Richard Barnes (@rlbarnes) just kicked off #RealWorldCrypto with a great overview of MLS, a new proposed standard for group message encryption. There’s still time to contribute: mlswg.github.io

Joanne Woodage (@joannewoodage) outlines a really cool attack on Facebook’s abuse reporting mechanism for encrypted messages. A great example of how popular schemes like AES-GCM can be easily misused. #RealWorldCrypto

The team also came up with a new one-pass authenticated encryption scheme based only on collision-resistant hash functions. It’s somewhat reminiscent of the Keccac team’s Keyac encryption based the a sponge construction: keccak.team/keyak.html

Subhash Sankuratripati from @Snap is speaking on the deployment of E2E encryption, which launched in 2018 and now encryptes 1B snaps/s. Supporting multiple devices with forward secrecy was a huge problem because of confirmation and retry issues (~2% failure rate).#RealWorldCrypto

Now for the Cryptography and Politics section. Insights from working for U.S. congress from @shaananc and Gabriel Kaptchuk. What works with politicians is statements like: “TLS 1.3: good, SSLv2: bad” #RealWorldCrypto

And now @mattblaze attempts to convince the crowd that crypto mean cryptography but not voting. He’s making a pretty convincing case that voting security is hard and crypto magic will likely make things worse rather than better. #RealWorldCrypto

The 2019 Max Levchin prizes go to Mihir Bellare and Eric Rescorla!

In the secure communications session, @kaepora goes into detail about the Noise Explorer project (noiseexplorer.com) and announces a new feature: the ability to automatically generate Noise handshake implementations in both JavaScript and Go. Coming very soon.

Now @cesarghali from Google goes into detail about ALTS, a protocol first developed back in 2007 to add TLS-like security to internal RPCs using protobufs. It’s currently used in over 10B RPCs per second (actually per second this time).

It was a very, very short break.

Now Hugo Krawczyk goes on to explain a new password-authenticated key exchange algorithm called OPAQUE.

Paper:
eprint.iacr.org/2018/163.pdf

IETF draft:
tools.ietf.org/html/draft-kra…

#RealWorldCrypto

It’s the first PAKE secure against precomputation attacks since the salt is never sent in the clear.

More password work presented by @eyalronen. He presents a method to help protect the Internet from large scale attacks by enabling servers to identify popular passwords (heavy hitters). #RealWorldCrypto

Correction: @eyalr0, who I actually follow. Thanks Twitter autocorrect!

Catching back up as I was distracted by digging into how to shoehorn OPAQUE into TLS 1.3.

There were three talks in the Crypto Usability section. The first was by Joshua Baron, in which he went into DARPA's Investments in Real World Cryptography. Garbled RAM, Oblivious RAM, Fuctional Secret Sharing, Differential Privacy but no zero-knowledge proofs!

Next, Bailey Kacsmar and @chelseakomlo went in depth into secret sharing schemes such as the one used by @FreedomofPress's Sunder (github.com/freedomofpress…) and concluded that they're not ready for use in many real world scenarios.

Michelle Mazurek shared some of the knowledge gained by the programming contest they created to study how developers write secure code (builditbreakit.org). Some takeaways: concept errors are more common than bad decision and non-attempts are more common than mistakes.

Day 2! Encryption at Scale in AWS by Matt Campagna. KMS is now a huge system integrated in over 50 AWS services. At this scale collisions are a real problem, so deterministic IVs are necessary.#RealWorldCrypto

Applying Proxy-Re-Encryption to Payments by Sivanarayana Gaddam of Visa. In an attempt to reduce reliance on HSMs for pin encryption, they came up with system built on proxy-re-encryption. The scheme used (BBS98) is CPA but not CCA secure, which prompted audience questions.

Managing keys for teams. @maxtaco explains the decisions made by Keybase to support teams. Some choices: a user-centric approach focused on devices instead of keys, post-compromise security by default but opt-in forward secrecy, checkpoints every 4 hours on the bitcoin blockchain

In the Cryptographic Implementation session: Jasper van Woudenberg of @Riscure's talk "Practicing the art and science of side channel and fault attacks" explores the implementation of cryptographic algorithms down at the physical layer. Fun graphs, too. #RealWorldCrypto

Bartosz Przydatek from Google is now introducing Tink, a multi-platform cryptography library focused on clean and hard to misuse APIs. Joint work with @XorNinja, Daniel Bleichenbacher and others. github.com/google/tink #RealWorldCrypto

Tink goes beyond the functionality of other libraries by providing key management interfaces to enable the use of features like key rotation without a lot of pain. #RealWorldCrypto

And now the ⚡⚡⚡ round. I'll try to capture what I can.

First, Vipin Bharathan says: don't bash blockchain! Also, Hyperledger needs help by cryptographers.

Second, @BenarrochDaniel announces the second @zkproof standardization conference.

Greg Rubin from AWS Crypto Tools is working on generic tools for crypto along with AWS tools. He needs your help! docs.aws.amazon.com/aws-crypto-too…

Yevgeniy Dodis wants to talk with people about how to generate random numbers safely.

Christopher Allen (@ChristopherA) of TLS 1.0 fame is proposing a decentralized identifier. It's not just about blockchains. Read more: w3c-ccg.github.io/did-primer/

Brent confessed his downward trajectory into blockchain addition.

DLT (distributed ledger technology) job ad for company that's doing work in Australia.

Sergey Gorbunov of @Algorand and @UWaterloo is looking at standardizing BLS signatures.

Jermiah of subspace.network is looking for a cryptographer interested in proof of space

Jonas from easysafe.io wants you to hack his devices.

Hiring alert by @CryptoQuantique

Scott (@CiPHPerCoder) wants is interested in Wordpress and PHP and wants people to review ed25519 signatures in Wordpress 5.2 and is interested in plugin signing with a Black2b

Sam Scott sam@kee.sh is building a unified encryption/authentication layer

Apoorvaa Deshpande: What if we want to prove that we don't know something: Proof of ignorance! eprint.iacr.org/2018/896

Hunter from Google like a new password scheme from Bitcoin that is similar to on correcthorsebatterystaple but produces short passwords classypasswords.com

I missed his name, but he has a new Bleichenbacher '06 attack to be presented at NDSS and he's looking for a job.

Katriel (@katrielalex) announces a March 7th crypto day in London

@hashbreaker is bitching about @united and has a bunch of drink vouchers valid until the end of the month

Key Transparency is cool! @garybelvin points out keytransparency.org

talks.sharemind.cyber.ee I think

Bartosz from Tink has a new key backup project: github.com/google/svalbard

DSA and ECDSA cracks in blockchains by @nadiaheninger eprint.iacr.org/2019/023

Jeff from @web3foundation (@jeffburdges) is interested in mixnets

Hash to curve: invitation to help @armfazh with datatracker.ietf.org/doc/draft-irtf…

@pag_crypto: new encrypted database work! eprint.iacr.org/2019/011

Peter Gaži and Aggelos Kiayias and Dionysis Zindros New result about blockchains: eprint.iacr.org/2018/1239

Summer school ad that went too fast

Job at Mozilla by @ThylaVdMerw

correction @ThylaVdMerwe

Lightning talks over. Back to #realworldcrypto

Afternoon session: Cryptography Standardization. @sudo_jorden talks Direct Anonymous Attestation (DAA). Pairing-based attestation used in newer trusted platform modules (TPM 2.0), FIDO 2.0, and EPID for Intel SGX. Lets you check credentials anonymously. Here be dragons.

So how hard is solving LWE anyway? @martinralbrecht has done the hard work so you don't have to. The efficiency of sieving vs. enumeration in different scenarios is still being determined. Also, quantum doesn't help sieving very much because it's suited to unstructured searches.

Next, Atul Luykx on the story of the standardization of lightweight crypto designed by the NSA (Simon, Speck). SWEET32 bumped key and block size to 128 bits. In the end WG said that the security properties are not well understood and rejected it. ISO is tough place to do crypto.

Daniel Genkin and @yuvalyarom are on a roll with respect to side-channel attacks. FORESHADOW is family of side-channel attacks on Intel's SGX secure enclave. It can be used to extract the enclave's private attestation key, among other things in memory. foreshadowattack.eu

Catching up on the rest of the sessions on Thursday: Joe Kiniry gave an overview of RISC-V (pronounced risk five), an open hardware platform with a simplified instruction set. Big players such as NVIDIA are looking into using it due to simplicity and the lack of license fees.

True2F: Backdoor-resistant authentication tokens, was presented by Emma Dauterman. The idea is that U2F can be improved using verifiable random functions (VRFs) to ensure that compromised hardware tokens are unable to exfiltrate key material in-protocol. arxiv.org/abs/1810.04660

The last talk of the day was "Fast, Furious and Insecure" by @LennertWo. Keyless entry attacks on real world supercars using cryptographic attacks and cheap hardware. Nice demo and fun talk. Don't use 40-bit keys! wired.com/story/hackers-… #RealWorldCrypto

Day 3! Formal Verification. Andres Erbsen introduces fiat-crypto, a tool that formalizes crypto optimization and proves it correct with Coq. Verified implementations can be faster than hand-tuned C implementations. Some ECC crypto from fiat-crypto is now part of BoringSSL!

Verified Vectorized Cryptography by Karthikeyan Bhargavan. The HACL* library is a toolkit for implementing cryptography from formally verifiable first principles. It includes vectorized implementations on multiple platforms. Code has landed in the Firefox web browser and Linux.

Towards an Open Source, Formally Verified Secure Processor: Srini Devadas explores how optimizations and security requirements often contradict each other and side channels are waiting to be discovered around every corner. #RealWorldCrypto

Friday, session 2: Advanced Cryptographic Primitives. Mariana Raykova explores some advanced primitives such as secure multi-party computation, differential privacy, zero-knowledge proofs, private information retrieval and their applications to machine learning.

Deploying MPC for Social Good. @lcyqn explains how MPC is used to aggregate wage data from Boston businesses, and how Callisto uses OPRF and threshold encryption for detecting serial perpetrators of sexual misconduct. github.com/multiparty

Kurt Nielsen of Partisia on transparent zero-knowledge computations with use cases related to secure key management, blockchain privacy, identity management and other threshold applications. An attempt to sell the vision of a more private blockchain ecosystem.

On to the Blockchain and Cryptocurrency sections of the conference. Yehuda Lindell kicks it off with a threshold ECDSA signature scheme. #RealWorldCrypto

Neha NaruIa is now breaking down IOTA. Weird things: ternary data representation, home-brew hash function (Curl-P-27), Winternitz One-Time Signatures. DCI found a chosen message signing attack by colliding the hash function. Weird response by IOTA but the issue is now fixed.