Real World Crypto 2019

Vipin Bharathan
Jan 26, 2019

A perspective from the front row

Axolotl — the true namesake of the double ratchet based self-healing message protocol

When you find yourself seated in the front row, somewhere between Whitfield Diffie and Vitalik Buterin, listening to one challenging, stimulating talk after another, you know that you are at the right conference. Real World Crypto 2019, three back-to-back days (Jan 9, 10 and 11) in San Jose, had me rapt.

Note that the word crypto in the title refers to cryptology. In deference to this sentiment, Zooko Wilcox of ZCash now refers to Zcash as a cybercoin. You will have to wait until the end of this article to read more about what he had to say in the last talk of the conference. Since there were some 35 presentations, we focus on our personal favorites and refer in passing to some others. The entire conference will be available on YouTube, where it was live-streamed. Slides are available on the program website. We await the 2020 conference in our backyard, New York City.

Since RWC was in San Jose, the giants of Silicon Valley were well represented; Google was prominent among them. Other big outfits like AWS, Visa, etc. were also present. Smaller fintech firms were in evidence, also in the list of sponsors of the conference. There were brilliant shoals of students, recent students (post-docs and others) and academics. We of course felt like a tortoise (not an axolotl), slightly out of place, slow moving but determined.

2019 Levchin Prize winners Mihir Bellare & Eric Rescorla at RWC 2019 San Jose (photo by VB)

Topics included actual implementations of cryptography at scale; presentations on hardware glitching techniques for side-channel attacks; process boundary attacks on SGX; tooling around Noise, a protocol framework; formal verification techniques; new microprocessor architectures; regulatory matters; custody of cyber-coins, etc.

What does a salamander have to do with cryptology, and in particular with end-to-end encryption? The self-healing property of the salamander Axolotl prompted the creators of the protocol (Whisper Systems) behind Signal, WhatsApp, etc. to name their protocol Axolotl. Axolotls can regenerate entire limbs and even certain parts of their brain; this is attributed to neoteny, being stuck in an embryonic or larval state (in the axolotl's case due to iodine deficiency), which is the defining characteristic of that species. Axolotl is about Post Compromise Security (PCS), or future secrecy, where the protocol heals itself even after a successful man-in-the-middle attack. We will delve deeper into this in my next article, concentrating on E2EE and the blockchain.
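To make the self-healing (post-compromise) property concrete, here is a toy double ratchet, added as an illustration; it is not code from Signal or Whisper Systems. It uses a constructed toy Diffie-Hellman group (the Mersenne prime 2^127 - 1, far too small for real use) and HMAC-SHA256 as the KDF; the party names, the KDF labels and the "attacker snapshots Alice's whole state" scenario are assumptions of this example. It shows the three stages a practitioner should expect: within the compromised epoch the symmetric ratchet leaks every later message key; a fresh ephemeral from Bob alone does not heal the session, because the attacker still holds Alice's ratchet private key; only once Alice contributes fresh randomness of her own does the attacker lose the session.

```python
"""Toy double ratchet illustrating Post Compromise Security (PCS).

Added educational model, not Signal's code. The DH group, the KDF labels
and the message flow are constructed for illustration only.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed): p = 2**127 - 1 is a Mersenne prime.
# Far too small for real use; only the algebraic structure matters here.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Fresh (private, public) pair for one ratchet step."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret as 16 bytes; dh(a, g^b) == dh(b, g^a)."""
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf(key, label):
    """One-way key derivation: HMAC-SHA256 keyed with the current key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def dh_ratchet(root, shared):
    """DH ratchet: mix fresh DH output into the root key, start a new chain."""
    new_root = kdf(root, b"root|" + shared)
    return new_root, kdf(new_root, b"chain")


def symmetric_ratchet(chain):
    """Symmetric ratchet: advance the chain key and emit one message key."""
    return kdf(chain, b"next"), kdf(chain, b"msg")


def send_n(chain, n):
    """Derive n message keys from a chain; returns (final chain, keys)."""
    keys = []
    for _ in range(n):
        chain, mk = symmetric_ratchet(chain)
        keys.append(mk)
    return chain, keys


def simulate_compromise():
    """Run one compromise scenario; report which keys the attacker recovers."""
    # Epoch 0: Alice and Bob share a root key from an initial key agreement
    # (constructed here) and each hold a ratchet key pair.
    root = kdf(b"constructed initial shared secret", b"root")
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    root, alice_send = dh_ratchet(root, dh(a_priv, b_pub))  # Bob: dh(b_priv, a_pub)
    alice_send, _ = send_n(alice_send, 2)

    # Compromise: the attacker snapshots Alice's entire state right now.
    stolen = {"root": root, "chain": alice_send, "a_priv": a_priv}

    # 1. Same epoch: the attacker runs the symmetric ratchet forward and wins.
    alice_send, later_keys = send_n(alice_send, 2)
    _, attacker_keys = send_n(stolen["chain"], 2)
    same_epoch_broken = attacker_keys == later_keys

    # 2. Bob ratchets with a fresh pair b2. Alice's receiving chain mixes in
    #    dh(a_priv, b2_pub); the attacker holds a_priv, so still wins.
    b2_priv, b2_pub = dh_keypair()
    root, alice_recv = dh_ratchet(root, dh(a_priv, b2_pub))
    att_root, att_recv = dh_ratchet(stolen["root"], dh(stolen["a_priv"], b2_pub))
    bob_turn_broken = att_recv == alice_recv

    # 3. Alice ratchets with a fresh pair a2. The new chain depends on a2_priv,
    #    which did not exist at compromise time: the session heals.
    a2_priv, a2_pub = dh_keypair()
    root, alice_send = dh_ratchet(root, dh(a2_priv, b2_pub))
    # Best the attacker can do without a2_priv: keep using the stolen key.
    _, attacker_guess = dh_ratchet(att_root, dh(stolen["a_priv"], b2_pub))
    healed = attacker_guess != alice_send

    return {
        "same_epoch_broken": same_epoch_broken,
        "bob_turn_broken": bob_turn_broken,
        "healed_after_alice_turn": healed,
    }


if __name__ == "__main__":
    for name, value in simulate_compromise().items():
        print(f"{name}: {value}")
```

The asymmetry between stages 2 and 3 is the practical point: healing needs fresh randomness from the compromised party, so a device that keeps receiving but never sends a new ratchet key stays exposed.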

End-to-end encryption was a major theme. For those who think that end-to-end encryption is a pipe dream: messaging systems and RPC mechanisms at scale have E2EE built in, as demonstrated in several talks. Sure, not all asynchrony, future privacy and forward privacy concerns have been addressed, and there is also the specter of quantum computing hanging over the whole scene. In engineering, we prefer the improvement of practical strengths of today, with our eyes wide open.

Talking of post-quantum, the partial government shutdown affected us as well, as no one could present on the NIST competition candidates from the second round of the PQC process; NIST folks were prohibited from traveling and presenting, even when RWC 2019 offered to pay. Essentially a gag order, without it being a gag order.

The conference opened with talks on messaging layer security (MLS) standardization efforts. The important considerations for MLS are:

  • Asynchrony: messaging between two parties who may not be online at the same time
  • Support for large group conversations
  • Forward Security and Post Compromise Security

The MLS standardization effort uses a tree-based KEM (Key Encapsulation Mechanism) as opposed to a Diffie-Hellman based solution.

The first talk gave the status of this effort, including the implementations as well as the challenges.
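To show why MLS reaches for a tree-based KEM for large groups, here is a constructed toy of the TreeKEM idea, added as an illustration; it is not MLS code or any implementation's code. It uses a toy Diffie-Hellman group (2^127 - 1), hashed-DH encryption in place of HPKE, a heap-indexed binary tree of members, and a constructed trusted setup that simply hands every member the secrets on its path to the root (real MLS builds the tree through Add operations). One member's update sends one ciphertext per copath node, that is log2(n) ciphertexts instead of the n-1 a pairwise Diffie-Hellman design would need, and every other member still recovers the new root key.

```python
"""Toy TreeKEM-style group key update (constructed educational model; not MLS code).

Members sit at the leaves of a complete binary tree. Every node has a secret
(known only to members below it) and a public key (known to everyone).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy Mersenne-prime group, far too small for real use
G = 3


def kdf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def to_secret(b):
    """Map 32 derived bytes to a private exponent in [1, P-2]."""
    return int.from_bytes(b, "big") % (P - 2) + 1


def encap(pub, msg):
    """Hashed-DH encryption of a 32-byte msg to a node public key (toy HPKE)."""
    r = secrets.randbelow(P - 2) + 1
    mask = kdf(pow(pub, r, P).to_bytes(16, "big"), b"mask")
    return pow(G, r, P), bytes(a ^ b for a, b in zip(msg, mask))


def decap(secret, kem, ct):
    mask = kdf(pow(kem, secret, P).to_bytes(16, "big"), b"mask")
    return bytes(a ^ b for a, b in zip(ct, mask))


class Group:
    """n members (a power of two) at leaves n..2n-1 of a heap-indexed tree."""

    def __init__(self, n):
        self.n = n
        self.pub = {}                      # public tree, visible to everyone
        self.known = {m: {} for m in range(n)}  # each member's private view
        setup = {node: secrets.randbelow(P - 2) + 1 for node in range(1, 2 * n)}
        for node, s in setup.items():
            self.pub[node] = pow(G, s, P)
        # Constructed trusted setup: each member gets the secrets on its path.
        for m in range(n):
            node = n + m
            while node >= 1:
                self.known[m][node] = setup[node]
                node //= 2

    def root_key(self, m):
        return self.known[m].get(1)

    def update(self, m):
        """Member m refreshes its leaf; returns the ciphertexts it broadcasts."""
        node = self.n + m
        path = kdf(secrets.token_bytes(32), b"path")   # fresh leaf path secret
        cts = []
        while True:
            s = to_secret(kdf(path, b"node"))
            self.known[m][node] = s
            self.pub[node] = pow(G, s, P)              # new public key goes out
            if node == 1:
                return cts
            sibling = node ^ 1                         # copath node at this level
            path = kdf(path, b"path")                  # parent's path secret
            cts.append((sibling, *encap(self.pub[sibling], path)))
            node //= 2

    def process(self, m, cts):
        """Another member recovers the new secrets on the shared part of its path."""
        for sibling, kem, ct in cts:
            if sibling in self.known[m]:               # exactly one copath node applies
                path = decap(self.known[m][sibling], kem, ct)
                node = sibling // 2
                break
        else:
            raise ValueError("no ciphertext addressed to this member")
        while True:
            self.known[m][node] = to_secret(kdf(path, b"node"))
            if node == 1:
                return
            path = kdf(path, b"path")
            node //= 2


def demo(n=8, updater=3):
    """Returns (ciphertexts sent, distinct root keys held, root changed)."""
    g = Group(n)
    old_root = g.root_key(0)
    cts = g.update(updater)
    for m in range(n):
        if m != updater:
            g.process(m, cts)
    roots = {g.root_key(m) for m in range(n)}
    return len(cts), len(roots), roots != {old_root}
```

For eight members the update carries three ciphertexts and all eight members agree on the new root; a pairwise design would need seven. Post-compromise security follows the same shape as the double ratchet: a member's update replaces every secret on its path, so material stolen before the update is useless for the new root.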

Talking about cryptography at scale, there was a talk on implementing End to End Encryption (E2EE) for Snap. Snap allows users to share ephemeral multimedia content with others. The system has about 190 million users who share 10 billion or so pieces of content every day in an asynchronous manner. Privacy is enhanced by the evanescence of the content according to certain rules. The talk covered the following challenges and design decisions:

  • Handling identity churn for both the producer of the content and the consumer, which means having the means to rapidly sync if users switch devices or bring new devices online.
  • Device sharing by users, which had to be solved while keeping content segregated on the same device.
  • All of this has to be done with minimal retries, as even a 1.85% retry rate in a protocol like Axolotl (double ratchet) creates unacceptable (for Snap) loads and delays on the system for the users. The end design uses an account model to relax the coupling of users to devices. This design has a retry rate around 0.8% (not sure of exact %), which would still represent huge numbers in a widely used app like Snap.
  • The features have been implemented using a bespoke protocol that covers all aspects of key management for ephemeral content; the redesign also altered some of the privacy guarantees like forward secrecy.
  • The protocol design reflects the commercial demands on protocols that relax the ephemeral quality of the content and ease of use, which end up challenging the privacy guarantees. To monetize an app like Snap, concepts like what constitutes a session, a shared ephemeral key, ephemeral content, asynchrony and other properties have to be reconciled.
  • Snap is working on forward secrecy and transparent key management à la CONIKS.

Elections & Cryptography, by Matt Blaze (UPenn), was about the contentious topic of elections and election machines.

  • Trust in election mechanism is vital to the democratic process. Paper based systems, machines (mechanical) and software based systems have been shown to be flawed and insecure. Further, voting infrastructure is controlled in about 3000 counties in the US in relatively resource-starved settings. Elections do not stop for the proper development of voting technology.
  • A solution has to be implementable today, relatively secure and private, and must have multiple methods of recordation and counting, which has to be timely (results have to be announced right away); there are no do-overs.
  • Pure software only or manual voting methods are less secure than hybrids or methods that can use one to check on another. Story from
  • Stop with blockchain based voting solutions already! This comment seems to be based on a certain viewpoint on decentralization, all voters do not need to run full blockchain nodes, nor be able to look at all the records transparently for there to be a voting solution based on blockchains.

Word from the Congo election (Jan 16, 2019), where the machines were used to check the manual count, showed that the results as certified pointed to widespread fraud; in other words, machines to the rescue!

Noise Explorer (NE) is an online tool that helps reason about a Noise protocol. Noise is a protocol framework for Diffie-Hellman key agreement based crypto protocols. Noise generates a concrete protocol from tokens → message patterns → handshake patterns, created through the use of DH functions, cipher functions and hash functions. The number of tokens is limited to 8 (of which two are repeats). The number of protocols that it can generate is unbounded.

The presentation by Nadim Kobeissi (INRIA, Symbolic Software) was one of the most riveting presentations in the conference, due to the level of detail, the audience engagement and the subject matter. Noise Explorer does the following:

  • A convenient catalog of available handshake patterns and detailed formal verification of these including malicious attackers. This can also be used as a check to see if any of them satisfy your requirements or as a starting point to develop your own protocol to meet your use case.
  • Immediate analysis of a handshake pattern created by any user (try it out now!). The pattern can be entered on the website using tokens and interactions between a sender and a receiver using a spare notation.
  • Analysis includes validity checks against the Noise specification as well as display of this on the browser as you enter the pattern.
  • Generation of symbolic models in pi calculus; formal verification of the model using ProVerif, these models can be analyzed against passive and active attackers with malicious principals.
  • The NE can also generate Go code to securely implement the protocol.
  • Noise is used in whatsapp.
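The validity check that Noise Explorer performs as you type a pattern can be illustrated with a small checker, added here as an example; it is not Noise Explorer's code. The labels R1 to R4 are this example's own names for four of the pattern validity rules in the Noise specification: a DH token may only use keys the party actually holds (R1), a party publishes its e or s at most once (R2), each DH is performed at most once (R3), and after a DH involving its local static key a party must not encrypt anything until it has also performed a DH between its local ephemeral and the same remote key (R4). The XX and NK patterns are written in the specification's arrow notation with an optional pre-message block ending in "..."; the malformed patterns used for checking are constructed.

```python
"""Validity checker for Noise handshake patterns (four of the spec's rules).

Added example; not Noise Explorer's code. Rule labels R1-R4 are local names:
  R1  a DH token may only use keys the party possesses
  R2  a party sends its e or s at most once per handshake
  R3  each DH (ee, es, se, ss) is performed at most once
  R4  after a DH with the local static key, no ENCRYPT() until a DH between
      the local ephemeral and the same remote key has also been performed
"""

VALID_TOKENS = {"e", "s", "ee", "es", "se", "ss"}

# Sample patterns from the Noise specification's catalog (written here for the example).
XX = """
-> e
<- e, ee, s, es
-> s, se
"""

NK = """
<- s
...
-> e, es
<- e, ee
"""


class PatternError(ValueError):
    pass


def parse_pattern(text):
    """Split a pattern into (pre_messages, messages); each entry is (sender, tokens)."""
    pre, msgs, in_pre = [], [], "..." in text
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "...":
            in_pre = False
            continue
        arrow, _, rest = line.partition(" ")
        if arrow not in ("->", "<-"):
            raise PatternError(f"bad direction in line {line!r}")
        sender = "initiator" if arrow == "->" else "responder"
        tokens = [t.strip() for t in rest.split(",") if t.strip()]
        for t in tokens:
            if t not in VALID_TOKENS:
                raise PatternError(f"unknown token {t!r}")
        (pre if in_pre else msgs).append((sender, tokens))
    return pre, msgs


def validate(text):
    """Return [] if the pattern passes R1-R4, else a list of violation strings."""
    pre, msgs = parse_pattern(text)
    other = {"initiator": "responder", "responder": "initiator"}
    sent = {"initiator": set(), "responder": set()}       # own keys published so far
    static_dh = {"initiator": set(), "responder": set()}  # remote keys DH'd with local s
    eph_dh = {"initiator": set(), "responder": set()}     # remote keys DH'd with local e
    dh_done, k_set, errors = set(), False, []

    def check_encrypt(party, where):
        missing = static_dh[party] - eph_dh[party]
        if missing:
            errors.append(f"R4: {party} encrypts at {where} after static DH with "
                          f"remote {sorted(missing)} but no ephemeral DH with it")

    for sender, tokens in pre:
        for t in tokens:
            if t not in ("e", "s"):
                errors.append(f"pre-message may only carry e or s, got {t!r}")
            sent[sender].add(t)

    for n, (sender, tokens) in enumerate(msgs, 1):
        for t in tokens:
            if t in ("e", "s"):
                if t in sent[sender]:
                    errors.append(f"R2: {sender} sends {t} twice (message {n})")
                if t == "s" and k_set:            # s is encrypted once a key is set
                    check_encrypt(sender, f"token s in message {n}")
                sent[sender].add(t)
                continue
            # DH token: first letter is the initiator's key, second the responder's.
            local, remote = (t[0], t[1]) if sender == "initiator" else (t[1], t[0])
            if (local == "e" and "e" not in sent[sender]) or remote not in sent[other[sender]]:
                errors.append(f"R1: {sender} lacks a key for {t} (message {n})")
            if t in dh_done:
                errors.append(f"R3: {t} performed twice (message {n})")
            dh_done.add(t)
            k_set = True
            (eph_dh if local == "e" else static_dh)[sender].add(remote)
            (eph_dh if remote == "e" else static_dh)[other[sender]].add(local)
        if k_set:                                  # payload is encrypted from here on
            check_encrypt(sender, f"payload of message {n}")
    return errors


if __name__ == "__main__":
    for name, pattern in (("XX", XX), ("NK", NK)):
        print(name, "valid" if not validate(pattern) else validate(pattern))
```

R4 is the rule that catches the classic mistake of encrypting right after an ss or se token: a static-static secret alone is replayable, so the spec insists on an ephemeral contribution before the first ciphertext.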

In short, a neat package that leverages existing tools and makes the generation of a concrete Noise protocol secure, valid and efficient. Nadim gave a shout out to David Wong’s blog on cryptologie.net. He also thanked his adviser Karthikeyan Bhargavan, who is a co-author of this talk (and presumably of Noise Explorer) and also of the talk on MLS. Karthik gave another talk later on Verified Vectorized Cryptography, a way to generate correct crypto code targeted at multiple processors. Karthik’s work on F* could have great impact, since the project is backed by Microsoft Research.

We also ran into the inimitable Trevor Perrin, the creator of Noise and major contributor to messaging protocols, including the Axolotl double ratchet. We had a conversation with TP about collaborating with Ursa, a cryptographic library being created in Hyperledger, for use across multiple DLT platforms. We saw Trevor following up with @MikeLodder, one of the chief maintainers of Ursa and we are excited about the potential and cannot wait to hear about the developments on that front.

Cryptographers and Engineers

All this brings us to the next theme of this conference. Lots of analysis has been done on developers and crypto code. On the whole, there was a certain disbelief about the kind of mistakes that developers make, lots of laughter and head-shakes, “I can’t believe that they did that” among the crypto-cognoscenti. This leads to a certain feeling of smugness. The main takeaway is that best-practice dissemination between cryptographers and developers is a two-way street. Cryptographers need engineers and vice versa.

Security is often bolted on at the end of a development process that is driven by commercial considerations and unrealistic deadlines, which leads to several sub-optimal and buggy approaches, including:

  • Roll your own crypto, both methods and implementations (see the IOTA vulnerability). Neha Narula presented how this vulnerability was discovered and the communications that they had with IOTA team in detail.
  • Side-channels
  • The usual litany; memory access (buffer overflow), integer overflow, SQL injection etc.

And many others. Bugs are not obvious until they are caught, even security bugs; when bugs are caught there is no need to roll in the aisles laughing, shaming and pointing. The gap needs to be closed, starting with a genuine respectful conversation and well tested tools that enhance correctness, even automatic generation of crypto code. We are moving in the right direction, but the distance is large between cryptographers and engineers.

In a session presented by Michelle Mazurek on understanding security mistakes that developers make, communication comes as the top culprit in the distance between specification and implementation. The data says that even for very basic implementations in the development contest, the vast majority of the errors are from “misunderstanding” or “no implementation”. Specification to implementation has been the bugbear of software development in all fields. Methods like Agile and Scrum have been developed to create a process to make adjustments using rapid feedback loops. Software development has always been mostly an art, so no surprises here. Formal analysis and model to code tools are of course creating ways to forge engineering from art.

Microprocessor Architecture

Microprocessor architectures have been a fertile ground for the arms race between the breakers and the fixers. In Practicing the art and science of side channel and fault attacks, Jasper van Woudenberg (Riscure) took us through side-channel attacks using forced and unforced electromagnetic leakage and measurements. It was fascinating to hear about fuzzing and the exploration of the boundary between breakdown and normal operation of electronic components; it is in this boundary that many exploits lie. The systematic and artful exploration of these boundaries was the substance of the talk.

Later we had the full Monty on Foreshadow, the widely publicized exploit on SGX, which calls into question the whole concept of security enclaves. It was a deliberately hilarious talk (have a look at the slides from the program site). Of course, high drama does not equate to the exploit being widely used in the wild. However, the highly baroque architecture of the Intel technical stack does not inspire confidence either; maybe this is due to years of success, requirements for backward compatibility, and the takeover of a serious engineering enterprise by marketers and hype-meisters.

This is why the excitement around RISC-V is understandable, since it is a sweep of the decks with modern concepts of clean-slate design and modularization, designed for growth via extensions. No license fees and higher-level languages also spur adoption. Just the participation curve in RISC-V conferences seems to predict good times. Intel may get into the act themselves, but it is difficult to see people who have been suckling on the license teat letting go without a difficult and bitter weaning.

Of extreme interest to us was the talk by Srini Devadas of MIT on the latest design thinking, Towards Open Source Formally Verified Processors. The main idea is the architectural isolation of processes. This would remove the side-channel vector of shared cache space combined with speculative execution, which is the way in which Spectre, among other attacks, succeeds against SGX. Srini took us through spatial and temporal isolation combined with cryptography in Sanctum and some other microprocessor architectures, and the minimal hardware extension techniques that would provide better security. Today, turning off hyper-threading can protect the SGX enclave from Foreshadow, but the performance hit would be tremendous. Turning off speculative execution completely has a 3x slowdown. Srini’s team was able to reduce this to around a 10% slowdown by selectively turning off speculation, backed by increasing temporal (to prevent timing attacks) and spatial separation in DRAM and caches. Of course, as implied by the word “towards”, the solution is aspirational, since some challenges remain.

Blockchain @ RWC-2019

During lightning talks we asked the community to have an open mind about Blockchain and invited cryptographers to the community around Hyperledger including the crypto lib Ursa; since we would all (cryptographers and engineers) benefit from this collaboration. We did get positive signals from multiple cryptographers about this brief announcement, including a nod from Dan Boneh one of the leaders of #RealWorldCrypto. The BPASE conference that he heads is just around the corner.

The last session of the conference was devoted to Blockchain. This included the talk on the analysis of IOTA by Neha Narula that we mentioned before. Details of custody and protection of cryptocoins and digital tokens were covered in a talk by the creators of Unbound Tech. The Unbound solution uses MPC and Threshold ECDSA. Parts of the solution are open-sourced and available on GitHub. Cryptocurrency protection needs to address three settings: exchanges (high turnover and volume, where large, medium and small vaults may be needed, each with different protection), custody solutions (necessary only for high-value, low-turnover settings), and customer solutions like wallets.

Zooko Wilcox closed the session with an inspiring and hopeful talk filled with idealism and vision. Some points that he made:

  • Cryptography reduces power imbalance.
  • We believe that privacy is necessary for economic freedom and human dignity.
  • Talk to the regulators using analogies they understand like Blockchain being like a shared Excel spreadsheet. He drove this forward by showing the ZCash system as a spreadsheet with many of the columns blacked out.
  • Creating both transparent and shielded addresses was a mistake; Zcash could have been better off with just shielded addresses, since they are the only truly ZK addresses.
  • The use of viewing keys to selectively expose transaction details to regulators made it easier for ZCash to be approved.
  • Knowledge is the best antidote to fear.

Conclusion

Real World Crypto 2019 was a real conference with real speakers talking about real world solutions and challenges. The vast amount of new material that we had to deal with as a non-cryptographer was significant; however new ideas and connections were being sparked in multiple areas. In particular, work on end to end encryption gave us hope that we are moving toward real individual privacy. This is significant in the negative climate that we live in now, with authoritarian governments expanding their powers of surveillance and the takeover of our minds using information harvested from our own daily activities. The yin and yang of cryptography and cryptanalysis and how they strengthen the solutions that we use through the build break cycle was also on display. Hope we are able to transmit a portion of the excitement, knowledge and hope that we experienced!
