Tanja Lange

Software bugs and timing leaks have destroyed the security of every Chromebook ECDSA "built-in security key" before June 2019, ECDSA keys from several popular crypto libraries, the Dilithium post-quantum software, the Falcon post-quantum software, and more. Will we ever have trustworthy implementations of the cryptographic tools at the heart of our security systems?

Standard testing and fuzzing catch many bugs, but they don't catch all bugs. Masochists try to formally prove that crypto software does its job. Sadists try to convince you to do your own proof work and to let them watch. After years of pain, a team of fifteen authors has now proudly announced a verified crypto library: fast but unportable implementations of a few cryptographic functions specifically for CPUs that aren't in your smartphone. This is progress, but the progress needs to accelerate. This talk will highlight a way to exploit the power of modern reverse-engineering tools to much more easily verify crypto software. This relies on the software being constant-time software, but we want constant-time software anyway so that we can guarantee security against timing attacks. Constant-time software is also surprisingly fast when cryptosystems are selected carefully. This talk is meant as an introduction for a general audience, giving self-contained answers to the following questions: What are timing attacks? What is constant-time software? What are some examples of constant-time crypto? How can we be sure that code is constant-time? What do these reverse-engineering tools do? How does constant-time code help these tools? How do we get from reverse engineering to guaranteeing correctness? The talk will be given as a joint presentation by Daniel J. Bernstein and Tanja Lange.

Other people: djb

The world is finally catching on to the urgency of deploying post-quantum cryptography: cryptography designed to survive attacks by quantum computers. NIST's post-quantum competition is in full swing, and network protocols are exploring post-quantum extensions. This talk will take the audience on a journey through selected recent highlights from the post-quantum world.

Post-quantum cryptography has become one of the most active areas in cryptography, trying to address important questions from potential users. Is post-quantum cryptography secure? In the first ten months of this year we have seen several serious breaks of submissions to the NIST competition. At this point, out of the original 69 submissions, 13 are broken and 8 are partially broken. Are the remaining 48 submissions all secure? Or is this competition a denial-of-service attack against the cryptanalysis community? NIST will select fewer candidates for the 2nd round, but it is not clear whether there is an adequate basis for judging security. Does post-quantum cryptography provide the functionality we expect from cryptography? For example, the original Diffie-Hellman system provides not just encryption but also more advanced features such as non-interactive key exchange (not provided by any NIST submissions) and blinding. The era of post-NIST post-quantum cryptography has begun with the exciting new CSIDH proposal, which has non-interactive key exchange and is smaller than any NIST submission, but uses more CPU time and needs much more study. Is post-quantum cryptography small enough? Even for network protocols that rely purely on encryption, integration remains a major problem because of the bandwidth requirements of most post-quantum systems, especially the post-quantum systems with the strongest security track records. Experiments with integration of post-quantum cryptography into TLS have focused on encryption without post-quantum authentication. A new generation of network protocols has been designed from the ground up for full post-quantum security. Is post-quantum cryptographic software fast enough, and is it safe to use? Adding post-quantum cryptography to the cryptographic software ecosystem has produced a giant step backwards in software quality. Major areas of current activity include software speedups, benchmarking, bug fixes, formal verification, patent avoidance, and development of post-quantum software libraries such as Open Quantum Safe and libpqcrypto. The talk will be given as a joint presentation by Daniel J. Bernstein and Tanja Lange.

Other people: djb

Lattices are an extremely useful mathematical tool for cryptography. This talk will explain the basics of lattices in cryptography and cryptanalysis.

It’s an exciting time for public-key cryptography. With the threat of practical quantum computers looming in the next few decades, it’s high time to replace the systems that can be broken by a quantum computer with ones that remain secure even if the attacker has a quantum computer. However, this is easier said than done – there is no consensus what replacements should be chosen and how secure the systems are. NIST has just started a 5-7 year competition with the target to recommend a portfolio of post-quantum encryption and signature schemes. Considerations will be speed, bandwidth, and of course security. Several of the submissions are based on lattices. At our current level of understanding, lattice-based cryptography offers relatively small public keys for both encryption and signatures, while having good performance and reasonably sized ciphertexts and signatures. While these features are nice and make us want to know more about lattices, that world can be a scary place full of discussions of Minkowski bounds, Gaussian distributions, and orthogonalized bases. We will show how these schemes work in accessible terms. Lattices have been used in cryptography for more than thirty years, but for most of that only as a tool to attack systems, starting with knapsack systems in the early 80’s. Lattices can also be used to break conventional public-key cryptosystems such as RSA or Diffie-Hellman when they are incorrectly implemented. This talk will explain these fun attacks in concrete terms, with code you can run at home. Algorithms will be presented as Python/Sage code snippets and will already be online before the talk at https://latticehacks.cr.yp.to. This is a joint presentation by Daniel J. Bernstein, Nadia Heninger, and Tanja Lange, surveying work by many people.

Other people: djb Nadia Heninger

Last year your friend Karen joined the alternative music scene and sent you a sound track. The government is recording everything, and this year announced that alternative music is a gateway drug to terrorism (see http://www.theguardian.com/australia-news/2015/sep/25/radicalisation-kit-links-activism-and-alternative-music-scene-to-extremism). Fortunately, Karen encrypted the email.

Fast forward to 2035. Stasi 2.0 has risen to power and has decided that, to protect society, anyone who has ever been exposed to alternative music will be sent to a „better place“. They still have a copy of Karen’s ciphertext. And here’s the really bad news: They’ve just finished building a billion-qubit quantum computer.

Back in 2015, large general-purpose quantum computers haven’t been built yet, but the consensus is that they will be built, and that they will allow well-funded attackers to retroactively break practically all of today's deployed public-key cryptography. RSA will be dead. ECC will be dead. DSA will be dead. „Perfect forward secrecy“, despite its name, won’t help.

Fortunately, there are replacement public-key cryptosystems that have held up very well against analysis of possible attacks, including future quantum attacks. This talk will take a hands-on look at the two examples with the longest track records: namely, hash-based signatures (Merkle trees) and code-based encryption (McEliece).

The talk will be given as a joint presentation by Daniel J. Bernstein and Tanja Lange.

Other people: djb

This talk will explain how to work with elliptic curves constructively to obtain secure and efficient implementations, and will highlight pitfalls that must be avoided when implementing elliptic-curve crypto (ECC). The talk will also explain what all the buzz in curve choices for TLS is about. This talk does not require any prior exposure to ECC.

ECC is rapidly becoming the public-key technology of choice for Internet protocols. ECC was introduced in 1985 and has a much stronger security record than RSA. ECC research has found new ways of attacking implementations but has also found nicer curves that avoid such attacks. As a followup to the Snowden revelations, the TLS working group of the IETF has recently asked the crypto research group (CFRG) to suggest new curves for use in TLS, and NIST has publicly announced that they are considering new curves. This talk gives a hands-on description of how to compute with elliptic curves. It shows different ways to write elliptic curves and the consequences of this representation for secure and efficient implementation. Algorithms will be presented as Python code snippets and will already be online before the talk at http://ecchacks.cr.yp.to. The talk will be given as a joint presentation by Daniel J. Bernstein and Tanja Lange.

Other people: djb

This was a busy year for crypto. TLS was broken. And then broken again. Discrete logs were computed. And then computed again. Is the cryptopocalypse nigh? Has the NSA backdoored everything in sight? Also, answers to last year's exercises will be given.

Other people: Nadia Heninger djb