by Anca Nitulescu, Chief Cryptographer, Cosmian
I recently traveled to New York to attend the Real World Crypto Symposium (RWC 2020) that took place at Columbia University.
This is an amazing academic environment, also charged with lots of good memories for me, since I spent a summer during my PhD as a visiting student in the crypto group at Columbia University.
For me personally, this year’s RWC provided the perfect combination of location, a great crypto event, and catching up with old crypto friends and people I admire.
Having spent the past years in academia doing fundamental research, most of the crypto conferences I had attended so far were focused on more theoretical topics from the general domain of cryptography. At RWC, I was excited to find a broader audience, around 650 participants, many of them with strong industry and engineering backgrounds, and it did not take me long to mingle with the crowd.
One might hastily conclude that RWC and academic conferences have little in common, but this conclusion could not be further from the truth!
So what is RWC?
The symposium’s mission is ambitious! It aims to bring academic research and industry actors together in order to get great cryptographic tools into real-world deployment.
Who speaks at RWC?
This ambitious goal can easily be seen in the symposium’s program. The lineup of speakers, representing both industry and research, is outstanding: RWC received many major companies such as Facebook, Apple and Google, as well as high-profile academic institutions such as Stanford University and the Technion, Israel’s Institute of Technology.
What are the talks about at RWC?
The Symposium brings into the spotlight the state-of-the-art crypto tools available for practical use today. Talks are diverse and cover a broad range of topics like e-voting, side-channel attacks, new communication standards, and secure multiparty computation.
Great place for networking!
RWC provides the perfect communication platform for academics and engineers, enabling them to exchange ideas and solutions and to learn from each other.
Some personal thoughts
Lots of attacks…
I was impressed by the number of cryptanalysis talks that pointed out how fast many cryptographic schemes become outdated when faced with motivated attackers.
The number of successful breaks of hardware and software in the past year confirms that attacks only get better and that even certified cryptographic schemes can fall victim to them!
These fast-paced improvements on attacks are scary, but as a positive-minded cryptographer I am only looking forward to the future privacy-preserving tools that will be developed to counterbalance the weaknesses, and to the endless possibilities they will provide!
Too much crypto?
An entertaining talk “Too much crypto” was particularly intriguing to me, because I personally disagree with most of the statements made by the speaker.
The main message of the talk was to relax privacy and security guarantees in favor of more efficient solutions.
In my opinion, there is no such thing as “too much” when it comes to security and privacy, and this is no place for compromises.
Unfortunately, security in our crazy tech era seems to be becoming more of a luxury. As an advocate of privacy, my guideline will always be: if we can afford extra security, we should go for it; the right of any individual to security and privacy should be seen as fundamental and not negotiable.
It was comforting to see there were many engineers and researchers at RWC that shared the same vision and the general direction is to bring new research closer to practical realisations.
Did you know?
• The first edition of the Real World Crypto Symposium was organized in 2012, initiated by the practice-oriented academic researchers Kenny Paterson and Nigel Smart, one of Cosmian’s advisors.
• The yearly winners of the prestigious Levchin Prize, which honours innovations that have a significant impact on the practice of cryptography, are announced at RWC.
• The Levchin Prize 2020 was awarded to two great contributions in cryptography: one went to Ralph Merkle “For fundamental contributions to the development of public key cryptography, hash algorithms, Merkle trees, and digital signatures.” The second one was awarded to Xiaoyun Wang and Marc Stevens “For groundbreaking work on the security of collision resistant hash functions”.
The usual suspects
Kevin Yeo talked about a recently released project at Google, which aims to protect accounts from credential stuffing attacks while preserving the users’ privacy.
The developed protocols allow users to privately perform Stolen Password Checks to see if their username and password have been compromised. Crucially, these password checks can be performed in a novel fashion that does not require the users to reveal their username or password to the queried server.
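To make the privacy property concrete, here is an added illustration (written for this post, not Google’s code) of the simplest form of such a check: the client sends the server only a short prefix of a hash of its credentials, the server answers with every compromised-credential digest that shares the prefix, and the client finishes the comparison locally. The breach corpus below is constructed sample data, the prefix length and the `username:password` canonical form are assumptions of this example, and Google’s deployed protocol goes further by also blinding the full digest so that the server cannot recover it at all; that blinding step is not modeled here.

```python
import hashlib

# Constructed sample corpus for this example, not real leaked data. The
# server never stores plaintext; it keeps only SHA-256 digests of the pairs.
_BREACHED_PAIRS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein"),
]

PREFIX_BYTES = 2  # the client reveals only the first 16 bits of its digest


def credential_digest(username: str, password: str) -> bytes:
    """Canonical digest of one credential pair (assumed form: lower-cased
    username, a colon, then the password; both sides must agree on it)."""
    data = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(data).digest()


class BreachServer:
    """Holds digests of known-compromised credentials, bucketed by prefix."""

    def __init__(self, pairs):
        self.buckets = {}
        for user, pw in pairs:
            d = credential_digest(user, pw)
            self.buckets.setdefault(d[:PREFIX_BYTES], set()).add(d)

    def query(self, prefix: bytes) -> set:
        """Return every stored digest sharing the prefix (may be empty).
        This is all the server ever learns about the client's credentials:
        a 16-bit prefix shared by a whole bucket of unrelated entries."""
        if len(prefix) != PREFIX_BYTES:
            raise ValueError("client must send exactly PREFIX_BYTES bytes")
        return set(self.buckets.get(prefix, ()))


def is_compromised(server: BreachServer, username: str, password: str) -> bool:
    """Client side: send only the prefix, finish the match locally, so the
    server cannot tell which bucket entry (if any) the client matched."""
    d = credential_digest(username, password)
    candidates = server.query(d[:PREFIX_BYTES])
    return d in candidates


if __name__ == "__main__":
    srv = BreachServer(_BREACHED_PAIRS)
    print(is_compromised(srv, "alice@example.com", "password123"))   # True
    print(is_compromised(srv, "alice@example.com", "correct horse"))  # False
```

With a realistic corpus of billions of entries, a 16-bit prefix maps to tens of thousands of digests per bucket, which is what keeps a single query from identifying the user; with a tiny corpus like the constructed one above the buckets are nearly empty, so the prefix length would have to be shortened (or the digest blinded, as in Google’s protocol) to give the same anonymity.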
Jon Millican from Facebook gave an interesting talk about the plan for making their Messenger application end-to-end encrypted, while still being able to provide all the current features, such as sharing photos, for the encrypted conversations.
Apple launched their so-called “Find My” service. Engineer Yannick Sierra from Apple explained how their new tools can help people find lost devices using any other iOS gadget they own as “finder”. The “finders” report what is around them without compromising the privacy of the “finder” or of the lost device. Interestingly, the service does not leak any information beyond the IP addresses of the involved devices.
Mozilla gave a great talk about their new privacy-preserving site-blocking telemetry. Their tool addresses the question of protecting users’ privacy in a setting where the software provider is still able to collect information from its users about the blocked cookies on certain websites (domains). They avoid heavy crypto tools like MPC and traditional zero-knowledge proofs and introduce Prio, a new proof system for secret-shared data.
Breaking in order to reinforce
A fun part of developing secure systems is breaking existing insecure ones. Lovers of software and hardware attacks did not come up short at RWC; there were plenty of talks on new attacks.
Researchers from France and Singapore presented the first practically feasible attacks on SHA-1.
Their results are the culmination of a long line of work that started back in 2005 but took more than 14 years to produce the first feasible real-world attack.
Unfortunately, SHA-1 signatures continue to enjoy widespread use in a large number of applications. SHA-1 is the default hash function used for certifying PGP keys in the legacy branch of GnuPG.
The PGP/GnuPG Web of Trust is a trust model used for PGP that relies on users signing each other’s identity certificate, instead of using a central PKI. The authors highlighted the practicality of their attack by using it to forge GnuPG keys and emphasized the need to abandon SHA-1 in favor of its successor SHA-3.
In a breakthrough result, Tetsu Iwata presented a series of practical attacks on the standardized authenticated-encryption scheme OCB2, which had been believed to be secure for 15 years. Iwata’s results are based on a recent work of Inoue and Minematsu from September 2018, who pointed out possible flaws in the security proof of OCB2. The work of Inoue and Minematsu triggered a series of attacks, eight in three months to be concrete, starting with a forgery attack and culminating in a full plaintext recovery attack.
What needs to be stressed here is that these attacks were possible despite an existing security proof supposedly showing that OCB2 should have been secure. Nevertheless, the general structure of OCB is sound and the attack is not applicable to OCB1 and OCB3; these seem to have correct proofs of security (the same error as in OCB2 does not occur there).
The presented attacks are an important reminder that proofs can contain subtle mistakes and that any published result requires significant scrutiny from other researchers.
In another talk, Google Software Engineer Chandler Carruth reviewed a class of cache attacks best known as the SPECTRE attacks, which take advantage of speculative execution, a popular optimization technique in CPUs. The message of Carruth’s talk was clear: SPECTRE attacks are still a widespread problem and, as of January 2020, there are still no clear proposals for how to prevent this type of attack. To make things even worse, new attacks like NetSpectre show that speculative code execution can be exploited remotely.
RWC confirmed that the tendency in applied cryptography is to question old schemes for vulnerabilities while searching for innovative new advancements to replace them. One quickly emerging technology finding its way into practice in the last few years is secure multiparty computation (MPC). Cosmian is proud to be among the early adopters of MPC and of its deployment in real-world use cases.
A series of talks at RWC were dedicated to presenting technical overviews of MPC, new software frameworks, and great MPC-based solutions for privacy-preserving machine learning and classification.
Software for MPC
Marcella Hastings from the University of Pennsylvania presented a comprehensive overview of existing end-to-end MPC frameworks, which compile high-level code into full-fledged secure computation protocols.
Her survey compared the nine most popular frameworks, namely the EMP-toolkit, Obliv-C, ObliVM, TinyGarble, SCALE-MAMBA, Wysteria, Sharemind, PICCO, and ABY.
She highlighted the problems that developers face when trying to use these frameworks and compared their usability, functionality, documentation, and performance.
Her comparisons showed that all of the frameworks are challenging to use for developers that do not have any prior knowledge in MPC. A logical conclusion drawn by Hastings was that all of the frameworks would benefit from a closer collaboration between engineers of secure computation protocols and developers of software compilers.
The Cosmian team fully agrees with this perspective and is currently developing a new compiler in Rust!
Another issue with all evaluated frameworks is the lack of documentation. Without thorough documentation, using these frameworks in practice is virtually impossible. Marcella pointed out the SCALE-MAMBA framework as an exception, among a few others. Cosmian, in a joint effort with Nigel Smart, is proud to be an active contributor to the SCALE-MAMBA software framework and its documentation.
Even though the survey is less than 2 years old, there are already six new frameworks (EzPC, JIFF, MP-SPDZ, FRESCO, HyCC, and ABY3) that have been developed after the survey was concluded. All this goes to show that secure computation is a very active research area with many developments happening in short periods of time.
Surveying these software frameworks is a tedious and work-intensive task. Cosmian would like to thank the authors of this work, which can be found here: SoK: General Purpose Compilers for Secure Multi-Party Computation.
Detecting Financial Fraud with Secure MPC
The startup Inpher, working with Goldman Sachs and Standard Chartered, presented their solution for detecting financial crimes from the FCA Financial Crime TechSprint, a week-long global anti-money-laundering competition. Detecting money laundering is a very challenging task. Money launderers often use dozens of banks for their criminal activities. From the perspective of each bank independently, suspicious transactions and activities are difficult to detect. If all banks were to collaborate and share their data, however, such crimes could be detected with much better success. Unfortunately, sharing private bank data among different banks is not an option due to privacy regulations.
Secure multiparty computation provides a novel approach for solving the problem described above. Rather than sharing their data in the clear, all banks can jointly run an MPC protocol that uses all of the transaction data to tell each bank individually which of their transactions are suspicious and should be inspected more carefully.
Inpher (www.inpher.io) used recent advances in MPC in combination with clever distributed algorithms to implement a solution to this problem. Looking a tiny bit under the hood of Inpher’s solution, their protocol computes a large encrypted graph in which accounts represent nodes and transactions represent edges. Using learning algorithms, the banks then jointly analyze the encrypted graph to detect anomalies, which are then linked to suspicious activities. For performance reasons, their solution encrypts every account/node in the graph separately but does not hide the graph’s shape. Further research is needed to see how much information is leaked by the graph structure itself. In any case, the talk showed that MPC tools have now reached the maturity needed for practical deployment at a large scale.
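The framework survey and the Inpher use case above both rest on the same primitive: parties compute a function of their combined data while each sees only random-looking shares of the others’ inputs. The following added example (written for this post; it is neither Inpher’s protocol nor code from any of the surveyed frameworks) shows the simplest such protocol, additive secret sharing over a prime field, used to answer the question the banks actually care about: does the total number of flagged transactions for one account, summed across all banks, exceed a threshold? The per-bank counts, the threshold and the choice of prime are constructed for the illustration; the messaging between parties is simulated in-process.

```python
import secrets

# Field modulus for additive secret sharing (the Mersenne prime 2^61 - 1;
# any prime larger than every possible sum would do).
P = 2**61 - 1


def share(value: int, n_parties: int) -> list:
    """Split `value` into n_parties shares that are individually uniform
    random in [0, P) and sum to `value` modulo P."""
    if not 0 <= value < P:
        raise ValueError("input must lie in the field [0, P)")
    if n_parties < 2:
        raise ValueError("secret sharing needs at least two parties")
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)  # last share fixes the sum
    return shares


def reconstruct(shares) -> int:
    """Recover the shared value: only the sum of all shares reveals it."""
    return sum(shares) % P


def secure_sum(private_inputs: list) -> int:
    """Simulate n parties (here: banks) computing the sum of their inputs.

    Party i deals share j of its input to party j. Party j adds up the
    shares it received; because every share it holds is uniformly random,
    it learns nothing about any individual input. The parties then pool
    their local sums, which reconstructs exactly the total and nothing else.
    """
    n = len(private_inputs)
    dealt = [share(x, n) for x in private_inputs]      # dealt[i][j] -> party j
    local_sums = [sum(dealt[i][j] for i in range(n)) % P for j in range(n)]
    return reconstruct(local_sums)


def party_view(private_inputs: list, j: int) -> list:
    """Everything party j receives during secure_sum: one random share of
    each input (including its own). Used to inspect what leaks: nothing."""
    n = len(private_inputs)
    return [share(x, n)[j] for x in private_inputs]


def account_over_threshold(per_bank_flag_counts: list, threshold: int) -> bool:
    """The joint decision: is the cross-bank total of flagged transactions
    for one account above the threshold? No bank reveals its own count."""
    return secure_sum(per_bank_flag_counts) > threshold


if __name__ == "__main__":
    # Constructed example: three banks each hold a private count of flagged
    # transactions for the same account. Individually none looks alarming.
    counts = [3, 5, 9]
    print("total seen by the protocol:", secure_sum(counts))        # 17
    print("over threshold 10:", account_over_threshold(counts, 10))  # True
    print("what bank 0 receives:", party_view(counts, 0))            # random
```

The same share-and-add pattern scales to any linear computation (weighted sums, averages, counting edges incident to a node); the non-linear steps in a real anti-money-laundering pipeline, such as comparisons and the learning algorithms mentioned above, need multiplication protocols on top, which is exactly the machinery the surveyed frameworks package up.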
Other fun facts:
- During the Symposium, David Wong, a security engineer at Facebook, announced his new book “Real World Cryptography”. In contrast to many of the existing technical books on cryptography, this work aims to provide a gentle introduction to the topic, which should be accessible to a broad range of non-expert readers. If you always wanted to know more about the fundamental basics of cryptography and how research in privacy and security turns into real-world solutions, then this book is perfect for you! A large selection of topics is covered in an accessible and enjoyable manner.
- One of the greatest moments of this year’s conference was the motivational and witty speech of Ralph Merkle, who was awarded the Levchin Prize. The world-renowned cryptographer gave the audience a glimpse into his experiences and struggles as a young student trying to publish new revolutionary ideas. The main takeaway of this speech was that novel ideas can require quite some perseverance from young researchers, but are always worth fighting for. More details on his story can be found online.
Merkle pointed out that unfortunately, visionary ideas that anticipate the importance of data-privacy and security in a digitalized era continue to be rejected even nowadays by conservative minds.
Merkle’s speech resonated strongly with Cosmian’s credo, since we believe in innovation and we are fighting to bring novel privacy-preserving solutions into real-world applications.
After great insights into real-world applications of cryptography, real-world attacks, and real-world problems of developer tools, it seems that the takeaway message of RWC 2020 is that we need more of these security solutions and that they need to be more widely available for use in the Real World.
- SHA-1: https://eprint.iacr.org/2020/014.pdf
- Too much crypto: https://eprint.iacr.org/2019/1492.pdf
- Cryptanalysis of OCB2: https://eprint.iacr.org/2019/311.pdf
- SoK: General Purpose Compilers for Secure Multi-Party Computation: https://marsella.github.io/static/mpcsok.pdf
- RWC Program and Slides: https://rwc.iacr.org/2020/program.html