david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

ECC 2015 in Bordeaux

posted October 2015

defense

After defending my master thesis in Labri's amphitheatrum I thought I would never have to go back there again. Little did I know, ECC 2015 took place in the exact same room. I was back in school.

Talks

badge

It was a first for me, but for many people it was only one more ECC. Most people knew each other, a few were wandering alone, mostly students. The atmosphere was serious although relaxed. People were mostly in their late 30s and 40s, a good part was french, others came from all over the world, a good minority were government people. Rumor has it that NSA was somewhere hidden.

logjam

Nothing really groundbreaking was introduced, as everybody knows ECC is more about politics than math these days. The content was so rare that a few talks were not even talking about ECC. Like that talk about Logjam (was a good talk though) or a few about lattices.

Rump Session

wine

http://ecc.2015.rump.cr.yp.to/

We got warmed up by a one hour cocktail party organized by Microsoft, by 6pm most people were "canard" as the belgium crypto people were saying. We left Bordeaux's Magnificient sun and sat back into the hot room with our wine glasses. Then every 5 minutes a random person would show up on stage and present something, sometimes serious, sometimes ridiculous, sometimes funny.

Panel

The panel was introduced by Benjamin Smith and was composed of 7 figures. Dan Bernstein that needs no introduction, Bos from NXP, Flori from the french government agency ANSSI, Hamburg from Cryptography Research (who was surprised that his company let him assist to the panel), Lochter from BSI (German government) and Moody from NIST.

panel

It was short and about standardization, here are the notes I took then. Please don't quote anything from here, it's inexact and redacted after the fact.

  • Presenter: you have very different people in front of you, you have exactly 7 white people in front of you, hopefuly it will be different next year.

  • The consensus is that standardisation in ECC is not working at all. Maybe it should be more like the AES one. Also, people are disapointed that not enough academics were involved... general sadness.

  • Lochter: it's not good to change too much, things are working for now and Post-Quantum will replace ECC. We should start standardizing PQ. Because everything is slow, mathematics takes years to get standardized, then implemented, etc... maybe the problem is not in standardization but keeping software up-to-date.

  • Hamburg: PQ is the end of every DLP-based cryptosystem.

  • Bos: I agree we shouldn't do this (ECC2015) too often. Also we should have a framework where we can plugin different parameters and it would work with any kind of curves.

  • Someone: why build new standards if the old/current one is working fine. This is distracting implementers. How many crypto standards do we already have? (someone else: a lot)

  • Bos: Peter's talk was good (about formal verification, other panelists echoed that after). It would be nice for implementers to have tools to test. Even a database with a huge amount of test vectors would be nice

  • Flori: people don't trust NIST curves anymore, surely for good reasons, so if we do new curves we should make them trustable. Did anyone here tried generating nist, dan, brainpool etc...? (3 people raised their hands).

  • Bernstein: you're writing a paper? Why don't you put the Sage script online? Like that people won't make mistakes or won't run into a typo in your paper, etc...

  • Lochter: people have to implement around patents all the time (ranting).

  • Presenter: NSA said, if you haven't moved to ECC yet, since there will be PQ, don't get into too much trouble trying to move to ECC. Isn't that weird?

  • Bernstein: we've known for years that PQ computers are coming. There is no doubt. When? It is not clear. NSA's message is nice. Details are weird though. We've talked to people at the NSA about that. Really weird. Everybody we've talked to has said "we didn't see that in advance" (the announcement). So who's behind that? No one knows. (someone in the audience says that maybe the NSA's website got hacked)

  • Flori: I agree it's hard to understand what the NSA is saying. So if someone in the audience wants to make some clarification... (waiting for some hidden NSA agent to speak. No one speaks. People laugh).

  • Hamburg: usually they say they do not deny, or they say they do not confirm. This time they said both (the NSA about Quantum computers).

  • Lochter: 30 years is the lifetime of secret data, could be 60 years if you double it (grace period?). We take the NSA's announcement seriously, satelites have stuff so we can upgrade them with curves (?)

  • Presenter: maybe they (the NSA) are scared of all the curve standardization happening and that we might find a curve by accident that they can't break. (audience laughing)

  • Bos: we have to follow standards when we implement in smartcards...

  • Lochter: we can't blame the standard. Look at Openssl, they did this mess themselves.

  • Moody: standards give a false sense a security but we are better with them than without (lochter looks at him weirdly, Moody seems embarassed that he doesn't have anything else to say about it).

  • Bernstein: we can blame it on the standard!

  • Lochter: blame the process instead. Implementers should get involved in the standardization process.

  • Bernstein: I'll give you an example of implementers participating in standardization, Rivest sent a huge comment to the NIST ("implementers have enough rope to hang themselve"). It was one scientific involved in the standardization.

  • Presenter: we got 55 minutes of the panel done before the first disagreement happened. Good. (everybody laughs)

  • Bos: we don't want every app dev to be able to write crypto. It is not ideal. We can't blame the standards. We need cryptographers to implement crypto.
Well done! You've reached the end of my post. Now you can leave me a comment :)

david

some better notes: https://ellipticnews.wordpress.com/2015/10/01/ecc-2015-bordeaux-france-september-28-30-2015/