By cs:ŠJů (Own work) [CC-BY-SA-3.0 (], via Wikimedia Commons

A crypto standards manifesto

Paul Crowley wrote “Our very best examples of crypto standards in commonplace use are so poor it's no wonder that developers end up hand-rolling their own broken alternatives. It's time we offered them something better.”


Paul Crowley wrote “In which our heroes make P2P applications several times more efficient using the mathematics of finite fields and some careful thought on what is efficient on today's processors”

Making the client do all the work

Paul Crowley wrote “This paper proposes to reduce the workload of SSL servers by making the clients carry as much of the crypto-related load as possible. I think it’s possible to do even better. Key agreement: In the above, the server only has to do an RSA public key operation, which is cheap if the exponent is low…”

A trust metric enabled Wikipedia?

Paul Crowley wrote “Wikipedia has been described as "the encyclopaedia that works in practice but not in theory". In theory, an encyclopaedia that anyone can edit should suffer from out-of-control trolling and vandalism, and collapse under its own weight in an instant. In practice, that hasn't happened; vandals attack Wikipedia daily, but it still does very well as a useful source of information, especially if you bear in mind that its primary competition is not Britannica or other paid-for sources, but the rest of the Internet. Nonetheless, a recent controversy over malicious insertion of false information into Wikipedia had some concluding that the very process by which Wikipedia has "incurable flaws".”

Looking for needles in haystacks

Paul Crowley wrote “Here's a proper programming challenge, simple to state, and in the end quite challenging to solve. A function produces a 64-bit output given a 64-bit input. It mostly behaves like a random function, so given a random input, most outputs occur with probability between 0 and 2-63; in other words, for a randomly-chosen 64-bit y, there are usually between 0 and 2 solutions to the equation f(x) = y. However, a few occur with much greater frequency - more like 2-32 or so. The function is pretty quick and easy to calculate, but its internal structure defies direct analysis. How would you identify these more frequent occurrences by experiment? How big a computer would you need to do it in something like a few hours to a few days? Think about it for a while before you read on.”

Truncated differential cryptanalysis of five rounds of Salsa20

Paul Crowley wrote “eSTREAM have just put my paper online: Truncated differential cryptanalysis of five rounds of Salsa20 (PDF) (discussion, Wikipedia on Salsa20). This doesn’t break the whole cipher, just a seriously reduced version. Experimentation played a key role in finding this result. I found the first differential by writing a short Python program that implemented a pretty…”

Understanding “Understanding Brute Force”

Paul Crowley wrote “D J Bernstein's draft paper Understanding Brute Force argues that the way we currently measure the cost of cryptanalytic attacks is highly misleading. The paper is a good example of Bernstein's unconventional style, and mixes quite informal writing with very formal and precise descriptions of cryptanalytic methods and costs. Though his conclusions are correct, I think he hasn't quite put his finger on how people have come to be misled in the past, so I shall have a go here at arguing what I think is the same point in different words. ”


Paul Crowley wrote “Of the many new ciphers proposed as part of the ECRYPT Stream Cipher Project, one of the most interesting is Christophe De Cannière and Bart Preneel’s TRIVIUM. TRIVIUM is designed to be very simple, admit a very low gate count implementation in hardware, and be reasonably efficient in both hardware and software, parallelizing in a…”