Invited Speakers

We are pleased to have the following invited speakers at SSR 2023.

Nadia Heninger

University of California, San Diego

Title: A collection of historical vulnerabilities in cryptographic standards

Abstract
In this talk, we will survey a handful of interesting cryptographic vulnerabilities arising out of vague language, misunderstandings, malicious behavior, backwards compatibility, and other historical artifacts that found their way into cryptographic standards. While cryptography is often seen as one of the few areas of security that we know how to get "right", many cryptographic primitives can be quite fragile in the face of implementation vulnerabilities or incorrect parameter selection. The situation can be even more complicated given the differing incentives and complex dynamics between parties involved in a standardization effort.

Juraj Somorovsky

Paderborn University

Title: Lessons learned from the recent TLS attacks

Abstract
This talk gives an overview of our research on TLS attacks. Our attacks affect major TLS libraries and servers, and exploit different protocol properties ranging from outdated cryptographic algorithms to complex state machines and dangerous cryptographic shortcuts. With these examples, we shed light on various protocol misspecifications and problems.

To prevent such attacks during development, we introduced an open-source TLS test suite called TLS-Anvil. With TLS-Anvil, we found two new exploits, five issues directly influencing cryptographic operations, and 15 interoperability issues. While the detected issues prove the usefulness of TLS-Anvil, we also show that building such a test suite directly from the specification is not straightforward.

Christopher Wood

Cloudflare Research

Title: Advancing Science and Software through Specifications

Abstract
Modern software innovation, creation, and deployment is a highly collaborative process. Success typically requires alignment between all stakeholders throughout the development lifecycle, starting with a problem statement and ending with running code. Alignment helps ensure the vision of what needs to be done is clear, the solution is sound, and the end result is deployed to make a meaningful impact on end users. Pushing an idea through this process requires bridging the gap between different stakeholders along the way. Importantly, engineers, product managers, and researchers all need to interface with one another to improve confidence in the end result. In today’s highly distributed environment, the most effective interface between these communities is the technical specification. A technical specification is a common interface for the design, development, and analysis of software solutions; it is a target for researchers to analyze to help ensure soundness; it is a reusable abstraction in the design of higher-layer systems and protocols; and it is the basis of interoperable implementations to help ease deployment. This talk will describe how technical specifications play an important role in helping transfer ideas from the scientific community into running software for the end user. It will also cover how specifications drive iteration between computer scientists and engineers. Finally, it will conclude with opportunities for researchers to contribute to ongoing specification activities to help solve some important problems facing the industry today.

Joint Session with STAP'23

We are looking forward to a joint session with the STAP'23 (Symmetric Techniques for Advanced Protocols) workshop with the following presentation.

Luís Brandão

NIST/Strativia
(At NIST as a Foreign Guest Researcher (non-employee), Contractor from Strativia. Expressed opinions are by the speaker and should not be construed as official views of the National Institute of Standards and Technology.)

Title: Tackling advanced cryptography … toward standards?

Abstract
The standardization of “basic” cryptographic primitives and techniques has tremendously impacted digital society. Further impact can be expected from future developments in “advanced cryptography”, namely from techniques for protecting computations and enhancing privacy, often in multi-party settings. The scope of techniques includes threshold schemes (for decentralized computations), zero-knowledge proofs (for proving correctness of computations), and homomorphic encryption (for meaningful computations on top of encryption), which in turn may rely on “friendly” primitives (from symmetric and asymmetric cryptography) with special features. Their future standardization is expected to galvanize innovative collaborations with combined data utility, security and privacy. Yet, enhanced challenges in advanced cryptography may require considering creatively enhanced standardization processes.

This talk will overview the “NIST First Call for Multi-Party Threshold Schemes” (NISTIR 8214C ipd) as one process for tackling advanced cryptography in a standardization body. This “Threshold Call” aims at a structured process for collecting “reference material” about advanced cryptographic techniques. The call has a very wide scope, yet guided by a focus on threshold schemes: enabling evaluation of cryptographic primitives while the needed secret material is distributed across multiple parties. Future submissions in reply to the call should include security characterization, technical description, open-source implementation, and performance evaluation. The public analysis to ensue will help devise (i) recommendations on best practices, and (ii) recommendations on subsequent processes that should emerge in differentiated ways across various subcategories of primitives.

The talk will also set the stage for an interactive conversation in the rest of the session, where the attendees are encouraged to informally share their thoughts. Here are some topics:

  1. On the timing and speed of processes: what is too soon, too late, too slow, and too fast?
  2. What value is there in still pursuing new standards for quantum-breakable primitives?
  3. How to handle the standardization tension between innovation and interoperability?
  4. Which cryptographic functionalities/features make sense to prioritize for standardization?
  5. What synergies should we aim for between academia, industry, government and standards bodies?