Slides 2.3: Finish! + move the PQ stuff to Topic 2.7

slides/2-3.tex

@@ -16,12 +16,6 @@
 	\titlepage
 \end{frame}
 
-\begin{frame}{Slides not complete and may contain errors}
-	\begin{itemize}
-		\item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
-	\end{itemize}
-\end{frame}
-
 \section{The Dark Ages}
 
 \begin{frame}{The Dark Ages}
@@ -1797,7 +1791,7 @@
 	\end{alertblock}
 \end{frame}
 
-\section{Group Secure Messaging (WORK IN PROGRESS)}
+\section{Group Secure Messaging}
 
 \begin{frame}{The Group Messaging Problem}
 	\begin{columns}[c]
@@ -1929,33 +1923,127 @@
 	\end{columns}
 \end{frame}
 
-\begin{frame}{TreeKEM}
-	\bigimagewithcaption{treekem.pdf}{Source: Joy of Cryptography}
+\begin{frame}{Quick note: HPKE}
+	\begin{columns}[c]
+		\begin{column}{0.5\textwidth}
+			\textbf{Hybrid Public Key Encryption (RFC 9180)\footnote{\url{https://www.rfc-editor.org/rfc/rfc9180.html}}}
+			\begin{itemize}
+				\item Combines asymmetric + symmetric crypto
+				\item Encrypts to public key, no interaction needed
+				\item Used in TLS 1.3, MLS, and more
+			\end{itemize}
+			\textbf{Two-step process:}
+			\begin{enumerate}
+				\item \textbf{Encapsulation}: Generate shared secret
+				\item \textbf{Seal}: Encrypt data with that secret
+			\end{enumerate}
+		\end{column}
+		\begin{column}{0.5\textwidth}
+			\textbf{Simple Example:}
+			\begin{exampleblock}{Sender (Alice)}
+				\ttfamily\scriptsize
+				// Bob's public key: pk\_bob\\
+				(enc, ctx) = HPKE.Setup(pk\_bob)\\
+				ciphertext = ctx.Seal("Hello Bob!")\\
+				// Send: (enc, ciphertext)
+			\end{exampleblock}
+			\begin{exampleblock}{Receiver (Bob)}
+				\ttfamily\scriptsize
+				// Bob's private key: sk\_bob\\
+				ctx = HPKE.Setup(enc, sk\_bob)\\
+				plaintext = ctx.Open(ciphertext)\\
+				// plaintext = "Hello Bob!"
+			\end{exampleblock}
+			\textbf{Key benefit:} One-shot encryption without prior key exchange!
+		\end{column}
+	\end{columns}
+\end{frame}
+
+\begin{frame}{TreeKEM: use a tree to manage group AKE}
+	\begin{columns}[c]
+		\begin{column}{0.5\textwidth}
+			\textbf{Tree of Subgroups:}
+			\begin{itemize}
+				\item Each node = subgroup with secret (e.g., $s_{abc}$)
+				\item Corresponding public key (e.g., $\texttt{pk}_{abc}$)
+				\item Example: $s_{abcde}$ is the group key
+			\end{itemize}
+			\textbf{Member Knowledge:}
+			\begin{itemize}
+				\item Member $b$ knows: $s_{ab}$, $s_{abc}$, $s_{abcde}$
+				\item Only secrets on path to root
+				\item Cannot compute sibling secrets
+			\end{itemize}
+		\end{column}
+		\begin{column}{0.5\textwidth}
+			\textbf{Updating Keys (Commit):}
+			\begin{itemize}
+				\item Member $b$ updates its path:
+				      \begin{itemize}
+					      \item $s_{ab} \rightarrow s'_{ab}$
+					      \item $s_{abc} \rightarrow s'_{abc}$
+					      \item $s_{abcde} \rightarrow s'_{abcde}$
+				      \end{itemize}
+				\item Encrypt to siblings:
+				      \begin{itemize}
+					      \item $\func{hpke}{\texttt{pk}_c, s'_{abc}}$
+					      \item $\func{hpke}{\texttt{pk}_{de}, s'_{abcde}}$
+				      \end{itemize}
+			\end{itemize}
+			\begin{alertblock}{Efficiency Win}
+				For $n$ members: Only $\log(n)$ encryptions!\\
+				Example: 8 members = 3 encryptions
+			\end{alertblock}
+		\end{column}
+	\end{columns}
 \end{frame}
 
 \begin{frame}{TreeKEM}
-	\bigimagewithcaption{treekem_update_1.pdf}{Source: Joy of Cryptography}
+	\bigimagewithcaption{treekem_a.png}{Source: Théophile Wallez}
 \end{frame}
 
 \begin{frame}{TreeKEM}
-	\bigimagewithcaption{treekem_update_2.pdf}{Source: Joy of Cryptography}
+	\bigimagewithcaption{treekem_b.png}{Source: Théophile Wallez}
 \end{frame}
 
-\begin{frame}{TreeKEM}
-	\bigimagewithcaption{treekem_update_3.pdf}{Source: Joy of Cryptography}
-\end{frame}
-
-% MLS critique
-
-\section{Post-Quantum Secure Messaging}
-% PQ3
-% PQX3DH
-% https://github.com/signalapp/SparsePostQuantumRatchet/
-
-\begin{frame}{Slides not complete and may contain errors}
-	\begin{itemize}
-		\item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
-	\end{itemize}
+\begin{frame}{MLS: reality check}
+	\begin{columns}[c]
+		\begin{column}{0.5\textwidth}
+			\textbf{The Complexity Problem:}
+			\begin{itemize}
+				\item \textbf{Massive specification}: RFC 9420 is 132 pages!
+				\item \textbf{Implementation nightmare}:
+				      \begin{itemize}
+					      \item Multiple tree operations
+					      \item Complex state management
+					      \item Intricate error handling
+				      \end{itemize}
+				\item \textbf{Correctness is hard}:
+				      \begin{itemize}
+					      \item Easy to get wrong
+					      \item Subtle security bugs
+					      \item Few complete implementations
+				      \end{itemize}
+			\end{itemize}
+		\end{column}
+		\begin{column}{0.5\textwidth}
+			\textbf{Developer Hostility:}
+			\begin{itemize}
+				\item \textbf{No standard API}:
+				      \begin{itemize}
+					      \item Each implementation different
+					      \item No drop-in replacement
+					      \item Steep learning curve
+				      \end{itemize}
+				\item \textbf{Infrastructure requirements}:
+				      \begin{itemize}
+					      \item Need custom delivery service
+					      \item Complex server-side logic
+					      \item State synchronization issues
+				      \end{itemize}
+			\end{itemize}
+		\end{column}
+	\end{columns}
 \end{frame}
 
 \begin{frame}[plain]

slides/2-7.tex

@@ -22,6 +22,23 @@
 	\end{itemize}
 \end{frame}
 
+\section{Post-Quantum Secure Messaging}
+% PQ3
+\begin{frame}{Apple iMessage: PQ3}
+	\bigimagewithcaption{pq3_apple.png}{Source: Apple Security Engineering and Architecture (SEAR)}
+\end{frame}
+
+\begin{frame}{Signal: PQXDH}
+\end{frame}
+
+% https://github.com/signalapp/SparsePostQuantumRatchet/
+
+\begin{frame}{Slides not complete and may contain errors}
+	\begin{itemize}
+		\item This slide deck is not finished, may contain errors, and is missing important material. Do not rely on it yet.
+	\end{itemize}
+\end{frame}
+
 \begin{frame}[plain]
 	\titlepage
 \end{frame}

website/index.html

@@ -210,6 +210,7 @@
 							<li><i class="icon ph-duotone ph-scroll"></i>Ange Albertini, Thai Duong, Shay Gueron, Stefan K&#xF6;lbl, Atul Luykx, and Sophie Schmieg, <a href="papers/#key-commitment"><em>How to Abuse and Fix Authenticated Encryption Without Key Commitment</em></a>, USENIX Security Symposium, 2022.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Michael Luby and Charles Rackoff, <a href="papers/#luby-rackoff"><em>How To Construct Pseudorandom Permutations From Pseudorandom Functions</em></a>, Society for Industrial and Applied Mathematics, 1988.</li>
 							<li><i class="icon ph-duotone ph-arrow-square-out"></i>Nick Sullivan, <a href="https://blog.cloudflare.com/killing-rc4-the-long-goodbye/"><em>Killing RC4: The Long Goodbye</em></a>, Cloudflare Blog, 2014.</li>
+							<li><i class="icon ph-duotone ph-arrow-square-out"></i>Apple Security Engineering and Architecture (SEAR), <a href="https://security.apple.com/blog/imessage-pq3/"><em>iMessage with PQ3: The new state of the art in quantum-secure messaging at scale</em></a>, Apple Security Research, 2024.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin and Paul Zimmermann, <a href="papers/#imperfect-dh"><em>Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice</em></a>, ACM CCS, 2015.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Cas Cremers, Niklas Medinger and Aurora Naska, <a href="papers/#pcs-impossibility"><em>Impossibility Results for Post-Compromise Security in Real-World Communication Systems</em></a>, IEEE Symposium on Security and Privacy, 2025.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Chris Alexander and Ian Goldberg, <a href="papers/#otr-auth"><em>Improved User Authentication in Off-The-Record Messaging</em></a>, Workshop on Privacy in the Electronic Society, 2007.</li>
@@ -225,6 +226,7 @@
 							<li><i class="icon ph-duotone ph-scroll"></i>Cas Cremers and Dennis Jackson, <a href="papers/#prime-order"><em>Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman</em></a>, IEEE CSF, 2019.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Project Everest Team, <a href="papers/#everest-perspectives"><em>Project Everest: Perspectives from Developing Industrial-Grade High-Assurance Software</em></a>, Microsoft Research, 2025.</li>
 							<li><i class="icon ph-duotone ph-arrow-square-out"></i>Matthew McPherrin, <a href="https://letsencrypt.org/2025/06/11/reflections-on-a-year-of-sunlight/"><em>Reflections on a Year of Sunlight</em></a>, Let's Encrypt Blog, 2025.</li>
+							<li><i class="icon ph-duotone ph-arrow-square-out"></i>Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp and Christopher Wood, <a href="https://www.rfc-editor.org/rfc/rfc9180.html"><em>RFC 9810: Hybrid Public Key Encryption</em></a>, RFC Editor, 2022.</li>
 							<li><i class="icon ph-duotone ph-arrow-square-out"></i>Daniel J. Bernstein and Tanja Lange, <a href="https://safecurves.cr.yp.to"><em>SafeCurves: choosing safe curves for elliptic-curve cryptography</em></a>, SafeCurves, 2017.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin and Stefano Tessaro, <a href="papers/#scrypt-memory"><em>Scrypt Is Maximally Memory-Hard</em></a>, IACR Eurocrypt, 2017.</li>
 							<li><i class="icon ph-duotone ph-scroll"></i>Hugo Krawczyk, <a href="papers/#sigma-ake"><em>SIGMA: the 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols</em></a>, IACR Crypto, 2003.</li>
@@ -525,10 +527,8 @@
 								<li><i class="icon ph-duotone ph-scroll"></i>Martin R. Albrecht, Benjamin Dowling and Daniel Jones, <a href="papers/#whatsapp-groups"><em>Formal Analysis of Multi-Device Group Messaging in WhatsApp</em></a>, IACR Eurocrypt, 2025.</li>
 								<li><i class="icon ph-duotone ph-scroll"></i>Paul Rösler, Christian Mainka and Jörg Schwenk, <a href="papers/#group-chats"><em>More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema</em></a>, IEEE European Symposium on Security and Privacy, 2018.</li>
 								<li><i class="icon ph-duotone ph-scroll"></i>David Balbás, Daniel Collins and Phillip Gajland, <a href="papers/#sender-keys"><em>WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs</em></a>, IACR Asiacrypt, 2023.</li>
-								<li><i class="icon ph-duotone ph-scroll"></i>Felix Linker, Ralf Sasse and David Basin, <a href="papers/#pq3-analysis"><em>A Formal Analysis of Apple’s iMessage PQ3 Protocol</em></a>, USENIX Security Symposium, 2025.</li>
+								<li><i class="icon ph-duotone ph-arrow-square-out"></i>Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp and Christopher Wood, <a href="https://www.rfc-editor.org/rfc/rfc9180.html"><em>RFC 9810: Hybrid Public Key Encryption</em></a>, RFC Editor, 2022.</li>
 								<li><i class="icon ph-duotone ph-scroll"></i>Théophile Wallez, <a href="papers/#wallez-thesis"><em>A Verification Framework for Secure Group Messaging</em></a>, PSL Université Paris, 2025.</li>
-								<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, <a href="papers/#pqxdh-analysis"><em>Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging</em></a>, USENIX Security Symposium, 2024.</li>
-								<li><i class="icon ph-duotone ph-scroll"></i>Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, <a href="papers/#triple-ratchet"><em>Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol</em></a>, IACR Eurocrypt, 2025.</li>
 							</ul>
 						</div>
 					</div>
@@ -594,6 +594,10 @@
 							<h5><i class="icon ph-duotone ph-file-plus"></i>Optional Readings</h5>
 							<ul>
 								<li><i class="icon ph-duotone ph-scroll"></i>Manuel Barbosa, Deirdre Connolly, João Diogo Duarte, Aaron Kaiser, Peter Schwabe, Karolin Varner and Baas Westerban, <a href="papers/#xwing-hybrid"><em>X-Wing: The Hybrid KEM You’ve Been Looking For</em></a>, IACR Communications in Cryptology, 2024.</li>
+								<li><i class="icon ph-duotone ph-arrow-square-out"></i>Apple Security Engineering and Architecture (SEAR), <a href="https://security.apple.com/blog/imessage-pq3/"><em>iMessage with PQ3: The new state of the art in quantum-secure messaging at scale</em></a>, Apple Security Research, 2024.</li>
+								<li><i class="icon ph-duotone ph-scroll"></i>Felix Linker, Ralf Sasse and David Basin, <a href="papers/#pq3-analysis"><em>A Formal Analysis of Apple’s iMessage PQ3 Protocol</em></a>, USENIX Security Symposium, 2025.</li>
+								<li><i class="icon ph-duotone ph-scroll"></i>Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer and Rolfe Schmidt, <a href="papers/#pqxdh-analysis"><em>Formal Verification of the PQXDH Post-Quantum Key Agreement Protocol for End-to-End Secure Messaging</em></a>, USENIX Security Symposium, 2024.</li>
+								<li><i class="icon ph-duotone ph-scroll"></i>Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest and Rolfe Schmidt, <a href="papers/#triple-ratchet"><em>Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol</em></a>, IACR Eurocrypt, 2025.</li>
 							</ul>
 						</div>
 					</div>