The Real World Crypto Symposium (often abbreviated as RWC) is an annual, 3-day conference for applied cryptography research organized by the International Association for Cryptologic Research (IACR).  It strives to bring cryptography researchers and developers who work on real-world cryptography systems together in the same space, to foster conversation between academia and industry. This year, it was held at Columbia University in New York City, and at 642 attendees, it was the largest Real World Crypto to date.

I managed to nab a seat there this year, though I am quite the average computer science undergraduate student, and this conference is not intended for undergrads.  But in the three days your clueless author spent floating around Alfred Lerner Hall, she learned some new things, had a couple adventures, and gained a few new stories to tell.

Here are my favorite talks and highlights of the year (or rather, the ones I sort of understood), so sit back, relax, and enjoy this slightly-bewildered-very-jetlagged-undergraduate’s take on this year’s RWC.

Transport Layer Security (TLS)

The first lectures of the conference centered around TLS (cryptographic protocols designed to provide communications security in networks) – the newest version, some attacks to be wary of, and privacy-preserving oracle protocols.

The Era of TLS 1.3: Measuring Deployment and Use with Active and Passive Methods

Johanna Amann presented her paper, which is the first study of TLS 1.3 deployment since its standardization in August 2018.  There are many reasons to prefer TLS 1.3 over previous versions: it’s faster, more secure, and good for privacy. This study used active scans to measure deployment across 275 million domains, and it revealed that TLS 1.3 has been adopted much faster than previous versions.  But, most of this can be attributed to 3 major players: Google, Cloudflare, and Facebook. (Facebook even has its own Facebook-specific version!) 

Given that one of the major improvements introduced in TLS 1.3 was better security, hopefully this faster adaptation of TLS 1.3 indicates that companies are beginning to give security higher priority than before.

The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations

Eyal Ronen thankfully makes wonderful, straightforward slides (good for newbies like your author).  There is a specific part of the TLS protocol called a “TLS handshake” that is used for authentication and secure key exchange between a TLS server and client.  RSA key exchange was once the most popular TLS key exchange option, and it is still used in older clients. But, Ronen and his team have found new techniques to attack this part of TLS by using a MiTM downgrade attack to force even modern clients to use RSA key exchange.  This then renders 7 out of 9 different TLS implementations vulnerable to Bleichenbacher’s Attack, which is a cache based attack that exploits the PKCS #1 v1.5 padding scheme used in RSA key exchange versions of the TLS handshake.

TL;DR:  Don’t use RSA key exchange.  There are better alternatives out there.  But, if you really have to use RSA, separate your client certificates.

Ronen explains all this much better than me with awesome diagrams of cookies and Cookie Monster, so do check out his slides on the RWC website (link provided in the section called “More topics and reading”).

Cryptography and Government

In which governments both wage war against and make use of cryptography. 

The Evolving Crypto War

Though there is a long history of government opposition to strong encryption, Jennifer Granick has pointed out that this opposition to encryption is not consistent across all branches of government; different agencies in the United States tend to feel differently about strong encryption.  For example, the State Department wants to use encryption to protect human rights, and the FTC wants to protect privacy for individual users.

Meanwhile, she says that the case for strong encryption was looking pretty strong several years ago.  After Snowden’s revelations and Apple’s victory in court against the FBI, it seemed that there was a push by companies to provide individuals with tools to encrypt their own data.  But there seems to be a shift in recent years; Australia, for example, now has mandatory decryption laws, so that police can demand key disclosure in cases deemed necessary. Meanwhile, in the United States, the argument against strong encryption has shifted from rooting out terrorism to targeting child pornography.  But since end-to-end encryption is clearly here to stay, lawmakers and technologists must now figure out how to best manage online abuse even with end-to-end encryption that respects users’ privacy.

Granick also makes the case that in the search for a solution, we cannot afford to ignore other methods that might undermine civil liberties or system security even without requiring decryption.  User metadata, law enforcement hacking, and client-side scanning for illegal materials are all legitimate concerns that we need to be aware of.

Weaknesses in the Moscow internet voting system

Internet voting failed in Switzerland, so Russia tried to do it too.

The context wasn’t exactly peaceful – there had been protests that July and August due to rejection of opposition candidacies, and there were up to 20,000 participants in Moscow alone.  Meanwhile, Russia set up public testing of the new online voting system, a bounty program of up to 2 million rubles, and source code was made public on GitHub. (Though everything was written in Russian.  Clearly, user-friendliness for the international security community was a priority.)

The first attack solved the encryption scheme, and the first update was published on August 20.  The second attack, by speaker Pierrick Guadry, found a leaked bit that allowed for identification of the candidate for each ballot – clearly not a good thing for voters who would like to preserve the privacy of their vote.  But then drama ensued: the developers seemed to deny the Gaudry’s attack had actually happened, but silently changed the code without updating the Github. Another public test was conducted, and the Github was finally updated… an entire 2 days before the election.  And somehow, the blockchain that was intended to help voters query the server to see whether or not their ballot was in the system managed to disappear a few hours after the election took place.

Gaudry helpfully provides a timeline of the drama in his presentation:

Overall, Russia did a good job in publishing their code for all to see.  But, the system itself was not implemented well. Weak encryption aside, the overall protocol did nothing to guarantee privacy and coercion resistance, nor did it enforce measures to prevent vote buying.  So though the encryption was improved by the time of the election, there was still much to be desired.

Gaudry sums up the situation quite well:  “Thanks to us, they now have a reinforced door on a house made of cardboard.”

Multi-Party Computation

Multi-party computation “allows a group of mutually distrustful parties to compute a function on their joint inputs without revealing anything beyond the output ” (as defined by Marcella Hastings, speaker of the first presentation below).  It’s been used by the Danish National Research Agency to determine the price of sugar beets.  It’s been used in Estonia for fraud detection, to see if there is anyone committing fraud without actually looking at each and every individual.  And closer to home, it’s been used by the Boston Women’s Workforce so that companies would share their data in studies on wage gaps.

General Purpose Frameworks for Secure Multiparty Computation

Traditionally, multi-party computation engines had to be custom built for each use case, back when multi-party computation was first introduced in the 1980s.  As such, multi-party computation was deemed too inefficient to be practical.

Hastings and her team at UPenn surveyed 9 modern general-purpose frameworks and 2 circuit compilers.  Turns out, most of them are in pretty good shape! They’re accessible, open-source, and compilable; they’re high-level languages that support a diverse set of threat models and protocols.  But, Hastings does note that most of them share one critical problem: poor documentation. The limited language documentation results in errors that are extremely frustrating and at times, hilarious (for example, one framework used the words “alice” and “bob” as keywords without telling users).

Hastings points out that this lack of documentation is a widespread problem in academia, and that researchers should do their best to improve documentation of their work; after all, the more user-friendly their framework or research is, the more likely people will want to use it in practice.

Hastings does break down the different categories and design features of the frameworks and circuit compilers, so check out her slides on RWC’s website if you’re interested in more!

Find My: Cryptographic privacy for finding offline devices

I’m not entirely sure how this is multi-party computation, but RWC decided to categorize it as such, so I will too.

In 2010, Apple introduced the application Find My iPhone.  In 2011, Apple introduced Find My Friends. Yannick Sierra explained the many privacy problems that naive implementations of these applications posed, and the intricate encryption Apple used to solve these problems.

To prevent local tracking, they implemented unlinkable rotating public keys for each device that are generated on the fly with precomputed values.  To protect finder anonymity, they used time and location data only. To protect the locations of both finder and owner, they used ECIES (Elliptic Curve Integrated Encryption Scheme) end-to-end encryption.  And to solve “device compromise resilience,” they used “key separation.” Maybe that makes more sense to you than it does to me.

But all in all, Sierra’s talk was awesome.  The way the system works is very, very cool.  I can’t do it justice here with a laundry list of challenges and solutions.  Sierra’s slides are not posted on the RWC website, but you can find recordings of the entire conference on YouTube.  I highly recommend you check out a recording of this presentation, though if your CS/crypto background is similar to mine, please remember to schedule a short break in the middle for snacks and brain cell recovery.  This stuff gets complicated.

Privacy Preserving Primitives

“Primitives” are pretty much what they sound like:  building blocks, basic tools, or simple applications of standard things in cryptography.  Privacy preserving primitives are ones that are implemented specifically to preserve user privacy.

They did cover another application of privacy preserving primitives in public transportation networks, but my brain overheated after the first talk on Firefox.

Privacy-preserving telemetry in Firefox

I concede that I didn’t understand the actual cryptography going on here, but the basic idea was really cool.  Henry Corrigan-Gibbs explained the methods Firefox uses to aggregate user data without seeing any individual user’s data (which is great for privacy).  But why would they want to aggregate user data in the first place, and how can this be done? One reason why they might want to aggregate user data is to see how many Firefox users blocked tracking cookies from a given website.  This information allows them to assess how effective their tracking protection is. And so, each user has a string in which each bit corresponds to one of the approximately 2,500 domains on their “tracking-protection blocklist.” The bit is one if the user has blocked cookies from that specific domain, and zero otherwise.  By adding up all the users’ strings, they can successfully aggregate user data without worrying about what each of the users are doing.

The next part of the process starts getting a bit too technical for me, but basically, given two non-colluding servers, they can receive the summation of the user strings without knowing any individual user’s string.  I think they said Firefox is still looking for a third-party to host one of these servers, so if you know anyone, definitely let Mozilla know.

At any rate, the next time you suspect your browser’s stalking you, understand that Firefox, at least, is trying very hard not to.

More topics and reading

Apart from TLS, cryptography in the context of government, multi-party computation, and privacy preserving primitives, other topics included hardware, side channels, certificates, 5G security, machine learning and cryptography, blockchains, and much, much more.  For a full listing of the program and all of the speakers’ slides, check out this link.

You can also rewatch the entire conference on RWC’s YouTube channel (heads up though, their playlist is in backwards order).

Other Highlights: the non-technical bits

As cool as the presentations and awards ceremonies  are (Marc Stevens, Xiaoyun Wang, and Ralph Merkle won the 2020 Levchin Prizes for real-world cryptography!), there are plenty of other wonderful, wonderful things about RWC.

Lightning Talks!

These were a glorious 35 minutes.  Essentially, anyone who wanted to could stand up to make a PSA of their choosing, with only a minute of stage time each.  As expected for a room in which people say things like “RedShift [KPV19] is a post-quantum snark” with great enthusiasm and understand each other perfectly, this was wild.  Announcements ranged from project recruitment and product promotion to crazy chains of acquisition and heads-ups on new research findings.  There was a PhD student reminding everyone that some endomorphism-thing patents expire in December, and regulars like Brian LaMacchia who came to recruit for Microsoft (apparently, people see each other at crypto conferences around the world every year and know each others’ faces if not their names).  Facebook is releasing ten grants for people to do research on cryptography in advertising, and Twitter is the cryptographer’s choice of social media.

Oh, and as a postscript: this was an announcement from earlier in the conference, but if anyone’s looking for some cash and has a more powerful brain than me, RSA offers thousands of dollars in bounties.  Happy hunting.

Meals/Coffee breaks

At first, the atmosphere during coffee breaks and meals can be a bit intimidating.  Everyone clumps together to talk about their work in cryptography, and distinguished academics and industry experts cluster together around tables of food.  The delicious muffins, fruits, and juice provide some consolation, but still, it is quite easy to feel very small.

But turns out, the trick is just to go for it.  People are so incredibly kind and excited to meet new members of the crypto community, including clueless undergraduates.  I ate lunch with Flavio Bergamaschi on the second day (or rather, I sat down awkwardly across from him at a table and gawked at everyone there until he spoke to me).  He was a Senior Research Scientist at IBM and scheduled as a speaker for the third day of the conference. Even so, he not only reached out to a random college student trying to resist shrinking under the table cloth but also explained his work on homomorphic encryption to me.  (Mr. Bergamaschi, if you ever read this, thank you).

The Reception

The reception after the first day of the conference was much like the coffee breaks, but significantly more crowded, and filled with the din of people catching up over plates of prosciutto.

During the reception, I also got to meet Lisa Yin (one of the original breakers of SHA-1, a widely used hash function in many security applications and protocols, including all secure communication over the internet).  My interactions with her made me realize something quite important: the entire conference is live streamed, and slides are posted online afterwards.  What makes going to RWC special are the people in the seats beside you.  It is one of the only places in the world in which every person will laugh at jokes describing blockchain as malware.  It is not just a gathering of brilliant minds, but rather, a community of brilliant minds.  “You come to RWC for your friends,” says Dr. Yin.  And watching her strike up casual conversation with legends like Moti Yung of Google, looking out at table after table of people laughing and chatting and catching up and sharing their work, it’s clear that cryptographers are here for both the cryptography and the community.

In Conclusion

TLS 1.2 and below, RSA key exchange in TLS handshakes, and blockchain voting are all (among other things) quite broken.  Don’t use those anymore. But hey, advanced cryptography such as multi-party computation is becoming more practical, and companies like Apple and Mozilla are using cryptography to protect user privacy.

But RWC is not just about hearing what’s good, bad, new, or broken (though that is a huge part of it). It’s about seeing old friends, meeting new people in the field, and telling jokes only this room of people will laugh uproariously at.  RWC is about catching up with both people and cutting edge technology, about making an announcement or two yourself to share your research, promote a product, recruit some experts, or find a business partner. Cryptographers are a rare breed of technologist to begin with, and RWC brings people together from all over the world, from both academia and industry.  The point of RWC is not just cryptography, but also community and collaboration.

So while RWC is not a conference intended for undergraduates, it really is the place to be for anyone interested in cryptography and a wonderful way to dive headfirst into this amazing community.

Hope to see you next year… either online or in Amsterdam, for RWC 2021!