LIVE FROM TOKYO, IT'S #REALWORLDCRYPTO
(for a preview discussion of the whole program, check out our episode: securitycryptographywhatever.com/2023/03/24/rwc…)
First up in the PQC session is "How We Broke a Fifth-Order Masked Kyber Implementation by Copy-Paste" presented by Elena Dubrova
Can ChatGPT given some Kyber power traces spit out the secret key??? (this talk is not about ChatGPT but)
#realworldcrypto
#realworldcrypto
Next up, "When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer", presented by Hunter Kippen
#realworldcrypto
#realworldcrypto
Abort leaks magnitude (excellent, excellent)
Can we make this leakage less rare, and use that to attacker's advantage?
#realworldcrypto
Can we make this leakage less rare, and use that to attacker's advantage?
#realworldcrypto
Mitigate: use AES-NI instructions for hashing, reorder ops (expand from seed, gen random before sampling), verify PK!
#realworldcrypto
#realworldcrypto
Next up, "Lessons Learned from Protecting CRYSTALS-Dilithium", presented by Tobias Schneider
#realworldcrypto
#realworldcrypto
Dilithium is the lattice-based signature scheme that has been chosen out of the NIST PQC competition along with Kyber for KEM
#realworldcrypto
#realworldcrypto
Similar to Kyber talk earlier, masking has been a go-to mitigation technique to protect lattice schemes from side-channel attacks
#realworldcrypto
#realworldcrypto
Masking Dilithium requires a mix of boolean and arithmetic masking; switching from a prime modulus to a power of 2 results in 7-9X speedup
#realworldcrypto
#realworldcrypto
Randomized should be the default mode for deploying Dilithium on embedded devices, hedged has negligible performance impact; flexible sampling would enable significant speedup; hardening Dilithium is still a work in progress, less studied than Kyber
#realworldcrypto
#realworldcrypto
Next up is "Crypto Agility and Post-Quantum Cryptography @ Google" presented by Sophie Schmieg
#realworldcrypto
#realworldcrypto
Why not mTLS? Over a decade ago, we have strict requirements for latency that it didn't fit
#realworldcrypto
#realworldcrypto
Allocation of a benchmark is very different than allocation behavior of a full production system 😹
#realworldcrypto
#realworldcrypto
Q: For encrypt at rest, how do i know how long that ciphertext will remain there, to enable key rotation?
A: Encrypt at regular interval to address this; if ciphertext not in your control it becomes tricky
#realworldcrypto
A: Encrypt at regular interval to address this; if ciphertext not in your control it becomes tricky
#realworldcrypto
KMS is notified on every key use and can keep track of whether a key can be deleted/rotated
#realworldcrypto
#realworldcrypto
Q: Can you replace that PQ alg with something else in ALTP?
A: There is some version negotiation to enable this
#realworldcrypto
A: There is some version negotiation to enable this
#realworldcrypto
However, DH allows non-interactive, creates bidirectional authenticity, and can be freely-combined 🤔
#realworldcrypto
#realworldcrypto
lol #realworldcrypto
All KEMs treated separately, allows mix-and-match PQ KEMs like Kyber for ephemeral and McEliece for static
#realworldcrypto
#realworldcrypto
LWE would not replace a NIKE, CSIDH could, but the params for CSIDH are large and slow
#realworldcrypto
#realworldcrypto
Next up, "Post-Quantum Privacy Pass via Post-Quantum Anonymous Credentials", presented by Guru Vamsi Policharla
#realworldcrypto
#realworldcrypto
In PQ, we have sigs, we have KEMs, but we don't really have bling sigs, oprfs, anonymous credentials :(
#realworldcrypto
#realworldcrypto
General purpose proofs are thought to be too big and slow; what about sign & prove?
#realworldcrypto
#realworldcrypto
This "crucial for performance", "careful hand-optimization" stuff is really ripe to be solved by some toolchain, ala real compilers/circuit design tools
#realworldcrypto
#realworldcrypto
PQ Anonymous Credentials are semi-practical, careful tailoring of ZKPs to circuit being proved performs surprisingly well, should PQ sigs be designed with proof verification in mind?
#realworldcrypto
#realworldcrypto
Q: Why care about pq-soundness vs a R1CS proof?
A: Don't need it /now/ but need to start eventually to have it available when you need it
#realworldcrypto
A: Don't need it /now/ but need to start eventually to have it available when you need it
#realworldcrypto
Q: What is the mental model for attacking classical anon credentials with a quantum computer?
A: It's not just about captchas; the primitive is useful elsewhere (ie breaking privacy of Signal group metadata is valuable to a quantum-capable adversary)
#realworldcrypto
A: It's not just about captchas; the primitive is useful elsewhere (ie breaking privacy of Signal group metadata is valuable to a quantum-capable adversary)
#realworldcrypto
Next up, iCloud Private Relay: Multi-hop Internet privacy at scale, from Tommy Pauly Chris Wood Jana Iyengari
#realworldcrypto
#realworldcrypto
Ingress and egress relays MUST be independent otherwise they could collude and link indentities
#RealWorldCrypto
#RealWorldCrypto
Trusted iCloud server, creates per-region bundles that are signed and synced down to clients
#RealWorldCrypto
#RealWorldCrypto
Next up, "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues", presented by Mathy Vanhoef
#RealWorldCrypto
#RealWorldCrypto
"Client isolation was bolted-on to the protocol by vendors: fewer researchers looked at it than the rest of the standard"
#RealWorldCrypto
#RealWorldCrypto
Fix: disallow recently-used MAC address unless a certain amount of time has passed (but how long?)
#RealWorldCrypto
#RealWorldCrypto
Don't rely on client isolation for security; instead use VLANs to isolate groups of users
#RealWorldCrypto
#RealWorldCrypto
Next up, "TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries", presented by Marcel Maehren
#RealWorldCrypto
#RealWorldCrypto
Next up, "Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol", presented by Marc Ilunga
#RealWorldCrypto
#RealWorldCrypto
Last session of the day, starting with "WhatsApp End-to-End Encrypted Backups" presented by Kevin Lewi
#RealWorldCrypto
#RealWorldCrypto
Having both options (encryption key bytes, key protected by password & attempt limit) is very nice
#RealWorldCrypto
#RealWorldCrypto
After programming the HSMs, they are no longer updateable, immutable computation environment
#RealWorldCrypto
#RealWorldCrypto
HSMs have a limited amount of secure memory, just using a merkle tree whose root is stored in the HSM helps get around this
#RealWorldCrypto
#RealWorldCrypto
This has been rolled out to over 100 million users 😳
#RealWorldCrypto
https://twitter.com/wcathcart/status/1600603826477617152
#RealWorldCrypto
Q: DDoS countermeasures?
A: Only authenticated WhatsApp users via phone number access can make attempts
#RealWorldCrypto
A: Only authenticated WhatsApp users via phone number access can make attempts
#RealWorldCrypto
Q: Did you re-eval the security proof for OPAQUE (PAKE?) after modifying it?
A: The proof was against a black-box version so we didn't need to change anything in that regard
#RealWorldCrypto
A: The proof was against a black-box version so we didn't need to change anything in that regard
#RealWorldCrypto
Next up, "Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices" on MEGA, by Matilda Backendal and Miro Haller
#RealWorldCrypto
#RealWorldCrypto
Can't really expect humans to remember key encryption keys, so, passwords; password managers, password generation, eek
#RealWorldCrypto
#RealWorldCrypto
- use authenticated encryption!
- key separation!
- don't design your own file encrpytion scheme!
- cant move away from this vulnerable instantiation
#RealWorldCrypto
- key separation!
- don't design your own file encrpytion scheme!
- cant move away from this vulnerable instantiation
#RealWorldCrypto
Q: Client where the server is just a block box that makes blobs of bytes available?
A: Need key management; need some support from the platform
#RealWorldCrypto
A: Need key management; need some support from the platform
#RealWorldCrypto
Last talk of day 1, "Reversing, Breaking, and Fixing the French Legislative Election E-Voting Protocol", by Lucca Hirschi
#RealWorldCrypto
#RealWorldCrypto
Adapting a proven-secure protocol for real-world deployment resulted in an implementation that was badly broken!
#RealWorldCrypto
#RealWorldCrypto
Good morning! Kicking off day 2 with "Design, Applied Cryptography, and Humans" by Stephan Somogyi
#RealWorldCrypto
#RealWorldCrypto
Strive to build tools that users can use safely without an abundance of advanced training: good for couches and cryptography
#RealWorldCrypto
#RealWorldCrypto
Exposure Notifications: people stopped looking into the cryptography after a while because it was open, transparent, and boring, it was fine and good to go
#RealWorldCrypto
#RealWorldCrypto
"If we focus on the extremes [of our users], the middle will take care of itself." Interesting!
#RealWorldCrypto
#RealWorldCrypto
Q: How do you keep up those design detail considerations in a software project that tends to evolve over time?
A: Wireguard did well; it's hard; having values documented, getting feedback, parameters of your design space, if you need to move away eventually
#RealWorldCrypto
A: Wireguard did well; it's hard; having values documented, getting feedback, parameters of your design space, if you need to move away eventually
#RealWorldCrypto
Q: Create products for a broader swathe of people, including those not like them?
A: Gentle ways to introduce them to the outside world; listening, seeking common understanding
#RealWorldCrypto
A: Gentle ways to introduce them to the outside world; listening, seeking common understanding
#RealWorldCrypto
Q: What do at-risk users need?
A: Don't betray trust; some at-risk users need more options, getting the defaults right is crucial; the nature of the tools affects these greatly
#RealWorldCrypto
A: Don't betray trust; some at-risk users need more options, getting the defaults right is crucial; the nature of the tools affects these greatly
#RealWorldCrypto
Q: Inspiring crypto systems?
A: How PGP came to be is useful, good lessons; it did things at the time that nothing else did; eventually key management became where its's at, it's going to be hard for a while; Signal; WhatsApp
#RealWorldCrypto
A: How PGP came to be is useful, good lessons; it did things at the time that nothing else did; eventually key management became where its's at, it's going to be hard for a while; Signal; WhatsApp
#RealWorldCrypto
Anyone of us can become high-risk users ~instantly; how do you help users like that in your tool? [YES]
#RealWorldCrypto
#RealWorldCrypto
Next up, "Cryptography for Grassroots Organizing" presented by Leah Namisa Rosenbloom
#RealWorldCrypto
#RealWorldCrypto
How do we, as cryptographers, understand
systems of power? How does our understanding inform our threat
modeling and design choices? How might we work toward building power
for communities?
#RealWorldCrypto
systems of power? How does our understanding inform our threat
modeling and design choices? How might we work toward building power
for communities?
#RealWorldCrypto
How might we use cryptographic tools to adapt the existing trust and communication protocols of grassroots organizers from physical to digital spaces, without increasing the risk of surveillance, disinformation, and infiltration of grassroots
movements?
#RealWorldCrypto
movements?
#RealWorldCrypto
Key agreement over bluetooth roots digital trust in interpersonal interaction (proximity required)
#RealWorldCrypto
#RealWorldCrypto
Want a public profile to welcome new people and private aspect for information sharing within the group
#RealWorldCrypto
#RealWorldCrypto
Next up, "Designing cryptography for small organizations and projects", presented by Sofia Celi
#RealWorldCrypto
#RealWorldCrypto
Can proposals be used by small organizations with constrained budgets or are run by volunteers?
#RealWorldCrypto
#RealWorldCrypto
Break time!
Any registered validator had access to the secret seed even if they weren't contributing blocks
#RealWorldCrypto
#RealWorldCrypto
"These attacks are not just done in research labs, they're also done in grad students' apartments"
#realworldcrypto
#realworldcrypto
Next up, "On the possibility of a backdoor in the Micali-Schnorr generator", presented by Adam Suhl
#RealWorldCrypto
#RealWorldCrypto
Some subtle changes between the first proposal of Micali-Schnorr and the ISO standard, against the proof of security 😳
#RealWorldCrypto
#RealWorldCrypto
Does any malicious construction of these moduli give you an advantage in Micali-Schnorr?
#RealWorldCrypto
#RealWorldCrypto
Q: Special primes?
A: For Mersenne primes, there is some work on special attacks (or something)
#RealWorldCrypto
A: For Mersenne primes, there is some work on special attacks (or something)
#RealWorldCrypto
Poseidon hash function, all usages insecure (!), safe api (?), Fiat-Shamir for you?
#RealWorldCrypto
#RealWorldCrypto
Lunchtime!
Coming up, "Reactionary Authoritarianism, Encryption, and You!", presented by Erica Portnoy
#RealWorldCrypto
#RealWorldCrypto
The reactionary authoritarian drive to
rein in unacceptable social deviance is
directly linked to limiting the internet for
kids and the scanning of private content,
which means technologists must encrypt
content quickly and defend encryption
publicly.
#RealWorldCrypto
rein in unacceptable social deviance is
directly linked to limiting the internet for
kids and the scanning of private content,
which means technologists must encrypt
content quickly and defend encryption
publicly.
#RealWorldCrypto
The authoritarian impulse to restore control overrides other rights like privacy, free speech
#RealWorldCrypto
#RealWorldCrypto
Hungarian law prohibits sharing any lgbtq+ content with minors. How do you enforce when most content today is digital?
#RealWorldCrypto
#RealWorldCrypto
The internet is where ideas spread [which is why authoritarians want to control it]
#RealWorldCrypto
#RealWorldCrypto
Myth: we have to settle for the least bad option. False! You don't have to pick one!
#RealWorldCrypto
#RealWorldCrypto
Don't design a system that will reveal people's data just because there's cool crypto involved.
#RealWorldCrypto
#RealWorldCrypto
It's easier to defend E2EE that's already deployed than hypothetical systems that haven't been deployed yet.
#RealWorldCrypto
#RealWorldCrypto
Just because they don't understand technology doesn't mean they can't or won't legislate about it.
#RealWorldCrypto
#RealWorldCrypto
Q: Areas where we're missing privacy technology now?
A: E2EE cloud backups, hard but not impossible (mostly e2ee iCloud, WhatsApp)
#RealWorldCrypto
A: E2EE cloud backups, hard but not impossible (mostly e2ee iCloud, WhatsApp)
#RealWorldCrypto
Q: "it's impossible" sounds like lying?
A: Impossible to build in the real world under real constraints.
#RealWorldCrypto
A: Impossible to build in the real world under real constraints.
#RealWorldCrypto
Q: What about the "we have to do something!!!" line?
A: In politics you have to get elected, to get elected to have to be seen doing things, that will get people to vote for you, so the pressures are different vs technologists
#RealWorldCrypto
A: In politics you have to get elected, to get elected to have to be seen doing things, that will get people to vote for you, so the pressures are different vs technologists
#RealWorldCrypto
Next up, "Three Lessons From Threema: Analysis of a Secure Messenger", by Kien Tuong Truong and Matteo Scarlata
#RealWorldCrypto
#RealWorldCrypto
(We went in-depth on their paper on this episode of @SCWpod: securitycryptographywhatever.com/2023/01/27/thr…)
C2S is basically hand-rolled TLS, but it uses the same keypair as the E2E protocol 😬
#RealWorldCrypto
#RealWorldCrypto
(See the WhatsApp E2EE backup talks yesterday, instead of how Threema did E2EE backup here)
#RealWorldCrypto
#RealWorldCrypto
"Don't roll your own crypto^H^H^H^H^Hprotocol!"
securitycryptographywhatever.com/2021/07/31/the…
#RealWorldCrypto
securitycryptographywhatever.com/2021/07/31/the…
#RealWorldCrypto
Also seen in other systems like Matrix!
securitycryptographywhatever.com/2022/11/02/Mat…
#RealWorldCrypto
securitycryptographywhatever.com/2022/11/02/Mat…
#RealWorldCrypto
Would allow a Signal user to message a WhatsApp user without the Signal user needing to make a WhatsApp account
#RealWorldCrypto
#RealWorldCrypto
Retrofitting protocols and systems to support interop that were never designed to do so
#RealWorldCrypto
#RealWorldCrypto
Q: Crypto agility?
A: Making it hard to interop seems to violate DMA; would have to standardize something
#RealWorldCrypto
A: Making it hard to interop seems to violate DMA; would have to standardize something
#RealWorldCrypto
Next up, "Metadata Protection for MLS and Its Variants", by Shuichi Katsumata Thomas Prest Keitaro Hashimoto
#RealWorldCrypto
#RealWorldCrypto
Bootstrapping Messaging Layer Security to have the metadata privacy properties of Signal
#RealWorldCrypto
#RealWorldCrypto
The messaging service needs to know who the msg is for to route it; this communication graph metadata is valuable!
#RealWorldCrypto
#RealWorldCrypto
Instead of pairwise keys, MLS uses TreeKEM to calc common group message keys and ratchet treekem as users enter/leave group or whenever a rekey is invoked, scales to tens of thousands of group members
#RealWorldCrypto
#RealWorldCrypto
Because there is a unique continually evolving key, can use that key to encrypt and sign group metadata privately that any group member can update and verify
#RealWorldCrypto
#RealWorldCrypto
Q: Deniability is a good property but complex; in practice maybe it doesn't give you what you think it does; can we ever really achieve deniability?
A: Under restricted circumstances it seems so
#RealWorldCrypto
A: Under restricted circumstances it seems so
#RealWorldCrypto
Next up, "The Path to Real World FHE: Navigating the Ciphertext Space", by Shruthi Gorantala
#RealWorldCrypto
#RealWorldCrypto
'The ultimate success of cryptography lies in kicking the developer out of the loop' 😁
#RealWorldCrypto
#RealWorldCrypto
github.com/google/fully-h…
fhe-open-source-users@google.com
FHE is at where deep learning was 10 years ago 📈
#RealWorldCrypto
fhe-open-source-users@google.com
FHE is at where deep learning was 10 years ago 📈
#RealWorldCrypto
Q: Any opportunity to combine infra (MLIRs, math layers) between FHE, MPC, and ZKP?
A: Lots of modular layers agnostic to underlying crypto, that may make crossover possible
#RealWorldCrypto
A: Lots of modular layers agnostic to underlying crypto, that may make crossover possible
#RealWorldCrypto
Next up, "Prime Match: A Privacy Preserving Inventory Matching System", by Antigoni Polychroniadou
#RealWorldCrypto
#RealWorldCrypto
Nex tup, "Interoperable Private Attribution (IPA)", presented by Erik Taubeneck and Ben Savage
#RealWorldCrypto
#RealWorldCrypto
Day 3! Starting with "HACSPEC: a gateway to high-assurance cryptography", with Karthikeyan Bhargavan and Franziskus Kiefer
#RealWorldCrypto
#RealWorldCrypto
u32 vs U32 (U32 only supports secret / constant-time behavior) [not my favorite naming scheme but i like the feature]
#RealWorldCrypto
#RealWorldCrypto
Q: Properties of implementations vs specifications?
A: hacspec is practically a reference implementation, not just a formal (math) spec; but you can do what you want, matter of taste
#RealWorldCrypto
A: hacspec is practically a reference implementation, not just a formal (math) spec; but you can do what you want, matter of taste
#RealWorldCrypto
go stdlib re-implemented all its crypto in its native language, originally because it was easier re: the build chain
#RealWorldCrypto
#RealWorldCrypto
The performance cost is worth it! The safety and maintainability advantage is worth it
#RealWorldCrypto
#RealWorldCrypto
The chance of hitting important field values with random fuzzers is the definition of negligible
#RealWorldCrypto
#RealWorldCrypto
Definining your high-level APIs in terms of bytes helps in avoiding exposing the grotty guts of points, coordinates, etc, to an end-user (vs an implementer)
#RealWorldCrypto
#RealWorldCrypto
fiat-crypto generates golang, c, rust, from Coq models of various curve, field math, and other crypto formal models, some with Coq checks of math correctness (like Montgomery arithmetic)
#RealWorldCrypto
#RealWorldCrypto
"Performance is a matter of practicality; if it's fast enough, it doesn't need to be faster"
#RealWorldCrypto
#RealWorldCrypto
Leaving 5% performance hit on the table because the code is more understandable and reviewable by humans
#RealWorldCrypto
#RealWorldCrypto
Q: Garbage collector?
A: One solution to temporal memory safety; the garbage collector prevents use-after-free; Rust does borrow checking at compile etc
#RealWorldCrypto
A: One solution to temporal memory safety; the garbage collector prevents use-after-free; Rust does borrow checking at compile etc
#RealWorldCrypto
Next up, "CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives", presented by Joel Kuepper
#RealWorldCrypto
#RealWorldCrypto
github.com/mit-plv/fiat-c…
Take the output of fiat-crypto, and optimize it with cryptopt
#RealWorldCrypto
Take the output of fiat-crypto, and optimize it with cryptopt
#RealWorldCrypto
Q: Operate on the operation graph not just the instructions?
A: Get the graph from fiat-crypto, which is optimized, cryptopt doesn't change it, just instructions
#RealWorldCrypto
A: Get the graph from fiat-crypto, which is optimized, cryptopt doesn't change it, just instructions
#RealWorldCrypto
Q: How much work to port to another platform?
A: Supporting all the instructions makes a difference for x86; arm doesn't have as many, but we don't expect as much of a perf boost because there is less variety
#RealWorldCrypto
A: Supporting all the instructions makes a difference for x86; arm doesn't have as many, but we don't expect as much of a perf boost because there is less variety
#RealWorldCrypto
Break time!
Next up, "DatashareNetwork: A Decentralized Privacy-Preserving Search Engine for Investigative Journalists", by Kasra EdalatNejad
#RealWorldCrypto
#RealWorldCrypto
DatashareNetwork paper: usenix.org/system/files/s…
Code: github.com/spring-epfl/da…
#RealWorldCrypto
Code: github.com/spring-epfl/da…
#RealWorldCrypto
But an original photo often is transformed (compressed, resized, greyscale, cropping) all normal parts of publishing photos; this would affect verification of photo signatures
#RealWorldCrypto
#RealWorldCrypto
zkproofs that witness the original photo and the transform(s) applied honestly/correctly
#RealWorldCrypto
#RealWorldCrypto
Original PhotoProof in 2016 was cutting edge but took several minutes to generate a proof for a small image; new advances in zkproof tools now makes it much more efficient
#RealWorldCrypto
#RealWorldCrypto
Doing SHA256 inside a snark is expensive, even Poseidon is too slow, so Poseidon(LatticeHash(photo_bytes))
#RealWorldCrypto
#RealWorldCrypto
Next up, "I was told there would be blockchain: 5 Years of Real World Crypto at DARPA", by Joshua Baron
#RealWorldCrypto
#RealWorldCrypto
"Securing Information for Encrypted Verification and Evaluation
(SIEVE)" (everything at DARPA needs an acronym)
#RealWorldCrypto
(SIEVE)" (everything at DARPA needs an acronym)
#RealWorldCrypto
Extremely difficult to capture say, Rowhammer, but can capture Heartbleed
/17 million gates/
#RealWorldCrypto
/17 million gates/
#RealWorldCrypto
All open source; "there is no world where you should trust closed-source DARPA code for anonymous communication" 😁
#RealWorldCrypto
#RealWorldCrypto
Distributed protocols are hard to engineer especially with weird crypto and transports
#RealWorldCrypto
#RealWorldCrypto
Next up, "From Theory to Practice to Theory: Lessons Learned from Multi-Party Schnorr Signatures", from Elizabeth Crites, Chelsea Komlo, Tim Ruffing
#realworldcrypto
#realworldcrypto
So if you want to use threshold, how do you pick t and n? FROST just leaves that to you!
#realworldcrypto
#realworldcrypto
Robustness: the protocol succeeds so long
as at least t players participate honestly.
(required for liveness!)
#realworldcrypto
as at least t players participate honestly.
(required for liveness!)
#realworldcrypto
FROST draft: datatracker.ietf.org/doc/draft-irtf…
FROST for Zcash draft: github.com/ZcashFoundatio…
MuSig2 for Bitcoin: github.com/bitcoin/bips/b…
#realworldcrypto
FROST for Zcash draft: github.com/ZcashFoundatio…
MuSig2 for Bitcoin: github.com/bitcoin/bips/b…
#realworldcrypto
You /cannot/ use that EdDSA-style deterministic nonce derivation in FROST, it allows key recovery!
#realworldcrypto
#realworldcrypto
So, if we can't do that, can we build a real-world (efficient) deterministic threshold signature at all?
#realworldcrypto
#realworldcrypto
Q: BLS sigs?
A: Threshold BLS is great you should use it; of course it's hard to switch when you have deployed ecdsa or schnorr
#realworldcrypto
A: Threshold BLS is great you should use it; of course it's hard to switch when you have deployed ecdsa or schnorr
#realworldcrypto
Q: Adaptive security for 2-round FROST?
A: Proof coming; can maintain 1-round w/ preprocessing FROST variant
#realworldcrypto
A: Proof coming; can maintain 1-round w/ preprocessing FROST variant
#realworldcrypto
In the random oracle model, /every/ (sub)protocol instance needs a /different/ random oracle! Prefix it!
#Realworldcrypto
#Realworldcrypto
Q: When subnet validators change, do a key refresh?
A: Yes; you need some forward security notions
#realworldcrypto
A: Yes; you need some forward security notions
#realworldcrypto
Break!
Last session! "tlock: Practical timelock encryption based on threshold BLS", by Yolan Romailler
#realworldcrypto
#realworldcrypto
on-chain size: BLS sigs on BLS12-381 are 96bytes compressed in G_2, and mapping the message to G_2 is 10x more costly than G_1
#realworldcrypto
#realworldcrypto
Code:
github.com/drand/tlock/
github.com/drand/tlock-js/
github.com/thibmeu/tlock-…
#realworldcrypto
github.com/drand/tlock/
github.com/drand/tlock-js/
github.com/thibmeu/tlock-…
#realworldcrypto
Next up, "Portunus: Re-imagining Access Control In Distributed Systems Using Attribute-Based Encryption", by Tanya Verma
#realworldcrypto
#realworldcrypto
Q: How are changes in policy handled by the system?
A: More demand than we can handle (per country, needs a few large datacenters in a region/country before we can deploy)
#realworldcrypto
A: More demand than we can handle (per country, needs a few large datacenters in a region/country before we can deploy)
#realworldcrypto
Last talk! "Ask Your Cryptographer if Context-Committing AEAD Is Right for You", by Sanketh Menda
#realworldcrypto
#realworldcrypto
These attacks do not invalidate prior security analyses, but they do exploit the lack of key commitment
#realworldcrypto
#realworldcrypto
OCH:
+ Simple, single primitive
+ optimal length ciphertexts
+ Maximally parallelizable
#realworldcrypto
+ Simple, single primitive
+ optimal length ciphertexts
+ Maximally parallelizable
#realworldcrypto
Q: When are we done?
A: Our applications are getting more and more complex, it's hard to say
#realworldcrypto
A: Our applications are getting more and more complex, it's hard to say
#realworldcrypto
• • •
Missing some Tweet in this thread? You can try to
force a refresh
