I am attending this week Eurocrypt in lovely Vienna, Austria. It started with the co-located workshop AWACS: A Workshop About Cryptographic Standards, which was held on Sunday. It was organized by CryptoExperts who invited excellent speakers from the field. The main topics were the trust in cryptographic standards, insights from within the crypto working groups, current and future trends as well as political and societal aspects of cryptographic standards.
It started with the Keynote by Phillip Rogaway who gave his view on the topic and listed 10 important points for cryptographic standards. I hope the presentation is shared later on, such that I can list them here as well, since they are worth to read.
Next, Eric Rescorla talked about the new version of TLS, 1.3, which he is responsible for as part of the IETF TLS Working Group. He gave insights about what they focus on and how they are working. I especially liked how he explained the challenges of building a secure protocol and make sure that the real-world adopts it. There are many aspects of the deployment of the protocol which must be considered during the design phase. After all, how useful is a perfect secure protocol, if nobody uses it.
Right after the coffee break, the first session started with Kenny Paterson. He talked about the Crypto Forum Research Group (CFRG), a research group of the IRTF. If you always wondered where these RFCs are coming from, Kenny explained it. There were valuable insights in the organization of IETF and IRTF. Kenny mentioned that they are currently working on:
- new curves with ECDH and EC-based signatur schemes
- hash-based signatures
- AES-GCM-SIV
- password hashing: adoption of ARGON2
- requirements for PAKE protocols
- figuring out what to do in the post-quantum world
Most of their work is volunteer based and actually everybody can participate in discussions and help IRTF to achieve there goals. So get involved!
The workshop continued with Liqun Chen talking about ISO/IEC. We learned a lot about how the crypto working group of this standardization body works and Pascal Paillier provided his insights as well. There was a controversy discussion about Simon and Speck, and how certain agencies could influence the standardization process. Some ISO related aspects were further discussed during the panel discussion, where Kenny and Pascal shared their experienced as well.
Session 2 was about standards and trust. It started with another entertaining talk from Daniel J. Bernstein, who put the black hat on and showed how standards could be compromised. There were many great points he made, but a particular one sticked in my head: “denial of service” approach. Flood the review community with many proposals and it is likely that at least one weak proposal will slip through. I also liked the list of standards published by NIST during the SHA-3 competition. Do we have assurance that the standards have been properly reviewed by the crypto community, when they were focusing on the competition? Worth to think about it…
Next talk in the second session was given by Thomas Baignères. He discussed the concept of rigidity. Most often a cryptographic system has certain parameters they operate on (e.g. curve for ECDSA). Crypto standards not just standardize the algorithm but also specify a specific set of parameters, which should be used. Since there are many possible parameters, how can we be sure that secure ones have been selected. Current standards due lack in this respect and Dual_EC_DRBG showed how catastrophic the result can be. He proposed one possible (partial) solution known under the catchy name “Million Dollar Curve“. Check out the details!
Last talk in this session was given by Steve Babbage from the Security Algorithms Group of Experts (SAGE) of ETSI. Unfortunately, he was not able to come, but he recorded the talk which was replayed for the audience. However, the contribution to the workshop was great. He gave insights about the processes of the crypto standards for GSM, 3G etc.. We all know how bad GSM crypto is, but it was interesting to get background information from somebody from the inside.
Session 3 was all about Post-Quantum Standards. Due to the recent announcement of NIST, post-quantum cryptography is getting a lot of attention lately, especially outside the crypto community. Michele Mosca started the session discussing the quantum threat to cybersecurity and the process for mitigating its risk. Although, quantum-computers are not here yet, they will be reality some day. He mentioned that the a valid believe is that there is a 1/7 chance breaking RSA-2048 by 2026 and a 1/2 chance in 2031. There was one aspect he discussed which is often not considered by cybersecurity responsiblea: future quantum computers are a threat for current communication. We know that there are entities with the power to collect/record a lot of encrypted communication and store it. Once quantum computers are ready, this communication could be readable. Obviously, not all information must be kept secret for decades, but some are. Don’t forget that!
The session continued with Lily Chen from NIST. She provided insights and background information about NIST’s plan on developing post-quantum cryptography standards. This fall the call for proposals will be published and the submission deadline will be fall 2017. Looking forward to the proposals!
The session ended with Tanja Lange’s talk about recommendations for long-term secure post-quantum systems issued by the PQCRYPTO project (checkout also this site). We have potential candidates we could use, where some give more assurance than others. Hash-based signature schemes seem to be one of the most promising. Tanja provided a great overview. Unfortunately, the time was running out. I would have liked to hear more.
Finally, the workshop concluded with a panel discussion. The main question discussed was how we can re-establish the trust in cryptographic standards. My impression was that we all know what the issues are and have potential solutions for them, but do we have enough power to actually influence the processes of standardization bodies?
Bottomline this was an excellent workshop with very important discussions in my opinion. I would like to see these discussions more often and accessible to a wider audience. Due to the (in)famous example of Dual_EC_DRBG, cryptographic standards got a significant loss in trust, also outside the crypto community. Unfortunately, we learned in this workshop, that there are many more issues we are facing and other bad examples exist. Re-establishing trust will take time and efforts.
