The highlights of the third day of CRYPTO were known ahead of time and yet did not disappoint: an invited talk by Adam Langley on TLS, the presentation of the best paper award, and the business meeting followed by the beach barbecue.
Adam Langley, known for his work at Google on TLS and HTTPS, addressed the joint session of CRYPTO and CHES (Cryptographic Hardware and Embedded Systems workshop) with a talk “Why the web still runs on RC4”. A little background would be helpful here. RC4, a fast, simple, lightweight stream cipher, was designed by Ron Rivest in the late 80s. It has had a turbulent, eventful life, and at the peak of its popularity it was the most common encryption mechanism in SSL/TLS. The young upstart—AES-CBC—was slowly gaining ground on it, and for several years RC4 was seen to be nearing retirement from active service. However, several serious attacks against AES-CBC over the last two years made RC4 the cipher of choice again. It wouldn’t be so bad if RC4 offered rock-solid security, but old and new attacks make it unsuitable for applications that support multiple encryptions of the same data.
In his talk, which used refreshingly few slides (mostly for statistics and quotes), Adam Langley gave an overview of how we ended up in this sorry state. In short (and it was a recurring theme in his talk)—the web is a mess and full of bugs. There are several dynamics in play here: new attacks come out, patches are often easy, but they break existing servers that relied on the old behavior (most often due to bugs of their own). Since no browser commands a dominant market share, a frustrated client becomes the browser’s problem, not the server’s. In a severe case of collective inaction, no browser is willing to apply the patches unilaterally, which gives servers no incentive to update their software. There was, of course, more to the talk than just this observation. The talk will be available online and should be fun to watch.
The best paper award went to the paper by Faruk Göloğlu, Robert Granger, Gary McGuire and Jens Zumbrägel from University College Dublin (Ireland). The paper broke records in solving the discrete logarithm problem in fields of small characteristic. They built upon Antoine Joux’s earlier work, and he and his co-authors improved upon Göloğlu et al. just two months ago. The most important question, of course, is whether these methods, which are applicable only to finite fields with very specific properties, may be extended or adapted to prime fields. Real men ask whether factoring would become easy. Although it is true that progress in discrete logarithm and factoring has proceeded in lockstep, crossing the chasm from the fields of small characteristic to the RSA problem seems to be rather difficult (but, given the number of surprises at this CRYPTO, I would never say impossible).
The standard feature of Wednesday at CRYPTO is the business meeting. After taking care of the official business of the IACR (true to the name of the event), the current president of the association, Bart Preneel, explained the rationale behind launching a discussion on rethinking how and where we publish. He stated several goals or principles, such as that the end result should motivate submission to more journals, with higher impact ratings, and open access to all papers published by the IACR. A spirited discussion ensued that (in my estimate) changed no one’s opinion. I came away with the impression that the board of the association will formulate questions that the total membership will vote on.