A perspective from the front row

Axolotl — the true namesake of the double ratchet based self-healing message protocol

When you find yourself seated in the front row, somewhere between Whitfield Diffie & Vitalik Buterin, listening to one challenging, stimulating talk after another, you know that you are at the right conference. Real World Crypto 2019, three back-to-back days, Jan 9, 10 and 11 in San Jose, had me rapt.

Note that the word crypto in the title refers to cryptology. In deference to this sentiment, Zooko Wilcox of Zcash now refers to Zcash as a cybercoin. You will have to wait until the end of this article to read more about what he had to say in the last talk of the conference. Since there were some 35 presentations, we focus on our personal favorites and refer in passing to some others. The entire conference will be available on YouTube, where it was live-streamed. Slides are available on the program website. We await the 2020 conference in our backyard, New York City.

Since RWC was in San Jose, the giants of Silicon Valley were well represented; Google was prominent among them. Other big outfits like AWS and Visa were also present. Smaller fintech firms were in evidence, including in the list of conference sponsors. There were brilliant shoals of students, recent students (post-docs and others) and academics. We of course felt like a tortoise (not an axolotl), slightly out of place, slow moving but determined.

2019 Levchin Prize winners Mihir Bellare & Eric Rescorla at RWC 2019 San Jose (photo by VB)

Topics included actual implementations of cryptography at scale; hardware glitching techniques for side-channel attacks; process-boundary attacks on SGX; tooling around Noise, a protocol generator; formal verification techniques; new microprocessor architectures; regulatory matters; and custody of cybercoins.

What does a salamander have to do with cryptology, and in particular with end-to-end encryption? The self-healing property of the axolotl, a salamander, prompted the creators of the protocol behind Signal, WhatsApp etc. (Whisper Systems) to name their protocol Axolotl. Axolotls can regenerate entire limbs and even certain parts of their brain, due to neoteny: being stuck in an embryonic or larval state due to iodine deficiency, which is the defining characteristic of that species. Axolotl is about Post-Compromise Security (PCS), or Future Secrecy, where the protocol heals itself even after a successful man-in-the-middle attack. We will delve deeper into this in our next article, concentrating on E2EE and the blockchain.
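To make the self-healing property concrete, here is an added simulation of one Diffie-Hellman ratchet round trip (it is not code from the page, nor from Signal or Whisper Systems): an attacker who copies Bob's entire state can follow Alice's next message, but is locked out once Bob replies with a fresh ratchet key. The DH group is a toy group standing in for X25519, and the per-message symmetric chains are collapsed to a single chain key per step.

```python
import hashlib
import secrets

# Toy DH group standing in for X25519: a Mersenne prime modulus and a small
# generator. Fine for a demonstration of the ratchet logic, NOT a secure group.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def kdf_rk(root_key, dh_out):
    # Root KDF: (old root key, DH output) -> (new root key, chain key)
    out = hashlib.sha256(root_key + dh_out.to_bytes(16, "big")).digest()
    return out[:16], out[16:]

class Party:
    def __init__(self, root_key, priv, pub, peer_pub):
        self.root_key, self.priv, self.pub, self.peer_pub = root_key, priv, pub, peer_pub

    def send(self):
        # DH ratchet step: fresh ratchet key pair, new root key and sending chain key.
        self.priv, self.pub = keypair()
        self.root_key, ck = kdf_rk(self.root_key, pow(self.peer_pub, self.priv, P))
        return self.pub, ck  # the new public key rides in the message header

    def receive(self, peer_pub):
        # Mirror the peer's ratchet step to land on the same chain key.
        self.peer_pub = peer_pub
        self.root_key, ck = kdf_rk(self.root_key, pow(peer_pub, self.priv, P))
        return ck

def simulate():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    root = secrets.token_bytes(16)  # constructed root key from the initial handshake
    alice, bob = Party(root, a_priv, a_pub, b_pub), Party(root, b_priv, b_pub, a_pub)
    # Full compromise of Bob at this moment: Mallory copies root key and private key.
    mallory = Party(bob.root_key, bob.priv, bob.pub, bob.peer_pub)

    # Alice's next message: Mallory still holds Bob's private key, so she keeps up.
    pub1, ck1 = alice.send()
    leaked = bob.receive(pub1) == ck1 and mallory.receive(pub1) == ck1

    # Bob's reply uses a fresh private key Mallory never saw: the session heals.
    pub2, ck2 = bob.send()
    healed = alice.receive(pub2) == ck2 and mallory.receive(pub2) != ck2
    return {"leaked_first_step": leaked, "healed_after_round_trip": healed}
```

The window between compromise and healing is exactly why the ratchet is paired with forward secrecy for the messages already sent: PCS protects the future, not the past.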

End-to-end encryption was a major theme. For those who think that end-to-end encryption is a pipe dream: messaging systems and RPC mechanisms at scale have E2EE built in, as demonstrated in several talks. Sure, not all asynchrony, future-privacy and forward-privacy concerns have been addressed, and there is also the specter of quantum computing hanging over the whole scene. In engineering, we prefer to improve the practical strengths of today with our eyes wide open.

Talking of post-quantum, the partial government shutdown affected us as well: no one could present on the second-round candidates of the NIST PQC competition, since NIST folks were prohibited from traveling and presenting, even though RWC 2019 offered to pay. Essentially a gag order, without being a gag order.

The conference opened with talks on messaging layer security (MLS) standardization efforts. The important considerations for MLS are:

The MLS standardization effort uses a tree-based KEM (Key Encapsulation Method) as opposed to a DH (Diffie-Hellman) based solution.

The first talk gave the status of this effort, including the implementations as well as the challenges.

Talking about cryptography at scale, there was a talk on implementing End-to-End Encryption (E2EE) for Snap. Snap allows users to share ephemeral multimedia content with others. The system has about 190 million users who share 10 billion or so pieces of content every day in an asynchronous manner. Privacy is enhanced by the evanescence of the content according to certain rules.

Elections & Cryptography, by Matt Blaze (UPenn), was about the contentious topic of elections and election machines.

Word from the Congo election (Jan 16, 2019), where the machines were used to check the manual count, showed that the results as certified pointed to widespread fraud; in other words, machines to the rescue!

Noise Explorer (NE) is an online tool that helps reason about a Noise protocol. Noise is a protocol framework for Diffie-Hellman key agreement based crypto protocols. Noise generates a concrete protocol from tokens -> message patterns -> handshake patterns, created through the use of DH functions, cipher functions and hash functions. The number of tokens is limited to 8 (of which two are repeats). The number of protocols that it can generate is unbounded.

The presentation by Nadim Kobeissi (INRIA, Symbolic Software) was one of the most riveting presentations at the conference, due to the level of detail, the audience engagement and the subject matter. Noise Explorer does the following:

In short, a neat package that leverages existing tools to make the generation of a concrete Noise protocol secure, valid and efficient. Nadim gave a shout-out to David Wong’s blog at cryptologie.net. He also thanked his adviser Karthikeyan Bhargavan, who is a co-author of this talk (and presumably of Noise Explorer) and also of the talk on MLS. Karthik gave another talk later on Verified Vectorized Cryptography, a way to generate correct crypto code targeted at multiple processors. Karthik’s work on F* could have great impact since the project is backed by Microsoft Research.

We also ran into the inimitable Trevor Perrin, the creator of Noise and a major contributor to messaging protocols, including the Axolotl double ratchet. We had a conversation with TP about collaborating with Ursa, a cryptographic library being created in Hyperledger for use across multiple DLT platforms. We saw Trevor following up with @MikeLodder, one of the chief maintainers of Ursa, and we are excited about the potential and cannot wait to hear about the developments on that front.

Cryptographers and Engineers

All this brings us to the next theme of this conference. Lots of analysis has been done on developers and crypto code. On the whole, there was a certain disbelief about the kind of mistakes that developers make, lots of laughter and head-shakes, “I can’t believe that they did that” among the crypto-cognoscenti. This leads to a certain feeling of smugness. The main takeaway is that best-practice dissemination between cryptographers and developers is a two-way street. Cryptographers need engineers and vice versa.

Security is often bolted on at the end of a development process that is driven by commercial considerations and unrealistic deadlines, which leads to several sub-optimal and buggy approaches, including

And many others. Bugs are not obvious until they are caught, even security bugs; when bugs are caught there is no need to roll in the aisles laughing, shaming and pointing. The gap needs to be closed, starting with a genuine, respectful conversation and well-tested tools that enhance correctness, even automatic generation of crypto code. We are moving in the right direction, but the distance between cryptographers and engineers is large.

In a session presented by Michelle Mazurek on understanding the security mistakes that developers make, communication comes out as the top culprit in the distance between specification and implementation. The data says that even for very basic implementations in the development contest, the vast majority of the errors stem from “misunderstanding” or “no implementation”. Specification to implementation has been the bugbear of software development in all fields. Methods like Agile and Scrum have been developed to create a process that makes adjustments using rapid feedback loops. Software development has always been mostly an art, so no surprises here. Formal analysis and model-to-code tools are of course creating ways to forge engineering from art.

Microprocessor Architecture

Microprocessor architectures have been a fertile ground for the arms race between the breakers and the fixers. We heard about side-channel attacks using forced and unforced electromagnetic leakage and measurements. It was fascinating to hear about fuzzing and the exploration of the boundaries between breakdown and normal working of electronic components; it is in this boundary where many exploits lie. The systematic and artful exploration of these boundaries was the subject of the talk Practicing the art and science of side channel and fault attacks by Jasper van Woudenberg (Riscure).

Later we had the full monty on Foreshadow, the widely publicized exploit on SGX, which calls into question the whole concept of security enclaves. It was a deliberately hilarious talk (have a look at the slides on the program site). Of course, high drama does not mean the exploit is widely used in the wild. However, the highly baroque architecture of the Intel technical stack does not inspire confidence either; maybe due to years of success, requirements for backward compatibility and the takeover of a serious engineering enterprise by marketers and hype-meisters.

This is why the excitement around RISC-V is understandable: it is a sweep of the decks with modern concepts of clean-slate design and modularization, designed for growth via extensions. No license fees and higher-level languages also spur adoption. Just the participation curve at RISC-V conferences seems to predict good times. Intel may get into the act themselves, but it is difficult to see people who have been suckling on the license teat letting go without a difficult and bitter weaning.

Of extreme interest to us was the talk by Srini Devadas of MIT on the latest design thinking, Towards Open Source Formally Verified Processors. The main idea is the architectural isolation of processes. This would remove the side-channel vector of shared cache space combined with speculative execution, which is the way in which Spectre, among other attacks, succeeds against SGX. Srini took us through spatial and temporal isolation combined with cryptography in Sanctum and some other microprocessor architectures, and the minimal hardware-extension techniques that would provide better security. Today, turning off hyper-threading can protect the SGX enclave from Foreshadow, but the performance hit would be tremendous. Turning off speculative execution completely has a 3x slowdown. Srini’s team was able to reduce this to around a 10% slowdown by selectively turning off speculation, backed by increased temporal (to prevent timing attacks) and spatial separation in DRAM and caches. Of course, as implied by the word “towards”, the solution is aspirational, since some challenges remain.

Blockchain @ RWC-2019

During the lightning talks we asked the community to have an open mind about blockchain and invited cryptographers to the community around Hyperledger, including the crypto library Ursa, since we would all (cryptographers and engineers) benefit from this collaboration. We did get positive signals from multiple cryptographers about this brief announcement, including a nod from Dan Boneh, one of the leaders of #RealWorldCrypto. The BPASE conference that he heads is just around the corner.

The last session of the conference was devoted to blockchain. This included the talk on the analysis of IOTA by Neha Narula that we mentioned before. Details of custody and protection of cryptocoins and digital tokens was a talk by the creators of Unbound Tech. The Unbound solution uses MPC and threshold ECDSA. Parts of the solution are open sourced and available on GitHub. Cryptocurrency protection needs three settings: exchanges (for high turnover and volume; we may need large, medium and small vaults, with different protection offered on each); custody solutions, necessary only for high-value, low-turnover settings; and customer solutions like wallets.

Zooko Wilcox closed the session with an inspiring and hopeful talk filled with idealism and vision. Some points that he made:

Conclusion

Real World Crypto 2019 was a real conference with real speakers talking about real-world solutions and challenges. The vast amount of new material that we had to deal with as non-cryptographers was significant; however, new ideas and connections were being sparked in multiple areas. In particular, work on end-to-end encryption gave us hope that we are moving toward real individual privacy. This is significant in the negative climate that we live in now, with authoritarian governments expanding their powers of surveillance and the takeover of our minds using information harvested from our own daily activities. The yin and yang of cryptography and cryptanalysis, and how they strengthen the solutions that we use through the build-break cycle, was also on display. We hope we are able to transmit a portion of the excitement, knowledge and hope that we experienced!

Engineer, Blockchain Enthusiast, Poet