This is a summit inspired by the OTRv4 summit held last year. It is a summit where people from different places (academia, industry, open source implementations, and legal perspectives) talk about the latest problems and advancements on the secure messaging sphere.
This form takes inspiration from the pl-hci-school-2020 organized by Sarah Chasins, Elena Glassman, Shriram Krishnamurthi and Hila Peleg, and by the Fourteenth Algorithmic Number Theory Symposium, ANTS-XIV organized by Steven Galbraith.
The event will be entirely virtual.
The summit will run over two days, on the first week of September: the 3rd and 4th of September. It’ll end up being centered around times convenient to the morning in the Americas, the afternoon in Europe and Africa, and the evening in Western Asia. We are very sorry with the people from Central, East, South, Southeast, North Asia and the Australian continent. The next edition will prioritize the times for those places.
The times, therefore, are:
After each session, there will be a time for socializing, if wanted.
The schedule for the 3rd will be (the times are on EDT and CEST):
|EDT Time||CEST Time||Talks|
|8:45 - 9:00||14:45 - 15:00||Welcome!: Introduction and guidelines|
|9:00 - 9:45||15:00 - 15:45||‘The Simulation Paradigm and Deniable Communications’ by Rosario Gennaro|
|9:45 - 10:30||15:45 - 16:30||‘Resolving Concurrency in Group Ratcheting Protocols’ by Paul Rösler|
|10:30 - 11:15||16:30 - 17:15||‘Messaging Layer Security (MLS)’ by Raphael Robert|
|11:15 - 12:00||17:15 - 18:00||‘Mobile Private Contact Discovery’ by Daniel Kales|
|12:00 - 12:45||18:00 - 18:45||‘How to Avoid Invisible Salamanders: Cryptographic Tools for Moderation in Encrypted Messaging’ by Thomas Ristenpart|
|12:45 - 13:30||18:45 - 19:30||‘What user studies tell us about secure messaging?’ by Nikolas Unger|
|13:30 - 14:15~||19:30 - 20:15~||Socializing time|
The schedule for the 4th will be (the times are on EDT and CEST):
|EDT Time||CEST Time||Activities|
|11:00 - 11:30||17:00 - 17:30||Welcome!: Introduction and guidelines|
|11:30 - 12:20||17:30 - 18:20||Initial statement by panelists|
|12:20 - 13:10||18:20 - 19:10||Open discussion|
|13:10 - 13:30||19:10 - 19:30||Open discussion with audience|
|13:30 - 14:30~||19:30 - 20:30~||Socializing time|
The list of confirmed speakers for the 3rd are:
Rosario Gennaro, from the City College of New York, with the talk:
The Simulation Paradigm and Deniable Communications
In this talk, Gennaro will survey the area of Deniable Communication and the use of the Simulation Paradigm to define and prove what deniability is. He will discuss the fundamental differences between zero-knowledge and deniability simulations, and then focus on the specific application of deniable authentication and key-exchange. He will conclude by presenting recent work that analyzes the deniability of widely used messaging protocols, such as Signal.
Nikolas Unger, from the University of Waterloo, with the talk:
What user studies tell us about secure messaging?
Are people concerned about mass surveillance? How do users perceive end-to-end encryption and people who use it? Did the Snowden revelations alter user perceptions of encryption? What security properties are important to users? What security properties do they erroneously expect? How do these concerns vary among sub-populations? Should we show ciphertext to users? What threat actors are users concerned about? How do we visually communicate security? What metaphors should we use for security and privacy? Does secure messaging make messaging secure? Why is everyone using Zoom and Telegram? How do people perceive SMS and landline calls? What happened to PGP? Is adoption of secure messaging limited by poor usability? How should we design trust establishment ceremonies? Are trust establishment ceremonies even important? Are the values of users and developers aligned?
In the past 25 years, user studies have investigated the answers to these questions and more. This talk surveys the most notable results from user studies in the academic literature with respect to questions about the usability and deployability of secure messaging technology. These results do not tell the whole story, but they do provide useful insights for protocol designers and software developers.
This talk will not be recorded.
Paul Rösler, from the Ruhr University Bochum, with the talk:
Resolving Concurrency in Group Ratcheting Protocols
Post-Compromise Security, or PCS, refers to the ability of a given protocol
to recover—by means of normal protocol operations—from the exposure of local
states of its (otherwise honest) participants. Reaching PCS in group messaging
protocols so far either bases on
n parallel two-party messaging protocol
executions between all pairs of group members in a group of
n users (like in
the Signal client), or on tree based group ratcheting protocols (e.g.,
developed in the context of the IETF Message Layer Security initiative). Both
approaches have great restrictions: parallel pairwise executions induce for
each state update a communication overhead of
O(n). While tree based
protocols reduce this overhead to
O(log n), they cannot handle concurrent
state updates. For resolving such inevitably occurring concurrent updates,
these protocols delay reaching PCS up to
n communication time slots
(potentially more in asynchronous settings such as messaging). Furthermore,
a consensus mechanism (such as a central server) is needed in practice.
In this talk, based on a joint work with Alexander Bienstock and Yevgeniy
Dodis, the speaker will discuss the trade-off between PCS, concurrency, and
communication overhead in the context of group ratcheting. In particular, he
will explain why state updates, concurrently initiated by
t group members
for reaching PCS immediately induce a communication overhead of
message. He will show a new group ratcheting construction that resolves the
aforementioned restriction of concurrency but reaches a communication overhead
O(t + t\*log(n/t)), which smoothly increases from
O(log n) with no
O(n) with unbounded concurrency. Thus, we present a protocol
in which each group member can (nearly) immediately recover from exposures
independent of concurrency in the group with almost minimal communication
overhead. We believe that this result is of interest for the IETF Message
Layer Security (MLS) standardization effort; but more general and more
importantly for distributed messaging environments where concurrency is
This talk will be recorded.
Daniel Kales, from the Technical University of Graz, with the talk:
Mobile Private Contact Discovery
Mobile Contact Discovery is a process executed by messaging applications to find contacts from a user’s local address book that are also using the messaging service. Naive solutions can pose problems for the privacy of the user’s contacts, especially, those not actually using the messaging service themselves. This talk will cover the basics of Mobile Contact Discovery and explore different variants of a cryptographic solution (Private Set Intersection) to this problem. We discuss some of the problems (performance-related and others) of using such protocols as a solution for Mobile Contact Discovery, in large-scale messaging services with potentially hundreds of millions of users.
This talk will be recorded.
Thomas Ristenpart from Cornell Tech
How to Avoid Invisible Salamanders: Cryptographic Tools for Moderation in Encrypted Messaging
Encrypted messaging provides strong confidentiality guarantees for user communications by ensuring that even service providers learn nothing about message contents. But this end-to-end guarantee complicates service providers’ goal of mitigating abuse, such as harassment of one user by another. In this talk, he will describe their work on understanding what cryptographic tools we need to enable secure, effective reporting of abusive content by users of encrypted messaging services. He will cover: Facebook’s message franking approach and vulnerabilities they discovered in it; new requirements for, and designs of, symmetric encryption to support applications like message franking; asymmetric message franking to allow user-driven abuse reporting when messaging is anonymous; and message traceback to identify the source of forwarded abusive messages.
This talk will cover joint work with Yevgeniy Dodis, Paul Grubbs, Julia Len, Jiahui Lu, Ian Miers, Nirvan Tyagi, and Joanne Woodage.
This talk will be recorded.
Raphael Robert from Wire
Messaging Layer Security (MLS)
MLS is a security layer for encrypting messages in groups of size two to many. It is being built by the IETF MLS working group and designed to be efficient, practical and secure.
This talk will give a short introduction to the subject and highlight the following subjects:
This talk will be recorded.
The topics that they will present vary from deniability, message franking, group messaging, mobile private contact discovery, and concurrent ratcheting.
The list of confirmed participants on the panel for the 4th are:
The topics the panel will touch upon are: The ‘EARN IT’ bill, the increase of surveillance with covid-19 pandemic over messaging applications, the monopoly of companies creating messaging applications, the Hong Kong security law, and more. We will explore the challenges, threats and advantages that secure messaging faces on different regions of the world (Hong Kong, Tibet, Latin America and US) from a legal, political and even sociological perspective.
The panel will be recorded.
There are many great people in this area, and we’re sorry we can’t invite all of them. If this goes well, hopefully we’ll have more of them in the future!
The talks and panel might be recorded prior consent from the speakers.
We have no idea how much demand there will be. We will provide a registration form starting from August.
Registration will open on the 10th of August and end on the 30 of August. Times for opening and closing registration will be on UTC-5.
We require that every participant represent themselves by the name that they use for their professional work (this can be a pseudonym that they generally use for their professional work). No participant can impersonate another person.
On the Internet, signing up is cheap. Showing up is hard. Check your calendar to make sure you’re free, and block off the dates: commit to participating before you sign up. Do not sign up until you’ve blocked out the dates in your calendar.
Nevertheless, we understand that things can change. If you have signed up but won’t be participating, let us know.
To be provided on the 10th of August at 7:00 UTC-5. It will close on the 30 of August at 23:00 UTC-5.
Note that you have to provide a valid email address at registration, as subsequent communications regarding the event will be sent to that address.
There are two ways of registering:
firstname.lastname@example.org, with the following information (
You can send encrypted emails for registration and subsequent communications by
using PGP. The public key of
email@example.com can be found
The fingerprint is:
8D6F D710 7F9A 2EC7 9634 4A8D C83B FA0F BDDA 279F.
If you send encrypted emails, first please either send your public key or
upload it in a server where it can be publicly found.
This isn’t a place for people to be exclusionary or for harassment. This event has a code of conduct and we’ll use the SNAPL Friendly Environment Policy.
This is nicely sponsored by NLnet.
You can be another sponsor if you like! ;)