Padding Oracle Attack or the Virtues of a Glomar response

Rohit Aggarwal wrote “While working on the excellent CryptoPals challenges, I came across the Padding Oracle Attack. The particular version of the attack I was working through was on CBC mode decryption when used with AES symmetric key cryptography. The attack has nothing to do with AES and everything to do with this block cipher mode of operation. Various forms of…”

Smart meters

David Ireland wrote “I’ve been using a micro-controller to automatically dim lights according to the time of day and ambient light conditions. At some point, I decided it would be easier to tinker with if I just used a raspberry pi, logged into it, and edited a python program. This doesn’t work: The pi basically can’t do PWM…”

Why I support the US Government making a cryptography standard weaker

Paul Crowley wrote “Documents leaked by Edward Snowden last month reveal a $250M program by the NSA known as Operation BULLRUN, to insert vulnerabilities into encryption systems and weaken cryptography standards. It now seems nearly certain that the NIST-certified random number generator Dual_EC_DRBG, adopted as the default in RSA Security's BSAFE toolkit, contains a back door usable only by the NSA which allows them to predict the entire future output of the generator given only 32 bytes. So it's not the easiest time for NIST to suggest they should make a cryptography standard weaker than it was originally proposed. Nevertheless, I support them in this and I hope they go ahead with it.”

Secure communication in the Cloud

David Ireland wrote “The internet does reliability end to end. That is, when a node A sends a message to node B, the message travels through many other nodes. These intervening nodes make a best effort at delivery, but if they don’t succeed, they just forget about it. B must confirm receipt, and A must try again if…”

CorePy problems and solutions

Paul Crowley wrote “In an earlier post I mentioned that I was using CorePy for my cryptographic fiddlings. Rather than writing the code in assembler in the traditional way, I took advantage of CorePy to program directly against the x86 ISA in Python. In CorePy, machine instructions, registers and suchlike are first-class objects which can be composed to…”

“Cube attack” less effective against Trivium than we thought?

Paul Crowley wrote “It looks like there are errors in the tables at the back of the “cube attack” paper which show how to apply the attack to Trivium: some of the entries don’t work. This could mean simply that there are typos in the table, or it could mean that the attack is somewhat less effective against…”

Trivium, SSE2, CorePy, and the “cube attack”

Paul Crowley wrote “I present a new implementation of the stream cipher Trivium designed for cryptanalysts, in particular those interested in applying the "cube attack" to Trivium. It generates 128 simultaneous output streams using SSE2 intrinsics, and achieves under 1 cycle/byte, over four times faster than standard implementations. The entire program is in Python; SSE2 machine instructions are generated and called using the tool CorePy, an approach I am happy to recommend to others with similar needs. The code is under the MIT licence and may be found in this Mercurial repository.”

Squaring Zooko’s Triangle, part two

Paul Crowley wrote “A few days ago, in Squaring Zooko's Triangle, I sketched out a proposal for a new naming scheme which to a limited extent achieved all of the contradictory-seeming aims set out in Zooko's Triangle. Having discussed the essay with a few folk since, it seems like it might be worthwhile trying to clarify the ideas behind it.”

Squaring Zooko’s triangle

Paul Crowley wrote “In this essay I propose a kind of name which is entirely decentralized, reasonably secure, and at least somewhat memorable. They look like this: Paul_Crowley:area-fluid-above-movie-start”

A crypto standards manifesto

Paul Crowley wrote “Our very best examples of crypto standards in commonplace use are so poor it's no wonder that developers end up hand-rolling their own broken alternatives. It's time we offered them something better.”

GF(2^32-5)

Paul Crowley wrote “In which our heroes make P2P applications several times more efficient using the mathematics of finite fields and some careful thought on what is efficient on today's processors”

Making the client do all the work

Paul Crowley wrote “This paper proposes to reduce the workload of SSL servers by making the clients carry as much of the crypto-related load as possible. I think it’s possible to do even better. Key agreement: In the above, the server only has to do an RSA public key operation, which is cheap if the exponent is low…”

Looking for needles in haystacks

Paul Crowley wrote “Here's a proper programming challenge, simple to state, and in the end quite challenging to solve. A function produces a 64-bit output given a 64-bit input. It mostly behaves like a random function, so given a random input, most outputs occur with probability between 0 and 2^-63; in other words, for a randomly-chosen 64-bit y, there are usually between 0 and 2 solutions to the equation f(x) = y. However, a few occur with much greater frequency - more like 2^-32 or so. The function is pretty quick and easy to calculate, but its internal structure defies direct analysis. How would you identify these more frequent occurrences by experiment? How big a computer would you need to do it in something like a few hours to a few days? Think about it for a while before you read on.”

Truncated differential cryptanalysis of five rounds of Salsa20

Paul Crowley wrote “eSTREAM have just put my paper online: Truncated differential cryptanalysis of five rounds of Salsa20 (PDF) (discussion, Wikipedia on Salsa20). This doesn’t break the whole cipher, just a seriously reduced version. Experimentation played a key role in finding this result. I found the first differential by writing a short Python program that implemented a pretty…”

Understanding “Understanding Brute Force”

Paul Crowley wrote “D J Bernstein's draft paper Understanding Brute Force argues that the way we currently measure the cost of cryptanalytic attacks is highly misleading. The paper is a good example of Bernstein's unconventional style, and mixes quite informal writing with very formal and precise descriptions of cryptanalytic methods and costs. Though his conclusions are correct, I think he hasn't quite put his finger on how people have come to be misled in the past, so I shall have a go here at arguing what I think is the same point in different words.”

Trivium

Paul Crowley wrote “Of the many new ciphers proposed as part of the ECRYPT Stream Cipher Project, one of the most interesting is Christophe De Cannière and Bart Preneel’s TRIVIUM. TRIVIUM is designed to be very simple, admit a very low gate count implementation in hardware, and be reasonably efficient in both hardware and software, parallelizing in a…”