Skip to main content

Real World Crypto 2018 (RWC 2018) brain dump

The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here.). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I eventually managed to attend :)

This short blog post is my brain dump of the event. If you want to know more you can find all the videos of the presentations in this youtube channel. The event lasted 3 days and every day was great. Event like this allowed me to meet personally many people I have interacted previously in a way or the other  and it turns out that a big percentage of people that do (applied) crypto was indeed attending. FWIW I was even able to shortly  ask to the great Prof Boneh about the now legendary Coursera Crypto II :D

Day I

The first day could not start any better. Shay Gueron (from Amazon) did a deep dive into the cryptography behind the AWS cloud. It basically described a  new method AWS uses to avoid the AES GCM Forbidden attack caused by key/nonce reuse (see the great blog post from agl for details). The  Key management services session continued with a talk from Anand Kanagala (Google) where he talked about Google internal KMS and told the story of Gmail outage and how one small bug can have a dramatic impact on billions of accounts and steps taken in order to change the system design. After a small break was the turn of the real crypto (lol) aka  Crypto currencies session
So there were talks about Mimblewimble (featured by Andrew Poelstra from Blockstream) the new crypto-child solution proposed in a text file posted on a Tor hidden service!!! Then (Ian Miers) talked about the genesis, the present and the future of my favorite crypto currencies aka ZCash. And eventually this session concluded with a third talk about some clever attack on Zero Knowledge protocol (Zero knowledge, subversion-resistance, and concrete attacks, tl;dr be careful who is doing the trusted setup in a Zero Knowledge protocol). Sweet.
With no break arrived one of the most important moment of the conference: the award ceremony of Levchin prize. And drumroll the well deserved winners were Hugo Krawczyk (for the development of real-world crytographic schemes with strong security guarantees and proofs) and the entire OpenSSL team (for dramatic improvements to the code quality of OpenSSL). Time for lunch and mingle. And here was the afternoon  sessions. Time for the Attack I session and my favorite talk of the day where Yuval Yarom (University of Adelaide) and Daniel Genkin (UPenn/UMD) showed (with brave demo included) a Side channel attacks on implementations of Curve25519. The day ended with the Usability and privacy session where Emily Stark (Google) talked about Certificate Transparency (great stuff). The day ended with the talk about end-to-end security of group chats where a glitch in Signal/Whatsapp was presented (see Matthew Green's post).

Day II

The second day  started with  the Post-quantum crypto and other new hardware session where people from Microsoft (Melissa Chase  and Patrick Longa) presented Microsoft's owned proposal for the Post-Quantum Cryptography NIST Standardization. After the break the Broken standards session started with a funny Shattered (aka the famous SHA-1 collision) talk delivered by Pierre Karpman. Then (and this is was probably the most awaited talk of the day) THE MAN aka Jann Horn in person presented Spectre and Meltdown. Awesome. Before lunch was the time for several 1 minute long Lightning talks. For the record there were many little rooms that people can use to study or whatever and. E.g. some of us tried to find their way toward zk-snark

The sessions resumed with the TLS session where the ever innovative Nick Sullivan pleased the audience with some pairing and identity-based broadcast encryption used in  Cloudflare's Geo Key Manager. The TLS session could not end without not one but 2 talks about TLS 1.3 delivered by Thyla van der Merwe (Royal Holloway) and David Benjamin (Google). Both were pleasant and (specially the one from David) funny (for us) talks. The day at  Volkshaus Zurich ended with Crypto in the clouds session where Manish Mehta (Netflix) presented the way Netflix handle secrets (in AWS) and the Facebook folks showed how to Scale backend authentication at Facebook . But while the official RWC day ended here pretty many of us were lucky enough to be invited in the Google Zurich Office for an after conference gathering sponsored by Google Research. Someone was even luckier to taste the fateful and tasteful SHA-1 Chartreuse formerly survivor of the Shattered battle

 courtesy of Ange. Thanks!!!


The third and last day was a bit shorter but as good as the others.  It started with fireworks , indeed Trevor Perrin presented his baby The Noise protocol framework in the New crypto session. Then was the time for an innovative use of Bloom Filter. The Attacks II session were a series of a bit shorter interesting talks and the day ended with the Verification and provable security session that had as highlight the talk about the new formal verification in Firefox.

This was the last talk hence

Risultati immagini per screw guys

see you (hopefully for me) next year for RWC 2019 in California.

I want to thank you anyone I interacted with on these 3 days. It was really fun and formative.

For more crypto goodies, follow me on Twitter.


Nick Szabo said…

Thanks for sharing about Real World Crypto Conference 2018 and also for the YouTube channel. The entire blog was very refined and precisely explained. I looking for some blog sites regarding crypto conferences and came across with yours and which seems to be very knowledgeable. Another resource I would like to suggest here is . I came accross with this website while I was researching. I must say he has come up with a lot of of wonderful blogs
ll said…
Thanks Nick!!!

Popular posts from this blog

OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)

Usual Mandatory Disclaimer: IANAC (I am not a cryptographer) so I might likely end up writing a bunch of mistakes in this blog post... tl;dr The OpenSSL 1.0.2 releases suffer from a Key Recovery Attack on DH small subgroups . This issue got assigned CVE-2016-0701 with a severity of High and OpenSSL 1.0.2 users should upgrade to 1.0.2f. If an application is using DH configured with parameters based on primes that are not "safe" or not Lim-Lee (as the one in RFC 5114 ) and either Static DH ciphersuites are used or DHE ciphersuites with the default OpenSSL configuration (in particular SSL_OP_SINGLE_DH_USE is not set) then is vulnerable to this attack.  It is believed that many popular applications (e.g. Apache mod_ssl) do set the  SSL_OP_SINGLE_DH_USE option and would therefore not be at risk (for DHE ciphersuites), they still might be for Static DH ciphersuites. Introduction So if you are still here it means you wanna know more. And here is the thing. In my last bl

Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516

tl;dr if you are using go-jose , node-jose , jose2go , Nimbus JOSE+JWT or jose4j with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web Encryption (JWE) hence many software libraries implementing this specification used to suffer from a classic Invalid Curve Attack . This would allow an attacker to completely recover the secret key of a party using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) , where the sender could extract receiver’s private key. Premise In this blog post I assume you are already knowledgeable about elliptic curves and their use in cryptography. If not Nick Sullivan 's A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography or Andrea Corbellini's series Elliptic Curve Cryptography: finite fields and discrete logarithms are great starting points. Then if you further want to climb the elliptic learning curve including the related attacks you might also want to visit https://s

The Curious Case of WebCrypto Diffie-Hellman on Firefox - Small Subgroups Key Recovery Attack on DH

tl;dr Mozilla Firefox prior to version 72 suffers from Small Subgroups Key Recovery Attack on DH in the WebCrypto 's API. The Firefox's team fixed the issue r emoving completely support for DH over finite fields (that is not in the WebCrypto standard). If you find this interesting read further below. Premise In this blog post I assume you are already knowledgeable about Diffie-Hellman over finite fields and related attacks. If not I recommend to read any cryptography book that covers public key cryptography. Here is a really cool simple explanation by David Wong : I found a cooler way to explain Diffie-Hellman :D — David Wong (@cryptodavidw) January 4, 2020 If you want more details about Small Subgroups Key Recovery Attack on DH I covered some background in one of my previous post ( OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) ). There is also an academic pape r where we examine the issue with some more rigors.