Now, what this is going to do is that these people are going to come up, they are going to talk for a minute, because we've got shedloads of them to get through, and then they are going to pass the baton, which is the microphone, to the next person. So this is going to be a bit like an Olympics sprint, okay? And if you drop the baton, then your team loses, basically. Okay, right, so the first one. Go, come on, quickly! Speed, speed, speed!

Yes, my name is John Pacific. I'm a cryptographic engineer with a company called NuCypher. Briefly, I'm going to speak about what we're doing with threshold proxy re-encryption. We're building a decentralized and distributed key management system for both consumer and enterprise grade. And we're using proxy re-encryption to empower something called Ursula, which sits between Alice and Bob, where Alice will generate a re-encryption key, split it using Shamir secret sharing, distribute the fragments to N Ursulas, and then Bob can use his key to re-encrypt his ciphertext fragment for himself, retrieve M of N and combine them.

Time out, let's go! Leave this way, quickly, leave that way.

Hi, I'm Ange Albertini. I crafted the PDF colliding files for SHAttered. I also work on Malicious SHA-1. So I like to play with file formats. Cryptography-wise, I don't understand crypto much. I crafted a PDF that, when you encrypt it with 3DES, becomes a valid JPEG, which, when you encrypt it with AES, becomes a valid PNG. I'm doing a PDF LaTeX package so that you can include that in all your next cryptographic papers, so that they have some inner beauty. And if you have any crypto trick that you want to share: I don't understand much crypto, but if you have crypto tricks, I have file tricks. Thank you for your attention.

I'm Bart Preneel from the University of Leuven. Real-world crypto is also about politics.
And the European Commission released a statement last September saying that encryption in Europe will not be prohibited, weakened or restricted. But the same statement says that they're going to pay 96 extra people for Europol, and that they encourage the countries to collaborate on a toolbox for alternative investigation methods. Are these zero-days? Who should check all this stuff? If you want to discuss this together with Harry Halpin, in the NEXTLEAP project and ECRYPT-CSA, we have a workshop in Brussels on January 22 and 23. In Brussels, please come and see me or Harry. We're going to discuss crypto politics in Europe. There are still a few speaking slots available. Please come and join us to discuss with the lawyers, people who discuss GDPR, people in the open source community and the Commission, to discuss what we should do with crypto in Europe.

Hello everyone. My name is Marc Joye. I just want to let you know that NXP is hiring. We have several positions in our Crypto and Security Innovation Centre. We have job openings across Europe: Germany, Austria, France, Belgium, the UK, the Netherlands, and also in the US. So if you want more information, please come to see me or my colleagues here. Thank you.

Hello, my name is Yuval Yarom. I'm from the University of Adelaide, Australia. I wanted to give a heads-up on two events, if I manage to fit it in one minute. The first one is KangaCrypt, a workshop about attacks on cryptography, whatever way you can break it; that's what we're interested in. It will take place in Adelaide, in the fourth largest wine cellar in the southern hemisphere, just after Asiacrypt. The second, if you are not doing attacks and you still want to do cryptography around December, is SPACE 2018, which will take place in Kanpur in India. So we're looking forward to your work.

Hi, I'm Tony Arcieri.
I'm the primary author of Miscreant, a symmetric encryption library providing nonce-reuse misuse resistance, available in C#, Go, Python, Ruby, Rust and TypeScript. It also has a C API for C and C++, and there are plans to implement it in Java and PHP. It uses three constructions, all originally designed by Phil Rogaway. The first is AES in Synthetic Initialization Vector mode. The second is a fully parallelizable variant of that, which substitutes PMAC for CMAC. Finally, it implements a construction called STREAM. So those last two constructions are offline modes; STREAM turns them into online modes. If that sounds interesting to you, check it out at miscreant.io.

Hi, so I'm Katriel Cohn-Gordon. So yesterday you heard about how group messaging is kind of broken. We've been looking at how to make group messaging better in the Signal style. Signal does continuous ratcheting, where it derives new keys and mixes them into the root chain to derive message keys. You can't do that naively in a group, because if you go and grep through the literature for group messaging, all the protocols you find are interactive. They say: Alice, talk to Bob, get a message back, something, something, you get a key. It turns out that actually this isn't necessary. There are non-interactive ways to derive a shared group key, and you can use that to do something kind of like ratcheting, but in group messaging. So if you're interested, Google "On Ends-to-Ends Encryption". We want to build something that's really practical for people to use, so we're talking to companies as well to understand constraints and what people want to build. If you're interested, come talk to me.

Hi, I'm George Tankersley. If you were here last year, you might have seen my talk about anonymous rate limiting using blind signatures, aimed at solving the Cloudflare CAPTCHA problem. Essentially, you can solve one CAPTCHA and receive tokens that you can redeem instead of solving future CAPTCHAs.
I'm happy to report that this is now a thing that exists in the real world. It's called Privacy Pass, and you can go get it on the Chrome Web Store, thanks mostly to Alex Davidson from Royal Holloway. Yeah, who is great. So we updated the protocol from the one in the talk to use elliptic-curve OPRFs, which Dan suggested literally as we were walking off stage last year. And it's faster and more bandwidth-efficient than you would expect blind RSA to be. So once again, that's Privacy Pass, and you can go download it and install it in your browser right now and solve fewer CAPTCHAs while you're using Tor and VPNs.

Hello, my name is Marcel. I'm a product security engineer for Qualcomm. We're also one of the sponsors, indicated by the Q on the bottom. If you're interested in pursuing a career in product security, please find me and we can talk about options. Thank you.

Hi, my name is Meilof Veeningen. I work at Philips Research, and I want to announce today yet another good library for using crypto in Python. It's called PySNARK, and it's for programming verifiable computations and making zk-SNARKs in Python. So yesterday we heard a lot about how you can use zk-SNARKs, for instance for privacy-preserving transactions on the blockchain and for zero-knowledge contingent transactions. But there are also other uses, and the problem today is that it's quite hard to specify verifiable computations, and PySNARK changes that. You can just program them in Python, and automatically there will be a proof, and there will even be an automatically generated smart contract to verify that proof. If you're interested, go to PySnark.tk or find it on GitHub.

Hi, I'm Jack Grigg. I'm an engineer with Zcash, but I also work on a little thing called I2P, a privacy network that does onion-routing stuff. Two years ago I talked about how much fun we had migrating away from SHA-1 in our signatures. We're about to do all that stuff again for some of our other protocol layers.
So if you are interested in transport-layer stuff, in particular obliviousness extensions to the Noise protocol or writing Sphinx packet format libraries, come talk to me.

Hello everyone, I'm Nicolas Gailly. I work at EPFL, and today I want to talk to you about randomness. So as you know, randomness is very hard to get, and in our lab we are not happy with it. So we devised a decentralized randomness beacon which offers bias resistance and public verifiability. Our latest advancement in this project is called drand. It's software written in Go. You can check it out online at github.com/dedis/drand. And it's already ready to use: you can spin up a few Docker containers and have very good randomness. And if you want to know more about this, come talk to me. Bye.

Hello, so I'm Markulf Kohlweiss. Some of you may know me from being a researcher at Microsoft Research, and also from my work on miTLS, which won the Levchin Prize. So I'm now faculty at the University of Edinburgh, where I will try to bring the same rigor to blockchain and cryptocurrencies. I'm here to say that we want to hire even more faculty to work in areas like this, and I'm also personally looking for a number of students and postdocs to work on zero-knowledge, SNARKs, blockchain privacy. And I'm also interested in doing more politics now at the new university. We seem to be doing very well.

So we're now going to give the people who decided to come in later a little bit of extra time. So they're now going to have one minute ten seconds each.

Thanks, Nigel. My name is Mike Ward. I work at Mastercard. I want to say a couple of things about EMV crypto. We are considering including ECC as well as RSA, and to be, obviously, algorithm agile. We're going to be using Schnorr signatures for the card public key certificates and Blinded Diffie-Hellman for creating a secure channel. I'm pleased to report that Blinded Diffie-Hellman has just recently been published as an ISO standard.
It's patented, but the license is free. So that's for face-to-face transactions. For e-commerce, EMVCo just published the 3-D Secure 2.0 specifications. They're available on the website. They basically use TLS 1.2 minimum and the JOSE standard as per IETF RFC 7516. Thank you.

I'm Brent Zundel. I want to talk about the Sovrin ledger. It's a global public utility for identity and verifiable claims. It's an implementation of Indy, which is a project at Hyperledger, Hyperledger Indy, from the Linux Foundation. It's live. It's operating worldwide with a network of nodes running a Byzantine fault-tolerant consensus protocol. It's an anchor point for digital identity that doesn't rely on a single trusted third party or require any centralized data silos. We allow verifiable anonymous digital credentials and a flow of data that puts information back into the hands of the people it belongs to. The verifiable credentials that are issued allow people to selectively disclose minimal pertinent data and prove in zero knowledge only predicate values about their attributes. If any of this sounds interesting to you, come talk to me.

Hello. My colleagues and I from the Indian Statistical Institute and CINVESTAV-IPN in Mexico have proposed a disk encryption scheme called FAST, which is the fastest disk encryption available today with provable security. It is faster than both the IEEE standards for disk encryption. Moreover, we have also instantiated it for a more general scheme where the message can have arbitrary length, and the tweak can be a vector with an arbitrary number of components, which is exactly the case for Aadhaar, the popular Aadhaar of India, and hopefully it will be considered by the Indian government for Aadhaar someday. So the software implementation is available on GitHub, and the paper is available on ePrint if you are interested, with reference number 849. Thank you.

So I'm Mike Lodder. I'm from Evernym.
Getting up here is what's called cryptographic anxiety. But what I have been working on at Evernym is a decentralized key management system that will be using Sovrin, where users can manage their keys and create a diffused web of trust for discovering keys, rotating their keys, sharing their keys, creating relationships. If any of that sounds interesting to you, where all of that is in the hands of the user and actually fixes PGP, come talk to me.

Hi. My name is Eyal Ronen. I want to talk about joint work with Moni Naor and Benny Pinkas called How to (Not) Share a Password. We want to solve the following problem. A service provider wants to find and blacklist popular passwords that are used by a large fraction of its users, while still protecting the privacy of the users' passwords, even if the server itself is compromised. Such popular passwords can compromise not only individual users but the whole ecosystem, like we've seen in the recent Mirai attack. Moreover, malicious attackers that control a subset of the users might try to hide these popular passwords in a protocol. We propose a novel technique for finding heavy hitters that is resilient to such malicious adversaries. We can also use this protocol for other possible malicious settings, like the Tor network, and we are looking for a new test case. If you have something for which you want to collect information in a safe and malicious-resistant manner, please contact me. The full paper is available on ePrint. Thank you.

Hello, people. I'm George, and I work on the Tor network. We recently launched the next generation of onion services. It includes some fancy crypto tricks, like distributed random number generation, blinded Ed25519 keys, and differential privacy for statistics. It's not like crazy Tesla stuff, but it's definitely real world, and it's definitely crypto, and it definitely works on the real internet right now. In the future, we're going to do more stuff like this. We're going to do post-quantum key exchanges.
We're going to do secure name systems. We're going to do various other stuff. If you like this sort of stuff, please get in touch. I will be at the conference today.

Hi, my name is Astra, and I studied elliptic curves and modular forms, and I like crypto, so I wrote a little limerick about elliptic curves. I'm really nervous, but: there once was a smooth curve in F_p, projective it is, and no cost beyond this, with a point at infinity, for use in cryptography. You see?

We prefer this kind of stuff to all this kind of stuff about cracking. Give us some more jokes. Right, go.

I'm a bit nervous after this kind of fun stuff, but still, I'm Gaurav Bansod. I'm from India. I've done a bit of work on lightweight cryptosystems. I've recently designed a new block cipher called ANU, which means atom, which is small in size but has greater strength. We got unbelievable results: it consumes very little power compared to the very popular cipher called PRESENT. If you just type "ANU lightweight cipher" into Google, you'll find it's open access, and my theory is keep learning and keep bashing. Thank you.

Good afternoon. My name is Leon. I'm with pEp, which stands for pretty Easy privacy, and with pEp we want to introduce privacy by default, and basically do that for e-mail and then messaging and SMS. So pEp wants to do basically what Skype did for voice over IP: make it easily accessible to everybody, automatically. And pEp is all open source with code reviews. It is multi-crypto and fully compatible with S/MIME and PGP, and then basically improves security from there. So for version 2.0, it's planned to integrate GNUnet to also provide metadata anonymisation. Today it's ready to pilot with Outlook, Android and Thunderbird. An iOS version is coming soon. And it can also solve issues in apps or IoT, like for example the need to have end-to-end encrypted messages for SWIFT, for example.
So some very interesting announcements concerning our collaboration with GnuPG will be coming shortly. And if you're interested in piloting or partnering, just contact me here or email me at leon at PEP-security.net.

OK, so everyone's come up and they're giving websites or people to contact or whatever. If you have given a lightning talk, and some are still left, if you just post on Twitter what your lightning talk was about and any contact details, then everyone knows. So use Twitter as a bulletin board. Oh, and the hashtag is #realworldcrypto, not #RWC. Remember, that's the Rugby World Cup. This is not... We could do some rugby on the stage, maybe not. OK, right, off you go.

Hello, I'm Jeff Burdges. I work at Inria. I do some things with mix networks, in particular some things around trying to make the key exchanges post-quantum; that's much trickier than you would expect. Come talk to me if you're interested in that. Also, I've done some work on a project called Taler, which is essentially David Chaum's e-cash, but modernized, and there's a nice zero-knowledge proof in it that the money is not being transferred in some sort of illicit way. Anyway, come talk to me if you're interested in actually efficient anonymized transactions.

All right, I'm Aggelos Kiayias, and I'm at the University of Edinburgh and IOHK. So, as we heard from Markulf Kohlweiss just a few minutes ago, at Edinburgh we are hiring at pretty much every possible level. So we have an assistant professor position open, we have a PhD student position open, and also postdoctoral researchers. So if you're interested, talk to me or Markulf Kohlweiss or Vassilis Zikas; we're all here. And next, IOHK. So we're also hiring at IOHK. If you're interested in working on real-world blockchain systems, come talk to me anytime during the day today. Thank you.

These academics, always putting out job adverts.
It's terrible, isn't it? I would never do that.

Hi, I'm Rob Percival, with Google's Certificate Transparency team. I just want to talk about an open-source project that we've been working on, which currently powers a number of Certificate Transparency logs, and Key Transparency as well. So it's an extension and generalization of the ideas behind Certificate Transparency. We have a number of Merkle trees, but much bigger, so it scales up to billions of leaves, the idea being that we want to be able to hold all the certificates ever issued, and issued for the foreseeable future. But we've generalized it as well, so you can put anything in there. It doesn't have to be certificates; it could be binary blobs, it can be public keys, anything like that. You can run it in a log mode or a map mode. So you can have an append-only log that's cryptographically verifiable, so you know that the log operator or anyone else can't go back and delete anything or modify anything without it being obvious to outside observers. The map mode allows you to do key-to-value mapping. Again, you can verify that the history hasn't been tampered with. For example, if you're using that for public keys for instant messaging, the public key hasn't been changed at any point by any attacker; you can look back and see, yes, only the public keys I knew about have been used. There are plenty of use cases for this, since we've generalized it, so if anyone is interested in using it for anything, firmware transparency for example, come find me.

Double act.

Hello, I'm Nadim Kobeissi, and I'm the CEO of a company in Paris, and Cure53. I'm a shirt in Sweden. Great. Working together, we discovered a vulnerability in Thunderbird and Enigmail. If you're using PGP in Thunderbird with Enigmail, you should know that until a few months ago there was a bug that would allow for a full man-in-the-middle and the encryption of all PGP traffic. This is a combination of two bugs. One is the hijacking attack, also known as a homoglyph attack.
A homoglyph attack. But anyway, with their powers combined they are Captain Planet, and they can hijack PGP. So the bugs were fixed, and you can read up more about the details of the vulnerability on the Enigmail website, which is the PGP extension for Thunderbird. Thank you. Thank you.

I'll just start while they get the microphone back. This is a brief announcement for the Security Standardisation Research conference, to be held in Darmstadt, Germany, in December 2018. This is a conference with proceedings, seeking all contributions in the area of security standards: if you break standards, comment on standards, propose new standards and so on. The program co-chairs are Cas Cremers and Anja Lehmann, who is running this event here. The call for papers will be out soon. The submission deadline will be around June. Thank you.

Greg Rose, from a little start-up company called Allocrypt, based in sunny San Diego, USA. In the real world, people like to make money out of crypto, and I don't mean Bitcoin. If there are any people out there who want to invest their hard-earned Bitcoin wealth in a start-up, we're accepting; we have a round open for investment. If you want to invest your Bitcoin wealth in supporting next year's conference, then please let us know, and we will also accept bitcoins to support Real World Crypto. Last night... so you can invest your bitcoins in Real World Crypto soon. Thank you.
My name is Benedikt Bünz, and I'm from Stanford, and I quickly want to advertise our new paper, Bulletproofs, which Andrew talked a little bit about yesterday, because it can make range proofs a lot shorter. But Bulletproofs can do a lot more: they're general zero-knowledge proofs for arithmetic circuits, just like a SNARK, and just like a SNARK, Bulletproofs are short, but they don't have a trusted setup, so you don't need the whole ceremony or anything. The downside versus a SNARK is that verification takes a lot longer than a SNARK. But there are lots of applications for this outside of range proofs, or outside of the world of cryptocurrencies, so for example verifiable shuffles, or if you have any sort of more complicated zero-knowledge proof where you might use a sigma protocol, you're probably better off using Bulletproofs, which also only rely on the discrete log assumption. So Google Bulletproofs on ePrint, or crypto.stanford.edu/bulletproofs, or come talk to me if you have any sort of application for this. Thank you.

Hi, my name is Robert, and I'm from the Ruhr University Bochum. One and a half years ago we released TLS-Attacker, and I only wanted to inform you that in the last one and a half years we have highly improved the protocol attacker, and that you can check out the newest version on GitHub, TLS-Attacker 2.3 at the moment. And if you're interested in attacking TLS implementations or just want to deploy your attack, check it out or talk to me.

Hello.
So I work for the company that is up there in the middle, ARM. My name is Roberto Avanzi, and I'm going to tell the PhD students and the postdocs among you that we are hiring, both in ARM Research and in the architecture team, of which I am part. We are looking for people that fulfil two requirements. The first one: you have to like Scotch whisky. The second one: you're interested in one or more of the following fields: all aspects of cryptography, especially those that might get us money; architecture security; micro-architecture security; hardware security. So if you want to try something really cool, talk to me.

OK. Oh, one more, one more. Oh, someone's sneaking in at the end. It's alright, don't worry.

My name is Manish Mehta, and I'm from Netflix. We have very extensive TLS use inside our company. One of the things that we were bothered by was the failure of most of the browsers to do the name constraints in the certificates properly. I think yesterday somebody talked about how TLS clients are basically not performing verification; one of the things you do is basically the name constraints anyway. So we have a website called bettertls.com, which basically came up as part of this frustration. We originally wanted to name it nameconstraints, because people don't do it right, but it basically has a set of test suites that you can run your clients through and basically see how well you do. So hopefully that will help people perform the name constraints properly in their TLS connections. Thank you very much.

OK, so let's thank all of those speakers once more.