  • Implementing Optimized Cryptography for Embedded Systems

    FALCON is a novel post-quantum signature algorithm based on Fast-Fourier Lattice-based Compact Signatures over NTRU. Signing in FALCON involves the use of complex numbers, which can be approximated with IEEE-754 double precision (binary64) floating point numbers. This presents a problem when targeting ARM Cortex-M4. As mentioned above, the processor optionally supports single precision floating point numbers only. How do we solve this dilemma?

  • Fast and Secure Implementations of the Falcon Post-Quantum Cryptography Signature Algorithm

    Falcon is a new lattice-based post-quantum signature algorithm, which offers compact signatures and keys, and good performance. An efficient, portable and secure implementation is published that can work on both big servers and small, constrained embedded systems.

  • The Longest Blockchain is not the Strongest Blockchain

    A common misunderstanding of Nakamoto Consensus, even present in the original Bitcoin whitepaper and implementation, is that the miners follow the chain with the greatest number of blocks. The 'longest' blockchain is not necessarily the 'strongest' blockchain, and there are several attacks that network participants can execute in the case where the longest chain is considered the valid one.

  • The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations

    On May 15th, I approached Yuval Yarom with a few issues I had found in some TLS implementations. This led to a collaboration between Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, Yuval Yarom and me. Spearheaded by Eyal, the research has now been published here. And as you can see, the inventor of RSA himself is now recommending that you deprecate RSA in TLS.

  • Bitcoin Orphan Transactions and CVE-2012-3789

    Before developing or reviewing blockchain client software, one should survey previously known blockchain software vulnerabilities (notably those in Bitcoin, given the amount of auditing it has received).

  • Undefined Behavior Is Really Undefined

    In C and C++, there is such a thing as 'Undefined Behavior', by which the relevant standards mean to say that anything goes. They really mean it.

  • Ethereum Top 10 Security Vulnerabilities For Smart Contracts

    I am pleased to announce the launch of the Decentralized Application Security Project (DASP), an open and collaborative project to categorize and rank all known smart contract vulnerabilities.

  • Confidential Transactions from Basic Principles

    Bitcoin today publicly reveals how much Bitcoin is sent in every transaction. Some cryptocurrencies wish to make these values private by default, but this comes with some mathematical challenges. We explain here what it takes to construct confidential transactions, assuming a basic background in cryptography and algebra.

  • New Practical Attacks on 64-bit Block Ciphers (3DES, Blowfish)

    A pair of researchers from INRIA have identified a new technique called Sweet32. This attack exploits known block cipher vulnerabilities (collision/birthday attacks) against 64-bit block ciphers like 3DES and Blowfish. It affects any protocol making use of these "light" block ciphers along with CBC mode for a long period of time without re-keying. While cryptographers have long known that combining such block ciphers with long-lasting connections has these security implications, it is relatively easy for product maintainers or users of various software to create vulnerable conditions.

  • What are State-sized adversaries doing to spy on us? Or how to backdoor Diffie-Hellman

    In the history of American cryptography, companies wanting to export their products abroad had to comply with a few official laws called the U.S. Export rules. These stated that no strong cryptographic algorithms could be shipped outside of the country, unless weakened down to brute-forceable sizes (for the government). Some exceptions were made, notably in the Lotus Notes software, where an asymmetric backdoor had to be implemented in exchange for the right to use stronger cryptography.

  • Real World Crypto 2017

    Real World Crypto is THE convention anyone interested in cryptography – but usually annoyed by most of the too theoretical conventions of the field – should attend. It seeks to bridge the world of applied cryptography to the one of academia. The speakers and the audience come from both the industry and universities to mingle together for a few days in what is in my eyes the most amazing convention about cryptography.

  • The Noise Protocol Framework

    WhatsApp just announced their integration of the Signal protocol (formerly known as the Axolotl protocol). An interesting aspect of it is the use of a TLS-like protocol called Noise Pipes, a protocol based on the Noise protocol framework, a one-man work led by Trevor Perrin with only a few implementations and a moderately long specification available here. I thought it would be interesting to understand how protocols are made from this framework, and to condense it in a 25-minute video. Here it is.

  • Beyond the BEAST Returns to Black Hat USA

    Last year we premiered a new training course we developed as a back-to-back sold-out offering at Black Hat in Las Vegas. This year we’re offering it again at Black Hat. Since debuting last year, we’ve offered the course more than a half-dozen times, and gotten outstanding feedback that has helped us improve it each successive offering. We’ve updated the course significantly since last year - improving the layout, content, and exercises. We’ve taken a few existing topics and added a few more to create the new Subverting Signatures module, retooled our coverage of Randomness to include more analysis on PRNGs in the abstract and more exploiting specific broken PRNGs, and included more information about ECC - both background and attacks.

  • Hash-Based Signatures Part IV: XMSS and SPHINCS

    This is the last blogpost in this series on hash-based signatures. We will finally see how the state-of-the-art hash-based signature schemes XMSS and SPHINCS work on the surface.

  • Hash-Based Signatures Part III: Many-times Signatures

    This is part 3 of our series on hash-based signatures. We will see the first practical hash-based signature scheme invented by Merkle and built on top of one-time signature schemes.

  • Hash-Based Signatures Part II: Few-Times Signatures

    This is part 2 of our series on hash-based signatures. After seeing how one-time signatures can be made out of hash functions, we will see how we can build schemes that allow us to sign a few times without security issues.

  • Hash-Based Signatures Part I: One-Time Signatures (OTS)

    PQCrypto recently announced their initial recommendations for post-quantum cryptographic algorithms. For signatures two algorithms were listed, both hash-based signature schemes, XMSS and SPHINCS. Such schemes are built on top of what we call one-time signature schemes (OTS). Here's an explanation of what they are.

  • Announcing an east coast offering of our Beyond the BEAST Crypto Training

    November 17th and 18th will be an offering of our Beyond the BEAST training in New York City, previously seen at Black Hat. Contact us right away to reserve your seat!

  • Factoring RSA Keys With TLS Perfect Forward Secrecy

    Florian Weimer from the Red Hat Product Security team has just released a technical report entitled "Factoring RSA Keys With TLS Perfect Forward Secrecy".

  • Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA

    Common previous applications of SAT solvers in cryptanalysis include directly encoding the cryptographic primitive into logical equations and then trying to solve such equations. The unknown variables are typically the secret key bits (or unknown message bits, in attempts to obtain a preimage of a hash function) and the equations are built using known plaintext/ciphertext or hash digests. Such attempts, however, typically go only through a small number of rounds of a cryptographic primitive, as the problem the SAT solver is given is equivalent to the problem of breaking the cryptographic primitive. In this work, we show that if we give up on attempting to use the SAT solver for direct cryptanalysis, SAT can still be a very useful tool in cryptanalysis, particularly in the domain of differential/boomerang attack verification. Using the off-the-shelf constraint solver URSA (which translates C-like code into SAT equations), we analyze differential trails specified in previous literature and show that the probabilistic analysis of several of these trails is flawed.

  • A back-to-front TrueCrypt recovery story: the plaintext is the ciphertext

    One of our clients recently approached us for assistance with recovering data from a laptop hard drive which had been encrypted using TrueCrypt. A hardware repair gone wrong had led to problems booting the operating system, and a variety of attempted fixes had been unsuccessful. They had already sent the drive to a specialist data recovery firm, who imaged the disk successfully but found the contents to be encrypted, and couldn’t make any progress. NCC took on the engineering required to turn an opaque encrypted drive and passphrase back into business-critical bits.

  • OpenSSL Audit

    We're excited to announce that as part of the Linux Foundation's Core Infrastructure Initiative, and organized by the Open Crypto Audit Project, Cryptography Services will be conducting an audit of OpenSSL. This is an amazing opportunity to dive deeply into one of the pieces of software that so much of the world relies on, and we're honored to have been chosen to conduct it.

  • Truecrypt Phase Two Audit Announced

    Cryptography Services will be conducting the second phase of the Truecrypt Audit, focusing on the cryptography of the project as it is used in the most common configurations. This follows up iSEC's Phase One Audit, and will complement the work done there.

  • CS Debuts Crypto Training at Black Hat

    Cryptography Services will be debuting our Crypto Training Course: Beyond the Beast: Deep Dives into Crypto Vulnerabilities at Black Hat Vegas this summer.

  • Code Execution In Spite Of BitLocker

    BitLocker in Windows 8 removed the custom Elephant Diffuser, and uses only the extremely malleable AES-CBC mode (despite statements saying this mode was unacceptable when BitLocker was introduced in 2006). Removing Elephant allows us to perform fine-grained attacks on the inert, encrypted disk - and lets us achieve arbitrary code execution in spite of the cryptographic protection.