About Cryptography Services
Cryptographic operations tend to concentrate the confidentiality, integrity and authenticity assurances of an entire application into a very small high-value target. A specialized review of cryptographic implementation ensures that systems are designed, implemented, and operate correctly. Organizations often underestimate the need for cryptographic consulting as vulnerabilities can be obscure and poorly understood yet devastating. Systems operate seemingly correctly, but actually insecurely - a lurking risk that is taken advantage of at the worst time and in the worst way.
NCC Group’s Cryptography Services practice is a specialized team of consultants focusing exclusively on the most challenging projects involving cryptographic primitives, protocols, implementations, systems, and applications. The team combines years of experience in security with a lifelong passion for cryptography to provide a unique and unmatched offering. We have a wealth of experience advising, building, breaking, fixing and deploying cryptographic solutions that our customers rely on for their core business, data protection, compliance, and security needs.
Service Offerings
- Strategic Cryptographic Advice
- Applied Cryptographic Design & Architecture Review
- Applied Cryptographic Software Assessment
- Core Cryptographic Primitive Review
- Blockchain and Crypto Reviews
- Protocol Review
- Product Review
- Applied Cryptography Training
Projects
Current and former members of Crypto Services have been involved in several projects:
- BearSSL and Constant-Time Toolkit (CTTK) were built by and are currently maintained by Thomas Pornin.
- CryptoHack (cryptohack.org), a platform with CTF-style cryptographic challenges, was co-founded by Giacomo Pope. It offers challenges covering all sorts of cryptography: hash functions, block ciphers, lattices, zero-knowledge proofs, and more.
- The Matasano Crypto Challenges, aka CryptoPals Challenges, were written by former members of the Crypto Services team.
- The CryptoPals Guided Tour was created by Eli Sohl and includes screencasts covering each challenge in detail. The first 19 challenges are available on YouTube either in a playlist on NCC Group’s channel or on Eli’s channel.
- The DASP project and OTF or Open Crypto Audit initiatives such as the OpenSSL audit and TrueCrypt audit.
About NCC Group
Offering a total information assurance solution for your business, NCC Group protects against risk. We provide freedom from doubt that business critical information, data, websites, applications and infrastructure are available, protected, and operating as they should be at all times. Our services include software escrow and verification, security testing, website performance, software testing and domain services.
Blog Archive (2019 and before)
Below is a list of blog posts and research from 2019 and before:
2019
- Implementing Optimized Cryptography for Embedded Systems
- Fast and Secure Implementations of the Falcon Post-Quantum Cryptography Signature Algorithm
- The Longest Blockchain is not the Strongest Blockchain
- The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
2018
- Bitcoin Orphan Transactions and CVE-2012-3789
- Undefined Behavior Is Really Undefined
- Ethereum Top 10 Security Vulnerabilities For Smart Contracts
2017
2016
- New Practical Attacks on 64-bit Block Ciphers (3DES, Blowfish)
- What are State-sized adversaries doing to spy on us? Or how to backdoor Diffie-Hellman
- Real World Crypto 2017
- The Noise Protocol Framework
- Beyond the BEAST Returns to Black Hat USA
2015
- Hash-Based Signatures Part IV: XMSS and SPHINCS
- Hash-Based Signatures Part III: Many-times Signatures
- Hash-Based Signatures Part II: Few-Times Signatures
- Hash-Based Signatures Part I: One-Time Signatures (OTS)
- Announcing an east coast offering of our Beyond the BEAST Crypto Training
- Factoring RSA Keys With TLS Perfect Forward Secrecy
- Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
- A back-to-front TrueCrypt recovery story: the plaintext is the ciphertext
- OpenSSL Audit
- Truecrypt Phase Two Audit Announced
- CS Debuts Crypto Training at Black Hat
2014
Recent Publications
Public Reports
- Google Private AI Compute Review
- VetKeys Cryptography Review
- Meta WhatsApp message summarization service
- VeChain JavaScript SDK Cryptography and Security Review
- WhatsApp Contacts Security Assessment
- Keyfork Implementation Review
- Google Privacy Sandbox Aggregation Service and Coordinator
- Aleo snarkOS Implementation and Consensus Mechanism Review
- Security Review of RSA Blind Signatures with Public Metadata
- Aleo snarkVM Implementation Review
Research Papers
- Simpler and Faster Pairings from the Montgomery Ladder
- Constant-Time Code: The Pessimist Case
- Radical 2-isogenies and cryptographic hash functions in dimensions 1, 2 and 3
- Cryptography Experiments In Lean 4: SHA-3 Implementation
- SQIsign2D-West: The Fast, the Small, and the Safer
- An Algorithmic Approach to (2,2)-isogenies in the Theta Model and Applications to Isogeny-based Cryptography
- FESTA: Fast Encryption from Supersingular Torsion Attacks
- A Direct Key Recovery Attack on SIDH
- A Note on Reimplementing the Castryck-Decru Attack and Lessons Learned for SageMath
- BAT: a Fast and Small Key Encapsulation Mechanism
Blogposts
- Announcing the Cryptopals Guided Tour Video 18: Implement CTR
- Technical Advisory – Hash Denial-of-Service Attack in Multiple QUIC Implementations
- Real World Cryptography Conference 2024
- Cranim: A Toolkit for Cryptographic Visualization
- Announcing the Cryptopals Guided Tour Video 17: Padding Oracles!
- Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)
- On Multiplications with Unsaturated Limbs
- SIAM AG23: Algebraic Geometry with Friends
- Real World Cryptography Conference 2023 – Part II
- Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG
Presentations
- Post-Quantum Cryptography Auditing (U30c)
- SQIsign2D: Dimensional Goldilocks, University of Bristol, Bristol (United Kingdom)
- Superspecial Cryptography: Computing Isogenies between Elliptic Products, SIAM Conference on Applied Algebraic Geometry, Eindhoven (Netherlands)
- Generating NTRU trapdoors the Lattice workshop talk
- Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
