Martin's Blog Post: "Based on these ethnographic findings, we initiate the cryptographic study of at-compromise security"

19 Feb 2026

Our work – “At-Compromise Security: The Case for Alert Blindness” – was accepted at EUROCRYPT 2026; with “us” being Simone Colombo, Benjamin Dowling, Rikke Bjerg Jensen and, well, me.

Abstract. We start from the observation in prior work that cryptography broadly intuits security goals – as modelled in games or ideal functionalities – while claiming realism. This stands in contrast to cryptography’s attentive approach towards examining assumptions and constructions through cryptanalysis and reductions. To close this gap, we introduce a technique for determining security goals. Given that games and ideal functionalities model specific social relations between various honest and adversarial parties, our methodology is ethnography: a careful social science methodology for studying social relations in their contexts. As a first application of this technique, i.e. ethnography in cryptography, we study security at-compromise (neither pre- nor post-) and introduce the security goal of alert blindness. Specifically, in our 2024/2025 six-and-a-half-month ethnographic fieldwork with protesters in Kenya, we observed that alert blindness captures a security goal of abducted persons who were taken by Kenyan security forces for their presumed activism. We show this notion is achievable under standard assumptions by providing a construction secure in our model. We discussed both the notion and the construction with some interlocutors in Kenya.

As can be gleaned from the abstract, our work does two things. First, we introduce to cryptography a technique for establishing security goals (ethnography) that we then (as cryptographers) formalise in games or ideal functionalities. This starts from the observation that these security goals are typically intuited in cryptographic works yet, at the same time, claim realism. This is also the starting point of our project Social Foundations of Cryptography and you can find introductory ethnography-focused and cryptography-focused posts on our website. A notable and integral component of our work is that we did not validate some security notion after we came up with it, but rather that it emerged from our data. In other words, we (i.e. Rikke) did not go to Kenya to study at-compromise security but this focus emerged from the fieldwork.

Second, we study at-compromise security, i.e. security during a ‘compromise’, here an abduction by Kenyan President William Ruto’s security forces. That is, our data reveals how protection during such an abduction was a major concern during the 2024 Anti-Finance Bill protests in Kenya. In particular, several surviving targets of such abductions attribute their survival to their ability to inform others about being taken. Public calls for their release eventually led their abductors to let them go. Our data also revealed that the reason for these abductions at that time¹ was intelligence gathering about these unprecedented protests. Our security notion ‘exploits’ this adversarial goal to establish a covert channel to a remote server to raise the alarm, i.e. to realise the security goal of many of those targeted for abduction. However, given the brutality of these abductions, it was paramount that the abductors did not discover this act of defiance of their targets before protective mechanisms, such as those public calls for their release, could be deployed. That is, we want the alert to be blind. A consequence of this blindness requirement is that the cooperating server which registers the alarm will unconditionally return the correct decryption key: we surrender confidentiality to realise alert blindness. This – perhaps – counter-intuitive decision is well-justified from our data, and we consider this justification as a central contribution of this work.

We will also present our work at RWC 2026 and we are organising an autumn school on the social foundations of cryptography.