Kevin Lewi

53 posts

@_klewi

applied cryptography @Meta

Menlo Park, CA · Joined December 2018
65 Following · 196 Followers
Kevin Lewi retweeted
Thibault
Thibault@thibmeu·
Cloudflare is now verifying WhatsApp Key Transparency proofs as a way to help ensure public keys integrity. Details are in the blog blog.cloudflare.com/key-transparen…
Kevin Lewi
Kevin Lewi@_klewi·
@matthew_d_green Potential hardware flaws which if exploited could give attackers access to... a *super* talkative personal assistant that has access to your phone's data / messages / notes / photos...?
Matthew Green
Matthew Green@matthew_d_green·
Finally, there are so many invisible sharp edges that could exist in a system like this. Hardware flaws. Issues with the cryptographic attenuation framework. Clever software exploits. Many of these will be hard for security researchers to detect. That worries me too. 18/
Matthew Green
Matthew Green@matthew_d_green·
So Apple has introduced a new system called “Private Cloud Compute” that allows your phone to offload complex (typically AI) tasks to specialized secure devices in the cloud. I’m still trying to work out what I think about this. So here’s a thread. 1/
henry 🌘
henry 🌘@hdevalence·
TIL (thanks to @str4d) that Signal's username feature is built on top of cryptography work I did a few years back. When you publish low-level work it can feel like you're putting ripples out into the void. It's really nice to see how they reverberate :) wired.com/story/signal-l…
Kevin Lewi
Kevin Lewi@_klewi·
We've made our library publicly available in the hopes that other encrypted messaging apps looking to deploy key transparency to a large user base can do so more easily -- github.com/facebook/akd Open to PRs and general feedback!
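The verification step that several posts on this page revolve around (Cloudflare checking WhatsApp's key transparency proofs, the akd library above, and the "untrusted server, trusted client device" threat model Kevin states further down) reduces to a client recomputing a hash path and comparing it with a root it already trusts. The following is an added Python example written for this page; it is not code from facebook/akd or WhatsApp, which use a different (append-only, privacy-preserving) directory construction. The leaf/node hashing layout, the padding rule, the `DirectoryServer` class and the sample directory are all assumptions made for the illustration.

```python
"""Toy key-transparency check: a Merkle tree over (username, public key)
bindings, the inclusion proof a directory server hands a client, and the
client-side verification against a published root.

Added illustration for this page; NOT code from the facebook/akd library.
The hashing layout, the padding rule and the sample directory below are
assumptions made for the example."""
import hashlib


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(user, key):
    # Domain separation: a leaf can never be mistaken for an inner node.
    return _sha256(b"\x00" + user.encode("utf-8") + b"\x00" + key)


def node_hash(left, right):
    return _sha256(b"\x01" + left + right)


def build_tree(directory):
    """Return (root, levels, users). Leaves are ordered by username so every
    user has a deterministic position; odd-length levels are padded by
    duplicating the last node (assumed rule, keeps sibling lookup simple)."""
    users = sorted(directory)
    level = [leaf_hash(u, directory[u]) for u in users]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            break
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return levels[-1][0], levels, users


def inclusion_proof(levels, index):
    """Sibling hashes from the leaf up to (not including) the root, each
    tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(root, user, key, proof):
    """What a client (or a third-party verifier) does: recompute the path and
    compare it with the root it already trusts. The server is untrusted;
    only the root is pinned."""
    node = leaf_hash(user, key)
    for side, sibling in proof:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == root


class DirectoryServer:
    """Untrusted server: stores bindings, publishes a root, answers lookups."""

    def __init__(self, directory):
        self.directory = dict(directory)
        self.root, self.levels, self.users = build_tree(self.directory)

    def lookup(self, user):
        return self.directory[user], inclusion_proof(self.levels, self.users.index(user))


# Constructed sample directory: usernames -> placeholder 32-byte public keys.
DIRECTORY = {
    "alice": bytes.fromhex("11" * 32),
    "bob": bytes.fromhex("22" * 32),
    "carol": bytes.fromhex("33" * 32),
}


def demo():
    honest = DirectoryServer(DIRECTORY)
    pinned_root = honest.root  # root the client obtained out of band / from an auditor

    key, proof = honest.lookup("alice")
    honest_ok = verify_inclusion(pinned_root, "alice", key, proof)

    # Attack 1: the server returns an attacker-controlled key with the honest proof.
    evil_key = bytes.fromhex("ee" * 32)
    substituted_ok = verify_inclusion(pinned_root, "alice", evil_key, proof)

    # Attack 2: the server rebuilds the whole tree around the bad key. The proof
    # verifies against the NEW root, but that root differs from the pinned one,
    # which is what comparing published roots (auditing) is there to catch.
    rogue = DirectoryServer({**DIRECTORY, "alice": evil_key})
    rogue_key, rogue_proof = rogue.lookup("alice")
    rogue_self_consistent = verify_inclusion(rogue.root, "alice", rogue_key, rogue_proof)

    return {
        "honest": honest_ok,
        "substituted": substituted_ok,
        "rogue_self_consistent": rogue_self_consistent,
        "rogue_root_matches_pinned": rogue.root == pinned_root,
    }


if __name__ == "__main__":
    print(demo())
```

The second attack is the reason a single verifier is not enough: a server can always produce a self-consistent tree, so the client's guarantee comes from everyone (clients and auditors) seeing the same root, not from the proof alone.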
henry 🌘
henry 🌘@hdevalence·
under-remarked in this Apple announcement is the fact that for the first time in a decade or more, there is now an aspect in which Signal is behind the state of the art in secure messaging. huge congrats to the team, it’s a massive leap forward! security.apple.com/blog/imessage-…
henry 🌘
henry 🌘@hdevalence·
@kryptoklob actually that’s not hard at all. it is the state of the art. no other messenger attempts to solve this problem.
Kevin Lewi
Kevin Lewi@_klewi·
@dionyziz @WhatsApp Yes, that’s right. The server needs to be trusted during binary distribution (and app install-time). Efforts like binary transparency, and ways to allow clients to recompile the binary given its source code, would help to make this assumption more realizable in practice…
Dionysis Zindros
Dionysis Zindros@dionyziz·
@_klewi @WhatsApp Hi Kevin! Thanks for the very considerate response here, and sorry if my initial question here was rude. Follow up: Is the server trusted at some moment in time and then assumed to become corrupted? Otherwise how does the client trust the binary distribution?
Dionysis Zindros
Dionysis Zindros@dionyziz·
When @_klewi came to Stanford to present their work on @WhatsApp end-to-end encryption, I asked what the threat model is. The question was dismissed as "philosophical". Do you guys have a threat model?
Kevin Lewi
Kevin Lewi@_klewi·
@dionyziz @WhatsApp IIRC a question came up during my visit around whether or not an implementation of E2EE should actually be considered E2EE if it is not open-source. It was out of scope for my talk at the time, but perhaps it is in scope for twitter 😄
Kevin Lewi
Kevin Lewi@_klewi·
@dionyziz @WhatsApp Hi! Our threat model for key transparency is, roughly speaking, “untrusted server” but “trusted client device”. Apologies if I directly dismissed your question during the presentation, as I certainly didn’t intend to come across that way!
Kevin Lewi
Kevin Lewi@_klewi·
@sweis @deanpierce We also need to assume that there isn't a copy of the signing key on these HSMs stored anywhere else. Presumably they need this in order to provision more Orbs, but this also means that if it were to leak, adversaries could sign anything they want...
Steve Weis
Steve Weis@sweis·
@deanpierce Ah, some of their marketing copy made it sound like a cryptographic fuzzy hash. It's not and is just a way to encode the biometrics. I think they heavily rely on the Orb's physical security, regardless.
Steve Weis
Steve Weis@sweis·
I can't find any details of WorldCoin's IrisHash and based on the lack of any security details, would presume it's going to be broken.
Sergey Gorbunov@sergey_nog


Kevin Lewi retweeted
Sergey Gorbunov
Sergey Gorbunov@sergey_nog·
There will be 1000 write-ups criticizing the technology, approach, or distribution of @worldcoin. In fact, it's pretty easy to do this for any person with a crypto/security background. + You'll get a lot of media attention. But I think it's important to take a step back, imagine the potential of what if this actually works, understand the technical limitations, and see how we can solve one problem at a time. The project is still in the early phases of development. After browsing the docs for a few hours (they're very good for an early-stage project), here are a few low-hanging recommendations to the team.
* Make the audits public. Seems there were two audits done by Nethermind & Least Authority. The audits are not public yet. whitepaper.worldcoin.org/other-resources
* Run public security contests and bug bounties, e.g., using @immunefi and @code4rena.
* Clearly state the assumptions. In any crypto/security system, it's important to understand the roots of trust. The assumptions should be of the form: "We trust that (a) the Orb is not compromised, (b) the PKI around the Orb is secure, (c) the ZK proof by Groth16 is secure, (d) the user's device storing the key is secure, etc."
* State the assumptions around the Orb, e.g.: the Orb generates an iris code of length X such that for all scans of all Orbs of the same person, the Hamming distance between any two pairs of scans is < Y, and for all pairs of iris scans that belong to different people, the Hamming distance is greater than Z.
* It wasn't clear to me where the iris data is stored and not stored. Make that very explicit. Which devices / services have access to the full iris data vs its fingerprint? Is the fingerprint lossy or cryptographically secure? [i.e., no info about the pre-image, the iris sequence itself, can be extracted from the public info (statistically) vs it's protected using crypto and holds private under some crypto assumptions].
* Anticipating a backlash of academic papers breaking the protocol, proactively engage with them, e.g., create research grants for folks to write a paper breaking some part of the protocol and suggesting a way to fix and improve it.
* Start an open-source research / development program for alternatives to the Orb hardware implementation. cc @mnovendstern, @sama, @chriswaclawek
Sergey Gorbunov@sergey_nog

Going forward, the Hamming distance between your eyeballs and mine will be used to differentiate us. This will be fun. cc @worldnetwork

Kevin Lewi retweeted
Esha Ghosh (she/her)
Esha Ghosh (she/her)@EshaGhosh87·
Excited to announce the 1st Workshop on Cryptography Applied to Transparency Systems (CATS)! Nov 30, 2023, co-located with ACM CCS in Copenhagen. Submissions due Sept 1. More details here: catsworkshop.dev
Kostas Kryptos
Kostas Kryptos@kostascrypto·
@_klewi @backaes For anything not verifiable show a warning that authenticity cannot be verified. I.e., it's ✅ if the uploaded image was signed by: a) an enclave (i.e., iPhone screenshot signed by the enclave) b) by the source website (through export/download, not plain screenshot).
Kostas Kryptos
Kostas Kryptos@kostascrypto·
Every online news site should digitally sign their posts (for each edited action as well - some posts are revised) to slightly reduce misinformation by photoshop. Then Twitter, FB and co should verify screenshot sigs, during upload and obviously before misinformation spreads.
Kevin Lewi
Kevin Lewi@_klewi·
@matthew_d_green The definition of MPC went from "two or more parties compute a joint function on their private inputs" to "a protocol in which parties interact with each other in some way" 🤦‍♂️
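The first definition in the post above ("two or more parties compute a joint function on their private inputs") in its simplest runnable form: secure summation with additive secret sharing. This is an added Python example written for this page, not code from any library or from either participant; the prime modulus, the three-party sample inputs and the in-process message passing are assumptions.

```python
"""Secure summation with additive secret sharing: n parties jointly compute
f(x_1, ..., x_n) = x_1 + ... + x_n without any party revealing its x_i.

Added illustration, not from any library; the modulus and the sample inputs
are assumptions. Messages are passed inside one process to keep the example
runnable; in a deployment each row of `dealt` would travel over an
authenticated channel to the party it is addressed to."""
import secrets

P = 2**61 - 1   # assumed prime modulus; inputs must be smaller than P


def share(x, n):
    """Split x into n shares summing to x mod P. Any n-1 of them are
    uniformly random, so they reveal nothing about x."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


def secure_sum(inputs):
    """Run the protocol and return (result, views), where views[j] is the
    complete list of values party j received from the others."""
    n = len(inputs)
    # Round 1: party i shares x_i and sends share j to party j (keeping share i).
    dealt = [share(x, n) for x in inputs]
    views = [[dealt[i][j] for i in range(n)] for j in range(n)]
    # Local step: each party adds the shares it holds; no communication needed
    # because addition commutes with the sharing.
    partial = [reconstruct(v) for v in views]
    # Round 2: the partial sums are broadcast and combined. Only the total is
    # revealed; each x_i stays hidden behind n-1 random shares.
    return reconstruct(partial), views


def demo():
    inputs = [5, 7, 11]   # constructed private inputs of three parties
    total, views = secure_sum(inputs)
    # Party 0 holds exactly one share of every other party's input, which is
    # not enough to reconstruct any of them.
    return {"sum": total, "shares_seen_by_party_0": len(views[0])}


if __name__ == "__main__":
    print(demo())
```

The interaction pattern is what separates this from "parties talk to each other somehow": every value a party receives is a uniformly random share, and the function output is the only thing that ever leaves the shared domain.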
Matthew Green
Matthew Green@matthew_d_green·
The only thing funnier than crypto not meaning cryptography anymore is watching crypto folks misuse ZK, MPC, SNARK and STARK.
Kostas Kryptos
Kostas Kryptos@kostascrypto·
@backaes You cannot get screenshots arbitrarily, the news website should have a signed export “simulated” screenshot. Twitter and FB should not allow plain (unsigned) screenshots.