Vegas, Baby!

We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh, also there’s some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuff.

SCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhat-2025

Watch on YouTube: https://www.youtube.com/watch?v=tbnhsmRZniI

Links:


This rough transcript has not been edited and may have errors.

David: Yeah, in America, we just speak clear text over radio like adults.

Deirdre: Hello. Welcome to Security Cryptography Whatever. I’m Deirdre.

David: I’m David.

Thomas: I’m awake. I’m awake before noon.

Deirdre: Yay.

David: Congratulations, Thomas.

Deirdre: We’ve been talking way too much before we hit the record button. How many computer experts does it take to find the record button? Well, we found it. Yay.

David: Once again, we would like to start out with reminding everybody that we are throwing a party mixer in Las Vegas during Black Hat again this year. Someone called it SCWPodCon last year. The name has stuck and we were told the vibes were immaculate last year. And so we’re aiming for the same thing this year. The event is sponsored by Teleport, the infrastructure identity company that gives you SSO for SSH. And thank you again to Rob Picard from Teleport for setting this up. Rob used to run Observa, which was our sponsor last year, but pivoted from consulting, ending that consulting life, to just, what if they became the security team for Teleport? Yeah. Thank you to Teleport.

Thomas: I love Teleport. I think Teleport is awesome. Teleport is like the backbone of all of the SOC 2 stuff that we do at Fly. So Teleport is like an SSH server. It’s a certificate-based SSH system. Right. So it’s like cattle-fleet SSH. I mean, you can use it for a single server.

Thomas: It’s really easy to set up and all that, but it really shines as a cattle-fleet SSH kind of dealy. So we’re getting like SSO-integrated logins for all of our internal SSH stuff. This is all behind our kind of like Tailscale VPN situation. So none of this is exposed to the Internet, but it is our internal control system for who can get what. But the really cool thing about it is it keeps transcripts of all the SSH sessions, which is, A, pretty handy if you’re just trying to figure out how another engineer fixed a problem with LVM2 or something a week ago. But B, once you have transcripts for all your SSH sessions, then any of the business processes that you have in your org that run through terminal commands, if you pop an IRB for a Rails app or something like that, and that’s how you add or remove groups or things like that, you now have an audit trail for it. Nice.

Thomas: Which is all SOC 2 auditors care about: is there documentation for whatever it is you do. So we got to knock out so much shit just because we had Teleport set up. I would say Teleport is probably the second most valuable tool, just in a SOC 2 and compliance sense, the second most valuable tool after SSO. It would be the second thing I would set up after SSO if I took a security role at a big company. Awesome. Teleport. Awesome. We love it.

Thomas: We love Rob too, but we love Teleport more.

Deirdre: Yeah.

David: One cool thing about SSH certificates is they are not X.509.

Deirdre: Yeah, I think, I think, I think.

Thomas: Only we care about that. Like, I don’t think in the back of really, you’ve gotten pushback from people like SSH certificates. This certificate nonsense again?

David: No, I just get generic pushback against the concept of X.509.

Deirdre: Yes, exactly. I think when you hear certificates, you start cringing internally if you are aware of the existence of X.509, and then you hear, no, no, no, no, no, it’s not. It’s a completely different thing. And you’re like.

Thomas: I’m not aware of.

David: Anyone that, like, was going to deploy that, like, would not have deployed SSH certificates until they learned that it was not X.509. I don’t know that that’s a person that exists.

Thomas: Yeah, I share this sentiment completely and I feel the same way about it. And I’ve done an implementation of SSH certificates and been delighted by it. Right. But I think it’s only a voice. So whenever I write about SSH certificates, I always write a little caveat that these aren’t X.509. Right. But I think only the three of us care.

Deirdre: No, literally, it’s just, you tell someone, no, no, no, it’s not X.509. And then, like, this sort of cloud lifts from your soul. It doesn’t have to be an actual case that has happened in real life. It’s just the lightness of being in these kinds of certificates as opposed to the most dominant kind.

David: Deirdre, weren’t you just saying that your name is like a Celtic myth about someone who has no lightness of being?

Deirdre: Yeah. My name is from like a story of a princess who ran off with her lover and she was trapped in a tower, married to some old king. And then the king. No, different, different. And then the old king chased them down and killed her lover. And then she. She collapsed, crying on top of his slain body. And the name means raging and sorrowful.

Deirdre: The end. End of story.

David: There’s a fair point, because she thought SSH used X.509.

Thomas: There’s also a Fairport Convention song about that too.

David: So, anyway, we’re throwing a party. Teleport is sponsoring it. Thank you to Teleport. Once again, the party is near the In-N-Out Burger. So we can all go get In-N-Out Burger at the most impressive In-N-Out Burger in the country. That is an operation there on the Strip.

Thomas: Extremely, extremely overrated burger.

David: It may be an overrated burger, but I’m just impressed by how many people they get in and out, literally in and out of that, of that physical location when, like, everybody is smashed and how quickly they’re able to like, reproduce their. Their what some people would refer to.

Deirdre: Yes, yes. Near. It’s near the In-N-Out, the event. When you register for the event, you will find out where it is. But afterwards we tend to go to the In-N-Out, the one time we’ve done this before. Cool. What we got?

David: So, Vegas, Deirdre, I heard you had some life updates.

Deirdre: Oh, yeah. I’m no longer working for my former employer. I am now funemployed. But I’m also taking. Taking bids for my time and energy.

Thomas: You’re not funemployed, you’re funsulting.

Deirdre: I am funsulting. I’m also taking it easy on, you know, what sort of funsulting I may be doing. So like, if something cool comes up, let me know.

David: If not, you gotta come to Deirdre with good projects and then be happy when she selects you, at least for.

Deirdre: The next couple of months. And then I might get a little bit antsy and be like, hello, can I interest you in some cryptography?

David: You’re all adults, so I’m sure you can figure out how to contact her.

Deirdre: Yeah, I’m on the Internet. You can find me there. Yeah, but we’re going to Vegas for other reasons besides SCWPodCon. What’s happening at Black Hat? I do not know what’s happening at DEF CON, but I. I have no idea.

David: What’s happening at DEF CON. I think we talked last year about how much I dislike going to DEF CON, so.

Deirdre: No, I like going to DEF CON, but I think last year I was doing PQ thingies at the Crypto Village and I haven’t been able to participate very much this year. But for Black Hat, we’ve got a couple of things on the crypto track.

David: Yeah, there is one talk about someone found some SCADA-slash-protocol that’s apparently called OPC UA. I don’t know where and how these are used or if they’re Internet exposed. My understanding from a bunch of research from Censys is that all the SCADA stuff is like exposed on port 8080 via HTTP and not via like Modbus or something. Right. You just find the admin panels, not the underlying protocols. Yeah, but regardless, the underlying protocol here has a bunch of 90s-era crypto vulns, which is kind of funny. And padding oracles make Thomas happy.

Thomas: I mean, those are fun projects and fun talks. A really hardcore new side channel vulnerability is not going to have the kind of payoff that you’re hoping for in a talk or whatever. It’ll be meaningful cryptographically and it’ll be meaningful to computer science, but it won’t be dramatic. Like, it won’t Hollywood, whatever the application is. And this, this talk looks like there are some Hollywood vulnerabilities in it. So I do, I do love a Hollywood crypto vulnerability.

Deirdre: What? How do you define a Hollywood crypto vulnerability?

Thomas: A Hollywood crypto vulnerability is one where you can write an exploit where you have a random string that’s rotating quickly on the screen and gradually, a character at a time, is revealing itself, like in the Hollywood movies. That’s not. It’s not my term. That’s Thai Duong’s term. That’s a real. You should know this as a cryptographer, because that’s a real term.

Deirdre: I missed that post on their blog, but no, yeah, that sounds about right. I think this is something we would see in. What’s that movie with Hugh Jackman? Swordfish.

Thomas: Yes.

Deirdre: He’s undergoing torture while trying to hack into something for some reason. And there’s all these graphics. Okay. Yeah.

Thomas: It’s been too long since we’ve had a Hollywood vulnerability in a more recent construction, probably because we spent the 2010s eradicating those vulnerabilities. But they do a comeback now that we’re doing post-quantum stuff. We should find new ways to.

Deirdre: Oh yeah, I’m worried about those sort of things for this sort of reason, because stuff that you haven’t touched in a long time that is like, all right, fine. And now you have to go touch it and you have to shove something new shaped into it or something larger, for example, because all the PQ stuff is larger. And then suddenly things just kind of go. Just the cracks start showing.

Thomas: And then we have a talk there on fault injection attacks on post quantum signatures, which is entirely you, Deirdre.

Deirdre: Yeah, let me go.

Thomas: Did you say you had no idea what was going on at Black Hat? You were a reviewer for Black Hat.

Deirdre: DEF CON. DEF CON.

Thomas: Oh, DEF CON. Okay.

Deirdre: DEF CON. This is targeting verification logic. What? Who cares?

David: Yeah, what actually is a fault, right? RSA fault injection was like a big thing. And at this point I don’t actually know what a fault is and I’m kind of afraid to ask.

Deirdre: It’s like a way to like twiddle with everything.

David: Just like a random bit flip in.

Deirdre: Your signature and like you’re.

David: And then that reveals your private key.

Deirdre: Or, or whatever you’re able to construct. Like in this one, you’re able to construct a forgery without breaking the underlying primitive. So it’s like the cryptographic assumptions are solid, the algorithms for signing and verifying and keygen are solid, the implementation on the surface is solid. And then this is you trying to do some bit flips or some voltage shenanigans or whatever, and you’re able to futz with the actual execution of a correct algorithm and you’re able to produce a result that you know is bad. And like, in this case, it’s like forgeries of signatures. Yeah, like real microcontrollers. These are, you know, things you have to be able to be aware of when you have. When those things are in your threat model.

David: You should. I mean, like, let’s think about RSA. I don’t know the specifics of how this works and, yeah, those post-quantum signatures, presumably we can go to this talk and learn. But like in RSA, like a number of years ago, like five years ago or something, like everyone collectively decided, oh, we should like make sure that like, we don’t output an invalid signature if there’s a bit flip from RSA libraries, and basically double check your result. And there’s a cheap way to do that without like doing all the computation. And everyone added that to their RSA libraries except apparently like Baidu. So like some researchers at San Diego and CU Boulder were just like monitoring TLS connections with a passive tap on their campuses and just like looking for bit flips in signatures. And the answer, and they found four.

David: And all of them were for Baidu, because it turned out that like everybody except Baidu had updated their libraries to like defend against this. And once you have a couple of them, you just like CRT out the private key. So if you want a conspiracy theory, there it is.

Deirdre: Several signatures from the same key pair.

David: Yeah, if you have like more than one fault from the same key pair, you can just CRT out the private key.

Deirdre: I don’t know, I don’t remember from the submission if this, like, if that sort of attack is leverageable or it sounds like they’re just able to produce a forgery when they have direct, you know, injectable attacks against the thing that’s actually doing signing or something like that.

David: Yeah, it’s really just RSA that has this fun property where when you do anything wrong, private key just pops out.

Deirdre: Well, you know, this not for fault injection, but, you know, ECDSA has had issues with nonce bias nonsense and things like that. So it’s not just an RSA thing or, you know, factor things based on multiplying primes together, but it shows up in different ways. So the way you construct the signature can really matter with what sort of things you’re opening yourself up to, even if it’s not directly about fault injection or fault attacks. I’m trying to see if there’s a mitigation about at least the SPHINCS+ one. SPHINCS+ got turned into SLH-DSA as FIPS 205. Yes. And everyone both loves it. And there are people who are like, hey, let’s use SLH-DSA for TLS signatures. And some people are like, yes, I love that because I need it for reasons.

Deirdre: And other people are like, why would you ever do this on the secure Internet? Sorry. On the secure web, why would you ever serve these certificates for the web? And they’re like, we’re not. We use TLS in other places besides the web and it suits us really well in those places. So some people want to use SLH-DSA.

David: This is what everyone puts in the hardware, right? Like if you have a hardware.

Deirdre: Yes, yes.

David: Hardware verification of like your own firmware tends to.

Deirdre: Yep, SLH-DSA. I’m not finding countermeasures real quick here.

David: We’ll just have to go to the talk and learn.

Deirdre: Yes, yes, TETRA.

Thomas: Yeah. So TETRA is like really big in Europe, right? Like it’s a big deal, like public safety protocol or whatever. Is it like what the police use or.

David: Yeah, cops, police and military use it a lot to like.

Thomas: So there’s like, there’s an end-to-end TETRA encryption thing. So the authors of this did a presentation and a paper on TETRA like two years ago. This is the second time TETRA has been on a Black Hat track and I guess. So I don’t know enough about TETRA, but I guess there’s some, I was going to say novel constructions there. Although I’m assuming it’s not novel in a computer science sense. It’s like novel in an “internal standards body came up with some random shit” sense.

Thomas: And I guess it’s like a suite of different things. And there’s an end-to-end protocol in it. And they broke in some ways the end-to-end protocol. A suite of tools we should have more to say about. Like, again, I think this is a really big deal in Europe and we’re just being blasé about it because we’re Americans and have our superior American.

David: Yeah, in America we just speak clear text over radio like adults.

Deirdre: Okay. So they like reverse engineer out the end to end encryption protocol discovered several critical zero days in the radio. In the process, additional key extraction and covert implanting vulnerabilities. Awesome.

Thomas: So when we do these, like all three of us are reviewers for the crypto track at Black Hat. And when we’re reviewing these things, you get a limited number of slots for each track and there are a lot of Black Hat tracks. Right. So we got more slots than I expected for cryptography this year. But there have been years where we’ve gotten like two. Right. So there’s like a knife fight at the beginning of the review thing for like, if there’s any excuse to get a talk off of your track and onto somebody else’s track. Like, there’s a lot of reversing in this.

Thomas: So maybe this isn’t a cryptography talk. Maybe this is a reversing talk. Right. Like you’ll take those excuses and move things. For us, it’s usually either like things get moved to networking because there’s a lot of network cryptography, or they get moved to reversing because there’s reversing involved in it. So it does say something about this talk, that it survived and stayed out on track and did not get pushed to reversing despite the fact that there is, from what I understand, a pretty compelling reverse engineering story about what happened here. Also, like, it’s actually a big thing in local politics where I am the fact that we’ve like the dispatch center has now encrypted all the police radio here, like just last year, which means that nobody can listen to scanners anymore. And they’re all very upset about it.

Thomas: But we voted not to encrypt. But we’re like part of a three-municipality thing where the other two municipalities outvoted us. So. And I have like. So that’s like Motorola Star or Starcom or whatever. And I have no idea how that system works. So somebody out there listening knows how the Motorola encrypted public safety radio stuff works and they should contact us so we can do a show and then I can look really smart in front of our village board and talk about stuff.

Deirdre: Now. Now I’m getting slightly nerd sniped about this.

David: I assume there’s some way that you could like have a, a lot of those police scanners have like a web portal and it seems like even if the whole thing was encrypted, you could just have a web portal and then I’d be like, oh, I can’. Have radio at home.

Thomas: Yeah, it is, it is funny to me that like, so it’s a really big deal that you can decrypt police radio in Europe and here it’s like, it’s a really big deal that they can encrypt police radio in the first place.

Deirdre: Yeah.

Thomas: And like, so most of my friends are like civil libertarian type people who really want transparency and are bothered by the fact that like, you know, we’re encrypting and making that stuff less transparent. But when you think about it, it is fucking ludicrous that if you’re like breaking into houses or whatever, you could just have a scanner with you. Just like, are they coming yet?

Deirdre: I mean, yeah, like, yeah, it seems.

Thomas: Like a non hypothetical actual public safety problem that you can like stalk the police. They’d literally be better off just using their cell phones.

Deirdre: Yeah. And I feel like they do do that, or at least other, you know, internal law enforcement services in the United States.

David: This is why I always coordinate my law enforcement action privately over signal. But then for transparency, I add the lead editor of the Atlantic to the group chat and that way everybody’s happy.

Deirdre: I add Jeff, and you don’t really check very hard about which Jeff, you’re adding.

Thomas: Well, well played both of you. That was very smooth. He just kind of worked it right in there.

Deirdre: But yeah, this, this is cryptography. It reduces a 128-bit key to only 56 bits. There’s replay, there’s injection. This looks pretty cool.

David: It’s got all the good stuff.

Deirdre: Yeah. And Nostr. I forgot about the Nostr.

Thomas: Yeah. I’m really, I’m really psyched about this. I’m very psyched about Thomas.

David: I feel like you get all of your joy in life from finding some like federated protocol that is more popular in Europe that does something security related. I’m just like on it. Just like, oh, these. It’s federated and it’s European. I bet it sucks.

Thomas: I’ve written enough Hacker News comments that like ChatGPT can do a pretty convincing me just based on my name. Like you can ask other people to do it. And it will get my technical opinions correct. Right. So I think if you asked. If you. If you asked ChatGPT to do a comment from tptacek on Hacker News about federation in secure messaging protocols, it’ll rattle off a pretty convincing. I’ll write a better set of paragraphs, but it’ll do a pretty convincing take of what I believe about.

Thomas: And I don’t believe anything interesting. I just actually believe what Moxie Marlinspike said about federating. I don’t think there’s much more to it than that. Right. And I’m not like. I like Moxie Marlinspike fine. He seems like a fine person, but we’re not like friends or anything. But like, to me, what he said about the decisions that Signal made simply made sense and then were completely vindicated by what happened with Matrix, which is a team, like, kind of doing the best they can.

Thomas: Like, they wound up in some strange places, but they weren’t doing things for the sake of convenience. There were Signal competitors that had more features and were easier to use and had synchronized buddy lists and all that stuff. Right. And the reason that they were competing so favorably on usability was. Was that they had been making every possible decision in favor of UX and away from security. And that’s not Matrix. Matrix has taken the hard way for almost everything. Right.

Thomas: Including up to Thomas.

David: You’re so right. The AI does an incredible version of you. I’m sorry, I just asked it like, it’s. Oh, it’s got your voice down. It’s like it’s a Fly.io blog post. Like right here.

Thomas: This is bad. Because what it really says is that I have ChatGPT voice.

Deirdre: No, no, no, no. You. You. You have enough material out on the public Internet that’s been ingested.

Thomas: Yeah, it’s bad.

Deirdre: And you know, these large language models are actually quite good at the language shit that. I think that’s. That’s most of it. Do I look like I know what a JPEG is? Yeah. I don’t think this is very European though, either. It’s. It’s just yet another Jack Dorsey. I don’t.

Deirdre: What’s. What’s the drug of choice for. For Messrs. Dorsey? They don’t do two CI. What do they do? They go on the Ayahuasca. It’s some Ayahuasca inspired initiative from. From Messrs. Dorsey et al.

Thomas: Definitely it’s not European. And I can tell you why. The. From the opening on Wikipedia about Nostr. This is not me. This is Wikipedia. 51% of Wikipedians believe what I’m about to say, which is the Nostr protocol was first written in 2020 by a right-wing Brazilian open source developer known by the pseudonym fiatjaf. Nostr was created as a result of perceived moderation issues on Twitter.

Thomas: So yes, it’s awesome and everybody should be using it. And how I know that is that every time the topic of federated secure messaging or Signal comes up on Hacker News, like three people come out of the woodwork to say that everybody should be using Nostr. And yeah, this year at Black Hat we have a. We have a response.

Deirdre: Okay, so one, we’ll put a link in the notes. What Moxie, when he was leading Signal, said about federation was basically it’s hard to control all the ends of the protocol that interoperate with your secure end-to-end encryption privacy protocol, because there’s the encryption part, but there’s other parts of Signal the service that are about privacy independent of the end-to-end encrypted messaging. Quote: it’s undeniable that once you federate your protocol, it becomes very difficult to make changes. That’s it. Signal wanted to be able to control all the ends, and they still do. This is also what WhatsApp does, but they don’t move as much. Well, they do, but they’re just moving in an inject-AI-into-every-little-corner-of-your-app direction. But for Signal, they control their Android clients and their iOS clients and their desktop clients.

Deirdre: And that means that they’ve been able to move pretty quickly because they control all the ends of the entire protocol. When you’re federated, you don’t control all the clients. It’s this open protocol. Ostensibly, someone has to control the evolution of the protocol. And as some of us who pay attention to things in the IETF or Bitcoin or any other open protocol know, that’s hard. It’s a lot of dirty human stuff about figuring out how to come to consensus or who is controlling the definition of the protocol. And then even if you have agreement about what the protocol is, getting all the clients to update to speak the protocol and have enough of them speak the same version of the protocol so that you get the guarantees that you need. And unfortunately, when you are trying to do this in a security setting, if you’re trying to improve security with a new version, you may have stragglers that might be on the old version.

Deirdre: You have to figure out what you want to do with people who haven’t upgraded yet. And if you have to worry about downgrades if you’re allowed to talk to the old version at all because of some security issue. And on and on and on and on and on.

Thomas: This has happened, I think this has happened three times with Matrix. Now the first was trying to make Matrix default encrypted, which it wasn’t for a long time. For years they had, you know, a multi-party, you know, end-to-end encrypted thing that couldn’t be enabled by default because a huge percentage of their clients simply didn’t support it. Right. And then when I think Kenny Paterson. Yeah, no, not Kenny Paterson. The Nebuchadnezzar. The Nebuchadnezzar.

Thomas: Yeah, yeah, I apologize, yes, I apologize to both of them. But like when they totally wrecked that protocol, and then trying to get Matrix transitioned from that wrecked protocol to MLS, which they still haven’t accomplished, but they could have reasonably quickly if they just controlled all the endpoints. And they’re like in the middle of a coordinated update for a cryptographic vulnerability right now. That’s going to take a while, just because they have a diversity of server implementations.

Deirdre: Is that, is that the one we’ve talked to, talked about in the past and they just haven’t been able to push the updates to everybody yet, or I forget.

Thomas: We keep like, I think we, we keep meaning to get the people from that team on, on the show and they should like I’m, I’m rooting for them. It never sounds like we are, but I am rooting for them.

David: Yeah, like the Nebuchadnezzar folks on the.

Thomas: Show, we had the Nebuchadnezzar folks on, but we haven’t had Matrix on to tell their side of the story or what they’re doing with it. And I think there was some ambiguity about which of the Nebuchadnezzar vulnerabilities they were going to address directly and which they were going to stopgap and which things are addressed by MLS.

Deirdre: Yeah, sure, it’s decentralized and federated, but like their proposal for encrypted end to end encrypted DMs was just bad by itself.

Thomas: This is Nostr.

Deirdre: Yeah, yeah.

Thomas: So like they, this talk, like the Nostr talk at Black Hat was also, I think, like just a week ago presented at IEEE Security and Privacy. So I mean it’s out there already, like some of the details on it, and I’d talk more about it, but what I really want to do is just get somebody from the team on the show and just go through it.

Deirdre: The Nostr thing.

Thomas: Yeah.

Deirdre: All right. So the thing at IEEE, this is bigger than just the end-to-end encrypted stuff.

Thomas: Oh yeah, no, it is. It’s like when I reviewed this, my description of this was it looks almost exactly like Nebuchadnezzar, which is like a fractal of things that could have gone wrong with like a complete ecosystem of like a secure messaging system. They found flaws in almost every component of that system and then tried to leverage them as far as they could. It seems like this is the same thing as that, the IEEE one. Yeah, the ecosystem-wide, except with a much dumber protocol than what Matrix started with.

Deirdre: Yeah, I think so.

Thomas: So I mean this talk is my happy place is how I would sum.

Deirdre: It up. Here they had a design sketch of the end-to-end encryption for messages and I don’t have it in front of me anymore. But yeah, the attack. Yeah, we sort of were touching on the federated nature of it making any secure end-to-end encrypted or security-based protocol much more difficult to maintain, period, control, period, evolve or improve or fix vulnerabilities or fix issues in general. And this is not just Nostr but basically any scenario that has federation. But that does not necessarily mean that you have a flawed end-to-end encrypted or whatever encrypted direct messaging design that allows you to forge encrypted direct messages. The subtle flaws in the design, event verification and link previews allowed them to forge those messages, impersonate user profiles and leak confidential messages from, quote, encrypted DMs. Yeah, I love this.

Thomas: Yeah, it’s, it’s, it’s EuroS&P and it’s not in the prophecies. Practical Attacks on Nostr.

Deirdre: I like, I like that name anyway.

David: Use signal is what we’re saying.

Deirdre: Yep.

Thomas: No, go to awesome crypto attacks, where they in 2025 break a secure messaging system using, wait for it, CBC malleability.

Deirdre: Yeah, it’s true. Yeah, yeah, it’s a good talk. Go, go, go Check it out at Black Hat in your end.

Thomas: If you’re listening, and we know you are listening to us, Nostr project people, come on the show and go through this talk with us. It looks really neat.

Deirdre: Yeah. I’m very curious about proposals for both how to do decent. Anytime someone is trying to bolt into an encrypted DMs or encrypted DMs onto a protocol, I’m very curious about how it goes because it tends to be a little bit difficult to Figure out the way to do it nicely, period. The best end to end encrypted chats are like that is the product first, like Signal. WhatsApp succeeded in that they controlled all of their clients. They were originally unencrypted and then they adopted the Signal protocol and they turned the entire billion plus user base to default end to end encrypted. And that’s probably the most successful thing that I’ve ever seen. But.

Deirdre: But again, the messaging was the product. For Nostr, for Bluesky, for things like Mastodon, I’ve seen proposals of how to do end-to-end encrypted DMs on the Mastodon protocol or whatever the actual protocol is underneath Mastodon. It’s always a little tricky, and one, it’s bolting it onto something that’s not. The design of the system is not about messaging first or private messaging first, but then second there’s federation involved. So I’m always curious about how these things work and evolve, because it’s not easy and they, they vary a lot about, you know, the, the constraints that they’re trying to operate under and how they try to solve them.

David: So anyway, okay, let’s talk about quantum factoring because. Because this podcast is biased towards quantum resistant crypto.

Thomas: Before we do that, before that, real quick, because I was looking up the details for this NOSTR thing on the Euro SMP thing and also on the EUROSMP program from like last week or whatever, there is a talk on attacking and fixing the Android protected confirmation protocol. Yeah. So this is like bypassing a guarantee that the trusted execution environment makes. It’s a formal methods talk. They did a formal proof and then from that the only formal methods talk that I’m interested in are the ones where you formally model something and then find actual vulnerabilities. And they did. So I don’t have any more details than what’s in the program here, but I’m guessing that somebody who knows somebody that was in this, you know, in this research team at the University of Edinburgh and then in Ria and a couple of other French places that I don’t know, somebody knows one of these people. And we would love to talk to you.

Thomas: This is how we get all of our guests, is I just do direct appeals to the world for research teams that find cool crypto vulnerabilities. And this is one of them. So you should also come on the show and explain to us how the APC protocol works and how you broke it. That’s also at IEEE S&P. Pretty decent crypto track this year, I feel like. That’s all I got.

David: And you should come to Vegas.

Deirdre: Yeah, come to Vegas. Come to SCW podcon. We have told several people, like, they’re like, ah, I wasn’t going to do XYZ. I don’t like this one. It was like you could just go fly in just for SCW podcon and then fire.

David: Do not need a Black Hat ticket.

Deirdre: No, you do not. This is not. Despite all of us having helped review submissions for the crypto track at Black Hat, this is not a Black Hat affiliated event. This is just us. You don’t need any other tickets.

David: This is just what I do for fun.

Deirdre: Yeah, quantum.

David: Yeah, let’s talk about quantum factoring. Speaking of things I do for fun. So there’s this paper that went viral called Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog by everybody’s favorite IETF commenter, Peter Gutmann. And it makes the general point that in terms of like actual progress by quantum computers factoring things, we have so far managed to not quite factor the number 35 when given the factorization as an input. We’ve done 15, 21 and 35, basically.

Deirdre: I mean, yes. And we’ve done that for a while now. And I will say, I think the best, the biggest, quote, physical qubit quantum computers that we have so far are, I think we have 100 physical qubits, and recent results are showing that we have a very, very reliable, high fidelity, highly error corrected logical qubit that we.

David: Can’t do operations on. It’s just kind of, it’s more like quantum memory.

Deirdre: Sure. We basically, a couple of months ago, the Google Compute folks showed that you can, in fact, with better algorithms for error correction, make a more reliable logical qubit by adding more physical qubits to do your quantum error correction. Previously this was theorized as possible, but they kept throwing physical qubits at it and they couldn’t. It’s supposed to be like this, you know, nice scaling factor that’s not just purely linear in how many physical qubits you would throw at your error correction algorithm to give you a more reliable logical qubit. Because in terms of reliability, it’s literally the way that quantum algorithms work is by taking your logical qubits and you put them together in a quantum circuit and you do a little thing, you do a little twiddle, and then you reconfigure them into another quantum circuit and then that’s the next transition, and then another and another and another. And if they degrade over time, you can’t do good algorithmic computations with them. So you need a high fidelity, reliable logical qubit.

Deirdre: We have one. We finally have one very good reliable qubit. I think it’s like 10 to the negative 6 or whatever errors or something like that. And they’re trying to get 10 to the negative nine or whatever it is. They have something very good and they think they can make it even better. But still it’s just the one. You can’t do much logic, quantum or digital logic, with just the one.

Deirdre: So all of our quantum computers that we have so far are driving the field of quantum information and quantum computing forward, but they’ve still not shown any actual improvements on being able to execute Shor’s algorithm, the big threat against classical asymmetric cryptography, because they’ve all just been small. The best that the quantum computers can do has basically been the same or worse as the best that modern digital computers can do. This paper is making a point of that again by using an 8-bit home computer, an abacus and a dog to factor 35.

David: Yeah, I think that there’s like a valid argument about, like, in terms of prioritization, like, is the security problem that you’re really concerned with the fact that a quantum computer might exist in the future versus, say, can I patch vulnerable versions of Apache, whatever? Like, you know, yeah, the credit report kind of, I want to say Equifax had like an unpatched Apache something something and that’s why, like, everybody in the US’s Social Security number leaked. But like, it’s just not, it shouldn’t be high on the priority list for most organizations. I was at, like, a post-quantum thing in Maryland a few months back and Rob Joyce, former head of NSA TAO and maybe NSA generally, was there and I did talk to him and I was like, look, who should, like obviously the US government cares about this, but like who should actually care about this, like, besides the US government? And his comment was basically anything that has to deal with national security systems and anyone who’s already worried about state level attackers should probably worry about this. And I think that’s like a decent way of looking at it. Like, again, I’m not sure that I would even rank it above, like, you know, getting exploited by 0-days or something like that. But at the same time, like, I don’t know, the US government has decided it’s important and so the reason that all of this work is happening is because the US government has decided that it needs to happen. And like, whether or not we are ever able to factor 35 and outperform Peter Gutmann’s abacus and dog, like, I don’t know, it kind of doesn’t matter, because the constraints that we’re working with are, well, the US government has decided that this is important for this class of systems.

David: Then the stuff that Deirdre and I work on for work is technology that is used in those contexts. And so we have requirements around it and we have to go solve them. Is that a full employment program for cryptographers? Sort of. Maybe, I don’t know. But I didn’t go to the government and advocate for this and I probably wouldn’t have pushed it as the highest priority thing. But like, yeah, arguing about, you know, we all know it’s not the most practical security risk right now, but that’s not what is pushing it. What’s pushing it is we were told we have to solve it, so we’re solving it.

Deirdre: Yeah. And I would make the argument of, like, yes, if you want to be very, very kind of practical minded of, like, who right now or who in the next five, 10 years has to factor this sort of threat into their threat model. Yes. State level national government systems, national security systems, and anyone who has to worry about state level adversaries. Okay. Nation state attackers. Okay. And we can think of the type of organizations that can fit into those buckets.

Deirdre: Cool. Great. All right, sure. I am also aware of how, because of the compute capability and the kind of shared resources, projects, protocols that everyone uses, it’s not unheard of for someone to start a business or start a project or something like that on AWS, Google Compute, Azure, whatever your compute platform may be. And then at some point you become big enough and important enough that someone starts to come after you because you became a victim of your own success. And then all of a sudden you didn’t think, I just do, you know, this little app, this little service, no one really cares about me. And then five to 10 years later, no, someone big, someone cares about you for some reason and they happen to have access to a cryptographically relevant quantum computer in their back pocket. But you didn’t think about that when you started building all of your shit.

Deirdre: If we have good, secure cryptographic defaults in our compute infrastructure, in our protocols, in our software packages that everyone seems to rely on, you don’t have to worry about that. If they’re efficient enough and fast enough, then you shouldn’t even have to think about it. It’s not even like, I could use this because it’s available to me, but it’s a little too big, it’s a little too slow, fuck it, I’m going to go use the faster one. There will be scenarios, depending on the constraints of your systems and your users, where you may pick that. But if it’s like a toss up, like, yeah, sure, this is fine, I can use hybrid key agreement and it’s fine.

Deirdre: Or I can use the base level post-quantum signature that’s now being offered by my package or my compute or my key management service or my certificate authority or whatever it is. You can just be like, yeah, sure, that works fine. And you don’t think about it and you don’t have to worry about the day where you become the victim of your own success and become targeted. That’s kind of like the world I’m looking towards: hopefully we can just sort of be in a world where you don’t even have to think about this sort of thing and whether this is in your threat model, because maybe today it’s not in your threat model, but there’s a possibility that it will become part of your threat model, and it’ll be a lot harder for you to mitigate it when it comes to that point, and you might already be vulnerable to that sort of thing. So don’t worry about factoring by a dog. I don’t know.

David: Yeah, I mean, complaining to the IETF is not gonna make a difference here, I don’t think.

Deirdre: Yeah, yeah, well, we’re trying the IETF. I’m actually quite pleased because I was complaining that we were moving too slow, but it seems like people are moving, so maybe we aren’t moving too slow, but we’ll see about that in the IETF. Just to tie a knot on that paper. TL;DR: yes, you can outperform or equally perform factorization of known small numbers the same as the best quantum computers we have, because they’re small numbers. When the numbers get very, very big and we have an actual cryptographically relevant quantum computer, if, and I’m pretty sure it’s going to be when, but, like, you know, is it going to be in time for the targets, or is it going to be this kind of, you know, catching-up race forever and ever? We’ll see. But when the numbers get cryptographically big, that is where these algorithms are.

Deirdre: That’s where the threat is. Not when the numbers are this small. Shor’s algorithm as a test for, like, are the quantum computers good yet for small numbers? That’s not the benchmark. It’s not a relevant benchmark for seeing, like, are we there yet? Are we there yet? Are we there yet? No, it’s going to be stepwise. It’s going to be, where are these two different growth curves? Like, you know, it’s going to be the non-quantum for a long, long time and then all of a sudden there’s this boundary crossing thing where the quantum computer just completely blows it away and the other classical digital computers just cannot keep up, and that’s when the computers are large enough to attack these large cryptographically relevant parameter sizes. So very good troll, Peter Gutmann.

David: I’m sure we’ll have some sort of long term support for classical computers factoring small numbers anyway.

Deirdre: We absolutely will. And as someone reminded me the other day, the classical computers are key parts of making the quantum computers go. Like, how do you think they run those very important error correcting algorithms? They’re run on the classical computers. And it’s very important that those classical computers have all the good computer software and firmware and infrastructure security built into them, because we don’t want the quantum computers to get pwned because the classical computers used to make the quantum computers compute are just open to crazy vulnerabilities, because I’ve heard some and I don’t like it. So just make sure you’re doing good security for your quantum computers as well.

David: We’ll add the YouTube channel 3Blue1Brown, which has a bunch of math visualizations. Like a couple weeks ago or a month ago, he did a very, very good video about how Shor’s algorithm works and then the follow-up video about how he lied about how Shor’s algorithm works, with more details. Which is like a classic math thing.

Thomas: Right.

David: So I highly recommend everyone go watch it because he’s very, I’m forgetting the person’s name, but he’s a very, very good math communicator and he wrote his own visualization library, basically, to build all of these math visualization videos. He does, he has another really good.

Thomas: Now every, it used to be every math visualization or every math lecture video on YouTube was done in the style of Khan Academy. Yeah, like all with people drawing, and there’s little neon things on a black screen. And now every fucking math video anywhere on YouTube is done in 3Blue1Brown style. Because he open sourced that library and made a video explaining how to do it.

David: Now, though, I will. 3Blue1Brown got to start working for Khan Academy. So.

Thomas: For fuck’s sake.

Deirdre: Okay, we have to. Oh, Grover’s. He’s okay. I was Googling. Sure. He did Grover’s algorithm.

David: Oh, yeah, sorry. He did Grover’s algorithm. Not for.

Deirdre: This is cool. I got to watch this.

Thomas: Am I the only person on the Internet who was not helped at all with linear algebra by the 3Blue1Brown videos? Like, it’s life changing for people. And I watched that. I like them fine. They’re like, they’re entertainment content for me. But, like, I come out of that with no greater facility for actually doing anything with, like, eigenvectors or whatever.

David: I took linear algebra before these videos existed.

Deirdre: Exactly. I did this. I took linear algebra in 2006. So I had a very good lecturer and he wrote the book that he gave to us. And I think that’s the best I’ve ever done in a math class at MIT was my linear algebra class.

Thomas: I have to actually do problems to learn anything. Although.

David: Was it this one? Strang.

Thomas: That’s mine. That’s mine.

David: You were taught by Strang.

Thomas: You were taught by Strang.

Deirdre: He was lovely. He was an excellent teacher. I did great in that class. This might be why I’m bored with opinions here.

Thomas: Shocking. Deirdre likes Gilbert Strang.

Deirdre: No, but I think this might be why I’m bored with lattice math, is because I’m like, oh, yeah. It’s just all like, it’s the thing I did best at in my MIT undergrad.

David: I took it in 2012 with some professor who looked like Tom Cruise. And that’s like all I remember from the class. Linear algebra is one of those things that I’m incapable of retaining for more than, like, a month. And I learned it and then it just went out the other ear.

Thomas: I learned it from that, from that book and then from the Gilbert Strang YouTube series from the 18.03 class, which I gotta say, like, you gotta watch those videos. You gotta watch them at 2.5 speed and then towards the end of each lecture, cut it back to his normal speed so he sounds chopped and screwed. It’s awesome.

Deirdre: 18.03 or 18.06? I think it was 18.06. 18.06. Yeah.

David: And then at some point, you actually have to do math problems to learn it.

Deirdre: Yes, you do.

David: That’s the part that sucks.

Deirdre: Yes. Cool. And I have to catch up. I’ve never seen 3Blue1Brown. So now I have something to enjoy.

Thomas: Yeah, they’re great. It’s.

Deirdre: And like, especially because I have a bunch of stuff queued up for quantum information. There’s like an improvement of a quantum attack algorithm. And now this will, you know, re-prime my brain cache for it, because they have a couple of quantum information videos. Cool. Do we have one more thing?

David: We have one more paper, which is How to Prove False Statements, which you already have a video about from January, but there’s like a Quanta article or something, a pop sci article about this, and people have been asking us to comment on it.

Deirdre: Okay.

David: And so we’ll just have Deirdre’s proof corner and Thomas and I’ll mute and go off camera while Deirdre explains why this paper is not that big of a deal.

Deirdre: Well, actually, it’s not like the paper was showing some sort of fundamental reorganization of, like, information provability, whatever. This is specifically about Fiat-Shamir, the Fiat-Shamir transform that takes an interactive protocol. Usually they’re called a Sigma protocol, where there’s someone that makes a commitment. This is usually the kind of protocol that you apply Fiat-Shamir to: someone makes a commitment to something like a nonce or something else.

Deirdre: They send that to another party, they make a challenge based on the commitment value, which is public, and they send the challenge over, and then there’s a response based on the challenge and the commitment and any other information that they have to compute over. And there’s usually some sort of secret value, and the only way that they can create a response that will validate with the whole protocol is that they have access to the secret value or something like that. Then they send that over and then the validator, which is the responding party, checks everything and checks that it all computes. And you smush all this down using a hash function or something like it, and you’re able to compute the challenge via the hash function of everything that comes before, so that you don’t need this interactive protocol anymore. It just turns into a non-interactive thing. And this is how we have signatures like, sort of like, ECDSA.

Deirdre: ECDSA is a kind of funny bastardization of Schnorr. Schnorr also did this lovely protocol, and you Fiat-Shamir it and you get Schnorr signatures. But Fiat-Shamir is very important for all of these zero knowledge proof protocols, for SNARK protocols that everyone in kind of the zero knowledge space and a lot of cryptocurrency spaces really, really, really like; they go to town and they just throw Fiat-Shamir on these big, big, big complicated protocols. And we knew that, like, especially the Trail of Bits folks did a lot of work prior to this paper about how it really, really matters, when you are taking a protocol and you are Fiat-Shamiring it, that you include everything you need to include in that Fiat-Shamir transform, and you commit to it and use it when you’re computing these challenges and everything else. And that includes the public base parameters, all the public information that the, quote, adversary can see, public keys, the description of the protocol. Like, you know, there’s a lot of data that you might have, especially when you get into more complicated things like a ZKVM or something like that, or just these much more complicated protocols than just a signature scheme, which is basically proof of identity or kind of proof of possession. Those are very, very simple. But once you get a lot more complicated, there’s just a lot more stuff that’s very important to include in your Fiat-Shamir transform. And it’s easy to forget something.

Deirdre: This paper basically was a dirty dirty hack, a brilliant dirty dirty hack, where they were basically able to embed into the actual transform the computation of, I forget if it was the, I think it was the challenge, so that they’re able to prove something, they’re able to prove a false statement, because they’re able to compute the thing inside it on the fly, instead of it actually being computed ahead of time or deterministically or whatever. It’s this convoluted dirty, dirty hack. And we’ll include a link to my edit of doing a deep dive on it. It is not exactly about, haha, we can just prove fake shit all the time. It is an object lesson in: it’s hard to do Fiat-Shamir securely, the more complicated your protocol gets and the more complicated your statements are. The things that are very simple,

Deirdre: the result of very simple Fiat-Shamir of very simple protocols, sort of the way you get signatures and very simple kind of zero knowledge commitment schemes or something like that, those still seem fine; it’s just very simple. This paper is more like, there’s a lot of things you have to get right to do this securely with more complicated protocols. And it’s also like, it may be a death knell for things like zero knowledge VMs, which take an arbitrary circuit statement, like an arbitrary program, and they’re trying to prove execution in zero knowledge. That’s the whole kind of value statement of a ZKVM. You can run something on the fly in your virtual machine in zero knowledge and just prove that it executed, and that it executed correctly, and that’s all you’re doing. But you’re accepting arbitrary programs, arbitrary, quote, circuit statements to the VM.

Deirdre: And it seems very clear that an attack like this is going to be very, very hard to just fully mitigate in a ZKVM construction. You’ll just be like, whack-a-mole. It’s going to make it really, really hard to provide the value that a ZKVM in theory would provide you while also mitigating every possible avenue of this sort of attack. Yeah, for this paper that was written about in Quanta: we construct an explicit circuit for which we can generate an accepting proof for a false statement.

David: And let’s see, this kind of reminds me, there’s like a class of people that think imaginary numbers aren’t real. And I mean that in the colloquial way and not the math way, which is definitionally true, because they think it’s an affront to God. And so then they show you these proofs, this is like a real thing. And then they show you these proofs of how, like, i can’t exist, because, like, you square some stuff, then you take the half power, then you end up with something that looks like negative one equals one. And the problem with them is that all of these proofs are just using the square root operator incorrectly. And then you just end up losing a minus sign because, like, plus or minus or odd. And then you end up with one or negative one. And yeah, that’s what this reminds me of.

David: Yeah, we’ve not broken all math.

Deirdre: No, absolutely not. The title of the paper is very good because that’s what they’re literally doing. They’re able to construct a circuit, and they’re able to make a proof. They’re able to send it to the scheme, which has this, you know, it’s not covering everything completely. And so they’re able to prove something that’s not true. They’re able to produce a proof that is proving a statement that is not in fact true. And that’s, I think it’s, I forget which one.

Deirdre: It’s soundness versus completeness. Soundness is like, the proof system is truthful, so whatever it proves is true, versus completeness, which is, it’s comprehensive, so we can prove all true things. So it breaks soundness, because it’s producing a proof that validates for something that is not true. And then I’m just going to go through their conclusion because it’s quite good. We find the violation of Fiat-Shamir of a standard and natural protocol to be very concerning. It raises the question about whether Fiat-Shamir of other protocols is secure.

Deirdre: It is worthwhile to point out some specific properties of the GKR-based protocol that we considered in this work which facilitated our attack. While we do not know how to attack protocols that do not satisfy these properties, that doesn’t mean these attacks don’t exist. It is useful to compare the modern applications of Fiat-Shamir to those originally envisioned in the 80s and 90s, specifically in the context of constructions of digital signatures. Yep, the original uses applied to very specific identification schemes. In contrast, the modern usage is intentionally designed for protocols that are to prove general purpose computations. Our attack leverages this in order to invoke the proof system relative to a computation that involves the computation of the Fiat-Shamir hash function itself. Yes, as well as the polynomial commitment. Okay, so I remembered it right, but it was like how it’s computing its challenge via the hash function over the circuit that they were able to manipulate.

Deirdre: The GKR-based protocol has a key property: the prover does not commit to the full computation trace, which is one of the most compelling features of the protocol. Unfortunately, the fact that the computation is not committed to also enables our attack. We can consider explicitly invoking the hash function without needing to commit to the corresponding computation trace. Thus a natural countermeasure for this is to ensure that the circuit family considered is not powerful enough to compute the hash function. This can be done in any natural computational resource, but some natural ones are depth, such as of an arithmetic circuit, or potentially algebraic degree, yada yada yada. They emphasize that while we do not know how to attack protocols that place these countermeasures, whether or not they’re actually secure is an open question. Oh, we lost David. David’s been having recording issues.

Thomas: Yeah, he gave us a command which is plug the event and end the episode.

Deirdre: Okay, so yeah, we can’t prove arbitrary false statements. This attack was a very clever attack against a very particular protocol. But the protocol itself has a kind of weakness that is both attractive, I forget why, it’s probably more efficient or something like that, but is also open to this vulnerability, because you’re not actually committing to the entire thing you’re going to compute, and therefore when the, quote, attacker hands you a thing to compute that includes in it the thing that computes the challenge, AKA a hash function, it’s able to just turn it on its head and prove something false, produce a proof of a statement that’s actually false. It is mitigatable, but it’s unclear if it’s mitigatable, period, for protocols like this, and also how much mitigating this vulnerability will affect things like ZKVMs or other arbitrary computing in zero knowledge. But that’s it. It’s very relevant for ZK people and people who care about Fiat-Shamir. Don’t worry.

Deirdre: Don’t worry about it.

Thomas: And with all that having been said, I would like to recommend everybody come out to Vegas to the SCW podcon event, where the vibes last year were immaculate, and with that, because David asked me to, I have ended the episode.

Deirdre: Bye.