Program

The videos are now available on Youtube.

Session 1 - Keynotes (9h00 - 10h30):

• Opening Remarks
• Luís Brandão (NIST) — A perspective on standardization of advanced cryptography at NIST. [Video]

This talk will present a perspective on the potential role of NIST in standardizing advanced cryptographic schemes and protocols. Traditionally, NIST has focused on “basic” primitives, such as block-ciphers (DES in 1977), hash functions (SHA-1 in 1994), signatures (DSA in 1997), and pair-wise key agreement, public-key encryption and DRBGs (in the 2000s), as well as some “basic” operation modes (e.g., of encryption). Following the revelations about Dual_EC_DRBG in 2013, the NIST cryptographic technology group (CTG) revised the process for developing cryptographic standards, formalizing important principles in NISTIR 7977, such as openness, transparency and integrity. The CTG has experience in driving successful open processes based on public contributions, as used to select the AES (2001) and SHA-3 (2015) standards. Ongoing endeavors include the standardization of lightweight cryptography and post-quantum cryptography primitives, respectively anticipating the Internet of things and quantum computers.

This talk will focus on challenges and opportunities related to two areas with developing potential for standardization: threshold cryptography, with a focus on threshold schemes for cryptographic primitives; and privacy-enhancing cryptography, which includes a plethora of techniques such as secure multiparty computation, zero-knowledge proofs and homomorphic encryption. Finding a proper approach for standardization in both these areas is especially challenging, due to the more complex nature of protocols, with multiple possibilities for interfaces, components, system models, and even security definitions. Overall, this talk also intends to constitute an invitation for stakeholders to engage with NIST in open and transparent processes towards standardization of advanced cryptography.

• Kristin Lauter (Microsoft) — HomomorphicEncryption.org—a Community Effort. [Video]

This talk will describe the formation and launch of this 2-year old community to standardize Homomorphic Encryption. There will be information on how to get involved and time for questions and discussion.

Coffee Break (10h30 - 11h)

Session 2 - ZKProof, FHE, IETF (11h - 12h45):

• Ran Canetti (Boston University and Tel Aviv University) — Towards Standardizing Zero Knowledge. [Video]

I will overview the ZKProof standardization effort: Its main goals, the main challenges, the road taken so far and the road ahead. Specifically, I will describe the efforts to create a common language among the different constituents, to partition the problem space, and to make sure that both efficiency and security guarantees are expressible and realizable. I will then dive into the challenge of obtaining composable security while guaranteeing realistic efficiency for succinct non-interactive zero-knowledge, and discuss how such security can be used to inform the emerging standard.

• Mariana Raykova (Google) — Advanced Cryptography on the Way to Practice. [Video]

This talk will overview recent developments in several areas of advanced cryptography such as secure multiparty computation, zero knowledge, differential privacy. We will focus on system implementations using these techniques and the efficiency they offer. We will try to give a perspective of how the practical efficiency of such tools has evolved over time and the major hurdles that are the focus of future work.

• Riad S. Wahby (Stanford) — BLS signatures, hashing to curves, and more: dispatches from the IETF. [Video]

We discuss advanced cryptography standardization at the IETF. We start with an overview of the process of writing an RFC with the Crypto Forum Research Group, and then talk about lessons learned from our ongoing work on the BLS signatures and hash-to-curve standardization efforts.

Lunch (12h45 - 14h00)

Session 3 - Threshold Cryptography (14h00 - 15h30):

• Samuel Ranellucci (Unbound) — Lessons about standardization. [Video]

Standardization of threshold cryptography has many questions that need to be answered. 1) What is the purpose of standardization? 2) How can standardization go wrong? 3) How should we build standards for threshold cryptography? 4) What should we standardize first?

I will discuss these questions. I will provide lessons about standardization from an expert in a field that has strict standards. I will talk about recent works on the (in)security of OT extension and discuss why OT extension should be one of the first things to be standardized. Finally, I will describe ways to write standards effectively based on my experience writing protocol specifications for software.

• Karim Eldefrawy (SRI) — Computer-aided Verification and Software Synthesis for Secure Multi-Party Computation Protocols. [Video]

Secure Multi-Party Computation (MPC) enables n distrusting parties to jointly compute a function using private inputs. MPC guarantees correctness of computation and confidentiality of inputs if no more than a threshold t of the parties are corrupted. To the best of our knowledge there are currently no publicly available high-assurance implementations of formally verified and machine-checked MPC withstanding active adversaries. By high-assurance we mean automatically (and verifiably) synthesized from protocol specifications that were mechanically checked using an interactive theorem prover. The closest is the high-assurance secure two-party computation software based on garbled circuits (for semi-honest parties) by Almeida et. el. from ACM CCS’17.

This talk summarizes our recent progress in developing such high-assurance implementations of MPC. We formalize in EasyCrypt several abstract variations of secret sharing, then MPC protocols building on them. We implement and perform computer-checked security proofs of concrete instantiations of all required (abstract) protocols in EasyCrypt. We then implement the BGW protocol in the case of MPC and thus as a side contribution perform the first computer-aided verification and automated synthesis of this fundamental protocol. As part of this work we developed a new toolchain to extract high-assurance executable implementations of protocols specified and verified in EasyCrypt, that goes from EasyCrypt to WhyML and finally to OCaml. The performance overhead of our high-assurance executables compared to manually implemented versions using the Python-based Charm framework is (surprisingly) low. We argue that the small overhead of our high-assurance executables is a reasonable price to pay for the increased confidence about their correctness and security.

Coffee Break (15h30 - 16h00)

Session 4 - Panel & Further Discussion (16h00 - 17h30)

• Panelists: Hugo Krawczyk (Algorand Foundation), Dahlia Malkhi (Calibra), Eran Tromer (Columbia & TAU), Luís Brandão (NIST), Tanja Lange (Eindhoven University of Technology)
• Moderator: Daniel Benarroch (QEDIT)
• [Video]
• Topics:
  • Why are standards important if adoption by companies is already here? If adoption is not there yet, is standardization the only way of bridging the gap between academia vs industry?
  • How to resolve the tension between adoption and continuous innovation in advanced cryptography?
  • Is it too early to standardize such (complex) protocols when we continue to disagree on how to access the security of their inner cryptographic primitives?
  • For large industries, is the overhead cost of malicious security justified when malicious behavior can lead to a breach of legal contract?
  • Working concurrently on many cryptographic standards at the same time, that use different techniques and security models, necessarily reduces the quantity (and perhaps quality) of the cryptanalyses against the candidate proposals. Should we really pursue all efforts simultaneously? What should we standardize first?
• Discussion, Q&A, and Closing Remarks.