Ethnography proposes 'exists' statements, not 'for all' statements #realworldcrypto
Coffee time #realworldcrypto
'Defending the Open Internet: TLS, Passkeys, and the Privacy Stakes of Digital Identity', by Christopher Harrell #realworldcrypto
Q: How do I resolve the dilemma that if i work on this, governments will use it to discriminate [against children, women, etc] A: Build primitives that work with trust lists, group of issuers we trust [um we trusted the US until we didn't, oops] #realworldcrypto
Q: Device-bound means i lose my creds A: Cloud-based HSM [narrator: 🙄] #realworldcrypto
Not all have PQ privacy #realworldcrypto
Q: The nice ZKs going to PQ change the computational/privacy properties A: Depending on the construction (BLS vs ML-DSA, relying on the symmetric guts of certain constructions) #realworldcrypto
Next up, 'Zero Knowledge (About) Encryption: On the Security of Cloud-based Password Managers', presented by Matteo Scarlata and Giovanni Torrisi #realworldcrypto
'E2EE' password managers #realworldcrypto
We don't trust the server, should only have access to the vault plaintext if you have access to the master password #realworldcrypto
features ('features') that lead to this breakdown: #realworldcrypto
oh recovery flows #realworldcrypto
Partial vault sync (😭) #realworldcrypto
Relatedly, icon fetching ('metadata') #realworldcrypto
Sharing items #realworldcrypto
backwards compatibility leads to attacks 😭 #realworldcrypto
Heisenberg Attack: 'nothing to do with Breaking Bad, although we're gonna break it pretty badly 😈' #realworldcrypto
Ways to mitigate security issues in these risky features: key transparency, better designs for key recovery #realworldcrypto
SAY IT AGAIN #realworldcrypto
Better protections against downgrade attacks #realworldcrypto
No time for Q's, aw. Next up, 'Improving Account Security for Victims of Account Compromise through Client-Side Access Logging', presented by Carolina Ortega Pérez and Paul Gerhart #realworldcrypto
Trying to help victims of intimate partner violence experiencing tech abuse #realworldcrypto
Easy to spoof user agents #realworldcrypto
Need OS support #realworldcrypto
PK-CSAL still has to worry about ghost users #realworldcrypto
If we sync keys we can prevent ghost users #realworldcrypto
password-based key sync #realworldcrypto
Extension to WebAuthn (just changing a label) #realworldcrypto
Do need OS support #realworldcrypto
Q: Pubkey for each device, does that not act like a device id, impact on privacy? A: Actually different keys for different sessions #realworldcrypto
Next up, 'Efficient Threshold ML-DSA', presented by Sofia Celi and Thomas Espitau #realworldcrypto
#️⃣ lattices #️⃣ #realworldcrypto
First an ID protocol, slap some Fiat-Shamir on it, signatures?? #realworldcrypto
[oop that's not committing to the public verification key] #realworldcrypto
Combining shares/signing shares #realworldcrypto
Really want th-ML-DSA signatures to be exactly compatible with singleton ML-DSA verification #realworldcrypto
How to handle the ML-DSA rejection sampling #realworldcrypto
Must not be able to distinguish between th-ML-DSA and singleton ML-DSA bc the sampling distributions between them are different #realworldcrypto
2 offline, 4 online rounds, first is independent of the message, allows pre-processing, safe for concurrency #realworldcrypto
May be useful in modern internet applications #realworldcrypto
Look at this beautiful arrrrt #realworldcrypto
Q: Identifiable abort? A: Not this construction, there are options but they break other things #realworldcrypto
Next up, 'XHMQV: Better Efficiency and Stronger Security for Signal's Initial Handshake based on HMQV', presented by Rune Fiedler #realworldcrypto
XHMQV: Better Efficiency and Stronger Security for Signal’s Initial Handshake based on HMQV

The Signal protocol is the most widely deployed end-to-end-encrypted messaging protocol. Its initial handshake protocol X3DH allows parties to asynchronously derive a shared session key without the need to be online simultaneously, while providing implicit authentication, forward secrecy, and a form of offline deniability. The X3DH protocol has been extensively studied in the cryptographic literature and is acclaimed for its strong "maximum-exposure" security guarantees, hedging against compromises of users' long-term keys and medium-term keys but also the ephemeral randomness used in the handshake. This maximum-exposure security is achieved by deriving keys from the concatenation of 3–4 Diffie–Hellman (DH) secrets, each combining two long-term, medium-term, or ephemeral DH shares. Remarkably, X3DH's approach of concatenating plain DH combinations is sub-optimal, both in terms of maximum-exposure security and performance. Indeed, Krawczyk's well-known HMQV protocol (Crypto '05) is a high-performance, DH-based key exchange that provides strong security against long-term and ephemeral key compromise. One might hence wonder: why not base Signal's initial handshake on HMQV? In this work, we study this question and show that a carefully adapted variant of HMQV, which we call XHMQV, indeed enables stronger security and efficiency while matching the constraints of Signal's initial handshake. Most notably, HMQV does not work as a drop-in replacement for X3DH, as the latter's asynchronicity requires the protocol to handle cases where one party runs out of ephemeral keys (pre-uploaded to the Signal server). Our XHMQV design hence augments HMQV with medium-term keys analogous to those used in X3DH. We prove that XHMQV provides security in all 3–4 compromise scenarios where X3DH does and additionally in 1–2 further scenarios, strengthening the handshake's maximum-exposure guarantees while using more efficient group operations. 
We further confirm that our XHMQV design achieves deniability guarantees comparable to X3DH. Our security model is the first to capture Signal's long-term key reuse between DH key exchange and signatures, which may be of independent interest.

IACR Cryptology ePrint Archive
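To make the abstract's "concatenation of 3–4 Diffie–Hellman secrets" and its "maximum-exposure" argument concrete, here is an added example (not code from the talk, the paper, or Signal) of an X3DH-style key agreement on a pure-Python X25519 (RFC 7748), with the one-time prekey optional to model the case where the responder has run out of them. The key names (IK, EK, SPK, OPK), the HKDF info string and the `session_key_exposed` checker are this example's own conventions; the signature on the signed prekey that Signal verifies is deliberately omitted.

```python
"""Added example: X3DH-style key agreement over a pure-Python X25519 and a
checker for which key-compromise scenarios still leave the session key secret.
Not the paper's or Signal's code; key names and the KDF info string are ours."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping of a 32-byte X25519 private scalar.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    # RFC 7748: mask the top bit of the last byte, then reduce mod p.
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519(k, u) via the Montgomery ladder of RFC 7748 section 5."""
    k, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def keypair():
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def hkdf_sha256(ikm: bytes, info: bytes) -> bytes:
    # HKDF (RFC 5869) with an all-zero salt, one 32-byte output block.
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def x3dh_key(dh_secrets) -> bytes:
    # SK = KDF(F || DH1 || DH2 || DH3 [|| DH4]); F is 32 bytes of 0xFF for X25519.
    return hkdf_sha256(b"\xff" * 32 + b"".join(dh_secrets), b"X3DH example")


def initiator_key(ik_a, ek_a, ik_b_pub, spk_b_pub, opk_b_pub=None) -> bytes:
    # Alice (initiator): long-term IK_A and fresh ephemeral EK_A against Bob's bundle.
    dhs = [x25519(ik_a, spk_b_pub), x25519(ek_a, ik_b_pub), x25519(ek_a, spk_b_pub)]
    if opk_b_pub is not None:          # DH4 exists only when a one-time prekey was available
        dhs.append(x25519(ek_a, opk_b_pub))
    return x3dh_key(dhs)


def responder_key(ik_b, spk_b, ik_a_pub, ek_a_pub, opk_b=None) -> bytes:
    # Bob (responder): long-term IK_B, medium-term SPK_B, optional one-time OPK_B.
    dhs = [x25519(spk_b, ik_a_pub), x25519(ik_b, ek_a_pub), x25519(spk_b, ek_a_pub)]
    if opk_b is not None:
        dhs.append(x25519(opk_b, ek_a_pub))
    return x3dh_key(dhs)


# The two private shares each DH secret combines (reduced mode drops DH4).
DH_SHARES = {"DH1": ("IK_A", "SPK_B"), "DH2": ("EK_A", "IK_B"),
             "DH3": ("EK_A", "SPK_B"), "DH4": ("EK_A", "OPK_B")}


def session_key_exposed(compromised, reduced_mode=False) -> bool:
    """True if someone holding the named private keys can recompute SK.
    A DH secret is recoverable iff either of its two private shares leaked;
    SK is exposed only when every concatenated DH secret is recoverable."""
    terms = ["DH1", "DH2", "DH3"] + ([] if reduced_mode else ["DH4"])
    return all(any(s in compromised for s in DH_SHARES[t]) for t in terms)


def demo():
    # Constructed keys; returns (full-mode agreement, reduced-mode agreement, modes differ).
    ik_a, ik_a_pub = keypair(); ek_a, ek_a_pub = keypair()
    ik_b, ik_b_pub = keypair(); spk_b, spk_b_pub = keypair(); opk_b, opk_b_pub = keypair()
    full_a = initiator_key(ik_a, ek_a, ik_b_pub, spk_b_pub, opk_b_pub)
    full_b = responder_key(ik_b, spk_b, ik_a_pub, ek_a_pub, opk_b)
    reduced_a = initiator_key(ik_a, ek_a, ik_b_pub, spk_b_pub)
    reduced_b = responder_key(ik_b, spk_b, ik_a_pub, ek_a_pub)
    return full_a == full_b, reduced_a == reduced_b, full_a != reduced_a
```

The `session_key_exposed` checker is where the maximum-exposure story shows up: leaking both long-term keys leaves DH3 intact, so SK survives, whereas leaking Bob's IK_B and SPK_B exposes SK in reduced mode (no DH4) but not in full mode, which is the prekey-exhaustion gap the abstract says XHMQV's medium-term keys are meant to address.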
Classic X3DH #realworldcrypto
Sometimes you run out of prekeys and have to reuse one, this is 'reduced mode' #realworldcrypto
Everything old is new again #realworldcrypto
More efficient, one less group exponentiation, stronger maximum exposure, but still doesn't help with exhaustion of prekeys #realworldcrypto
Add in the semi-static prekeys #realworldcrypto
Bounds for XHMQV key indistinguishability #realworldcrypto