Thank you, everyone, for joining. We have the opportunity, and I'm very honored, to be sitting at this table right now with these amazing cryptographers and people. So I'm not gonna introduce them, because I'm gonna ask them to introduce themselves, but you probably know most of them, if not all of them. So thank you to the five of you for being here. We had this idea of having all this day going through talks and learning about what the different standard efforts are doing and so on, and we thought, you know, what is the best way to conclude the day? Well, we can't get everybody here to start working on standards, because there is too little time and too many topics. So we thought, you know, let's have a conversation and see what are the hardest parts of creating a standard and so on. So without further ado, I'll just ask you to have a couple of minutes each to introduce yourself and tell us a bit: what's your encounter with standardization, and if you have any anecdote that you find is worth maybe bringing up. You want to start?

Sure. Okay, I'm Hugo Krawczyk. I'm considered one with a lot of experience in standards. I've been involved with the IETF since the mid-90s. I think Ran told me that he was telling some anecdotes about me. So, I don't know if you guys were there, and I wasn't in his talk, so I don't know what version of anecdotes he told, but in the 90s it was very hard to work in the IETF for someone that was talking about proofs and definitions and stuff like that. So it was not an easy time, but I'm a stubborn person and somehow... Yeah, but then HMAC came at a time in which MD5... it was started, breaking MD5, and... what's the name?
Dobbertin. Dobbertin, a German researcher that people here are too young, but... he had the first works basically breaking, or showing some weaknesses of, MD5. And so at the time that we were trying to promote HMAC, he came with his work, and I... So I sent him email saying, "Do you think that you can break HMAC with MD5 under your attacks?" and the answer was, "No, I have no idea. I don't think I can do that." So I asked him, "Can I send this to the IPsec mailing list?" He said yes, and I think that was the most important part in getting this accepted. But the reason I'm telling this is because actually the fact that there was a proof in HMAC became, you know, an important point in this history of trying really to move crypto in practice into a more theoretical, or well-founded, yeah, science.

Did say that you were pushing for the security part of the standard like that.

Yeah, no. He said that... he mentioned my friend Bill Simpson. He had the famous sentence saying that he doesn't talk to self-proclaimed cryptographers. Anyway, that's about...

Definitely not a cryptographer. I think that means I'm a person. I have... is actually why I am on this boundary between... so I have a long interest, a couple of decades, in reliability and secure systems. I'm kind of on a little boundary: whenever there's a Byzantine failure, I'm interested in it, and that means I'm touching on crypto, cryptocurrency, and I guess I have a series of life anecdotes that keeps dragging me into applied... So it starts with my postdoc. I joined AT&T Labs, and my crater at the time who came from for now really wanted me to join, but he was working in a security group. So I joined a security group. I was the only non-applied cryptographer there. The only person. I'm sorry.
The only person. Then I assumed the faculty position at the Hebrew University after my postdoc, and again as a distributed systems person, but there was nobody to teach the intro to cryptography and the advanced course in cryptography at the time, because I was left for sabbatical, and Michael Ben-Or was doing quantum computing at the time, and Michael Rabin was spending all his time at Harvard. Well, that left me to teach the courses. I had to teach the security courses. And then, while I was there, Noam Nisan, complexity theorist and later game theory, nothing to do with cryptography... our daughters took swimming lessons together. So we would sit by the pool, Noam and I, watching them swimming and chatting about computer science, and at some point the girls started pulling each other under water and, you know, Noam jumped and saved them and all of that, and somehow out of that came Fairplay. You know, the system that says, isn't it time to actually see if we can practically implement multi-party computation, and just how expensive that is. So that's how I got into that area, and I can continue, but this is... this is very personal.

Thanks for sharing.

I'm Eran Tromer. I'm a professor of computer science at Tel Aviv University and a research scientist at Columbia University. Let me share my origin story, how I got my powers. One to spider... So I used to be a person, and then... So I was working... well, I was already on the slippery slope to become a cryptographer, working on side-channel attacks and cache attacks and such. And then I got wondering: there was this theory about zero-knowledge proofs. Kind of impossibility results for complexity lower bounds. Wow, what's that good for? Well,
maybe it's good for proving the integrity of computation, as it was envisioned before it became a theoretical complexity theory tool, and maybe the kind of very fine integrity of computation that zero-knowledge proofs can do can be a way to mitigate the attacks that we were studying. If you cannot trust the computing platform because of various physical attacks, maybe you can just make it prove to you that it operated correctly. And maybe you can actually implement this by building on the theoretical results. So wow, that's kind of cool. So I was at MIT at the time. We took it to the NSF. We submitted the proposal, and the response came back that no, no way this will ever work. But you know what, if this ever did work, it would be kind of useful. So here are a few dollars; don't spend them all in one place. They had a SGER program for exploratory research. Keeps you just above the water, and we started working with that, and it actually started picking up pace. Then I teamed up with Alessandro, yes, my hope of students and the elements of so on to actually use the cutting-edge PCP techniques to build it even further and to build some prototypes. One thing led to another, and we actually showed the various ways by which zero-knowledge proofs can actually work. And we say, great. So now the problem is solved.
The world is saved. We can go back to our bad cable whatever and do theoretical research, because everybody will just pick up this zero knowledge and use it. Well, nothing happened enough to guard, and so we started looking for applications ourselves and started reaching around, and we heard about that thing, Bitcoin, that sort of had privacy, but didn't, and if we only use zero-knowledge proofs, maybe we could make it have real privacy. So we teamed up with people working on that. We published this Zerocash paper, which was one of the first plausibly real-world applications of zero-knowledge proofs, and we said, okay, now surely everybody will use it and we can go back to the lab and do our stuff. Because blockchain, right? And that didn't happen either, because no one knew what is that, what the way they call it, the moon math of zero-knowledge proofs. How can you ever trust it? No one would ever use it; Bitcoin's good enough. So we had to roll up our sleeves and create a new company to actually do the engineering to deploy this. This became the Zcash cryptocurrency, which is alive and well, and there's a whole bunch of other cryptocurrencies that forked off from this, and many other projects that were inspired by it to use zero-knowledge proofs in numerous other applications, whether blockchain or other. Daniel is from QEDIT, a company that commercializes these applications in the enterprise context, for disclosure right by them, and there are many others. And this is why I'm sitting here, because those zero-knowledge proofs that, you know, would never work, but if they did might actually be useful, have become useful. I'm seeing many applications, and we'd like to make sure that they're using it right.

Hello everyone. My name is Luís Brandão. I guess if the time to talk is proportional to the experience, I'll have just a little bit of time. I haven't been around for that long.
I finished my PhD in 2016. As a cryptographer, I guess my core area is secure two-party computation. As I was doing my PhD... I'm originally from Portugal. I did a PhD between Lisbon, Portugal and Pittsburgh, Pennsylvania in the West, and while I was in the US I had the opportunity to do a short summer visit at NIST, and that's where I met René, who I mostly work with now. We match very well in terms of interests related to privacy. And while I was still doing my PhD, René came with a problem where basically the government is trying to implement a system of brokered identification, where it's gonna make everything easier because you can have, no, citizens identifying to relying parties with the help of identity providers, but because there's a privacy constraint, where the identity providers should not know where the person is going to, the government is trying to solve that by putting some entity in the middle that is going to mediate everything, so that now the identity providers don't know where the citizens are going. And it's like, we look at this: okay, sure, but who's the... who's the person in the middle? And it would be a government-controlled entity.
And so that ended up actually being quite an interesting problem to look at from the perspective of privacy, where actually secure computation ended up providing quite interesting results, showing that, okay, even if you have to have that person in the middle, because it's very well justified, you can actually make sure that it's not gonna learn anything about the transactions that are gonna happen. Anyway, this is how I got connected to NIST and René, and then once I finished my PhD, I kind of... NIST looks a nice place to try out, and so here I am for the past two years. Just to try maybe a little bit of anecdote: this was just a few months ago. And this is just to mention something about, I mean, I think it's something always present, namely in conferences, the aspect of NIST, like, oh, you're working at NIST, like, are you one of the good guys or one of the bad guys? Interestingly, an interesting interaction a few months ago at a conference in Europe: you know, just coffee time, saying hello to people, and I say hello to this person and then kind of just showing the name, and the person says to me, "Oh, you're at NIST. I'm so sorry for you." And I'm like, "Oh really, why is that?" "Oh, because NIST sabotages standards," etc. And actually, I had quite a quick answer. It just occurred to me to say, "Oh well, then I guess I'm glad I'm there to make sure that it doesn't happen anymore, or at least that I can help that not happen." So it does feel to me that actually being at NIST is an interesting place to be to indeed bring in some interest for privacy and really making sure that we're doing good standards, but of course don't trust my words, but... but that's what it is.
That's what I'm trying to do. And it does look like a very... as I was saying in the presentation earlier this morning, even though I may not have a large enough historical perspective of things, I do think I bring a fresh perspective for some things, and I really feel excited about looking that this is the time where some of these things, what we're calling advanced cryptography, is coming about in terms of standardization. So it's a cool time to be here.

All right, so my name is Tanja Lange, from the University in Eindhoven. Unlike my co-speakers, I don't know why I'm here, but since I have the word anyway, I might tell my anecdotes. So growing up in Europe in cryptography, we've always been looking at the standards, i.e. NIST-slash-NSA standards, as something which is probably there in order to be against us. So we've been always looking at those things as something where, okay, figure out what it's like. We always knew that we're a little bit paranoid, but, well, it was not the good feeling, "Hey, this is something standardized, it's good." It was more like, "Hmm, are they trying to shove something down our throats which is helping them spy on us?" Well, and then some years later Snowden came around, and, well, at least there were some which were made to be well looking, well, not in order to make us more secure, but in order to make it possible for them, whoever they, them, are, to look at what we're doing and get information they were not supposed to. Now, my first step at that point was do a lot of archaeology. So I spent a long time digging through all the FOIA requests about Dual EC, so if you want to learn more about the history, how it was possible that these things happened... If you saw the approach it will run releases, then there's like the NSA bragging about an exercise in finesse, and you go like, yeah, okay, fine, show me what it is. I mean, this is their annual report, and when you tell your boss, hey, I did well,
please give me a raise, you will also say, hey, it was an exercise in finesse. But actually worse, now digging through all the details, is that the way that these standards work, and in particular at ISO, is somebody has to write this document, and then, magic, somebody is willing to take it over and do all the work. And so what happened at that point was that the US representative says, well, look, you just got another 40 pages of feedback with lots of nitpicky remarks, and the Germans don't like this definition, and the French and the British, and they are complaining. How about this? Here is our new and shiny and nicely written, and we already did the work of formatting it the right way in ISO style, which is not the way you would write your things, but it looks like... I just... how about this? And everybody said, oh, yeah, sure. That's an exercise in finesse: just preying on the laziness of people. Okay, so it was a little funny. I could give some talks about it. I could show how this is a back door. We showed how the back door could be exploited in real life, because the Director of the NSA was going like, well, I'll buy you a beer if you can show that this actually is usable. You never thought up on that, but then... It's fun, but it doesn't get you anywhere. It doesn't make the world safer. And so eventually it was like, fine.
I probably have to roll up my sleeves and actually go to those meetings, and, yep, it's still the same: if anybody is willing to do something, they get a shitload of work. So, well, please join and help so that the next standards are better, and please join only if your name tag doesn't say NSA, or, no, we can't say that, but we need more eyes on this. We need more people who actually have the background, because normally people who have time to go to standardization bodies... I don't really have time to go there, and I can't go to all of them, and it's so easy to slip some. And when you look at ISO, for instance, I've now been to ISO meetings. There are now a bunch of cryptographers in the room at the SC 27, well, JTC 1/SC 27 working group 2, which is meant to be the one for doing crypto standards. And there's a good number of people with different interests, and I'm happy to see the NSA there, and happy to see the Russians there, and the Chinese and so on, and a whole bunch of free-world cryptographers. And we are all keeping each other in check and reviewing things. But even in this one working group there is a huge flood of documents. I can't possibly keep up on all of them. Maybe together we can. But then there are other ISO working groups. So there is the ISO working group on financial standards, so the financial system has their own crypto things. There is something on small devices. There's something on this and this and this, and it turns out that if your crypto cannot get into the SC 27 working group 2, you can just go to working group 3. For instance QKD, which several of us have some loathe against, didn't manage to get into working group 2, and so now they're trying to get into working group 3, which is actually there, once there is a standard, that they determine how to qualify and how to measure this. Well, they skip the standard part and they just go into 3, and probably every customer will just say, ours and ISO standardized, check. That's fine.
So it's a huge time thing. But if each of us maybe does a little bit, we can do it. Now, the reason why I'm saying I have no idea why I'm on this panel is that my normal work is low-level crypto, trying to get signatures, encryption stuff, right. I dabbled a little bit in higher-level protocols, have done some pairings and such, doing mostly post-quantum these days, so I can't really help much with the fancy stuff. But then again, the lessons learned on being on those standardization meetings is probably similar to what we encounter elsewhere, and, well, maybe if each of us does a little bit, it can work.

So just to kind of address these points of "I don't know why I'm here": like, I think you're really, find somebody else, really answering your own question. Like, we want to bring all these people from different walks of life, right? I think Luís was, sorry, Ran, Ran was mentioning this this morning, that it's important to bring, you know, people from theory, people that are developing open source, people from advanced cryptography, not advanced cryptography, people that work in standards, people that don't work in standards, and all walks of life in some sense. But this also kind of brings me to think a bit retroactively as to the difference that I at least see in some sense from the past way of doing standardization, at least in cryptography, and the new way, and I think I want to ask you, like, well, why are standards important, if at all, right? I mean, there are some instances where they may not be important. They may be taken advantage of, and others not. So if I ask you all that question: are standards important? When are they?
You want us in order, or...?

Okay, so if anybody wants to answer, please just...

It depends. So I would say, if you need something where multiple people do something, it has to be interoperable, it helps to have a standard. If you just need something for yourself, for your own product, be it open source software, be it a commercial product, and you have the expertise to select something, you don't actually need the standard, and standards will get in your way in the sense of speed of product development, whatever. There is another place where standards can help, namely if you want to have some certification or some form of verification at the end of it. There are a bunch of companies which are well set up to test things that are in these standards, and if something is a newfangled protocol or newfangled cryptographic primitive, they don't have the expertise. I'm not saying that all of those things help. Well, I think they help; I'm not saying that all of those things work. We have seen, for instance, OpenSSL, FIPS certified, had a segfault in something which should have been tested and working. But there were probably other things that were caught in the certification. So some things it helps, and some other things, well, couldn't be bothered, I guess.

Maybe as a complement: I think a standard is a reference that people can refer to, and in good use cases, there will certainly be bad use cases as well, but in good use cases they can potentially serve to be a reference for best practices. So, for example, taking the example of threshold schemes for cryptographic primitives, where one of the goals is to have a way of enhancing certain security properties, such as, for example, better resilience against key leakage.
So if there are scenarios where it's likely that a key is under attack, there's some adversary trying to reach a key, then maybe at some point in the development of these schemes one can say, okay, maybe some threshold schemes would be a best practice to protect high-value target keys. And so once we have that reference, that's a reference of comparison: if somebody loses a key and was not using that, maybe it's an indication, well, it should have been using that, possibly. Another thing that I think can be a benefit, maybe it's a secondary benefit, but I think it's also relevant, related to Samuel's conversation, talk, today, is a standard may also indeed constitute a period of higher peer review of a particular method or operation, and it will probably lead to a better specification of a particular technique, and that may have its own benefit, I guess.

So in general, things, products that different manufacturers, companies, generate, and they need to work with each other, require standards. So in the case of cryptography, most cryptography really requires a standard in that sense, because you don't want just one company to be able to produce the products, but even different vendors, and to interoperate.
So in that sense, there is this operational reason for standards. But beyond that, in cryptography, we want to educate the world not to invent their own crypto. Usually it doesn't work well. If you don't want these companies to invent their own crypto, you need to give them the solutions, and this is one fundamental reason for standards in this area. And then there is the issue of best practices, which is also somehow determined by the standards. I'm not saying that our standards actually standardize on the best practices, so it is not necessarily the case, but if we want this to be the case, we can help by being involved with these things. One example of best practices that... So best practices also in this area are important for regulations. So, you know, when people have regulations on privacy or security-related stuff, then the standards also are a guide for regulators. And what I always... you know, that now people work on search on encrypted data, for example, and there are different methods. One of them, for range queries, is deterministic order-preserving encryption, which is deterministic encryption and therefore not a great encryption. So the question is, when a regulation or a law says that data needs to be encrypted, it doesn't say it needs to be encrypted with semantic security, right? So the word "encrypted" is not sufficiently descriptive. If there is a standard to cite in relation to that, then you get much more information on what really is needed or meant.

I think another consideration is lowering the barriers to adoption, especially for technology
that's as new as some of the things we are dealing with here, where knowledge is not yet ubiquitous for anyone to just pick it up and do it in-house. Then we need standards for the same reason that we put guiding rails and handholds on the hiking trails. Right, they may save some experienced hikers from falling to their death, but also they will encourage less experienced hikers to take the trail in the first place, and with the very complex and nuanced cryptographic primitives that we are dealing with here, there are many people who are cognizant of the dangers of doing it wrong and so would only start the hike if they feel that it's well marked, and others that we will save from certain that they try to just wing it. And I think this discussion is important because it shows that there are different considerations for the different phases of the evolution of the standards. In the initial ones, where we are, the informational aspect is crucial, whereas later on it's the normative one, that's essential for interoperability, that I believe takes over.

Maybe if I can just kind of follow up on that, it's a great point for the next question. But also, like, when you mean lower the barriers for adoption, it's also in some sense lower the barriers for entry, right? The fact that you can give this tool or the standard to someone that doesn't have the money to implement this stuff; maybe they can just take the standard, implemented, without having to go through a long process, right? But so in terms of adoption, right, we have this kind of question, or this tension, I would say, where in some cases technology is just being adopted by companies, and that's when sometimes the motivation to create a standard comes into place. In other cases you have, right, open source projects, for example, that sort of create an ad hoc standard, right? So what really goes first, like, a standard or adoption, right?
This is I think a question That may resonate with some of you Standardizing effort But I do want to say One of the advantages but also where I would see a need for You know so some drawbacks or some cons for this Standardization is You know we're fundamentally I agree with everything that's said here We're living with a advanced crypto message that fundamentally are addressing Decentralized trust so bringing distrusting parties to automate the processes and the interaction between them So how can I bring somebody that doesn't trust me? If we don't even agree on the formats or the standards or the primitives Clearly there's that need. There's also a need to consider the societal Impact of the technology that we create And if you just let open source ad hoc or even products Create facts, you know an ad hoc standards You might not have the responsibility and the protection of regulatory oversight And generally you know even economist or legal advice as to how to best Create technology that we can be accountable for and that takes into considerations all these aspects Related to that is the issue of transparency That's one of the things that you want to to Guarantee or provide provide as much as you can We we have examples of mist is a perfect case of extreme non transparency and extreme transparency the non transparency with the famous The random generator And great transparency in all these competitions Yes, and the hash and now That is very open and so you mean the period of next pre-luis and post-luis. No, no I mean, I think that they when a yes started the Louis was in high school or something like that But Yeah, anyway in general the issue of transparency and even in cases where Standards are developed in some chaotic way, but with transparency. 
that's already some level of assurance. No guarantee of something great, but at least assurance that things were put on the table.

So I think guidance is wonderful and definitely desirable. But when I think of a standard, I think of something which is unique. There's the standard for doing something, whereas when I hear guidance or something new, then I think, okay, fine, it doesn't mean that we have selected which of those. It's just like, everybody who does something should also give guidance on how to implement it properly and how to take into account whatever considerations belong to this protocol, but that to me is not a standard. Since you just mentioned the random number generator, I mean, that's the one where Dual EC is in; this was in some sense an open process. They had two conferences where people could give feedback, but it was not a competition. It was something where NIST posted this thing as they post, I don't know, 20 or 30 things per year. Send them, and you can be on the mailing list. You get a notification: hey, there's a draft, please comment on it. But to me this is more like a denial-of-service attack. I don't have time to look at all of those, and so in the end I go like, yeah, fine. And the same happens with ISO, the same happens with IETF. There's too many things, and if we now say you want to have even more standards, that means we're spreading even more thinly. And so that's why I'm thinking, let's hold back on things. Let's do community focus on a few things that we can actually handle. And I'm happy to see NIST doing post-quantum. I'm happy to see NIST doing lightweight.
I'm happy to see NIST doing advanced crypto, but does NIST, and does the community, actually have enough manpower, or cryptographer person-power, to handle all of those, or are we losing focus on things? And yes, I do see that you would like to have some advanced things, that it would be nice to have a standard on zero knowledge, but you also want other people to have reviewed it, and where do they come from, because they're currently busy with the other standards.

So on the question of when the time is right to start standardizing, and should we standardize before there's adoption: well, first, sometimes yes. For example, with post-quantum there is no substantial adoption of post-quantum cryptography, but we all understand that it needs to happen ASAP and it needs to be highly interoperable. But even for things that are much fuzzier, like zero-knowledge proofs, while it's definitely too early to have normative standards for specific algorithms that everyone should use, there are already fragments that are very useful to standardize, like interoperability at lower levels of the stack, benchmarks, conventions and terminology, because they enable the conversation. Even this conversation is useful for the practitioners who can already use these components. Crucially, it's also useful for the researchers in academia who are building these components, because they can talk to each other more effectively. They can fairly compare things in their performance using common conventions for benchmarking, and often the conversation also raises new research problems. For example, the work that Ran Canetti presented earlier about UC modeling emerged from the first ZKProof standardization workshop and the need recognized there to better capture these properties. So I think we should not overreach and not become rigid too soon, or aim to solve the very difficult problem of whose scheme is best, but we should look for the places where meaningful impact can be made earlier.

Solutions... There's certainly a
conflict there, especially with very rich functionality, where, for example, performance depends drastically on the application domain. The approach that we are taking to this in the ZKProof standardization effort at this point is a descriptive rather than prescriptive one. We are trying to comprehensively describe the different approaches and the main trade-offs, to help practitioners place themselves in the large engineering landscape of possible approaches. I assume that this will eventually converge into a smaller choice of concrete...

Okay, I think that we just have a different idea of what standards... of what standardization means. To me, it's like a standardization body says something, whereas what you're saying is the community working on this gets together and comes up with, hey, how do we decide to write these things down, and it's not a selection of an algorithm. It's the selection of a presentation way, of an evaluation way, and so on.

That's... this is the component that I stressed so far. It certainly goes beyond that. For example, in the ZKProof security track, that deals with algorithms and security definitions, there is an ever-evolving survey of the specific algorithms and approaches, not just the conventions used to designate them. In the implementation part there is a detailed discussion of the modules and best practices for implementations, and an evolving taxonomy of existing implementations and the properties. So there's a lot to do that is just at the descriptive level and yet is substantial.

So one note that I think addresses what Tanja was saying with respect to the denial-of-service problem, which I think is a real problem, and in the aspect of the right time for standardization. I think
another element that we can look at is not necessarily whether it's the right time to standardize but whether it's the right time to have a standardization process. And so then what we can tune is the speed at which the process goes. And so I think if we realize that we have a potential for the denial of service because there's not a lot of people, we can potentially go slower until we actually... I mean, whoever's leading a standardization effort can be aware of that and can make sure: look, guys, we're only gonna advance if we actually have collaboration. So at least from the perspective of... we, I mean, the privacy-enhancing cryptography team, is having, at least now with respect, let's say, with zero-knowledge proofs, is that we're emphasizing this aspect of developing reference material and positioning. I mean, we even put that as a disclaimer when we made our initial comments, that, no, this doesn't mean an endorsement for standards; it was really because we feel that that process is important. So the process of building reference material is a time during which we are getting informed. We're also putting our contribution.
And so I think that aspect of speed, so basically not looking at a particular time for standardization, to have a standard, but a time to have the standardization process, I think that gives us more flexibility to have a more secure process.

Here's a concrete example. Right now there is a call for proposals by DARPA for the SIEVE program for building zero-knowledge proof systems. It's going to be funded by many tens of millions of dollars and consist of multiple teams constructed into several tiers, and there's TA1, which deals with the specific applications for zero knowledge, and TA2, which deals with creating the back end that actually runs the zero-knowledge protocols. And here's the thing: there will be performers, dozens of researchers funded by DARPA, and some will be building these applications and some will be building these back ends. And they need to talk to each other, and some groups, most of them probably, will only be building the higher part or the lower part. So how do we make any of these talk to any of those? Right.
So this is essential for a project that the US government has deemed essential for national security. And it requires, yes, some form of standards. And specifically for these and similar applications, we're developing the ZK interface standard as part of the ZKProof standardization effort, which aims to achieve interoperability at the level of conveying the statements to be proven in zero knowledge between the application layer and the cryptographic layer. So we have seen this kind of concrete engineering needs already at this very early deployment, even research, stage.

So maybe I want to even take a bit of a step back. When both of you were also answering at the beginning of this last question, we were mentioning a lot this idea of, right, a responsibility and accountability and transparency. And I think maybe even going back to what Tanya was also saying before, this idea that there is kind of very little involvement from academia, because usually, or traditionally, industry has been driving the standards, or standard bodies have been driving standards for industry. But now we're kind of seeing, and I hope that this is the case, that maybe standards are a way to bridge academia and industry, right? And this is a way to bring accountability, because there are sort of inherently different interests from both sides. So my question, I guess, is two-fold. One is: is standardization the only way to bridge academia and industry? The other question is more on the lines of, I guess, what is the best, what is the better way to standardize: through standard bodies or through community efforts, right?
So I think that, yeah, there are many different ways of having community efforts, industry-academia partnerships. Standards is one way, and it depends a lot on whether the interests of the academia and of the industry align and they happen at the same time. When I mentioned the mid 90s, you know, when I was working in the IETF, there were very, very few cryptographers involved with that, even though very, very important things were happening, because, you know, the things that happen at the beginning, it's very hard to change them later. But there was no awareness in the academic community that actually something is happening in the world and we are not participating. So definitely standards is one way of doing it. It depends on the type of standard. There are some standards that no academician will be able to work on, because they are boring and they are bureaucratic, they are closed, and you need to be a member or so. So there are different constellations. Right now, I mean, when these things happen together is the best. Now, in the last years we saw it for the development of TLS 1.3. I mean, an amazing joint work of the industry, of the experts in TLS from the industry side, and cryptographers and security people and formal methods people. I mean, really a huge collaboration that hopefully ended in a good protocol; we'll see in the years to come. But the truth is that there is a very good track record that when cryptography is done with proofs and professional cryptographers, the results, I'm not saying that they will be perfect, but they stand time much better. Yeah, so again, I won't say that there is one model that always works better than the others, but the point is that the weakest link are us, the researchers, because we like to work only on what we like to work on. And if something requires too much involvement with details and stuff like that, then many of us will not do that. So it's really a responsibility on our side.
I mean, we cannot wait for the industry to come and say please, please help us.

This is a very, very important point, right? I mean, I don't want to stop anybody else from answering the question, but how do we incentivize researchers, right, cryptographers, to be in these things? This is kind of going back to what are the different interests.

The support was who I was saying: look, do you know if anyone, nobody who made tenure because of the contribution to There's just, academia traditionally does not have the recognition or the resources to invest in this really, really important, noble, holy work, and it's not a work of, you know, one month. It's a lot, a lot of investment, time investment, and it is grad work and talking to people and things that scientists are not And the reason you're now seeing, you know, some convergence is because academia is becoming much, much more industry friendly. Anyway, everybody's doing standards. Everybody has business. So now there is resources and the incentives, there are resources, incentives, both on advanced prominent scientists. But my providing answer is, unless you have the business reward and credit to do that, historically people Don't cover Smith I mean

Sure, but I mean, the academic system is not set up to reward you for wasting your time on standards. Well, I don't have money to go. I don't have time to go. It's against publications. So I mean, I'm doing it for the good of the world, but I'm a total idiot for doing it.

So, but I think that when you talk about working on standards, and when I talk about working on standards, I think we have a different feeling about this.
I wrote many papers thanks to my involvement with standards. People were defining things and I was, you know, we are talking about cryptography, we're talking about developing cryptography: inventing, defining, proving. So this is part of our research work. It's true that you have to spend time interacting with the engineers, interacting with industry, which I usually find painful on one hand, but also a great educational experience and a great source of problems to work on.

I think there's one big difference between what I'm talking about and what you're talking about. You're talking about standardizing your own algorithms. So you're mentioning AES, mentioning SHA-3. So you have an inherent motivation to see these things getting used, and yes, then it's totally worthwhile to invest a little bit extra, or a large bit extra, to push this into a standardization. What is your motivation to go for the year or two years while this is in discussion? What I'm talking about is that there are a lot of standards which are being written, which are being pushed by industry for their own interest, and they have the same idea: hey, look, we have this thing, one of our designers did this, we now would like to have a stamp of approval of IETF, ISO, ETSI, what have you or not. And spending time on reviewing and cleaning up the mess that is there, that is not very rewarding. But it's also necessary to do, because we see those things getting used in products. And if you were yesterday at WAC, every single paper was showing a really fatal flaw in real-world deployed things. And essentially everything was based on the standard, where the standard was just flawed, because we as a community don't have enough time to review all of those. And I'm not talking about AES or SHA-3, that was lots of community involved. I'm talking about all these other things which fly by and say, hey, do you want to give the comment on this
standard?

I very much agree with that, and we see that not just in the heavyweight ISO processes, but also in the community-driven ones, where a lot of the effort is a bit like a potluck party: everybody comes along with their thoughts and pet peeves, and you need to somehow call all of these together into something coherent, and the most effective way is to leverage those pet peeves into, you know what, if you're so pissed about that, why don't you write that chapter? And sometimes it works. Often it doesn't. Often they have the full intent to do it, but once they fly back and have their teaching obligations and their deadlines and their grant reports, then the energy dissipates. And I think we're still learning the ropes of how to create these skills out of people's spare time and best intentions.

Just a comment on standards. I conceive that the notion of standard does include the case where people want to standardize their own things just for the sake of standardization; it becomes a reference. So I think where the issue may be is how do people recognize standards, and which standardization bodies with particular missions recognize particular standards. So this was actually a question posed in a previous presentation, where, I mean, I posed this question about, okay, if maybe one of the benefits of standardization is that it goes under a better peer review and better specification, okay, if that's the only thing that that standard is achieving, then if people know that, then it's not a problem. It's basically a paper. So to a certain extent, I guess depending on the application, sometimes what we need are actually meta standards, which are standards saying these are the approved standards. Actually, to a certain extent NIST does that in particular settings. It says these are the particular standards that we accept for signatures, etc.
And that particular vendors need to use if they do business with the government, for example. So, yeah, I think, I mean, I felt this even while I was preparing the presentation for this workshop. The question of what is the standard comes back and forth, and usually we're talking about standards and we have an implicit mindset. So maybe sometimes it's better that we disambiguate what we're talking about.

Okay, thanks. I think we spoke a lot about, like, the origins of standards, like where do the standards originate, what is the best way to proceed with that, what are the incentives, and now I want to ask, like, okay, now we assume that we have some standard. For example, there is this tension that we kind of are all aware, maybe secretly aware, that standards can somehow stop innovation, right? So, right, companies can adopt some standard, they implement it, they put it in their product, they integrate it and everything's good, and then, you know, a few years later suddenly it's broken or there is a better standard, right? Are researchers motivated to look into this new direction when now there is a standard, and you know that maybe it's not gonna be adopted? What's the tension here? How do we form standards so that we don't stop innovation, right?

Are we talking about good standards or bad?

Well, I think the quality of being good or bad can actually be, it's a contextual property. It can change over time. I think, I mean, I think the answer can go both ways. So if we develop a good standard in a particular good point in time, that can promote adoption, can promote innovation, can be a good reference for people to do more research and innovation along that line. Now, if we have a context where compliance with a standard is required, and the standard becomes obsolete, and the standardization context is not able to revise the standard, retire, withdraw the standard, or replace it by something else, then that's a problem. Again,
I think in a big part that may be an issue not with the standard, because, I mean, at least in this use case, the standard may have been good when it was designed. It may be a problem with the structure that holds the standard. So let's say that AES, I think it's a great standard. It went through a good process. It's holding fine. Let's say that next year it's broken. Can we change it immediately? If we can't, then we have a problem, but is it because the standard was bad? Well, it was bad, now we know it, but previously it was a good standard.

But correct me if I'm wrong, you're talking about more like the process, right? So on one hand you have the process, on the other hand you have the adoption part. So talking for example TLS, I think this could be a good example. A new standard was created for TLS 1.3, but how many companies, or how many, like, services adopted TLS 1.3 at this point?

Special case in which the adoption is going very fast, but that's mainly because once the browsers support, and all the browser vendors adopting very fast. So that's relatively fast, but standards like TLS, I mean these that are not the block ciphers, not basic primitives, but protocols or modes of operation, these should be built in some flexible way so that at least the components of it can be replaced. So that's a very important consideration to have in mind when you develop a standard. Make it, I mean, there is a tension between making it flexible and making it too flexible. Standards that have too many options, problems of interoperability or complexity. So you need to find some balance, but definitely there needs to be an element of flexibility, agility, in which you can change the components. Anyway, when a standard is finalized, the interest of the designers goes down, but the interest of the cryptanalysts, because now you can write a paper: I broke TLS 1.3.
I broke the So there is, I don't think anything

If anything, I've seen in my life a lot of standards, not just in cryptography: CORBA in distributed computing, P4 in networking, where the standard, or sometimes it's just a de facto technology standard, has some, let's say, limitations or constraints, and there's a whole ecosystem and research field born just around dealing with the constraints that the technology has created and overcoming them. If anything, I would be concerned about, you know, all this energy Ranking or dealing with Hope we can't

So maybe a bit more, I don't know, technical question, but along these lines of having a standard already set in place. The question is really, like, we're talking about advanced cryptographic standards, but really, to be honest, all this advanced cryptography actually uses primitives that are not so advanced, or whatever we define as advanced, right? What do we do with these standards, right? These are common. Like, if I put this specific example of threshold cryptography, homomorphic encryption and zero knowledge, right, at some point or another you're using some commitment scheme, or at points you're gonna be using some signature. Maybe not all of these are standardized. Are we too early standardizing advanced cryptography? And what do we do about these common primitives? Do we all standardize them individually for different applications? How do we deal with this stuff?

To some extent we are jumping ahead by leaving some of the easier tasks behind. By we I mean the human race, not we specifically. We are standardizing what we care about, but there are many simpler primitives that aren't fully standardized, things that are much better understood.
In fact, three years ago Nigel Smart and several of his associates wrote a pointed letter to NIST asking for more attention to standardization of cryptographic tools that are pretty well understood. For example, zero-knowledge proofs, but not the fancy general ones that we're dealing with now, but rather things like a Sigma protocol for discrete log, and Pedersen commitments and the properties. Oblivious transfer, garbled circuits is a bit pushing it. And these are things that, especially the first few, have converged nicely. They are building blocks in many existing protocols in industry, as well as the protocols that we are dealing with here, and it would have been nice to have those covered.

By the way, with the soon-to-be approval of EdDSA, it essentially contains a ZKP of the discrete log embedded in it.

Just one thought. So I think as we move further into the future, and assuming that we will be standardizing more generic SMPC, I think there will be a point indeed where it will make sense to have a good reference definition slash reference, something that we can reference, if not an actual standard, of some things like maybe garbled circuits, oblivious transfer, some commitment schemes. But going immediately to those without knowing what is it that we're going to want to do with them might not be the best option, if there's a possibility that when actually we go for the more advanced things then we actually needed a little tweak of the commitment scheme. Now, having said this, I actually think that threshold cryptography is in a kind of a sweet spot in the following sense. It does require, let's say for the multi-party setting, it does require exercising some SMPC in certain cases, but the actual scope of threshold cryptography, I mean, if we look at it from one of your threshold schemes for approved cryptographic primitives, it actually has a very well-defined scope.
So even though we might be looking at, maybe we can call it, a large number of possible standardization elements, it still comes down from a small number of primitives. Let's say we may want to do threshold RSA, threshold ECDSA, threshold EdDSA, although the post-quantum is still in the evaluations, it may take a little bit more time. The point I wanted to make is the following: if we say that what we want, let's say in the next one or two years, is a threshold version of ECDSA or RSA keygen, and we know that we're going to have to use, let's say, an oblivious transfer there, then we're talking about one standard that is going to use one primitive. So maybe the actual exercise of doing the full standardization is what we need to actually define within that own standard one implementation of one, let's say, oblivious transfer, and I think that's a good exercise without having to commit that we've standardized oblivious transfer. Because now when we go for the next, maybe more advanced, SMPC protocol that also requires oblivious transfer, then we can analyze, okay, can we use the one that we already used, and then if we can, we can just refer to it. We can even, if we want, at that point actually remove it to a standalone document. But then we also retain the possibility of saying, you know what, for this primitive it was a good exercise to have done that oblivious transfer, but now we want a slightly tweaked version. So I guess a summary of what I'm saying is, while we have a small scope where we're just going for one or two advanced concrete protocols, I don't see it as a big deal to actually embed in the standards the primitives that we're using. And then when we start defining three, four or five advanced protocols, then by then we have learned with the experience. One thought.

Thanks. So I want to kind of ask a bit of a technical question, but I think it's a very interesting one, where, going back to the tension between academia and industry and interests, in the
industry we have kind of a legal framework for processes and for applications and things that are already established, right, almost trust models, but also like a legal punishment for behavior, for malicious behavior, let's call it, right? So can we justify the effort from, let's say, our side, as researchers, to, right, ensure or enforce non-malicious active behavior in these cryptographic protocols, when we know that whenever there is going to be a cheater there's going to be a kind of a breach of contract and legal consequence, right? And attached to this question is kind of the idea, so can standards kind of help define regulatory and legal frameworks, right? So you want to define standards for detection and for punishment, right? So in some sense cryptography can enforce behavior or can catch bad behavior, right?

So, put otherwise, you're saying why even bother with the fully malicious model when we can assume that everybody is honest but curious, because if they behave maliciously they'll be thrown to jail. As long as they come

Exactly, and that's the answer, right? So we have scenarios where people are not associated with robust identities and are not accountable in the standard world of legal enforcement, and maybe the clearest one is blockchain, right?
You are respecting transactions that were posted by unknown people, and the only way to make this work is by not assuming that there is any recourse other than a cryptographic one to ensuring the correct behavior. There are other scenarios where there might be fallback alternatives using society's legacy ways of enforcing correct behavior, but those are very expensive. It's true that humanity has spent the last few, maybe tens of thousands of years building civilization, aka a way to enforce norms, but it has many costs. It has in liberty, in resources, in performance of these systems, and to the extent that we can replace norms enforced the good old way with real-time cryptographic protocols, often there is a benefit to that. And these places that they think are being monetized by many of the names you'll see on the sponsor list of this workshop, figuring out that this can just make their current processes work better with fewer assumptions.

I'm one element announcement about One thing that you cannot expect is the judicial system to understand cryptography. So to this day, the digital signatures, still has a problem dealing with them, and accepting forgeable paper signatures, right? And word of gentleman is still better than zero-knowledge proof or explicit proof, full-knowledge proof. So I think that there is an issue, which is the issue for regulations, right? It's a big deal and we have to work in that direction, even if it works very slowly, but it's a very important aspect.

I Basically constitution, right, all modern society: unless you committed a crime, you will not get punished.
I think there's a very dangerous Social rating

Yeah, I think I do have some concern with the premise of the question, which is, well, assuming that we can catch people, and, I mean, even if we catch people misbehaving, that does not necessarily mean that we can enforce some punishment. And I guess a full answer to the question would also have to be parameterized with what is the cost of being caught versus the cost of actually achieving whatever we were trying to get to, the malicious behavior. But two extra thoughts. One is, one potential problem of standardizing, let's say, semi-honest secure, passively secure protocols that completely break down with an active adversary is the problem of misuse. So now you have a protocol that is stamped, this has been zero-knowledge proof or SMPC in the semi-honest case, and then for the people who are not cryptographers: oh, we're using a secure system, therefore we can just do whatever you want, right? So it's the problem of the false sense of security, and I think, I mean, in general the problem of misuse of protocols, of devices and all that, it's a huge problem in cryptography. So I would tend to say, if we can do maliciously secure, actively secure, or secure against malicious adversaries, then I think we should go for it. At least in the SMPC arena there has been a convergence with respect to the costs. Previously it was like, let's say, 40 times difference, and then in a lot of settings the factor of difference has decreased a lot. Just a final note is that, at least in the SMPC area, we actually have, I mean, a good characterization between semi-honest, malicious, and then we have the covert adversaries, or the covert adversary model, which actually exactly measures the case where adversaries behave based on the probability that they can be caught.

And so I want to strongly agree. This goes back to the responsibility. You know, fundamentally creating very
very serious technologies here, and if you give a false sense of security because we are experts, probably what we created is secure, the responsibility and the accountability is on us, so we should aim for the lowest denominator. But we're just one extra technicality in this. I mean, it's really here again where I think societal scholars, lawyers and economists should be involved in the process, not just us technologists. Yeah.

One technical aspect where it would be an analogous question to which I have more hesitation in answering is the case of adaptive adversaries versus static adversaries, where in the secure multi-party computation at least there's a lot of cases where we can do the proof for static adversaries, we don't have the protocol for adaptive adversaries, but at the same time we don't know of a real practical attack that would break down the system, and so in those cases it's a little harder to say. And so I guess what I want to say is I would be inclined to accept a static malicious, so a protocol secure in the static malicious model, if I don't know of any practical attack in an adaptive scenario, and I don't know any protocol that is efficient, at least in an adaptive scenario. Whereas for the semi-honest versus malicious case, it's a much easier answer, like go for the malicious.

It also boils down to what Aaron was saying before, that we need a lot of user guidance, that it's actually less important to have, like, the concrete scheme, but it's important to say in the annotations what does this achieve, what do we expect, and what can you expect to come out of it.
Many of the things are context, the context, application. So when you build a primitive, that primitive

We have more questions, but there's basically like 15, 20 minutes left and I want to open it for Q&A. So if you have any questions, you want to come to one of the microphones and ask anything you're interested in hearing from the panelists.

To ask one question, which is about formal methods, and how do you think this technology may be used in cryptography or standards? Whether it is, like, usable right now for customization processes, or does it need to be improved right now?

So Hugo already mentioned the role that formal methods played in the definition of TLS 1.3. I think that's a great achievement. At the same time, what I as the rather layman user would like to see is that I can actually use this on things that I'm kind of prototyping or something, and so, yes, I think more has to happen, it has to be easier for me to try it, but yes, please be involved. And you saw that the previous talk was easy could being used on a case. I think this is helpful, and if there are candidate solutions, it would be nice to get them formally verified, or shown to be not verifiable, in which case they should be fixed.

I don't think that there is any excuse to have something standard, or an important component, there is no excuse not to be analyzed through these tools. You know, I'm not sure about the completeness of these tools, but they are great debuggers. I mean, again here TLS 1.3 is an excellent example. People have been working with running these tools and, you know, they found problems, they found issues, gave guidance on the design. So I think that

No, but we have a bootstrapping problem.
We have a bootstrapping problem.

No, I mean, really I think that we should be analyzing stuff as much as we can. We're using the Which will keep improving. Thank you.

Thank you very much for this discussion. I found it really interesting and I appreciated the balance of, say, like the positives of standards efforts and some of the things to be concerned with. I guess

I have to interrupt. You'll say that your talk, you know, they are you see how do you call it? Yeah, so see it's an excellent example. It's not the automated tools, but really building stuff in a way that you can actually apply these tools or these formal logic. Thank you.

Just wait till what I was gonna ask. Totally derailed. I have big, big questions kind of about how to, you know, know, like, what are the things to watch out for, like what would it mean for a standard to be bad or to go wrong, that there might be pitfalls to learn from, but I wanted to phrase it as a more, maybe hopefully, interesting question. Like, do you have any horror stories or, like, anecdotes of standards gone wrong? Maybe like the second worst standard to the Dual EC, one that we might learn from as a counterexample.

Every single talk yesterday at WAC, the workshop yesterday, Workshop on Attacks in Crypto. Essentially everything was standardized and broken. So there was Bluetooth, there was WPA3, very new standard and also broken. So these are the last two talks that I might have, but everything before that as well.

And what is there to learn from those though? Like, is there

So some of those I would say are closed community, no feedback from the outside kind of standards, and I think this is kind of a warning flag for me by now. It would be much more surprising to me if something which had gotten a lot of community feedback and review, I mean, like for instance, you mentioned formal methods, there have been pieces now with TLS 1.3, with all the praise.
It's still not in one model as deep, everything together. So there still are some little cracks where things could go wrong. But I would be much more surprised with things like that going wrong than with something which was cobbled together because somebody needed something and nobody ever looked at it.

These two standards, Clipper and Capstone, including chip manufacturing, was broken within less than, I don't know, 60 days. Matt Blaze, among other people at AT&T Labs, showed how to break that, but basically this was supposed to be the only way you encrypt audio, you know, audio signal transmission, by a government standard, and luckily cryptographers, or cryptanalysts in this case, broke it. So they kind of died a peaceful inside and death. That was a horror.

I think another cesspool of horrible standards is blockchain. What we have is many blockchain-ish projects out there who are building what are de facto standards, because they are actually executed by an interoperable network consisting of many thousands of nodes. So they may not use the s-word, but that's what they're building, and somehow they think it's fine to do so without even having a specification for their protocol, let alone any form of analysis or review process, and because it's ternary rather than binary, then it must be fine.

For example

Oh, yeah, so if there's one thing that we need to stomp out, it is this comfort that those fractions of the cryptographic community, broadly construed, have with just putting random bit operations together, or some field elements and group elements, because they kind of type match, or you can typecast them and then they type match, and calling this a cryptographic protocol that people are actually entrusting with many millions, perhaps billions, of dollars. This is the elephant in the room, right? Some of these people are probably fine, but many of our colleagues, or colleagues, or those who couldn't have been our colleagues, are actually out there right now doing very evil stuff.

You think
knowingly or by incompetence? I mean, do you think malicious, or just they're cobbling together with the best intentions and just don't get it right?

I think most of these are incompetence, or the very closely related meeting the deadline and not bothering with the advice they got, to actually overconfident.

By the way, I was thinking during this discussion that we should standardize on the notion of standard, because I think that one thing that we don't necessarily agree on here is what does standard mean. But anyway, this is an example which I don't see why you call it standard.

Well, if you're so pleased, then why don't you write that chapter?

Okay, so since you asked the question, like, how can you recognize a bad standard, what does it smell like? So find some standardization body where the membership fees are high, the access fees are high, and they charge for attending meetings. If you take all three of those, fairly likely not gotten any review, and they randomly pick people from different countries. You can embellish this. Yes.

Yeah, this I wanted to You use the term bad or good. I would like you to look at a standard as something living, with a life cycle, as any asset in the enterprise. It has got a life cycle, and one thing that I would recommend in any of your work is put a version. You consider it as a block or an asset, cryptographic thinking, model of the world, put a version to it and look at it. My experience is 25 years of running People services. I don't build them, I use them, and I have to replace asset number With asset number three. And that's what I do as a leader. So try to think of it as is. Yes, you have a very good tool as a version, but 20 years, I'll have to replace it. I'm sorry. So please look at it as something that is a living architecture that we have to maintain, one or two generations. Thank you.
That is a very, very good point: the issue really of agility and flexibility that we need to put into all these things from the beginning. In some way the fact that things like your knowledge are not mature enough really to be a standard, maybe advantage, because you're less likely to, you know, to put something very. You're already has a version 0.1. And this agility is also proving useful for the research that will lead to the consolidation of the standard. For example, it allows us to plug and play with different approaches, schemes, and compare them in terms of performance, because it was built in the first place to allow you to change the back end in a very convenient way, even if you use a different representation. That is the ideal that we're striving for, that the interface makes some headway towards. So to the extent that standards are intended to foster this competition and collaboration, and putting the TA1 and the TA2 that they discussed earlier, that plays very well also with the fluidity and agility that come later on. Thank you. So before kind of wrapping it up completely, I just wanted to kind of say a couple of conclusions that I got from this, and thank you all for sharing your experience and your views. It seems like, you know, cryptography is still at a very early stage, right? We really started, you know, 50 years ago, right, 60 years ago or something, with computers, and advanced in some sense, and now we're at a point where we see that really academics are getting more involved with industry, whether it's because the industry is asking for it or because there is more incentives in the industry than there is in academia, right? And hopefully now we're gonna see this trend where adoption is done in the right way, right? Like if you think about how, like, I don't know, physics and engineering, right, came up to be, and how it transferred, knowledge transferred from academia to the industry, right?
People wouldn't have thought to put people into a rocket and shoot them out to space if it wasn't with the proper set of physicists and validation of techniques, right? This is kind of the analogy that we need to get, that we wouldn't deploy secure systems where billions of dollars are based on without the correct processes and correct very validations. So in this sense, I guess either we need to change the incentives that exist in academia, or we need to make sure that the industry can counter that by asking and providing those incentives, right? So in general, I would just say if you're in the industry and you're building something, then make sure you involve academics, and if you're in the academia and you want to standardize something because you think it's useful, make sure it's useful before, right? It kind of goes both ways. Yeah, if there is any more questions; otherwise, any more comments on your end, maybe some conclusion remarks that you also want to share? So maybe let's thank the speakers and the panelists.