There once was a smooth curve in F_p.

Projective it is,

And no cusps be on this,

With a point at infinity,

For use in cryptography. — Asra

NIST recommendation for the GCM mode of operation says that the total number of invocations of the authenticated encryption with the single key should not exceed 2^32. Given that Amazon is using AES-256-GCM with random nonces for their AWS key management service, achieving the sufficient level of security across their whole user base was previously impossible. That’s why Shay Gueron and Yehuda Lindell developed the new scheme for significantly extending the lifetime of a key. The idea is to derive a new key for each encryption by applying the key derivation function to a master key and a nonce. This method dramatically improves the security bounds, allowing 2^40 users to securely encrypt 2^50 messages each, for example. If you want to know more details, the full paper is available here.

Not really a crypto talk, but interesting one nonetheless. Over the years, Google’s internal KMS has become a critical dependency for a lot of internal services, so it had to be overhauled to satisfy the new high availability requirements. Anand talked about the key-wrapping and the key-versioning, which were the key principles that led to stateless servers, thus enabling the much needed horizontal scaling. At the end of the talk, he announced the new crypto library with built-in key-versioning called CrunchyCrypt. Although it looks very interesting, it also creates a confusing situation—now that Google has open-sourced CrunchyCrypt, Keyczar, and Tink, I no longer have a clue which one is recommended.

Zcash is the only cryptocurrency that I care about. It was created by a group of extremely smart people (one of them being Matthew Green, for example) who really knew what they were doing. One of the main goals of Zcash was to fully protect the privacy of its users; contrary to popular belief, Bitcoin is not really anonymous, which is why this was one of the best quotes of the conference:

You might wanna think of Bitcoin as Twitter for your bank account.

The talk was not about the technical details behind Zcash (if you want to know more about the its cryptography, read this brilliant series of posts). Ian talked about some really cool stuff, including the ceremony for the secure parameter generation. He also briefly touched on the subject of regulation, but his answers were not very clear. The talk before this one was about MimbleWimble, and in this one we learned about the Jubjub. Who says that cryptography has to be boring?

Yasemin Acar: Comparing the usability of cryptographic APIs

Cryptographic API usability is one of my favorite topics, which is why I was very excited to learn that somebody is finally trying to measure it. The sample of people participating in this research was small (only 256 people finished the given tasks), and it included only Python developers. The talk also left some important questions unanswered. For example, I was wondering how the authors defined the secure mode of operation, so I downloaded the original paper, only to find this questionable definition of security:

We scored the ECB as an insecure mode of operation and scored Cipher Block Chaining (CBC), Counter Mode (CTR) and Cipher Feedback (CFB) as secure.

Despite the flaws I just mentioned, I really liked the talk, and I think this research is a very important step forward.

This was a fantastic talk: professionally delivered, very informative, and extremely easy to understand even if you were previously unfamiliar with the topic. It covered almost everything that you need to know about the Certificate Transparency. Google singlehandedly managed to force certificate authorities to comply with the CT project, which is a good thing, but it also left me thinking more about the enormous power we have placed in Google’s hands, and what would happen if Google’s goals were no longer aligned with the needs of its users. The talk ended with the great question from Nick Sullivan about the differences between HPKP and CT.

Pierre Karpman was part of the group of people that have finally broken SHA-1 in practice last year. He presented the evolution of the attack, without diving into technical details (if you are interested in that, you can read their paper here). According to the frequency of laughter, this was the second funniest talk of the conference (first place goes to David Benjamin). But it was also very informative, especially the part about the complexity of the attack. We often talk only about the asymptotic complexity, but in practical settings every constant matters—factor of two can mean the difference between success and failure. Also, saying that an algorithm takes 2^50 operations doesn’t really reveal much; running it on ASIC, CPU, and GPU will produce vastly different results. We also learned how to measure the cost of an attack by comparing the amount of energy it needs with the amount of water that you can boil instead:

Spectre and Meltdown marked the end of the civilization as we know it. Jann Horn was without a doubt the star of this year’s conference, and you could feel the excitement in the air before his talk. The talk itself was great, of course, and you should absolutely watch it. Also, if you have been living under the rock for the last few weeks, here are the blog posts and papers describing these fascinating attacks in more details:

Reading privileged memory with a side-channel

Meltdown

Spectre Attacks: Exploiting Speculative Execution

An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience

David Benjamin: TLS ecosystem woes

Or why David Benjamin has a hard life. Easily my favorite talk of the conference. It was a hilarious, 25 minute long rant about how difficult it is to work with TLS in presence of buggy servers and ridiculously broken middleboxes (one of the vendors actually said “we just wanted to sell the customers a box that did something”). If you have the time to watch only one talk, make it this one.

Trevor Perrin: The Noise protocol framework

Noise Protocol Framework is one of the most exciting projects in cryptography in recent years. It’s a framework for building modern cryptographic protocols based on Diffie-Hellman key agreement. In this great talk Trevor described the ideas behind the modern protocol design, why secure channels are still not a completely solved problem, and what goals was Noise designed to achieve. Approved by Hugo Krawczyk.

Torben Brandt Hansen: InterMAClib: beyond confidentiality and integrity in practice

InterMAC is a simple, intuitive, and provably secure scheme for authenticated encryption designed for dealing with the ciphertext fragmentation in the SSH protocol. Originally described in the paper Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation, it was finally implemented and tested in practice last year, achieving good results. Unfortunately, in its current state it looks like an academic project only, but it would be really great if it could find its way into OpenSSH, replacing all the other horrible ciphers.