Thanks a lot for coming to a mathematical talk so early in the morning. I am really thankful to speak here about this, and the topic of my talk today is more a to-do list than providing infinite wisdom to the audience. I'm glad that a lot of people are doing crypto parties and stuff like this, and so I want to push your attention also to a crypto event taking place today at 14:00; Hanno will make some remarks about this at the end of my talk. And it fits really very perfectly, because we had the situation, which is a bit surprising, that in the Snowden discussion Edward Snowden made a statement not only that crypto works, but even that crypto is not an art: it's a basic protection, a defense against magic, against bad and dark attacks against us. And so you might ask, if crypto can deal with this, is it something like a kind of magic, and do we need people wearing funny hats to present it? And the solution is surprisingly nice: it's not magic, it's mathematics, and mathematics in a very beautiful form. To make it also very clear from the standpoint of a scientist: if we use crypto in an appropriate way, we can with a little change turn the world in which we communicate, our digital world, dramatically, from a situation where secret agencies and other organizations wiretap everything to a world where the secret agencies wiretap everything and can do nothing with it. I make it in this small Python statement: if you encrypt a message with RSA and send it out, and this communication is wiretapped, they can only recognize very long, very beautiful randomness. So it is really a dramatic game changer, and for us in the crypto research community the question is now a very central one: our work has become so important that we really should take into good consideration what the social impacts of our work are.
And I'm very happy that my work is in a field where scientific advances help the weaker persons. In most scientific fields you have the situation that if you develop something new, it usually helps the powerful people. In the case of cryptography, it helps really by definition the people to defend against a very, very powerful attacker against our systems. To make it very clear: even our smart cards or the SIM in our mobile phones can encrypt with very simple algorithms in a way that secret agencies cannot access the communication that is there in the air. To be very clear, crypto solves not every kind of problem. So the main purpose is now how to use crypto in an environment where the secret agencies wiretap everything, and so my idea is to present some stuff which helps the weaker people to empower the confrontation with the secret agencies. And the situation is not so bad; it's becoming much better than, for instance, two years ago. We have a lot of fields where we cryptographers have to do some work, but in some fields we have really remarkable results within the last time, and even better, a lot of our results are now put into internet standards and stuff like this. The main point I want to address is that we should ban weak crypto. This is a field where we can really change the whole game by setting a check mark in the right place; in most cases just deactivating RC4 is a solution for the problem field in the area of symmetric crypto. We have... oops, battery. I love my Linux. So, the second part is the field of hash functions.
That is a bit of a scary situation, but even this field is getting better. A problem field I have really also a long tradition to rant about is elliptic curve crypto. In this field we have a total mess, and the total mess is generated by the National Institute of Standards: if the National Institute of Standards standardizes a backdoor, which is very open and easy to see, then they have to deal with the problem that nobody trusts their parameters. And in the field of elliptic curve cryptography we have a lot of critical parameters, and if we don't trust the organization which provides us these critical parameters, we are in deep problems. So elliptic curves are something where a lot of interesting research is going on; nevertheless, it's a field where I have a lot of worries about. The last two parts are post-quantum cryptography. I think we should think about post-quantum cryptography now. I don't know exactly in which state the attackers' quantum computers are, but the engineering mindset in me says that it's good to be safe; it's better to be safe than sorry. So I think we have now the time to invest some money for strange mathematicians developing strange algorithms, so we can deal better also in a world where quantum computers are a real problem. To make a short explanation: a quantum computer would dramatically break not only RSA and Diffie-Hellman, but even breaks, in an earlier step, all elliptic curve cryptography. So it's an interesting thing to put some efforts in there, and I want to close with some optimistic remarks.
I think we have some social protocols and some advanced cryptography which could be very helpful to generate an environment in a digital world. How can we eliminate weak crypto in our ciphers? I have written on these slides of the last millennium, and I give a talk about Windows security today in the evening, and I have realized that the two main problems in the actual patch disaster of Microsoft are really coming from the old crypto wars: the FREAK attack, and the second thing is using a very weak hash function. So it's a very interesting point that even the transformation away from weak ciphers could lead to a lot of practical problems. We should also take into consideration that symmetric crypto can be solved in a pretty easy way: we should simply ban RC4. This is an old request by the cryptographic research community which comes now to internet standards which disallow using RC4. And that's the good thing: if you take a look at the history of RC4, it's an amazingly brilliant idea of Ron Rivest, but from an engineering standpoint it's much too elegant to be very secure, and actual research results show that our worries, which I have announced directly after the Snowden case, the idea that the NSA can break RC4 in real time, might be a good consideration, as Bruce Schneier mentioned. So simply just don't use RC4; we have AES. For AES there are some cryptographic worries, but they are far away from practical use.
I would really suggest to use AES-256; some cryptographers say 128 is also a good solution, but I have the main idea that if you can really spend some processor cycles, I think using longer keys is a very good idea. And to make a small hacker remark: if you don't trust AES, then you have, from a mathematical hacker standpoint, the idea to combine two systems so that the attacker has to break both, or at least the harder one. And if you combine these two ciphers with XOR, you can simply prove that an attacker has to break the strongest of both algorithms, and if you have a commutative solution it's easy to see that an attacker has to break both ciphers. If you use it in an appropriate mode; you should check that a bit. But I think it's funny that there was one point where I have not been sure if I have been too paranoid to announce this construction using Twofish and AES in crypto form. Nevertheless, it's interesting to see that it's also a widely used solution in TrueCrypt, and I was really very flattered when I heard that Edward Snowden and Bruce Schneier have discussed in Harvard the idea to cascade ciphers in an appropriate way. Bruce now has criticized this; I fear he might be right, but on the other hand I'm sure that the construction which has been suggested by me and other researchers will provide a warm and fuzzy feeling. Oops.
Sorry. So the next point is a bit scary. I have thought a long time for a better word to present this, but I give you some background information. We have the dramatic situation that SHA-1 and MD5 are broken in a way that you can attack them in a successful way on a standard PC. MD5 is totally broken; it's well known, there have been other results, but also in the field of SHA-1 results in the last some years have shown that these attacks are deeply practical. Some years ago there was a presentation by Appelbaum and another researcher showing that you can attack the certification framework of an organization using MD5, and you can do almost the same story also on SHA-1. And this is an actual problem. How actual is it? Yeah, as I mentioned, I give a talk about Windows 10 in the evening, and I think in March there was an update from Microsoft going away from SHA-1. And to be very clear: I think it's now 20 years that they are using a really totally broken function. Now we have the really funny situation that the SHA-1 function is designed by the NSA. Even there is a funny story: the first proposal from the NSA was there and was presented in the standard procedure, and they said, oh well, we have forgotten something, and added, I think, a rotation in a strange place, making the system stronger without giving a good explanation. So we're using an NSA function, where we are pretty sure that there are only few fields where the NSA has an advance over the public research, and I fear in the field of hash functions that might be the case. If you take a look at the analysis of Stuxnet you find some techniques which are pretty interesting: the NSA has used some really hardcore crypto stuff to attack here a system in a way where it has not been necessary. So they have really shown that they have tools which have not been necessary in a practical sense.
So I can really state that hash functions is a field where a lot of good research, or good or evil research, has been taking place in the NSA. Why I tell this story: because the hash function which is now used by Microsoft, SHA-256, is also designed by the NSA and has a similar design to SHA-1. And the funny thing is that NIST has stated that the SHA-3 competition has been necessary because they are worried that somebody would break SHA-256. And for some years there have been no results, but we have now the situation that SHA-256 is an NSA proposal which has not been nearly as well analyzed as the other ciphers, and this is something which makes me also a bit worried. A funny thing is, I told you that it's sometimes a strange idea I have used sometimes to do things double when I don't understand how secure it really is. The funny thing is that, as you might know, SHA-256 is the main algorithm, or one of the main algorithms, in Bitcoin, and the funny thing is, because the cryptographers behind Bitcoin are also pretty paranoid, they use it in a double way. So even if we have problems with SHA-256, the guys of Bitcoin have done it double, and so there is in the case of Bitcoin a security margin even if the NSA would have evil ideas against SHA-2. Nevertheless, it's not a very satisfying situation. Things might be getting better: the SHA-3 function is a new function from an open competition with good explanation. There have been some worries regarding the influence of NIST on the SHA-3 process, but the main critique points have been addressed by NIST, and so SHA-3 might be a good idea. It's a totally other design than SHA-1 and MD5 and SHA-256; by the way, it has been a requirement for the SHA-3 competition not to be such designs as the NSA-designed ciphers. And this is a very interesting proposal. So I think SHA-3 would be the best solution; nevertheless, it's a very, very new function.
It's a new hash function in town, and so we should really invest also time and effort to analyze it in an appropriate way, but at the time now I would really recommend SHA-3 to you. Okay, coming to the ECC mess. You know, I'm one of the minor fractions of cryptographers which are pretty critical regarding ECC, elliptic curves. One problem I have at the moment: we have, caused by NIST, by implementing, by acknowledging, by standardizing a backdoor, and a very dilettantishly designed backdoor, that we cannot trust NIST regarding critical parameters in the field of elliptic curves anymore. This is something also NIST employees have stated, that they have to work on trust in a new way. The good news is: in cryptography there might be a mathematical solution also for this problem. In the competition, for instance, for AES, the Advanced Encryption Standard, there was one requirement to justify that your parameters are constructed in a way that there is no backdoor possible. That was the official requirement, and we have to go back to elliptic curve cryptography and we have to invest a lot of research in this field, and we have to have really proof that some parameters are constructed in a way that they're not providing a backdoor. To be very clear, why do we need standardization? One, because elliptic curves are very complicated; second, besides the security consideration.
There is another minefield in the field of elliptic curves: there are, I think, some hundred patents in that field, and for practical use it's useful that somebody else is checking this legal nightmare of patents. If you have a standardization, NIST takes care about a lot of problems in the patent stuff. So even if you say, I'm not caring about crazy mathematicians saying some elliptic curve group might not be secure enough, you should really take care that you use standardized stuff if you do not want to be involved in heavy, heavy lawsuits. And to make a mathematical evaluation about the most patents which have been in the field of elliptic curves is very short: most of them are totally ridiculous. A different base representation is not something which a mathematician would accept as a patent, and even in this field we should have a good discussion how to deal with software and algorithm patents. And as I mentioned, we need elliptic curve standardization also for this patent stuff. On the other hand we have good news: there is a lot of research going on in Europe regarding elliptic curves. There is good research by Lange and Bernstein, for instance; there is also excellent work by Brainpool. And I think it's important that we can go to a place where we have also European standardization efforts. There has been a lot of work done by the European cryptographic communities, and we should bring them now to a standardization process. Another remark: we should take a close look. Bruce Schneier has really stated, I think for more than 20 years: we should use RSA, a well understood crypto, where we can, and we should use elliptic curves in fields where we are very limited. So I would really make the suggestion to use RSA, or even another forgotten brother of RSA, the Rabin scheme, which is heavily based on the same field; in the case of Rabin it's equivalent to factorization. This is the stuff we have understood for decades.
It's the stuff which is simple to implement; even the key generation is really very, very simple. It can be presented in one lesson if you give a cryptographic course at a university. And this is a nice comparison: I need about 40 to 50 minutes to present RSA key generation to my students. I have advised the first elliptic curve mathematical diploma thesis in 1999 or so. I don't understand elliptic curves, even though I have dealt with them for almost 20 years. There are a huge amount of parameters; they are really very critical, and even if you have done 20 years of research in the field of number theory, you should be very careful. And without joking I would make the statement: everybody which has a deep knowledge in elliptic curves has more worries than people who use it in a heavy way. Nevertheless, elliptic curves are an interesting proposal and I heavily support research in this field, and I think that is also a place where research should throw some money in, because elliptic curves are really very important in a lot of fields where we have a really limited environment, for instance the internet of things, to use this magical buzzword. It is important to have good elliptic curves. Nevertheless, even if we have a device like a mobile phone or something else, I should make the statement that we should stick to RSA 4096 for some more decades.
I think even the propagandistic evaluation of ECC performance will show that, for instance, for checking an RSA signature with a low public exponent, I'm not sure if elliptic curves are faster in all the scenarios. And I want to make also the remark that Rabin uses a public exponent two; it's even more, it's even quicker than checking RSA with low public exponents. Last five minutes, so I come to quantum computing in the last five minutes, which is a bit of a pity, because quantum computing is one very interesting research field. And whoops, sorry, oh, sorry. Quantum computing is a very interesting field. To make a short explanation of this: at the moment it looks like if we have a quantum computer, all our normal cryptography is dramatically broken. RSA is broken, Diffie-Hellman is broken. But something I really want to make a very loud remark about is: if you have a quantum computer, they will much quicker attack elliptic curve cryptography, because there are much shorter keys, 256 in a lot of environments compared to 4096. So it's very clear: if you have quantum computers, we will have really problems with elliptic curves much earlier than with other fields. And I want to make an additional proposal.
I think we have a lot of optimization possibilities to attack elliptic curves even quicker than the actual research on elliptic curve quantum cryptography, even quicker than what is now the state of the art in cryptographic research. Last some slides: a very funny thing I saw these days is that this crazy stuff of mathematicians jumping around and saying, if we have quantum computers we have problems, has now come also to Microsoft. Microsoft has for the first time made a real proposal of post-quantum cryptography, Microsoft Research, and they have also presented an implementation for TLS, and it's interesting to have the parameters. If you take a look in the paper, we are now down to eight kilobyte messages and about a performance penalty of 21 percent, and this is very good, because in the older days we had to throw megabytes of data if you were using this very skilled and very fascinating post-quantum cryptography. A last remark to post-quantum cryptography is: we can think to design protocols which survive quantum computing attacks. And one scary thing is, I have been asked by the Wall Street Journal Germany to make an evaluation about the security of Bitcoin, and I made the statement: yes, there are problems, because Bitcoin is using elliptic curve cryptography with 256 if we have quantum computers, but the whole system is designed in a way that even a break in this field will not attack the whole economic philosophy behind Bitcoin. And so it's really interesting: if you take a look at Bitcoin, we can learn how to design crypto which also survives quantum cryptography. By the way, the headline of the article in the Wall Street Journal was "Researcher warns because of quantum computers regarding elliptic curve cryptography". Yeah, I have one, but the statement that Bitcoin will have much lesser problems than normal money systems has not been brought to a very central point.
I don't want to make a final statement about Bitcoin, but in a cryptographic field these are nice people. These are people which have not too deep knowledge in crypto, and they know that they don't have too deep knowledge in crypto, and then design it in a conservative, best-engineering way, and that's the kind of the best cryptographic engineers you can have. So the cryptography in Bitcoin is some construction which makes me sometimes smile, and that is not often the case if you take a look at implementations. So coming to the final, really final, I'm a bit over time already, remarks: what we should do, only some statements. We have advanced cryptography which can be used to model social cooperation in a better way. One of the few things which is in heavy use is OTR. In OTR we have really built with advanced cryptographic protocols things like non-repudiation, that we can really discuss in a way where we have some kind of authentication of the message, but we revoke the authentication of the message, which gives us a chance to model communication off the record, so that you can say something without having the problem that somebody could take your statement and bring you to court. And from a philosophical standpoint it's important to try to bring some concepts of a private talk also to the cryptographic world, and Borisov and Goldberg have done fantastic work in this field. There's also very cool stuff in the field of blind signatures, and this is the second time I smile in this talk, because I was a bit angry that nobody used or implemented blind signatures over the last 20 years, and the good news is, now 20 years are over, most of the scary software patents are gone, so we can use blind signatures without legal problems, because we have spent so much time not implementing it. And so I think it's a good thing to think about electronic voting.
I'm a bit disappointed that some nice ideas of the Pirate Party, like Liquid Feedback, didn't make the next step to use advanced cryptographic techniques to model democratic processes. But maybe we can find some more time; the good thing is the software and the ideas are still available, and the next generation might do it in a better way. Can we fulfil these requirements of Edward Snowden? We have more of a moral, philosophical and technical commitment to do it, and yeah, I don't want to make jokes about it, I take it seriously. We hackers, we mathematicians, we are friendly people which want to hack sometimes and sit in the sun in a camp. But now we are in a big battle, in a big battle for our internet, and the problem is, the internet is not, maybe a problem, maybe a feature, is not only our nice playground; it has huge implications on the whole society. And yes, I think we have a moral, philosophical and technical commitment to do it. And so this is the point where I ask Hanno to come to the stage if he's still here. And in that sense I really want to make the request to you: use your skills and make the world a better place. Can we do this what he has asked for? And I think, yes we can. Thank you for your attention.

Yeah, I just want to make a very quick announcement. We will have an open crypto meeting at 2 o'clock in workshop 10 3, which is just to get people interested in crypto to discuss, like, what are the newest attacks on TLS and what new algorithms are interesting, whatever you want to discuss. Open crypto meeting at 2 o'clock in workshop 10 3. We still have a few minutes left, so if you have any questions, quick short questions, please line up at the microphones.
I don't know, on the left or the right.

A remark on the ring learning with errors thing: as far as I know this is patented too, so that's kind of bad, the Microsoft ring learning with errors thing.

So, it was only a sign that Microsoft takes some consideration to do this, to stuff which has been really very esoteric mathematical concepts for a long time. If there are patents we have the normal problems there, and that's not a good thing. I have not evaluated the Microsoft proposal. I think, on the first look, it is very optimistic what they do; I'm not sure if it's a good idea. The only statement I want to give is that Microsoft now tries to evaluate and implement stuff which has been esoteric mathematics for esoteric mathematicians for a long time.

Just one statement, maybe it's on quantum cryptography: isn't it supposed to be actually very resistant to man-in-the-middle attacks? Because when you actually have two entangled quantum particles, it is very hard to actually carry out an MITM, because if you change one then you affect the other. And do you see that perhaps in the future this could become a standard which will be used to avoid such kinds of attacks?

Yeah, we had to think in that direction. It's very hard to give a short answer yet. One pessimistic thing is: if we have a quantum computer, every cryptographic operation we use in public key cryptography, elliptic curves or RSA, is completely broken; promptly broken, in the sense of completely broken, that you get the secret key, the private key, and so everything. Your question is interesting in that field, that, like in Bitcoin or other protocols, you can modify these protocols in a way to make even a complete break of the public key cryptography not so harmful for the whole construction, but this is even challenging cryptographic research. Yes.
Thank you.

The reason most websites today use ECC in their ciphers is because the size needed to transmit during connection setup is so big if you use RSA-based things, and it gets bigger if you use another key like DH. Do we have a perspective how to solve it? Because currently we are all using ECC and can't go back to RSA.

To make the following statement, maybe this is a bit of an angry cryptographer: we talk about 4096-bit RSA versus 2K. Okay, I have recommended 4096, but even 2K, even worse, in regard to how much traffic you need to transfer. Come on, you make one key exchange at the beginning of the show and then you stream gigabyte on gigabyte of Game of Thrones, cats, video content. And yes, we cryptographers should go to the edge, because your mobile phone is much more powerful than my original IBM. Without joking, to be very clear, making your point in an even more aggressive way: using RSA with 4096 bit might harm our climate. Yes, it might have influence on using millions and billions of money for cryptographic operations, and to be very clear.
I think we might have systems where we have a long-time RSA key and, for perfect forward secrecy, ECC curves with 256, but I really would heavily recommend that for long-time secrets and signature keys we should make heavy use of RSA 4096. And as I mentioned, there are environments in the internet of things where RSA 4096 is too heavy for these fields; it might be a good idea to have also elliptic curves. And this is a statement of Bruce Schneier: if you have the option, use RSA; if you have no option, or if you have the option to use no crypto or elliptic curve crypto, use elliptic curve crypto. And I think this statement is still right, but it's an ideological discussion in cryptography, and I admit that I have the minority position in this. Thank you.

Practical problem.

Yes, sorry.

Thanks. You made it very clear that you're hesitant using elliptic curves in crypto. Does that only apply to the NIST standardized curves, or are you also hesitant regarding, like, Ed25519, Goldilocks, and so on?

To be very clear, a lot of critique in this talk, and I focus really on the standardization problem, is not valid for Lange and djb's group. It's not a critique; they do fantastic work, to be very clear. They should be heavily supported. They are doing, by the way, also interesting stuff in quantum cryptography, which I heavily support; don't get me wrong. Even though, if I would be right, RSA is a more conservative and more secure thing, I really made the statement that we have a lot of fields where we heavily need elliptic curves, and so we should use really the Brainpool curves, which have announced some problems, and djb has really announced all the requirements.
I've said to be backdoor-free, and whoever read djb's paper in this field, it is very interesting and a very good point for further research. To be very clear, the critique regarding standardization is not valid for djb and not valid for the Brainpool curves.

So it's just not the rigidity of the curves, and these standardized curves are what we have to use because we don't have TLS 1.3 still, yeah.

Yes, but we have to address it, and as I mentioned, this problematic situation is also visible inside NIST, and is all the time, and we should continue to have pressure on NIST, because NIST has done fantastic work for decades. It's very helpful for the whole humankind, to be very clear, and this is one mistake and we should give them the chance to come back. But it's not possible that they present any parameter which could have a backdoor without having it where there's not a big choice. And by the way, this is the official policy of NIST regarding the AES competition. So what we ask, with this power behind, is just the position they have mentioned before.

Okay, thanks a lot. Thanks a lot for your attention.
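As an added example, not part of the talk or its slides: the Rabin scheme the speaker recommends next to RSA in the remarks on well-understood public key crypto, worked through in Python. Key generation needs only primes p, q ≡ 3 (mod 4), signing is a modular square root, verification is a single squaring (public exponent two), and the gcd argument shows why forging is as hard as factoring and why a signer must never hand out square roots of values it did not hash itself. The hash-plus-salt encoding, the key sizes and the test message are constructed for the demo and are not a standard.

```python
"""Toy Rabin signatures: keygen, sign, verify (exponent two) and the roots-to-factoring argument.
Constructed demo: key sizes and the padding here are for illustration, not for real use."""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def blum_prime(bits: int) -> int:
    """Random prime p with p == 3 (mod 4): the only extra requirement of Rabin key generation."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3  # top bit set, low two bits 11
        if is_probable_prime(p):
            return p


def keygen(bits: int = 512):
    """Private key (p, q), public key n = p*q."""
    p = blum_prime(bits // 2)
    q = blum_prime(bits // 2)
    while q == p:
        q = blum_prime(bits // 2)
    return (p, q), p * q


def _encode(msg: bytes, salt: int, n: int) -> int:
    """Constructed hash-and-salt encoding of the message to an integer below n (not a standard)."""
    h = hashlib.sha256(msg + salt.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % n


def sign(msg: bytes, priv):
    """Rabin signature: a square root modulo n of the encoded message."""
    p, q = priv
    n = p * q
    salt = 0
    while True:
        h = _encode(msg, salt, n)
        # Euler's criterion: h must be a square mod p and mod q (holds for about 1/4 of salts).
        if h % p and h % q and pow(h, (p - 1) // 2, p) == 1 and pow(h, (q - 1) // 2, q) == 1:
            break
        salt += 1
    rp = pow(h, (p + 1) // 4, p)  # one exponentiation gives the root because p, q == 3 mod 4
    rq = pow(h, (q + 1) // 4, q)
    s = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n  # CRT: one of the four roots
    return salt, s


def verify(msg: bytes, sig, n: int) -> bool:
    """Verification is a single squaring: public exponent 2, cheaper than RSA with e = 65537."""
    salt, s = sig
    return 0 < s < n and pow(s, 2, n) == _encode(msg, salt, n)


def other_root(priv, s: int) -> int:
    """A root of s^2 mod n that is neither s nor -s; needs the private CRT structure."""
    p, q = priv
    return ((s % p) * q * pow(q, -1, p) + ((-s) % q) * p * pow(p, -1, q)) % (p * q)


def factor_from_two_roots(n: int, s1: int, s2: int):
    """If s1^2 == s2^2 (mod n) but s1 != +-s2, gcd(s1 - s2, n) splits n. This is why forging
    Rabin is as hard as factoring, and why a signer must never return roots of attacker-chosen
    values: two distinct roots of one value reveal p and q."""
    if (s1 * s1 - s2 * s2) % n or (s1 - s2) % n == 0 or (s1 + s2) % n == 0:
        return None
    g = math.gcd(s1 - s2, n)
    return (g, n // g) if 1 < g < n else None
```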