NIST Threshold Cryptography Workshop 2019

Latest updates:

All visitors to the NIST campus must be pre-registered.  There is no onsite registration for meetings at NIST.

Join the conversation about this workshop using #NTCW2019.

A description of the keynotes and a list of accepted submissions is posted below.

Click here for a printable PDF version of the workshop schedule.

 

Schedule

All talks take place in the Green Auditorium in the Main Building (101) at the NIST campus in Gaithersburg, MD, USA

Badge pick-up (for on time and late arrivals) is done in front of the the Green auditorium — attendees need to pre-register to attend the conference.

Expected speakers are highlighted in bold.

Monday, March 11, 2019
8:00am--9:00am	Badge pick-up; light refreshments available.
Opening
9:00am--9:10am	NIST Computer Security Division welcoming Matthew Scholl (NIST, USA)
Session I.1: Threshold Schemes Chair: Rene Peralta (NIST, USA)
9:10am--9:25am	Enter the Threshold (The NIST Threshold Cryptography Workshop) Luís Brandão (NIST, USA)
9:25am--10:15am	Invited Keynote: Threshold Cryptography: Ready for Prime Time? Hugo Krawczyk (IBM Research, USA)
10:15am--10:40am	Platform for Robust Threshold Cryptography Christian Cachin (University of Bern, Switzerland), Hugo Krawczyk (IBM Research, USA), Tal Rabin (IBM Research, USA), Jason Resch (IBM, USA), Chrysoula Stathakopoulou (IBM research, Zurich, Switzerland)
10:40am--11:10am	Coffee break
Session I.2: NIST Standards  Chair: Andrew Regenscheid (NIST, USA)
11:10am--11:40am	The NIST Standardization Approach on Cryptography ─ Past, Present, and Future Lily Chen (NIST, USA)
11:40am--12:00pm	NIST Status Update on Elliptic Curves and Post-Quantum Crypto Dustin Moody (NIST, USA)
Session I.3: Threshold Post-Quantum Chair: Daniel Apon (NIST, USA)
12:00pm--12:25pm	Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme Michael Kraitsberg (Unbound Technology, Israel), Yehuda Lindell (Bar-Ilan University, Israel; Unbound Technology, Israel), Valery Osheter (Unbound Technology, Israel), Nigel P. Smart (KU Leuven, Belgium; University of Bristol, UK), Younes Talibi Alaoui (KU Leuven, Belgium)
12:25pm--1:45pm	Lunch
Session I.4: Threshold Signatures Chair: Daniel Apon (NIST, USA)
1:45pm--2:10pm	Fully Distributed Non-Interactive Adaptively-Secure Threshold Signature Scheme with Short Shares: Efficiency Considerations and Implementation Benoît Libert (CNRS and ENS de Lyon, France), Marc Joye (OneSpan, Belgium), Moti Yung (Google Inc. and Columbia University, USA), Fabrice Mouhartem (ENS de Lyon, France)
2:10pm--2:35pm	A Multiparty Computation Approach to Threshold ECDSA Jack Doerner (Northeastern University, USA), Yashvanth Kondi (Northeastern University, USA), Eysa Lee (Northeastern University, USA), abhi shelat (Northeastern University, USA)
Session I.5: Panel on Threshold for DSS  Chair: Hugo Krawczyk (IBM Research, USA)
2:35pm--3:35pm	Threshold Protocols for the Digital Signature Standard Moderator: Hugo Krawczyk (IBM Research, USA) Panelists: Rosario Gennaro (CUNY, USA), abhi shelat (Northeastern University, USA) Samuel Ranellucci (Unbound Tech, Israel)
3:35pm--4:05pm	Coffee break
Session I.6: Validation Chair: Michael Cooper (NIST, USA)
4:05pm--4:45pm	Quo Vadis, Crypto Validation? Apostol Vassilev (NIST, USA)
Session I.7: Discussion Chair: Michael Cooper (NIST, USA)
4:45pm--5:30pm	Open discussion Moderator: Nicky Mouha (NIST, USA)

 

 

Tuesday, March 12, 2019
8:00am--8:45am	Light refreshments available
Session II.1: Threshold Circuit Design    Chair: Meltem S. Turan (NIST, USA)
8:45am--9:10am	Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off Dušan Božilov (NXP Semiconductors, Belgium; COSIC KU Leuven and imec, Belgium), Miroslav Knežević (NXP Semiconductors, Belgium), Ventzislav Nikov (NXP Semiconductors, Belgium)
9:10am--9:35am	The pitfalls of threshold cryptography in hardware Marco Macchetti (Kudelski Group, Switzerland), Karine Villegas (Kudelski Group, Switzerland), Claudio Favi (Kudelski Group, Switzerland)
09:35am--10:00am	Threshold Cryptography against Combined Physical Attacks Lauren De Meyer (KU Leuven, Belgium)
10:00am--10:25am	VerMI: Verification Tool for Masked Implementations Victor Arribas (KU Leuven, imec-COSIC, Belgium), Svetla Nikova (KU Leuven, imec-COSIC, Belgium), Vincent Rijmen (KU Leuven, imec-COSIC, Belgium)
10:25am--10:55am	Coffee break
Session II.2: Panel on TIS Chair: Svetla Nikova and Vincent Rijmen (KU Leuven, Belgium)
10:55am--12:10am	Theory of Implementation Security Panel Moderators: Svetla Nikova (KU Leuven, Belgium) Vincent Rijmen (KU Leuven, Belgium) Panelists: Nigel Smart (KU Leuven, Belgium) Ventzislav Nikov (NXP Semiconductors, Belgium) Mike Hutter (Rambus, USA) Junfeng Fan (Open Security Research, China) Ruggero Susella (ST Microelectronics, Italy) Emmanuel Prouff (ANSSI, France)
12:10pm--1:30pm	Lunch
Session II.3: Other Threshold Primitives  Chair: John Kelsey (NIST, USA)
1:30pm--1:55pm	Efficient Leakage Resilient Secret Sharing Peihan Miao (UC Berkeley, USA), Akshayaram Srinivasan (UC Berkeley, USA), Prashant Nalini Vasudevan (UC Berkeley, USA)
1:55pm--2:20pm	DiSE: Distributed Symmetric-key Encryption Shashank Agrawal (Visa Research, USA), Payman Mohassel (Visa Research, USA), Pratyay Mukherjee (Visa Research, USA), Peter Rindal (Visa Research, USA)
Session II.4:  Threshold Cryptography Applications and Experience Chair: Michael Davidson (NIST, USA)
2:20am--3:10pm	Invited Keynote: Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context Andrew Poelstra (Blockstream, USA)
3:10pm-3:40pm	Coffee break
3:40pm--4:05pm	SplitKey Case Study Maximiliaan van de Poll (Cybernetica AS, Estonia), Aivo Kalu (Cybernetica AS, Estonia)
4:05pm--4:30pm	Practical Threshold Cryptography for Cloud and Cryptocurrencies Jakob Pagter (Sepior, Denmark)
4:30pm--4:55pm	Practice Based Recommendations for Standardization of Threshold Cryptography Daniel Shumow (Microsoft Research, USA)
Closing
4:55pm--5:15pm	Final remarks Moderator:  Luís Brandão (NIST, USA)

 

Keynote 1 (Monday, March 11)

Speaker: Hugo Krawczyk (IBM Research, USA)

Title: Threshold Cryptography: Ready for Prime Time?

Abstract: The trend in trust decentralization together with the ever increasing value of digital assets (cryptocurrencies, blockchains, mega data repositories, key (mis)management, intellectual property, privacy, etc.) and the need to protect these assets for secrecy and availability, make threshold cryptography a most relevant technology whose time has come. We need to see more targeted applications as well as software platforms on which to build solutions that take into account real-world considerations such as asynchronous networks, support for diversified architectures, hardware enclaves, and more. Additionally, we need to refresh the set of techniques supporting threshold cryptography with advances in areas such as multi-party computation, quantum-resistant primitives, and blockchain-inspired consensus protocols. In addition to arguing these points, the talk will discuss some recent applications of threshold cryptography in the domain of key and password management, blockchain, and how threshold cryptography can be relevant to the #metoo movement.

Bio: Hugo Krawczyk is an IBM Fellow and Distinguished Research Staff Member with the Cryptography Group at the IBM T.J. Watson Research Center whose interests span theoretical and applied aspects of cryptography. He has contributed to the cryptographic design of numerous Internet standards, particularly IPsec, IKE, and SSL/TLS, and is a co-inventor of the HMAC message authentication algorithm. His most recent work in this area includes designs for TLS 1.3, the next generation TLS, and HKDF, the emerging standard for key derivation adopted by TLS 1.3, Signal, WhatsApp, Facebook Messenger and more. He has contributed to multiple areas of cryptography including to the theory and practice of key exchange, threshold and proactive cryptosystems, password authentication, and search on encrypted data. He is a Fellow of the International Association of Cryptologic Research (IACR) and the recipient of the 2015 RSA Conference Award for Excellence in the Field of Mathematics, the 2018 Levchin Prize for Contributions to Real-World Cryptography, and of multiple IBM awards, including two corporate awards.

 

Keynote 2 (Tuesday, March 12)

Speaker: Andrew Poelstra (Blockstream, USA)

Title: Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context

Abstract: Bitcoin, started in 2009, is a digital currency in which all activity is publicly verifiable. Coins are controlled by spending policies expressed in Bitcoin Script, a simple stack-based programming language which supports hash preimage challenges and digital signatures. Included in Bitcoin Script is a basic form of threshold ECDSA signature: a list of public keys and a threshold is specified; the coins can then be moved if threshold-many valid ECDSA signatures are provided in sequence.

This threshold scheme is inefficient in terms of both signature size and verification time (both linear in the threshold size), which are the two most important considerations for cryptosystems designed for inclusion on blockchains. Being explicitly specified, they also represent a fungibility loss as threshold-controlled coins are visibly distinct from non-threshold-controlled coins. However, they achieve several practical goals which have proved difficult to preserve in more efficient threshold schemes: they are noninteractive; they require no persistent state during signing; they work in the plain public-key model and require no interactive key setup; their security follows immediately from the security of the underlying ECDSA scheme even when signing counterparties are considered to be adversarial.

In this talk we describe our work in developing a multisignature scheme for Bitcoin, called MuSig, which supports an extension to threshold signatures, over the last several years. We describe how consideration of both practical use cases and formal security models guided the evolution of our goals, and the unexpected tradeoffs that we found ourselves forced to make.

Bio: Andrew Poelstra is a Mathematician at Blockstream. He has dabbled in software development for the last twenty years, in open-source cryptography for ten. He became involved in Bitcoin in late 2011, and joined Blockstream cofounders Greg Maxwell and Pieter Wuille in developing the high-performance cryptography library libsecp256k1. His latest major project has been Mimble Wimble which is described as a blockchain design with no script support and blinded amounts. Like proverbial black holes, transaction outputs have no hair. This simplicity allows aggressive compaction and aggregation, resulting in a blockchain with much better scalability than any other design to date. He has a Bachelor of Science in Mathematics from Simon Fraser University. While completing his Masters of Arts at the University of Texas at Austin, he wrote and co-wrote several papers about Bitcoin, practical cryptography and mathematics.

 

Accepted panels:

• Threshold Protocols for the Digital Signature Standard. Organizer: Rosario Gennaro. Panelists: Rosario Gennaro¹, abhi shelat², Samuel Ranellucci³, Hugo Krawczyk⁴ (moderator). (¹ CUNY, USA; ² Northeastern University, USA; ³ Unbound Tech, Israel; ⁴ IBM Research, USA)
• Theory of Implementation Security Panel. Organizers: Organizers: Svetla Nikova¹, Vincent Rijmen¹. Panelists: Nigel Smart¹, Ventzislav Nikov², Mike Hutter³, Junfeng Fan⁴, Ruggero Susella⁵, Emmanuel Prouff⁶. (¹ KU Leuven, Belgium; ² NXP Semiconductors; ³ Rambus, USA; ⁴ Open Security Research; ⁵ ST Microelectronics; ⁶ ANSSI, France)

 

Accepted papers:

• Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme. Michael Kraitsberg³, Yehuda Lindell^1,3, Valery Osheter³, Nigel P. Smart^2,4, Younes Talibi Alaoui². (¹ Bar-Ilan University, Israel; ² KU Leuven, Belgium; ³ Unbound Technology, Israel; ⁴ University of Bristol, UK)
• Fully Distributed Non-Interactive Adaptively-Secure Threshold Signature Scheme with Short Shares: Efficiency Considerations and Implementation. Benoît Libert^1,2, Marc Joye³, Moti Yung⁴, Fabrice Mouhartem². (¹ CNRS, France; ² ENS de Lyon, France; ³ OneSpan, Belgium; ⁴ Google Inc. and Columbia University, USA)
• A Multiparty Computation Approach to Threshold ECDSA. Jack Doerner, Yashvanth Kondi, Eysa Lee, abhi shelat. (Northeastern University, USA)
• Efficient Leakage Resilient Secret Sharing. Peihan Miao, Akshayaram Srinivasan, Prashant Nalini Vasudevan. (UC Berkeley, USA)
• DiSE: Distributed Symmetric-key Encryption. Shashank Agrawal, Payman Mohassel, Pratyay Mukherjee, Peter Rindal. (Visa Research, USA)

 

Presentation proposals:

• Platform for Robust Threshold Cryptography. Christian Cachin¹, Hugo Krawczyk², Tal Rabin², Jason Resch³, Chrysoula Stathakopoulou⁴. (¹ University of Bern, Switzerland; ² IBM Research, USA; 3 IBM, USA; ⁴ IBM research, Zurich, Switzerland)
• Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off. Dušan Božilov^1,2, Miroslav Knežević¹, Ventzislav Nikov¹. (¹ NXP Semiconductors, Belgium; ² COSIC KU Leuven and imec, Belgium)
• The pitfalls of threshold cryptography in hardware. Marco Macchetti, Karine Villegas, Claudio Favi. (Kudelski Group, Switzerland)
• Threshold Cryptography against Combined Physical Attacks. Lauren De Meyer (KU Leuven, Belgium)
• VerMI: Verification Tool for Masked Implementations. Victor Arribas, Svetla Nikova, Vincent Rijmen. (KU Leuven, imec-COSIC, Belgium)
• SplitKey Case Study. Maximiliaan van de Poll, Aivo Kalu. (Cybernetica AS, Estonia)
• Practical Threshold Cryptography for Cloud and Cryptocurrencies. Jakob Pagter. (Sepior, Denmark)
• Practice Based Recommendations for Standardization of Threshold Cryptography. Daniel Shumow. (Microsoft Research, USA)

 

NIST presentations

• NIST Computer Security Division welcoming. Matthew Scholl
• Enter the Threshold (The NIST Threshold Cryptography Workshop). Luís Brandão
• The NIST Standardization Approach on Cryptography ─ Past, Present, and Future. Lily Chen
• NIST Status Update on Elliptic Curves and Post-Quantum Crypto. Dustin Moody
• Quo Vadis, Crypto Validation? Apostol Vassilev
• Open discussion. Nicky Mouha

 

Organization (NIST Computer Security Division)

• Co-chairs and program committee: Luís Brandão, Nicky Mouha, Apostol Vassilev
• Administrative organization: Sara Kermans, Pauline Truong, Mary Lou Norris
• (Non-panel) Session Chairs: Rene Peralta, Andrew Regenscheid, Daniel Apon, Michael Cooper, Meltem Sönmez Turan, John Kelsey, Michael Davidson

 

Call for submissions

NIST is interested in promoting the security of implementations of cryptographic primitives. This security depends not only on the theoretical properties of the primitives but also on the ability to withstand attacks on their implementations. It is thus important to mitigate breakdowns that result from differences between ideal and real implementations of cryptographic algorithms.

Threshold schemes for cryptographic primitives have the potential to strengthen the secrecy of cryptographic keys, as well as to enhance integrity and availability of the implemented primitives, including providing resistance against side-channel and fault attacks.

NIST seeks to discuss aspects of threshold cryptography (used as an umbrella term) in a wide range of application environments and the potential future standardization of threshold schemes for cryptographic primitives. Therefore, NIST is soliciting papers, presentations, panel proposals, and participation from any interested parties. NIST will post the accepted papers and presentations on the workshop website; however, no formal workshop proceedings will be published.

Topics include, but are not limited to:

• Security criteria, resource requirements and characteristics of real-world applications of threshold cryptographic systems

• Threshold techniques, including techniques related to secure multi-party computation and intrusion-tolerant distributed systems, both in hardware and software

• Case studies of deployed threshold systems

• Evaluation of security, reliability, threats and attacks in threshold cryptography

• Design, analysis and implementation of threshold schemes for cryptographic primitives

• Challenges in testing and validation of threshold cryptographic systems

• Benchmarking of threshold schemes in hardware and software

• Countermeasures against side-channel and fault attacks using threshold approaches

• Threshold cryptography for blockchain, cloud computing, hardware security modules (HSMs), and the Internet of Things (IoT)

---

Important dates

Submission deadline: December 17, 2018

Notification deadline: (Tentative) February 08, 2019 (previous January 15 deadline was postponed due to Government Shutdown)

Registration deadline: February 18, 2019 Extended to March 04, 2019 and is now closed. 

Workshop: March 11-12, 2019

---

How to submit

Submissions must be provided electronically in PDF format. Paper submissions should not exceed 15 pages. Proposals for presentations or panels should be no longer than 5 pages; panel proposals should identify possible panelists and an indication of which panelists have confirmed their participation.

Please submit to ntcw2019 [at] nist.gov (ntcw2019[at]nist[dot]gov):

• Contact details of the authors

• The paper, presentation or panel proposal in PDF format as an attachment.

Click here for a PDF of this call for submissions.