influence Users' Intentions to Use Privacy-Enhancing Technologies - The Case of Tor. In ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 51 (1): 51-69, 2020.





- Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym. In Proceedings on Privacy Enhancing Technologies (PoPETs), 2020 (2): 111-128, 2020.






- Pape, S.; Ivan, A.; Harborth, D.; Nakamura, T.; Kiyomoto, S.; Takasaki, H. and Rannenberg, K.: Re-evaluating Internet Users' Information Privacy Concerns: The Case in Japan. In AIS Transactions on Replication Research, 6 (18): 1-18, 2020.



- Pape, S.; Ivan, A.; Harborth, D.; Nakamura, T.; Kiyomoto, S.; Takasaki, H. and Rannenberg, K.: Open Materials Discourse: Re-evaluating Internet Users' Information Privacy Concerns: The Case in Japan. In AIS Transactions on Replication Research, 6 (22): 1-7, 2020.



- Pape, S.; Paci, F.; Juerjens, J. and Massacci, F.: Selecting a Secure Cloud Provider: An Empirical Study and Multi Criteria Approach. In Information, 11 (5), 2020.






- Schmitz, C. and Pape, S.: LiSRA: Lightweight Security Risk Assessment for Decision Support in Information Security. In Computers & Security, 90, 2020.




- Harborth, D. and Pape, S.: How Nostalgic Feelings Impact Pokémon Go Players - Integrating Childhood Brand Nostalgia into the Technology Acceptance Theory. In Behaviour & Information Technology, 39 (12): 1276-1296, 2019.




- Pape, S. and Rannenberg, K.: Applying Privacy Patterns to the Internet of Things' (IoT) Architecture. In Mobile Networks and Applications (MONET) -- The Journal of SPECIAL ISSUES on Mobility of Systems, Users, Data and Computing, 24 (3): 925-933, 2019.





- Pape, S. and Rannenberg, K.: Cyber-Gefahren auf dem Radar. In ManagementKompass: Unternehmen schützen -- Risiken minimieren, November (03): pages 9-12, 2018.




- Schaab, P.; Beckers, K. and Pape, S.: Social engineering defence mechanisms and counteracting training strategies. In Information and Computer Security, 25 (2): 206-222, 2017.




- Pape, S.; Schöch, C. and Wegner, L.: TEICHI and the Tools Paradox. Developing a Publishing Framework for Digital Editions. In Journal of the Text Encoding Initiative, 2: 1-16, 2012.




Conference and Workshop Papers (peer-reviewed)
- Bracamonte, V.; Pape, S. and Kiyomoto, S.: Investigating User Intention to Use a Privacy Sensitive Information Detection Tool. In Symposium on Cryptography and Information Security (SCIS), 2021.




- Hatzivasilis, G.; Ioannidis, S.; Smyrlis, M.; Spanoudakis, G.; Frati, F.; Braghin, C.; Damiani, E.; Koshutanski, H.; Tsakirakis, G.; Hildebrandt, T.; Goeke, L.; Pape, S.; Blinder, O.; Vinov, M.; Leftheriotis, G.; Kunc, M.; Oikonomou, F.; Magilo, G.; Petrarolo, V.; Chieti, A. and Bordianu, R.: The THREAT-ARREST cyber ranges platform. In IEEE CSR Workshop on Cyber Ranges and Security Training (CRST), 2021.



- Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym (Poster). In 17th Symposium on Usable Privacy and Security (SOUPS 2021), 2021.



- Pape, S.; Harborth, D. and Kröger, J. L.: Privacy Concerns Go Hand in Hand with Lack of Knowledge: The Case of the German Corona-Warn-App. In ICT Systems Security and Privacy Protection - 36th IFIP TC 11 International Conference, SEC 2021, pages 256-269, Springer, IFIP Advances in Information and Communication Technology 625, 2021.





- Pape, S.; Klauer, A. and Rebler, M.: Leech: Let's Expose Evidently bad data Collecting Habits - Towards a Serious Game on Understanding Privacy Policies (Poster). In 17th Symposium on Usable Privacy and Security (SOUPS 2021), 2021.



- Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games. In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers, Springer International Publishing, Cham, LNCS 12580, 2020.







- Pape, S.; Goeke, L.; Quintanar, A. and Beckers, K.: Conceptualization of a CyberSecurity Awareness Quiz. In Computer Security - ESORICS 2020 International Workshops MSTEC, pages 61-76, Springer International Publishing, Cham, LNCS 12512, 2020.







- Pape, S.; Schmitz, C.; Kipker, D-K. and Sekula, A.: On the use of Information Security Management Systems by German Energy Providers. In Presented at the Fourteenth IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, 2020.







- Schmitz, C.; Sekulla, A. and Pape, S.: Asset-centric analysis and visualisation of attack trees. In Graphical Models for Security - 7th International Workshop, GraMSec@CSF 2020, Boston, MA, USA, Virtual Conference, June 22, 2020, Revised Selected Papers, pages 45-64, Springer, LNCS 12419, 2020.




- Goeke, L.; Quintanar, A.; Beckers, K. and Pape, S.: PROTECT - An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks. In Computer Security - ESORICS 2019 International Workshops, IOSec, MSTEC, and FINSEC, Luxembourg City, Luxembourg, September 26-27, 2019, Revised Selected Papers, pages 156-171, Springer International Publishing, Cham, LNCS 11981, 2019.






- Harborth, D.; Cai, X. and Pape, S.: Why Do People Pay for Privacy? In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 253-267, 2019, Acceptance rate: 26 / 142 = 18.3%.





- Hamm, P.; Harborth, D. and Pape, S.: A Systematic Analysis of User Evaluations in Security Research. In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019, Canterbury, UK, August 26-29, 2019, ACM, 2019.




- Harborth, D. and Pape, S.: How Privacy Concerns and Trust and Risk Beliefs Influence Users' Intentions to Use Privacy-Enhancing Technologies -- The Case of Tor. In 52nd Hawaii International Conference on System Sciences (HICSS) 2019, pages 4851-4860, 2019, Acceptance rate: 48%.





- Harborth, D. and Pape, S.: Investigating Privacy Concerns related to Mobile Augmented Reality Applications. In Proceedings of the 40th International Conference on Information Systems ICIS 2019, Munich, Germany, December 13-15, 2019, 2019.





- Hatamian, M.; Pape, S. and Rannenberg, K.: ESARA: A Framework for Enterprise Smartphone Apps Risk Assessment. In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 165-179, 2019, Acceptance rate: 26 / 142 = 18.3%.




- Pape, S. and Stankovic, J.: An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security. In Computer Security - ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, ADIoT, Luxembourg City, Luxembourg, September 26-27, 2019, Revised Selected Papers, pages 287-306, Springer International Publishing, Cham, LNCS 11980, 2019.




- Schmid, M.; Akarkach, K. and Pape, S.: Comparison of different aggregated information security control maturities from AHP ranked companies (Extended abstract). In Preproceedings of IFIP Summer School on Privacy and Identity Management - Data for Better Living: AI and Privacy 2019 (IFIPSC2019), 2019.




- Schmid, M. and Pape, S.: A structured comparison of the corporate information security. In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 223-237, 2019, Acceptance rate: 26 / 142 = 18.3%.



- Sekulla, A.; Schmitz, C.; Pape, S. and Pipek, V.: Demonstrator zur Beschreibung und Visualisierung einer kritischen Infrastruktur. In Human Practice. Digital Ecologies. Our Future. 14. Internationale Tagung Wirtschaftsinformatik (WI 2019), February 24-27, 2019, Siegen, Germany, pages 1978, 2019.





- Aladawy, D.; Beckers, K. and Pape, S.: PERSUADED: Fighting Social Engineering Attacks with a Serious Game. In Trust, Privacy and Security in Digital Business - 15th International Conference, TrustBus 2018, Regensburg, Germany, September 5-6, 2018, Proceedings, Springer, Lecture Notes in Computer Science 11033, 2018, ISBN 978-3-319-98384-4, Acceptance rate: 15 / 29 = 51.7%.







- Harborth, D.; Braun, M.; Grosz, A.; Pape, S. and Rannenberg, K.: Anreize und Hemmnisse für die Implementierung von Privacy-Enhancing Technologies im Unternehmenskontext. In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 29-41, 2018.






- Harborth, D. and Pape, S.: Examining Technology Use Factors of Privacy-Enhancing Technologies: The Role of Perceived Anonymity and Trust. In 24th Americas Conference on Information Systems, AMCIS 2018, New Orleans, LA, USA, August 16-18, 2018, Association for Information Systems, 2018.






- Harborth, D. and Pape, S.: JonDonym Users' Information Privacy Concerns. In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 170-184, 2018, Acceptance rate: 27 / 89 = 30.3%.





- Pape, S.; Tasche, D.; Bastys, I.; Grosz, A.; Laessig, J. and Rannenberg, K.: Towards an Architecture for Pseudonymous E-Commerce -- Applying Privacy by Design to Online Shopping. In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 17-28, 2018.




- Paul, N.; Tesfay, W. B.; Kipker, D-K.; Stelter, M. and Pape, S.: Assessing Privacy Policies of Internet of Things Services. In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 156-169, 2018, Acceptance rate: 27 / 89 = 30.3%.





- Schmitz, C.; Sekula, A.; Pape, S.; Pipek, V. and Rannenberg, K.: Easing the Burden of Security Self-Assessments. In 12th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2018, Dundee, Scotland, August 29-31, 2018, Proceedings, 2018.





- Beckers, K.; Fries, V.; Groen, E. C. and Pape, S.: Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment. In Joint Proceedings of REFSQ-2017 Workshops, Doctoral Symposium, Research Method Track, and Poster Track co-located with the 22nd International Conference on Requirements Engineering: Foundation for Software Quality (REFSQ 2017), Essen, Germany, February 27, 2017, 2017.







- Beckers, K.; Schosser, D.; Pape, S. and Schaab, P.: A Structured Comparison of Social Engineering Intelligence Gathering Tools. In Trust, Privacy and Security in Digital Business - 14th International Conference, TrustBus 2017, Lyon, France, August 30-31, 2017, Proceedings, pages 232-246, 2017, Revision 1, Table 7 was corrected, see https://link.springer.com/10.1007/978-3-319-64483-7_16.






- Harborth, D. and Pape, S.: Age Matters - Privacy Concerns of Pokémon Go Players in Germany (Extended Abstract). In Preproceedings of IFIP Summer School on Privacy and Identity Management - the Smart World Revolution 2017 (IFIPSC2017), 2017.





- Harborth, D. and Pape, S.: Exploring the Hype: Investigating Technology Acceptance Factors of Pokémon Go. In 2017 IEEE International Symposium on Mixed and Augmented Reality, ISMAR 2017, Nantes, France, October 9-13, 2017, pages 155-168, 2017, Acceptance rate: (17)/99 = 17.2 %.
  Abstract: We investigate the technology acceptance factors of the AR smart-phone game Pokémon Go with a PLS-SEM approach based on the UTAUT2 model by Venkatesh et al. [1]. Therefore, we conducted an online study in Germany with 683 users of the game. Many other studies rely on the users' imagination of the application's functionality or laboratory environments. In contrast, we asked a relatively large user base already interacting in the natural environment with the application. Not surprisingly, the strongest predictor of behavioral intention to play Pokémon Go is hedonic motivation, i.e. fun and pleasure due to playing the game. Additionally, we find medium-sized effects of effort expectancy on behavioral intention, and of habit on behavioral intention and use behavior. These results imply that AR applications -- besides needing to be easily integrable in the users' daily life -- should be designed in an intuitive and easily understandable way. We contribute to the understanding of the phenomenon of Pokémon Go by investigating established acceptance factors that potentially fostered the massive adoption of the game.


- Sailer, M.; Hoppenz, C.; Beckers, K. and Pape, S.: Förderung von IT-Sicherheitsbewusstheit durch spielbasiertes Lernen - eine experimentelle Studie. In Tagung der Sektion "Empirische Bildungsforschung" -- Educational Research and Governance (AEPF 2017), 2017.






- Beckers, K. and Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements. In Proceedings of the 24th IEEE International Conference on Requirements Engineering, IEEE Computer Society, RE '16, 2016, Acceptance Rate: 22/79 = 27.8%.







- Beckers, K.; Pape, S. and Fries, V.: HATCH: Hack And Trick Capricious Humans -- A Serious Game on Social Engineering. In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.








- Dax, J.; Hamburg, D.; Kreusch, M.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Terhaag, F.: Sichere Informationsinfrastrukturen für kleine und mittlere Energieversorger. In Multikonferenz Wirtschaftsinformatik (MKWI) -- Teilkonferenz IT-Sicherheit für Kritische Infrastrukturen (Poster), 2016.





- Dax, J.; Ley, B.; Pape, S.; Schmitz, C.; Pipek, V. and Rannenberg, K.: Elicitation of Requirements for an inter-organizational Platform to Support Security Management Decisions. In 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016, Frankfurt, Germany, July 19-21, 2016, Proceedings, 2016.





- Pape, S.; Flake, J.; Beckmann, A. and Jürjens, J.: STAGE -- A Software Tool for Automatic Grading of Testing Exercises -- Case Study Paper. In Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016 - Companion Volume, pages 491-500, 2016, Acceptance rate: (22+4)/64 = (34.4 + 6.3) %.



- Schaab, P.; Beckers, K. and Pape, S.: A systematic Gap Analysis of Social Engineering Defence Mechanisms considering Social Psychology. In 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016, Frankfurt, Germany, July 19-21, 2016, Proceedings, 2016.





- Tschersich, M.; Kiyomoto, S.; Pape, S.; Nakamura, T.; Bal, G.; Takasaki, H. and Rannenberg, K.: On Gender Specific Perception of Data Sharing in Japan. In ICT Systems Security and Privacy Protection - 31st IFIP TC 11 International Conference, SEC 2016, Ghent, Belgium, May 30 - June 1, 2016, Proceedings, pages 150-160, 2016, Acceptance rate: 27/139 = 20.9%.




- Tesfay, W. B.; Serna, J. and Pape, S.: Challenges in Detecting Privacy Revealing Information in Unstructured Text. In Workshop on Society, Privacy and the Semantic Web - Policy and Technology PrivOn 2016 at the International Semantic Web Conference (ISWC) 2016, Kobe, Japan, 2016.




- Pape, S.; Serna-Olvera, J. and Tesfay, W.: Why Open Data May Threaten Your Privacy. In Workshop on Privacy and Inference, co-located with KI, 2015.




- Pape, S.: Sample or Random Security - A Security Model for Segment-Based Visual Cryptography. In Financial Cryptography and Data Security - 18th International Conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers, pages 291-303, 2014, Acceptance rate: 31 / 138 = 22.5%.



- Bleikertz, S.; Mastelic, T.; Pape, S.; Pieters, W. and Dimkov, T.: Defining the Cloud Battlefield -- Supporting Security Assessments by Cloud Customers. In Proceedings of IEEE International Conference on Cloud Engineering (IC2E), pages 78-87, 2013, Acceptance rate: 22 / 107 = 20.6%.




- Pape, S.; Schöch, C. and Wegner, L.: Bringing Bérardier de Bataut's Essai sur le récit to the Web: Editorial Requirements and Publishing Framework (Poster). In Poster at: TEI 2010, The 2010 Conference of the Text Encoding Initiative Consortium, 2010.





- Greveler, U.; Laskov, P. and Pape, S.: Sicherer Umgang mit sensiblen Daten - technische Prävention und Reaktionen auf Datenschutzverletzungen. In GI Jahrestagung: Informatik 2009: Im Focus das Leben, Beiträge der 39. Jahrestagung der Gesellschaft für Informatik e.V. (GI), 28.9.-2.10.2009, Lübeck, Proceedings, pages 186-190, GI, LNI 154, 2009.




- Pape, S.: A Survey on Untransferable Anonymous Credentials (extended abstract). In Pre-Proceedings of the IFIP/FIDIS Summer School on "The Future of Identity in the Information Society", Brno, 2008.




- Pape, S. and Benamar, N.: Using Identity-Based Public-Key Cryptography with Images to Preserve Privacy (extended Abstract). In Pre-Proceedings of the IFIP/FIDIS Summer School on "The Future of Identity in the Information Society", Karlstad, 2007.





- Pape, S.; Dietz, L. and Tandler, P.: Single Display Gaming: Examining Collaborative Games for Multi-User Tabletops. In Workshop on Gaming Applications in Pervasive Computing Environments at Pervasive '04, 2004.




Book Chapters
- Schmid, M. and Pape, S.: Aggregating Corporate Information Security Maturity Levels of Different Assets. In Privacy and Identity Management. Data for Better Living: AI and Privacy - 14th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Windisch, Switzerland, August 19-23, 2019, Revised Selected Papers, pages 376-392, Springer Boston, IFIP Advances in Information and Communication Technology, 2019.




- Dax, J.; Hamburg, D.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Sichere Informationsnetze bei kleinen und mittleren Energieversorgern (SIDATE). In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 29, Universität der Bundeswehr, Neubiberg, 2018.





- Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand der IT-Sicherheit bei deutschen Stromnetzbetreibern. In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 69-74, Universität der Bundeswehr, Neubiberg, 2018.





- Dax, J.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Das SIDATE-Portal im Einsatz. In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 145-150, Universität der Bundeswehr, Neubiberg, 2018.





- Hamburg, D.; Niephaus, T.; Noll, W.; Pape, S.; Rannenberg, K. and Schmitz, C.: SIDATE: Gefährdungen und Sicherheitsmassnahmen. In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 51, Universität der Bundeswehr, Neubiberg, 2018.





- Kipker, D-K.; Pape, S.; Wojak, S. and Beckers, K.: Juristische Bewertung eines Social-Engineering-Abwehr Trainings. In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 112-115, Universität der Bundeswehr, Neubiberg, 2018.








- Harborth, D. and Pape, S.: Privacy Concerns and Behavior of Pokémon Go Players in Germany. In Privacy and Identity Management. The Smart Revolution - 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Papers, pages 314-329, Springer International Publishing, IFIP Advances in Information and Communication Technology 526, 2017.





- Pape, S.: Technische Bedingungen wirksamer Verschlüsselung. In Jahrbuch 2016, Deutsche Gesellschaft für Recht und Informatik, 2017, available via https://www.dgri.de/55/Publikationen/Schriftenreihe-der-DGRI.htm.





- Pape, S.: A Survey on Non-transferable Anonymous Credentials. In The Future of Identity in the Information Society, pages 107-118, Springer Boston, Brno, Czech Republic, IFIP Advances in Information and Communication Technology 298, 2009.



- Pape, S. and Benamar, N.: Using Identity-Based Public-Key Cryptography with Images to Preserve Privacy. In The Future of Identity in the Information Society, pages 299-310, Springer Boston, IFIP International Federation for Information Processing 262, 2008.




Theses
- Pape, S.: Requirements Engineering and Tool-Support for Security and Privacy.








- Pape, S.: The Challenge of Authentication in Insecure Environments.






- Pape, S.: Sicherheitsmodelle für das Ajtai-Dwork-Kryptosystem.

  Abstract: The aim of this diploma thesis was to investigate which security models are satisfied by the Ajtai-Dwork cryptosystem. To this end, various intentions and capabilities of a potential attacker were presented. The security models proposed by Bellare, Desai, Pointcheval and Rogaway in [BDPR98] and [BDPR01] emerged as the ones to be examined. On the one hand, this was because other attacks, such as the ciphertext-verification attack by Halevi and Krawczyk [HK99] or the reaction attack by Hall, Goldberg and Schneier [HGS99], could be reduced to chosen-plaintext attacks. On the other hand, other security goals such as plaintext awareness could not be applied to the Ajtai-Dwork cryptosystem in a suitable way. The different variants of the Ajtai-Dwork cryptosystem were therefore examined as to whether they can offer indistinguishability or non-malleability under chosen-plaintext attacks and (non-)adaptive chosen-ciphertext attacks. It turned out that none of the variants is secure in the sense of non-malleability under chosen-plaintext attacks (NM-CPA) or secure in the sense of indistinguishability under non-adaptive chosen-ciphertext attacks (IND-CCA1). In the case of the restricted variant, it sufficed to consider the idea of the reduction proof by Ajtai and Dwork. The reduction proof shows that an attacker who is able to distinguish encryptions of zero and one is also able to compute the private key. Since non-malleability under chosen-plaintext attacks can be reduced to indistinguishability under parallel attacks, the attacker has a decryption oracle at his disposal in both cases. With it he can distinguish encryptions of zero from encryptions of one and thus obtain the private key.

  For the unrestricted variant this was only possible for indistinguishability under non-adaptive chosen-ciphertext attacks. However, we were able to show a parallel attack on the indistinguishability of the unrestricted variant. It exploits the fact that ciphertexts are points in n-dimensional space and that points lying close together can, with high probability, be regarded as encryptions of the same plaintext. The attacker can therefore query the decryption oracle for corresponding points and thereby obtain information about the ciphertext to be decrypted. The reduction proof of the main variant of the Ajtai-Dwork cryptosystem, however, could not be used directly for a non-adaptive chosen-ciphertext attack on indistinguishability. Instead, we were able to turn the reaction attack on the variant by Goldreich, Goldwasser and Halevi, shown by Hall, Goldberg and Schneier in [HGS99], into a successful attack on the main variant. The idea of the attack is to approximate the length of the private key vector through queries to the decryption oracle. Once the length of each dimension is known, further queries to the oracle reveal the sign of the respective dimension and thus the private key. Chosen-plaintext attacks on non-malleability could be carried out similarly to the attacks on the unrestricted variant. For non-adaptive chosen-ciphertext attacks on the indistinguishability of the variant by Goldreich, Goldwasser and Halevi, the reaction attack by Hall, Goldberg and Schneier just described could be used directly. However, two errors in the presentation in [HGS99] still had to be corrected. For this variant, too, chosen-plaintext attacks on non-malleability could be carried out similarly to the attacks on the unrestricted variant.

  Since all attacks shown here exploit elementary properties of the Ajtai-Dwork cryptosystem, a 'repair' of the cryptosystem by simple modifications is not possible for any of the four variants. As already indicated in the introduction, however, it weighs more heavily that chosen-plaintext attacks on the Ajtai-Dwork cryptosystem were also found by Nguyen and Stern [NS98, NS99]. These used lattice basis reduction algorithms to approximate the shortest vector problem and thus compute the private key. As Nguyen and Stern show, this requires keys so immensely large that practical use of the Ajtai-Dwork cryptosystem is out of the question. As an outlook, we refer to the cryptosystem developed by Regev [Reg03b], whose security is based on the worst-case hardness of the n^(1.5)-unique shortest vector problem. A thorough investigation of this system was not possible within the scope of this diploma thesis. The attack on non-malleability under chosen-plaintext attacks could, however, be transferred from the Ajtai-Dwork cryptosystem to Regev's system.


Datasets
- Harborth, D. and Pape, S.: Dataset on Actual Users of the Privacy-Enhancing Technology Jondonym. IEEE Dataport, 2020.




- Harborth, D. and Pape, S.: Dataset on Actual Users of the Privacy-Enhancing Technology Tor. IEEE Dataport, 2020.




Techreports and Other Contributions
- Goeke, L.; Pape, S. and Tsakirakis, G.: THREAT-ARREST serious games v2. Technical Report Deliverable 4.9, Threat-Arrest, 2021.





- Miller, V. M.; Miller, M.; Rannenberg, K.; Niknia, A.; Arastouei, N.; Pape, S.; Skarmeta, A.; Ferreira, A.; Markatos, E.; Matyas, V.; Crabu, M.; Lopez, J.; Fernandez, C.; Pasic, A.; Omerovic, A.; Lafuente, A. L.; Angelini, M.; Hemetsberger, L.; Halunen, K.; Krenn, S.; Annicchino, P.; Kamm, L.; Goodman, D.; Goodman, R.; Surinx, D.; Preuveneers, D.; Sterlini, P.; Kadenko, N.; Douligeris, C. and Benzekri, A.: Clustering results and SU-ICT-03 project CONCERTATION conference year 1. Technical Report, CyberSec4Europe, 2020.






- Canavese, D.; Lioy, A.; Pedone, I.; Regano, L.; Hatamian, M.; Löbner, S.; Pape, S.; Arastouei, N.; Skarmeta, A.; Hita, A. and Bernal, J.: Cybersecurity outlook 1. Technical Report, CyberSec4Europe, 2020.






- Halunen, K.; Cheminod, M.; Beckerle, M.; Durante, L.; Preuveneers, D.; Kompara, M.; Martinie, C.; Bernabe, J. B.; Garofalo, G.; Tesfay, W. B.; Pape, S.; Palanque, P.; Crispo, B. and Gupta, S.: Usable security & privacy methods and recommendations. Technical Report, CyberSec4Europe, 2020.






- Crispo, B.; Gupta, S.; Halunen, K.; Kompara, M.; Preuveneers, D.; Palanque, P.; Beckerle, M.; Martinie, C.; Hita, A. and Pape, S.: Usability Requirements Validation. Technical Report, CyberSec4Europe, 2020.






- Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Pape, S.; Leftheriotis, G.; Tsakirakis, G.; Bravos, G. and Kunc, M.: Initial Prototype of Integrated THREAT-ARREST Platform. Technical Report, Threat-Arrest, 2020.





- Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudaki, S.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Quintanar, A.; Pape, S.; Tsakirakis, G. and Bravos, G.: Initial installation and usage guidelines for the THREAT-ARREST platform. Technical Report, Threat-Arrest, 2020.





- Frati, F. and Braghin, C., ed.: The Stakeholders' Engagement & Online Channels Report. Technical Report, Threat-Arrest, 2020.





- Sofia, S.; Konstantina, K.; Tsantekidis, M.; Pape, S.; Leftheriotis, G.; Chieti, A.; Oikonomou, F. and Bravos, G.: The THREAT-ARREST dissemination and exploitation report v.1 1. Technical Report Deliverable 8.5, Threat-Arrest, 2020.





- Koshutanski, H.; Tsantekidis, M.; Damiani, E.; Frati, F.; Cimato, S.; Riccobene, E.; Hatzivasilis, G.; Fysarakis, K.; Spanoudakis, G.; Blinder, O.; Vinov, M.; Hildebrandt, T.; Wortmann, D.; Rompoti, V.; Bravos, G.; Chatzigiannakis, V.; Beckers, K.; Pape, S.; Kunc, M. and Bašta, P.: THREAT-ARREST platform's initial reference architecture. Technical Report Deliverable 1.3, Threat-Arrest, 2019.





- Beckers, K.; Goeke, L.; Pape, S. and Bravos, G.: THREAT-ARREST THREAT serious games v1. Technical Report Deliverable 4.2, Threat-Arrest, 2019.







- Harborth, D. and Pape, S.: German Translation of the Concerns for Information Privacy (CFIP) Construct. Technical Report, SSRN, 2018.




- Harborth, D. and Pape, S.: German Translation of the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2) Questionnaire. Technical Report, SSRN, 2018.




- Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht. Technical Report, Universität Siegen, 2018.





- Dax, J.; Ivan, A.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: IT Security Status of German Energy Providers. Technical Report, Cornell University, arXiv, 2017.





- Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht. Technical Report, Universität Siegen, 2017.





- Harborth, D.; Herrmann, D.; Köpsell, S.; Pape, S.; Roth, C.; Federrath, H.; Kesdogan, D. and Rannenberg, K.: Integrating Privacy-Enhancing Technologies into the Internet Infrastructure. Technical Report, Cornell University, arXiv, 2017.





- Ochoa, M.; Pape, S.; Ruhroth, T.; Sprick, B.; Stenzel, K. and Sudbrock, H.: Report on the RS3 Topic Workshop "Security Properties in Software Engineering". Technical Report, Universitätsbibliothek der Universität Augsburg, Universitätsstr. 22, 86159 Augsburg, 2012.






- Pape, S.; Schöch, C. and Wegner, L.: A Framework for TEI-Based Scholarly Text Editions. Technical Report, Universität Kassel, 2010.





- Wolf, C.; Pape, S. and Porada, L.: Leitfaden zur Gründung von GI - Studierendengruppen (GI-SG). 2010.



- Pape, S.: Some Observations on Reusing One-Time Pads within Dice Codings (abstract). Technical Report, in Tagungsband zum 10. Kryptotag, Workshop der Fachgruppe Angewandte Kryptologie in der Gesellschaft für Informatik, 2009.




- Pape, S.: Templateless Biometric-Enforced Non-Transferability of Anonymous Credentials (extended abstract). Technical Report, Weimar, in Book of Abstracts of the 2nd Weekend of Cryptography, 2008.




- Pape, S.: Embedding Biometric Information into Anonymous Credentials. Technical Report 68, in Extended Abstracts of the Second Privacy Enhancing Technologies Convention (PET-CON 2008.1), 2008.



