🤞 fingers crossed 🤞 that #realworldcrypto 2022 will actually be in Amsterdam IRL 🦠
First up in the Group Messaging session:

#REALWORLDCRYPTO Image
How secure is Bridgefy in real world usage? Not open source, had to reverse engineer and decompile the Android app.

#REALWORLDCRYPTO Image
Partial disclosure of vulnerabilities, but not on the app store description 🤔

#REALWORLDCRYPTO Image
Bridgefy claims now that they implement the Signal protocol. Mesh-network style Signal would be neat...if that's what they've actually done. No third-party review to confirm.

#REALWORLDCRYPTO Image
Evaluate the properties of your protocol or app in the circumstances it is actually used!!!

#REALWORLDCRYPTO Image
Q: Is there a place for PKCS#1 v1.5 padding in modern crypto?

A: This work shows, perhaps there isn't.

(I agree.)

#REALWORLDCRYPTO
Q: Example of the security goals of a generic mesh protocol?

A: An open question.

#REALWORLDCRYPTO
Q: Mesh vs standard security model for Signal?

A: In Signal you can forget users' location; in a mesh, their proximity is relevant.

#REALWORLDCRYPTO
Next up, E2E for Zoom

#REALWORLDCRYPTO Image
There was a first whitepaper put out in May 2020

#REALWORLDCRYPTO Image
(All versions of the whitepaper are available here:

github.com/zoom/zoom-e2e-…)

#REALWORLDCRYPTO
Mmm mmm long term device keys for long-term id

#REALWORLDCRYPTO Image
Every meeting has a meeting leader, which can be rotated

#REALWORLDCRYPTO Image
(it's funny that a presentation about zoom is happening over zoom)

#REALWORLDCRYPTO
"Zoom identities are mutable", different devices, emails, etc

#REALWORLDCRYPTO Image
Key transparency tree! (Has this been deployed yet? )

#REALWORLDCRYPTO Image
External IdPs can sign/attest to their users as they interact with Zoom's identity infra (has this been integrated with any IdP yet?)

#REALWORLDCRYPTO Image
OK yeah several of these are planned, not deployed yet

#REALWORLDCRYPTO Image
Q: Bearer token issues?

A: Plan to use different type of token...

#REALWORLDCRYPTO
Q: Do you get E2E benefits without signing up with an email?

A: Yes, will need to rely on security codes to establish ID because you won't have linkable ID between sessions.

(I discussed this exact thing in a blog post ;) zfnd.org/blog/so-you-wa…)

#REALWORLDCRYPTO
A: Each participant uploads streams of different resolutions, no merging done by the server

#REALWORLDCRYPTO
Q: MLS?

A: Zoom is synchronous, not async, so we can use ephemeral keys; we don't provide forward secrecy _within_ the meeting, just _between_ meetings, so MLS is not quite applicable.

#REALWORLDCRYPTO
Q: How often do on-device ID keys change?

A: In practice we don't expect device keys to change often (which is a tradeoff between privacy and security)

#REALWORLDCRYPTO
Q: SRTP? Media metadata leaks?

A: Everything is under a TLS connection....

#REALWORLDCRYPTO
Next up:

#REALWORLDCRYPTO Image
🔧🔧🔧

#REALWORLDCRYPTO
How do you (safely) ratchet key material forward if one of the previously trusted group members has been compromised?

#REALWORLDCRYPTO
This is Post Compromise Security

#REALWORLDCRYPTO
omg more trees 🌲

#REALWORLDCRYPTO Image
To recover, update secrets on the path to the root

#REALWORLDCRYPTO
But there may be a race condition, all have a tradeoff

#REALWORLDCRYPTO Image
- minimal overhead in comms when _t_ users try to recover concurrently
- can a group ratchet protocol reach this minimum?

#REALWORLDCRYPTO
A result: _t_-Concurrency

#REALWORLDCRYPTO
Tradeoff exists but it's not _too_ bad

#REALWORLDCRYPTO Image
Q: If you are hiding metadata, do you have to do trial encryption?

A: No: Signal encrypts all messages, group or 1:1, the same way, the group membership is separate; in this protocol, these messages are indistinguishable from normal usage patterns

#REALWORLDCRYPTO
Next up is the Multiparty Computation session, starting with 'Lessons and Challenges in Deploying (Heavy) MPC in Different Environments' by Yehuda Lindell, Valery Osheter and Samuel Ranellucci, presented by Yehuda Lindell

#REALWORLDCRYPTO
Engineering, not cryptographic, solutions exist to make these protocols more practical in SaaS solutions

#REALWORLDCRYPTO Image
Next up, 'The Red Wedding: Playing Attacker in MPC Ceremonies', presented by Omer Shlomovits

iacr.org/submit/files/s…

#REALWORLDCRYPTO Image
Reviewing the 'Diogenes' RSA modulus generation paper

#REALWORLDCRYPTO
A thousand participants! (Why so many?)

#REALWORLDCRYPTO Image
Last up, 'Senate: A Maliciously Secure MPC Platform for Federated Analytics', presented by Rishabh Poddar

#REALWORLDCRYPTO Image
circuits!

#REALWORLDCRYPTO Image
Senate allows decomposed execution securely

#REALWORLDCRYPTO Image
query planning to plan optimal decomposition

#REALWORLDCRYPTO
Allow only trees, not graphs

#realworldcrypto Image
145X faster than baseline benchmarks, and 13/22 analytics benchmark queries

#realworldcrypto
Q: Implementation?

A: Yes, tested.

#REALWORLDCRYPTO
Have tested up to 16 parties

#REALWORLDCRYPTO
Q: How do you ensure that decompositions are valid?

A: Require that each sub is efficiently invertible

#REALWORLDCRYPTO
That's all the talks for the day, social time nao!

#REALWORLDCRYPTO
My dear followers, I will have to cover the invited talk on isogenies by @luca_defeo after the fact, it pains me 😭 💫

#realworldcrypto
Q: Are you surprised that NIST has relegated SIKE to the 'consolation' bracket?

A: No, it's a bit early; not surprised that lattices and McEliece are the preferred candidates.

#realworldcrypto
Next up, Signatures

#realworldcrypto Image
Randomness failures have real-world implications, even side channels.

#realworldcrypto Image
BLEICHENBACHERRRRR

#realworldcrypto Image
Lattice vs Fourier attacks

#realworldcrypto Image
"Hey uh, where can I acquire some nonce leakage?"

#realworldcrypto Image
But, it's constant time! 😅

#realworldcrypto Image
ECDSA nonce very sensitive!

Also applies to Schnorr sigs

#realworldcrypto Image
Next up, MuSig2: Simple Two-Round Schnorr Multi-Signatures, presented by Tim Ruffing

#realworldcrypto
_multi_, not _threshold_, signatures

#realworldcrypto Image
For use in... CYBER COINS 😏

#realworldcrypto
(disclosure: i work on a cyberrr co1n)

#realworldcrypto Image
Extremely here for keeping the on-chain data simple
(Great for privacy!)

#realworldcrypto Image
Want non-interactive, and public

#realworldcrypto
"You have probably learned what nonces are from the previous talk" 😁

#realworldcrypto Image
This nice linearity in the verification underlies all the Schnorr-based signature schemes

#realworldcrypto
An _insecure_ multi-signature

#realworldcrypto Image
Throw in an exponent derived from a hash and you protect against rogue-key attacks

#realworldcrypto Image
Instead of a pre-commitment round, every sender sends 2 pre-nonces, the proper nonce is a random linear combination of those

#realworldcrypto Image
Shout out to FROST!

#realworldcrypto Image
Convergence on multiple pre-nonces as input to linear combination. Proved under ROM+AGM+OMDL _or_ ROM+OMDL

#realworldcrypto Image
Q: What's the difference between multi and threshold sigs?

A: N-of-N vs T-of-N where T < N

Q: 2-user case?

A: Having 1-of-2 is not particularly helpful? But our scheme does work for it.

#realworldcrypto
eg FROST is in the threshold setting

#realworldcrypto
These schemes should all be marry-able if you want

#realworldcrypto
Q: ECDSA?

A: No, depends on the nice linearity inherent in Schnorr, would be hard and cumbersome
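Added example (mine, not the MuSig2 authors' code): the scheme as sketched in this talk, in a toy Schnorr group, showing the hashed key-aggregation exponent that blocks rogue keys, the two pre-nonces combined by a hashed coefficient, and the verification linearity that lets partial signatures simply be added. It assumes a safe-prime group found at import time and SHA-256 standing in for the random oracles.

```python
"""Toy MuSig2 over a Schnorr group: the order-q subgroup of Z_p^*, p = 2q+1.

Added example, not the MuSig2 authors' code. The real scheme runs on
secp256k1; this ~62-bit group is a toy chosen only to make the algebra visible.
"""
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for all 37 < n < 2**64."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(start: int):
    """First safe prime p = 2q+1 with q >= start. 4 = 2^2 is a quadratic
    residue, hence a generator of the prime-order-q subgroup."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _safe_prime_group(1 << 62)

def _hash_to_zq(tag: bytes, *parts) -> int:
    """Domain-separated hash into Z_q; the tag selects H_agg, H_non or H_sig."""
    h = hashlib.sha256(tag)
    for x in parts:
        x = x if isinstance(x, bytes) else x.to_bytes(16, "big")
        h.update(len(x).to_bytes(4, "big") + x)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def key_agg(pubkeys):
    """X = prod X_i^{a_i}, a_i = H_agg(L, X_i). Because a_i depends on the whole
    key list L, a signer cannot pick X_i so that the honest keys cancel out."""
    coeffs = [_hash_to_zq(b"agg", *pubkeys, Xi) for Xi in pubkeys]
    X = 1
    for Xi, ai in zip(pubkeys, coeffs):
        X = X * pow(Xi, ai, P) % P
    return X, coeffs

def nonce_gen():
    """Round 1: two pre-nonces per signer, no commitment round."""
    r1, r2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (r1, r2), (pow(G, r1, P), pow(G, r2, P))

def sign_round2(x, secret_nonce, a_i, X, R1, R2, msg):
    """Round 2: effective nonce R = R1 * R2^b, with b hashed from every
    pre-nonce, so whoever sends last cannot steer R. s_i is linear in r and x."""
    b = _hash_to_zq(b"non", X, R1, R2, msg)
    R = R1 * pow(R2, b, P) % P
    c = _hash_to_zq(b"sig", X, R, msg)
    r1, r2 = secret_nonce
    return R, (r1 + b * r2 + c * a_i * x) % Q

def verify(X, msg, R, s) -> bool:
    """Ordinary Schnorr check g^s == R * X^c: the verifier cannot tell an
    aggregate signature from a single-signer one."""
    c = _hash_to_zq(b"sig", X, R, msg)
    return pow(G, s, P) == R * pow(X, c, P) % P

def musig2_sign(n=3, msg=b"constructed sample message"):
    """Full n-of-n session; returns (aggregate key X, R, s)."""
    keys = [keygen() for _ in range(n)]
    X, coeffs = key_agg([Xi for _, Xi in keys])
    nonces = [nonce_gen() for _ in range(n)]
    R1 = R2 = 1
    for _, (R1i, R2i) in nonces:  # aggregate the pre-nonces
        R1, R2 = R1 * R1i % P, R2 * R2i % P
    s = 0
    for (x, _), (sec, _), a_i in zip(keys, nonces, coeffs):
        R, s_i = sign_round2(x, sec, a_i, X, R1, R2, msg)
        s = (s + s_i) % Q  # linearity: partial signatures just add up
    return X, R, s

def rogue_key_check(honest_pub: int):
    """Why the hashed exponent matters: for X2 = g^y * X1^{-1}, naive
    aggregation X1*X2 collapses to g^y (one party's key); key_agg does not."""
    y = secrets.randbelow(Q - 1) + 1
    X2 = pow(G, y, P) * pow(honest_pub, -1, P) % P
    naive_collapses = honest_pub * X2 % P == pow(G, y, P)
    hashed_collapses = key_agg([honest_pub, X2])[0] == pow(G, y, P)
    return naive_collapses, hashed_collapses
```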

#realworldcrypto
Next up, WEB AUTH N 🎉

Presented by Emil Lundberg

#realworldcrypto
Specifically, 'Asynchronous Remote Key Generation: An Analysis of Yubico’s Proposal for W3C WebAuthn'

#realworldcrypto
(pets one of my many Yubikeys lovingly)

#realworldcrypto
Mmm mmm JavaScript

#realworldcrypto Image
You can use your phone secure enclave as an authenticator!

#realworldcrypto Image
One problem is that sometimes keys get lost 😬

#realworldcrypto Image
Very real usability and system design constraints that affect adoption

#realworldcrypto Image
Proposal: pair a primary and backup authenticator

#realworldcrypto Image
Asynchronous Remote Key Generation (ARKG)

(pssst try Ristretto! 😉)

#realworldcrypto Image
Key, key handle stored with service

#realworldcrypto Image
PK-unlinkability
SK-security

#realworldcrypto Image
Proof relies on dlog and PRF-ODH assumptions

#realworldcrypto Image
Current runtime, 100ms, this scheme would double it, but these are ~one time registration/recovery operations

#realworldcrypto
Q: Can you do multiple backups?

A: Yes, no limit.

#realworldcrypto
Q: Can you confine backup keys to only work with some relying parties?

A: Yes, you register a backup key with relying parties, so you can choose not to do that.

#realworldcrypto
Q: What about host malware, trying to pretend it is a backup when you register?

A: PIN must be entered on the authenticator first

#realworldcrypto
Q: Can I have one backup for 5 primary keys?

A: Yes! On the one service, using the backup, the 5 primary keys would be revoked (this is the server-side logic).

#realworldcrypto
Next session, on Humans, Policy, and Crypto

Starting with, 'Mental Models of Cryptographic Protocols - Understanding Users to Improve Security', presented by Katharina Krombholz

#realworldcrypto
Configuring TLS! 😭

#realworldcrypto Image
"Admins were incapable of making informed security decisions"

"I'm afraid of using crypto"

😭

#realworldcrypto
How can we measure the mental models users have of security tools and protocols? (Just asking them is not so easy.)

#realworldcrypto
Best case mental model of HTTPS (turns out to be very sparse!)

#realworldcrypto Image
"Worse-case mental model has some...strange assumptions" 😬

#REALWORLDCRYPTO Image
All APIs, designs, interfaces, that we use, shape the mental models of our users

#realworldcrypto Image
Even if they are experts

#realworldcrypto Image
Q: How do we know that 'human' is the right level of abstraction to understand this problem, vs 'developers' or?

A: Yes, we focus on 'users', which was developed by technology developers; where else do we go, maybe theoreticians?

#realworldcrypto
Q: What should the role of human factors work in the development of crypto standards?

A: I wish this perspective is incorporated in standardization too

#realworldcrypto
Q: How much do users need to _understand_ the crypto? Shouldn't the browser take care of this for them?

A: Yes: à la conservation theory, to protect the end users, we should protect the admins, the designers, the developers, who are upstream in the ecosystem

#realworldcrypto
Next up! 'Protecting Cryptography against Self-Incrimination', presented by Sarah Scheffler

#realworldcrypto
SCOTUS! Compelled decryption!

#realworldcrypto Image
Mmm mmm the 5th (but only covers 'testimonial' action)

#realworldcrypto Image
'Foregone conclusion' doctrine is now being used to compel device decryption

#realworldcrypto Image
Are you testifying that you know a password, or because the password unlocks your cloud drive, that you know the contents of your cloud drive?

#realworldcrypto Image
Formalize 'learn nothing' using simulation 🧠

#realworldcrypto Image
(i love this)

#realworldcrypto
"What determines nature?" 🤔 🤔 🤔

#realworldcrypto Image
"The encryption cases are so all over the place that it's hard to create a reliable benchmark" 😂

#realworldcrypto
"If such a [backdoor key] existed, it would make the whole compelled decryption a foregone conclusion" 😱

#realworldcrypto Image
It seems like having a password stored in your brain meat is actually protective in this model against compelled decryption

#realworldcrypto
"FC-resilient"

#realworldcrypto Image
paper at Usenix

#realworldcrypto Image
(fire alarm!, and a break!)

#realworldcrypto
Next up, invited talk on the NIST PQC competition!

#realworldcrypto Image
Even without a current quantum computer, you can just save the protected data until it is available.

#realworldcrypto Image
How long? "It's been 10-15 years away for at least 10-15 years" 😉

#realworldcrypto
Requirements:

#realworldcrypto Image
Opening round had ~80 submissions, 20+ broken quite quickly 😉

#realworldcrypto
Merges, updates, more breakage in the second round

#realworldcrypto Image
For round 3 selections, two tracks: finalists, and alternates

Alternates have a _potential_ of eventual standardization

#realworldcrypto Image
Lattices! Codes!

#REALWORLDCRYPTO Image
Lattice-based KEMs in the third round

#realworldcrypto Image
Code-based KEMs, and the alternate, SIKE! 💫

#realworldcrypto Image
Lattice-based and hash/blockcipher-based post-quantum signatures:

#realworldcrypto Image
Cryptanalysis continues!

#realworldcrypto Image
"Don't want all our eggs in one basket"

#realworldcrypto Image
3rd round expected to continue up to another 12 months, followed by a 4th round

#realworldcrypto Image
'Done' by 2024 🤞

#realworldcrypto
Other challenges:

- IP
- benchmarking
- side channel analysis
- real world experiments (like Chrome, Cloudflare TLS experiments)
- Hybrids!

#realworldcrypto
Transition guidelines will definitely help

#realworldcrypto Image
Stateful hash-based signatures were not included in the NIST competition; they are not the same as standard-use digital signatures and have been standardized by the IETF; if you are _careful_ about using them, they are quantum-resistant

#realworldcrypto Image
Q: Will criteria such as PKE-robustness inform the selections?

A: Try to weigh everything including that

#realworldcrypto
Q: Does NIST help get IP contention issues resolved?

A: Trying to work behind the scenes to help clear up any IP questions by the end of the 3rd round.

#realworldcrypto
Next up, the post-quantum session!

Starting with 'Attacks on NIST PQC 3rd Round Candidates' presented by Daniel Apon and James Howe

#realworldcrypto
Types considered:

#realworldcrypto Image
Only presenting attacks against specific candidates

#realworldcrypto Image
Summary:

#realworldcrypto Image
Lattices make up more than 50% of the attack targets

#REALWORLDCRYPTO
Integrating hints from the side-channel into the lattice-reduction attack algorithm 🤯

#realworldcrypto Image
Masking vs non-masking, NTT vs non-NTT

#realworldcrypto Image
Masking floating-point arithmetic is an open problem

#realworldcrypto Image
- implementation complexity will significantly increase with these standards
- more attack vectors? more countermeasures?
- fragile/sensitive ops

#realworldcrypto Image
(And this is mostly re: lattices!)

#realworldcrypto
A question (more of a comment, really) about conflating attacks on implementation vulns and against constructions

#realworldcrypto
Q: Does the existence of fault attacks imply anything?

A: There may be categories of side-channel attacks that exploit a property of the algorithm, which can allow you to distinguish between schemes that are similar; that's important.

#realworldcrypto
Next up, 'Separate Your Domains: NIST PQC KEMs and Pitfalls in Implementing Random Oracles', presented by Hannah Davis

#realworldcrypto
Round 1 KEM (DAGS) was leaking over half the bits of the session key directly in the ciphertext, none of these were caught in the first round (eliminated for other reasons) 😱

#realworldcrypto
Why? Multiple hash functions in the spec, but only the same one in the implementation.

#realworldcrypto Image
Oracle cloning! 🔮🔮

#realworldcrypto Image
What about domain separation?

In practice it's not always used, or is done poorly, and this isn't being caught in evals.

#realworldcrypto
What other methods? How about a more rigorous definition?

#realworldcrypto
First step: classification

#realworldcrypto Image
Attacked schemes have been eliminated from NIST PQC, but these attacks were not found before then.

#realworldcrypto
From the good ones, good oracle cloning methods are distilled

#realworldcrypto Image
*taking furious notes*

#realworldcrypto Image
Can be catastrophic, just use one oracle cloning method from the toolbox; one candidate has already done this 🎉

#realworldcrypto
A: Big problems arise when the spec expects 3 different hash functions, and only one is used for all usages. Static analysis may not catch all cases

#realworldcrypto
A: Our hope is that putting specific oracle cloning methods into specifications will become more common, rather than leaving it up to the implementor.
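Added example (constructed, not code from the talk or its paper) of the oracle-cloning point above: a made-up spec with two oracles, instantiated three ways, scoring how many session-key bits the ciphertext tag gives away, plus the variable-length-prefix mistake that turns "prefixing" into no separation at all.

```python
"""Oracle cloning for a toy KEM-style construction.

Added example, not code from the talk or its paper; a constructed illustration
of the failure it describes. The (made-up) spec uses two random oracles: the
ciphertext carries a confirmation tag T = H1(m) and the session key is
K = H2(m). Instantiating both as the same hash makes T == K, so the ciphertext
leaks the whole session key.
"""
import hashlib
from typing import Callable, Tuple

Oracle = Callable[[bytes], bytes]

def identity_cloning() -> Tuple[Oracle, Oracle]:
    """The broken pattern: every oracle in the spec becomes the same hash."""
    h = lambda data: hashlib.sha256(data).digest()
    return h, h

def prefix_cloning() -> Tuple[Oracle, Oracle]:
    """Prefixing: distinct fixed-length tags, so H1 and H2 never hash the same bytes."""
    def clone(tag: bytes) -> Oracle:
        assert len(tag) == 1  # fixed length; see sloppy_prefix_collision()
        return lambda data: hashlib.sha256(tag + data).digest()
    return clone(b"\x01"), clone(b"\x02")

def output_splitting() -> Tuple[Oracle, Oracle]:
    """Output splitting: one wide hash, H1 takes the first half, H2 the second."""
    wide = lambda data: hashlib.sha512(data).digest()
    return (lambda data: wide(data)[:32]), (lambda data: wide(data)[32:])

def encaps(m: bytes, H1: Oracle, H2: Oracle) -> Tuple[bytes, bytes]:
    """Toy encapsulation: (public confirmation tag, secret session key)."""
    return H1(m), H2(m)

def leaked_key_bits(tag: bytes, key: bytes) -> int:
    """Number of key bits an eavesdropper reads off the tag position-by-position
    (about half of 256 for independent strings, all 256 when tag == key)."""
    return sum(8 - bin(a ^ b).count("1") for a, b in zip(tag, key))

def compare_methods(m: bytes = b"constructed 32-byte seed value..") -> dict:
    """Run the same spec under each instantiation and score the leak."""
    methods = {"identity": identity_cloning(),
               "prefix": prefix_cloning(),
               "split": output_splitting()}
    return {name: leaked_key_bits(*encaps(m, H1, H2))
            for name, (H1, H2) in methods.items()}

def sloppy_prefix_collision() -> bool:
    """Variable-length tags are not domain separation: tag 0x01 on data
    0x02||m and tag 0x01||0x02 on data m feed identical bytes to the hash,
    so the two "oracles" overlap. Returns True when the collision happens."""
    m = b"constructed message"
    H_a = lambda d: hashlib.sha256(b"\x01" + d).digest()
    H_b = lambda d: hashlib.sha256(b"\x01\x02" + d).digest()
    return H_a(b"\x02" + m) == H_b(m)
```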

#realworldcrypto
Last talk, 'Post-Quantum Crypto: The Embedded Challenge', presented by Joppe Bos

#realworldcrypto
What counts as an embedded device?

#realworldcrypto Image
Key concerns:
- secure boot
- over-the-air update

If this is PQ-secure, you can deliver the remaining updates via that platform.

#realworldcrypto Image
Comparing X25519 and lattice-based competitors (but Cortex M4 is considered 'high end' for a lot of the domains mentioned previously)

#realworldcrypto Image
Stack _usage_ in bytes 🤯

#realworldcrypto Image
love me some 19th century German

#realworldcrypto Image
People are asking for quantum-resilient crypto no matter what, gotta get ready

#realworldcrypto Image
Q: Why does NTRU use so much more stack than Kyber?

A: Not sure if inherent to the scheme or an implementation tradeoff to get more speed.

#realworldcrypto
Q: Schemes mandated use of NTT, does that matter?

A: For some embedded devices that is an unfortunate performance impact, maybe make it optional

#realworldcrypto
A: New hardware optimized for winners of the NIST PQC? Codes vs lattice need completely different types of co-processors, so we kinda have to look at using the hardware we have.

#realworldcrypto
And now, lightning talks! 🌩️🌩️🌩️

#realworldcrypto
I will say the organizers are extremely efficient and uh, well-organized, with their Zoom'ing. 👏

#realworldcrypto
@dstebila speaking on CHES 2021 call for artifacts, to improve reproducibility of crypto research

#realworldcrypto
@FiloSottile on AGE! 'A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability'

github.com/FiloSottile/age

#realworldcrypto
New: a plugin system, allows Yubikey support!

#realworldcrypto
@kobigurk on proof-of-stake blockchain, doing an MPC set up for the params for the circuit

#realworldcrypto
Yaron Gvili on a Swift hash function implementation, look for 'secure homomorphic hash'

#REALWORLDCRYPTO
Greg from MSR security and crypto team about remote internships open for this summer! careers.

#REALWORLDCRYPTO
Cheap plug from myself about hiring at the @ZcashFoundation ;)

#realworldcrypto
Question about modelling bittorrent protocol

#realworldcrypto
@str4d on modeling: trial decryption to scan for notes is slow, we'd like something like a detection key without revealing it, useful for Zcash

#realworldcrypto
Emil replies about 'dual-stealth key' protocol re: Bitcoin

#realworldcrypto
From Daniel Apon on NIST PQC monthly seminar talks:
groups.google.com/a/list.nist.go…

#realworldcrypto
And done with the program for the day, social time!

#realworldcrypto
Back for day 3 of #realworldcrypto! The first invited talk of the day by Carmela Troncoso on 'Privacy by Design -- From Theory to Practice in the Context of COVID-19 Contact Tracing', on the DP-3T protocol, which influenced the iOS | Android one

Next up, Vanessa Teague (@VTeagueAus) on a dovetailing talk, 'Unintended Privacy Problems in Some Centralized and Decentralized COVID-19 Exposure Notification Systems'

#REALWORLDCRYPTO
@VTeagueAus An unusual example in which an app failing at its core value proposition is undetectable by users.

#realworldcrypto Image
@VTeagueAus Now fixed privacy and security issues in the Australian COVIDSafe app:

#realworldcrypto ImageImageImage
"For centralized apps like COVIDSafe, inferring social graph edges is the least of our worries." 😭

#realworldcrypto
Some variants of this app allow uploading optional extra exposure information to, say, a health authority/the government; it all depends on whether ExposureInfo is shuffled before upload; was fixed in June 2020

#realworldcrypto Image
If Annika opts in to uploading detailed ExposureInfo, and if the metadata is enough to re-identify Bob, Charlie and Dan’s records, the authorities can tell whether a record for Wit appears after them.

#realworldcrypto
- decentralized apps protect the privacy of users' social graph much more than centralized ones
- GAEN apps much better than centralized apps

#realworldcrypto Image
Q: Android location services needed to be turned on for the app to run?

A: Required to be turned on if any app is scanning for BLE pings; the app itself did not use location services (did not ping back to Google); it's unclear whether this allows Google to correlate

#realworldcrypto
Next up, 'Exposure Notification System May Allow for Large-Scale Voter Suppression' presented by Rosario Gennaro

#realworldcrypto
In the US, contact tracing is state-by-state per the health authorities, all the apps rolled out use the Google | Apple Exposure Notification interoperable API (GAEN)

#realworldcrypto Image
How do we increase adoption of a public health intervention? We can learn lessons from other campaigns, such as successful campaigns for PrEP adoption to combat HIV

#realworldcrypto Image
Relay attacks as a tactic towards voter suppression in the US elections?

#realworldcrypto Image
Can a relay attack against these COVID alert apps dissuade election-day voters? (Aside: this is why vote by mail was a huge campaign in the US, to avoid COVID impacts on votes getting counted)

#realworldcrypto Image
Suggestion to suspend notifications just for election day, just in case.

#realworldcrypto Image
"Why not suspend notifications? We think it was a PR issue"

#realworldcrypto
Q: Is this still a problem if most people vote by mail ?

A: Those are good countermeasures to this, but there are still a large number of ballots cast on election day; a compromise of an official government channel in a way that affects the vote could still make a diff

#realworldcrypto
Next up, 'Privacy-Preserving Bluetooth Based Contact Tracing --- One Size Does Not Fit All', presented by Eyal Ronen

#realworldcrypto
In Israel, a lot of public health information is available

#realworldcrypto Image
Apparently 'automatic' contact tracing in Israel has not been super effective?

#realworldcrypto Image
'BLE contact tracing, BLE contact tracing everywhere'

#realworldcrypto Image
Privacy vs Explainability tradeoff

Balancing false negatives, privacy, and useful notifs

#realworldcrypto Image
For contact tracing, we don't necessarily need to know geo locations, just proximity and duration

#realworldcrypto
1.0: GPS-based solution, low resolution. Why not GPS and BLE?

#realworldcrypto Image
2.0: no one installed it

#realworldcrypto Image
(surprise)

#realworldcrypto
Q: Did HamAgen expose the GPS data of infected users to the rest of the country?

A: No.

#realworldcrypto
Next up, 'Privately Connecting Mobility to Infectious Diseases via Applied Cryptography', presented by Lukas Helminger

#realworldcrypto
This work is orthogonal to contact tracing

#realworldcrypto
Aggregating mobility data of infected people, that may catch potential superspreader events early, with small numbers. Problem so far is privacy.

#realworldcrypto Image
Throw a whole bunch of hot techniques at it

#realworldcrypto Image
"Techniques from bulletproofs" tell me moar

#realworldcrypto
Oh, this relies on mobile operators doing things correctly? 😬

#realworldcrypto
Q: what is the timespan for a single heatmap rated at 2 hours / 10 USD?

A: Last 7 days of mobility data.

#realworldcrypto
Q: are there two variants of the protocol for semi-honest/malicious adversaries, and is there a performance hit if so?

A: We can split them up; there is not much overhead from semihonest to malicious models

#realworldcrypto
They used SEAL from MSR for the homomorphic encryption

#realworldcrypto
Q: are there difficulties due to different sets of researchers and different mobile data providers all having separate datasets?

A: Those are issues we'd have to solve when/if this is rolled out

#realworldcrypto
Break!
Next up, "Rosita: Towards Automatic Elimination of Power-Analysis" presented by Yuval Yarom

#realworldcrypto
Using the "elmo" leakage emulator and a tool called Rosita that they wrote, to find leakage and rewrite code to remove side channels

#realworldcrypto
Comparing a masked impl of AES, vs a processed version, removes the leak. Adding new instructions slows down by 15% and 64% for ChaCha

#realworldcrypto Image
Q: Is the masking compiler dependent? Will switching compiler optimization level matter?

A: Independent; switching compiler optimizations changes the code generation, but has no effect as we apply our fixes in the assembly itself.

#realworldcrypto
Q: Can you identify "patches" where you only need to re-order instructions, rather than add new ones? To save impacting performance etc.

A: Not yet; we insert dummy instructions that change the execution to one that has no interactions at the microarch level

#realworldcrypto
Q: What happens when the CPU gets smarter and starts reordering the instruction stream?

A: Pipelining isn't yet baked into the tool; we are targeting Cortex-M3, and for anything more complex we'd need to re-evaluate

#realworldcrypto
Next up, 'RISC-V Scalar Crypto' presented by Markku-Juhani Saarinen

#realworldcrypto Image
Multiple flavors of RISC-V

#realworldcrypto Image
"scalar" crypto here means 'not-vector', in 32bit registers, etc

#realworldcrypto
Lightweight AES: doing t-tables in hardware

#realworldcrypto Image
For 64bit, use wider registers to process 128-bit block over two instructions

#realworldcrypto Image
Lightweight SHA2 support maps well to several FIPS 180-4 functions

#realworldcrypto Image
Making sure this meets the entropy source requirements for several standards

#realworldcrypto Image
How do I do constant time? Use crypto extensions, avoid table lookups, branches. Krypto defines encoding rules for constant-time multiply. A compiler flag should activate it.

#realworldcrypto Image
Also the NIST PQC finalists are performing well on it, good SHA3 helps

#realworldcrypto
Q: Any spec for the RNG entropy source?

A: We have a paper here; a lot of design rationale is in the spec itself, with pitfalls to avoid.

#realworldcrypto Image
Q: When designing the crypto extensions, Yes; for timing the important ones are table lookups, so we wrapped that up; there are proposals in the spec for constant-time sboxes

#realworldcrypto
Q: Bignum? I'd love to have a simple way to do carry chains and multiply-accumulates with the full width in the hardware.

A: Can use 8 bits out of 64bits as a carry, works on scalar and vectorized instructions;

#realworldcrypto
Next up, 'CacheOut and SGAxe: How SGX Fails in Practice' presented by Stephan van Schaik

#realworldcrypto
Reminder of 2018

#realworldcrypto Image
Now you can no longer leak in the L2 cache (?), but there are plenty of other microarchitectural attacks remaining

#realworldcrypto
Intel mitigated MDS

#realworldcrypto Image
Doesn't fix that you _can_ leak, just flushes buffers frequently enough to make it less likely

#realworldcrypto Image
How do we exploit evictions?

#realworldcrypto Image
Leaks enough to extract things in SGX

#realworldcrypto Image
Love 2 remotely attest my leaky enclave

#realworldcrypto Image
Intel can't invalidate SGX too quickly, requires BIOS updates 😬

#realworldcrypto
Ayup, SGX in Signal (this is live now)

#realworldcrypto Image
Allows short and memorable pins

But this attack allows leaking those pins from SGX, with side channel knowledge

#realworldcrypto
#realworldcrypto Image
Leak, then brute force 4-digit PIN

#realworldcrypto
Assumes a malicious Signal server with access to the cluster

#realworldcrypto Image
Q: Mitigations in the signing bot against abuse?

A: Can only allow certain fields; no evidence of anyone trying to misuse the bot

#realworldcrypto
Q: Other threat scenarios?

A: Experimental: using it combined with Ethereum

#realworldcrypto
Q: Which mainstream architectures have been microcode patched?

A: Intel is the only one affected, haven't heard about others being affected.

#realworldcrypto
Next up, 'My other car is your car: compromising the Tesla Model X keyless entry system', presented by Lennert Wouters

#realworldcrypto
FOB. Fob. Fob is a computer.

#realworldcrypto Image
Has a secure element 👀

#realworldcrypto
It's a BLE peripheral, with over the air download, allowing easier overwriting of firmware on the keyfob; Tesla has mitigated this slightly

#realworldcrypto Image
Can unlock the car

#realworldcrypto Image
How useful

#realworldcrypto Image
Say you 'lost' your keyfob: how do you pair a new one? 🕵️‍♀️

#realworldcrypto Image
RSA will never die 😒

#realworldcrypto Image
We can modify a keyfob and check all the provisioning-related steps, and go straight to pairing.

#realworldcrypto Image
Did not modify the keyfob firmware, but removed secure element and emulated it in Python

#realworldcrypto Image
Disclosed, patched in Nov 2020, Tesla awarded a bounty 💸

#realworldcrypto Image
Demo 😁

#realworldcrypto
The car is completely disjoint from the provisioning and pairing protocol for a new key fob.

#realworldcrypto
Tesla has a second factor (a PIN code) that you can enable so that it is also required, along with the fob, to start the car, but that may also be bypassable.

#realworldcrypto
Not requiring a power cycle for a new fob seems to be intended to make the lives of service technicians easier

#realworldcrypto
Next up! Formal Analysis

#realworldcrypto
'SoK: Computer-Aided Cryptography', presented by Kevin Liao from MIT 🦫

#realworldcrypto
(damnit, that's supposed to be a beaver emoji)

Helps improve current human-effort, error-prone processes

#realworldcrypto Image
TLS vs ✨TLS 1.3✨

#realworldcrypto Image
Minimizes room for error

#realworldcrypto
Writing constant-time code is not 'natural' and tricky to get right.

#realworldcrypto Image
Deployed software and processes 🎉

#realworldcrypto Image
⚠️ formal models != real world, simplifications are necessary to model

#realworldcrypto Image
In order to carry formal guarantees down the stack, we have to check our assumptions and that they continue to hold as we go layer to layer. // @fugueish

#realworldcrypto
@fugueish
- Embrace design changes that simplify/modularize reasoning
- Verified compilers, scale assembly verification
- Security-oriented hardware-software contract at the ISA level
- Consolidate each layer of guarantees

#realworldcrypto Image
@fugueish We don't need it to be perfect, just need to keep the bar higher than attackers can get over

#realworldcrypto Image
Q: X509?

A: No efforts that I'm aware of

#realworldcrypto
Q: Formal methods not just for crypto?

A: Crypto is the sweet spot: not a huge volume of code vs a kernel, the benefits far outweigh the costs, may not be the same for every system

#realworldcrypto
Q: How much of this depends on invisible compiler optimizations?

A: There are some verified compilers that preserve side-channel countermeasures

#realworldcrypto
last up for the day, 'Verifpal: Cryptographic Protocol Analysis for the Real World' by Nadim Kobeissi

#realworldcrypto
Collaborators Georgio Nicolas and Mukesh Tiwari sound to be on the job market soon 🎓

#realworldcrypto
That's today, one more day tomorrow!

First up on the last day of #realworldcrypto, Eli Ben-Sasson on 'Scaling Computations on Blockchains with ZK-STARKs' Image

Gotta read this post

#realworldcrypto Image
'For short proofs, SNARKs like Groth16, for everything else, STARKs' 😊

#realworldcrypto
"Why don't Bitcoin or Ethereum compete at scale to Visa or Swift?

Your laptop can't do it."

#realworldcrypto Image
Relying on the hardness of a hash function (eg SHA3) makes STARKs theoretically quantum-resistant 🎉

#realworldcrypto Image
AIR-FRI STARKs

#realworldcrypto Image
😳 writing this code doesn't scale well

#realworldcrypto Image
Mmm love a compiler 💕

#realworldcrypto Image
Q: Cairo is a new DSL, among others for proof systems, where does Cairo fit?

A: it's more like assembly for this VM, allows memory access, branching, Turing complete, more similar to TinyRAM. Cairo is production-grade, integrated in existing blockchains

#realworldcrypto
Q: Does this apply to Bitcoin in any way?

A: Would require Bitcoin to have a STARK verifier of some sort;

#realworldcrypto
Q: How has your view of the diff between STARKs & SNARKs changed over the last year w/ transparency for SNARKs too?

A: if the length of the arg is the thing you want to minimize, Groth16 is king; for proving time, verifying time, min assumptions, STARK wins

#realworldcrypto
Q: In this architecture, can you prevent front-running?

A: Question of sequencing txs, in our system there is an operator, in others, zkRollup, pushes the sequencing to the blockchain

#realworldcrypto
Next up, 'Attacking Threshold Wallets' presented by Omer Shlomovits

#realworldcrypto
(For an example of threshold sigs, check out FROST!

eprint.iacr.org/2020/852.pdf)

#realworldcrypto Image
'Forget & forgive'

#realworldcrypto ImageImage
Another against threshold ECDSA

#realworldcrypto Image
MPC and TSS offer high assurance on paper thanks to math proofs, but remain susceptible to misimplementations or overlooked threat vectors

#realworldcrypto
Q: Have these attacks affected prod systems?

A: They have affected exchanges and been disclosed and patched responsibly.

#realworldcrypto
I think N=18 is the largest I've encountered, but it's usually much lower than that; complexity makes it hard and slow to use w/ large N

#realworldcrypto
Q: stateful vs stateless? e.g. failing to delete/overwrite shares, reusing nonces, etc

A: If you can be stateless it eliminates a lot of vulns

#realworldcrypto
Next up, 'From Crypto-Paper to Crypto-Currency: the Cardano Consensus Layer', presented by Christian Badertscher

#realworldcrypto
"Protocol must take into account that some (some!) participants are rational, and must be incentivized" 😁

#realworldcrypto
🐍:ouroboros:🐍

#realworldcrypto Image
The macroscopic properties of the system must be enumerated, checked against the spec, and possibly tested via property-based tests (❤️)

#realworldcrypto Image
👏 property 👏 based 👏 tests 👏

#realworldcrypto Image
Transition from a federated set of nodes

#realworldcrypto Image
An open network is one where anyone can send you data, so you must design with the worst-case behavior in mind.

#realworldcrypto Image
Q: Property-based testing?

A: Aggressive filtering of incoming data; we can do that because Proof-of-Stake determines blocks, which allows forecasting. Our prop tests revealed that an expected behavior did not arise; just a very general property test caught this

#realworldcrypto ImageImage
Next up, 'Alice in Randomland: How to Build and Use Distributed Randomness Beacons', presented by Bernardo David

#realworldcrypto
It's not enough just to have intuition that your protocol works; a proof that works with arbitrary compositions is also needed.

#realworldcrypto
ooo VRFs!

#realworldcrypto
_threshold_ VRFs

#realworldcrypto Image
Each construction has a security/efficiency tradeoff.

#realworldcrypto Image
Combine them?

#realworldcrypto
Next up, 'SWiSSSE: System-Wide Security for Searchable Symmetric Encryption' presented by @kennyog

#realworldcrypto
(omg @SchmiegSophie and @XorNinja are coming up soon too!)

#realworldcrypto
Symmetric techniques only! For efficiency reasons

#realworldcrypto
mmm mmm key-value stores for everybody

#realworldcrypto Image
☁️ 🗃 🔒

#realworldcrypto Image
Existing security notions in the literature do not take into account the actual fetching of the documents 👀

#realworldcrypto Image
Two key-val stores: encrypted search index and encrypted doc array

#realworldcrypto Image
Reduces most but not all leakage 🇨🇭💦

#realworldcrypto Image
Uses standard HMAC-SHA-256, AES-GCM, Java+JCE, and a Redis server. 6X overhead vs plaintext

#realworldcrypto Image
Huge improvement over ORAM

#realworldcrypto
We welcome adversarial cryptanalysis in case we missed something

#realworldcrypto Image
In the general setting, we consider the server adversarial (ie, your cloud provider). Also a network attacker, maybe they can see volumes and directionality of traffic, that is taken into account in this model.

#realworldcrypto
Q: What client storage is necessary for this scheme? What about multiple writers?

A: This is a single-writer scheme; in our paper we give worst-case stash size estimates

#realworldcrypto
Q: what happens if a client crashes while processing / writing back a query? Does the system stay available, secure?

A: No impact on security if they crash

#realworldcrypto
Q: Fancier query types?

A: Not yet, this is single key fetch queries

#realworldcrypto
Next up, 'In Band Key Negotiation: Trusting the Attacker' presented by @SchmiegSophie

#realworldcrypto
@SchmiegSophie JWT 😭

alg='none' 🔥

#realworldcrypto Image
@SchmiegSophie 'alg=none' is not the only problem, it's having an alg field at _all_

#realworldcrypto Image
@SchmiegSophie It isn't just JWT, it's a common issue elsewhere; the key is associating metadata about how to verify with the ciphertext/signature itself

#realworldcrypto Image
@SchmiegSophie Can swap out AES-GCM with AES-CBC, and start guessing

#realworldcrypto Image
@SchmiegSophie Avoiding this class of problem in Tink (github.com/google/tink): store the metadata with the _key_

All the keys in the keyset are equally trusted

#realworldcrypto Image
Key ids can just be random integers

#realworldcrypto
Ciphertext now includes 3 parts:

- version id
- key id
- the rest of the ciphertext/sig

If a key gets compromised it must be removed from the key set

#realworldcrypto
Never trust the ciphertext! It is controlled by the attacker.

Key metadata is part of the key!

Key IDs only within a key set, carefully!

#realworldcrypto Image
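As an added example of the keyset design sketched in the last few tweets (not Tink's code and not the speaker's), a hypothetical `Keyset` that keeps algorithm metadata with the key, prefixes each MAC tag with a version byte and a random key id, and on verification takes the algorithm from the keyset entry rather than from the attacker-controlled message. Names (`Keyset`, `hash_name`, `VERSION`) are assumptions of this example.

```python
import hmac
import os
import secrets
import struct

# Hypothetical keyset modelled on the talk's design; not Tink's actual API.
VERSION = b"\x01"


class Keyset:
    def __init__(self):
        self.keys = {}       # key_id -> (hash_name, key_bytes): metadata lives with the key
        self.primary = None  # key id used when producing new tags

    def add_key(self, hash_name, key_bytes=None, key_id=None):
        # Key ids are just random integers; only the id travels with the tag.
        key_id = secrets.randbelow(2**32) if key_id is None else key_id
        self.keys[key_id] = (hash_name, key_bytes or os.urandom(32))
        self.primary = key_id  # newest key becomes primary (rotation)
        return key_id

    def remove_key(self, key_id):
        # A compromised key is removed; anything tagged under it stops verifying.
        del self.keys[key_id]

    def mac(self, data):
        hash_name, key = self.keys[self.primary]
        tag = hmac.new(key, data, hash_name).digest()
        # Output = version id | key id | the rest (the HMAC tag)
        return VERSION + struct.pack(">I", self.primary) + tag

    def verify(self, data, token):
        # Only the version and key id are parsed out of the untrusted token;
        # the algorithm comes from the keyset entry, never from the token.
        if len(token) < 5 or token[:1] != VERSION:
            return False
        key_id = struct.unpack(">I", token[1:5])[0]
        entry = self.keys.get(key_id)
        if entry is None:
            return False  # unknown or removed key: fail closed
        hash_name, key = entry
        expected = hmac.new(key, data, hash_name).digest()
        return hmac.compare_digest(expected, token[5:])
```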
Q: transport protocols?

A: In an interactive protocol, you negotiate the params before you do any crypto ops

#realworldcrypto
Q: Can detection of these problems be automated?

A: Determined by the crypto library, often the lib is fine but used in a way that impacts the properties of the larger scheme; automating at the correct scope is tough

#realworldcrypto
Q: so how does Tink handle PRF output? Just raw bytes?

A: Yes (basically)

#realworldcrypto
Q: Key metadata?

A: algorithm, params to the algorithm, everything you need to turn ~32 random bytes into an actual key

#realworldcrypto
Next up, 'Pancake: Frequency Smoothing for Encrypted Data Stores' presented by Paul Grubbs

#realworldcrypto
Frequency smoothing of access patterns 📈

#realworldcrypto Image
We need to make sure real and fake accesses are indistinguishable

#realworldcrypto
Randomly selecting from the real incoming query queue and the fake 'queue'

#realworldcrypto
Guarantees that the real vs ideal world are indistinguishable to the attacker

#realworldcrypto