the year in crypto
play

The Year in Crypto Daniel J. Bernstein University of Illinois at - PowerPoint PPT Presentation

Nov 29, 2022 •396 likes •1.18k views

The Year in Crypto Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger University of Pennsylvania Tanja Lange Technische Universiteit Eindhoven Candidate Indistinguishability Obfuscation

  1. The Year in Crypto Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger University of Pennsylvania Tanja Lange Technische Universiteit Eindhoven

  2. Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits Sanjam Garg Craig Gentry Shai Halevi UCLA IBM Research IBM Research sanjamg@cs.ucla.edu craigbgentry@gmail.com shaih@alum.mit.edu Mariana Raykova Amit Sahai Brent Waters IBM Research UCLA University of Texas at Austin mariana@cs.columbia.edu sahai@cs.ucla.edu bwaters@cs.utexas.edu July 21, 2013 Abstract In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C 0 and C 1 of similar size, the obfuscations of C 0 and C 1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C . Using the key SK C to decrypt a ciphertext CT x = Enc ( x ), yields the value C ( x ) but does not reveal anything else about x . Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that supports all

  4. Understanding Cryptography mathematical problems factoring, discrete log, . . . RSA, Diffie-Hellman, DSA, AES, RC4, SHA-1, . . . cryptographic primitives protocols TLS, SSH, PGP, . . . OpenSSL, BSAFE, NaCl, . . . library implementations software applications Apache, Firefox, Chrome, . . .

  5. The Cryptopocalypse

  7. A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic Improvements over FFS in small to medium characteristic Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, Emmanuel Thomé 1 Introduction The discrete logarithm problem (DLP) was first proposed as a hard problem in cryptography in the seminal article of Diffie and Hellman [DH76]. Since then, together with factorization, it has become one of the two major pillars of public key cryptography. As a consequence, the problem of computing discrete logarithms has attracted a lot of attention. From an exponential algorithm in 1976, the fastest DLP algorithms have been greatly improved during the past 35 years. A first major progress was the realization that the DLP in finite � O ((log N ) α (log log N ) 1 − α ) � fields can be solved in subexponential time, i.e. L (1 / 2) where L N ( α ) = exp . The next step further reduced this to a heuristic L (1 / 3) running time in the full range of finite fields, from fixed characteristic finite fields to prime fields [Adl79, Cop84, Gor93, Adl94, JL06, JLSV06]. Recently, practical and theoretical progress have been made [Jou13a, GGMZ13, Jou13b] with an emphasis on small to medium characteristic finite fields and composite degree extensions. The most general and efficient algorithm [Jou13b] gives a complexity of L (1 / 4 + o (1)) when the characteristic is smaller than the square root of the extension degree. Among the ingredients of this approach, we find the use of a very

  8. Fact: All the public-key crypto we use relies on three assumptions: factoring integers into primes discrete log modulo primes discrete log in elliptic curve groups

  9. factoring

  10. discrete log modulo primes

  11. elliptic curve discrete log factoring

  12. Discrete log over small characteristic fields (Not actually used in any deployed crypto.) • Factoring, discrete log have subexponential-time algorithms. • No big algorithmic improvement since 1993. • All progress has been Moore’s law, implementation details, etc.

  13. Discrete log over small characteristic fields (Not actually used in any deployed crypto.) • Factoring, discrete log have subexponential-time algorithms. • No big algorithmic improvement since 1993. • All progress has been Moore’s law, implementation details, etc. Until December 2012: 2012-12-24 1175-bit and 1425-bit Joux 2013-02-11 F ∗ Joux 2 1778 2013-02-19 GGMZ F ∗ 2 1971 2013-02-20 L (1 / 4 + o (1) , c ) Joux 2013-03-22 Joux F ∗ 2 4080 2013-04-11 F ∗ GGMZ 2 6120 2013-05-21 Joux F ∗ 2 6168 n O (log n ) algorithm for F ∗ 2013-06-18 Barbulescu, Gaudry, Joux, Thom´ e p n

  14. Extrapolated impact of hypothetical factoring algorithm improvements Current general-purpose factoring running time for integer N : � (64 / 9) 1 / 3 (ln N ) 1 / 3 ∗ (ln ln N ) 2 / 3 � L ((64 / 9) 1 / 3 , 1 / 3) = exp Small-characteristic field DL improvement from L (1 / 3) → L (1 / 4) → n O (log n ) . bit length of N 1024 2048 4096 L ((64 / 9) 1 / 3 , 1 / 3) 86 116 156 current state → L ((32 / 9) 1 / 3 , 1 / 3) 68 92 124 improved constant → L ((64 / 9) 1 / 4 , 1 / 4) 49 63 81 improved exponent → bit-security of key

  15. • Researchers in area agree that small-characteristic techniques can’t be adapted to factoring or large primes • Reminder that sometimes big progress can be made on old problems. • There is no proof that factoring/discrete log are hard. (Polynomial heirarchy would collapse if they were NP-hard.) • Elliptic curve discrete log totally different story: index calculus unlikely to work. (Already Miller 1986, Koblitz 2000.) Some recommendations: • Don’t hard-code algorithms or key sizes. ∗ If you must, use conservative choices. • Listen to cryptographers. This is old news. • Think about adopting elliptic curves. (More on this later.)

  16. January 2013 A user actually tries to use crypto!

  17. January 2013 A user actually tries to use crypto! . . . and fails.

  18. January 2013 A user actually tries to use crypto! . . . and fails. Close to #epicfail.

  19. January 2013 A user actually tries to use crypto! . . . and fails. Close to #epicfail. “It’s really annoying and complicated, the encryption software. . . . He kept harassing me, but at some point he just got frustrated, so he went to Laura.” —Glenn Greenwald, quoted in “How Laura Poitras helped Snowden spill his secrets”, New York Times Magazine, 18 August 2013 Picture credit: Reuters via www.popularresistance.org

  20. February 2013: timing-padding-oracle attacks against TLS This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal. —RFC 5246, “The Transport Layer Security (TLS) Protocol, Version 1.2”, 2008

  21. February 2013: timing-padding-oracle attacks against TLS This leaves a small timing channel, since MAC performance depends to some extent on the size of the data fragment, but it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal. —RFC 5246, “The Transport Layer Security (TLS) Protocol, Version 1.2”, 2008 This timing side-channel can then be “wrangled” into reveal- ing plaintext data via careful statistical analysis of multiple tim- ing samples. As we shall show, other natural methods for han- —AlFardan and Paterson, “Lucky Thirteen: breaking the TLS and DTLS record protocols”, IEEE Symposium on Security and Privacy 2013

  22. February 2013: TLS algorithm agility to the rescue! Typical vendor response:

  23. February 2013: TLS algorithm agility to the rescue! Typical vendor response: To mitigate this vulnerability, configure the client-side SSL profile to prefer RC4-SHA ciphers.

  24. February 2013: TLS algorithm agility to the rescue! Typical vendor response: To mitigate this vulnerability, configure the client-side SSL profile to prefer RC4-SHA ciphers. Successful upgrade: RC4 was used for > 50% of TLS traffic in February 2013.

  25. March 2013: attacks against RC4 in TLS A statistical analysis of ciphertexts forms the core of our attacks. We stress that the attacks are ciphertext- only: no sophisticated timing measurement is needed on the part of the adversary, the attacker does not need to be located close to the server, and no packet injection capa- bility is required (all premises for Lucky 13). Instead, it suffices for the adversary to record encrypted traffic for later offline analysis. Provoking the required repeated encryption and transmission of the target plaintext, how- —AlFardan, Bernstein, Paterson, Poettering, Schuldt, “On the security of RC4 in TLS”, USENIX Security Symposium 2013

  26. Taiwan Citizen Digital Certificate Government-issued smart cards allow citizens to • file income taxes, • update car registrations, • transact with government agencies, • interact with companies (e.g. Chunghwa Telecom) online.

  27. As reported at 29C3: Collected 3 million certificiates with RSA public keys. Factored 103 keys using GCD algorithm: N 1 = pq 1 N 2 = pq 2 gcd( N 1 , N 2 ) = p Oops, bad RNG. End of story?

  28. Most commonly shared factor appears 46 times c0000000000000000000000000000000 00000000000000000000000000000000 00000000000000000000000000000000 000000000000000000000000000002f9

  29. Next most common factor appears 7 times c9242492249292499249492449242492 24929249924949244924249224929249 92494924492424922492924992494924 492424922492924992494924492424e5

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops

- The First Crypto Merchant - Crypto Payment Crypto Payment for online shops for retail shops Did you know? Our payment system has ZERO FEES for processing payments How it works? It takes only a few minutes to complete Merchant Initiate

269 views • 11 slides
Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on

Javascript Crypto & The Case Against Crypto Reductionism Ben Adida Mozilla Workshop on Real-World Crypto January 2013 promote openness, innovation & opportunity on the Web. previously easy to deploy easy to use privacy

610 views • 22 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides
Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information Sciences

Crypto intro Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example Encryption: modes of operation Computer Security: Secret Key Crypto B. Jacobs Institute for Computing and Information

856 views • 73 slides
Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Outline Public key crypto RSA Essentials Computer Security: Public Key Crypto Public Key Crypto

Public key crypto Public key crypto RSA Essentials RSA Essentials Public Key Crypto in Java Public Key Crypto in Java Radboud University Nijmegen Radboud University Nijmegen Public key protocols Public key protocols Diffie-Hellman and El

448 views • 16 slides
w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals

Aditus Luxury Access Platform for Crypto A ffl uents Presentation 21 Nov 2017 w w w . a d i t u s . n e t Crypto-currencies have created a new class of a ffl uent individuals Crypto-currency values have been the best performing asset class

206 views • 19 slides
Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO

Algorithms, cryptography and protocols DONT EVER ROLL YOUR OWN PROTOCOL, CRYPTO ALGO, CRYPTO Use this space to add an image. IMPLEMENTATION, OR CRYPTO RNG Insert an image and change the scale to cover this box. ALSO, KEY MANAGEMENT IS

1.01k views • 81 slides
19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a

Is 2 255 19 big enough? What marketing says Generate public keys 56-bit crypto: Broken. on a strong elliptic curve 128-bit crypto: Okay. over the field Z (2 255 19). 256-bit crypto: High security! Is that safe? 512-bit

121 views • 11 slides
Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform

Ethereum and the crypto landscape Different Crypto Value Propositions Name Payment Platform Stable Coin Dapps Sum $ Bitcoin 154.00 $ Ethereum 29.00 $ XRP 18.70 $ BCH 7.70 $ EOS 7.20 $ LiteCoin 7.00 $ BNB 4.70 $ Tether

160 views • 12 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has

1.29k views • 94 slides
Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020,

Future Challenges for Lightweight Cryptography F.-X. Standaert UCL Crypto Group Crypto for 2020, Tenerife, January 2013 Outline 1 1. Past results 2. Future challenges 1. Block ciphers 2 TEA, NOEKEON, AES, SERPENT, ICEBERG, HIGHT,

844 views • 68 slides
Data and Infrastructure in Digital Assets One of the crypto sub-sectors well poised to produce

Data and Infrastructure in Digital Assets One of the crypto sub-sectors well poised to produce

Data and Infrastructure in Digital Assets One of the crypto sub-sectors well poised to produce its own unicorns as within other ecosystems More than 50 companies Over $286M raised with 44 deals completed $47.8M average per year and

744 views • 14 slides
no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with:

no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with:

no more downgrades : protec)ng TLS from legacy crypto karthik bhargavan INRIA joint work with: g. leurent, c. brzuska, c. fournet, m. green, m. kohlweiss, s. zanella-beguelin TLS: a long year of downgrade aFacks POODLE TLS 1.2 SSLv3

487 views • 22 slides
Announcement Mike Krummhoefener Material Properties 2 RIT Alum (1992) Technical

Announcement Mike Krummhoefener Material Properties 2 RIT Alum (1992) Technical

Announcement Mike Krummhoefener Material Properties 2 RIT Alum (1992) Technical Director / Digital Artist for Pixar will be visiting RIT: Friday, April 13th Gravure Press Pit (Building 7B) 9:00am (reception) / 9:30am

276 views • 6 slides
HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One

HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One

Network Share with three people: HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One Way I Lead. 2 logos / url social Follow us! AGENDA 8:45AM HOW I LEAD 9:30AM New Hampshire Women in

1.11k views • 52 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Class 3: Voltage Divider and Installation Day Activity 3 Install ALICE and Pixel Pulse,

Class 3: Voltage Divider and Installation Day Activity 3 Install ALICE and Pixel Pulse,

Class 3: Voltage Divider and Installation Day Activity 3 Install ALICE and Pixel Pulse, Voltage Divider Dr. Mahmood A. Hameed ECSE Department Rensselaer Polytechnic Institute Intro to ECSE Derivation of Voltage Divider Equation * Y "

610 views • 7 slides
For Thursday Read Weiss, chapter 4, section 3 Homework: Weiss, chapter 7, exercise 15

For Thursday Read Weiss, chapter 4, section 3 Homework: Weiss, chapter 7, exercise 15

For Thursday Read Weiss, chapter 4, section 3 Homework: Weiss, chapter 7, exercise 15 Quicksort homework from ReggieNet Extra Credit Opportunity 2005 CS alum Brandon Dewitt VP of Engineering at MoneyDesktop Giving a talk

729 views • 17 slides
Carbon Pricing 4. Industrial Competitiveness - free allocation and border adjustments Among the

Carbon Pricing 4. Industrial Competitiveness - free allocation and border adjustments Among the

Carbon Pricing 4. Industrial Competitiveness - free allocation and border adjustments Among the main political obstacles to strengthening carbon pricing is concern about adverse effects on industrial competitiveness A risk for only a few

616 views • 24 slides
Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features The Salice system for concertina doors has been designed to open both doors on one side only, giving good access

512 views • 10 slides
Introduction to CRUs pricing service Scott Yarham Pricing Development Manager CRU Aluminium

Introduction to CRUs pricing service Scott Yarham Pricing Development Manager CRU Aluminium

Introduction to CRUs pricing service Scott Yarham Pricing Development Manager CRU Aluminium World Conference 24 April 2019 About CRU CRU's reputation with customers across mining , metals and fertilizers is for integrity, reliability,

429 views • 12 slides

More recommend