Android Security Symposium 2017

Using threshold crypto to protect single users with multiple devices

About the speaker

Erinn Atwater

University of Waterloo, Waterloo, ON, Canada
Erinn is currently in the last year of her PhD in Computer Science at the University of Waterloo, where she is a member of the Cryptography, Security and Privacy (CrySP) lab and the Centre for Applied Cryptographic Research.
Her research interests span a variety of topics, mostly revolving around the obstacles that prevent widespread deployment of end-to-end encryption. Her thesis includes work on usable encrypted webmail and protecting keys across multiple devices. In the past, she has also worked on machine learning for behavioural authentication on smartphones, and genetic programming for classification of high-volume online data streams.
You can find Erinn online @errorinn or


The average computer user is no longer restricted to one device. They may have several
devices and expect their applications to work on all of them. A challenge arises when
these applications need the cryptographic private key of the devices' owner. Here the
device owner typically has to manage keys manually with a “keychain” app,
which leads to private keys being transferred insecurely between devices – or even to
other people. Even with intuitive synchronization mechanisms, theft and malware still
pose a major risk to keys. Phones and watches are frequently removed or set down, and
a single compromised device leads to the loss of the owner's private key, a catastrophic
failure that can be quite difficult to recover from.

We introduce Shatter, an open-source framework that runs on desktops, Android, and
Android Wear, and performs key distribution on a user's behalf. Shatter uses threshold
cryptography to turn the security weakness of having multiple devices into a strength.
Apps that delegate cryptographic operations to Shatter have their keys compromised only
when a threshold number of devices are compromised by the same attacker. We demonstrate
how our framework operates with three popular Android apps (protecting identity keys
for Signal and OTR apps, and encryption keys for a note-taking app) in a
backwards-compatible manner: only Shatter users need to move to a Shatter-aware version
of the app. Shatter has minimal impact on app performance, with signatures and
decryption being calculated in only seconds.


Get the slides here.