Deirdre Connolly
Mar 27, 2023, 863 tweets
LIVE FROM TOKYO, IT'S #REALWORLDCRYPTO
(for a preview discussion of the whole program, check out our episode: securitycryptographywhatever.com/2023/03/24/rwc…)
First up in the PQC session is "How We Broke a Fifth-Order Masked Kyber Implementation by Copy-Paste" presented by Elena Dubrova
"SIKE (dead)" 💀

#realworldcrypto
Tricksy FO transform

#realworldcrypto Image
Very easy to extract

#realworldcrypto
Hahaha oh boy

#realworldcrypto Image
*shuffle shuffle* ah boo

#realworldcrypto Image
*slaps Kyber impl* we fit so many orders of masking in this thing

#realworldcrypto Image
Can ChatGPT given some Kyber power traces spit out the secret key??? (this talk is not about ChatGPT but)

#realworldcrypto
"Don't believe countermeasures exist at present" 😅

#realworldcrypto Image
"Hardware impls are harder to attack"

#realworldcrypto
Next up, "When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer", presented by Hunter Kippen

#realworldcrypto
FrodoKEM

#realworldcrypto
Recovered e2e key with ~8,000 USD of AWS compute 💰

#realworldcrypto
Gandalf shaking his head at not keeping it secret, not keeping it safe

#realworldcrypto Image
Abort leaks magnitude (excellent, excellent)

Can we make this leakage less rare, and use that to attacker's advantage?

#realworldcrypto Image
With 7 bitflips, very reasonable

#realworldcrypto
Balancing on failure rate, keeps undetectable to honest users

#realworldcrypto
Rowhammer! (Needs orc memes)

#realworldcrypto
Exploits a vuln in how we manufacture memory

#realworldcrypto
/You're/ a large chunk 😒

#realworldcrypto Image
How do you suppress bad bit flips?

#realworldcrypto
🐐🩸 (Rambleed)

#realworldcrypto Image
7 bit flips, suppressed 117

Bruteforce session keys in 2 mins on regular laptop

#realworldcrypto Image
Mitigate: use AES-NI instructions for hashing, reorder ops (expand from seed, gen random before sampling), verify PK!

#realworldcrypto
Public key is poisoned undetectably forever ☠️

#realworldcrypto
Next up, "Lessons Learned from Protecting CRYSTALS-Dilithium", presented by Tobias Schneider

#realworldcrypto
Dilithium is the lattice-based signature scheme that has been chosen out of the NIST PQC competition along with Kyber for KEM

#realworldcrypto
Similar to Kyber talk earlier, masking has been a go-to mitigation technique to protect lattice schemes from side-channel attacks

#realworldcrypto
What needs protecting in Dilithium?

#realworldcrypto Image
Masking Dilithium requires a mix of boolean and arithmetic masking; switching from a prime modulus to a power of 2 results in 7-9X speedup

#realworldcrypto Image
Deterministic vs randomized variants of Dilithium signatures are more vulnerable 😅

#realworldcrypto
Flexible sampling provides significant speedup over randomized 📈

#realworldcrypto
Combine deterministic and randomized Dilithium into one:

#realworldcrypto Image
Hedged provides comparable perf as randomized 👍

#realworldcrypto Image
Randomized should be the default mode for deploying Dilithium on embedded devices, hedged has negligible performance impact; flexible sampling would enable significant speedup; hardening Dilithium is still a work in progress, less studied than Kyber

#realworldcrypto
Coffee time! ☕

#realworldcrypto
Next up is "Crypto Agility and Post-Quantum Cryptography @ Google" presented by Sophie Schmieg

#realworldcrypto
Key rotation! Bread and butter stuff

#realworldcrypto Image
At Google scale, key rotation becomes a distributed-systems problem

#realworldcrypto Image
Horizontally monitor usage of keys within library (on users' behalf)

#realworldcrypto
Relies on the key management service backend

#realworldcrypto Image
This plays into the post-quantum migration at Google

#realworldcrypto
Store now, decrypt later, is a primary present risk

#realworldcrypto Image
Hardware roots of trust are hard to rotate!

#realworldcrypto Image
mmmhmmmmmm

#realworldcrypto Image
"Disclosed to us by an external security researcher" 😏

#realworldcrypto
Why not mTLS? Over a decade ago, we had strict latency requirements that it didn't fit

#realworldcrypto
static-static ECDH

#realworldcrypto Image
resumption tickets too

#realworldcrypto
lol rip sidh

#realworldcrypto Image
Added ephemeral PQC to ClientInit and PQC KEM ciphertext to ServerInit

#realworldcrypto
Cache client key a bit in case server doesn't speak PQ

#realworldcrypto
Just too big to fit on the stack, had to put it on the heap

#realworldcrypto
Allocation of a benchmark is very different than allocation behavior of a full production system 😹

#realworldcrypto
Rolling out PQC takes a long time, it's been almost 3 years in this project

#realworldcrypto Image
Q: For encrypt at rest, how do i know how long that ciphertext will remain there, to enable key rotation?

A: Encrypt at regular interval to address this; if ciphertext not in your control it becomes tricky

#realworldcrypto
KMS is notified on every key use and can keep track of whether a key can be deleted/rotated

#realworldcrypto
Q: Can you replace that PQ alg with something else in ALTS?

A: There is some version negotiation to enable this

#realworldcrypto
Next up, Post Quantum Noise, presented by Florian Weber

#realworldcrypto
Noise! Foundation of WireGuard, others

noiseprotocol.org/noise.html

#realworldcrypto
Diffie-Hellman based → not Quantum-safe

#realworldcrypto
How can we replace the DH's in Noise with PQ KEMs?

#realworldcrypto Image
However, DH allows non-interactive, creates bidirectional authenticity, and can be freely combined 🤔

#realworldcrypto
Some cases are easy, some are challenging, some are impossible 😭

#realworldcrypto Image
DH our OG NIKE 💖

#realworldcrypto
Static-Ephemeral Entropy-Combination (SEEC)

#realworldcrypto Image
'Many reviewers disliked this model' 😅

#realworldcrypto
All KEMs treated separately, allows mix-and-match PQ KEMs like Kyber for ephemeral and McEliece for static

#realworldcrypto Image
Q: Did you benchmark with the other ciphersuites besides Kyber?

A: No

#realworldcrypto
LWE would not replace a NIKE, CSIDH could, but the params for CSIDH are large and slow

#realworldcrypto
Next up, "Post-Quantum Privacy Pass via Post-Quantum Anonymous Credentials", presented by Guru Vamsi Policharla

#realworldcrypto
In PQ, we have sigs, we have KEMs, but we don't really have blind sigs, OPRFs, anonymous credentials :(

#realworldcrypto
"semi-practical"

#realworldcrypto
Blind signatures support private web service access

#realworldcrypto Image
General purpose proofs are thought to be too big and slow; what about sign & prove?

#realworldcrypto
- Dilithium → zkDilithium
- zkSTARK proof

#realworldcrypto
Winterfell is getting quite popular for STARKs

#realworldcrypto Image
This "crucial for performance", "careful hand-optimization" stuff is really ripe to be solved by some toolchain, à la real compilers/circuit design tools

#realworldcrypto
'figure roughly to scale' 😹

#realworldcrypto Image
PQ Anonymous Credentials are semi-practical, careful tailoring of ZKPs to circuit being proved performs surprisingly well, should PQ sigs be designed with proof verification in mind?

#realworldcrypto
Formal verification for the AIR translation (🎉)

#realworldcrypto
(oh, that formal verification would be nice to have)

#realworldcrypto
Q: Why care about pq-soundness vs a R1CS proof?

A: Don't need it /now/ but need to start eventually to have it available when you need it

#realworldcrypto
Q: What is the mental model for attacking classical anon credentials with a quantum computer?

A: It's not just about captchas; the primitive is useful elsewhere (i.e. breaking privacy of Signal group metadata is valuable to a quantum-capable adversary)

#realworldcrypto
Next up, the Levchin Prize!

#realworldcrypto
First 2023 winner: Vincent Rijmen for co-designing AES!

#realworldcrypto
Computers all over the world go brrrr with the block cipher named after him :D

#realworldcrypto
Mathematical elegance of AES

#realworldcrypto
Publishing often, and shallow 👀

#realworldcrypto
Double-edged sword of academic vs real-world / commercial cryptography

#realworldcrypto
Also winner of 2023: Paul Kocher for pioneering work on side-channel analysis!

#realworldcrypto
Kocher also co-authored SSL 3.0! 🤯

#realworldcrypto
"I wrote to Marty Hellman, they welcomed me into this world of cryptography" :D

#realworldcrypto
18,000 citations 👀

#realworldcrypto
evil monster living in a cave outside of town -> spectre :D

#realworldcrypto
(right? or is it another thing, just side-channels in general)

#realworldcrypto
"The future is bright [for security researchers] but in a really dark way"

#realworldcrypto
Paul has 'just' an undergrad degree in biology 💚

#realworldcrypto
Lunch time!

#realworldcrypto
Next up, iCloud Private Relay: Multi-hop Internet privacy at scale, from Tommy Pauly, Chris Wood, and Jana Iyengar

#realworldcrypto
Reminds me of something... 🧅

#realworldcrypto Image
No version, ciphersuite negotiation; no X.509 certificate parsing

#realworldcrypto Image
Saves on latency

#realworldcrypto
How do we prevent abuse?

#realworldcrypto Image
Ingress and egress relays MUST be independent otherwise they could collude and link identities

#RealWorldCrypto
Also want to prevent tracking

#realworldcrypto Image
Trusted iCloud server, creates per-region bundles that are signed and synced down to clients

#RealWorldCrypto
What if there are malicious clients?

#RealWorldCrypto Image
"Certain geo-based region restrictions" 🇨🇳

#RealWorldCrypto
Anonymous credentials!

#RealWorldCrypto Image
"This is basically Privacy Pass" yes!

#RealWorldCrypto
Return of Blind RSA :P

#RealWorldCrypto Image
"Why in 2023 are we using RSA for new applications? Efficiency."

#realworldcrypto Image
"we were not able to integrate them into our production software"

#RealWorldCrypto
(pairing-based schemes)

#RealWorldCrypto
🤞🤞🤞

#realworldcrypto Image
Next up, "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues", presented by Mathy Vanhoef

#RealWorldCrypto
🔓🔓🔓

#RealWorldCrypto Image
If you don't model part of the protocol you will miss issues :P

#RealWorldCrypto
"Client isolation was bolted-on to the protocol by vendors: fewer researchers looked at it than the rest of the standard"

#RealWorldCrypto
Fix: disallow recently-used MAC address unless a certain amount of time has passed (but how long?)

#RealWorldCrypto
Disallow recently-used MAC addresses based on 802.1X identity or cached keys

#RealWorldCrypto
Don't rely on client isolation for security; instead use VLANs to isolate groups of users

#RealWorldCrypto
Next up, "Cellular Radio “Null Ciphers” and Android" by Yomna Nasser

#RealWorldCrypto
"network equipment is just mis-configured" 😭

#RealWorldCrypto Image
connectivity >> security

#RealWorldCrypto
Next up, "TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries", presented by Marcel Maehren

#RealWorldCrypto
...I'm getting the feeling it's not always checked

#RealWorldCrypto Image
(I hate padding)

#RealWorldCrypto
No BearSSL? ʕ·͡ᴥ·ʔ

#RealWorldCrypto Image
I stand corrected!

#RealWorldCrypto Image
segfault! 😭

#RealWorldCrypto Image
Poor MatrixSSL

#RealWorldCrypto Image
another one

#RealWorldCrypto Image
🐺🔒

#RealWorldCrypto Image
Better than I thought

#RealWorldCrypto Image
Next up, "Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol", presented by Marc Ilunga

#RealWorldCrypto
TLS 1.3 is not lightweight enough!

#RealWorldCrypto
Bandwidth-saving measure

#RealWorldCrypto Image
Send a short ID associated with the cert for X

#RealWorldCrypto
boo hiss ecdsa

#RealWorldCrypto Image
Last session of the day, starting with "WhatsApp End-to-End Encrypted Backups" presented by Kevin Lewi

#RealWorldCrypto
What if one of your ends ends up in the toilet?

#RealWorldCrypto
Want the backups to have the ~same guarantees as the original messaging protocol

#RealWorldCrypto Image
Having both options (encryption key bytes, key protected by password & attempt limit) is very nice

#RealWorldCrypto
What's this

#RealWorldCrypto ImageImage
After programming the HSMs, they are no longer updateable, immutable computation environment

#RealWorldCrypto Image
HSMs have a limited amount of secure memory, just using a Merkle tree whose root is stored in the HSM helps get around this

#RealWorldCrypto Image
boo hiss RSA-OAEP

#RealWorldCrypto Image
Can we move away from HSMs? What about threshold OPRFs/OPAQUE?

#RealWorldCrypto
This has been rolled out to over 100 million users 😳

#RealWorldCrypto
Password in this protocol is only for backups

#RealWorldCrypto
PBKDF because of client restrictions

#RealWorldCrypto
Q: How many HSMs could die and keep the service operational?

A: 3/5 need to be up

#RealWorldCrypto
Q: DDoS countermeasures?

A: Only authenticated WhatsApp users via phone number access can make attempts

#RealWorldCrypto
Q: Did you re-eval the security proof for OPAQUE (PAKE?) after modifying it?

A: The proof was against a black-box version so we didn't need to change anything in that regard

#RealWorldCrypto
Next up, "Why E2EE Cloud Storage is hard - Challenges, Attacks and Best Practices" on MEGA, by Matilda Backendal and Miro Haller

#RealWorldCrypto
Can we ensure E2EE cloud storage against a malicious or compromised server?

#RealWorldCrypto
Gotta sync those key encryption keys??

#RealWorldCrypto Image
Can't really expect humans to remember key encryption keys, so, passwords; password managers, password generation, eek

#RealWorldCrypto
RSA again!

#RealWorldCrypto Image
> AES-ECB

oh no

#RealWorldCrypto Image
Server can exploit that the ciphertext is malleable

#RealWorldCrypto
ECB also for the file keys and the file encryption - cut and paste 😭

#RealWorldCrypto Image
- use authenticated encryption!
- key separation!
- don't design your own file encryption scheme!
- can't move away from this vulnerable instantiation

#RealWorldCrypto
Team broke the patches for their first round of attacks ;)

#RealWorldCrypto
- no post-compromise security

#RealWorldCrypto
What to actually do:

#RealWorldCrypto Image
Standardization?

#RealWorldCrypto
Q: Client where the server is just a black box that makes blobs of bytes available?

A: Need key management; need some support from the platform

#RealWorldCrypto
"i wouldn't propose using MEGA's design even if they fixed everything"

#RealWorldCrypto
Last talk of day 1, "Reversing, Breaking, and Fixing the French Legislative Election E-Voting Protocol", by Lucca Hirschi

#RealWorldCrypto
FLEP (not BLEP)

#RealWorldCrypto Image
4 different receipts received by the voting client 🎟️

#RealWorldCrypto
Attacker can learn some target voters' vote (and perform remote coercion)

#RealWorldCrypto Image
Fixes ✅

#RealWorldCrypto Image
Adapting a proven-secure protocol for real-world deployment resulted in an implementation that was badly broken!

#RealWorldCrypto ImageImage
That's day 1! See you tomorrow!

#RealWorldCrypto
Good morning! Kicking off day 2 with "Design, Applied Cryptography, and Humans" by Stephan Somogyi

#RealWorldCrypto
Strive to build tools that users can use safely without an abundance of advanced training: good for couches and cryptography

#RealWorldCrypto
"Not everyone likes the clicking of someone else's clicky pen" 😉

#RealWorldCrypto
Micro consideration: thought into the tiny details and composition of the thing

#RealWorldCrypto
Industrial craft; picking the wrong metrics doesn't always lead to better quality

#RealWorldCrypto
Exposure Notifications: people stopped looking into the cryptography after a while because it was open, transparent, and boring; it was fine and good to go

#RealWorldCrypto
Meet users where they are in the context they are

#RealWorldCrypto
"If we focus on the extremes [of our users], the middle will take care of itself." Interesting!

#RealWorldCrypto
Stress cases, not edge cases

#RealWorldCrypto
Reminds me of nonces at AWS scale

#RealWorldCrypto
Q: How do you keep up those design detail considerations in a software project that tends to evolve over time?

A: WireGuard did well; it's hard; having values documented, getting feedback, parameters of your design space, if you need to move away eventually

#RealWorldCrypto
Q: Create products for a broader swathe of people, including those not like them?

A: Gentle ways to introduce them to the outside world; listening, seeking common understanding

#RealWorldCrypto
Q: What do at-risk users need?

A: Don't betray trust; some at-risk users need more options, getting the defaults right is crucial; the nature of the tools affects these greatly

#RealWorldCrypto
Q: Inspiring crypto systems?

A: How PGP came to be is useful, good lessons; it did things at the time that nothing else did; eventually key management became where it's at, it's going to be hard for a while; Signal; WhatsApp

#RealWorldCrypto
Any one of us can become high-risk users ~instantly; how do you help users like that in your tool? [YES]

#RealWorldCrypto
Next up, "Cryptography for Grassroots Organizing" presented by Leah Namisa Rosenbloom

#RealWorldCrypto
How do we, as cryptographers, understand systems of power? How does our understanding inform our threat modeling and design choices? How might we work toward building power for communities?

#RealWorldCrypto
Operation Vula

#RealWorldCrypto Image
COINTELPRO 👀

#RealWorldCrypto Image
Arab Spring, major social media dynamics

#RealWorldCrypto
Be safe, or be seen?

#RealWorldCrypto Image
Face to face precedes phone to phone

#RealWorldCrypto Image
Remote deletion re: compromise

#RealWorldCrypto Image
How might we use cryptographic tools to adapt the existing trust and communication protocols of grassroots organizers from physical to digital spaces, without increasing the risk of surveillance, disinformation, and infiltration of grassroots movements?

#RealWorldCrypto
Key agreement over bluetooth roots digital trust in interpersonal interaction (proximity required)

#RealWorldCrypto Image
"Grounded pairs" that were in physical proximity

#RealWorldCrypto Image
Alice looks bothered

#RealWorldCrypto Image
Future work: formalizing 'the vibes were off' in this security model

#RealWorldCrypto Image
Trust metrics over social networks

#RealWorldCrypto Image
Want a public profile to welcome new people and private aspect for information sharing within the group

#RealWorldCrypto
Next up, "Designing cryptography for small organizations and projects", presented by Sofia Celi

#RealWorldCrypto
cui bono?

#RealWorldCrypto
Can proposals be used by small organizations that have constrained budgets or are run by volunteers?

#RealWorldCrypto
For privacy-preserving schemes, who can afford to run them/use them?

#RealWorldCrypto
How hard is it to deploy non-colluding servers?

#RealWorldCrypto Image
STAR 🤩

#RealWorldCrypto Image
Easy, 'boring' cryptography

#RealWorldCrypto Image
FrodoPIR

#RealWorldCrypto Image
Supports single server, no special hardware

#RealWorldCrypto Image
Need to address financial costs as part of protocol design

#RealWorldCrypto Image
Break time!
Next up, "SGX.Fail: How Secrets Get eXtracted"

#realworldcrypto
This is amazing, 2003-me would love this

#RealWorldCrypto Image
smart contracts 🤓

#RealWorldCrypto Image
Any registered validator had access to the secret seed even if they weren't contributing blocks

#RealWorldCrypto Image
Secret: no strat for rolling their consensus seed 🙃

#RealWorldCrypto Image
"These attacks are not just done in research labs, they're also done in grad students' apartments"

#realworldcrypto
/must/ plan on TCB recovery (sgx breakage) as part of deployment

#RealWorldCrypto
"SGX breaks early and often"

#RealWorldCrypto
Q: How do I make an unbreakable enclave?

A: Depends (😹)

#RealWorldCrypto
Q: What's stopping you from tweeting out the seed?

A: That would not be nice!

#RealWorldCrypto
Next up, "Randomness of random in Cisco ASA", by Ryad Benadjila and Arnaud Ebalard

#RealWorldCrypto
ECDSA certificates: 😵

#RealWorldCrypto Image
nonce reuse w/ same ECDSA signing key -> leaked key!

#RealWorldCrypto
oof these network appliances

#RealWorldCrypto Image
Fail instead of falling back to bad entropy source

#realworldcrypto
Next up, "On the possibility of a backdoor in the Micali-Schnorr generator", presented by Adam Suhl

#RealWorldCrypto
👀👀👀

#RealWorldCrypto Image
Juniper 😓

#RealWorldCrypto Image
Some familiar patterns between Dual EC DRBG and Micali-Schnorr

#RealWorldCrypto
Some subtle changes between the first proposal of Micali-Schnorr and the ISO standard, against the proof of security 😳

#RealWorldCrypto
Repeated RSA encryption

#RealWorldCrypto Image
Can you use knowledge of the RSA prime factors to rewind the state?

#RealWorldCrypto
Does any malicious construction of these moduli give you an advantage in Micali-Schnorr?

#RealWorldCrypto Image
There /is/ an algebraic attack, in non-default settings

#RealWorldCrypto
Compliant with the standard!

#RealWorldCrypto Image
Short cycles 😳

#RealWorldCrypto Image
A possible undetectable backdoor 👀

#RealWorldCrypto Image
But how to exploit? NOBUS-style? Truncation makes it harder

#RealWorldCrypto Image
Contact the authors!

#RealWorldCrypto Image
Q: performance?

A: Supposedly they are 'better' / stronger, but slower

#RealWorldCrypto
Q: Special primes?

A: For Mersenne primes, there is some work on special attacks (or something)

#RealWorldCrypto
Next up, lightning talks!

#RealWorldCrypto
Poseidon hash function, all usages insecure (!), safe api (?), Fiat-Shamir for you?

#RealWorldCrypto
Do you need a nice chip as a trusted platform for crypto ops? Missed the name

#RealWorldCrypto
key management via threshold, millions of keys

#RealWorldCrypto
SAFE api (sponge api for field elements): hackmd.io/@7dpNYqjKQGeYC…

#RealWorldCrypto
Martin Albrecht is hiring post-docs

#RealWorldCrypto
Nigel is hiring at COSIC

#RealWorldCrypto
@isogenies from CryptoHack needs assistance to implement PQ CTF challenges!

#RealWorldCrypto
ISRG has money to help run infra like Divvi Up

#RealWorldCrypto
Lunchtime!
Coming up, "Reactionary Authoritarianism, Encryption, and You!", presented by Erica Portnoy

#RealWorldCrypto
The reactionary authoritarian drive to rein in unacceptable social deviance is directly linked to limiting the internet for kids and the scanning of private content, which means technologists must encrypt content quickly and defend encryption publicly.

#RealWorldCrypto
The authoritarian impulse to restore control overrides other rights like privacy, free speech

#RealWorldCrypto
Empowering bounty hunters in Texas against people seeking healthcare

#RealWorldCrypto Image
Hungarian law prohibits sharing any LGBTQ+ content with minors. How do you enforce when most content today is digital?

#RealWorldCrypto
BUNNY. 💜

#RealWorldCrypto Image
The internet is where ideas spread [which is why authoritarians want to control it]

#RealWorldCrypto
Utah bill ready to be signed 😳

#RealWorldCrypto Image
Sleepy bunny 😴

#RealWorldCrypto Image
Authoritarians cannot allow uncontrolled private communication

#RealWorldCrypto Image
Pivot to CSAM instead of in-person abuse

#RealWorldCrypto Image
Surveillance impinges freedom

#RealWorldCrypto Image
Inserting ghost users in e2ee group chats or other channels

#RealWorldCrypto Image
/intended recipients/ matter

#RealWorldCrypto
Yes yes this 💯

#RealWorldCrypto Image
So, what can we, the people building technology, do about it?

#RealWorldCrypto
Myth: we have to settle for the least bad option. False! You don't have to pick one!

#RealWorldCrypto
Don't design a system that will reveal people's data just because there's cool crypto involved.

#RealWorldCrypto Image
It's easier to defend E2EE that's already deployed than hypothetical systems that haven't been deployed yet.

#RealWorldCrypto
Pin this one.

#RealWorldCrypto Image
"It's impossible [to legislate this]"

#RealWorldCrypto
Just because they don't understand technology doesn't mean they can't or won't legislate about it.

#RealWorldCrypto
Q: Areas where we're missing privacy technology now?

A: E2EE cloud backups, hard but not impossible (mostly e2ee iCloud, WhatsApp)

#RealWorldCrypto
Q: "it's impossible" sounds like lying?

A: Impossible to build in the real world under real constraints.

#RealWorldCrypto
Q: What about the "we have to do something!!!" line?

A: In politics you have to get elected, to get elected you have to be seen doing things, that will get people to vote for you, so the pressures are different vs technologists

#RealWorldCrypto
Next up, "Three Lessons From Threema: Analysis of a Secure Messenger", by Kien Tuong Truong and Matteo Scarlata

#RealWorldCrypto
(We went in-depth on their paper on this episode of @SCWpod: securitycryptographywhatever.com/2023/01/27/thr…)

"tries to hide the message length"

#realworldcrypto Image
If this metadata box appears bolted-on, you would be right

#RealWorldCrypto
C2S is basically hand-rolled TLS, but it uses the same keypair as the E2E protocol 😬

#RealWorldCrypto
"Hwat is a vouch box??"

#RealWorldCrypto Image
Lack of domain separation 😭

#RealWorldCrypto Image
lol. lmao

Stunt crypto :P

#RealWorldCrypto Image
Threema, just like a good Swiss cheese, has holes 😂

#RealWorldCrypto Image
'lose your threema attack as a service' 💀

#RealWorldCrypto
(See the WhatsApp E2EE backup talks yesterday, instead of how Threema did E2EE backup here)

#RealWorldCrypto Image
Extract whole encrypted backup private key 💀

#RealWorldCrypto
All fixed by Threema

#RealWorldCrypto
"Don't roll your own crypto^H^H^H^H^Hprotocol!"

securitycryptographywhatever.com/2021/07/31/the…

#RealWorldCrypto
Strong cryptobox API influence on the design of a whole protocol (in a bad way)

#RealWorldCrypto
Cross-protocol interactions!

#RealWorldCrypto Image
Next up, "Interoperability in E2EE Messaging", presented by Julia Len

#RealWorldCrypto
EU DMA is forcing interop. Somehow.

#RealWorldCrypto
Would allow a Signal user to message a WhatsApp user without the Signal user needing to make a WhatsApp account

#RealWorldCrypto
Initial deadline of March 2024 (!)

#RealWorldCrypto
Different services can vary on a lot of axes

#RealWorldCrypto Image
Retrofitting protocols and systems to support interop that were never designed to do so

#RealWorldCrypto
¯\_(ツ)_/¯

#RealWorldCrypto Image
Server-to-server makes more sense

#RealWorldCrypto Image
Identity discovery

#RealWorldCrypto Image
"Everybody use a standardized protocol" yeah right

#RealWorldCrypto
Could get expensive in code complexity, and more attack surface

#RealWorldCrypto
Interop abuse prevention: just don't? 😅

#RealWorldCrypto
Message franking!

#RealWorldCrypto Image
(This does seem like a lot of work to deploy)

#RealWorldCrypto
Key transparency? Metadata leakage? Calling?

#RealWorldCrypto
Q: Crypto agility?

A: Making it hard to interop seems to violate DMA; would have to standardize something

#RealWorldCrypto
Next up, "Metadata Protection for MLS and Its Variants", by Shuichi Katsumata, Thomas Prest, and Keitaro Hashimoto

#RealWorldCrypto
Content but also metadata leaks a lot about users

#RealWorldCrypto
Bootstrapping Messaging Layer Security to have the metadata privacy properties of Signal

#RealWorldCrypto
The messaging service needs to know who the msg is for to route it; this communication graph metadata is valuable!

#RealWorldCrypto Image
NSA: "we kill people based on metadata"

#RealWorldCrypto Image
[To be precise, Michael Hayden, former head of NSA and CIA, said that]

#RealWorldCrypto
3 layers: messages, static explicit metadata, dynamic implicit metadata

#RealWorldCrypto Image
Yep, MLS motivated by the poor scaling of using pairwise channels for groups

#RealWorldCrypto Image
Instead of pairwise keys, MLS uses TreeKEM to calc common group message keys and ratchet TreeKEM as users enter/leave group or whenever a rekey is invoked, scales to tens of thousands of group members

#RealWorldCrypto
Because there is a unique continually evolving key, can use that key to encrypt and sign group metadata privately that any group member can update and verify

#RealWorldCrypto
Proof in UC model!

#RealWorldCrypto Image
next steps, work on content moderation?

#RealWorldCrypto
Next up, "Real World Deniability in Messaging", presented by Daniel Collins

#RealWorldCrypto
How relevant is deniability, really?

#RealWorldCrypto
Signal: X3DH and Double Ratchet

Claims that X3DH provides deniability

#RealWorldCrypto
By composition, using Double Ratchet with X3DH is also deniable

#RealWorldCrypto
(lots of screenshots submitted as evidence)

#RealWorldCrypto
[this feels fraught for users who butt-type a lot]

#RealWorldCrypto
'practical/explainable deniability is better'

'minimize metadata/auxiliary info'

#RealWorldCrypto Image
Q: Deniability is a good property but complex; in practice maybe it doesn't give you what you think it does; can we ever really achieve deniability?

A: Under restricted circumstances it seems so

#RealWorldCrypto
break time!

#RealWorldCrypto
Next up, "The Path to Real World FHE: Navigating the Ciphertext Space", by Shruthi Gorantala

#RealWorldCrypto
Huge ciphertext size, complexity

#RealWorldCrypto
Multiverse of FHE schemes 🍩

#RealWorldCrypto
Which FHE library? Which FHE compiler? How to interop?

#RealWorldCrypto
How do you paint the whole elephant?

#RealWorldCrypto Image
frontend
middle-end
backend

A whole compiler toolchain (like llvm to a point)

#RealWorldCrypto
Synthesis this far up!

#RealWorldCrypto Image
Nice nice nice

#RealWorldCrypto Image
[need more like this in ZK proof circuits]

#RealWorldCrypto
😵‍💫

#RealWorldCrypto Image
FHE programs are huge [😬]

#RealWorldCrypto
lol mobile FHE no time soon

#RealWorldCrypto Image
That was Boolean, now arithmetic:

#RealWorldCrypto Image
'The ultimate success of cryptography lies in kicking the developer out of the loop' 😁

#RealWorldCrypto
Actualization starts to sound like 'just software engineering' 👍

#RealWorldCrypto Image
github.com/google/fully-h…
fhe-open-source-users@google.com

FHE is at where deep learning was 10 years ago 📈

#RealWorldCrypto
Q: Any opportunity to combine infra (MLIRs, math layers) between FHE, MPC, and ZKP?

A: Lots of modular layers agnostic to underlying crypto, that may make crossover possible

#RealWorldCrypto
Next up, "Prime Match: A Privacy Preserving Inventory Matching System", by Antigoni Polychroniadou

#RealWorldCrypto
Privacy-preserving auctions

#RealWorldCrypto Image
🕳️ 🕳️

#RealWorldCrypto Image
Then on the commitments

#RealWorldCrypto Image
Next up, "Interoperable Private Attribution (IPA)", presented by Erik Taubeneck and Ben Savage

#RealWorldCrypto
bye bye third party cookies 👋🍪

#RealWorldCrypto
Doesn't this enable tracking?

#RealWorldCrypto Image
Secret sharing prevents linking

#RealWorldCrypto
3 party honest majority

#RealWorldCrypto
Capped contributions, add noise, aggregate

#RealWorldCrypto
Need to be able to sort by match key (🤔)

#RealWorldCrypto Image
Privacy across queries not just per-query

#RealWorldCrypto Image
SHARDing

#RealWorldCrypto
Fallback to random match keys

#RealWorldCrypto
Seems bad?

#RealWorldCrypto Image
Next up, CFRG! Presented by Stanislav V. Smyshlyaev

#RealWorldCrypto
IRTF != IETF but sure whatever

#RealWorldCrypto Image
Some recent specs:

#RealWorldCrypto Image
CFRG -> IETF

#RealWorldCrypto Image
CFRG vs ISO

#RealWorldCrypto Image
FROST is almost done!

#RealWorldCrypto Image
Next up, "NIST Call for Threshold Schemes", by Luis Brandao

#RealWorldCrypto
Some recent NIST crypto projects

#RealWorldCrypto Image
Also 'exploratory' vs standardization

#RealWorldCrypto Image
look at this absolute legend

#RealWorldCrypto Image
Need interaction from the community

#RealWorldCrypto Image
Not a competition!

#RealWorldCrypto Image
That's it for day 2!

#RealWorldCrypto
Day 3! Starting with "HACSPEC: a gateway to high-assurance cryptography", with Karthikeyan Bhargavan and Franziskus Kiefer

#RealWorldCrypto
🧡 hacspec 🧡

#RealWorldCrypto Image
Purely functional style

#RealWorldCrypto Image
u32 vs U32 (U32 only supports secret / constant-time behavior) [not my favorite naming scheme but i like the feature]

#RealWorldCrypto Image
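The u32 vs U32 distinction above is the point worth seeing in code. hacspec makes secret integers a separate type so that the compiler rejects anything that would branch on, compare or index by a secret value. The following is an added example, not hacspec's own code: a Python runtime model of the same rule (hacspec enforces it at compile time), with a constant-time equality and select built only from the operations the type allows. The class and function names are the example's own.

```python
"""Runtime model of a hacspec-style secret integer (added example, not hacspec's code).

A secret U32 supports wrapping arithmetic and bitwise operators, which are
data-independent, and refuses comparison, truthiness, indexing, division and
implicit conversion, which would turn the secret into a branch or an address.
Leaving the secret world requires an explicit, greppable declassify() call.
"""

MASK32 = 0xFFFFFFFF


class SecretU32:
    """A 32-bit unsigned integer whose value must not influence control flow."""

    __slots__ = ("_v",)

    def __init__(self, v):
        self._v = int(v) & MASK32

    def _lift(self, other):
        return other._v if isinstance(other, SecretU32) else int(other) & MASK32

    # Allowed: wrapping arithmetic and bitwise operations (shift amounts are public).
    def __add__(self, o): return SecretU32(self._v + self._lift(o))
    def __sub__(self, o): return SecretU32(self._v - self._lift(o))
    def __mul__(self, o): return SecretU32(self._v * self._lift(o))
    def __xor__(self, o): return SecretU32(self._v ^ self._lift(o))
    def __and__(self, o): return SecretU32(self._v & self._lift(o))
    def __or__(self, o): return SecretU32(self._v | self._lift(o))
    def __invert__(self): return SecretU32(~self._v)
    def __lshift__(self, n): return SecretU32(self._v << int(n))
    def __rshift__(self, n): return SecretU32(self._v >> int(n))

    # Forbidden: anything that leaks the value into a branch, an index or a plain int.
    def _leak(self, *_):
        raise TypeError("secret U32 cannot be compared, branched on, indexed or "
                        "converted; call .declassify() explicitly")

    __eq__ = __ne__ = __lt__ = __le__ = __gt__ = __ge__ = _leak
    __bool__ = __index__ = __int__ = __floordiv__ = __mod__ = _leak
    __hash__ = None

    def declassify(self):
        """Explicit, auditable exit from the secret world."""
        return self._v


def ct_eq(a: SecretU32, b: SecretU32) -> SecretU32:
    """Constant-time equality: 0xFFFFFFFF if a == b, else 0, with no branch on the inputs."""
    d = a ^ b                         # zero iff equal
    for s in (16, 8, 4, 2, 1):        # OR-fold every bit of d down into bit 0
        d = d | (d >> s)
    nz = d & SecretU32(1)             # 1 iff a != b
    return nz - SecretU32(1)          # wraps: 0 -> 0xFFFFFFFF, 1 -> 0


def ct_select(mask: SecretU32, a: SecretU32, b: SecretU32) -> SecretU32:
    """Return a where mask is all-ones and b where mask is zero, without branching."""
    return (a & mask) | (b & ~mask)


def rejects_branch(a: SecretU32, b: SecretU32) -> bool:
    """What the type forbids: a data-dependent branch. True if the comparison is rejected."""
    try:
        if a == b:
            return False
    except TypeError:
        return True
    return False
```

Usage: `ct_select(ct_eq(x, y), a, b).declassify()` picks a or b with no secret-dependent branch; writing `if x == y:` instead raises, which is the property the hacspec type system gives for free.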
Translates to Coq, EasyCrypt, F* backends (for now)

#RealWorldCrypto
The hacspec itself is executable!

#RealWorldCrypto
libcrux!

#RealWorldCrypto
Pretty fast!

#RealWorldCrypto Image
🎉💖

#RealWorldCrypto Image
(i love this line of work)

#RealWorldCrypto
Q: Properties of implementations vs specifications?

A: hacspec is practically a reference implementation, not just a formal (math) spec; but you can do what you want, matter of taste

#RealWorldCrypto
Next up, "High-assurance Go cryptography in practice", by Filippo Valsorda

#RealWorldCrypto
go stdlib re-implemented all its crypto in its native language, originally because it was easier re: the build chain

#RealWorldCrypto Image
Gives golang crypto a lot of latitude

#RealWorldCrypto
Making it easier not to make mistakes

#RealWorldCrypto Image
The performance cost is worth it! The safety and maintainability advantage is worth it

#RealWorldCrypto
language-agnostic test vectors

#RealWorldCrypto Image
de-duplication across languages, implementations

#RealWorldCrypto Image
age testkit

#RealWorldCrypto Image
Published test vectors to github.com/C2SP/CCTV

#RealWorldCrypto
General-purpose fuzzers struggle with crypto code

#RealWorldCrypto Image
Weighted fuzzing distributions

#RealWorldCrypto Image
The chance of hitting important field values with random fuzzers is the definition of negligible

#RealWorldCrypto Image
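To make the "negligible" point concrete, here is an added example (not from the talk or the Go project) in which a uniform fuzzer and a fuzzer with a weighted distribution are run against the same constructed field-reduction helper. The target's bug, that it assumes its 256-bit input is below 2p, is the example's own construction; only the 38 inputs in [2p, 2^256) trigger it, which no uniform sampler will ever draw.

```python
"""Added example: weighted vs uniform fuzz inputs for field arithmetic.

Target: reduce a 256-bit integer modulo p = 2^255 - 19 (the Curve25519 field prime).
The constructed bug is a single conditional subtraction, correct for canonical inputs
and for the sum of two canonical elements, but wrong for x >= 2p. Such inputs are
38 values out of 2^256, so a uniform fuzzer never sees them; a distribution weighted
towards field boundaries (0, 1, p-1, p, 2p, 2^k +- 1, 2^256 - 1) hits them at once.
"""
import random

P = 2**255 - 19
BITS = 256  # width of the encoded input


def reduce_buggy(x: int) -> int:
    # Constructed defect: one conditional subtraction, only valid if 0 <= x < 2p.
    return x - P if x >= P else x


def reduce_reference(x: int) -> int:
    return x % P


def interesting_values(p: int, bits: int) -> list[int]:
    """Boundary values a cryptographer would hand-pick for a prime field encoded in `bits` bits."""
    top = 1 << bits
    vals = {0, 1, 2, p - 2, p - 1, p, p + 1, 2 * p - 1, 2 * p, 2 * p + 1, top - 1}
    for k in (bits - 2, bits - 1):          # powers of two near the top of the range
        vals.update({(1 << k) - 1, 1 << k, (1 << k) + 1})
    return sorted(v for v in vals if 0 <= v < top)


def gen_inputs(rng: random.Random, n: int, weighted: bool) -> list[int]:
    """n fuzz inputs; with weighted=True a quarter of them come from the boundary set."""
    special = interesting_values(P, BITS)
    out = []
    for _ in range(n):
        if weighted and rng.random() < 0.25:
            base = rng.choice(special)
            # explore a small neighbourhood around each boundary value as well
            out.append((base + rng.randint(-3, 3)) % (1 << BITS))
        else:
            out.append(rng.getrandbits(BITS))
    return out


def fuzz(n: int, seed: int, weighted: bool) -> list[int]:
    """Inputs on which the buggy reduction disagrees with the reference (empty = nothing found)."""
    rng = random.Random(seed)
    return [x for x in gen_inputs(rng, n, weighted) if reduce_buggy(x) != reduce_reference(x)]
```

With the same seed and the same number of samples, `fuzz(20000, 1, weighted=False)` returns nothing while `fuzz(20000, 1, weighted=True)` returns a list of failing inputs, all of them at or above 2p. The general lesson is the one from the talk: coverage of a field implementation comes from the distribution, not the sample count.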
You should not be allowed to tickle the dragon's tail

#RealWorldCrypto Image
Defining your high-level APIs in terms of bytes helps in avoiding exposing the grotty guts of points, coordinates, etc, to an end-user (vs an implementer)

#RealWorldCrypto
Code evolves, original programmers leave and new ones start messing around

#RealWorldCrypto
fiat-crypto generates golang, c, rust, from Coq models of various curve, field math, and other crypto formal models, some with Coq checks of math correctness (like Montgomery arithmetic)

#RealWorldCrypto Image
The safest code is the code you don't write

#RealWorldCrypto Image
Deprecate!

#RealWorldCrypto Image
"Performance is a matter of practicality; if it's fast enough, it doesn't need to be faster"

#RealWorldCrypto
Spending the complexity budget on the subject /matter/, not on the code itself

#RealWorldCrypto
Leaving 5% performance hit on the table because the code is more understandable and reviewable by humans

#RealWorldCrypto
Q: Garbage collector?

A: One solution to temporal memory safety; the garbage collector prevents use-after-free; Rust does borrow checking at compile etc

#RealWorldCrypto
Next up, "CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives", presented by Joel Kuepper

#RealWorldCrypto
Being super careful does not prevent significant bugs

#RealWorldCrypto Image
Very small trusted computing base

#RealWorldCrypto
CryptOpt basically automates random local search

#RealWorldCrypto
github.com/mit-plv/fiat-c…

Take the output of fiat-crypto, and optimize it with cryptopt

#RealWorldCrypto
it's faster, is it correct? verified checker

#RealWorldCrypto Image
Q: Operate on the operation graph not just the instructions?

A: Get the graph from fiat-crypto, which is optimized, cryptopt doesn't change it, just instructions

#RealWorldCrypto
Q: architecture-specific heuristics?

A: 'yes', double-edged sword

#RealWorldCrypto
Q: How many architectures?

A: Just x86, but all CPUs that support x86

#RealWorldCrypto
Q: How much work to port to another platform?

A: Supporting all the instructions makes a difference for x86; arm doesn't have as many, but we don't expect as much of a perf boost because there is less variety

#RealWorldCrypto
Q: Time to generate?

A: Couple of hours

#RealWorldCrypto
Break time!
Next up, "E2EE in Japan – culture and policy", by Hinako Sugiyama

#RealWorldCrypto
Next up, "DatashareNetwork: A Decentralized Privacy-Preserving Search Engine for Investigative Journalists", by Kasra EdalatNejad

#RealWorldCrypto
Slap some tor on it 😂

#RealWorldCrypto Image
prepare to interop with legacy code (incl. oauth)

#RealWorldCrypto
Next up, "Using ZK Proofs to Fight Disinformation", by Trisha Datta

#RealWorldCrypto
Image provenance verification (bet Bellingcat would like this)

#RealWorldCrypto
But an original photo often is transformed (compressed, resized, greyscale, cropping) all normal parts of publishing photos; this would affect verification of photo signatures

#RealWorldCrypto Image
zkSNARKs

#RealWorldCrypto Image
zkproofs that witness the original photo and the transform(s) applied honestly/correctly

#RealWorldCrypto Image
Original PhotoProof in 2016 was cutting edge but took several minutes to generate a proof for a small image; new advances in zkproof tools now makes it much more efficient

#RealWorldCrypto Image
Proof verification is /very/ fast, must be

#RealWorldCrypto
Doing SHA256 inside a snark is expensive, even Poseidon is too slow, so Poseidon(LatticeHash(photo_bytes))

#RealWorldCrypto Image
lol Poseidon-only hash ran out memory at largest input size

#RealWorldCrypto Image
Q: keep ID of camera private?

A: Not in our threat model

#RealWorldCrypto
Next up, "I was told there would be blockchain: 5 Years of Real World Crypto at DARPA", by Joshua Baron

#RealWorldCrypto
'Are blockchains decentralized?' blog.trailofbits.com/2022/06/21/are…

#RealWorldCrypto
Crypto programs at DARPA

#RealWorldCrypto Image
Everything on-device

#RealWorldCrypto Image
"Securing Information for Encrypted Verification and Evaluation (SIEVE)" (everything at DARPA needs an acronym)

#RealWorldCrypto
Care less about succinctness, the proof statements are just massive

#RealWorldCrypto
Extremely difficult to capture say, Rowhammer, but can capture Heartbleed

/17 million gates/

#RealWorldCrypto
Relevance to policy

#RealWorldCrypto Image
ZKP to prove you drove on Estonian roads without where/when

#RealWorldCrypto
Resilient Anonymous Communication for Everyone (RACE)

#RealWorldCrypto
All open source; "there is no world where you should trust closed-source DARPA code for anonymous communication" 😁

#RealWorldCrypto
'steganography' encodings

#RealWorldCrypto Image
[is it butkus or bupkis?]

#RealWorldCrypto
better obfuscated tor bridges! 🧅

#RealWorldCrypto Image
Using MPC for metadata security ("send this e2ee msg to Bob" is moot)

#RealWorldCrypto Image
Distributed protocols are hard to engineer especially with weird crypto and transports

#RealWorldCrypto Image
Measuring the Information Control Environment (MICE)

#RealWorldCrypto
Using AI for measurement and analysis of tons of data

#RealWorldCrypto Image
Lunch time!

#RealWorldCrypto
Next up, "From Theory to Practice to Theory: Lessons Learned from Multi-Party Schnorr Signatures", from Elizabeth Crites, Chelsea Komlo, Tim Ruffing

#realworldcrypto
Schnorr signatures! 💖

#realworldcrypto
Threshold vs multi sigs

#realworldcrypto Image Image
Need to commit to our nonces to avoid ROS attacks

#realworldcrypto Image
Standard single party Schnorr verification

#realworldcrypto
Adaptive security against a continuously-meddling adversary

#realworldcrypto Image
mult, or threshold?

#realworldcrypto
BROADCAST CHANNEL

(no not like twitter.com)

#realworldcrypto Image
So if you want to use threshold, how do you pick t and n? FROST just leaves that to you!

#realworldcrypto
No progress, but no forgery

#realworldcrypto Image
Robustness: the protocol succeeds so long as at least t players participate honestly. (required for liveness!)

#realworldcrypto
FROST is /not/ robust. Efficient, but

#realworldcrypto Image
ROAST takes FROST and makes it robust, with n-t+1 FROST protocol runs

#realworldcrypto Image
NIST call for threshold schemes:

csrc.nist.gov/publications/d…

#realworldcrypto
Some open research problems include efficient deterministic signatures

#realworldcrypto Image
You /cannot/ use that EdDSA-style deterministic nonce derivation in FROST, it allows key recovery!

#realworldcrypto Image
So, if we can't do that, can we build a real-world (efficient) deterministic threshold signature at all?

#realworldcrypto
Can we prove that the 2-round schemes require these stronger assumptions?

#realworldcrypto Image
🔑🔑🔑

#realworldcrypto Image
3-round and 2-round DKG schemes based on different assumptions

#realworldcrypto Image
Do two-round, efficient and composable DKGs exist?

#realworldcrypto
🎉

[check out some FROST impls in Rust: github.com/zcashfoundatio…]

#realworldcrypto Image
Q: BLS sigs?

A: Threshold BLS is great you should use it; of course it's hard to switch when you have deployed ecdsa or schnorr

#realworldcrypto
Q: Adaptive security for 2-round FROST?

A: Proof coming; can maintain 1-round w/ preprocessing FROST variant

#realworldcrypto
Next up, "Threshold ECDSA Towards Deployment", by abhi shelat

#realworldcrypto
Assuming 1 honest party

#realworldcrypto Image
ECDSA and its weirdness exists because Schnorr sigs were patented until about 2007

#realworldcrypto
Subtle work to get our security proof working

#realworldcrypto Image
✨ Lagrange ✨

#realworldcrypto Image
Nice for key refresh

#realworldcrypto Image
5 rounds

#realworldcrypto Image
In the random oracle model, /every/ (sub)protocol instance needs a /different/ random oracle! Prefix it!

#Realworldcrypto Image
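"Prefix it!" in code, as an added example that is not from the talk: a per-instance domain separation tag plus length-prefixed transcript fields, so two sub-protocol instances that hash identical bytes still get independent challenges and no two field splits collide. The function names and the tag format are the example's own assumptions.

```python
"""Added example: domain-separated random oracle for Fiat-Shamir style challenges.

Two (sub)protocol instances that feed the same bytes to the same hash get the same
challenge, which breaks proofs that model each instance with its own random oracle.
A distinct domain separation tag per protocol, version and instance, together with
unambiguous (length-prefixed) field encoding, gives each instance its own oracle.
"""
import hashlib


def naive_oracle(*parts: bytes) -> bytes:
    """Bad: plain concatenation, no tag. Shared across callers and ambiguous in its fields."""
    return hashlib.sha256(b"".join(parts)).digest()


def encode(parts) -> bytes:
    """Length-prefix every field so (b'ab', b'c') and (b'a', b'bc') encode differently."""
    out = b""
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return out


def oracle(dst: str, *parts: bytes) -> bytes:
    """Domain-separated oracle. dst names protocol, version and instance,
    e.g. 'sigproto-v1/round1/session-42' (constructed naming scheme)."""
    dst_b = dst.encode()
    return hashlib.sha256(len(dst_b).to_bytes(2, "big") + dst_b + encode(parts)).digest()


def fiat_shamir_challenge(dst: str, commitment: bytes, pubkey: bytes, msg: bytes, q: int) -> int:
    """Schnorr-style challenge e = H(dst, R, X, m) reduced into Z_q."""
    return int.from_bytes(oracle(dst, commitment, pubkey, msg), "big") % q
```

Note the two failure modes the naive version exhibits: `naive_oracle(R, X, m) == naive_oracle(R + X, m)` (field boundaries are invisible) and identical output for every protocol that happens to hash the same transcript. The tagged version differs on both.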
Recovery!

#realworldcrypto Image
Is threshold a 10x better experience for {user, organization}?

#realworldcrypto
For the org, yes; for the user, it's annoying/friction, but it's security

#realworldcrypto
Q: Beaver triples—

A: No triples! That's why we avoid the overhead

#realworldcrypto
Next up, "How a Blockchain Can Keep Many Secrets", by Gregory Neven

#realworldcrypto
BLS back again

#realworldcrypto Image
'status: complicated!' 😅

#realworldcrypto Image
Internet Computer 💻

#realworldcrypto Image
Q: When subnet validators change, do a key refresh?

A: Yes; you need some forward security notions

#realworldcrypto
Break!
Last session! "tlock: Practical timelock encryption based on threshold BLS", by Yolan Romailler

#realworldcrypto
Applications: 'responsible ransomware' :P

#realworldcrypto
Chained randomness 👀⛓️

#realworldcrypto Image
unchained randomness

#realworldcrypto Image
on-chain size: BLS sigs on BLS12-381 are 96bytes compressed in G_2, and mapping the message to G_2 is 10x more costly than G_1

#realworldcrypto
So, swap G_1 and G_2

#realworldcrypto Image
Q: PQ IBE?

A: Maybe, NIST call may motivate it

#realworldcrypto
Next up, "Portunus: Re-imagining Access Control In Distributed Systems Using Attribute-Based Encryption", by Tanya Verma

#realworldcrypto
But key is not supposed to be outside of the EU 🤔

#realworldcrypto
Naïve approach: every data center gets its own key

#realworldcrypto Image
Region-based encryption

#realworldcrypto Image
🔑🌐🔑

#realworldcrypto Image
Nice ✨

#realworldcrypto Image
Classical hybrids

#realworldcrypto Image
"Formidable notation can hide significant computation steps" oh man yeah

#realworldcrypto Image
Smells like pairings 😹

#realworldcrypto
Q: How are changes in policy handled by the system?

A: More demand than we can handle (per country, needs a few large datacenters in a region/country before we can deploy)

#realworldcrypto
A: For changes, we ask user to re-upload

#realworldcrypto
Last talk! "Ask Your Cryptographer if Context-Committing AEAD Is Right for You", by Sanketh Menda

#realworldcrypto
mmm mmm love that AEAD 🥰

#realworldcrypto Image
However:

#realworldcrypto Image
Multi-recipient integrity

#realworldcrypto Image
Malicious sender can arrange for different plaintexts to be received! 😭

#realworldcrypto Image
Currently deployed AEADs are not /key-committing/

#realworldcrypto Image
[are axolotls salamanders?]

#realworldcrypto
These attacks do not invalidate prior security analyses, but they do exploit the lack of key commitment

#realworldcrypto
We could standardize a key-committing solution, but fear this is short-sighted

#realworldcrypto
What we want is /context commitment/, not just key commitment

#realworldcrypto
Key commitment approaches don't ensure context commitment

#realworldcrypto
Some proposals for context commitment schemes:

#realworldcrypto Image
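What context commitment looks like mechanically, as an added example that is not from the talk and is not one of the proposals on the slide: wrap a generic AEAD and replace its tag with a collision-resistant hash over the whole context (key, nonce, associated data, original tag), so a ciphertext can be accepted under at most one (K, N, A). The base AEAD here is a constructed stdlib-only toy standing in for a real scheme such as AES-GCM; the wrapper is the point, and all names are the example's own.

```python
"""Added example: a context-committing wrapper around a generic AEAD.

The wrapper's commitment is SHA-256 over (K, N, A, T). Because the hash is
collision-resistant, finding two contexts that accept the same ciphertext means
finding a hash collision, which key commitment alone (binding only K) does not give.
"""
import hashlib
import hmac

TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256: a constructed cipher core for the demo only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _toy_tag(key: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # The base AEAD's authentication tag over (nonce, associated data, ciphertext).
    data = b"mac" + nonce + len(ad).to_bytes(8, "big") + ad + ct
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def toy_aead_encrypt(key, nonce, ad, msg):
    ks = _keystream(key, nonce, len(msg))
    ct = bytes(m ^ k for m, k in zip(msg, ks))
    return ct, _toy_tag(key, nonce, ad, ct)


def toy_aead_decrypt(key, nonce, ad, ct, tag):
    if not hmac.compare_digest(_toy_tag(key, nonce, ad, ct), tag):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# ---- context-committing wrapper ---------------------------------------------

def _commit(key: bytes, nonce: bytes, ad: bytes, tag: bytes) -> bytes:
    # Length-prefixed, domain-tagged hash of the full context; binds K, N, A and T together.
    data = (b"ctx-commit-v1"
            + len(key).to_bytes(2, "big") + key
            + len(nonce).to_bytes(2, "big") + nonce
            + len(ad).to_bytes(8, "big") + ad
            + tag)
    return hashlib.sha256(data).digest()


def cc_encrypt(key, nonce, ad, msg) -> bytes:
    ct, tag = toy_aead_encrypt(key, nonce, ad, msg)
    return ct + _commit(key, nonce, ad, tag)      # the base tag is replaced by the commitment


def cc_decrypt(key, nonce, ad, blob):
    ct, commit = blob[:-32], blob[-32:]
    # Recompute the base tag for the candidate context, then check the commitment first.
    tag = _toy_tag(key, nonce, ad, ct)
    if not hmac.compare_digest(_commit(key, nonce, ad, tag), commit):
        return None
    # The base decryption re-verifies the tag; redundant for this toy, but it keeps
    # the base AEAD a black box.
    return toy_aead_decrypt(key, nonce, ad, ct, tag)
```

The ciphertext grows by 32 - TAG_LEN bytes and the receiver does one extra hash; in exchange a malicious sender cannot produce a single blob that two recipients with different keys (or different nonces or associated data) both accept, which is the multi-recipient integrity failure described above.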
I see you sponge 🧽

#realworldcrypto
OCH:

+ Simple, single primitive
+ optimal length ciphertexts
+ Maximally parallelizable

#realworldcrypto Image
Is context-committing AEAD right for you? YES

#realworldcrypto Image
let's standardize and deploy them!

#realworldcrypto Image
Q: OCB is my favorite mode

A: Me too!

#realworldcrypto
Q: When are we done?

A: Our applications are getting more and more complex, it's hard to say

#realworldcrypto
Wrap up:

#realworldcrypto
650 in-the-flesh attendees! 150 remote! 🥴

#realworldcrypto Image
Thanks for attending!

#realworldcrypto
Propose venue for RWC 2025

#realworldcrypto Image
RWC 2024: Toronto Canada

#realworldcrypto Image
TIFF Bell Lightbox venue

#realworldcrypto Image
See you in Canada! 🍁 👋

</fin>

#realworldcrypto
