Final spell pass using grammarly

grammarly is pretty garbage

paper.tex

@@ -78,18 +78,17 @@ paper-based workflows that are error-prone and lead to healthcare providers ofte
 patient's medical records. Data in scope for the system includes medical letters, laboratory results, and medical
 imaging files.
 
-Due to Germany's mandatory health insurace laws, the system's user base encompasses the majority of all German
-residents. People who have replaced their public health insurance with private insurance currently are not subject to
+Due to Germany's mandatory health insurance laws, the system's user base encompasses the majority of all German
+residents. People who have replaced their public health insurance with private insurance as of now are not subject to
 the system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
 household income. This means that the system disproportionally affects people who have low income, creating an equity
 issue. While it is possible to opt out from the use of the system, the process of opting out is difficult. Additionally,
-both the government through advertising campaigns and health insurance providers have publically depicted the system in
-a one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a
-comprehensive understanding of the system's benefits and risks that would be necessary for an informed decision on
-opting out.
+the government and health insurance providers have publically depicted the system in a one-sidedly positive way, meaning
+that it is unlikely the majority of people subject to the system have a comprehensive understanding of the system's
+benefits and risks that would be necessary for an informed decision.
 
 While there has been loud criticism of the system's security from civil society organizations such as digital rights
-nonprofit organization Chaos Commputer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have
+nonprofit organization Chaos Computer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have
 been demonstrated practically, this criticism has largely been ignored by the political structures in charge. We observe
 that despite this civil society outrage and the system's large scale, it has received little attention from the academic
 cryptography and information security community.
@@ -108,26 +107,26 @@ bits of entropy\footnote{
 }. Finally, we note that according to specification, the only physical security requirement for the protection of this
 highly sensitive secret is a ``hard, opaque potting material'', with no tamper detection and response required.
 
-We base our analysis on the system's publicly available standards in their latest version as of writing of this paper in
-April 2025, describing version 3.0 of the healthcare record system \cite{
+We base our analysis on the system's publicly available standards in their latest version as of the writing of this
+paper in April 2025, describing version 3.0 of the healthcare record system \cite{
     gematikSpezifikationAktensystemEPA2025,
     gematikUbergreifendeSpezifikationVerwendung2024,
-}. We note that the implementation might well deviate from these standards and be more secure - however, with the
-system's history of flaws, we believe that is unlikely to be the case and the reference implementation provided by the
-specification authority \cite{GithubRepositoryERPFD} follows the standards' minimum requirements closely. As of now,
+}. We note that the implementation might well deviate from these standards and be more secure--however, with the
+system's history of flaws, we believe this is unlikely to be the case. The reference implementation provided by the
+specification authority \cite{GithubRepositoryERPFD} follows the specified minimum requirements closely. As of now,
 there is no meaningful way for either the public or for researchers such as us to ascertain the concrete implementation
 security of the system.
 
 \section{The Design of ePA}
 
-ePA is embedded into Germany's national public healtcare backend system ``Telematikinfrastruktur'' (TI). TI is a highly
+ePA is embedded into Germany's national public healthcare backend system ``Telematikinfrastruktur'' (TI). TI is a highly
 complex system, and a detailed description would exceed the limits of this paper. Briefly put, TI consists of a shared
 DMZ that parties like insurance providers and healthcare providers connect to through a VPN. At the client location,
-this VPN connection is created from a specialized VPN appliance named ``Konnektor'' that simultaneously hosts as a
-trusted environment executing some software for purposes such as authentication. The Konnektor hosts several smart cards
-that store keys used for authentication.
+this VPN connection is terminated by a specialized VPN appliance named ``Konnektor'' that simultaneously hosts a trusted
+environment executing some software for purposes such as authentication. The Konnektor hosts several smart cards that
+store keys used for authentication.
 
-Every person enrolled in the system as well as every healthcare professional providing services in it is issued a ID
+Every person enrolled in the system as well as every healthcare professional providing services under it is issued an ID
 card that contains a smart card that contains keys used to authenticate towards the central infrastructure. The primary
 use of these smart cards up to now is that when someone visits a healthcare provider, they will insert their ID card
 into a terminal so the healthcare provider can automatically fetch their personal information such as name, birth date,
@@ -148,7 +147,7 @@ encrypted records themselves. Records are symmetrically encrypted with keys that
 inside an HSM. While the current version of the standard is unclear on the exact mechanism of key derivation, in
 previous versions of the standard, the escrow service's root key, a random salt, and the healthcare ID number of the
 person owning the record was used in SHA256-HKDF. The specification requires that a new root key is generated once a
-year, but as far as we can tell, key rollover is not done automatically, but is only meant to be done when the
+year, but as far as we can tell, key rollover is not done automatically but is only meant to be done when the
 \emph{user} requests it, and old root keys must be retained forever to ensure old records can be accessed.
 
 \section{Related Work}
@@ -158,8 +157,8 @@ key escrow service. \textcite{fischlinKryptographischeAnalyseSpezifikation2021}
 dimension of the key escrow service used in an older version of the standard, and is now obsolete.
 \textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on the
 cryptography of the inner protocol layers spoken between the system's components. Industry research organization
-Fraunhofer SIT were comissioned for a structured, theoretical assessment of attack paths to the
-system \cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of
+Fraunhofer SIT was comissioned for a structured, theoretical assessment of attack paths to the system
+\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of
 independent academic security research on the system. 
 
 The design and operation of the system have been independently described in detail by civil society activists, who have
@@ -177,9 +176,9 @@ more scrutiny.
 \subsection{Use of Key Escrow}
 
 First, the system's general approach of using a key escrow service instead of securely storing the keys inside the
-system's already existing smart card infrastructure is concerning, given that this key escrow service poses as a
+system's already existing smart card infrastructure is concerning, given that this key escrow service poses a
 centralized security risk. The system's designers made this decision since it was deemed important that access to an
-encrypted record can be restored quickly after an insurance ID card is lost, without requiring cooperation of the
+encrypted record can be restored quickly after an insurance ID card is lost, without requiring the cooperation of the
 healthcare providers holding the primary copies of the person's medical records.
 
 While key escrow services have been a topic of political debate in decades past, in the cryptographic community,
@@ -195,7 +194,7 @@ surface \cite{
 The system's overall cryptographic design is intentionally kept simple. The standard explicitly mentions that symmetric
 primitives have been preferred over asymmetric primitives in the core key escrow functions due to the risk of an attack
 on asymmetric primitives in the long term. Notably, other advanced cryptographic techniques such as secret sharing
-schemes, oblivious pseudo-random functions or multiparty computation that could help with the security and privacy of
+schemes, oblivious pseudo-random functions, or multiparty computation that could help with the security and privacy of
 the key escrow service are also absent while the system relies extensively on the engineering-based security guarantees
 of TEEs and HSMs.
 
@@ -218,8 +217,8 @@ attacks on national digital infrastructure are a realistic concern.
 
 Physical security has received some consideration in the system's specification. First, smart cards are used extensively
 for authentication. Second, Hardware Security Modules are used in key locations of the system to process some
-cryptographic secrets. The core of the system's key escrow sevice is implemented inside an HSM. However, it is notable
-that the actual security level required of this HSM is only FIPS 140-2 level
+cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM. However, it is notable
+that the actual security level required for this HSM is only FIPS 140-2 level
 3 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. Not only has FIPS 140-2
 been superseded by FIPS 140-3 since
 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security level 3 mostly
@@ -229,8 +228,8 @@ coating is specified to be tamper-evident, but notably no active tamper detectio
 this standard. In contrast to the newer FIPS 140-3 standard and the related ISO/IEC 19790 \cite{ISOIEC19790} as well as
 ISO/IEC 24759 \cite{ISOIEC24759} standards, FIPS 140-2 does not make any particular requirements regarding resistance to
 side-channel attacks. The lack of tamper response, unspecified resistance to side-channel attacks and the fact that the
-ePA specification only requires the long-lived key escrow root key inside the HSM to have 256 bit of security lead to an
-unsatisfactory overall constellation.
+ePA specification only requires the long-lived key escrow root key inside the HSM to have 256 bits of security lead to
+an unsatisfactory overall constellation.
 
 \section{Conclusion}
 
@@ -239,7 +238,7 @@ standardization and implementation process, several cryptographic compromises en
 Even assuming that nation-scale key escrow is a good idea, the implementation of this key escrow system seems to stray
 from current best practice. The system uses a secret key with only 256 bits of entropy to derive highly sensitive secret
 keys for potentially tens of millions of people sharing an insurance provider. The cryptographic design of this escrow
-system is unsophisticated, ignoring the past three decades in crytographic developments in particular in multiparty
+system is unsophisticated, ignoring the past three decades in cryptographic developments particularly in multiparty
 computation (MPC) and other secret sharing techniques in favor of an engineering approach. In the engineering dimension,
 the system's physical security is only held to the basic level 3 of the obsolete FIPS 140-2 standard, which is
 considerably less secure than an average credit card payment terminal. The system's root keys are only protected by a