Deirdre Connolly
Apr 13, 2022 · 747 tweets
LIVE, IN THE FLESH, FROM AMSTERDAM, IT'S #REALWORLDCRYPTO!
@cryptojedi kicking off with logistics Image
Kicking off with, in fact, side channels: Spectre Declassified
Image
Secret annotations seem highly desired in many programming languages! Image
You had me at secure type systems

#realworldcrypto Image
"Under speculative execution, the invariants of our program may not hold." 😭

#realworldcrypto
Spectre can smuggle a private-typed value into the public domain. Some mitigations, incl. speculative load hardening

#realworldcrypto Image
"no mis-speculations detected"

#realworldcrypto
SLH can poison the speculative flow of secret values to the outside world

#realworldcrypto
"Skip the encryption itself" ??? 😳 👻

#realworldcrypto Image
Hate these microarchitectural side channels 😭

#realworldcrypto
Speculation fence into the declassification 👍 :fence-emoji:

#realworldcrypto Image
Mitigations with negligible performance impact with fencing, masking operations

#realworldcrypto
Because a value can never leak (🤔) we can skip 95% of masking operations

#realworldcrypto
Q: What happens when value speculation is introduced?

A: Haven't looked at it yet

#realworldcrypto
Q: Declassify does a lot, what if a function used once is safe, but again is not (like involving a nonce), can this be enforced with the type system?

A: Declassifier would check somewhat but that's getting beyond our classifier type system

#realworldcrypto
Q: Is data considered secret by default?

A: Must be marked explicitly

#realworldcrypto
Q: Ensure instructions before the fence are correctly executed?

A: lfence() ensures the instructions before MUST be executed before the lfence

#realworldcrypto
Q: All these attacks and mitigations feel like a cat and mouse game, should this be handled at the hardware level? Feels fragile on a micro/architectural change

A: Yesss? Need cooperation with vendors

#realworldcrypto
Next up, timing attack mitigations! Speaker: Ján Jančár

#realworldcrypto Image
Attacks that abuse timing leaks, but can be algorithmic, not hardware: branches / accesses that vary based on secret values

#realworldcrypto
Often you have to ✨hope✨ that the compiler doesn't optimize away your constant time mitigations, tools can help check that they persist to machine code

#realworldcrypto Image
Widely varying guarantees in these tools

#realworldcrypto
So why do timing attacks still exist? Ask developers!

#realworldcrypto Image
@RustCryptoOrg Lot of crypto devs may not be aware of these tools!

#realworldcrypto Image
@RustCryptoOrg Everyone knew about timing attacks! 🎉

#realworldcrypto Image
@RustCryptoOrg (I basically agree with this!)

#realworldcrypto Image
@RustCryptoOrg Constant time algorithms, and kinda just, hoping, the compiler doesn't mess them up

#realworldcrypto Image
(Come to HACS?!)

#realworldcrypto
Leaky pipeline!

#realworldcrypto Image
Automate all the things!

#realworldcrypto Image
Compilers should 'just' add this support (cc llvm 😅)

#realworldcrypto Image
Crypto competitions (like NIST PQC) should require / standardize constant-time code

#realworldcrypto Image
Custom tools, but also custom languages, which devs don't like because of integration issues/effort

Big divide between compiler authors and crypto devs re side channels

#realworldcrypto
Q: Which of these tools are actively maintained and 'industry ready'?

A: *chuckle* a few; 5 actively maintained; some tools are used in CIs of crypto libraries of big libs like AWS S2N (// @colmmacc )

#realworldcrypto
Q: Which tools would fit the trusted execution environment?

A: Depends if you have access to the code, or the binary, 'most' should work

#realworldcrypto
Next up, "Lend Me Your Ear: Passive Remote Physical Side Channels on PCs", presented by Daniel Genkin and Roei Schuster

#realworldcrypto Image
Software vs physical side channels

#realworldcrypto Image
hehehe 🕵️‍♂️

#realworldcrypto Image
Oh no. Oh NO—

#realworldcrypto Image
"My whistle shows up in the power spectrogram" 😭

#realworldcrypto
AAAAHHHH

#realworldcrypto Image
Building on Elie's work, using DNNs trained on power analyses to classify new traces and save humans lots of work

#realworldcrypto
Nonces are ⭐supposed⭐ to be kept secret in ECDSA

#realworldcrypto
DETERMINISTIC NONCES, YOU HAVE FAILED ME 😭

#realworldcrypto Image
"Non-constant time rendering"

#realworldcrypto Image
"The leak is happening because the target is rendering the attacker's avatar" 😹

#realworldcrypto
"This is the first example of a physical attack running across the internet, without the target running attack code." YEAH.

#realworldcrypto
Q: Did you find adding noise makes it hard for the DNN to detect?

A: Possible, did an experiment with interference, really trying to introduce truly random noise (not human white noise) can help, attack is only 94%, can lower accuracy

#realworldcrypto
Q: Are any particular codecs vulnerable?

A: 'Most of them?' Also depends on how close the microphone is

#realworldcrypto Image
I missed the question but:

#realworldcrypto Image
Q: Geolocation?

A: Haven't tried, we're very interested

#realworldcrypto
Coffee break!
Back! Next up, "Heavyweight Security via Lightweight Cryptography", presented by Meltem Sonmez Turan

#realworldcrypto Image
Some history on our old reliable AES

#realworldcrypto Image
AES is standing strong, but there are some new asks of our symmetric primitives

#realworldcrypto Image
"Real hardware constraints with smaller integers" 👀

#realworldcrypto Image
Shout out to @veorq for "Too Much Crypto" 😎

#realworldcrypto Image
Multi-round competition to develop new guidelines, recommendations and standards optimized for constrained devices

#realworldcrypto
Submission requirements here: csrc.nist.gov/CSRC/media/Pro…

#realworldcrypto
Didn't realize that the PQC competition was very popular, compared to other NIST competitions!

#realworldcrypto Image
Round 1: lots of things based on block ciphers, tweakable block ciphers, and hashes based on sponge constructions

#realworldcrypto Image
Round 2: evaluation

#realworldcrypto Image
[ Needs a third axis for some ad hoc 'security' metric ]

#realworldcrypto Image
10 candidates emerged from Round 2, round 3 happening now

#realworldcrypto
Relevant to the talks from the side channel session

#realworldcrypto Image
Upcoming, fifth workshop this May

#realworldcrypto
Don't let the name fool you, "lightweight" doesn't mean "weak", rather they are optimized to perform well and securely on constrained devices. Follow here: csrc.nist.gov/Projects/light…

#realworldcrypto
Q: After some of these lightweight primitives are finalized, does it make sense to use AES at all after?

A: They will not be as efficient as AES in servers / PCs where AES-NI instructions are available

#realworldcrypto
Next up, "Rugged Pseudorandom Permutations and Their Applications", presented by Jean Paul Degabriele

#realworldcrypto Image
"Nonce-set AEAD" 👀

(// @SchmiegSophie )

#realworldcrypto
@SchmiegSophie Variable-length tweakable cipher over a split domain

#realworldcrypto Image
Encode-then-Encipher paradigm

#realworldcrypto Image
Gives a scheme that is secure against misuse

#realworldcrypto
More compact ciphertext, use the nonce to authenticate the ciphertext

#realworldcrypto Image
Nonce-set AEAD

#realworldcrypto Image
Looks nice for order-resilient channels like QUIC, DTLS; need to handle out-of-order delivery of packets/records

#realworldcrypto Image
oooo Tor 🧅

#realworldcrypto
Q: This looks to help so much with protocol design, were you looking at things like QUIC when designing?

A: Yeah Tor, and some QUIC

#realworldcrypto
Next up, the Levchin prize!

#realworldcrypto
Nigel apologizes for not being @danboneh

#realworldcrypto Image
History:

#realworldcrypto Image
Ooo! Don Coppersmith!

#realworldcrypto Image
Don Coppersmith accepting via the internet

#realworldcrypto Image
"I started at IBM Research and sat next to Feistel" lol small world

#realworldcrypto
"IBM allowed me to work on things of my own taste, including signatures, discrete log; I was able to dabble with authentication schemes and public key schemes." Sounds like a lovely research environment 🥰

#realworldcrypto
"If you submitted a paper to CRYPTO/EUROCRYPT in the early 90s, and your paper was rejected because of a 'devastating attack', that was me." [applause]

#realworldcrypto
Some scheme that escaped Pandora's box? I missed it

#realworldcrypto
We absolutely have moved the internet on deployment of TLS, in huge part because of Let's Encrypt's work

#realworldcrypto Image
"It felt frustrating that [creating a new CA from scratch] was what had to happen, it's a lot of work." Support them! letsencrypt.org/donate/

#realworldcrypto
Only 11 engineers support Let's Encrypt! 🤯

#realworldcrypto
[ Cheap plug: it's hard to be a certificate authority! …tycryptographywhatever.buzzsprout.com/1822302/914639… ]

#realworldcrypto
Being free is essential to usability and availability [didn't think about that!]

#realworldcrypto
Resiliency is really important in the PKI ecosystem, automated revocation is work that will make this even better

#realworldcrypto
Privacy-preserving metrics coming too (talk later at rwc)

#realworldcrypto
Nigel: pls stop nominating Satoshi, they've been nominated 😂

#realworldcrypto
Lunchtime!
Back with Mallory Knodel!

#realworldcrypto Image
Compelled decryption and lawful intercept are system changes, it's not just about a single ciphertext

#realworldcrypto
"Direct E2E encryption messaging is now ubiquitous, so the laws are changing"

#realworldcrypto
Encryption protects children along with everyone else

#realworldcrypto
Encryption enables censorship circumvention

#realworldcrypto
Implications of interoperability requirements between E2EE services

#realworldcrypto
Bangladesh: "criminals are using e2ee services to plan [offline] crimes!" Motivates the ask for 'traceability'

#realworldcrypto Image
Ethiopia: after a workshop on how to do PGP-encrypted email, organizers arrested on allegations of being "spies" (!)

#realworldcrypto Image
Zimbabwe: gov claimed they could read E2EE'd WhatsApp messages, scared people enough to chill activity; if gov can't stop usage enough, they just block WhatsApp completely

#realworldcrypto Image
US: EARN-IT act
EU: Child Safety Act

Would embolden govs/actors around the world to also feel entitled to similar access

#realworldcrypto
Offer alternative narratives, watch alternative policies, don't forget civil liberties implications of things like compelled decryption, client-side scanning

#realworldcrypto Image
Need clear definitions of what End to End Encryption is, or others try to erode the definition while claiming to still be E2EE'd

#realworldcrypto
Q: Intellectual property law threats to encryption?

A: Proposed in the past, largely unpopular, in contrast to the client-side scanning, CSAM matching approaches

#realworldcrypto
Q: Web3, circumvent censorship?

A: In the EU there are things that get taken down, and the inability to ever take something down (like on a blockchain) presents problems

#realworldcrypto
Q: end-running E2EE via escrow, thresholds?

A: Eval'd a bunch of proposals, found most are unsatisfactory; NCMEC hash databases maintained by trusted parties and humans, the promise of confidentiality is gone (Apple too). User reporting is good, but see above

#realworldcrypto
Q: What if the democratic will wants to crack down on encryption?

A: In our offline lives, we have the right to whisper: allowing this online includes encryption; taking breaking encryption off the table may help us come up with better societal solutions

#realworldcrypto
Next up, "All about that Data: Towards a Practical Assessment of Attacks on Encrypted Search", presented by Amos Treiber

#realworldcrypto Image
"Benign leakage" 😭

#realworldcrypto Image
Tool: LEAKER, implementation of 17 major attacks in python ➛ github.com/encryptogroup/…

#realworldcrypto Image
Expectations of the frequency of user queries did not pan out in the data 😅

#realworldcrypto
Q: Factoring in weighted risk of occurrence?

A: No numerical analysis, intuition as to what level of revealing is 'bad'

#realworldcrypto
Next up, "A privacy attack on the SwissPost e-voting system", presented by Alexandre Debant

#realworldcrypto
E-voting system, audited by experts, obtain formal proofs, target: Sept 2022

#realworldcrypto Image
Found an attack where all the votes can be revealed!

#realworldcrypto Image
Oh boy, mixers 🥣

#realworldcrypto Image
Oop, single point of trust failure

#realworldcrypto Image
Introduce a fake ballot box 🗳️

#realworldcrypto Image
_Many_ variants of the attack exist ಠ‿ಠ

#realworldcrypto Image
Nice bounty 💰

#realworldcrypto
It is important to model _all the specificities of the system_ when doing formal proofs

#realworldcrypto
New requirement, made a mess of the security properties established up to this point

#realworldcrypto Image
Q: Methodology to find the attack?

A: Started symbolic proof w/ ProVerif very naïvely, and found an attack for a different one; did same for SwissPost; quite easy to detect

#realworldcrypto
Break time!
Next up, "Exposure Notifications Private Analytics", by Tim Geoghegan, Mariana Raykova, Frederic Jacobs

#realworldcrypto
[Thought: do any health authorities support a curated at-home rapid test as input to their EN systems?]

#realworldcrypto
Designed for privacy: opt-in, no persistent IDs, no centralized social graph

#realworldcrypto
How can we tune the system to be useful to epidemiologists and health authorities, while upholding privacy principles?

#realworldcrypto Image
Relies on non-collusion of aggregation servers

#realworldcrypto Image
Rangeproofs!

#realworldcrypto Image
Each client adds a small amount of noise, aggregation amplifies this noise, providing differential privacy

#realworldcrypto
The real world part of real world crypto:

#realworldcrypto Image
An aggregator is operated by ISRG (the org behind @letsencrypt ), and by NCI at NIH; running on k8s on different cloud hosts

#realworldcrypto Image
Web portal to access the results by MITRE

#realworldcrypto
Ingestion servers to authenticate and attest to data and devices before their inputs get aggregated

#realworldcrypto Image
All together now:

#realworldcrypto Image
Deployed since December 2020, 15 US states and 4 Mexican states; 9 metrics collected; servers process millions of contributions daily

Used to estimate that dozens of lives were saved in Olympia Washington by Covid Exposure Notifications in that area

#realworldcrypto
When your TLS certs aren't strictly TLS certs:

#realworldcrypto Image
["Instantiating PKIs for <specific thing> is harder than it looks," ask @sleevi_ , @letsencrypt ]

#realworldcrypto
AWS <-> GCP identity federation! Wow!

#realworldcrypto Image
To get a cred that lets you do something, you need 4 different cred exchanges 🥴

To get it to work, you need a /lot/ of config that is easy to mess up 😒

#realworldcrypto Image
Mmm multi-cloud 🌥🌥🌥

#realworldcrypto Image
Test your heterogeneous distributed private observability system! 😵‍💫

#realworldcrypto Image
Drive tests from a seed for repeatability, prep for integrating with servers outside your VPN, custom builds, needs close communication with teams that aren't on your team Slack

#realworldcrypto Image
6 months! Impressive!

#realworldcrypto Image
CTA: user and adopter education, standardization (datatracker.ietf.org/doc/bofreq-pri…, which is the next talk!)

#realworldcrypto
Important goal: interop

#realworldcrypto
Q: Delta values for the differential privacy?

A: Aiming 2:1 [I think]

#realworldcrypto
Q: What kind of user adoption rates do you see?

A: Not being collected

#realworldcrypto
Next up, "Standardizing MPC for Privacy-preserving Measurement" presented by Chris Patton

#realworldcrypto Image
ENPA was designed specifically for aggregating bitvectors - what about other types of stats? Other papers' goals tend to vary. A roadmap: IETF working group on privacy-preserving measurement:

datatracker.ietf.org/doc/bofreq-pri…

#realworldcrypto
Discussing candidates: Prio, Poplar, others

#realworldcrypto
Applications: are users of my website experiencing high latency?

#realworldcrypto
Prio: additive secret sharing

#realworldcrypto Image
Incremental distributed point function (IDPF), allows counting the number of strings beginning with a given prefix

#realworldcrypto
Filter out some below a threshold, and get the ones that occur at least as many times as our threshold

#realworldcrypto
Hopefully this general form will support more candidates

#realworldcrypto Image
Ooo, Masked LARk might support private computation of gradient descent

#realworldcrypto Image
Not all solutions will have the same shape, but hopefully similar enough to build applications around them: Verifiable Distributed Aggregation Functions (VDAFs)

datatracker.ietf.org/doc/draft-patt…

#realworldcrypto
The Privacy-Preserving Measurement Protocol:

#realworldcrypto Image
Contribute! 📜

#realworldcrypto Image
Q: Failure modes - identification of cheaters, after aggregation?

A: Whole bag of worms, let's talk offline 🐛

#realworldcrypto
Q: Crypto seems to be a small part of making the whole system work, does a standard help?

A: Useful to abstract away the cloud primitives, something agnostic.

#realworldcrypto
Last talk of the day, "Oblivious Message Retrieval", by Zeyu Liu and Eran Tromer

eprint.iacr.org/2021/1256

#realworldcrypto Image
Scanning the whole blockchain is common (😭)

#realworldcrypto Image
[Wooo Zcash 😉]

#realworldcrypto Image
FMD: using decoys in the trial decryption, gives weak privacy, needs honest senders and receivers

#realworldcrypto
Private Signaling needs trusted hardware (🔥)

V2 needs two communicating, non-colluding servers, a strong assumption

#realworldcrypto
OMR: fully private under strong security notions, using FHE

#realworldcrypto Image
You can give your encrypted viewing key to a server, server does an FHE'd query using that encrypted key, gives you results, and the server doesn't need to be within your trust boundary 🎉

#realworldcrypto
Also useful, oblivious message detection

#realworldcrypto Image
Can you give me a clue, man?

#realworldcrypto Image
Kilobytes just to represent ciphertext 😬

#realworldcrypto Image
PVW encryption, based on LWE (lattice) assumptions, much smaller and more efficient

#realworldcrypto Image
Further:

#realworldcrypto Image
Earlier schemes assume some level of honesty; OMR mitigates malicious clues sent from dishonest clients

#realworldcrypto Image
Supports key unlinkability!

#realworldcrypto Image
Less than a byte per message 😻
~5ms
Clue size is < 1KB
Detection keys are about 100MB (😬)
Strongest notions of privacy and honesty of parties

#realworldcrypto Image
Q: Should we actually worry about quantum computers?

A: Yes; Sure it keeps mathematicians employed; gives cryptographers opportunity to dev new schemes

#realworldcrypto
Yuval says Mike Hamburg suggested looking at exploiting speculative execution to break crypto schemes (๑•́ ヮ •̀๑)

#realworldcrypto
Q: Advice for younger-career members of RWC community?

A: Do what you like; get a taste of research in different contexts, see who's going to use the results of your research

#realworldcrypto
Q: what do you think will ultimately happen with cryptocurrencies?

A: Some really cool cryptography is going to come out of it [😉]

#realworldcrypto
Cryptography > steganography, from the panel of cryptographers

#realworldcrypto
Q: besides tricky names, what's the secret to strong cryptography?

A: For AES, we were working on it for years before the competition started; for SHA3, we invested a lot of time, open research, no pressure to publish papers really helped

#realworldcrypto
Q: what do you think will be the future of Intel SGX?

Yuval: Intel has stopped producing SGX for the end user, if you have physical access to a machine holding secrets you will eventually break it, SGX cloud-only can become a defense-in-depth layer

#realworldcrypto
Q: is the gap between theory and practice in cryptography narrowing?

A: There's a large spread, the gap is narrowing, companies are investing more; much better than 20 years ago

#realworldcrypto
Me: Are paper reviewers responsible for bugs in my implementation of a crypto protocol that gets deployed to prod? [NB: not necessarily the protocol, but implementation]

A: Science is about building on others; you would think reviewers would check the proof

#realworldcrypto
Q: How do you define privacy?

A: I wrote it down but I have forgotten it already 😂

#realworldcrypto
Q: Who should roll their own crypto?

A: Don't do it alone, bring a friend!

[Cheap plug: …tycryptographywhatever.buzzsprout.com/1822302/895384…]

#realworldcrypto
End of day 1!
Day 2 of #realworldcrypto ! Kicking off with the TLS session, "Justifying Standard Parameters in the TLS 1.3 Handshake", presented by Hannah Davis
Only a few choices of group and fields (by design), limited scaling bounds

#realworldcrypto Image
A concrete evaluation of the game, missing the guarantees that we want

#realworldcrypto Image
The reduction to Diffie-Hellman isn't tight, giving a tighter bound, quadratic loss -> constant loss

#realworldcrypto
When the hash is SHA-384 (for pre-shared keys) this method failed

#realworldcrypto Image
A reduction to DH has to simulate all these sessions at once; a random factor for picking a session and for a server leads to the tightness loss

#realworldcrypto Image
SLAP A RANDOM ORACLE IN THERE

#realworldcrypto Image
Gotta pull all those things in your session transcript!

#realworldcrypto Image
Compare / contrast the Zcash Sapling key schedule 😅

#realworldcrypto Image
Only one hash function, so not more than one random oracle - proof has to model only the one random oracle

#realworldcrypto Image
12 RANDOM ORACLES

#realworldcrypto Image
How NOT to Separate Your Domains (old school session identifier)

#realworldcrypto Image
* slaps roof of TLS 1.3 * This bad boy can fit so many random oracles in it

#realworldcrypto Image
👏 DOMAIN 👏 SEPARATION 👏

#realworldcrypto
Q: If you could, how would you redesign TLS 1.3?

A: No perfect answer, starting from scratch would incl. redesigning HMAC to separate; incl. suffix padding to each of HMAC & KDF

#realworldcrypto
Q: KEM instead of DH?

A: Relies on re-randomization properties of DH, if possible we could try them in this technique

#realworldcrypto
Next up, "ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication", presented by Marcus Brinkmann

#realworldcrypto Image
It's called 'transport layer' for a reason

#realworldcrypto Image
There is no IP protection, can lead to cross-protocol attacks

#realworldcrypto
Oh yeah this rings a bell 😅

#realworldcrypto Image
Prior work from Jann Horn, 2015, attack HTTPS when the server also serves FTP

#realworldcrypto Image
Can extract the cookie and impersonate user to the web site, such as your bank (or crypto exchange?)

#realworldcrypto Image
Detect, "limit syntax errors", avoid reflection, to mitigate in the application layer

#realworldcrypto Image
"This is clearly impractical"

#realworldcrypto Image
Found 114,000 servers that are vulnerable!

#realworldcrypto Image
Q: Is the attack limited by CORS policies?

A: There are some 'CORS-safe' requests that are kept for compat, that always seem to go through cross-origin; can be mitigated, doesn't work in all scenarios, more in paper, depends on cookie policies

#realworldcrypto
Next up, "Improved CRL compression with structured linear functions", by Mike Hamburg

#realworldcrypto
Gotta be online!

#realworldcrypto Image
Compress, only need to query some certs, only need to build a function that is correct on a finite domain

#realworldcrypto Image
'Structured linear functions'

#realworldcrypto Image
Ooo, solve the matrix with gaussian elimination, but this takes O(n³) time, O(n^2.8) memory

#realworldcrypto Image
Oh hey I just heard about these, they are deployed in RocksDB

#realworldcrypto Image
Efficient in time and memory, but there is a chance there will not be a solution, so you can make the matrix larger to lower this chance

#realworldcrypto Image
New: Frayed Ribbon Filters

O(n^(3/2)) time, low overhead, constant or 1%

#realworldcrypto Image
I can has frayed ribbons in my db, thx

#realworldcrypto
For CRLs, we're not done yet

#realworldcrypto Image
CRLite uses stacks of Bloom filters

#realworldcrypto
Always with 11% of Shannon entropy

#realworldcrypto
[ don't you want to be within 11% of this guy?]

#realworldcrypto Image
[ Written in Rust! ]

#realworldcrypto
Q: What were the causes for variance between query times of different approaches?

A: Rust is better for safety, when optimizing to compare cross-platform, Rust's siphasher crate was slower on Intel vs M1; Some had more than one frayed ribbon filter

#realworldcrypto
Break!
Next up, "Commit Acts of Steganography — Before It's Too Late", presented by Gabriel Kaptchuk

#realworldcrypto Image
Encode a sensitive message into a mundane message

#realworldcrypto
Universal Steganography

1: Pick a covertext channel (emoji!)

#realworldcrypto
2: Encode

#realworldcrypto
Using a perfectly unbiased hash function to map to the cover text set

#realworldcrypto
How to decode? Generative models

#realworldcrypto Image
But this fails! The unbiased hash function over human text doesn't exist

#realworldcrypto
If low entropy in the channel, don't transmit, wait for higher entropy

#realworldcrypto
Ha! Encoded

#realworldcrypto Image
Not that bad! Basically looks like a bot 😁

#realworldcrypto
Provable indistinguishability

#realworldcrypto Image
Q: Do we have to work so hard to make covertext look like natural language? Needle in a haystack?

A: We're shooting higher, usually in a high-risk environment

#realworldcrypto
Q: How resilient is this to an adversary that malleates?

A: This is CPA secure, CCA/ integrity is future work

#realworldcrypto
Next up, password-based key exchange

#realworldcrypto
Don't like this

#realworldcrypto Image
Identity-based PAKEs

#realworldcrypto
Ooo hash to curve!

#realworldcrypto Image
Commitment to ID used to prove we are who we say we are

#realworldcrypto Image
(// @SoatokDhole )
Low overhead, suitable for Wi-Fi and IoT

eprint.iacr.org/2020/529.pdf

#realworldcrypto Image
Q: NIKE?

A: Yes

#realworldcrypto
Next up, "Rebuilding Meta’s Ads Stack with MPC", by James Reyes

#realworldcrypto Image
Deprecation of cookies, ad killer! Right?

#realworldcrypto
Private Lift, Private Attribution projects

#realworldcrypto
(Python)

#realworldcrypto
[Advertisers don't actually understand the /current/ ads tech ecosystem, sooooo]

#realworldcrypto Image
Private Lift

#realworldcrypto Image
(//@swodinsky )
Trying to determine the causal impact of the ad you are running

#realworldcrypto
Woof, complexity

#realworldcrypto Image
💸💸💸

#realworldcrypto Image
Every feature you add increases cost and time

#realworldcrypto Image
We call these "partner integrations"

#realworldcrypto Image
Q: Separating between advertisers & meta, how are you doing the secret sharing?

A: Paper coming

#realworldcrypto
Q: To systems people, MPC may not be hard to abstract, what's hard about the crypto to systems people?

A: Because there are more constraints than operating in the clear, different paradigm

#realworldcrypto
Q: How does this affect the opacity of the ads ecosystem for /users/?

A: it's hard enough to explain to developers, let alone users, similar with regulators

#realworldcrypto
Q: Can you show ads on clients such that Meta doesn't know which clients saw which ads?

A: Federated analytics [this is not the same]

#realworldcrypto
LIGHTNING ROUND

#realworldcrypto
Conf in Birmingham

#realworldcrypto
MLS! Spec in final phase, impl in Rust (OpenMLS), via @raphaelrobert

#realworldcrypto
.@FiloSottile on supporting open source software 🎉

words.filippo.io/pay-maintainer…

#realworldcrypto
Props to RWC for providing childcare, allows people to attend who otherwise couldn't!

#realworldcrypto
EUROCRYPT in May in Norway!

#realworldcrypto
Google hiring people to mask on top of QUIC

#realworldcrypto
Qualcomm hiring

#realworldcrypto
Chelsea Komlo previewing a paper on proving properties re: threshold signatures, proving lack of participation

#realworldcrypto
W3C, private ad tech community group

#realworldcrypto
ZKproofs, circtree

#realworldcrypto
@zx2c4 on updates to the RNG in the Linux kernel

#realworldcrypto
No jerks!

#realworldcrypto
cryptography.rs ! It has a vetted curation of good Rust cryptography implementations

#realworldcrypto
Julie from the Go Cryptography team is hiring!

#realworldcrypto
COSIC is recruiting! Biggest crypto group in the world (~100)

#realworldcrypto
Lunchtime!
Next up, "Secure Messaging Authentication against Active Man-in-the-Middle Attacks", presented by Britta Hale

#realworldcrypto
Comparing Signal public keys is not directly checking anything about the encryption between those two parties

#realworldcrypto
Different Meta :P

#realworldcrypto Image
Fingerprints don't need to be verified all the time

#realworldcrypto Image
Requires a tweak to the Signal protocol

#realworldcrypto Image
Follow-on work : "Continuous Authentication in Secure Messaging"

#realworldcrypto Image
Signal protocol security properties

#realworldcrypto Image
Authentication can be applied to the protocol to mitigate

#realworldcrypto Image
Q: When a device is compromised, can't the ratchet keys be influenced? Does adding the authentication key affect deniability?

A: Using a designated verifier sig preserves deniability

#realworldcrypto
Next up, "An evaluation of the risks of client-side scanning", presented by @matthew_d_green

#realworldcrypto
Rather than occasional targeted exceptional access, law enforcement started asking to delay E2E encryption deployment in general

#realworldcrypto
"Is it possible to build systems to scan for content without breaking end to end encryption and violating privacy?"

#realworldcrypto
CSAM scanning on the server side when the service has access to plaintext: PhotoDNA or other perceptual hashes, checking against a known db of hashes

#realworldcrypto Image
Newer: use neural nets to find alike content, vs exact known content

#realworldcrypto
What about on E2EE systems? Has to move to the client side, to the ends.

#realworldcrypto
Unfortunately this changes the system operational and security models

#realworldcrypto Image
"Slap some crypto on it!" 🙄

#realworldcrypto Image
This research became very real when Apple announced it was going to deploy a system like this with iOS 15, now delayed indefinitely

#realworldcrypto Image
[ We did an episode on this at the time w/ @matthew_d_green that goes into detail about the crypto in Apple's system: …tycryptographywhatever.buzzsprout.com/1822302/909977… ]

#realworldcrypto
Opens up a hole that anyone else could theoretically walk through

#realworldcrypto Image
'Not just a theoretical concern': terrorist content, 'foreign adversaries attempts to undermine democratic values' have also been floated as in-scope for client-side scanning

#realworldcrypto
Hard to detect attempts to surveil because privacy-preserving:

#realworldcrypto Image
Nothing in the crypto specs to show that this is built-in protects, auditable

#realworldcrypto Image
Easy to game these NN hashes (NeuralHash) but also PhotoDNA to produce false collisions against the CSAM hash set:

#realworldcrypto Image
Even if we deploy systems like this, we MUST figure out how to make them auditable and abuse-resistant.

#realworldcrypto Image
More in the paper Bugs in Our Pockets: arxiv.org/abs/2110.07450

#realworldcrypto
Sometimes we produce technology and deploy it before we understand how to audit it and handle abuse of it

#realworldcrypto
Q: The adversarial model that LEO has?

A: They are not very robust to even mild adversarial behavior; 97% of reports to NCMEC aren't prosecuted, are outside of the US

#realworldcrypto
Next up, "Four Attacks and a Proof for Telegram", presented by Igors Stepanovs

#realworldcrypto Image
Oh, Telegram

#realworldcrypto Image
Telegram generally used for large public groups and small private chats

#realworldcrypto
Cloud chats vs Secret chats:

#realworldcrypto Image
#REALWORLDCRYPTO chat: 'Non-technical evaluation: MTProto is *weird*'
"Infinite garble extension mode (IGE)" hwat

#realworldcrypto Image
Four attacks: what a response

#realworldcrypto Image
- IND-CPA attack - in theory
- Message reordering - trivial, easy to exploit
- Timing side channel on clients - plaintext recovery, practically infeasible
- Timing side channel on server - MITM the kex, practically infeasible

#realworldcrypto Image
@durov claimed the server code will not be released because some government wanted their server code, to stand up a telegram clone?

#realworldcrypto
@durov No time for questions, next up, "Making Signal Post-quantum Secure: Post-quantum Asynchronous Deniable Key Exchange from Key Encapsulation and Designated Verifier Signatures", presented by Rune Fiedler

#realworldcrypto Image
@durov KEMs (key encapsulation mechanisms)

#realworldcrypto Image
@durov Can we swap out our DH's with KEMs in Signal?

#realworldcrypto Image
Deniable authentication via designated verifier signatures (heard about in the earlier Signal talk)

#realworldcrypto
DVS can only be verified by Bob, who already knows it's you, so that gives you transcript deniability

#realworldcrypto Image
Deniability as Signal defines it:

signal.org/docs/specifica…

#realworldcrypto Image
[ snrk ]

#realworldcrypto Image
Wooooo SIDH 💫

#realworldcrypto Image
[ SIKE is SIDH turned into a KEM ]

#realworldcrypto
Q: Signal group chats?

A: Didn't look

#realworldcrypto
Break time!
next up, "Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Cryptographic Design", presented by Alon Shakevsky

#realworldcrypto Image
Protecting key material on Android

#realworldcrypto Image
"This is a fragile design that is not misuse resistant"

#realworldcrypto
Fixed on latest Samsung

But

Downgrade attack

#realworldcrypto Image
👀👀👀

#realworldcrypto Image
Thanks I hate it

#realworldcrypto Image
muh keys

#realworldcrypto Image
Now do Pixels 🙏

#realworldcrypto Image
Desirable for a uniform open standard for encrypting and storing keys

#realworldcrypto Image
"AES-GCM is fragile, decades of IV reuse in systems" 👈

#realworldcrypto
Q: What would you recommend to replace AES-GCM?

A: SIV mode, maybe a different block cipher, or use the cipher with the recommended usage

#realworldcrypto
Q: Test WebAuthN against first-party services (re: counter)?

A: Cloning from devices is tricky, you have to update the counter, even without the user's knowledge

#realworldcrypto
Next up, @luca_defeo on "On the (in)security of ElGamal in OpenPGP"

#realworldcrypto Image
@luca_defeo Under-specified cryptostandards give you room to hammer your fingers...

#realworldcrypto Image
@luca_defeo 90s, finite field ElGamal 😭

#realworldcrypto Image
@luca_defeo What does it mean to use ElGamal, or RSA? :points at some books, some edition:

#realworldcrypto Image
@luca_defeo "Don't look at that algorithm, it's terrible, you will never be able to implement it"

#realworldcrypto Image
@luca_defeo One in cm's, one in inches. 🤣

#realworldcrypto Image
@luca_defeo 🧐

Go pgp is the least offender and is now deprecated

#realworldcrypto Image
Cross-configuration attacks: different impls do slightly different things when doing ElGamal encryption

#realworldcrypto
✨picking a prime ✨

#realworldcrypto Image
Of 800k ElGamal OpenPGP keys, most use primes from a 'standard' set. Some use Schnorr-style primes, Lim-Lee/GnuPG

#realworldcrypto Image
These 2qf + 1 primes have problems, can use a Pohlig–Hellman attack

#realworldcrypto
Then a CRT

#realworldcrypto Image
Maybe a co-located attacker, in the cloud say

#realworldcrypto Image
Q: Can you do it in weekend on a laptop?

A: In a few hours, on a laptop

#realworldcrypto
Q: This is basically key validation?

A: the ECC is better because they use the RFC, which specifies, ElGamal was not sufficiently specified to include validation

#realworldcrypto
Q: Symantec?

A: We didn't look, we couldn't find the software [apparently it's widely used in corp. contexts]

#realworldcrypto
Next up, "Don't Break the Web: APIs for Chrome's Privacy Sandbox", presented by Michael Kleber

#realworldcrypto
heh, google.com would not suffer that kind of loss, because https://t.co/cNC9CnF9bM does not need cookies to target users, they just target queries typed in by untracked users

#realworldcrypto Image
🐦🕊🦅

#realworldcrypto Image
All these JS functions are isolated [ I'm guessing all the work on Site Isolation has enabled this ]

#realworldcrypto
Bidding functions /do/ need some real-time information, not just pre-loaded data on the device

#realworldcrypto
💸 Conversion attribution 💸

attribution is always hard! Roll some dice :P

#realworldcrypto
What they really want to know is the /aggregate/ ROI driven by different ads, publishers, etc

#realworldcrypto
Q: Fraud prevention? [ a real issue in the current ad ecosystem ]

A: PRIVACY PASS WOO [ emphasis mine ]

#realworldcrypto
A: Other blind signatures. There is not an end-to-end solution for this problem, turns out there is a lot of overlap with solutions for fraud prevention

#realworldcrypto
Q: users explicitly specifying their ad preferences?

A: Some proposals ('Topics' from Chrome), all need good privacy properties

#realworldcrypto
A: Privacy is contextually-dependent; some people think contextual distinctions exist and some think other ones exist, it's tricky

#realworldcrypto
Panel time! "Publication Venues and Proposed New IACR Journal"

#realworldcrypto
Right now, Eurocrypt -> CRYPTO -> Asiacrypt, etc, until your paper gets in

#realworldcrypto Image
New Journal should be free/open access, fast turnaround time (3 months), all crypto areas, scaling, reduce load on reviewers, can publish without travel to conferences, complement but not replace other confs, and

#realworldcrypto ImageImage
$100 to submit, vs $2780 / article for Springer Journal of Cryptology (!!!)

#realworldcrypto Image
How to run: [ HotCRP! Use HotCRP! ]

#realworldcrypto Image
Yay HotCRP, and no Springer publishing

#realworldcrypto Image
Minutes from that meeting: iacr.org/docs/minutes/v…

#realworldcrypto
All the items from there

#realworldcrypto Image
FAQ cont.

#realworldcrypto Image
straw poll: room is broadly in favor, no one really opposed

#realworldcrypto
Q: If people still submit to the main confs, are they unchanged?

A: Unchanged, adding a new publication, takes /some/ papers out of the queue for the other confs, relieving the burden of the conf reviewers

#realworldcrypto
A: We have a lot of people who can't travel for many diverse reasons to confs, so many more people in the community than before, a journal like this scales much better so that many people can get published that otherwise wouldn't because of travel requirements

#realworldcrypto
We could see some Real World Crypto papers!

#realworldcrypto
Q: What about code, artifacts?

A: TCHES has artifacts that are reviewed, we should look at it

#REALWORLDCRYPTO
@BearSSLnews : if the new journal happens, I will probably submit there and only there ʕ·͡ᴥ·ʔ

#realworldcrypto
Q: What if conf-accepted papers aren't required to challenge?

A: That does have benefits, but this was proposed in 2011 and did not get much community support, but we can also try that again, while also trying the new journal

#realworldcrypto
A: Easier to do something new than changing something that exists that people have a vested interest in

#realworldcrypto
Q: What about Reviewer #2?

A: We propose mechanisms to handle this, rebuttal etc, why 2 accept and 1 reject?

#realworldcrypto
@SmartCryptology being chaotic good

#realworldcrypto
OH it costs _IACR_ $100/paper, _not_ the paper submitter. No cost to the submitter.

#realworldcrypto
Done for day 2!
Day 3 of #realworldcrypto!
Catching up the Post Quantum session, with "Quantum-Resistant Security for Software Updates on Low-power Networked embedded Devices", by Benjamin Smith

#realworldcrypto
Target: RIOT OS for low-end IoT devices

#realworldcrypto Image
What is the practical cost of transitioning from classical cryptosystems (ECDSA/P256 or Ed25519) to post-quantum alternatives on RIOT, say?

#realworldcrypto
SUIT looks like TUF but for IoT

#realworldcrypto Image
Yep PQC things tend to be bigger

#realworldcrypto Image
PQ signing benchmarks on an ARM Cortex-M4 (not including dyn Dilithium which doesn't fit on the stack on the Sipeed Nano board)

#realworldcrypto Image
Yeah transfer costs....

#realworldcrypto Image
Falcon is the leader

#realworldcrypto Image
"For larger updates, the network transfer costs overwhelm the other factors." [ looks at SIDH ]

#realworldcrypto
You can now update your RIOT software with a PQ update toolset now!

#realworldcrypto Image
[ I'll catch up on the other PQC talks later ]

#realworldcrypto
Next up in the threshold crypto session, "A threshold ECDSA protocol: its design and implementation", by Victor Shoup

#realworldcrypto
[ If you want a Schnorr threshold sig protocol instead of ECDSA, can I interest you in FROST? ]

ietf.org/id/draft-irtf-…

#realworldcrypto
"The Internet computer", a distributed platform for secure execution of smart contracts, by DFINITY

#realworldcrypto
"I'll be using additive notation here" [ CORRECT. ]

#realworldcrypto Image
Nice, keeping this verification equation around for us

#realworldcrypto Image
Steps that don't rely on the message M at all, so we can do them early

#realworldcrypto Image
Doing a preprocessing round allows the latency of a signature to just be one communication round between the parties

#realworldcrypto
If there are thousands of signing keys, it will be hard to efficiently maintain them when there are updates, reshares, etc

#realworldcrypto
Instead, use additive key derivation, so we verify like:

sR = (h + te)G + tD

#realworldcrypto
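As an added worked example (not code from the talk, from DFINITY, or from the thread author), this checks the additive-key-derivation verification identity in pure Python on secp256k1, with the challenge written as r (the x-coordinate of R) where the slide wrote e, and with constructed toy key and tweak values:

```python
"""ECDSA with BIP32-style additive key derivation on secp256k1.

Constructed example, not the talk's or DFINITY's code. It signs under the
derived secret d' = d + t (public key D' = D + t*G) and verifies against the
master public key D using the rearranged equation
    s*R = (h + r*t)*G + r*D
Toy-sized values below are constructed for illustration.
"""
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def mul(k, A):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def hash_msg(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def presign():
    """Message-independent preprocessing: pick k and compute R = k*G."""
    k = secrets.randbelow(N - 1) + 1
    return k, mul(k, G)


def finish_sign(d, msg, k, R):
    """Online step: complete the signature under secret d with presig (k, R)."""
    r = R[0] % N
    s = pow(k, -1, N) * (hash_msg(msg) + r * d) % N
    return r, s


def verify(D, msg, sig):
    """Standard ECDSA check: s*R == h*G + r*D, compared on x-coordinates."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = add(mul(hash_msg(msg) * w % N, G), mul(r * w % N, D))
    return R is not None and R[0] % N == r


def derive_public(D, t):
    """Additive derivation of the public key: D' = D + t*G."""
    return add(D, mul(t, G))


def verify_derived(D, t, msg, sig):
    """Verify a derived-key signature against the MASTER key D via
    s*R = (h + r*t)*G + r*D, so no per-derived-key state is needed."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    h = hash_msg(msg)
    R = add(mul(w * (h + r * t) % N, G), mul(w * r % N, D))
    return R is not None and R[0] % N == r


def demo(d=0x1111, t=0x2222, msg=b"constructed message"):
    """Sign under d' = d + t; return (verifies under D', verifies under D+t)."""
    D = mul(d, G)
    D_prime = derive_public(D, t)
    assert D_prime == mul((d + t) % N, G)  # d' = d + t  <=>  D' = D + t*G
    k, R = presign()
    sig = finish_sign((d + t) % N, msg, k, R)
    return verify(D_prime, msg, sig), verify_derived(D, t, msg, sig)


if __name__ == "__main__":
    print(demo())
```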
ECDSA security 😅

#realworldcrypto Image
ECDSA proven secure in Generic Group Model (GGM) assuming hash is collision resistant and random preimage resistant (Brown02)

#realworldcrypto
ECDSA w/ presigs: secure in GGM and ROM, 2020

#realworldcrypto
ECDSA w/ additive key derivation: no general security proof results

ECDSA w/ presigs & additive key derivation: no results, despite the desire for it

#realworldcrypto
Aaand an attack falls out

#realworldcrypto Image
Using Wagner’s 4-sum algorithm, attack takes time O(q^1/3). Not awesome

#realworldcrypto
Mitigations:

- re-randomized pre-sigs
- homogeneous key derivation
- both!

#realworldcrypto Image
Works async, byzantine corruptions, guaranteed output delivery, NI online signing, BIP32-style additive key derivation

#realworldcrypto Image
"• It relies on the Internet Computer’s “Random Beacon” to implement re-randomized presigs" [ oh.]

#realworldcrypto
Compare / contrast w/ other threshold ECDSA

#realworldcrypto Image
Next up, "Threshold Cryptography as a Service", by Tal Rabin

#realworldcrypto Image
/Another/ PrivacyPass shout out 😎

#realworldcrypto Image
Dedicated servers, vs ad-hoc servers

#realworldcrypto
Multi-dealer verifiable secret sharing

#realworldcrypto Image
[ Is this not a DKG? ]

#realworldcrypto
Dedicated servers: many servers, many secrets, each server runs existing protocols many times, slow

#realworldcrypto
"Could barely run"

#realworldcrypto
For ad-hoc servers, nicer for big systems when sharing between millions of parties, where compute is N²

#realworldcrypto Image
Needs to continue running in the presence of malicious actors

#realworldcrypto
YOSO model, You Only Speak Once

#realworldcrypto
Hard to design

#realworldcrypto Image
Take actions now, others speak on their behalf in the future:

#realworldcrypto Image
Next up, Lightning Talks!

#realworldcrypto
Aggressive muting will happen!

#realworldcrypto
First one up, slide deck :PPP

#realworldcrypto
Muhammed Usama Sardar hiring!

#realworldcrypto
Conference on Cryptology in Abu Dhabi

#realworldcrypto
There is an artisan chocolate shop in Amsterdam, try it!

#realworldcrypto
Nicholas on papers from 40's, 50's, on rotor probability?

#realworldcrypto
Input/Output, Cardano, hiring

#realworldcrypto
@kaplannie: if you are reviewing/auditing crypto professionally, meetup in Amsterdam upstairs

#realworldcrypto
"Just a quick plug for the EU Commission's Chat Controls legislative debate and Open Letter to the EU Commissioners, which is online and available @ ChatControlsv2.EU"

#realworldcrypto
For "Drive (Quantum) Safe! --Towards Post-Quantum Security for Vehicle-to-Vehicle Communications", presented by Nina Bindel:

#realworldcrypto Image
True hybrid kex/kem using Falcon:

#realworldcrypto Image
Some of their security goals:

#realworldcrypto Image
For "Surviving the FO-calypse: Securing PQC Implementations in Practice", presented by Tobias Schneider 👀

#realworldcrypto Image
The Fujisaki-Okamoto (FO) transformation (or slight variants) underlies the IND-CCA security of many KEMs

#realworldcrypto Image
Leeeeaakage

#realworldcrypto Image
Can this be overcome through masking?

#realworldcrypto
Sounds like the F-O transform itself needs a tweak

#realworldcrypto Image
[ I may have to rewind the tape later to capture the pq agility talk ]
Lunch!
Next up, "arkworks: A Rust Ecosystem for Programming zkSNARKs", by @zkproofs !

#realworldcrypto
Expressing your zkSNARK is not super easy, there are now many languages and frameworks to express your computation and then compile it down to a constraint system

#realworldcrypto Image
'Everyone reimplements each portion from scratch!' 😭

#realworldcrypto
Very understandable reasons, though

#realworldcrypto Image
But:
- tons of duplicate, wasted effort
- optimizations are scattered across libraries
- upgrading becomes hard
- auditing and bugfixes are split

#realworldcrypto
Trying to achieve these goals in @arkworks_rs !

github.com/arkworks-rs

#realworldcrypto
Cool

Inspired by an API in the bellman ecosystem, via @ElectricCoinCo 🦓

#realworldcrypto Image
@ElectricCoinCo Yes, this does allow higher level proving systems to swap out 'pretty easily'

#realworldcrypto Image
@ElectricCoinCo Generic impls match or outperform specialized and hand-coded impls

#realworldcrypto Image
@ElectricCoinCo Can switch proof systems easily in the code

#realworldcrypto Image
Very helpful when prototyping and benchmarking a protocol

#realworldcrypto
When the real code generally lines up with the pseudocode, this really helps with auditability

#realworldcrypto Image
Directly programming algebraic constraints is painful 😫

Want to achieve safety, ergonomics, without sacrificing efficiency

#realworldcrypto
libsnark

#realworldcrypto Image
A lot of adoption, including academics

#realworldcrypto Image
Many contributors

#realworldcrypto Image
Q: Language features that would help even more?

A: Const functions, more useful const generics, would allow getting rid of some macros, const expressions aren't on stable yet

#realworldcrypto
Q: How can you help prevent mixing and matching in insecure ways?

A: Only so much you can do, but, curve interfaces only let you construct prime order group elements, but also depends

#realworldcrypto
Q: Audited? Projects using arkworks been audited?

A: Various of those have been audited, latest codebase will be getting audited after some refactors, stabilization

#realworldcrypto
Q: Plonk?

A: 3 external ones relying on arkworks to impl Plonk, arkworks doesn't have its own Plonk impl yet

#realworldcrypto
Q: Governance model of arkworks?

A: Definitely, we're just starting to think about that, now that we're big enough

#realworldcrypto
Next up, "Decentralized Private Computations on Aleo", by Howard Wu

#realworldcrypto
Based on Zexe

#realworldcrypto
But these come with significant limitations

#realworldcrypto Image
Aleo: autonomous ledger executions offchain

#realworldcrypto Image
The entire program's state has to be consumed to update it

#realworldcrypto
Instead of the account model, the record model:

#REALWORLDCRYPTO Image
Concurrency, without double spends

#realworldcrypto
Q: Why new curve params?

A: We needed recursion, and Twisted Edwards are very efficient for circuits

#realworldcrypto
Q: Moving to the record model, does this affect access patterns and impact privacy?

A: Not functional privacy but data privacy, can see which applications are popular, the parties using them and the data used are not revealed 👀

#realworldcrypto
Leo language helps write code to compile to assembly then R1CS to make it even easier for developers: github.com/AleoHQ/leo

#realworldcrypto
Expressing complex logic is often too slow and hard to do on-chain, so to do it off-chain, with a transparency log, helps achieve that

#realworldcrypto
Coffee time!
Next up, "SnarkPack: Practical SNARK Aggregation", presented by Anca Nitulescu

#realworldcrypto
"Here I will use multiplicative notation" [ boo hiss :P ]

#realworldcrypto Image
[ If you need fast batch verification of Groth16 proofs, I upstreamed an implementation to the bellman library: github.com/zkcrypto/bellm… ]

#realworldcrypto
Instead of pushing this math to the verifier, the prover will do a lot of it themselves:

#realworldcrypto Image
Proofs of inner-pairing products

#realworldcrypto Image
Oop, Groth16 requires a trusted setup

#realworldcrypto Image
Woo! 🦓

#realworldcrypto Image
Using a bellperson fork

#realworldcrypto Image
Nice! 📦

#realworldcrypto
Aha, that's where it goes

#realworldcrypto Image
Proof of storage in Filecoin

#realworldcrypto Image
- bootstraps from existing trusted setup CRS's
- transparent aggregation
- optimized
- Could we extend this to other pairing-based schemes, besides Groth16?

#realworldcrypto
[ Maybe this could extend to BLS signatures? ]

#realworldcrypto
Next up, "Zero-Knowledge Middleboxes", presented by @pag_crypto !

#realworldcrypto
Can we have privacy _and_ policy enforcement on the network?

#realworldcrypto
Requirements:

- Don't weaken encryption
- Able to enforce policies as before
- No server changes

#realworldcrypto
eg, only 51% of TLS servers are providing TLS 1.3, whereas 80+% of Chrome clients are speaking it

#realworldcrypto
"We don't want to prevent circumvention by advanced users", which could be misused for censorship

#realworldcrypto Image
ZKPs to save the day!

#realworldcrypto
[ These have to be teeny tiny proofs, right? ]

#realworldcrypto
Proof prevents the client from lying, and middlebox strips out the proofs when it forwards on the traffic to the server

#realworldcrypto
Gotta slot it in to existing protocols like TLS 1.3

#realworldcrypto Image
Output the plaintext if the AEAD decryption succeeds, but the TLS 1.3 AEADs are not _binding_, ciphertexts can have multiple correct decryptions

#realworldcrypto
To fix, add another constraint that the client prove the key was the handshake output

#realworldcrypto Image
Re-run the key derivation inside the circuit - the handshake 'commits to' the intermediate steps of key derivation, check these instead to shortcut key derivation

#realworldcrypto
See the paper for more detail

eprint.iacr.org/2021/1022.pdf

#realworldcrypto
Amortized by caching a hashed version if the client connects again

#realworldcrypto
Sometimes, DNS filtering is required by local laws

#realworldcrypto Image
Extends nicely, just need to update the parse/extract step for DoT/DoH

#REALWORLDCRYPTO
Used Groth16

#REALWORLDCRYPTO Image
DoT using ChaCha is over twice as fast vs AES

#realworldcrypto
Now over Spartan, over 10x improvement!

#realworldcrypto Image
Proofs are bigger but still reasonable at 49KB

#realworldcrypto
Next up, "Puncturable Encryption – A Fine-Grained Approach to Forward-Secure Encryption and More", presented by Christoph Striecks

#REALWORLDCRYPTO
Fine in an interactive setting, but harder in a non-interactive setting

#REALWORLDCRYPTO
[ My halloween costume in 2014 ]

#realworldcrypto Image
"Apparently leaking secrets and keys on GitHub is a thing" ayup

#realworldcrypto
- Long-term static public key, minimum to no state between entities

#realworldcrypto Image
Needs epochs

#realworldcrypto Image
Solution: puncturable encryption (2015)

#realworldcrypto Image
Tag-based approach

#realworldcrypto Image
1-RTT TLS 1.3

#realworldcrypto Image
W/ Early Data

#realworldcrypto Image
Forward-secure CDNs

#realworldcrypto Image
Using puncturable encryption directly adds forward security 🎉

#realworldcrypto Image
Q: Handle a million messages?

A: ~Yes

#realworldcrypto
Closing remarks from @cryptojedi

#REALWORLDCRYPTO
Covid: 2 reports of positives, they attended but left when they tested positive

#REALWORLDCRYPTO
Thank you sponsors!

#REALWORLDCRYPTO
Thank you venue staff and the great AV team!

#REALWORLDCRYPTO
#REALWORLDCRYPTO 2023 will be in Japan! March 27-29
Coool 🏯

#REALWORLDCRYPTO Image
See you in Tokyo!

#REALWORLDCRYPTO
And we're done! 👋
