1st Workshop on Advanced Cryptography Standardization

Sunday August 18, 2019

Located in Corwin West, UCSB

General Information

Sunday August 18, 2019

Affiliated event to Crypto 2019 -

Located in Corwin West, UCSB


Tancrède Lepoint (Google) & Daniel Benarroch (QEDIT)


The past decade has witnessed the first successful deployments of encrypted computing, multiparty computation, and cryptographic zero-knowledge proofs as privacy preserving technologies. In order to enable the mainstream use of these technologies and educate application developers, several community based standardization groups have been created (,, and standard organizations (ISO, NIST, IETF) are already considering how to standardize these advanced cryptographic techniques.

This workshop focuses on bringing together a community of researchers, practitioners, and organization bodies to highlight the importance and challenges around the standardization of these complex cryptographic protocols. The workshop covers many topics from applications, to security, to formal verification, to APIs and enterprise adoption.

The first edition of the workshop focuses on zero-knowledge proofs, fully homomorphic encryption and threshold cryptography. The workshop features a keynote by Luís Brandão (NIST) who will update the community with NIST’s views on standardization of these technologies.

Supported by

This event is part of the DIMACS/Simons Collaboration in Cryptography, supported by the National Science Foundation under grant number CNS-1523467.


Session 1 - Keynotes (9h00 - 10h30):

    • Opening Remarks
    • Luís Brandão (NIST) A perspective on standardization of advanced cryptography at NIST

This talk will present a perspective on the potential role of NIST in standardizing advanced cryptographic schemes and protocols. Traditionally, NIST has focused on “basic” primitives, such as block-ciphers (DES in 1977), hash functions (SHA-1 in 1994), signatures (DSA in 1997), and pair-wise key agreement, public-key encryption and DRBGs (in the 2000s), as well as some “basic” operation modes (e.g., of encryption). Following the revelations about Dual_EC_DRBG in 2013, the NIST cryptographic technology group (CTG) revised the process for developing cryptographic standards, formalizing important principles in NISTIR 7977, such as openness, transparency and integrity. The CTG has experience in driving successful open processes based on public contributions, as used to select the AES (2001) and SHA-3 (2015) standards. Ongoing endeavors include the standardization of lightweight cryptography and post-quantum cryptography primitives, respectively anticipating the Internet of things and quantum computers.

This talk will focus on challenges and opportunities related to two areas with developing potential for standardization: threshold cryptography, with a focus on threshold schemes for cryptographic primitives; and privacy-enhancing cryptography, which includes a plethora of techniques such as secure multiparty computation, zero-knowledge proofs and homomorphic encryption. Finding a proper approach for standardization in both these areas is especially challenging, due to the more complex nature of protocols, with multiple possibilities for interfaces, components, system models, and even security definitions. Overall, this talk also intends to constitute an invitation for stakeholders to engage with NIST in open and transparent processes towards standardization of advanced cryptography.

    • Kristin Lauter (Microsoft) ——a Community Effort

This talk will describe the formation and launch of this 2-year old community to standardize Homomorphic Encryption. There will be information on how to get involved and time for questions and discussion.

Coffee Break (10h30 - 11h)

Session 2 - ZKProof, FHE, IETF (11h - 12h45):

    • Ran Canetti (Boston University and Tel Aviv University) — Towards Standardizing Zero Knowledge.

I will overview the ZKProof standardization effort: Its main goals, the main challenges, the road taken so far and the road ahead. Specifically, I will describe the efforts to create a common language among the different constituents, to partition the problem space, and to make sure that both efficiency and security guarantees are expressible and realizable. I will then dive into the challenge of obtaining composable security while guaranteeing realistic efficiency for succinct non-interactive zero-knowledge, and discuss how such security can be used to inform the emerging standard.

    • Mariana Raykova (Google) — Advanced Cryptography on the Way to Practice.

This talk will overview recent developments in several areas of advanced cryptography such as secure multiparty computation, zero knowledge, differential privacy. We will focus on system implementations using these techniques and the efficiency they offer. We will try to give a perspective of how the practical efficiency of such tools has evolved over time and the major hurdles that are the focus of future work.

    • Riad S. Wahby (Stanford) — BLS signatures, hashing to curves, and more: dispatches from the IETF.

We discuss advanced cryptography standardization at the IETF. We start with an overview of the process of writing an RFC with the Crypto Forum Research Group, and then talk about lessons learned from our ongoing work on the BLS signatures and hash-to-curve standardization efforts.

Lunch (12h45 - 14h00)

Session 3 - Threshold Cryptography (14h00 - 15h30):

    • Samuel Ranellucci (Unbound) — Standardizing Threshold Cryptography.

Standardization of threshold cryptography has many questions that need to be answered. 1) What is the purpose of standardization? 2) How can standardization go wrong? 3) How should we build standards for threshold cryptography? 4) What should we standardize first?

I will discuss these questions. I will provide lessons about standardization from an expert in a field that has strict standards. I will talk about recent works on the (in)security of OT extension and discuss why OT extension should be one of the first things to be standardized. Finally, I will describe ways to write standards effectively based on my experience writing protocol specifications for software.

    • Karim Eldefrawy (SRI) — Computer-aided Verification and Software Synthesis for Secure Multi-Party Computation Protocols.

Secure Multi-Party Computation (MPC) enables n distrusting parties to jointly compute a function using private inputs. MPC guarantees correctness of computation and confidentiality of inputs if no more than a threshold t of the parties are corrupted. To the best of our knowledge there are currently no publicly available high-assurance implementations of formally verified and machine-checked MPC withstanding active adversaries. By high-assurance we mean automatically (and verifiably) synthesized from protocol specifications that were mechanically checked using an interactive theorem prover. The closest is the high-assurance secure two-party computation software based on garbled circuits (for semi-honest parties) by Almeida et. el. from ACM CCS’17.

This talk summarizes our recent progress in developing such high-assurance implementations of MPC. We formalize in EasyCrypt several abstract variations of secret sharing, then MPC protocols building on them. We implement and perform computer-checked security proofs of concrete instantiations of all required (abstract) protocols in EasyCrypt. We then implement the BGW protocol in the case of MPC and thus as a side contribution perform the first computer-aided verification and automated synthesis of this fundamental protocol. As part of this work we developed a new toolchain to extract high-assurance executable implementations of protocols specified and verified in EasyCrypt, that goes from EasyCrypt to WhyML and finally to OCaml. The performance overhead of our high-assurance executables compared to manually implemented versions using the Python-based Charm framework is (surprisingly) low. We argue that the small overhead of our high-assurance executables is a reasonable price to pay for the increased confidence about their correctness and security.

Coffee Break (15h30 - 16h00)

Session 4 - Panel & Further Discussion (16h00 - 17h30):

    • Panelists: Hugo Krawczyk (Algorand Foundation), Dahlia Malkhi (Calibra), Eran Tromer (Columbia & TAU), Luís Brandão (NIST), Tanja Lange (Eindhoven University of Technology)
    • Moderator: Daniel Benarroch (QEDIT)
    • Topics:
      • Why are standards important if adoption by companies is already here? If adoption is not there yet, is standardization the only way of bridging the gap between academia vs industry?
      • How to resolve the tension between adoption and continuous innovation in advanced cryptography?
      • Is it too early to standardize such (complex) protocols when we continue to disagree on how to access the security of their inner cryptographic primitives?
      • For large industries, is the overhead cost of malicious security justified when malicious behavior can lead to a breach of legal contract?
      • Working concurrently on many cryptographic standards at the same time, that use different techniques and security models, necessarily reduces the quantity (and perhaps quality) of the cryptanalyses against the candidate proposals. Should we really pursue all efforts simultaneously? What should we standardize first?
    • Discussion, Q&A, and Closing Remarks.