Cryptography FM Nadim Kobeissi

Every year, the IACR Real World Cryptography symposium brings together researchers, engineers and practitioners in applied cryptography to discuss cryptography that matters, in the real world. To me, this is the big one! The one cryptography conference that matters the most. Who needs proceedings when you’ve got so much excitement in the air, and so many results and projects that actually have a measurable impact on how cryptography affects the real world?


This year’s program is maybe the most exciting yet, with talks on secure channel protocols, multiparty computation, formal methods, post-quantum cryptography, humans, policy and cryptography, hardware, cryptocurrency, cryptography for the cloud, anonymity and more. So many exciting talks! So much new research to discuss! Like every year, Real World Crypto is shaping up to be a veritable who’s who of applied cryptography.


In this special episode of Cryptography FM, I’m joined by fellow researcher Benjamin Lipp in order to just… candidly go through the program of Real World Crypto 2021 and covering each talk’s abstract briefly.


We’re going to have another special episode after Real World Crypto 2021 as a post-conference episode in order to discuss the highlights of the conference. And hopefully we’ll do this every year here on Cryptography FM!


Music composed by Toby Fox and performed by The Consouls.
Special Guest: Benjamin Lipp.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

The race for post-quantum cryptographic signature primitives is in its final lap over at NIST, which recently announced DILITHIUM, FALCON and Rainbow as the three signature primitive finalists. But a paper recently published by KU Leuven researcher Ward Beullens claims to find serious weaknesses in the security of Rainbow, one of those three finalists. In fact, the paper claims that the weaknesses are so severe that Rainbow’s security parameters now fall short of the security requirements set out by the NIST post-quantum competition.


But how does Rainbow work, and how do these weaknesses affect it? And why weren’t they spotted until now? We discuss this and more in this week’s episode of Cryptography FM.


Links and papers discussed in the show:



Improved Cryptanalysis of UOV and Rainbow
SQISign: compact post-quantum signatures from quaternions and isogenies


Music composed by Toby Fox and performed by Sean Schafianski.
Special Guest: Ward Beullens.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.


In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.


Links and papers discussed in the show:



How to Abuse and Fix Authenticated Encryption Without Key Commitment
Mitra, Ange's software tool for generating binary polyglots
Shattered and other research into hash collisions


Music composed by Toby Fox and performed by Sean Schafianski.
Special Guests: Ange Albertini and Stefan Kölbl.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Before there was Signal, before there was WhatsApp, the realm of secure encrypted messaging was ruled by the Off-the-Record secure messaging protocol, created as an alternative to PGP that introduced security properties like forward secrecy and deniability that were considered exotic at the time.


Now, more than a decade later, Off-the-Record messaging, or OTR, has been largely sidelined by Signal variants. But a small team of cryptography engineers is still working on pushing Off-the-Record messaging forward by focusing on use cases that they argue aren’t sufficiently covered by Signal. But what even is deniability, and how much does it matter in the real-world context of secure messaging? Sofía Celi joins us in today’s episode to talk about this and more.


Links and papers discussed in the show:



OTRv4


Music composed by Toby Fox and performed by Sean Schafianski.
Special Guest: Sofía Celi.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Elliptic-curve signatures have become a highly used cryptographic primitive in secure messaging, TLS as well as in cryptocurrencies due to their high speed benefits over more traditional signature schemes. However, virtually all signature schemes are known to be susceptible to misuse, especially when information about the nonce is leaked to an attacker.


LadderLeak is a new attack that exploits side channels present in ECDSA, claiming to allow real-world breaking of ECDSA with less than a bit of nonce leakage. But what does “less than a bit” mean in this context? Is LadderLeak really that effective at breaking ECDSA, with so little information to go on? Joining us this episode are LadderLeak co-authors Akira Takahashi, Mehdi Tibouchi and Yuval Yarom to discuss these questions and more.


Links and papers discussed in the show:



LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage


Music composed by Toby Fox and performed by Sean Schafianski.
Special Guests: Akira Takahashi, Mehdi Tibouchi, and Yuval Yarom.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Secure messaging protocols like Signal have succeeded at making end-to-end encryption the norm in messaging more generally. Whether you’re using WhatsApp, Wire, Facebook Messenger’s Secret Chat feature, or Signal itself, you’re benefiting from end-to-end encryption across all of your messages and calls, and it’s so transparent that most users aren’t even aware of it!


One area in which current secure messaging protocols have stalled, however, is the ability to scale secure conversations to groups of dozens, hundreds and even thousands of people. But the IETF’s Messaging Layer Security, or MLS, effort aims to make that happen. Bringing together a collaboration between Wire, Mozilla, Cisco, Facebook, as well as academia, MLS wants to become the TLS of secure messaging, and make it possible to hold secure conversations scaling to thousands of participants.


But what are the real-world implementation risks involved? Are conversations even worth securing when you’ve got hundreds of potential leakers?


Links and papers discussed in the show:



MLS Website


Music composed by Toby Fox and performed by Sean Schafianski.
Special Guest: Raphael Robert.
Sponsored By:
Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.