Show threadDeirdre Connolly¹ ²Mar 10
Throw in a KEM alá PQXDH (ML-KEM prekeys) and you get hybrid-PQ security #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Might deploy it when taking advantage of other breaking changes such as PQ auth #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Next up, 'A Call to Action: Transitioning Signal's Private Group System to Quantum-Safe', presented by Rolfe Schmidt #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
💯 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
💯 (Signal is the only e2ee messenger that has strong protections on this stuff) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Current design, not PQ eprint.iacr.org/2019/1416 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
👀 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Pretty pls, I would like a pony #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
😭 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Expensive #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
[TOO MANY THINGS CALLED HYBRID] #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
The verifiable encryption, verified by the server, seems to be the most expensive/difficult part #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
If clients can validate, we have new possibilities, and can simplify the system a lot #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Sigs instead of anon creds; re-randomizable to maintain privacy (as seen in Zcash!! <3) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Very cool (classically...) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Exactly compatible with regular ML-DSA/Dilithium signatures #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Many more features that need to be supported #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
[um] #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Migrating a whole system, complex, scalability issues #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Q: Are you sure about hybrid signatures? A: No not necessarily, if we're confident in the pq option then we may not #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Next up, 'End-to-End Encrypted Collaborative Documents', presented by Christian Knabenhans and Zayd Maradni #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
What do we need to serve journalists working on collaborative online documents? #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Code: github.com/spring-epfl/... #realworldcrypto

GitHub - spring-epfl/signal-co...
GitHub - spring-epfl/signal-collaborative-documents

Contribute to spring-epfl/signal-collaborative-documents development by creating an account on GitHub.

GitHub
Show threadDeirdre Connolly¹ ²Mar 10
Existing solutions aren't quite enough #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
We need secure reconciliation mechanisms #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Apparently secure group messaging fulfills this! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
nice #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Using the Signal Groups to collaborate on docs #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
In prod, the network dominates performance #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
hm #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
The faster typer and receive, decrypt, and reconcile the slower typer's edits before they type their next character 👍 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Tested with the 20-page USENIX paper that this work is published in :D #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Future directions #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Q: Side channel leakage when sending every character on the wire? A: Don't protect metadata, timing #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Q: Would this overwhelm Signal? A: This is a small group of journalists, at scale there would be a more robust deployment #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Next up, 'Random-Access AEAD for Fast Lightweight Online Encryption', presented by Andres Fabrega and Gregory Rubin #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
FLOE! eprint.iacr.org/2025/2275 #realworldcrypto
Show threadDeirdre Connolly¹ ²
Sometimes AES-GCM doesn't work well when you are doing very very large plaintexts #realworldcrypto
Mar 10 at 7:20amWeb
Show threadDeirdre Connolly¹ ²Mar 10
Need a streaming AEAD that is FIPSable and random-access #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Previous work almost made it... #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
FLOE! 🧊 #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Supports exabytes #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
What type of security are we trying to achieve? nOAE(2) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Tweak nOAE to get randomized raAE notion #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
There are no existing commitment notions [!] #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Encoding positions as parameters #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Modeled in random access real-or-random setting #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Existing schemes (Tink streaming, STREAM) remain secure under ra-ROR #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Construction reduces to mu-PRF security of HMAC-Expand -SHA-384 and mu-ROR$ security of the AEAD (AES-GCM) #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
#realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Define context commitment for raAE, ra-CMT #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Performance #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
FLOE spec w/ reference impls in multiple lang github.com/Snowflake-La... #realworldcrypto

GitHub - Snowflake-Labs/floe-s...
GitHub - Snowflake-Labs/floe-specification: Official specification and reference code for Fast Lightweight Online Encryption (FLOE)

Official specification and reference code for Fast Lightweight Online Encryption (FLOE) - Snowflake-Labs/floe-specification

GitHub
Show threadDeirdre Connolly¹ ²Mar 10
FLOE C2SP spec: github.com/C2SP/C2SP/bl... #realworldcrypto

github.com/C2SP/C2SP/blob...
C2SP/FLOE.md at main · C2SP/C2SP

Community Cryptography Specification Project. Contribute to C2SP/C2SP development by creating an account on GitHub.

GitHub
Show threadDeirdre Connolly¹ ²Mar 10
Q: This would be great for secure backups of things like DBs A: Yes! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Coffee time! #realworldcrypto
Show threadDeirdre Connolly¹ ²Mar 10
Next up, 'What is cryptography hiding from itself?', presented by Diego Aranha and Nikolas Melissaris #realworldcrypto