Show threadDeirdre Connolly¹ ²Mar 9
Also looked at Signal's Contact Discovery Service #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Found timing leakages in the previous impl #realworlcrypto
Show threadDeirdre Connolly¹ ²Mar 9
clang transformed the code, breaking the constant-time guarantees the source code had tried to achieve #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Tying it all together #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
ʕ·͡ᴥ·ʔ #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Q: Do you document the verification boundary of your toolchain with any formalism? A: Difficult to achieve this; described in english in various papers #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Next up, 'mlkem-native: a unified, fast and verified ML-KEM library', presented by Hanno Becker #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
C90! 😭 Very portable #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Front of house, back of house #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
As we saw constant-time guarantees can be difficult to ensure #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Proving all assembly is memory-safe using HOL Light; running proofs continuously in CI #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
By ensuring type safety, ensure the correct modular reductions in the right places #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
There are still some gaps tho #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
The models are hand-written, there could be a bug in there, try to address with extensive testing; but is it the 'best' level of abstraction? #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
I love this idea (SOUNDNESS.md) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Doing the same for ML-DSA! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Next up, 'Formally Verifying Circuits for Zero Knowledge Proofs', presented by Alex Ozdemir #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Can't have a formal verification session without SMT #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
😹 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
We really hate circuit bugs! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Next up, 'Compositional Formal Verification of SNARKs with ArkLib', presented by Quang Dao #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Multiple zkSNARK verifiers in Ethereum #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
ArkLib: verified SNARKs in Lean #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
(oops) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
The core of a SNARK is an interactive argument, usually with Fiat-Shamir slapped on top #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Reductions can compose: #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
HYPERCUBE #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
neato #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
large models are now pretty good at LEAN, this is helpful to arklib; the AI can prove faster than Quang! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Q: Why are there so many Fiat-Shamir instantiation mistakes out there? A: We lack to right tooling to auto catch these issues; must be secure in the spec first #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Next up, 'TEE.fail: Breaking Trusted Execution Environments via Memory Bus Interposition', presented by Christina Garman and Daniel Genkin #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
i think we get a live demo 🤓 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Chocolate + coffee + Daniel = hardware attacks #realworldcrypto
Show threadDeirdre Connolly¹ ²
The demo computer survived the TSA! #realworldcrypto
Mar 9 at 8:38amWeb
Show threadDeirdre Connolly¹ ²Mar 9
A scheme originally intended for disk encryption, not for RAM #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
aTtEsTaTiOn #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
"Please don't crash, please don't crash—" #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
It worked! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Attestation is...a bit of a fragile thing in practice #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Protections were removed to improve performance at customer demand 😭 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
😹 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
lmao #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Q: You believe these protections only got removed bc of performance? A: Yes I do, we talked to the engineers, they were so upset and repeatedly saying "I told you so" etc #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Next up, 'Migrating a Silicon Root of Trust to Post-Quantum Crypto', presented by Jade Philipoom and Hien Pham #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Goal is to PQ secure boot chain #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
ML-DSA is dominated by SHA-3 and SHAKE operations #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Faster than non-PQ options for most operations! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
'We can do better' #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
🐰 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Found some speedups in rejection sampling #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
🤤 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 9
Future treasuremap #realworldcrypto