Nadia Heninger

Lattices are an extremely useful mathematical tool for cryptography. This talk will explain the basics of lattices in cryptography and cryptanalysis.

It’s an exciting time for public-key cryptography. With the threat of practical quantum computers looming in the next few decades, it’s high time to replace the systems that can be broken by a quantum computer with ones that remain secure even if the attacker has a quantum computer. However, this is easier said than done – there is no consensus what replacements should be chosen and how secure the systems are. NIST has just started a 5-7 year competition with the target to recommend a portfolio of post-quantum encryption and signature schemes. Considerations will be speed, bandwidth, and of course security. Several of the submissions are based on lattices. At our current level of understanding, lattice-based cryptography offers relatively small public keys for both encryption and signatures, while having good performance and reasonably sized ciphertexts and signatures. While these features are nice and make us want to know more about lattices, that world can be a scary place full of discussions of Minkowski bounds, Gaussian distributions, and orthogonalized bases. We will show how these schemes work in accessible terms. Lattices have been used in cryptography for more than thirty years, but for most of that only as a tool to attack systems, starting with knapsack systems in the early 80’s. Lattices can also be used to break conventional public-key cryptosystems such as RSA or Diffie-Hellman when they are incorrectly implemented. This talk will explain these fun attacks in concrete terms, with code you can run at home. Algorithms will be presented as Python/Sage code snippets and will already be online before the talk at https://latticehacks.cr.yp.to. This is a joint presentation by Daniel J. Bernstein, Nadia Heninger, and Tanja Lange, surveying work by many people.

Other people: djb Tanja Lange

Earlier this year, we discovered that Diffie-Hellman key exchange – cornerstone of modern cryptography – is less secure in practice than the security community believed. In this talk, we’ll explain how the NSA is likely exploiting this weakness to allow it to decrypt connections to at least 20% of HTTPS websites, 25% of SSH servers, and 66% of IPsec VPNs.

Unlike the NSA, most of us don’t have a billion-dollar budget, but thanks to 1990s-era U.S. crypto backdoors, even attackers with much more modest resources can break the crypto for a sizable fraction of web sites. We’ll explain these flaws and how to defend yourself, and we’ll demonstrate how you too can experiment with Diffie-Hellman cryptanalysis from the comfort of your local hacker space. Diffie-Hellman key exchange lets two parties negotiate a shared secret key in the presence of an eavesdropper who can see every message they exchange. This bit of cryptographic magic underlies the security of the Internet, from TLS to SSH, IPsec, Tor, OTR, and beyond. Diffie-Hellman is widely believed to offer „perfect forward secrecy“ – after you’re done communicating, you can „forget" your secret key and not even the NSA can later reconstruct it. In recent years, this property led to the security community (us included!) promoting Diffie-Hellman over other crypto techniques as a defense against mass surveillance. We were wrong. We’re really sorry. In this talk, we’ll explain how a confluence of number theory, lazy implementations, and aging protocols has created a world where anyone willing to spend a few hundred million dollars is likely able to passively decrypt a huge fraction of Internet traffic. We’ll then go back for a close reading of the Snowden documents that were published at 31C3 and show how such a cryptanalytic exploit lines up exactly with several of the NSA’s most powerful known decryption capabilities. For those who prefer a more hands-on approach, we’ll tell you how you too can experiment with breaking Diffie-Hellman for the „export-grade“ 512-bit key sizes that were mandated in the 1990s by U.S. crypto regulations. About 8% of popular HTTPS sites still support these weakened keys for use with legacy browsers, but we discovered a TLS protocol flaw, which we named the Logjam attack, that allowed a man-in-the-middle to trick all modern browsers into accepting them. We’re pretty sure your browser has shipped a security update to fix this by now... We’ll conclude the talk by discussing what went wrong with communication between mathematical cryptographers and security practitioners, how we can prevent this from happening again, and what flavors of cryptography you should really be using to defend yourself. (Hint: It starts with „elliptic“ and ends with „curve“.)

Other people: J. Alex Halderman

Julia Angwin, Jack Gillum, and Laura Poitras will tell us stories about how they use crypto and privacy-enhancing technologies as high-profile journalists, and rant in an entertaining way about how these tools have failed or are horribly inadequate for their needs. They will also talk about their rare crypto successes.

Cryptography and privacy-enhancing technologies are increasingly part of a modern journalist's spycraft. But what does it look like when a reporter actually tries to protect herself and her sources with the best tools that the hacker/academic/activist/cipherpunk/technologist communities have produced? Disaster, chaos, crashes, and UI-sponsored opsec fails. In this talk, Julia Angwin, Jack Gillum, and Laura Poitras will tell us highly entertaining and disturbing war stories of using crypto in the field as high-risk targets, and excoriate the crypto and developer communities for failing to meet their needs while claiming success and security for all. We will hear how the crypto-nerd's utopia of deniable poker over the phone with an honest-but-curious adversary becomes a set of barely usable implementations and user expectation mismatches. We hope to provide some clarity on what works and what doesn't for those who develop or aspire to develop secure applications, and also a rough guide to usable opsec right now for sources, journalists, and other nontechnical users worried about sophisticated adversaries.

Other people: Julia Angwin Laura Poitras Jack Gillum

This was a busy year for crypto. TLS was broken. And then broken again. Discrete logs were computed. And then computed again. Is the cryptopocalypse nigh? Has the NSA backdoored everything in sight? Also, answers to last year's exercises will be given.

Other people: djb Tanja Lange