Last week, Crypto 2017 took place at UC Santa Barbara. There were more than 425 attendees for this year’s 4-day conference, with 72 papers being presented.

Monday morning was interrupted by a very special coffee break: the **ecliptic curve cryptography coffee break**, a.k.a. viewing the solar eclipse. General Chair Steve Myers had very conveniently ordered solar eclipse glasses for everyone (from a legitimate vendor!). The sky was cloudy during the coffee break, but the eclipse occasionally peeked through, and the skies cleared afterward for a clearer view of the eclipse.

Later that morning, John Martinis, a physicist from UCSB, gave an invited lecture on the prospects of a quantum factoring (and, presumably, discrete logarithm-ing) machine.

On Monday afternoon, Yehuda Lindell gave a talk on his paper **Fast Secure Two-Party ECDSA Signing**. Fast protocols exist for many factoring-, discrete logarithm-, and elliptic curve-based signature and public key encryption schemes. DSA and ECDSA are tricky because signing involves operations both additive and multiplicative operations using $k$ and $k^{-1}$, but in a threshold scheme this must be done without knowing $k$. Past work by MacKenzie and Reiter (Crypto 2001) and Gennaro, Goldfeder, and Narayanan (ACNS 2016) gives two-party protocols for computing ECDSA using multiplicative sharing of the signing key $x$ and ephemeral secret $k$ and then Paillier encryption to combine their equations. Proving honest behaviour ends up being quite expensive, unfortunately. Lindell showed how to improve performance by simplifying the shared tasks that one of the party participates in while still using Paillier homomorphic encryption. The key idea is that the second party, before releasing the signature, can check whether the first party behaved honestly simply by checking the final signature, which is publicly checkable efficient by definition of a digital signature scheme. The paper reports experimental results that show that two-party signing for ECDSA (with the NIST P-256 curve) can be run in approximately 37 milliseconds. The techniques also apply to DSA.

Tuesday featured the three **award papers**. Sam Kim and David J. Wu won the best student paper award for Watermarking Cryptographic Functionalities from Standard Lattice Assumptions. Best paper awards went to Nico Döttling and Sanjam Garg for Identity-Based Encryption from the Diffie-Hellman Assumption and Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov for The first collision for full SHA-1.

Döttling and Garg’s paper showed how to construct **identity-based encryption from the computational Diffie–Hellman problem** in any group, including elliptic curve groups. Previous results had shown it impossible to construct IBE in a black-box way from CDH, so this paper had to make non-black-box use of the underlying cryptographic primitives. While the scheme is polynomial-time, this non-black-box use ends up making the scheme quite inefficient. On Wednesday another paper expanded the set of assumptions from which one can construct identity-based encryption: Identity-based Encryption from Codes with Rank Metric.

Tuesday evening featured the annual **rump session**, including the program chair’s report, reminiscences, announcements, songs, joke talks, and, unfortunately, some serious talks too. Most poignant was the second talk, entitled “Forty years and still running”. **Jean-Jacques Quisquater** presented a list of cryptosystems still running after 40 years, including the DES/Triple-DES algorithm and the RSA cryptosystem. In fact, 2017 marks the 40th anniversary of the invention of RSA, and Quisquater had arranged a wonderful surprise: Ron Rivest, Adi Shamir, and Leonard Adleman were all present for the rump session, and they took the stage to commemorate this milestone.

Later in the rump session, Michael Naehrig, co-inventor of the Barreto–Naehrig (BN) family of elliptic curves, performed (via Youtube) his original song **The Sound of Quantum**.

On Wednesday, Cédric Fournet of Microsoft Research Cambridge gave the second invited talk on **Project Everest**, a massive multi-institution multi-year project to create a fully verified efficient implementation of the TLS protocol. One component of Everest is a verified implementation of Curve25519 in a language called HaCL*, which compiles down to verified C code. This invited lecture was a joint talk between Crypto 2017 and the 30th IEEE Computer Security Foundations Symposium (CSF), also taking place at UCSB last week.

The full proceedings of Crypto 2017 are available on SpringerLink:

Crypto 2018 will take place in August 2018 at—where else?—UC Santa Barbara.

— Douglas Stebila