Advertise on podcast: Cryptography FM

Benjamin Wesolowski talks about his latest paper in which he mathematically proved that the two fundamental problems underlying isogeny-based cryptography are equivalent. Links and papers discussed in the show: The supersingular isogeny path and endomorphism ring problems are equivalent Episode 5: Isogeny-based Cryptography for Dummies! Music composed by Toby Fox and performed by Sean Schafianski. Special Guest: Benjamin Wesolowski. Sponsored By: Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns. Capsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links: The supersingular isogeny path and endomorphism ring problems are equivalentEpisode 5: Isogeny-based Cryptography for Dummies!

A team of cryptanalysits presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, they show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time 240 GEA-1 evaluations and using 44.5 GiB of memory. The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design. Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2 Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Gaëtan Leurent and Håvard Raddum. Links: Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2

TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and Email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols. ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. Links and papers discussed in the show: ALPACA Attack Website Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Marcus Brinkmann and Robert Merget. Sponsored By: Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns. Capsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links: ALPACA Attack

Nadim talks with Peter Schwabe and Matthias Kannwischer about the considerations — both in terms of security and performance — when implementing cryptographic primitives for low-level and embedded platforms. Links and papers discussed in the show: Optimizing crypto on embedded microcontrollers Implementing post-quantum cryptography on embedded microcontrollers Optimizing crypto on embedded microcontrollers (ASEC 2018) Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Matthias Kannwischer and Peter Schwabe. Sponsored By: Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns. Capsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.

Wi-Fi is a pretty central technology to our daily lives, whether at home or at the office. Given that so much sensitive data is regularly exchanged between Wi-Fi devices, a number of standards have been developed to ensure the privacy and authentication of Wi-Fi communications. However, a recent paper shows that every single Wi-Fi network protection standard since 1997, from WEP all the way to WPA3, is exposed to a critical vulnerability that allows the exfiltration of sensitive data. How far does this new attack go? How does it work? And why wasn’t it discovered before? We’ll discuss this and more in this episode of Cryptography FM. Links and papers discussed in the show: Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Release the Kraken: New KRACKs in the 802.11 Standard Music composed by Toby Fox and performed by Sean Schafianski. Special Guest: Mathy Vanhoef. Sponsored By: Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns. Capsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links: Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation — In this paper, we present three design flaws in the 802.11 standard that underpins Wi-Fi. One design flaw is in the frame aggregation functionality, and another two are in the frame fragmentation functionality. These design flaws enable an adversary to forge encrypted frames in various ways, which in turn enables exfiltration of sensitive data. We also discovered common implementation flaws related to aggregation and fragmentation, which further worsen the impact of our attacks. Our results affect all protected Wi-Fi networks, ranging from WEP all the way to WPA3, meaning the discovered flaws have been part of Wi-Fi since its release in 1997. In our experiments, all devices were vulnerable to one or more of our attacks, confirming that all Wi-Fi devices are likely affected. Finally, we present a tool to test whether devices are affected by any of the vulnerabilities, and we discuss countermeasures to prevent our attacks.Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd — We systematically analyze WPA3 and EAP-pwd, find denial-of- service and downgrade attacks, present severe vulnerabilities in all implementations, reveal side-channels that enable offline dictionary attacks, and propose design fixes which are being officially adopted.Release the Kraken: New KRACKs in the 802.11 Standard — We improve key reinstallation attacks (KRACKs) against 802.11 by generalizing known attacks, systematically analyzing all hand- shakes, bypassing 802.11’s official countermeasure, auditing (flawed) patches, and enhancing attacks using implementation-specific bugs.

Contact discovery is a core feature in popular mobile messaging apps such as WhatsApp, Signal and Telegram that lets users grant access to their address book in order to discover which of their contacts are on that messaging service. While contact discovery is critical for WhatsApp, Signal and Telegram to function properly, privacy concerns arise with the current methods and implementations of this feature, potentially resulting in the exposure of a range of sensitive information about users and their social circle. Do we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results. Links and papers discussed in the show: All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Alexandra Dmitrienko, Christian Weinert, and Christoph Hagen. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links: All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers — Contact discovery allows users of mobile messen- gers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods. Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large- scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross- messenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach. Furthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.

Secure multi-party computation is a fascinating field in cryptography, researching how to allow multiple parties to compute secure operations over inputs while keeping those inputs private. This makes multi-party computation a super relevant technology in areas such as code signing, hospital records and more. But what does it take to bring secure multi-party computation from the blank slate of academia and into the messiness of the real world? Today on Cryptography FM, we’re joined by Dr. Yehuda Lindell and Dr. Nigel Smart, from Unbound Security, to tell us about their research, their experiences with real world secure multiparty computation, and more. Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Nigel Smart and Yehuda Lindell. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

On March 1st, 2021, a curious paper appeared on the Cryptology ePrint Archive: senior cryptographer Claus Peter Schnorr submitted research that claims to use lattice mathematics to improve the fast factoring of integers so much that he was able to completely “destroy the RSA cryptosystem” -- certainly a serious claim. Strangely, while the paper’s ePrint abstract did mention RSA, the paper itself didn’t. Two days later, Schnorr pushed an updated version of the paper, clarifying his method. Does Schnorr’s proposed method for “destroying RSA” hold water, however? Some cryptographers aren’t convinced. Joining us today is Leo Ducas , a tenured researcher at CWI, Amsterdam who specialises in lattice-based cryptography, to help us understand where Schnorr was coming from, whether his results stand on their own, and how the influence of lattice mathematics in applied cryptography has grown over the past decade. Links and papers discussed in the show: Schnorr's ePrint submission Leo Ducas's implementation of Schnorr's proposed algorithm in Sage Music composed by Toby Fox and performed by Sean Schafianski. Special Guest: Léo Ducas. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links: Fast Factoring Integers by SVP Algorithms by Claus Peter Schnorr — "[...] This destroys the RSA cryptosystem."Testing Schnorr's factoring Claim in SageMath

Zero-Knowledge proofs have broadened the realm of use cases for applied cryptography over the past decade, from privacy-enhanced cryptocurrencies to applications in voting, finance, protecting medical data and more. In 2018, Dr. Eli Ben-Sasson and his team introduced ZK-STARKs, a new zero-knowledge construction that functions without trusted setup, thereby broadening what zero-knowledge systems are capable of. We’ll talk about ZK-STARKs and more with Eli in this episode of Cryptography FM. Links and papers discussed in the show: Scalable, transparent, and post-quantum secure computational integrity Cairo Language Cairo Workshop, 14-15 March 2021! Music composed by Toby Fox and performed by Sean Schafianski. Special Guest: Eli Ben-Sasson. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links: Scalable, transparent, and post-quantum secure computational integrityCairo LanguageCairo Workshop, 14-15 March 2021!

Every year, the IACR Real World Cryptography symposium brings together researchers, engineers and practitioners in applied cryptography to discuss cryptography that matters, in the real world. To me, this is the big one! The one cryptography conference that matters the most. Who needs proceedings when you’ve got so much excitement in the air, and so many results and projects that actually have a measurable impact on how cryptography affects the real world? This year’s program is maybe the most exciting yet, with talks on secure channel protocols, multiparty computation, formal methods, post-quantum cryptography, humans, policy and cryptography, hardware, cryptocurrency, cryptography for the cloud, anonymity and more. So many exciting talks! So much new research to discuss! Like every year, Real World Crypto is shaping up to be a veritable who’s who of applied cryptography. In this special episode of Cryptography FM, I’m joined by fellow researcher Benjamin Lipp in order to just… candidly go through the program of Real World Crypto 2021 and covering each talk’s abstract briefly. We’re going to have another special episode after Real World Crypto 2021 as a post-conference episode in order to discuss the highlights of the conference. And hopefully we’ll do this every year here on Cryptography FM! Music composed by Toby Fox and performed by The Consouls. Special Guest: Benjamin Lipp. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

The race for post-quantum cryptographic signature primitives is in its final lap over at NIST, which recently announced DILITHIUM, FALCON and Rainbow as the three signature primitive finalists. But a paper recently published by KU Leuven researcher Ward Beullens claims to find serious weaknesses in the security of Rainbow, one of those three finalists. In fact, the paper claims that the weaknesses are so severe that Rainbow’s security parameters now fall short of the security requirements set out by the NIST post-quantum competition. But how does Rainbow work, and how do these weaknesses affect it? And why weren’t they spotted until now? We discuss this and more in this week’s episode of Cryptography FM. Links and papers discussed in the show: Improved Cryptanalysis of UOV and Rainbow SQISign: compact post-quantum signatures from quaternions and isogenies Music composed by Toby Fox and performed by Sean Schafianski. Special Guest: Ward Beullens. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext. In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you. Links and papers discussed in the show: How to Abuse and Fix Authenticated Encryption Without Key Commitment Mitra, Ange's software tool for generating binary polyglots Shattered and other research into hash collisions Music composed by Toby Fox and performed by Sean Schafianski. Special Guests: Ange Albertini and Stefan Kölbl. Sponsored By: Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.