SoylentNews

upstart [soylentnews.org] writes:

████ # This file was generated bot-o-matically! Edit at your own risk. ████

Signal adds quantum-resistant encryption to its E2EE messaging protocol [bleepingcomputer.com]:

Signal adds quantum-resistant encryption to its E2EE messaging protocol

Signal has announced that it upgraded its end-to-end communication protocol to use quantum-resistant encryption keys to protect users from future attacks.

Quantum computers that use qubits (superpositions of 0 and 1) have the potential to be much more powerful and faster than current systems, allowing them to perform computations that would typically take years in a short time.

While Quantum computers are not a threat yet, large tech firms [bleepingcomputer.com] and other stakeholders [bleepingcomputer.com] are already preparing for their game-changing advent.

One of the threats this emerging technology poses is to weaken current encryption schemes, allowing protected data to be decrypted quickly and gaining access to encrypted secrets.

Predictions on when powerful enough quantum computers might emerge vary from 5 years to never. Nonetheless, we already face the risk of "harvest now, decrypt later [wikipedia.org]," making the adoption of quantum-resistant algorithms important.

Quantum-resistant E2EE

For communication apps, like Signal, that use end-to-end encryption to protect communication between two parties, the concern is that encrypted communications can be intercepted and deciphered to expose the contents of the communication.

Signal explains that its "X3DH [signal.org]" (Extended Triple Diffie-Hellman) key agreement protocol has been upgraded to "PQXDH [signal.org]" (Post-Quantum Extended Diffie-Hellman), which incorporates quantum-resistant secret key generation mechanisms for Signal's end-to-end encryption (E2EE) specification.

Specifically, PQXDH uses both X3DH's elliptic curve key agreement protocol and a post-quantum key encapsulation mechanism called CRYSTALS-Kyber.

CRYSTALS-Kyber is a NIST-approved [nist.gov] quantum-resistant cryptographic algorithm suitable for general encryption and speedy operations that require a quick exchange of small encryption keys.

"We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe, we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem," explains Signal [signal.org].

"Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people's communications."

Signal emphasizes that the transition to PQXDH is just the initial move toward achieving quantum-resistant E2EE.

Over the coming years, further upgrades and adaptations will be rolled out to fill data security gaps or address emerging challenges from ongoing research.

safe-from-the-ai-boogeyman dept.

D. J. Bernstein / Talks [cr.yp.to]:

D. J. Bernstein / TalksD. J. Bernstein [soylentnews.org]Talks

Reverse chronological order. Some statistics:

• 517 lectures. 517 done. 461 with slides online here. 25 with audio online here. 23 with video online here.
• 367 invited lectures (74 for students at conferences, 198 for researchers at conferences, 85 seminars/colloquia/etc.); 67 refereed lectures; 83 contributed lectures; 0 uncategorized.
• 359 invited lectures of known length, totalling 19563 minutes, averaging 54.5 minutes.
• 147 other lectures of known length, totalling 3087 minutes, averaging 21.0 minutes.
• Lecture locations, by country: 12 Australia. 6 Austria. 19 Belgium. 11 Brazil. 1 Bulgaria. 32 Canada. 2 China. 4 Colombia. 3 Croatia. 3 Cuba. 1 Czech Republic. 13 Denmark. 13 England. 18 France. 61 Germany. 9 Greece. 15 India. 4 Ireland. 6 Israel. 1 Italy. 7 Japan. 6 Luxembourg. 1 Malaysia. 3 Mexico. 1 Morocco. 53 Netherlands. 1 Norway. 21 online. 5 Poland. 2 Russia. 2 Senegal. 2 Singapore. 1 South Africa. 8 South Korea. 9 Spain. 9 Switzerland. 23 Taiwan. 3 Turkey. 120 USA. 6 Vietnam.

• 2023.07.11 09:2020 mininvited lectureNetherlandsresearchers[horizontal PDF slides] [soylentnews.org] Machine-Checked Mathematics. Lorentz Center, Universiteit Leiden. "Formal proofs in applied cryptography." 2023.06.15 15:00 DC time60 mininvited lectureonlinelocal researchers[horizontal PDF slides] [soylentnews.org] Seminar, Federal Reserve TechLab. "Post-quantum cryptography: risk assessment." 2023.02.01 11:00 Bangkok time90 mininvited lectureonlinestudents[horizontal PDF slides] [soylentnews.org] IACR School on Applied Cryptography, Chulalongkorn University, Bangkok, Thailand. "Hash-based signatures." 2022.12.29 20:00 Berlin time40 minrefereed lectureonlineresearchers[horizontal PDF slides] [soylentnews.org] FireShonks 2022. "Post-quantum cryptography: detours, delays, and disasters." Talk given jointly with Tanja Lange. 2022.12.14 15:20 Kolkata time25 minrefereed lectureonlineresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Indocrypt 2022. TCG-CREST, Kolkata, India. "A one-time single-bit fault leaks all previous NTRU-HRSS session keys to a chosen-ciphertext attack." 2022.11.10 17:00 Berlin time90 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org] Seminar, Präsidiumsarbeitskreis "Datenschutz und IT-Sicherheit" der Gesellschaft für Informatik, Germany. "NSA's influence on cryptographic standards." 2022.08.25 09:40 Tampa time40 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org] USF-QSancus Workshop on Post-Quantum Cryptography. USF Research Foundation, Tampa, Florida, USA. "Introduction to post-quantum cryptography." Talk given jointly with Tanja Lange. 2022.08.20 10:10 Taipei time45 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org] HITCON 2022: Hacks in Taiwan Conference 2022. Nangang Exhibition Center, Taipei, Taiwan. "Post-quantum cryptography: detours, delays, and disasters." Talk given jointly with Tanja Lange. 2022.08.12 15:00 Bristol time30 minrefereed lectureonlineresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Algorithmic Number Theory Symposium (ANTS) XV. University of Bristol, England. "Fast norm computation in smooth-degree Abelian number fields." 2022.07.12 13:30 Taiwan time75 mininvited lectureonlinestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Post-Quantum Crypto Minischool. Academia Sinica, Taiwan. "Lattice-based cryptography, part 2: efficiency." 2022.07.12 10:45 Taiwan time75 mininvited lectureonlinestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Post-Quantum Crypto Minischool. Academia Sinica, Taiwan. "Lattice-based cryptography, part 1: simplicity." 2022.04.01 15:3060 mininvited lectureTaiwanlocal students[horizontal PDF slides] [soylentnews.org] Class talk, National Taiwan University. "Hash-based signatures I: hash functions and one-time signatures." 2022.04.01 13:00120 mininvited lectureTaiwanlocal students[horizontal PDF slides] [soylentnews.org] EECS International Distinguished Lecture Series, National Taiwan University. "The transition to post-quantum cryptography." Talk given jointly with Tanja Lange. 2022.01.14 14:3525 mininvited lectureTaiwanresearchers[PDF slides] [soylentnews.org] Post-Quantum Cryptography Forum. National Taipei University of Technology. "U.S. activities in post-quantum cryptography." 2022.01.14 10:5040 mininvited lectureTaiwanresearchers[PDF slides] [soylentnews.org] Post-Quantum Cryptography Forum. National Taipei University of Technology. "Lattice KEMs, the round-3 candidates: NTRU, NTRU Prime, SABER, Kyber, Frodo." 2021.12.12 14:30 Jaipur time150 mininvited lectureonlinestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Tutorial session; INDOCRYPT 2021. "Quantum cryptanalysis." 2021.11.26 14:5545 mininvited lectureTaiwanresearchers[horizontal PDF slides] [soylentnews.org] HITCON 2021: Hacks in Taiwan Conference 2021. Academia Sinica, Taipei. "Fast verified post-quantum software." 2021.09.03 11:00 Eastern time30 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org] ICMC 2021: International Cryptographic Module Conference. "Fast verified post-quantum software." Abstract:

  Cryptographic performance pressure produces many different cryptographic specifications, and a much larger number of pieces of software trying to make those cryptographic functions run quickly in various environments. The pre-quantum software ecosystem is already large and complicated but the post-quantum software ecosystem is rapidly shaping up to be much more complicated. We’ve already seen the post-quantum optimization process producing disastrous mistakes that weren’t caught by tests, and at this point we have only a limited understanding of what further mistakes to expect.

  Fortunately, there are tools to verify that optimizations work for all possible inputs, and there are some cases where these tools have been successfully applied to post-quantum software. This talk will look at what these tools mean for the post-quantum software engineer.

  2021.08.20 13:20 Eastern time60 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to][video at a European ISP] [surfdrive.surf.nl] Plenary talk. SIAM Conference on Applied Algebraic Geometry 2021. "S-unit attacks." Abstract:

  Within post-quantum cryptography, lattice-based cryptography has attracted attention for its efficiency. Typical proposals for lattice-based encryption systems fit public keys and ciphertexts into only about 1KB, and take very little CPU time. This efficiency relies on using systems built from algebraic number fields. The most common choices are cyclotomic number fields, such as the smallest field containing the complex number ζ=exp(πi/512), a 512th root of −1.

  Lattice-based cryptosystems are frequently claimed to have proofs of security assuming the "worst-case" hardness of certain lattice problems. For a cyclotomic lattice system, the problem is to find a short nonzero element of I, given a nonzero ideal I of the smallest ring containing ζ. The conjecture that this problem is hard is frequently claimed to be well studied. However, the problem has in fact suffered dramatic security losses.

  This talk will introduce the audience to recent advances in algorithms to solve this problem, with an emphasis on techniques to exploit multiplicative structure in general, automorphisms in the Galois case, extra subfields when they exist, and additional features of cyclotomic fields. The audience is not assumed to be familiar with algebraic number theory.

  2021.06.09 10:50 D.C. time15 minrefereed lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Third PQC Standardization Conference. "Fast verified post-quantum software, part 1: RAM subroutines." [white paper [soylentnews.org]] 2021.06.08 15:25 D.C. time15 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Third PQC Standardization Conference. "NTRU Prime: round-3 updates." 2021.05.14 14:2075 mininvited lectureTaiwanlocal students[horizontal PDF slides] [soylentnews.org] Class talk, National Taiwan University. "Hash-based signatures I: hash functions and one-time signatures." 2021.01.15 11:00 D.C. time60 mininvited lectureonlinelocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] NIST 3rd Round Seminar Series. "Valuations and S-units." Abstract:

  This talk reviews a standard infinite-dimensional number-theoretic lattice that simultaneously shows how large numbers are and how they factor. The ability to decode this lattice in some surprisingly large cases plays a critical role in a new wave of attacks against ideal-lattice problems. This talk will focus on defining the lattice, with many examples to illustrate.

  This is an introductory talk aimed at a broad audience. Prerequisites: mathematics education up to and including a course in undergraduate abstract algebra (commutative rings and fields).

  2020.10.07 14:00 EDT5 minrefereed lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Virtual Workshop on Considerations in Migrating to Post-Quantum Cryptographic Algorithms. "OpenSSLNTRU: experiences integrating a post-quantum KEM into TLS 1.3 via an OpenSSL ENGINE." 2020.10.07 16:00 Taipei time30 mincontributed lectureonlineresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Post-Quantum Cryptography for Embedded Systems. "Constant-time square-and-multiply." 2020.10.04 03:00 Taipei time90 mininvited lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] Post-Quantum Cryptography for Embedded Systems. "Does cryptographic software work correctly?" 2020.09.12 16:2050 mininvited lectureTaiwanresearchers[horizontal PDF slides] [soylentnews.org] HITCON 2020: Hacks in Taiwan Conference 2020. Academia Sinica, Taipei. "Post-quantum cryptography." Talk given jointly with Tanja Lange. 2020.08.13 12:30 PDT15 minrefereed lectureonlineresearchers[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to] USENIX Security Symposium 2020. "McTiny: fast high-confidence post-quantum key erasure for tiny network servers." Talk given jointly with Tanja Lange. 2020.07.21 16:1055 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 2: efficiency." Part 2. 2020.07.21 13:5560 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 2: efficiency." Part 1. 2020.07.20 16:1055 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 1: simplicity." Part 2. 2020.07.20 13:5560 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 1: simplicity." Part 1. 2020.07.06 03:0555 mininvited lectureonlineresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Workshop on the Mathematics of Post-Quantum Crypto. "Exploring the parameter space in lattice attacks." Talk given jointly with Tanja Lange. 2020.02.19 14:4545 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Lattices: Geometry, Algorithms and Hardness. Simons Institute for the Theory of Computing. "Challenges in evaluating costs of known lattice attacks." Talk given jointly with Tanja Lange. 2020.02.06 16:3060 mininvited lectureGermanylocal researchers[horizontal PDF slides] [soylentnews.org] Security Network Munich, Talking Heads. Giesecke + Devrient. "Crypto horror stories." Talk given jointly with Tanja Lange. 2020.01.30 09:3060 mininvited lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] The Quantum Wave in Computing Boot Camp. Simons Institute for the Theory of Computing. "Post-quantum cryptography." 2020.01.20 17:3030 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Symmetric cryptography. Schloss Dagstuhl. "Speed, speed, speed." 2019.12.29 17:3060 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] 36C3: 36th Chaos Communication Congress. Congress Center Leipzig. "High-assurance crypto software." Talk given jointly with Tanja Lange. 2019.11.27 13:0060 mininvited lectureGermanylocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CASA Distinguished Lecture, Ruhr-University Bochum. "Sorting integer arrays: security, speed, and verification." Abstract:

  This talk will explain (1) the security concept of "constant-time" software; (2) how to build constant-time software to sort arrays of integers; (3) how to make constant-time sorting software run so quickly that it beats Intel's "Integrated Performance Primitives" library; and (4) how to automatically verify that the resulting software works correctly for all possible inputs.

  2019.10.15 11:1530 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Quantum Cryptanalysis. Schloss Dagstuhl. "Challenges in evaluating costs of known lattice attacks." 2019.10.03 10:45105 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "Symmetric crypto, part 2." 2019.10.01 14:3045 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "Introduction to symmetric crypto." 2019.09.23 14:0015 mincontributed lectureNetherlandsresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] SHARD: Bridging the Gap Between Software and Hardware Security. Lorentz Center, Leiden University. "Is branch prediction important for performance?" 2019.08.24 14:0015 mininvited lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] Second PQC Standardization Conference. University of California at Santa Barbara. "NTRU Prime: round 2." 2019.08.23 14:4520 minrefereed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Second PQC Standardization Conference. University of California at Santa Barbara. "Comparing proofs of security for lattice-based encryption." 2019.08.23 11:3520 minrefereed lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] Second PQC Standardization Conference. University of California at Santa Barbara. "Visualizing size-security tradeoffs for lattice-based encryption." 2019.07.15 09:1560 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] MWCC 2019: Munich Workshop on Coding and Cryptography. Technical University of Munich. "McTiny: McEliece for tiny network servers." Talk given jointly with Tanja Lange. 2019.07.10 11:0025 mininvited lectureSwitzerlandresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Minisymposium on Isogenies in Cryptography. SIAM Conference on Applied Algebraic Geometry 2019. University of Bern. "Quantum attacks against isogenies." 2019.07.01 14:0045 mininvited lectureNetherlandsstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Executive School on Post-Quantum Cryptography 2019. Technische Universiteit Eindhoven. "Quantum algorithms II." 2019.07.01 11:4545 mininvited lectureNetherlandsstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Executive School on Post-Quantum Cryptography 2019. Technische Universiteit Eindhoven. "Quantum algorithms I." 2019.06.14 09:0090 mininvited lectureColombiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Cryptographic software engineering, part 2." 2019.06.13 15:3090 mininvited lectureColombiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Cryptographic software engineering, part 1." 2019.06.11 11:0090 mininvited lectureColombiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "What do quantum computers do?" 2019.06.10 11:0090 mininvited lectureColombiastudents[horizontal PDF slides] [soylentnews.org] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Post-quantum cryptography." Keynote talk given jointly with Tanja Lange. 2019.05.21 14:4025 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] Eurocrypt 2019. Darmstadtium, Darmstadt. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies." 2019.05.18 09:0060 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CBC 2019: 7th Code-Based Cryptography Workshop. Technische Universität Darmstadt. "McTiny: McEliece for tiny network servers." 2019.05.16 10:1530 mininvited lectureCanadaresearchers[horizontal PDF slides] [soylentnews.org] ICMC 2019: International Cryptographic Module Conference. JW Marriott Parq Vancouver. "Does open-source cryptographic software work correctly?" 2019.02.22 17:0060 mininvited lectureEnglandpublic[horizontal PDF slides] [soylentnews.org] King's College Alan Turing Lecture. University of Cambridge. "Post-quantum cryptography." 2019.02.05 10:0060 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Workshop on quantum algorithms for analysis of public-key crypto. American Institute of Mathematics, San Jose. "Quantum walks." 2018.12.28 23:3060 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org][video] [cr.yp.to] 35C3: 35th Chaos Communication Congress. Congress Center Leipzig. "The year in post-quantum crypto." Talk given jointly with Tanja Lange. 2018.12.14 11:0090 mininvited lectureAustraliapublic[horizontal PDF slides] [soylentnews.org] Seminar, Optus Macquarie University Cyber Security Hub. "Quantum computers: the future attack that breaks today's messages." Talk given jointly with Tanja Lange. 2018.12.04 21:005 mincontributed lectureAustraliaresearchers Asiacrypt 2018. Queensland University of Technology, Brisbane. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies." 2018.11.20 19:323 mincontributed lectureJapanresearchers[horizontal PDF slides] [soylentnews.org] ECC 2018: Elliptic-Curve Cryptography. Osaka. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies." 2018.11.16 13:30120 mininvited lectureSouth Koreastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Future Crypto Workshop 2018. Seoul National University. "Lattice-based public-key cryptosystems." 2018.11.15 14:0090 mininvited lectureSouth Korearesearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Future Crypto Workshop 2018. Ramada Hotel Seoul. "Can cryptographic software be fixed?" 2018.09.27 17:0060 mininvited lectureGreecestudents[horizontal PDF slides] [soylentnews.org] NIS Summer School 2018. Galaxy Hotel, Heraklion. "The libpqcrypto software library for post-quantum cryptography." 2018.09.26 15:3045 mininvited lectureGreecestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] NIS Summer School 2018. Galaxy Hotel, Heraklion. "What do quantum computers do?" 2018.09.18 13:30105 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "Examples of symmetric primitives." 2018.08.18 16:0060 mininvited lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] WAC: Workshop on Attacks in Cryptography. University of California at Santa Barbara. "Cryptanalysis of NISTPQC submissions." Talk given jointly with Tanja Lange and Lorenz Panny. 2018.08.14 15:3075 mininvited lectureCanadastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] S3 2018: SAC Summer School. University of Calgary. "Cryptographic software engineering, part 2." 2018.08.14 13:4575 mininvited lectureCanadastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] S3 2018: SAC Summer School. University of Calgary. "Cryptographic software engineering, part 1." 2018.07.19 17:155 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ANTS 2018. University of Wisconsin at Madison. "Generating random primes faster." 2018.07.11 14:0060 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Colloquium, Informatics Institute, University of Amsterdam. "Sorting integer arrays: security, speed, and verification." Abstract:

  This talk will explain (1) the security concept of "constant-time" software; (2) how to build constant-time software to sort arrays of integers; (3) how to make constant-time sorting software run so quickly that it beats Intel's "Integrated Performance Primitives" library; and (4) how to automatically verify that the resulting software works correctly for all possible inputs.

  2018.06.29 16:4545 mininvited lectureTaiwanresearchers[horizontal PDF slides] [soylentnews.org] Post-Quantum Cryptography Forum Workshop. Institute for Information Science, Academia Sinica, Taipei. "NTRU Prime." Talk given jointly with Tanja Lange. 2018.06.27 16:4065 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Institute for Information Science, Academia Sinica, Taipei. "Lattice-based public-key cryptosystems, part 2." 2018.06.27 13:5575 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO Mini-School. Institute for Information Science, Academia Sinica, Taipei. "Lattice-based public-key cryptosystems, part 1." 2018.06.21 10:0060 mininvited lectureFranceresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CAEN 2018: Cryptographie et théorie AlgorithmiquE des Nombres. Université de Caen Normandie. "Algorithms for multiquadratic number fields." 2018.05.09 14:1530 mininvited lectureCanadaresearchers[horizontal PDF slides] [soylentnews.org] ICMC 2018: International Cryptographic Module Conference. Shaw Centre, Ottawa. "The libpqcrypto software library for post-quantum cryptography." 2018.05.013 mincontributed lectureIsraelresearchers[horizontal PDF slides] [soylentnews.org] Eurocrypt 2018. Hotel Dan Panorama, Tel Aviv. "libpqcrypto." 2018.04.29 15:5050 mininvited lectureIsraelresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Lightweight Crypto Day. Hotel Dan Panorama, Tel Aviv. "Small cryptographic bytecode." 2018.04.11 15:0515 mincontributed lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] First PQC Standardization Conference. Pier 66 Hotel, Fort Lauderdale. "Post-quantum RSA." 2018.04.11 10:5525 minrefereed lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] PQCrypto 2018. Pier 66 Hotel, Fort Lauderdale. "Asymptotically faster quantum algorithms to solve multivariate quadratic equations." 2018.04.10 17:153 mincontributed lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] PQCrypto 2018. Pier 66 Hotel, Fort Lauderdale. "libpqcrypto." 2018.03.05 20:307 mincontributed lectureBelgiumresearchers[horizontal PDF slides] [soylentnews.org] FSE 2018. Oud Sint-Jan, Bruges. "Announcement of the CAESAR finalists." 2018.02.01 15:4545 mininvited lectureSpainresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Combined event on post-quantum cryptography. Hotel Jardin Tropical, Costa Adeje, Tenerife. "Classic McEliece: conservative code-based cryptography." 2018.01.12 11:3525 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "Better proofs for rekeying." 2017.12.28 22:1560 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] 34C3: 34th Chaos Communication Congress. Congress Center Leipzig. "LatticeHacks: Fun with lattices in cryptography and cryptanalysis." Talk given jointly with Nadia Heninger and Tanja Lange. 2017.11.23 13:45105 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "The DNS security mess." 2017.10.11 11:3090 mininvited lectureGreecestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ECRYPT-NET School on Correct and Secure Implementation. Porto Platanias, Chaniá, Crete. "Cryptographic software engineering, part 2." 2017.10.09 14:0090 mininvited lectureGreecestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ECRYPT-NET School on Correct and Secure Implementation. Porto Platanias, Chaniá, Crete. "Cryptographic software engineering, part 1." 2017.10.03 09:0050 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Quantum Cryptanalysis. Schloss Dagstuhl. "Challenges in quantum algorithms for integer factorization." 2017.09.20 19:003 mincontributed lectureCubaresearchers[horizontal PDF slides] [soylentnews.org] Latincrypt 2017. Universidad de la Habana. "Quantum computing: a new record." 2017.09.19 14:0090 mincontributed lectureCubastudents ASCrypto 2017: Fourth Advanced School on Cryptology and Information Security in Latin America. Universidad de la Habana. "Internet integration: the DNS security mess, part 2." 2017.09.18 09:0090 mincontributed lectureCubastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ASCrypto 2017: Fourth Advanced School on Cryptology and Information Security in Latin America. Universidad de la Habana. "Internet integration: the DNS security mess, part 1." Slides are for both part 1 and part 2. 2017.08.15 11:0075 mininvited lectureCanadastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] S3 2017: SAC Summer School. University of Ottawa. "Public-key cryptography, part II: factorization." 2017.07.31 15:0025 mininvited lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] Minisymposium on Applications of Computational Algebraic Geometry to Cryptology. SIAM Conference on Applied Algebraic Geometry 2017. Georgia Institute of Technology, Atlanta. "Short generators without quantum computers: the case of multiquadratics." 2017.07.20 16:3015 mininvited lectureUSApublic[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Panelist at Open Meeting of the Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing of the National Academies of Sciences, Engineering, and Medicine. Stanford University. "Cryptographic readiness levels, and the impact of quantum computers." 2017.07.11 15:3050 mininvited lectureSpainresearchers[horizontal PDF slides] [soylentnews.org] FoCM 2017: Foundations of Computational Mathematics. Universitat de Barcelona. "Short generators without quantum computers: the case of multiquadratics." 2017.06.27 15:1525 minrefereed lectureNetherlandsresearchers[horizontal PDF slides] [soylentnews.org] PQCrypto 2017: Eighth International Conference on Post-Quantum Cryptography. Domstad, Utrecht. "Post-quantum RSA." 2017.06.23 15:0590 mininvited lectureNetherlandspublic[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Executive School on Post-Quantum Cryptography 2017. Technische Universiteit Eindhoven. "Quantum algorithms." 2017.06.22 13:3030 mininvited lectureNetherlandsstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer School on Post-Quantum Cryptography 2017. Technische Universiteit Eindhoven. "Lattice-based cryptography: Episode V: the ring strikes back." 2017.06.07 09:3050 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Workshop on Hardware Benchmarking 2017. Beckmann's Hof, Ruhr University Bochum. "How cryptographic benchmarking goes wrong." 2017.05.29 12:1545 mininvited lectureNetherlandspublic[horizontal PDF slides] [soylentnews.org] Security in Times of Surveillance. Eindhoven Institute for Protection of Systems and Information. "Thomas Jefferson and Apple versus the FBI." 2017.05.19 13:4040 mininvited lectureUSApublic[horizontal PDF slides] [soylentnews.org] International Cryptographic Module Conference 2017. Westin Arlington Gateway, Washington, DC. "Thomas Jefferson and Apple versus the FBI." 2017.05.02 22:073 mincontributed lectureFranceresearchers[horizontal PDF slides] [soylentnews.org] Eurocrypt 2017. Maison de la Mutualité, Paris. "Countering quantum FUD." 2017.03.07 16:573 mincontributed lectureJapanresearchers[horizontal PDF slides] [soylentnews.org] FSE 2017: 24th International Conference on Fast Software Encryption. Tokyo International Forum. "Challenges in Authenticated Encryption." 2016.12.16 14:0045 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Cryptography Working Group. Kargadoor, Utrecht. "Standardization for the black hat." 2016.12.08 13:45105 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "The DNS security mess." 2016.12.02 14:0060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 6." 2016.12.01 15:3060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 5." 2016.11.30 15:3060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 4." 2016.11.30 14:0060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 3." 2016.11.29 15:3060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 2." 2016.11.28 15:3060 mininvited lectureVietnamstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 1." 2016.11.16 14:0045 mininvited lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] Escar Europe 2016: Embedded Security in Cars. München Marriott Hotel. "Long-term security for cars." Talk given jointly with Tanja Lange. 2016.11.15 14:0060 mininvited lectureGermanylocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Colloquium, CYSEC, Technische Universität Darmstadt. "Usable verification of fast cryptographic software." Abstract:

  The pursuit of performance has produced a tremendous volume of critical cryptographic software. Many different cryptographic algorithms are in widespread use, with many more implementations tuned for speed on different platforms.

  A tiny bug anywhere in this code base can have disastrous consequences for security. For example, Brumley, Barbosa, Page, and Vercauteren exploited a miniscule carry bug in the commonly used OpenSSL cryptographic library to steal an SSL server's entire private key, allowing easy interception and forgery of user data.

  Standard software-testing techniques catch many bugs but did not catch further OpenSSL carry bugs announced in January 2015 and December 2015. Expert audits caught these bugs but certainly have not caught all bugs: auditing is far too time-consuming to scale to the entire cryptographic code base, never mind the question of whether the auditing is reliable.

  This talk will present a successful example of a new strategy to integrate highly automated proofs of correctness into real-world cryptographic software engineering. This is joint work with Peter Schwabe.

  2016.11.02 13:3060 mininvited lectureNetherlandsresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] HighLight: High-Security Lightweight Cryptography. Lorentz Center, Leiden. "Engineering cryptographic software." 2016.10.19 15:3060 mininvited lectureNetherlandsresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] SPEED-B: Software performance enhancement for encryption and decryption, and benchmarking. BCN Utrecht. "Benchmarking benchmarking, and optimizing optimization." 2016.08.18 21:123 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CHES 2016: Cryptographic Hardware and Embedded Systems. "The inverse Faraday challenge." 2016.07.19 14:0060 mininvited lectureNorwayresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ArcticCrypt 2016. Radisson Blu Hotel Spitsbergen. "NTRU Prime." 2016.06.28 13:3030 mincontributed lectureNetherlandsresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCRYPTO mini-workshop. Vergaderruimte Utrecht. "The post-quantum Internet." 2016.06.23 10:1545 mininvited lectureNetherlandsresearchers[horizontal PDF slides] [soylentnews.org] Black Hat Sessions Part XIV. Hotel en Congrescentrum De Reehorst, Ede. "Crypto horror stories." Keynote lecture. 2016.06.10 11:3060 mininvited lectureCroatiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "The DNS security mess." 2016.05.08 13:1525 mininvited lectureAustriaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org][video] [cr.yp.to][video at youtube.com] [youtube.com] A Workshop About Cryptographic Standards. Aula der Wissenschaften, Vienna. "Standardization for the black hat." 2016.04.16 20:0060 mininvited lectureDenmarkpublic[horizontal PDF slides] [soylentnews.org][video] [cr.yp.to][video on youtube.com] [youtube.com] Science and Cocktails. Byens Lys, Christiania. "You thought your communication was secure? Quantum computers are coming!" Talk given jointly with Tanja Lange. 2016.03.09 12:0060 mininvited lectureTaiwanresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] PKC 2016: 19th International Conference on Practice and Theory in Public-Key Cryptography. "The first 10 years of Curve25519." 2016.02.24 11:3060 mininvited lectureJapanresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] PQCrypto 2016. "The post-quantum Internet." 2016.02.18 16:1515 mininvited lectureNetherlandslocal students[horizontal PDF slides] [soylentnews.org] Department Dialogue, Technische Universiteit Eindhoven. "Next-generation elliptic-curve cryptography (ECC)." 2016.01.15 11:0030 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "Some challenges in heavyweight cipher design." 2015.12.27 23:0060 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] 32C3: 32nd Chaos Communication Congress. Congress Center Hamburg. "PQCHacks: a gentle introduction to post-quantum cryptography." Talk given jointly with Tanja Lange. Abstract:

  Last year your friend Karen joined the alternative music scene and sent you a sound track. The government is recording everything, and this year announced that alternative music is a gateway drug to terrorism (see www.theguardian.com/australia-news/2015/sep/25/radicalisation-kit-links-activism-and-alternative-music-scene-to-extremism [theguardian.com]). Fortunately, Karen encrypted the email.

  Fast forward to 2035. Stasi 2.0 has risen to power, and has decided that, to protect society, anyone who has ever been exposed to alternative music will be sent to a "better place". They still have a copy of Karen's ciphertext. And here's the really bad news: they've just finished building a billion-qubit quantum computer.

  Back in 2015, large general-purpose quantum computers haven't been built yet, but the consensus is that they will be built, and that they will allow well-funded attackers to retroactively break practically all of today's deployed public-key cryptography. RSA will be dead. ECC will be dead. DSA will be dead. "Perfect forward secrecy", despite its name, won't help.

  Fortunately, there are replacement public-key cryptosystems that have held up very well against analysis of possible attacks, including future quantum attacks. This talk will take a hands-on look at the two examples with the longest track records: namely, hash-based signatures (Merkle trees) and code-based encryption (McEliece).

  2015.12.17 13:45105 mininvited lectureNetherlandslocal students[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "The DNS security mess." 2015.12.15 17:3020 mincontributed lectureJapanresearchers[horizontal PDF slides] [soylentnews.org] SSR 2015: Security Standardisation Research. Internet Initiative Japan, Tokyo. "Failures in NIST's ECC standards." Talk given jointly with Tanja Lange. 2015.12.15 15:1530 minrefereed lectureJapanresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] SSR 2015: Security Standardisation Research. Internet Initiative Japan, Tokyo. "How to manipulate curve standards: a white paper for the black hat." Talk given jointly with Tanja Lange. 2015.10.05 09:3060 mininvited lectureIndiaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] SPACE 2015. Malaviya National Institute of Technology, Jaipur. "Boring crypto." 2015.09.08 10:1530 mininvited lectureGermanyresearchers Quantum Cryptanalysis. Schloss Dagstuhl. "Trapdoor simulation of quantum algorithms." 2015.08.25 16:3030 minrefereed lectureMexicoresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] LatinCrypt 2015. Hotel De Mendoza, Guadalajara. "Twisted Hessian curves." 2015.08.06 11:0025 mininvited lectureSouth Korearesearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Minisymposium on Coding Theory and Cryptography. SIAM Conference on Applied Algebraic Geometry 2015. National Institute for Mathematical Sciences, Daejeon. "Computational algebraic number theory tackles lattice-based cryptography." 2015.07.22 14:1530 mininvited lectureCzech Republicresearchers[PDF slides] [soylentnews.org] Crypto Forum Research Group, IETF 93. Hilton Prague. "EdDSA for more curves." 2015.07.09 17:4040 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Hyper-and-elliptic-curve cryptography." 2015.06.11 15:1020 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Workshop on ECC Standards. National Institute of Standards and Technology, Gaithersburg. "Simplicity." 2015.06.05 14:3060 mininvited lectureCroatiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "Advanced code-based cryptography." 2015.06.02 16:0090 mininvited lectureCroatiastudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "Introduction to quantum algorithms and introduction to code-based cryptography." 2015.05.08 15:3030 mininvited lectureNetherlandspublic[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Security in Times of Surveillance. Eindhoven Institute for the Protection of Systems and Information. "How to manipulate standards." 2015.04.26 09:3040 mininvited lectureBulgariaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CryptoAction WG4 Meeting on Authenticated Encryption. Sofia Hotel Balkan. "Goals of authenticated encryption." 2015.04.22 09:0045 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Mathematics of Lattices and Cybersecurity. Institute for Computational and Experimental Research in Mathematics, Brown University. "Computational algebraic number theory tackles lattice-based cryptography." 2015.04.16 16:3090 mininvited lectureEnglandresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] ETAPS 2015: European Joint Conferences on Theory and Practice of Software. Queen Mary University of London. "The death of optimizing compilers." 2015.04.03 16:4020 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Workshop on Cybersecurity in a Post-Quantum World. National Institute of Standards and Technology, Gaithersburg. "Trapdoor simulation of quantum algorithms." 2015.04.02 16:0020 mincontributed lectureUSAresearchers[horizontal PDF slides] [soylentnews.org] Workshop on Cybersecurity in a Post-Quantum World. National Institute of Standards and Technology, Gaithersburg. "SPHINCS: practical stateless hash-based signatures." 2015.02.27 10:4545 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Cryptography Working Group. Kargadoor, Utrecht. "Batch NFS." Talk given jointly with Tanja Lange. 2015.02.11 09:4530 mininvited lectureGermanypublic[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] MAPPING WP5 Round Table on Privacy, Personality and Business Models. Institut für Rechtsinformatik, Gottfried Wilhelm Leibniz Universität Hannover. "Crypto and the United States Constitution." 2015.01.17 15:0050 minrefereed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ShmooCon 2015. Washington Hilton. "NaCl: a new crypto library." Talk given jointly with Tanja Lange. 2015.01.12 11:0060 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] DIMACS Workshop on The Mathematics of Post-Quantum Cryptography. "Introduction to quantum algorithms." 2015.01.07 11:1530 mininvited lectureEnglandresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Real World Cryptography Workshop 2015. "Error-prone cryptographic designs." 2014.12.27 21:4560 minrefereed lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] 31C3: 31st Chaos Communication Congress. Congress Center Hamburg. "ECCHacks: a gentle introduction to elliptic-curve cryptography." Talk given jointly with Tanja Lange. 2014.12.02 11:0090 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Guest Hacker Program, KPN. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange. 2014.11.19 12:0015 mininvited lectureBelgiumpublic[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Cyber Security in the Financial Industry. Chateau du Lac, Genval. "Crypto developments." Presentation as panel member. 2014.11.13 16:0060 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Colloquium, Mathematical Institute, Leiden University. "Hyper-and-elliptic-curve cryptography." 2014.11.03 14:1530 mininvited lectureJapanresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Post-Quantum Cryptography: Recent Results and Trends. Fukuoka SRP Center Building. "Efficient implementation of code-based cryptography." 2014.10.21 14:3030 mininvited lectureBrazillocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Seminar, Universidade Estadual de Campinas. "McBits: fast constant-time code-based cryptography." 2014.10.20 14:0060 mininvited lectureBrazillocal students Class talk, Universidade de São Paulo. "Making sure crypto stays insecure." 2014.10.18 09:1060 mininvited lectureBrazilresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] H2HC 11: Hackers To Hackers Conference. Novotel Morumbi, Sao Paulo. "Making sure crypto stays insecure." Keynote lecture. 2014.10.08 18:057 mincontributed lectureIndiaresearchers[horizontal PDF slides] [soylentnews.org] ECC 2014. Institute of Mathematical Sciences, Chennai. "BADA55, Curve41417, Kummer." 2014.09.30 14:0030 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Privacy and Security in an Age of Surveillance. Schloss Dagstuhl. "How to manipulate standards." 2014.09.25 21:334 mincontributed lectureSouth Korearesearchers[horizontal PDF slides] [soylentnews.org] CHES 2014: Cryptographic Hardware and Embedded Systems. Paradise Hotel, Busan. "EM key extraction from constant-time software on fast ARMs." Talk given jointly with Tanja Lange. 2014.09.25 21:103 mincontributed lectureSouth Korearesearchers[horizontal PDF slides] [soylentnews.org] CHES 2014: Cryptographic Hardware and Embedded Systems. Paradise Hotel, Busan. "DH speed news." 2014.08.15 11:2030 minrefereed lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] SAC 2014: Selected Areas in Cryptography. Concordia University, Montreal. "Batch NFS." Talk given jointly with Tanja Lange. 2014.08.08 12:0030 minrefereed lectureSouth Korearesearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Algorithmic Number Theory Symposium (ANTS) XI. Hyundai Hotel, Gyeongju. "Hyper-and-elliptic-curve cryptography." 2014.07.23 14:0515 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Crypto Forum Research Group, IETF 90. Fairmont Royal York Hotel, Toronto. "Curve25519, Curve41417, E-521." 2014.07.10 16:3060 mininvited lectureAustralialocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Distinguished Visitor Lecture, Institute for Future Environments, Queensland University of Technology. "Making sure software stays insecure." Abstract:

  We have to watch and listen to everything that people are doing so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent unencrypted through the Internet, or sent encrypted to a company that passes the data along to us, but we learn much more when we have comprehensive direct access to hundreds of millions of disks and screens and microphones and cameras. This talk explains how we've successfully manipulated the world's software ecosystem to ensure our continuing access to this wealth of data. This talk will not cover our efforts against encryption, and will not cover our hardware back doors.

  2014.06.03 14:3540 mininvited lectureNetherlandsresearchers[horizontal PDF slides] [soylentnews.org] International NCSC One Conference 2014. World Forum, The Hague. "Crypto news and views." Talk given jointly with Nadia Heninger and Tanja Lange. 2014.05.21 16:0090 mincontributed lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Seminar, Technische Universiteit Eindhoven. "A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve." 2014.05.16 11:3020 mininvited lectureDenmarkresearchers[horizontal PDF slides] [soylentnews.org] International State of the Art Cryptography Workshop. Hotel Scandic, Copenhagen. "Randomness generation." Talk given jointly with Tanja Lange. 2014.05.13 19:305 mincontributed lectureDenmarkresearchers[horizontal PDF slides] [soylentnews.org] Eurocrypt 2014. Hotel Scandic, Copenhagen. "Verifiably random secure curves." Talk given jointly with Tanja Lange. 2014.05.09 10:3060 mininvited lectureSwitzerlandresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] DLP2014: Theoretical and Practical Aspects of the Discrete Logarithm Problem. Monte Verità, Ascona. "Hyper-and-elliptic-curve cryptography." 2014.01.18 12:0050 minrefereed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ShmooCon 2014. Washington Hilton. "SafeCurves: choosing safe curves for elliptic-curve cryptography." Talk given jointly with Tanja Lange. 2014.01.10 11:3015 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "The impact of security proofs: two troublesome case studies." 2014.01.09 17:0030 mininvited lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "Randomness." Talk given jointly with Tanja Lange. 2013.12.29 13:0020 mininvited lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] #youbroketheinternet assembly; Operating Systems panel. Congress Center Hamburg. "(Tweet)NaCl." Talk given jointly with Tanja Lange and Peter Schwabe. 2013.12.28 18:3060 minrefereed lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org][video] [cr.yp.to] 30C3: 30th Chaos Communication Congress. Congress Center Hamburg. "The year in crypto." Talk given jointly with Nadia Heninger and Tanja Lange. 2013.12.27 15:4020 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] #youbroketheinternet assembly; Crypto Names panel. Congress Center Hamburg. "Understanding DNSCurve." 2013.12.06 09:4040 mininvited lectureIndiaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] International State of the Art Cryptography Workshop. JW Marriott Hotel Bengaluru. "Cleaning up crypto." Talk given jointly with Tanja Lange. 2013.12.05 11:1025 minrefereed lectureIndiaresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Asiacrypt 2013. JW Marriott Hotel Bengaluru. "Non-uniform cracks in the concrete: the power of free precomputation." Talk given jointly with Tanja Lange. 2013.11.29 15:0045 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Cryptography Working Group. Kargadoor, Utrecht. "Failures of secret-key cryptography." 2013.11.03 14:1530 mininvited lectureGermanyresearchers[horizontal PDF slides] [soylentnews.org] PUFFIN Workshop. Park Inn Alexanderplatz, Berlin. "Computers as undocumented physical objects." 2013.10.31 15:3045 mininvited lectureAustralialocal researchers Computational Algebra Seminar, School of Mathematics and Statistics, University of Sydney. "McBits: fast constant-time code-based cryptography." 2013.10.30 14:4545 mininvited lectureAustralialocal researchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Seminar, Department of Computing, Macquarie University. "McBits: fast constant-time code-based cryptography." 2013.09.26 11:2520 mincontributed lectureFranceresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Quantum-Safe-Crypto Workshop. ETSI, Sophia Antipolis. "Overview of post-quantum cryptography." 2013.09.16 20:077 mincontributed lectureBelgiumresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ECC 2013. Katholieke Universiteit Leuven. "Security dangers of the NIST curves." 2013.09.10 14:4545 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Quantum Cryptanalysis. Schloss Dagstuhl. "Quantum algorithms for the subset-sum problem." 2013.08.22 14:2525 minrefereed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] CHES 2013: Cryptographic Hardware and Embedded Systems. University of California at Santa Barbara. "McBits: fast constant-time code-based cryptography." 2013.08.03 11:3025 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Minisymposium on Post-Quantum Cryptography. SIAM Conference on Applied Algebraic Geometry 2013. Colorado State University. "McBits: fast constant-time code-based cryptography." 2013.08.03 10:3025 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Minisymposium on Post-Quantum Cryptography. SIAM Conference on Applied Algebraic Geometry 2013. Colorado State University. "Quantum algorithms for the subset-sum problem." 2013.07.18 17:3030 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields---the algorithm of Barbulescu, Gaudry, Joux, Thomé." 2013.07.05 11:0060 mininvited lectureEnglandresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Number Theory, Geometry and Cryptography. University of Warwick. "McBits: fast constant-time code-based cryptography." 2013.06.28 10:4560 mininvited lectureEnglandstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 4: fast multiplication and its applications." 2013.06.27 12:0060 mininvited lectureEnglandstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 3: more cryptosystems." 2013.06.26 10:4560 mininvited lectureEnglandstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 2: more elliptic-curve formulas; field arithmetic." 2013.06.24 10:4560 mininvited lectureEnglandstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 1: elliptic-curve formulas." 2013.06.19 09:4545 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] ISC 2013: International Supercomputing Conference. Distinguished Speakers session. Congress Center Leipzig. "How to use the new 65-megawatt Bluffdale supercomputer: a gentle introduction to cryptanalysis." 2013.06.12 09:3060 mininvited lectureFranceresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] Code-Based Cryptography Workshop. INRIA Rocquencourt. "McBits: fast constant-time code-based cryptography." 2013.06.07 11:355 mincontributed lectureFranceresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCrypto 2013: Fifth International Conference on Post-Quantum Cryptography. Xlim, Limoges. "Signature sizes: a call to action." 2013.06.06 15:5035 minrefereed lectureFranceresearchers[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org] PQCrypto 2013: Fifth International Conference on Post-Quantum Cryptography. Xlim, Limoges. "Quantum algorithms for the subset-sum problem." 2013.05.31 12:3030 mininvited lectureGreeceresearchers[horizontal PDF slides] [soylentnews.org] International State of the Art Cryptography Workshop. Divani Caravel, Athens. "Security dangers of the NIST curves." Talk given jointly with Tanja Lange. 2013.05.28 21:105 mincontributed lectureGreeceresearchers[PDF slides] [soylentnews.org] Eurocrypt 2013. Divani Caravel, Athens. "Cryptographic competitions." 2013.03.12 10:3560 mininvited lectureSingaporeresearchers[PDF slides] [soylentnews.org] FSE 2013: 20th International Workshop on Fast Software Encryption. Novotel Singapore Clarke Quay. "Failures of secret-key cryptography." Abstract:

  The most fundamental promise made by cryptography is that a sender and receiver, starting from nothing more than shared knowledge of a secret key, can securely exchange messages. Secret-key cryptography protects the confidentiality and integrity of the messages against any possible misbehavior by the intermediate network.

  Unfortunately, the trust that users place in secret-key cryptography has been repeatedly and flagrantly violated. This talk will survey recent and ongoing examples, analyze ways that cryptographic designers can do better, and report on the new five-year Competition for Authenticated Encryption: Security, Applicability, and Robustness (https://competitions.cr.yp.to [cr.yp.to]).

  2013.02.17 11:0060 mininvited lectureIsraellocal researchers Theory Seminar. Weizmann Institute of Science. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange. 2013.02.13 14:3060 mininvited lectureIsraellocal researchers[PDF slides] [soylentnews.org] Seminar, Computer Science Department. University of Haifa. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange. 2013.02.11 20:005 mincontributed lectureIsraelresearchers Modeling Intractability workshop. Ramon Inn, Mitzpe Ramon. "Quantum algorithms for the subset-sum problem." 2013.02.10 10:0050 mininvited lectureIsraelresearchers[PDF slides] [soylentnews.org] Modeling Intractability workshop. Ramon Inn, Mitzpe Ramon. "Modeling the security of cryptography, part 1: secret-key cryptography." 2013.02.07 12:1545 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Beveiligingsconferentie SURFcert & SURFibo. Gebouw Kroonjuweel, Hogeschool van Amsterdam. "The DNS security mess." 2013.01.23 16:305 mininvited lectureSpainresearchers[PDF slides] [soylentnews.org] Crypto for 2020. Hotel Jardin Tropical, Tenerife. "The fundamental goal of 'provable security'." Presentation as part of "On provable security" panel discussion. 2013.01.15 09:3535 mininvited lectureLuxembourgresearchers[PDF slides] [soylentnews.org] ESC 2013: Early Symmetric Crypto. Hotel Am Klouschter, Mondorf-les-Bains. "Non-uniform cracks in the concrete: the power of free precomputation." Talk given jointly with Tanja Lange. 2013.01.14 09:4040 mininvited lectureLuxembourgresearchers[PDF slides] [soylentnews.org] ESC 2013: Early Symmetric Crypto. Hotel Am Klouschter, Mondorf-les-Bains. "Feistel modes redivivus." 2013.01.07 09:1575 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] SRI International, Menlo Park. "The state of factoring algorithms and other cryptanalytic threats to RSA." Talk given jointly with Nadia Heninger and Tanja Lange. 2012.12.29 21:4560 minrefereed lectureGermanyresearchers[PDF slides] [soylentnews.org] 29C3: 29th Chaos Communication Congress. Congress Center Hamburg. "Hash-flooding DoS reloaded: attacks and defenses." Talk given jointly with Jean-Philippe Aumasson and Martin Boßlet. 2012.12.28 18:3060 minrefereed lectureGermanyresearchers[PDF slides] [soylentnews.org] 29C3: 29th Chaos Communication Congress. Congress Center Hamburg. "FactHacks: RSA factorization in the real world." Talk given jointly with Nadia Heninger and Tanja Lange. 2012.12.12 14:3025 minrefereed lectureIndiaresearchers[PDF slides] [soylentnews.org] Indocrypt 2012. Indian Statistical Institute, Kolkata. "SipHash: a fast short-input PRF." 2012.12.11 12:4025 minrefereed lectureIndiaresearchers[PDF slides] [soylentnews.org] Indocrypt 2012. Indian Statistical Institute, Kolkata. "Computing small discrete logarithms faster." Talk given jointly with Tanja Lange. 2012.11.29 14:2525 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Escar 2012: Embedded Security in Cars. Grand Hotel Esplanade Berlin. "High-speed, high-security cryptography on ARMs." Talk given jointly with Tanja Lange. Abstract:

  Secure cryptography does not need to be big and slow. This talk explains the cryptographic primitives behind the record-setting software in the NaCl library (nacl.cr.yp.to [cr.yp.to]), reports timings on a variety of CPUs, and then focuses on ARM processors, with an emphasis on the popular ARM Cortex A8 CPU core.

  2012.11.20 17:0045 mininvited lectureBelgiumresearchers[PDF slides] [soylentnews.org] CIoT: Cryptography for the Internet of Things. Hotel Radisson Blu, Antwerp. "High-speed cryptography for mobile devices." Abstract:

  Imagine the Internet of Things a few years from now: at every moment you're within radio distance of thousands of small networked devices. All of those devices will talk to, and to some extent be controlled by, your smartphone. These communications will require cryptographic protection; but can your smartphone keep up with the load? This talk will discuss the state of the art in smartphone cryptography.

  2012.11.16 14:4040 mininvited lectureTaiwanresearchers[PDF slides] [soylentnews.org] TWISC 2012: Taiwan-Germany Workshop on Information Security and Crypto and TWISC Annual Exhibition. International Conference Center, National Chung-Hsing University, Taichung. "The DNS security mess." 2012.11.05 10:3030 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Post-Quantum Cryptography and Quantum Algorithms. Lorentz Center, Leiden University. "Post-quantum cryptography." Abstract:

  I'll survey the impact that quantum algorithms have had, and might have in the future, upon the traditional waterfall from cryptographers through cryptanalysts through cryptographic algorithm designers through algorithm implementors to cryptographic users.

  2012.10.30 10:0060 mininvited lectureMexicoresearchers[PDF slides] [soylentnews.org] ECC 2012: The 16th Workshop on Elliptic Curve Cryptography. Universidad Autónoma de Querétaro. "NIST P-256 has a cube-root ECDL algorithm." Abstract:

  Don't panic. Finding the algorithm is a vastly larger computation than running the algorithm. This distinction is critical for applied cryptography but absent from the standard security definitions in the literature. I will present algorithms illustrating this gap, and will discuss strategies for fixing the definitions. This is joint work with Tanja Lange. https://eprint.iacr.org/2012/318 [iacr.org]

  " rel="url2html-744553">https://eprint.iacr.org/2012/458

2012.10.22 12:0060 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org][video] [cr.yp.to] Advanced Programming Seminar. University of Illinois at Chicago. "Data-structure lock-in." Abstract:

Why is the computer so slow? The answer, more often than not, is a poor choice of organization of data inside the computer. I'll give several real-world examples where these poor choices persist even though (1) everyone can see the damage that they do and (2) everyone learned in school that better choices are available.

2012.09.27 11:0030 minrefereed lectureFranceresearchers[PDF slides] [soylentnews.org] YACC 2012: Yet Another Conference on Cryptography. Porquerolles. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange. 2012.09.24 14:3060 mininvited lectureFranceresearchers[PDF slides] [soylentnews.org] YACC 2012: Yet Another Conference on Cryptography. Porquerolles. "Cryptography for the paranoid." 2012.09.10 21:45?5 mincontributed lectureBelgiumresearchers[PDF slides] [soylentnews.org] CHES 2012: Cryptographic Hardware and Embedded Systems. Aula Pieter de Somer, Leuven. "Implementing 'Practical leakage-resilient symmetric cryptography'." 2012.08.08 20:255 mincontributed lectureUSAresearchers[PDF slides] [soylentnews.org] USENIX Security Symposium 2012. Hyatt Regency Bellevue. "Blaming the cryptographic user." 2012.07.13 15:0090 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Short Subjects in Security seminar, Qualcomm, San Diego, California. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange. 2012.07.09 12:0030 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] ANTS 2012. University of California, San Diego. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange. 2012.07.03 17:544 mincontributed lectureNetherlandsresearchers[PDF slides] [soylentnews.org] RFIDsec 2012. Hotel Erica, Berg en Dal. "More hidden bits." 2012.07.03 12:0030 minrefereed lectureNetherlandsresearchers[PDF slides] [soylentnews.org] RFIDsec 2012. Hotel Erica, Berg en Dal. "Never trust a bunny." Talk given jointly with Tanja Lange. 2012.06.28 14:3030 minrefereed lectureSingaporeresearchers[PDF slides] [soylentnews.org] ACNS 2012: Applied Cryptography and Network Security. Novotel. "The security impact of a new cryptographic library." 2012.06.08 11:4545 mininvited lectureNetherlandslocal researchers[PDF slides] [soylentnews.org] Cryptography Working Group. Kargadoor, Utrecht. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange. 2012.06.04 13:45105 mininvited lectureNetherlandslocal students[PDF slides] [soylentnews.org] Class talk, Technische Universiteit Eindhoven. "The DNS security mess." 2012.04.17 20:177 mincontributed lectureEnglandresearchers[PDF slides] [soylentnews.org] Eurocrypt 2012. Cambridge University. "Non-uniform cracks in the concrete." 2012.03.23 09:0020 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] Third SHA-3 Candidate Conference. Washington Marriott. "The new SHA-3 software shootout." Talk given jointly with Tanja Lange. 2012.03.20 17:207 mincontributed lectureUSAresearchers[PDF slides] [soylentnews.org] FSE 2012: 19th International Workshop on Fast Software Encryption. Washington Marriott. "The HMAC brawl." 2012.03.18 16:0030 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] SHARCS 2012: Special-purpose Hardware for Attacking Cryptographic Systems. Washington Marriott. "Usable assembly language for GPUs: a success story." 2012.03.08 13:40100 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org] SecAppDev 2012. Irish College, Leuven. "Deploying high-security cryptography." 2012.03.08 11:00100 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] SecAppDev 2012. Irish College, Leuven. "Cryptography worst practices." 2012.02.13 13:3090 mininvited lectureNetherlandslocal researchers SLaBaC seminar, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Polynomial lattices, part 2." 2012.02.06 13:3090 mininvited lectureNetherlandslocal researchers SLaBaC seminar, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Polynomial lattices, part 1." 2012.01.16 17:1545 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "Authenticated ciphers." 2012.01.14 09:3060 mininvited lectureIndiaresearchers[PDF slides] [soylentnews.org] Workshop on Mathematical and Statistical Aspects of Cryptography. Indian Statistical Institute, Kolkata. "A battle of bits: building confidence in cryptography." Talk given jointly with Tanja Lange. 2011.12.01 09:5535 minrefereed lectureTaiwanresearchers[PDF slides] [soylentnews.org] PQCrypto 2011. Howard International House, Taipei. "Simplified high-speed high-distance list decoding for alternant codes." 2011.11.24 16:3055 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] DIAMANT symposium. Conferentiecentrum Mennorode, Elspeet. "Jet list decoding." 2011.10.19 08:3060 mininvited lectureBrazilresearchers[PDF slides] [soylentnews.org] ITW 2011: Information Theory Workshop. Casa da Cultura, Paraty. "Jet list decoding." Plenary talk. 2011.09.28 12:4530 mininvited lectureNetherlandslocal researchers[PDF slides] [soylentnews.org] EiPSI Seminar. Technische Universiteit Eindhoven. "The security impact of a new cryptographic library." 2011.09.22 16:1545 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Quantum cryptanalysis. Schloss Dagstuhl. "Post-quantum cryptanalysis." 2011.08.25 10:5060 mininvited lectureSouth Korearesearchers[PDF slides] [soylentnews.org] International Conference on Coding and Cryptography. Ewha Womans University, Seoul. "Advances in code-based public-key cryptography." 2011.08.18 11:3020 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] Crypto 2011. University of California, Santa Barbara. "Smaller decoding exponents: ball-collision decoding." 2011.07.29 15:0030 mininvited lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] Combinatorial, Algebraic and Algorithmic Aspects of Coding Theory. Polydome, Ecole Polytechnique Federale de Lausanne. "Simplified high-speed high-distance list decoding for alternant codes." 2011.07.18 10:1525 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Jet list decoding." Abstract written after the talk:

This talk presented a new high-speed high-distance decoding algorithm for classical binary Goppa codes.

2011.07.06 20:307 mincontributed lectureSenegalresearchers[PDF slides] [soylentnews.org] Africacrypt 2011. Agence universitaire de la Francophonie, Dakar. "High-speed high-security signatures." 2011.07.06 20:102 mincontributed lectureSenegalresearchers[PDF slides] [soylentnews.org] Africacrypt 2011. Agence universitaire de la Francophonie, Dakar. "Conference announcement: Indocrypt 2011." 2011.05.31 10:4545 mininvited lectureChinaresearchers[PDF slides] [soylentnews.org] IWCC 2011, Third International Workshop on Coding and Cryptography. Qingdao Garden Hotel, China. "Advances in code-based public-key cryptography." 2011.05.24 10:0060 mininvited lecturePolandresearchers[PDF slides] [soylentnews.org] Quo Vadis Cryptology? SHA-3 Contest. LORD Hotel, Warsaw. "Software benchmarking of SHA-3 candidates." Presentation given jointly with Tanja Lange. Abstract:

The eBACS project (ECRYPT Benchmarking of Cryptographic Systems) includes eBASH (ECRYPT Benchmarking of All Submitted Hashes), which has carefully measured the speed of 564 state-of-the-art software implementations of 91 different hash functions on 100 different computers. NIST's SHA-3 finalist selection report labelled eBASH as the "primary contributor" to NIST's software speed evaluations. This talk will review the context and accomplishments of eBASH and look to the future, with a particular emphasis on the SHA-3 finalists.

2011.05.11 14:3050 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Code-based Cryptography Workshop. Technische Universiteit Eindhoven. "Decoding random codes: asymptotics, benchmarks, challenges, and implementations." 2011.03.30 13:3060 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Seminar, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign. "Usable assembly language for GPUs." 2011.03.07 14:2525 minrefereed lectureItalyresearchers[PDF slides] [soylentnews.org] PKC 2011: 14th International Conference on Practice and Theory in Public-Key Cryptography. Hotel Villa Diodoro, Taormina. "On the correct use of the negation map in the Pollard rho method." Talk given jointly with Tanja Lange. 2011.02.17 15:2020 minrefereed lectureDenmarkresearchers SKEW 2011: Symmetric Key Encryption Workshop 2011. Denmark Technical University, Copenhagen. "Software speed of stream ciphers." 2011.02.16 14:2020 minrefereed lectureDenmarkresearchers[PDF slides] [soylentnews.org] SKEW 2011: Symmetric Key Encryption Workshop 2011. Denmark Technical University, Copenhagen. "Extending the Salsa20 nonce." 2011.02.14 19:155 mincontributed lectureDenmarkresearchers[PDF slides] [soylentnews.org] FSE 2011: 18th International Workshop on Fast Software Encryption. Denmark Technical University, Copenhagen. "Really fast syndrome-based hashing." 2011.02.14 19:055 mincontributed lectureDenmarkresearchers[PDF slides] [soylentnews.org] FSE 2011: 18th International Workshop on Fast Software Encryption. Denmark Technical University, Copenhagen. "Building a battlefield for authenticated encryption." 2011.02.05 11:1525 mincontributed lectureAustriaresearchers[PDF slides] [soylentnews.org] Arbeitstagung Allgemeine Algebra (AAA 81). University of Salzburg. "A classification of detours in proofs of the generalized Nullstellensatz." 2010.12.28 20:3060 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] 27th Chaos Communication Congress (27C3). Berliner Congress Center, Berlin. "High-speed high-security cryptography: encrypting and authenticating the whole Internet." Abstract:

Are you writing a program that sends data through the Internet? Are you sending the data through HTTP, or SMTP, or simply TCP, leaving it vulnerable to espionage, corruption, and sabotage by anyone who owns a machine connected to the same network?

You can use SSH and IPsec to protect communication with your own machines, but how do you talk to the rest of the Internet? You can use TCPcrypt to protect yourself against attackers too lazy to forge packets, but how do you protect yourself against serious attackers? You can use HTTPS for low-frequency communication, but how do you handle heavy network traffic, and how do you protect yourself against the security flaws in HTTPS? Today's Internet cryptography is slow, untrustworthy, hard to use, and remarkably unsuccessful as a competitor to good old unprotected TCP.

This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show that the approach is extremely fast when it is done right.

2010.12.15 12:0030 minrefereed lectureIndiaresearchers[PDF slides] [soylentnews.org] Indocrypt 2010. Marriott Convention Center, Hyderabad. "ECC2K-130 on NVIDIA GPUs." 2010.10.24 14:0060 mininvited lectureUSAresearchers Workshop on Embedded Systems Security (WESS 2010). Glenville, Arizona. "Cryptographic benchmarking in ECRYPT II." Talk given jointly with Tanja Lange. 2010.10.21 14:0060 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Workshop on Elliptic Curves and Computation (ECC 2010). Microsoft Research, Redmond. "Algorithms for primes." 2010.08.24 14:0912 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Second SHA-3 Candidate Conference. University of California, Santa Barbara. "CubeHash." 2010.08.24 09:1515 minrefereed lectureUSAresearchers Second SHA-3 Candidate Conference. University of California, Santa Barbara. "Software speed of SHA-3 candidates." 2010.08.19 21:277 mincontributed lectureUSAresearchers[PDF slides] [soylentnews.org] CHES 2010: Cryptographic Hardware and Embedded Systems. "Faster ECDL." 2010.08.19 21:132 mincontributed lectureUSAresearchers[PDF slides] [soylentnews.org] [Leakage video [soylentnews.org]] CHES 2010: Cryptographic Hardware and Embedded Systems. "Why CHES is better than CRYPTO (except for the rump session)." Presentation given jointly with Tanja Lange. 2010.08.09 14:1530 minrefereed lectureMexicoresearchers[PDF slides] [soylentnews.org] LatinCrypt 2010. "Starfish on strike." Talk given jointly with Tanja Lange. 2010.07.20 20:305 mincontributed lectureFranceresearchers[PDF slides] [soylentnews.org] Algorithmic Number Theory Symposium (ANTS) IX. LORIA, Nancy. "Faster rho for elliptic curves." 2010.06.28 12:0030 minrefereed lectureTurkeyresearchers[PDF slides] [soylentnews.org] International workshop on the arithmetic of finite fields (WAIFI 2010). Grand Hyatt Istanbul. "Type-II optimal polynomial bases." 2010.05.28 15:1525 mincontributed lectureGermanyresearchers[PDF slides] [soylentnews.org] PQCrypto 2010: Third International Workshop on Post-Quantum Cryptography. Fraunhofer Institute, Darmstadt. "Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA." Abstract:

(1) What is the number of bit operations required for high-security code-based cryptography? Specifically, how many additions and multiplications over F_2 are required for straight-line encryption and decryption? Optimizations in this model are directly relevant to hardware and to bitsliced software. (2) Is it possible that the community has missed another plausible candidate for post-quantum cryptography?

2010.05.26 15:0030 minrefereed lectureGermanyresearchers[PDF slides] [soylentnews.org] PQCrypto 2010: Third International Workshop on Post-Quantum Cryptography. Fraunhofer Institute, Darmstadt. "Grover vs. McEliece." 2010.05.17 16:1050 mininvited lectureBelgiumresearchers[PDF slides] [soylentnews.org] GTEM Workshop on Computational Number Theory and Arithmetic Geometry. Arenbergkasteel, Leuven. "Factoring integers with elliptic curves." 2010.05.07 09:00240 mininvited lectureSouth Africastudents[PDF slides] [soylentnews.org] Third International Conference on Cryptology in Africa (AFRICACRYPT 2010). Stellenbosch Institute for Advanced Study. "ECC minicourse." Lecture given jointly with Tanja Lange. 2010.04.19 14:3060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Counting Points: Theory, Algorithms and Practice. Le Centre de recherches mathématiques, University of Montreal. "Counting points as a video game." 2010.04.16 11:0060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Computer Security and Cryptography. Le Centre de recherches mathématiques, University of Montreal. "The factorization of RSA-1024." Abstract:

This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same tools will also be useful for academic teams in the farther future publicly breaking the RSA-1024 challenge.

2010.02.26 14:4545 mininvited lectureTaiwanresearchers[PDF slides] [soylentnews.org] The First Taiwanese Workshop on Security and System-on-Chip. National Taiwan University, Taipei. "Small high-security encryption, authentication, and hashing." 2010.02.04 14:2535 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Tweedaagse beveiligingsconferentie SURFcert & SURFibo. Koninklijke Bibliotheek, Den Haag. "Elliptic-curve cryptography." 2010.01.13 11:3040 mininvited lectureLuxembourgresearchers[PDF slides] [soylentnews.org] ESC 2010: Early Symmetric Crypto. Centre de Formation et de Seminaires, Remich. "Software speed for secret-key cryptography." 2009.12.16 09:0060 mininvited lectureIndiaresearchers[PDF slides] [soylentnews.org] Indocrypt 2009. Indian National Science Academy, New Delhi. "Breaking ECC2K-130." 2009.12.04 15:0045 mininvited lectureNetherlandslocal researchers[PDF slides] [soylentnews.org] Cryptography Working Group. Trianon Zalen, Utrecht. "Breaking ECC2K-130." 2009.11.17 09:0075 mininvited lectureSpainstudents[PDF slides] [soylentnews.org] Hash^3: Proofs, Analysis, and Implementation. Hotel Jardin Tropical, Costa Adeje, Tenerife. "Software benchmarking." 2009.10.30 15:0060 mininvited lectureAustralialocal researchers[PDF slides] [soylentnews.org] Centre for Advanced Computing---Algorithms and Cryptography Seminar. Faculty of Science, Macquarie University. "Breaking DNSSEC." 2009.10.29 16:0060 mininvited lectureAustralialocal researchers[PDF slides] [soylentnews.org] Computational Algebra Seminar. School of Mathematics and Statistics, University of Sydney. "Speeding up characteristic 2." 2009.10.12 11:0030 minrefereed lectureGermanyresearchers[PDF slides] [soylentnews.org] Software Performance Enhancement for Encryption and Decryption and Cryptographic Compilers (SPEED-CC). Radisson Blu, Berlin. "Optimizing linear maps modulo 2." 2009.10.06 16:4540 mininvited lectureBelgiumresearchers[PDF slides] [soylentnews.org][part-2 PDF slides] [soylentnews.org] CRYPTASC Workshop. QUIC, Université Libre de Bruxelles. "What is a use case for quantum key exchange?" Talk given jointly with Tanja Lange. 2009.09.22 13:3060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Discovery and Experimentation in Number Theory. Fields Institute, Waterloo, Ontario. "Addition laws on elliptic curves." Plenary lecture. 2009.09.12 11:4545 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Factoring 2009. Bochum. "ECM speed records for CPU and GPU." 2009.09.10 11:0030 minrefereed lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] Special-Purpose Hardware for Attacking Cryptographic Systems (SHARCS 2009). Ecole Polytechnique Federale de Lausanne. "Cost analysis of hash collisions: will quantum computers make SHARCS obsolete?" 2009.09.09 18:1530 minrefereed lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] Special-Purpose Hardware for Attacking Cryptographic Systems (SHARCS 2009). Ecole Polytechnique Federale de Lausanne. "The Certicom challenges ECC2-X." Talk given jointly with Tanja Lange, Frank Gurkaynak, Daniel V. Bailey, Peter Schwabe. 2009.09.08 21:30?3 mincontributed lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] CHES 2009: Workshop on Cryptographic Hardware and Embedded Systems. Ecole Polytechnique Federale de Lausanne. "binary.cr.yp.to." 2009.09.08 17:25?5 mininvited lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] CHES 2009: Workshop on Cryptographic Hardware and Embedded Systems; panelist in special session on Benchmarking of Cryptographic Hardware. Ecole Polytechnique Federale de Lausanne. "eBACS: ECRYPT Benchmarking of Cryptographic Systems." 2009.08.25 09:0050 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] ECC 2009. University of Calgary. "Post-quantum cryptography." Abstract:

Large quantum computers will break RSA, DSA, ECC, and HECC, but cryptographers will still have many attractive choices of post-quantum public-key systems. This talk will survey the post-quantum landscape, and as an illustrative example will discuss McEliece's 1978 hidden-Goppa-code public-key encryption system.

2009.08.24 19:0010 mincontributed lectureCanadaresearchers[PDF slides] [soylentnews.org] ECC 2009. University of Calgary. "Batch binary Edwards." 2009.08.18 12:0025 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] Crypto 2009. University of California, Santa Barbara. "Batch binary Edwards." Abstract:

This paper sets new software speed records for high-security Diffie--Hellman computations, specifically 251-bit elliptic-curve variable-base-point scalar multiplication. In one second of computation on a $200 Core 2 Quad Q6600 CPU, this paper's software performs 30000 251-bit scalar multiplications on the binary Edwards curve d(x+x^2+y+y^2)=(x+x^2)(y+y^2) over the field F_2[t]/(t^{251}+t^7+t^4+t^2+1) where d=t^{57}+t^{54}+t^{44}+1. The paper's field-arithmetic techniques can be applied in much more generality but have a particularly efficient interaction with the completeness of addition formulas for binary Edwards curves. See binary.cr.yp.to/edwards.html [cr.yp.to] for more information.

2009.08.11 14:0060 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Seminar. Google. "High-speed cryptography, DNSSEC, and DNSCurve." Abstract:

DNSSEC, a project to add cryptographic protection to DNS, has received millions of dollars of U.S. government grants and after fifteen years still has not stopped any attacks. The underlying problem is DNSSEC's fear of cryptographic overload, which forced DNSSEC down a path of unreliability, insecurity, and unusability.

DNSCurve is a new project to add cryptographic protection to DNS. DNSCurve is much stronger than DNSSEC, much more robust, much less damaging to the Internet, much easier to implement, and much easier to use.

The critical design decision in DNSCurve is exactly the decision that DNSSEC rejected on the grounds of performance. Can busy sites keep up with the load? Advances in high-speed high-security elliptic-curve cryptography mean that the answer is yes. A single day of computation on a Core 2 Quad CPU is enough to cryptographically protect 50 billion packets exchanged with 500 million clients, more than the load on all of the Internet's top-level .com servers put together.

2009.08.10 09:3060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] WOOT 2009. Le Centre Sheraton Hotel, Montreal. "Breaking DNSSEC." Keynote lecture. Abstract:

More than two hundred sites around the world have installed DNSSEC during the past year, so attackers can finally gain hands-on experience with breaking DNSSEC servers. How quickly does DNSSEC leak private information? How powerful are today's DNSSEC servers when they are abused as denial-of-service amplifiers? How easy is it to forge DNS data from a DNSSEC server?

2009.07.31 09:4040 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Classical and quantum information assurance: foundations and practice. Schloss Dagstuhl. "How to improve the price-performance ratio of quantum collision search." Abstract:

A quantum algorithm by Brassard, Hoyer, and Tapp finds collisions in a generic b-bit hash function using O(2^(b/3)) calls to the hash function. How well does the same algorithm perform in more sophisticated cost measures than number of hash calls? In particular, does the algorithm achieve an optimal tradeoff between the size of a quantum computer and the time taken by the computer to find collisions? This talk will show that the algorithm is highly suboptimal from this perspective, and will explain how to do better.

2009.07.28 11:4540 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Classical and quantum information assurance: foundations and practice. Schloss Dagstuhl. "Cost-benefit analysis of quantum cryptography." Abstract:

"Why quantum cryptography?" "SECOQC white paper on quantum key distribution and cryptography." "Quantum cryptography: as awesome as it is pointless." "The case for quantum key distribution."

Different authors have come to wildly different conclusions regarding the value of quantum cryptography. Some of this variability can be explained by implicit differences in models of what users value; this talk will present a unified analysis explicitly parametrized by the model. A surprisingly large part of the variability stems from easily correctable errors; this talk will explain how future authors can recognize and avoid the most common pitfalls.

2009.07.17 10:1030 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Complete addition laws for all elliptic curves over finite fields.'' Abstract written after the talk:

This talk reports the latest news from a joint project with Tanja Lange to find, for each elliptic curve E, the fastest possible complete addition law for E.

2009.06.27 11:0050 mininvited lectureBrazilresearchers[PDF slides] [soylentnews.org] Fórum Internacional de Software Livre. Pontifícia Universidade do Rio Grande do Sul (PUCRS), Porto Alegre. "High-speed cryptography and DNSCurve." Abstract:

This talk will explain DNSCurve, a new project to add cryptographic protection to DNS. DNSCurve is much stronger than DNSSEC, much more robust, much less damaging to the Internet, much easier to implement, and much easier to use.

The critical design decision in DNSCurve is exactly the decision that DNSSEC rejected on the grounds of performance. Can busy sites keep up with the load? Advances in high-speed high-security elliptic-curve cryptography mean that the answer is yes. A single day of computation on a Core 2 Quad CPU is enough to cryptographically protect 50 billion packets exchanged with 500 million clients, more than the load on all of the Internet's top-level .com servers put together.

2009.06.24 10:0050 mininvited lectureBrazilresearchers[PDF slides] [soylentnews.org] Fórum Internacional de Software Livre. Pontifícia Universidade do Rio Grande do Sul (PUCRS), Porto Alegre. "The DNS security mess." Abstract:

The Domain Name System publishes records such as "softwarelivre.org has IP address 200.169.21.196". Attackers can easily exploit the DNS protocol to selectively forge web pages and steal Internet mail.

DNSSEC, a project to add cryptographic protection to DNS, has received millions of dollars of U.S. government grants and after fifteen years still has not stopped any attacks. This talk will explain the design of DNSSEC, and in particular will explain how DNSSEC's fear of cryptographic overload forced DNSSEC down a path of unreliability, insecurity, and unusability.

2009.05.26 09:1545 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Algorithms and Number Theory. Schloss Dagstuhl. "Code-based post-quantum cryptography." Abstract:

McEliece's code-based cryptosystem was introduced in 1978 and is one of the leading candidates for post-quantum public-key cryptography. All known attacks against the cryptosystem, including attacks by quantum computers, take time exponential in the code length, while encryption and decryption take polynomial time with very small exponents.

This talk will explain (1) how the original parameters proposed by McEliece were broken in 2008 by Bernstein, Lange, and Peters, (2) the computational issues that arise in using the cryptosystem for larger parameters, and (3) how list decoding of Goppa codes is connected to the Lenstra--Konyagin--Pomerance--Coppersmith--Howgrave-Graham--Nagaraj algorithm to find divisors in residue classes.

2009.05.15 11:0060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Cryptography Retrospective Meeting. Fields Institute, Toronto, Canada. "High-speed cryptography." 2009.04.17 11:3060 mininvited lectureSpainlocal researchers[PDF slides] [soylentnews.org] Algebra and Number Theory Seminar. Department of Mathematics, Universidad Autonomo de Madrid. "Complete addition laws for elliptic curves." Talk given jointly with Tanja Lange. 2009.04.0310 mincontributed lectureFranceresearchers[PDF slides] [soylentnews.org] Arithmetic, Geometry, Cryptography and Coding Theory (AGCT-12). Centre International de Rencontres Mathematiques, Luminy. Marseille. "Batch binary Edwards." 2009.03.2660 mininvited lectureFranceresearchers[PDF slides] [soylentnews.org] ESF Exploratory Workshop: Curves, Coding Theory, and Cryptography. Institut de Mathematiques de Luminy. Marseille. "Models of elliptic curves." Talk given jointly with Tanja Lange. 2009.03.21 11:0060 mininvited lectureIndialocal researchers[PDF slides] [soylentnews.org] The LNM Institute of Information Technology, Jaipur. "DNSSEC and DNSCurve." 2009.03.20 14:0060 mininvited lectureIndialocal researchers[PDF slides] [soylentnews.org] Department of Computer Engineering. Malaviya National Institute of Technology, Jaipur. "DNSSEC and DNSCurve." 2009.03.17 10:0060 mininvited lectureIndiaresearchers[PDF slides] [soylentnews.org] Hack.in 2009: 3rd Hackers' Workshop. Indian Institute of Technology, Kanpur. "DNSCurve." Keynote lecture. 2009.03.04 09:00100 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Secure design and coding for DNS." 2009.03.03 09:00100 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Cryptography in DNS." 2009.03.02 15:40100 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Attacks on DNS." 2009.02.285 mincontributed lectureBelgiumresearchers First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "A replay attack on a one-way hash." 2009.02.285 mincontributed lectureBelgiumresearchers[PDF slides] [soylentnews.org] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "Bit attacks." 2009.02.285 mincontributed lectureBelgiumresearchers[PDF slides] [soylentnews.org] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "More engineering considerations for the SHA-3 hash function." Talk given jointly with Orr Dunkelman. Slides written jointly by many authors. 2009.02.28 10:0020 mininvited lectureBelgiumresearchers[PDF slides] [soylentnews.org] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "eBASH: ECRYPT Benchmarking of All Submitted Hashes." 2009.02.26 09:0018 mininvited lectureBelgiumresearchers[PDF slides] [soylentnews.org] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "CubeHash." 2009.01.12invited lectureGermanyresearchers[PDF slides] [soylentnews.org] Symmetric Cryptography. Schloss Dagstuhl. "eBACS: ECRYPT Benchmarking of Cryptographic Systems." 2008.12.09 08:516 mincontributed lectureAustraliaresearchers[PDF slides] [soylentnews.org] Asiacrypt 2008. Hilton on the Park, Melbourne. "eBASH: ECRYPT Benchmarking of All Submitted Hashes." 2008.10.18 09:0060 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] The Second International Workshop on Post-Quantum Cryptography (PQCrypto 2008). University of Cincinnati. "A brief survey of post-quantum cryptography." 2008.10.10 16:0060 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Lustrum OS3. Turingzaal, CWI, Amsterdam. "Internet security." Keynote talk. 2008.10.07 14:3060 mininvited lectureFranceresearchers[PDF slides] [soylentnews.org] Cado Workshop on Integer Factorization. LORIA, Nancy. "Predicting NFS time." Abstract:

The time T(n,f,y1,...) used by NFS depends not only on the integer n to be factored but also on various parameters chosen by the NFS user, such as a polynomial f, an initial smoothness bound y1, etc. One can accurately compute T(n,f,y1,...) by running NFS, but of course this is rather slow, especially if one wants to compute several values of this function T. I'll discuss the speed and accuracy of various approximations to T.

2008.09.22 19:50?5 mincontributed lectureNetherlandsresearchers[PDF slides] [soylentnews.org] The 12th Workshop on Elliptic Curve Cryptography (ECC 2008). "DNSCurve: Usable security for DNS." 2008.09.17 11:4560 mininvited lectureNetherlandsstudents[PDF slides] [soylentnews.org] DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography. Technische Universiteit Eindhoven. "Fast arithmetic on elliptic curves." 2008.09.15 11:4560 mininvited lectureNetherlandsstudents[PDF slides] [soylentnews.org] DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography. Technische Universiteit Eindhoven. "Introduction to elliptic curves." 2008.08.22 14:0060 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Seminar, Department of Computer Science. University of Illinois at Chicago. "DNSCurve: Usable security for DNS." 2008.08.12 16:4525 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] CHES 2008: Cryptographic Hardware and Embedded Systems. Renaissance Mayflower Hotel. "Binary Edwards curves." Talk given jointly with Tanja Lange. 2008.07.17 15:2545 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Beeger Lecture, 5th European Congress of Mathematics (5ECM). RAI Amsterdam. "Edwards curves." Abstract:

Elliptic-curve addition is the bottleneck in state-of-the-art methods to prove primality of presumed primes, to find medium-size factors of composites, and to agree on a shared secret through a public channel. These applications have drawn tremendous attention to elliptic curves over the past twenty-five years.

Unfortunately, the standard elliptic-curve addition laws leave much to be desired. They force the user to distinguish doublings from generic additions; they have other exceptional cases; and they are not very fast. One can eliminate the doubling distinction, and with more work one can eliminate all of the exceptional cases over a finite field, but the resulting addition laws are even slower than the standard addition laws.

I will explain a new coordinate system that eliminates the need for the doubling distinction, that eliminates all of the exceptional cases for some curves, and that achieves remarkable speed. This system has already set new speed records for elliptic-curve computations, both in theory and in practice.

The audience is not expected to have prior exposure to elliptic curves.

2008.06.20 14:3060 mininvited lectureFrancelocal researchers[PDF slides] [soylentnews.org] Seminar, University of Rennes. "The elliptic-curve zoo." Abstract:

The pursuit of speed in elliptic-curve factoring and in elliptic-curve cryptography has led researchers to consider a remarkable variety of curve shapes and point representations. Tanja Lange and I have built an Explicit-Formulas Database, hyperelliptic.org/EFD [hyperelliptic.org], collecting (and sometimes correcting and often improving) the addition formulas in the literature; EFD now contains 296 computer-verified explicit addition formulas for 20 representations of points on 8 shapes of elliptic curves over large-characteristic fields. In this talk I will survey the speeds that have been obtained from several interesting curve shapes. If time permits I will also comment on characteristic 2.

2008.06.13 15:0030 minrefereed lectureMoroccoresearchers[PDF slides] [soylentnews.org] Africacrypt 2008. Casablanca. "Twisted Edwards curves." 2008.06.05 09:3090 mininvited lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Hash functions in cryptology: theory and practice. Lorentz Center, Leiden University. "How fast are hash functions?" Keynote talk. 2008.05.19 16:5010 mincontributed lectureCanadaresearchers[PDF slides] [soylentnews.org] Algorithmic Number Theory Symposium (ANTS). Banff Centre, Alberta. "The elliptic-curve zoo: a study of curve shapes." Talk given jointly with Tanja Lange. 2008.05.12 14:5070 mininvited lectureGreecestudents[PDF slides] [soylentnews.org] ECRYPT Summer School on Advanced Topics in Cryptography. Fodele Beach Hotel, Crete, Greece. "The rest of the zoo." [pictures] [soylentnews.org]2008.05.09 12:3060 mininvited lectureSpainlocal researchers[PDF slides] [soylentnews.org] Algebra and Number Theory Seminar. Department of Mathematics, Universidad Autonomo de Madrid. "Binary Edwards curves." Talk given jointly with Tanja Lange. 2008.04.23 09:0060 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Troopers08. Kempinski Airport Hotel, Munich. "Invulnerable software." Keynote lecture. 2008.04.18 15:3050 mininvited lectureNetherlandslocal researchers[PDF slides] [soylentnews.org] Intercity Number Theory Seminar: genus 2 day. Universiteit Utrecht. "Hyperelliptic-curve cryptography." Abstract:

The only public-key cryptographic systems currently recommended by the United States National Security Agency are elliptic-curve systems. I'll explain how elliptic curves are used in cryptography and how genus-2 hyperelliptic curves can do better; in particular, I'll discuss recent progress in genus-2 scalar multiplication and in constructing secure genus-2 curves. To balance the picture I'll also discuss recent progress in elliptic-curve computations.

2008.04.15 20:214 mincontributed lectureTurkeyresearchers[PDF slides] [soylentnews.org] Eurocrypt 2008. Hilton Hotel Convention Center, Istanbul. "Binary Edwards curves." 2008.04.14 11:2525 minrefereed lectureTurkeyresearchers[PDF slides] [soylentnews.org] Eurocrypt 2008. Hilton Hotel Convention Center, Istanbul. "Proving tight security for Rabin--Williams signatures." 2008.02.14 10:4515 minrefereed lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] State of the Art of Stream Ciphers (SASC) 2008. Moevenpick Hotel, Lausanne. "ChaCha, a variant of Salsa20." 2008.02.12 17:164 mincontributed lectureSwitzerlandresearchers[PDF slides] [soylentnews.org] Fast Software Encryption 2008. Moevenpick Hotel, Lausanne. "SHARCS vs. SWIFFT." 2008.01.11 10:4020 mininvited lectureLuxembourgresearchers Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "Cipher DAGs." 2008.01.09 17:355 mincontributed lectureLuxembourgresearchers[PDF slides] [soylentnews.org] Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "MAC1271." 2008.01.09 17:305 mincontributed lectureLuxembourgresearchers[PDF slides] [soylentnews.org] Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "ChaCha20." 2007.12.24 15:0080 mininvited lectureTaiwanlocal students[PDF slides] [soylentnews.org] Electrical Engineering seminar. National Taiwan University. "An introduction to high-speed arithmetic." 2007.12.17 09:0050 mininvited lectureIndiaresearchers[PDF slides] [soylentnews.org] Applied Algebra, Algebraic Algorithms, and Error Correcting Codes (AAECC-17). Indian Institute of Science, Bangalore. "The tangent FFT." 2007.12.03 09:5025 minrefereed lectureMalaysiaresearchers[PDF slides] [soylentnews.org] Asiacrypt 2007. Crowne Plaza Riverside, Kuching, Sarawak. "Faster addition and doubling on elliptic curves." Talk given jointly with Tanja Lange. 2007.11.30 15:1050 mininvited lectureSouth Korearesearchers[PDF slides] [soylentnews.org] ICISC 2007. Seoul. "High-speed cryptography." 2007.11.10 16:3030 mininvited lectureEnglandresearchers[PDF slides] [soylentnews.org][part-2 vertical PDF slides] [soylentnews.org][original gv-compatible part-2 PDF slides] [soylentnews.org] SAGE Days 6. University of Bristol. "Edwards coordinates for elliptic curves." Talk given jointly with Tanja Lange. 2007.11.02 08:3060 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] 1st Computer Security Architecture Workshop. George Mason University, Fairfax, Virginia. "Some thoughts on security after ten years of qmail 1.0." 2007.10.19 15:0050 mininvited lectureFranceresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Universite Bordeaux I. "Edwards coordinates for elliptic curves, part 2." 2007.09.24 11:5025 minrefereed lecturePolandresearchers ECRYPT Workshop on Tools for Cryptanalysis. Conference Center of the Jagiellonian University in Kraków-Przegorzały. "Cipher DAGs." [software] [soylentnews.org]2007.09.11 19:505 mincontributed lectureAustriaresearchers[PDF slides] [soylentnews.org] CHES 2007: Cryptographic Hardware and Embedded Systems. Vienna Marriott Hotel. "The EFD thing." Talk given jointly with Tanja Lange. 2007.09.10 15:072 mincontributed lectureAustriaresearchers[PDF slides] [soylentnews.org] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS) 2007. Vienna Marriott Hotel. "Edwards curves." 2007.09.10 11:3030 minrefereed lectureAustriaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS) 2007. Vienna Marriott Hotel. "Better price-performance ratios for generalized birthday attacks." 2007.09.07 11:4050 mininvited lectureIrelandresearchers[PDF slides] [soylentnews.org][part-2 vertical PDF slides] [soylentnews.org][original gv-compatible part-2 PDF slides] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2007. University College Dublin. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange. 2007.09.05 17:528 mincontributed lectureIrelandresearchers[PDF slides] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2007. University College Dublin. "The Explicit-Formulas Database." 2007.09.03 12:0060 mininvited lectureIrelandstudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007. University College Dublin. "Generic attacks and index calculus." 2007.09.03 09:3060 mininvited lectureIrelandstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007. University College Dublin. "Elliptic curves over $\R$ and $\F_q$." 2007.08.16 11:3555 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Selected Areas in Cryptography (SAC) 2007. University of Ottawa, Ontario. ``Edwards coordinates for elliptic curves.'' 2007.07.18 10:1520 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][approximate transcript] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Complexity news: FFTs and integer multiplication." Abstract:

What is the total algebraic complexity of multiplying two polynomials of degree below $n$ over the field of real numbers? 1866 Gauss FFT: $(15+o(1))n\lg n$. 1968 Yavne split-radix FFT: $(12+o(1))n\lg n$. News, 2004 Van Buskirk tangent FFT: $(34/3+o(1))n\lg n$. What is the bit complexity of multiplying two $n$-bit integers? 1971 Sch\"onhage/Strassen algorithm: $\Theta(n\lg n\lg\lg n)$. News, 2007 F\"urer algorithm: $(n\lg n)2^{O(\lg^*n)}$.

2007.07.12 12:1525 mincontributed lectureAustraliaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] 8th International Conference on Finite Fields and Applications (FQ8). Amora Hotel Riverwalk Melbourne, Richmond. "Polynomial evaluation and message authentication." 2007.06.11 17:0510 mincontributed lectureNetherlandsresearchers[PDF slides] [soylentnews.org] Software Performance Enhancement for Encryption and Decryption (SPEED). Victoria Hotel, Amsterdam. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange. 2007.06.11 14:3060 mininvited lectureNetherlandsresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Software Performance Enhancement for Encryption and Decryption (SPEED). Victoria Hotel, Amsterdam. "How fast is cryptography?" 2007.06.07 14:0060 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Mathfest 2007. National Security Agency, Fort Meade, Maryland. "Edwards coordinates for elliptic curves." Abstract:

The standard elliptic-curve addition laws are annoying! They force the user to distinguish doublings from generic additions; they have other exceptional cases; and they aren't very fast. One can eliminate the doubling distinction, and with more work one can eliminate all of the exceptional cases over a finite field, but the resulting addition laws are even slower. I'll explain a new coordinate system that eliminates the need for the doubling distinction, that eliminates all of the exceptional cases for some curves, and that achieves remarkable speed. If time permits I'll discuss applications to elliptic-curve cryptography.

2007.05.28 15:0575 mininvited lecturePolandresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Quo vadis cryptology? Threat of side-channel attacks. LORD Hotel, Warsaw. "The impact of side-channel attacks on the design of cryptosystems." Abstract:

Authors of cryptographic software have to go to extra effort to protect themselves against cache-timing attacks, branch-prediction attacks, and other side-channel attacks. The extra effort depends on the cryptosystem; side-channel resistance often makes an otherwise attractive cryptosystem end up consuming far more resources than the system designer had originally expected. This talk will explain how to write cryptographic software that keeps secret information safely away from all known software side channels, and how to design cryptosystems that remain efficient when they are implemented in this way. Examples will be drawn from several areas of secret-key and public-key cryptography.

2007.05.24 17:2025 minrefereed lectureSpainresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] ECRYPT Hash Workshop 2007. Universitat Oberta de Catalunya, Barcelona. "What output size resists collisions in a xor of independent expansions?" 2007.05.22 20:276 mincontributed lectureSpainresearchers[PDF slides] [soylentnews.org] Eurocrypt 2007. Catalonia Barcelona Plaza Hotel, Barcelona. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange. 2007.05.18 14:3040 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Number Theory Fest. Department of Mathematics, University of Illinois at Urbana-Champaign. "Distinguishing prime numbers from composite numbers: the state of the art." Abstract:

Is it easy to determine whether a given integer is prime? For small integers the answer is obviously yes; but what about much larger integers? If 'easy' is defined as 'deterministic polynomial time' then the answer is again yes, as proven by Agrawal, Kayal, and Saxena in a famous paper in 2002; but what happens when a polynomial-time algorithm is too slow? This talk will take a closer look at the state of the art, analyzing the scalability of today's best algorithms and identifying the most important open problems in the area.

2007.05.15 16:3060 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Algemeen Wiskunde Colloquium. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Circuits for integer factorization." 2007.05.04 16:2070 mininvited lectureGreecestudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Emerging Topics in Cryptographic Design and Cryptanalysis. Doryssa Seaside Resort, Pythagorion, Samos. "CPU traps and pitfalls." 2007.04.30 11:3570 mininvited lectureGreecestudents[vertical PDF slides] [soylentnews.org][horizontal PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Emerging Topics in Cryptographic Design and Cryptanalysis. Doryssa Seaside Resort, Pythagorion, Samos. "On the design of message-authentication codes." 2007.04.27 14:15165 mininvited lectureGermanylocal students Hackerpraktikum. Horst Görtz Institut für Sicherheit in der Informationstechnik, Ruhr-Universität Bochum. "How to program secure network servers." Main topics were (1) the UNIX functions for talking to the network, (2) various techniques for reducing bug rates, and (3) using "extreme sandboxes" to enforce security upon surprisingly large chunks of code. There were several requests for copies of the experimental extremesandbox() code, so here it is: extremesandbox.c [soylentnews.org]2007.04.25 14:3060 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] EIDMA Seminar Combinatorial Theory. Technische Universiteit Eindhoven. "Elliptic vs. hyperelliptic, part 1." 2007.04.17 09:0050 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org][video] [cr.yp.to][video at www.ima.umn.edu] [umn.edu] Workshop on Complexity, Coding, and Communications. Institute for Mathematics and its Applications, University of Minnesota, Minneapolis. "The tangent FFT." 2007.03.20 11:0090 mininvited lectureUSAlocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Colloquium, Akamai Technologies. ``The DNS security mess.'' 2007.02.08 13:00contributed lectureEnglandresearchers[PDF slides] [soylentnews.org] ECRYPT VAMPIRE WG1. Bristol University. "High-speed engineering of high-speed software." 2007.02.07 12:0060 mininvited lectureEnglandlocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] The Enigma Variations: Information Security Seminar. Bristol University. "Proving tight security for Rabin-Williams signatures." 2007.02.02 15:0045 mininvited lectureNetherlandslocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Cryptography Working Group. Universiteit van Amsterdam. "The DNS security mess." Last-minute substitution for another speaker who couldn't attend. 2007.01.31 14:1515 minrefereed lectureGermanyresearchers[PDF slides] [soylentnews.org] SASC 2007---The State of the Art of Stream Ciphers. Ruhr University Bochum. "Cycle counts for authenticated encryption." [sample screenshot] [soylentnews.org]2006.12.10 15:4590 mininvited lectureIndiastudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Tutorial session; INDOCRYPT 2006. Park Hotel, Kolkata, India. ``High-speed Diffie-Hellman, part 2.'' 2006.12.10 11:3090 mininvited lectureIndiastudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Tutorial session; INDOCRYPT 2006. Park Hotel, Kolkata, India. ``High-speed Diffie-Hellman, part 1.'' 2006.11.27 14:1050 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Workshop on Cryptography: Underlying Mathematics, Provability and Foundations. Fields Institute, Toronto, Canada. ``Proving tight security for Rabin-Williams signatures.'' 2006.11.19 17:0030 mincontributed lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Polynomials over Finite Fields and Applications. Banff Centre, Alberta, Canada. ``Faster factorization into coprimes.'' 2006.10.17 13:0050 mininvited lectureCanadalocal researchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Distinguished Lecture, Institute for Computer Research, University of Waterloo. ``The DNS security mess.'' 2006.09.20 11:1050 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2006. Fields Institute, Toronto, Canada. ``Elliptic vs. hyperelliptic, part 1.'' Abstract:

Last year's speed records for Diffie-Hellman software were set with a Montgomery-form elliptic curve. Is it possible to achieve even better scalar-multiplication speeds with a Gaudry-form hyperelliptic curve? Exactly how fast is arithmetic modulo 2^{127}-1, compared to arithmetic modulo 2^{255}-19?

Thanks to Tanja Lange for the Mr.-and-Mrs.-Curve slide. Thanks to the Fields Institute for the audio recording. 2006.09.13 09:0060 mininvited lectureCanadastudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Elliptic and Hyperelliptic Curve Cryptography. Fields Institute, Toronto, Ontario. ``Efficient arithmetic on elliptic curves in large characteristic.'' Thanks to the Fields Institute for the audio recording. 2006.09.11 09:0060 mininvited lectureCanadastudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Elliptic and Hyperelliptic Curve Cryptography. Fields Institute, Toronto, Ontario. ``Efficient arithmetic in finite fields.'' Thanks to the Fields Institute for the audio recording. Unfortunately, some portions of the audio recording are inaudible; sorry! 2006.08.31 14:3060 mininvited lectureBrazilstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Choosing curves.'' 2006.08.31 13:3060 mininvited lectureBrazilstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Efficient arithmetic on elliptic curves.'' 2006.08.30 14:3060 mininvited lectureBrazilstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Elliptic curves.'' 2006.08.30 13:3060 mininvited lectureBrazilstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Efficient arithmetic in finite fields.'' 2006.08.28 14:3050 mininvited lectureBrazilresearchers[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] 6th Brazilian Symposium on Information and Computer System Security (SBSeg '06). Mendes Convention Center, Santos. ``The DNS security mess.'' 2006.08.16 11:4050 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Information Security Summer School (ISSS) 2006. Taipei. ``Choosing curves.'' 2006.08.15 14:3050 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Information Security Summer School (ISSS) 2006. Taipei. ``Efficient arithmetic on elliptic curves.'' 2006.08.15 09:3050 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Information Security Summer School (ISSS) 2006. Taipei. ``Elliptic curves.'' 2006.08.14 13:3050 mininvited lectureTaiwanstudents[vertical PDF slides] [soylentnews.org][original gv-compatible PDF slides] [soylentnews.org] Information Security Summer School (ISSS) 2006. Taipei. ``Efficient arithmetic in finite fields.'' 2006.08.03 10:0050 mininvited lectureJapanresearchers[PDF slides] [soylentnews.org] 2006 Workshop on Cryptography and Related Mathematics. Chuo University, Tokyo. ``High-speed cryptographic functions.'' 2006.07.10 10:0030 mininvited lectureAustraliaresearchers[PDF slides] [soylentnews.org] 31st Australasian Conference on Combinatorial Mathematics and Combinatorial Computing. Voyages Resort, Alice Springs. ``Differential addition chains.'' 2006.06.30 09:5080 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Proving primality more quickly.'' Abstract:

I'll say whatever I can in the available time about the state of the art in distinguishing prime numbers from composite numbers. In particular, I'll explain ``elliptic-curve primality proving.''

Thanks to Kathryn Lesh for the audio recording. 2006.06.29 09:5080 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Proving primality in polynomial time.'' Abstract:

Agrawal, Kayal, and Saxena proved in 2002 that ``PRIMES is in P'': i.e., that there is a deterministic polynomial-time algorithm to distinguish prime numbers from composite numbers. I'll present an AKS-type algorithm, and I'll prove that an integer n is accepted by the algorithm if and only if n is prime.

Thanks to Kathryn Lesh for the audio recording. 2006.06.28 09:5080 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Speed of the number-field sieve.'' Abstract:

I'll discuss optimization of the number-field sieve. In particular, I'll explain fast linear algebra by the ``series-denominator method''; I'll analyze the asymptotic cost exponent of the number-field sieve; and I'll present various improvements in polynomial selection.

Thanks to Kathryn Lesh for the audio recording. 2006.06.27 09:5080 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Finding small factors of integers.'' Abstract:

The number-field sieve (like many other number-theoretic algorithms) produces a large collection of auxiliary numbers and tries to find the smooth numbers, i.e., the numbers that factor into small primes.

I'll discuss the state of the art in algorithms to find small factors of integers, combining seven critical ideas beyond trial division: ``sieving,'' ``remainder trees,'' the ``rho method,'' the ``p-1 method,'' the ``p+1 method,'' the ``elliptic-curve method,'' and ``early aborts.''

Thanks to Kathryn Lesh for the audio recording.

2006.06.26 09:5080 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][Ogg audio] [soylentnews.org] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``The number-field sieve.'' Abstract:

The ``number-field sieve'' is today's state-of-the-art method of finding large prime factors of integers. A year ago the number-field sieve was used to factor ``RSA-200,'' a 200-digit challenge integer chosen as the product of two secret random 100-digit primes.

I'll explain what the number-field sieve computes, and why that computation can be expected to succeed. I'll start with the ``Q sieve,'' an easy special case of the number-field sieve; I'll then generalize from Q to other number fields. Along the way I'll explain how to use ``sublattices'' to improve smoothness chances.

Thanks to Kathryn Lesh for the audio recording.

2006.06.15 16:15105 mininvited lectureBelgiumstudents[PDF slides] [soylentnews.org] Summer School on Cryptographic Hardware, Side-Channel and Fault Attacks. Louvain-la-Neuve. ``Cache-timing attacks.'' The slides aren't as thorough as usual; I was invited only a few days before the summer school, replacing Jean-Pierre Seifert, who wasn't able to attend. 2006.05.30 19:504 mincontributed lectureRussiaresearchers[PDF slides] [soylentnews.org] Eurocrypt 2006. Pulkovskaya Hotel, St. Petersburg. ``eBATS: ECRYPT Benchmarking of Asymmetric Systems.'' 2006.04.25 09:5025 minrefereed lectureUSAresearchers[PDF slides] [soylentnews.org] PKC 2006: 9th International Conference on Theory and Practice of Public-Key Cryptography. Columbia University, New York. ``Curve25519: new Diffie-Hellman speed records.'' 2006.04.09 15:3020 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Special Session on Number Theory; Central Section Meeting, American Mathematical Society. University of Notre Dame, Indiana. ``Differential addition chains.'' Abstract:

Differential addition chains (also known as strong addition chains, Lucas chains, and Chebyshev chains) are addition chains in which every sum is already accompanied by a difference. Low-cost differential addition chains are used to efficiently exponentiate in groups where the operation a, b, a/b |- ab is fast: in particular, to perform x-coordinate scalar multiplication P |- mP on an elliptic curve y^2 = x^3 + Ax^2 + x. Similarly, low-cost two-dimensional differential addition chains are used to efficiently compute the function P, Q, P - Q |- mP + nQ on an elliptic curve. I will present two new constructive upper bounds on the costs of two-dimensional differential addition chains. My new `binary' chain is very easy to compute and uses 3 additions (14 field multiplications in the elliptic-curve context) per exponent bit, with a uniform structure that helps cryptographers protect against side-channel attacks. My new `extended-gcd' chain takes more time to compute, does not have the uniform structure, and is not easy to analyze, but experiments show that it takes only about 1.77 additions (9.97 field multiplications) per exponent bit.

2006.04.03 17:306 mincontributed lectureGermanyresearchers[PDF slides] [soylentnews.org] SHARCS 2006. Dorint Kongress Hotel, Cologne. ``eBATS: ECRYPT Benchmarking of Asymmetric Systems.'' 2006.03.14 10:0050 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][video] [cr.yp.to] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 4: polynomial selection.'' 2006.03.13 16:0050 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][video] [cr.yp.to] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 3: the number-field sieve.'' 2006.03.12 16:0050 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][video] [cr.yp.to] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 2: detecting smoothness.'' 2006.03.11 14:3050 mininvited lectureUSAstudents[PDF slides] [soylentnews.org][video] [cr.yp.to] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 1: the Q sieve.'' 2006.02.02 14:2520 minrefereed lectureBelgiumresearchers[PDF slides] [soylentnews.org] SASC 2006 - Stream Ciphers Revisited. College De Valk, Leuven, Belgium. ``Comparison of 256-bit stream ciphers.'' 2005.11.06 19:4050 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Number Theory Inspired By Cryptography (NTIBC) 2005. Banff Centre, Alberta, Canada. ``Compressing RSA/Rabin keys.'' 2005.09.20 09:3060 mininvited lectureDenmarkresearchers[PDF slides] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2005. Denmark Technical University, Copenhagen. ``New speed records for point multiplication.'' 2005.09.19 20:005 mincontributed lectureDenmarkresearchers[PDF slides] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2005. Denmark Technical University, Copenhagen. ``Is 2^{255}-19 big enough?'' Abstract written after the talk:

It is widely asserted that 128-bit AES and a strong 256-bit elliptic curve provide comparable security levels against known attacks. This assertion is false. Known attacks batch and scale much more effectively for 128-bit AES than they do for a strong 256-bit elliptic curve.

2005.07.19 10:4525 mininvited lectureGermanyresearchers[PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Polynomial selection for the number-field sieve, part 2: polynomial merit.'' Abstract written after the talk:

I discussed the smoothness of the values (a-bm)(a^5+f_4 a^4 b+...+f_0 b^5) that appear in the number-field sieve. In particular, I mentioned choosing pairs (a,b) to produce the smallest values; using superelliptic integrals to approximate the number of pairs (a,b); using smoothness probabilities for ideals to approximate smoothness probabilities for a-bx; using power series to approximate Dirichlet series; handling more general notions of smoothness; and, as a future possibility to explore, generalizing to (a-bm+cm^2)(...).

2005.07.08 16:0045 mininvited lectureSpainresearchers[PDF slides] [soylentnews.org] Computational Number Theory Workshop; Foundations of Computational Mathematics (FoCM) 2005. Universidad de Cantabria, Santander, Spain. ``Integer factorization: a progress report.'' Abstract:

There have been several recent improvements to the number-field sieve. I'll explain some of what's going on.

Designated as a semi-plenary talk by the organizers. 2005.06.11 14:4045 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] CAM 2005. University of Central Oklahoma, Edmond, Oklahoma. ``Integer factorization.'' 2005.06.11 10:3060 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] CAM 2005. University of Central Oklahoma, Edmond, Oklahoma. ``The power of parallel computation.'' 2005.06.01 09:0040 mininvited lecturePolandresearchers[PDF slides] [soylentnews.org] ENIGMA 2005. Warsaw, Poland. ``Cache-timing attacks on AES.'' Abstract:

I recently succeeded in extracting a complete AES key from a network server on another computer. The targeted server used its key solely to encrypt data using the OpenSSL AES implementation on a Pentium III. I will explain the AES design error that led to this attack, and I will discuss the difficult problem of stopping the attack.

2005.05.30 11:0090 mininvited lecturePolandresearchers[PDF slides] [soylentnews.org] Quo Vadis Cryptology? Advances in Cryptanalysis. Warsaw, Poland. ``The power of parallel computation.'' Abstract:

There is a widespread myth that parallelizing a computation cannot improve its price-performance ratio. Cryptographers often wildly overstate the cost of an attack because they are restricting attention to serial computers. I will explain what is known---and what is not known---about the gains that can be achieved from massive parallelism. I will, in particular, discuss the problem of integer factorization.

2005.05.27 10:4512 minrefereed lectureDenmarkresearchers[PDF slides] [soylentnews.org] ECRYPT STVL Workshop on Symmetric Key Encryption (SKEW 2005). Scandinavian Congress Center, Aarhus. ``Understanding brute force.'' 2005.05.26 14:1512 minrefereed lectureDenmarkresearchers[PDF slides] [soylentnews.org] ECRYPT STVL Workshop on Symmetric Key Encryption (SKEW 2005). Scandinavian Congress Center, Aarhus. ``The Salsa20 stream cipher.'' 2005.05.23 16:1025 minrefereed lectureDenmarkresearchers[PDF slides] [soylentnews.org] Eurocrypt 2005. Scandinavian Congress Center, Aarhus. ``Stronger security bounds for Wegman-Carter-Shoup authenticators.'' 2005.05.19 14:0050 mininvited lectureDenmarklocal researchers[PDF slides] [soylentnews.org] Seminar, Department of Mathematics, Technical University of Denmark, Copenhagen. ``High-speed elliptic-curve cryptography.'' Abstract:

I'll explain the techniques used to set speed records for elliptic-curve Diffie-Hellman on popular CPUs. You do not need prior knowledge of computer microarchitecture.

2005.04.26 16:0015 mininvited lectureUSAlocal faculty[video at uic.edu] [uic.edu] University of Illinois at Chicago. On panel responding to 2005 Nakata Lecture by R. Michael Tanner on Universities and the Ecology of Scholarly Publication. Look, Ma: no matter where the camera is pointing, I can escape it! 2005.02.25 09:0060 mininvited lectureFranceresearchers[PDF slides] [soylentnews.org] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS). Paris. ``Building circuits for integer factorization.'' Abstract:

I'll present my latest work on verifiable upper bounds for the money and time needed to factor 1024-bit integers. One important observation is that the switch from conventional computers to mesh computers produces even larger gains for the elliptic-curve method than for the number-field sieve.

2005.02.21 16:524 mincontributed lectureFranceresearchers[PDF slides] [soylentnews.org] FSE 2005: 12th International Workshop on Fast Software Encryption. ENSTA, Paris. ``Have any challenges for qhasm?'' 2005.02.21 10:0525 minrefereed lectureFranceresearchers[PDF slides] [soylentnews.org][approximate transcript] [soylentnews.org] FSE 2005: 12th International Workshop on Fast Software Encryption. ENSTA, Paris. ``The Poly1305-AES message-authentication code.'' Abstract:

Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. I'll discuss the security of Poly1305-AES, the speed of Poly1305-AES, and five forms of deceptive benchmarks in the cryptographic literature.

2005.02.15 14:0050 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Computer Security Seminar, Department of Computer Science, University of Illinois at Chicago. ``The Poly1305-AES message-authentication code.'' Abstract:

Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. I'll start by defining the Poly1305-AES function and explaining how it is used to authenticate messages. I'll then fit Poly1305-AES into a larger framework, comparing it to other functions such as HMAC-MD5 and explaining the security impact of various choices within the framework. After that I'll focus on speed: I'll review the speeds discussed in the cryptographic literature, I'll present timings for my new Poly1305-AES software, and I'll explain the techniques used to build that software.

(I decided to spend more time on the framework; I finished the framework by the end of the talk and then skipped to the URLs.) 2004.11.19 14:0050 mininvited lectureCanadalocal researchers[PDF slides] [soylentnews.org] Discrete Math Seminar, Department of Mathematics and Statistics, University of Calgary. ``Faster factorization into coprimes.'' Abstract:

How quickly can we factor a set of positive integers into coprimes? The obvious algorithm takes cubic time. Bach, Driscoll, and Shallit achieved quadratic time in 1990. I achieved essentially linear time in 1995. The point of this talk is to announce a new algorithm that takes time just n(lg n)^{4+o(1)} where n is the number of input bits.

The bottlenecks in several common number-theoretic computations---elliptic-curve primality proving, for example, and the number-field sieve---can be viewed as highly constrained examples of factoring into coprimes. This view is traditionally ignored, because the constraints allow many special-purpose techniques that seem to handle the examples well. A surprising discovery over the last few years is that coprime factorization has surpassed the special-purpose techniques, saving time in these computations.

2004.11.15 14:0060 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Explicit Methods in Number Theory. Banff Centre, Alberta. ``Three algorithms related to the number-field sieve.'' Abstract:

1. The number-field sieve tries to factor an integer n by inspecting values of the homogeneous form of a polynomial related to n. What is the size distribution of those values? I'll explain a fast algorithm to evaluate the relevant superelliptic integral. 2. How long does it take to find a polynomial of, say, degree 6, whose values are B times smaller than typical? The best method in the literature is conjectured to search about B^4.5 polynomials. I'll explain an algorithm, using four-dimensional lattice reduction, that is conjectured to search only about B^3.5 polynomials. 3. The bottleneck in the fastest known method to inspect values is computing a large integer modulo many small integers. How long does this take? I'll explain an algorithm that's 2.6+o(1) times faster than the previous record.

2004.09.16 15:0060 mininvited lectureUSAlocal students[PDF slides] [soylentnews.org] Colloquium aimed at graduate students, University of Illinois at Chicago. ``A state-of-the-art public-key signature system.'' Abstract:

Hand-written signatures don't prevent forgery: they can be copied from one message to another. This talk is an introduction to cryptography, and specifically to public-key signatures, which are conjectured to prevent forgery. I'll describe a modern public-key signature system: how it works, why it was designed the way it was, and what has been proven about its security.

2004.08.17 20:355 mincontributed lectureUSAresearchers[PDF slides] [soylentnews.org] Crypto 2004. Santa Barbara. ``Stop overestimating RSA bandwidth!'' 2004.07.29 15:0060 mininvited lectureAustralialocal researchers[PDF slides] [soylentnews.org] Computational Algebra Seminar, School of Mathematics and Statistics, University of Sydney. ``Factorization myths.'' 2004.07.07 11:0060 mininvited lectureAustraliaresearchers[PDF slides] [soylentnews.org] Polynomial-Based Cryptography. University of Melbourne. ``How to find smooth parts of integers.'' 2004.06.24 10:2025 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org][approximate transcript] [soylentnews.org] Special Session on Computational Number Theory; Canadian Number Theory Association (CNTA) VIII. University of Toronto, Ontario. ``Doubly focused enumeration in two dimensions.'' Abstract:

Doubly focused enumeration speeds up various sieving tasks by a factor of about 1000. My original formulation of doubly focused enumeration was limited to one-dimensional problems, such as proving primality of medium-size integers. In this talk I will explain doubly focused enumeration for higher-dimensional problems, such as sieving for locally square Gaussian integers. Prior exposure to computational geometry is not required.

2004.06.14 09:0060 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org][approximate transcript] [soylentnews.org] Algorithmic Number Theory Symposium (ANTS) VI. University of Vermont, Burlington. ``Factorization myths.'' Abstract written after the talk:

1. We want to find all relations.
2. Sieving is the ultimate test for fully factored inputs.
3. The second small-factor test is not a bottleneck.
4. ECM is the ultimate non-sieving small-factor test.
5. We must have a factor base.
6. Coppersmith's NFS variant is not practical.
7. The direct square-root method is a bottleneck.
8. We want to minimize time on a conventional computer.
9. Mesh architectures simply make everything faster.
10. MPQS beats ECM for finding huge factors.

2004.05.14 09:0030 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org][approximate transcript] [soylentnews.org] Special Session on Coding Theory and Cryptography; Sixth International Joint Meeting, American Mathematical Society (AMS) and Sociedad Matematica Mexicana. Hyatt Regency Houston, Texas. ``How to find smooth parts of integers.'' Abstract:

You're given a set P of primes and a sequence S of integers. Which of the integers in S are P-smooth? What is the largest P-smooth divisor of each integer? What are all the factors from P of each integer? These questions occur in many applications: computing discrete logarithms, for example, and proving primality. I previously pointed out an algorithm that answers all three questions in time b (log b)^{3+o(1)}, where b is the total number of bits in P and S. Franke, Kleinjung, Morain, and Wirth, in a recent paper on ECPP, pointed out an algorithm variant that answers only the first two questions but that typically takes time only b (log b)^{2+o(1)}. In this talk I will present an algorithm that always answers the first two questions in time b (log b)^{2+o(1)}.

2004.04.28 11:0050 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Special Seminar, Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign. ``The DNS security mess.'' 2003.11.08 16:4020 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] MPKC 2003: Mathematics of Public Key Cryptography. University of Illinois at Chicago. ``More news from the Rabin-Williams front.'' 2003.11.08 15:1020 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] MPKC 2003: Mathematics of Public Key Cryptography. University of Illinois at Chicago. ``News from the Rabin-Williams front.'' 2003.07.2420 mincontributed lectureGermanyresearchers Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Translating Chudnovsky into English.'' Asymptotically fast computation of exponential integrals. 2003.05.26 11:0030 mininvited lectureCanadaresearchers[PDF slides] [soylentnews.org] Conference in Number Theory in Honour of Professor H. C. Williams. Banff Centre, Alberta. ``Doubly focused enumeration of locally square polynomial values.'' Abstract:

It is well known that one can accelerate a broad class of sieving problems by precomputing information for various primes. It is not well known that the number of precomputed primes can be nearly doubled beyond the obvious limit. As a typical application, I'll present the results of a record-setting `pseudosquare' computation, i.e., an enumeration of locally square integers.

2003.05.10invited lectureUSAresearchers Midwest Algebraic Number Theory Day. ``Sharper ABC-based bounds for congruent polynomials.'' 2003.05.03 17:0040 mininvited lectureUSAresearchers Special Session on Geometry and Arithmetic over Finite Fields; Western Section Meeting, American Mathematical Society (AMS). San Francisco, California. ``Sharper ABC-based bounds for congruent polynomials.'' Abstract:

The speed of the Agrawal-Kayal-Saxena primality-proving algorithm depends on proven lower bounds for the size of the multiplicative semigroup generated by several polynomials modulo another polynomial h. Voloch pointed out an application of the ABC theorem in this context: under mild assumptions, distinct polynomials A,B,C of degree at most 1.2 deg h - 0.2 deg rad ABC cannot all be the same modulo h. I'll present two improvements in the combinatorial part of Voloch's argument. The first improvement moves the degree bound up to 2 deg h - deg rad ABC; the second improvement generalizes to m=3 polynomials A_1,...,A_m, with a degree bound of ((3m-5)/(3m-7)) deg h - (6/m(3m-7)) deg rad A_1...A_m.

2003.04.24 08:0075 mininvited lectureUSAlocal students[PDF slides] [soylentnews.org] Class talk, Butler University. ``Compressing RSA keys and signatures.'' Abstract:

Public-key signatures can be used to protect Internet packets against unauthorized modification. However, it is often difficult to fit a message, a key, and a signature into a single Internet packet.

Elliptic-curve cryptography is often advertised as offering much shorter keys and signatures than RSA. For example, 224-bit elliptic-curve keys with 448-bit signatures offer the same apparent security as 1536-bit RSA keys with 1536-bit signatures. On the other hand, RSA signature verification is much faster than elliptic-curve signature verification.

It turns out to be possible to compress RSA keys and signatures to a fraction of their original size. Even better compression is possible for the Rabin system, an improved version of RSA. This talk will explain the latest compression techniques.

2003.04.04 15:3045 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Special Session on Cryptography and Computational and Algorithmic Number Theory; Central Section Meeting, American Mathematical Society (AMS). Indiana University, Bloomington. ``Randomized primality proving in essentially quartic time.'' Abstract:

In August 2002, Agrawal, Kayal, and Saxena published a new way to prove that integers are prime. A modified approach, generalizing an idea of Berrizbeitia, allows substantially shorter proofs. I'll present a typical proof of this type, that an integer satisfying certain conditions must be prime. I'll also discuss the question of whether this approach is competitive in practice with previous primality-proving methods.

2003.04.03 14:0050 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Algebraic Number Theory Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``Sharper ABC-based bounds for congruent polynomials.'' Abstract:

Agrawal, Kayal, and Saxena recently introduced a new method of proving that an integer is prime. The speed of the Agrawal-Kayal-Saxena method depends on proven lower bounds for the size of the group generated by several elements of a finite field. I will discuss an intriguing idea introduced by Voloch for using ABC to obtain such lower bounds.

2003.03.26 11:3030 mininvited lectureUSAresearchers Future directions in algorithmic number theory. American Institute of Mathematics, Palo Alto, California. ``Rethinking the number-field sieve: an update.'' 2003.03.25 15:4560 mininvited lectureUSAresearchers Future directions in algorithmic number theory. American Institute of Mathematics, Palo Alto, California. ``Randomized primality proving in essentially quartic time.'' 2003.03.23 09:3045 mininvited lectureUSAresearchers[PDF slides] [soylentnews.org] Lenstra Treurfeest. ``A new proof that 83 is prime.'' 2003.03.1860 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Seminar, Sun Microsystems. ``The DNS security mess.'' 2003.02.1160 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Security Seminar, Computer Science Department, Stanford University. ``The DNS security mess.'' Abstract:

The Domain Name System publishes records such as ``www.stanford.edu has IP address 171.64.14.239.'' An attacker can easily forge these records, stealing your incoming and outgoing mail, web connections, etc.

Stopping DNS forgeries is a straightforward application of public-key cryptographic signatures. Or is it? After ten years of effort, the DNSSEC implementors are making comments like ``We're still doing basic research on what kind of data model will work for dns security ... wonder if THIS'll work? ... We're starting from scratch.''

Why is it so hard to protect DNS against forgery? Is DNS security going to remain an abject failure for another ten years? This talk is a case study of the integration of cryptography into the real world.

2002.10.3150 mininvited lectureUSAlocal researchers[PDF slides] [soylentnews.org] Colloquium, Department of Mathematics, University of California at Berkeley. ``Proving primality.'' Abstract:

I'll survey techniques for distinguishing prime numbers from composite numbers. In particular, I'll explain the August 2002 Agrawal-Kayal-Saxena theorem, which gave a remarkably simple solution to the long-standing `PRIMES in P' problem.

2002.08.205 mincontributed lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Crypto 2002. Santa Barbara. ``The cost of integer factorization.'' [nfscircuit paper] [soylentnews.org]2002.08.2010 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Crypto 2002. Santa Barbara. ``Deterministic polynomial-time primality tests.'' [aks paper] [soylentnews.org]2002.06.1525 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Symposium on Cryptography; 2002 Summer Meeting, Canadian Mathematical Society (CMS). University of Laval, Quebec. ``Speed records for cryptographic software: an update.'' Abstract:

I'll present the latest speed records for software implementations of secret-key message authentication, public-key signature verification, and public-key secret sharing.

2002.04.2450 mininvited lectureUSAlocal researchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Mathematics and Applications Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Finding roots of high-degree polynomials.'' Abstract:

Consider the problem of computing the complex roots of a polynomial in one variable, given the coefficients of the polynomial. In the first half of this talk, I'll discuss algebraic algorithms that, in a fantasy world of exact arithmetic, compute sequences converging to the roots. In the second half, I'll switch to the real world of limited-precision arithmetic, and present a surprisingly fast root-finding algorithm that relies on multiplication of extremely large integers. The audience will not be assumed to have any prior knowledge of numerical analysis.

2002.01.2850 mininvited lectureUSAlocal researchers Colloquium, Department of Mathematics, University of Pittsburgh. ``Is a 2048-bit factorization worth $200,000?'' Abstract:

In this talk, I will (1) explain why cash rewards are available for anyone who finds the prime factors of certain integers; (2) present a simple example of a modern integer-factorization algorithm; (3) summarize the performance of state-of-the-art algorithms; and (4) explain how to choose good parameters in these algorithms. If time permits, I'll talk about fast Fourier transforms, generalized power series, better-than-perfect parallelization, and how easy it is to disable the Internet.

2001.11.0260 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Midwest Arithmetical Geometry in Cryptography (MAGC). University of Illinois at Urbana-Champaign. ``A complete software implementation of NIST P-224.'' Abstract:

This is the conclusion of a series of three talks on nistp224, a fast software library to perform Diffie-Hellman key exchange on the NIST P-224 elliptic curve. In this talk, I'll focus on non-x86 processors such as the UltraSPARC; I'll explain in detail how nistp224 performs field multiplication and elliptic-curve multiplication. You do not need to have attended the first talk, in which I explained how nistp224 computes square roots, or the second talk, in which I focused on x86 processors.

[nistp224 software] [soylentnews.org]2001.10.2960 mininvited lectureCanadaresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Elliptic Curve Cryptography (ECC) 2001. University of Waterloo, Ontario. ``A software implementation of NIST P-224.'' Abstract:

This is the second in a series of three talks on nistp224, an easy-to-use software library to perform compressed Diffie-Hellman key exchange on the NIST P-224 elliptic curve at record-setting speeds. In this talk, I'll focus on x86 processors such as the Pentium III; I'll explain in detail how nistp224 performs field multiplication and elliptic-curve multiplication. In the first talk, I explained how nistp224 computes square roots. In the third talk, at the MAGC meeting in Urbana, I'll focus on non-x86 processors such as the UltraSPARC.

[nistp224 software] [soylentnews.org]2001.09.2230 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Special Session on Cryptography and Computational and Algorithmic Number Theory; Central Section Meeting, American Mathematical Society (AMS). Ohio State University, Columbus. ``Elliptic curve cryptography: the case of NIST P-224.'' Preliminary abstract:

In this talk I'll explain how to use a particular elliptic curve for high-speed public-key cryptography.

Abstract:

This is the first in a series of three talks on nistp224, an easy-to-use software library to perform compressed Diffie-Hellman key exchange on the NIST P-224 elliptic curve at record-setting speeds. In this talk, I'll explain what this means, why it is useful, and a small part of how it works: specifically, an accelerated version of Tonelli's algorithm for computing square roots. Prior exposure to cryptography is not required. In the second and third talks, at the ECC meeting in Waterloo and the MAGC meeting in Urbana, I'll explain the rest of how nistp224 works.

[sqroot paper] [soylentnews.org][nistp224 software] [soylentnews.org]2001.07.2735 mininvited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Finding polynomial values of small height.'' Unofficial title: ``The algorithm of Hastad, Vallee, Girault, Toffin, Coppersmith, Guruswami, Goldreich, Ron, Sudan, Durfee, Howgrave-Graham, and Boneh.'' The organizers offered me a 45-minute slot; in retrospect, I should have taken it. [smallheight paper] [soylentnews.org]2001.06.1345 mininvited lectureUSAlocal researchers Seminar, Cambridge Research Laboratory, Compaq Computer Corporation, Cambridge, Massachusetts. ``The state of the art in RSA-type signatures.'' Abstract:

In this talk I'll explain in detail how a modern public-key signature system works: the good, the bad, and the ugly. You are not required to know anything about cryptography in advance.

[sigs software] [soylentnews.org][sigs paper] [soylentnews.org]2001.05.1440 mininvited lectureGermanyresearchers[original PS slides] [soylentnews.org] Algorithms and Number Theory. Schloss Dagstuhl. ``An introduction to Schimmler sorting.'' Abstract written after the talk:

One can sort n^2 numbers on an nxn processor mesh in O(n) parallel compare-exchange steps. Schimmler's algorithm is a very simple algorithm that uses 8n-8 steps. I explained (1) odd-even transposition sorting; (2) Schimmler sorting; (3) the relevance of these results to integer factorization.

Schimmler sorting is one good choice of sorting algorithm for the NSA sieving circuit. [nfscircuit paper] [soylentnews.org]2001.05.076 mincontributed lectureAustriaresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Eurocrypt 2001. Innsbruck. ``The NSA sieving circuit.'' [nfscircuit paper] [soylentnews.org]2001.03.2350 mininvited lectureUSAlocal researchers[vertical PDF slides] [soylentnews.org] Seminar, Computer Science Department, Butler University. ``The NSA sieving circuit.'' Abstract:

Sieving is the heart of modern algorithms to find the prime factors of an integer---in particular, to break the RSA cryptosystem. This talk will give examples of sieving, explain the relevance of sieving to factorization, and describe a sieving circuit that is asymptotically much faster than previously published hardware designs at the same cost. It is possible that the circuit has already been built in secret by a major government.

[nfscircuit paper] [soylentnews.org]2000.10.2060 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org][video] [cr.yp.to][video at www.msri.org] [msri.org] Number-Theoretic Cryptography. Mathematical Sciences Research Institute, Berkeley, California. ``Design and implementation of a public-key signature system.'' [sigs software] [soylentnews.org][sigs paper] [soylentnews.org]2000.10.0648 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, University of California at Berkeley. ``Arbitrarily precise bounds on smooth integers.'' Abstract:

An integer is called smooth if all its prime divisors are small. Rough asymptotics for the distribution of smooth integers have been obtained by Dickman, de Bruijn, Canfield, Erdos, Pomerance, Hildebrand, Tenenbaum, et al., and used in a variety of applications. I'll present tight bounds on the distribution of smooth integers and analyze how quickly the bounds can be computed. If time permits, I'll explain the relevance of these bounds to modern integer factorization algorithms.

[psibound software] [soylentnews.org][psi paper] [soylentnews.org]2000.09.0750 mininvited lectureUSAlocal researchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Colloquium, Department of Mathematics, University of California at Berkeley. ``Factoring into coprimes.'' Abstract:

We do not know a fast algorithm to factor integers into primes. We do, however, know a fast algorithm to factor integers into coprimes. Coprimes suffice for many applications. This talk will describe some of those applications, explain exactly how fast the algorithm is, and present some of the techniques behind the proof.

[dcba paper] [soylentnews.org]2000.08.1860 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org][video] [cr.yp.to][video at www.msri.org] [msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Protecting communications against forgery'': a survey of secret-key authentication, public-key authentication, and public-key signatures. [forgery paper] [soylentnews.org]2000.08.1560 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org][video] [cr.yp.to][video at www.msri.org] [msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Applications of fast multiplication.'' [multapps paper] [soylentnews.org]2000.08.1460 mininvited lectureUSAresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org][video] [cr.yp.to][video at www.msri.org] [msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Fast multiplication.'' [multapps paper] [soylentnews.org]2000.07.2750 mininvited lectureEnglandresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] London Mathematical Society (LMS) Durham Symposium on Computational Number Theory. University of Durham. ``Rethinking the number field sieve.'' Abstract:

How quickly can we factor 300-digit integers? This talk will review the number field sieve and explain some recent improvements.

[smallfactors software] [soylentnews.org][psibound software] [soylentnews.org][sf paper] [soylentnews.org][dcba paper] [soylentnews.org][psi paper] [soylentnews.org][mlnfs paper] [soylentnews.org]2000.06.2730 mininvited lectureRussiaresearchers Session on Algebraic Algorithms and Complexity, 6th IMACS Conference on Applications of Computer Algebra (ACA). Shuvalov Palace, St. Petersburg. Preliminary title: ``How quickly can we split generic polynomials?'' Final title: ``High-precision high-degree polynomial factorization (preliminary report).'' [fastgraeffe paper] [soylentnews.org]2000.06.1025 mininvited lectureCanadaresearchers Session on Cryptography and Number Theory, Canadian Mathematical Society summer meeting, MATH 2000. McMaster University, Hamilton, Ontario. ``Sieving in cache.'' Abstract:

Modern integer factorization algorithms do not need as much memory for sieving as is commonly believed. This talk will explain how tomorrow's factoring projects can take advantage of fast arithmetic on stupendously large integers.

[smallfactors software] [soylentnews.org][sf paper] [soylentnews.org]2000.05.2230 mininvited lectureUSAresearchers Millennial Conference in Number Theory. University of Illinois at Urbana-Champaign. ``Arbitrarily precise bounds on the distribution of smooth integers.'' Abstract:

Psibound is new software to approximate the number of integers in [1,x] that factor into integers in [1,y]. This talk will explain the mathematics behind Psibound and show some results.

[psibound software] [soylentnews.org][psi paper] [soylentnews.org]2000.04.0820 mininvited lectureUSAresearchers Special Session on Number Theory, Algorithms, and Cryptography; Central Section Meeting, American Mathematical Society (AMS). University of Notre Dame, Indiana. ``Faster multiplication of integers.'' Abstract:

Zmult is new software to multiply integers of various sizes on common general-purpose computers. This talk will explain, from the perspective of a mathematician and a programmer, why Zmult is so fast.

[Zmult software] [soylentnews.org][m3 paper] [soylentnews.org]1999.10.13 10:4540 mininvited lectureChinaresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Workshop on Complexity of Equation Solving and Algebra, Foundations of Computational Mathematics. City University of Hong Kong. ``Solving equations to high precision'': reducing the algebraic complexity of Newton's method. [fastnewton paper] [soylentnews.org]1999.07.06invited lectureGermanyresearchers[vertical PDF slides] [soylentnews.org][original PS slides] [soylentnews.org] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Counting rational points by brute force'': fast algorithms to find all points of low height on the Euler-Elkies surface. [sortedsums software] [soylentnews.org][sortedsums paper] [soylentnews.org]1999.06.1320 mincontributed lectureCanadaresearchers The Mathematics of Public-Key Cryptography. Fields Institute, Toronto, Ontario. ``Guaranteed message authentication faster than MD5.'' [hash127 software] [soylentnews.org][hash127 paper] [soylentnews.org]1999.02.2350 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``Fast, arbitrarily precise computation of Psi.'' Abstract:

In this talk I will explain how to compute arbitrarily precise upper and lower bounds for Psi(x,y), the number of integers in [1,x] without prime divisors exceeding y. Along the way I will explain the state of the art in fast Fourier transforms, high-precision power series exponentiation, and enumeration of small primes.

[psibound software] [soylentnews.org][primegen software] [soylentnews.org][djbfft software] [soylentnews.org][psi paper] [soylentnews.org][primesieves paper] [soylentnews.org][m3 paper] [soylentnews.org][fastnewton paper] [soylentnews.org]1999.02.2350 mininvited lectureUSAlocal faculty Mathematics in Science and Society Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``How to become an international arms dealer'': an introduction to cryptography. 1998.10.2930 mininvited lectureGermanyresearchers Algorithms and Number Theory. Schloss Dagstuhl. ``Ten topics in computational number theory.'' Abstract:

1. Fast Fourier transforms.
2. Dividing power series.
3. Exponentiating power series.
4. Enumerating primes.
5. Bounding smooth integers.
6. Smooth polynomial values.
7. Square products.
8. Pomerance's conjecture.
9. Estimating transition time.
10. Estimating factorization time.

This was a talk on estimating the speed of the quadratic sieve and the number field sieve. 1998.09.12invited lectureUSAresearchers Special Session on Number Theory; Central Section Meeting, American Mathematical Society (AMS). DePaul University, Chicago, Illinois. ``Estimating the speed of the quadratic sieve (preliminary report).'' 1998.06.2120 minrefereed lectureUSAresearchers Algorithmic Number Theory Symposium (ANTS) III. Reed College, Portland, Oregon. ``Bounding smooth integers.'' [psibound software] [soylentnews.org][psi paper] [soylentnews.org]1998.02.1350 mininvited lectureUSAlocal researchers Colloquium, Department of Mathematics, Statistics, and Computer Science. University of Illinois at Chicago. ``Computing everything in essentially linear time'': computational one-dimensional commutative algebra. 1997.12.0350 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Improving on the Sieve of Eratosthenes,'' talk given jointly with A. O. L. Atkin. Abstract:

This talk has two parts. The first part will explain how the Sieve of Eratosthenes, a simple method of computing the primes up to N, can be sped up to O(N) additions with roughly N^{1/2} bits of storage, or O(N/log log N) additions with roughly N bits of storage. The second part will explain a new method, relying on quadratic forms, that uses O(N/log log N) additions with roughly N^{1/2} bits of storage.

[primegen software] [soylentnews.org][primesieves paper] [soylentnews.org]1997.11.1950 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Factoring into coprimes in essentially linear time.'' Abstract:

It is not easy to factor integers into primes. The point of this talk is that it is easy to factor integers into coprimes. I will (1) give some examples where coprimes are an adequate substitute for primes, (2) explain the Bach-Driscoll-Shallit quadratic-time factorization method, and (3) describe my essentially-linear-time factorization method.

[dcba paper] [soylentnews.org]1997.10.2520 mininvited lectureUSAresearchers Special Session on Number Theory and Cryptography; Central Section Meeting, American Mathematical Society (AMS). University of Wisconsin at Milwaukee. ``A secure digital signature system with verification ten times faster than RSA.'' [sigs software] [soylentnews.org][sigs paper] [soylentnews.org]1997.05.30invited lectureGermanyresearchers Computational Aspects of Commutative Algebra and Algebraic Geometry. Schloss Dagstuhl. ``Composing power series over a finite ring in essentially linear time.'' Abstract written after the talk:

Fix a finite commutative ring R. Let u and v be power series over R, with v(0)=0. I presented an algorithm that computes the first n terms of the composition u(v), given the first n terms of u and v, in n^{1+o(1)} ring operations. The algorithm is very fast in practice when char R is a product of small primes.

[compose paper] [soylentnews.org]1997.03.1750 mininvited lectureUSAlocal researchers Seminar, Department of Mathematics and Computer Science, Butler University. ``The world's fastest digital signature system.'' Abstract:

A digital signature system works as follows: you create and publish a seal; you, and only you, can sign a document under that seal; anyone can verify your signature. For widely published documents it is crucial that verification be as fast as possible. The Rabin-Williams system, which is provably as secure as factorization, allows verification in less time than any other system known... until now. I will exhibit a new signature system with the same security and signing speed as Rabin-Williams but with much faster verification.

[sigs software] [soylentnews.org][sigs paper] [soylentnews.org]1997.03.0730 mininvited lectureUSAresearchers Mathematics of Cryptography and Security. Southwest Regional Institute in the Mathematical Sciences (SWRIMS), University of Arizona, Tucson. ``The world's fastest digital signature system.'' [sigs software] [soylentnews.org][sigs paper] [soylentnews.org]1996.05.2220 minrefereed lectureFranceresearchers Algorithmic Number Theory Symposium (ANTS) II. University of Bordeaux. ``Fast ideal arithmetic via lazy localization.'' [fiall paper] [soylentnews.org]1995.12.0240 mininvited lectureUSAresearchers Midwest Algebraic Number Theory Day III. University of Michigan, Ann Arbor. ``Fast ideal arithmetic via lazy localization.'' [fiall paper] [soylentnews.org]1995.11.1550 mininvited lectureUSAlocal researchers Computer Science Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Universal pattern-matching automaton. [unipat paper] [soylentnews.org]1995.10.1750 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Generalized Gaussian elimination. 1995.10.0350 mininvited lectureUSAlocal researchers Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Survey of topics related to number field sieve. 1995.05invited lectureGermanyresearchersComputational Number Theory [www.mfo.de]. Mathematisches Forschungsinstitut, Oberwolfach. Multidigit modular multiplication with ECRT. [mmecrt paper] [soylentnews.org]1995.04.0550 mininvited lectureUSAlocal researchers Number Theory Seminar, Department of Mathematics, University of California at Berkeley. ``Detecting perfect powers.'' Abstract:

Let n be a positive integer. Is n a perfect power? I'll describe an algorithm that answers this question in time (log n)^{1+o(1)}---i.e., about as quickly as we can read the digits of n. The time analysis requires some recent results from transcendental number theory.

[powers paper] [soylentnews.org]1995.03.0150 mininvited lectureUSAlocal researchers Colloquium, Department of Mathematics, Statistics, and Computer Science. University of Illinois at Chicago. Detecting perfect powers. [powers paper] [soylentnews.org]1995.02.06invited lectureUSAlocal researchers Seminar, Department of Mathematics, Texas A&M University, College Station, Texas. Detecting perfect powers. [powers paper] [soylentnews.org]1994.10.12invited lectureGermanyresearchers Algorithms and Number Theory. Schloss Dagstuhl. Preliminary report on detecting perfect powers. [powers paper] [soylentnews.org]1994.05.0245 mininvited lectureCanadaresearchers Computational Number Theory. Fields Institute, Waterloo, Ontario. ``Practical aspects of the number field sieve.'' This talk included the first public announcement of the multiple-lattice number field sieve. [nfsi paper] [soylentnews.org][mlnfs paper] [soylentnews.org]1992.12contributed lectureUSAresearchers West Coast Number Theory Conference. Oregon State University, Corvallis. Computing Dickman's rho function. 1992.12contributed lectureUSAresearchers West Coast Number Theory Conference. Oregon State University, Corvallis. 3x+1 results. 1987.06.0110 mincontributed lectureUSAresearchers Ramanujan Centenary Conference. University of Illinois at Urbana-Champaign. ``New fast algorithms for pi and e.''

Post-quantum cryptography - Wikipedia [wikipedia.org]:

Cryptography secured against quantum computers

In cryptography [wikipedia.org], post-quantum cryptography (PQC) (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic [wikipedia.org] algorithms (usually public-key [wikipedia.org] algorithms) that are thought to be secure against a cryptanalytic attack [wikipedia.org] by a quantum computer [wikipedia.org]. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem [wikipedia.org], the discrete logarithm problem [wikipedia.org] or the elliptic-curve discrete logarithm problem [wikipedia.org]. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm [wikipedia.org].[1][2]

Even though current quantum computers lack processing power [wikipedia.org] to break any real cryptographic algorithm,[3] many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat. This work has gained greater attention from academics and industry through the PQCrypto conference [wikipedia.org] series since 2006 and more recently by several workshops on Quantum Safe Cryptography hosted by the European Telecommunications Standards Institute [wikipedia.org] (ETSI) and the Institute for Quantum Computing [wikipedia.org].[4][5][6] The rumoured existence of widespread harvest now, decrypt later [wikipedia.org] programs has also been seen as a motivation for the early introduction of post-quantum algorithms, as data recorded now may still remain sensitive many years into the future.[7][8]

In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms [wikipedia.org] and hash functions [wikipedia.org] are considered to be relatively secure against attacks by quantum computers.[2][9] While the quantum Grover's algorithm [wikipedia.org] does speed up attacks against symmetric ciphers, doubling the key size can effectively block these attacks.[10] Thus post-quantum symmetric cryptography does not need to differ significantly from current symmetric cryptography.

Algorithms[edit [wikipedia.org]]

Currently post-quantum cryptography research is mostly focused on six different approaches:[2][5]

Lattice-based cryptography[edit [wikipedia.org]] Main article: Lattice-based cryptography [wikipedia.org]

This approach includes cryptographic systems such as learning with errors [wikipedia.org], ring learning with errors [wikipedia.org] (ring-LWE [wikipedia.org]),[11][12][13] the ring learning with errors key exchange [wikipedia.org] and the ring learning with errors signature [wikipedia.org], the older NTRU [wikipedia.org] or GGH [wikipedia.org] encryption schemes, and the newer NTRU signature [wikipedia.org] and BLISS signatures [wikipedia.org].[14] Some of these schemes like NTRU encryption have been studied for many years without anyone finding a feasible attack. Others like the ring-LWE algorithms have proofs that their security reduces to a worst-case problem.[15] The Post Quantum Cryptography Study Group sponsored by the European Commission suggested that the Stehle–Steinfeld variant of NTRU be studied for standardization rather than the NTRU algorithm.[16][17] At that time, NTRU was still patented. Studies have indicated that NTRU may have more secure properties than other lattice based algorithms.[18]

Multivariate cryptography[edit [wikipedia.org]] Main article: Multivariate cryptography [wikipedia.org]

This includes cryptographic systems such as the Rainbow (Unbalanced Oil and Vinegar [wikipedia.org]) scheme which is based on the difficulty of solving systems of multivariate equations. Various attempts to build secure multivariate equation encryption schemes have failed. However, multivariate signature schemes like Rainbow could provide the basis for a quantum secure digital signature.[19] There is a patent on the Rainbow Signature Scheme.

Hash-based cryptography[edit [wikipedia.org]] Main article: Hash-based cryptography [wikipedia.org]

This includes cryptographic systems such as Lamport signatures [wikipedia.org], the Merkle signature scheme [wikipedia.org], the XMSS,[20] the SPHINCS,[21] and the WOTS schemes. Hash based digital signatures were invented in the late 1970s by Ralph Merkle [wikipedia.org] and have been studied ever since as an interesting alternative to number-theoretic digital signatures like RSA and DSA. Their primary drawback is that for any hash-based public key, there is a limit on the number of signatures that can be signed using the corresponding set of private keys. This fact had reduced interest in these signatures until interest was revived due to the desire for cryptography that was resistant to attack by quantum computers. There appear to be no patents on the Merkle signature scheme[citation needed [wikipedia.org]] and there exist many non-patented hash functions that could be used with these schemes. The stateful hash-based signature scheme XMSS developed by a team of researchers under the direction of Johannes Buchmann [wikipedia.org] is described in RFC 8391.[22] Note that all the above schemes are one-time or bounded-time signatures, Moni Naor [wikipedia.org] and Moti Yung [wikipedia.org] invented UOWHF [wikipedia.org] hashing in 1989 and designed a signature based on hashing (the Naor-Yung scheme)[23] which can be unlimited-time in use (the first such signature that does not require trapdoor properties).

Code-based cryptography[edit [wikipedia.org]]

This includes cryptographic systems which rely on error-correcting codes [wikipedia.org], such as the McEliece [wikipedia.org] and Niederreiter [wikipedia.org] encryption algorithms and the related Courtois, Finiasz and Sendrier Signature [wikipedia.org] scheme. The original McEliece signature using random Goppa codes [wikipedia.org] has withstood scrutiny for over 40 years. However, many variants of the McEliece scheme, which seek to introduce more structure into the code used in order to reduce the size of the keys, have been shown to be insecure.[24] The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended the McEliece public key encryption system as a candidate for long term protection against attacks by quantum computers.[16]

Isogeny-based cryptography[edit [wikipedia.org]]

These cryptographic systems rely on the properties of isogeny [wikipedia.org] graphs of elliptic curves [wikipedia.org] (and higher-dimensional abelian varieties [wikipedia.org]) over finite fields, in particular supersingular isogeny graphs [wikipedia.org], to create cryptographic systems. Among the more well-known representatives of this field are the Diffie-Hellman [wikipedia.org]-like key exchange CSIDH which can serve as a straightforward quantum-resistant replacement for the Diffie-Hellman and elliptic curve Diffie–Hellman [wikipedia.org] key-exchange methods that are in widespread use today,[25] and the signature scheme SQISign which is based on the categorical equivalence between supersingular elliptic curves and maximal orders in particular types of quaternion algebras.[26] Another widely noticed construction, SIDH/SIKE [wikipedia.org], was spectacularly broken in 2022.[27] The attack is however specific to the SIDH/SIKE family of schemes and does not generalize to other isogeny-based constructions.[28]

Symmetric key quantum resistance[edit [wikipedia.org]]

Provided one uses sufficiently large key sizes, the symmetric key cryptographic systems like AES [wikipedia.org] and SNOW 3G [wikipedia.org] are already resistant to attack by a quantum computer.[29] Further, key management systems and protocols that use symmetric key cryptography instead of public key cryptography like Kerberos [wikipedia.org] and the 3GPP Mobile Network Authentication Structure [wikipedia.org] are also inherently secure against attack by a quantum computer. Given its widespread deployment in the world already, some researchers recommend expanded use of Kerberos-like symmetric key management as an efficient way to get post quantum cryptography today.[30]

Security reductions[edit [wikipedia.org]]

In cryptography research, it is desirable to prove the equivalence of a cryptographic algorithm and a known hard mathematical problem. These proofs are often called "security reductions", and are used to demonstrate the difficulty of cracking the encryption algorithm. In other words, the security of a given cryptographic algorithm is reduced to the security of a known hard problem. Researchers are actively looking for security reductions in the prospects for post quantum cryptography. Current results are given here:

Lattice-based cryptography – Ring-LWE Signature[edit [wikipedia.org]] Further information: Ring learning with errors key exchange [wikipedia.org]

In some versions of Ring-LWE [wikipedia.org] there is a security reduction to the shortest-vector problem (SVP) [wikipedia.org] in a lattice as a lower bound on the security. The SVP is known to be NP-hard [wikipedia.org].[31] Specific ring-LWE systems that have provable security reductions include a variant of Lyubashevsky's ring-LWE signatures defined in a paper by Güneysu, Lyubashevsky, and Pöppelmann.[12] The GLYPH signature scheme is a variant of the Güneysu, Lyubashevsky, and Pöppelmann (GLP) signature [wikipedia.org] which takes into account research results that have come after the publication of the GLP signature in 2012. Another Ring-LWE signature is Ring-TESLA.[32] There also exists a "derandomized variant" of LWE, called Learning with Rounding (LWR), which yields " improved speedup (by eliminating sampling small errors from a Gaussian-like distribution with deterministic errors) and bandwidth."[33] While LWE utilizes the addition of a small error to conceal the lower bits, LWR utilizes rounding for the same purpose.

Lattice-based cryptography – NTRU, BLISS[edit [wikipedia.org]]

The security of the NTRU [wikipedia.org] encryption scheme and the BLISS[14] signature is believed to be related to, but not provably reducible to, the Closest Vector Problem (CVP) [wikipedia.org] in a Lattice. The CVP is known to be NP-hard [wikipedia.org]. The Post Quantum Cryptography Study Group sponsored by the European Commission suggested that the Stehle–Steinfeld variant of NTRU which does have a security reduction be studied for long term use instead of the original NTRU algorithm.[16]

Multivariate cryptography – Unbalanced Oil and Vinegar[edit [wikipedia.org]] Further information: Multivariate cryptography [wikipedia.org]

Unbalanced Oil and Vinegar [wikipedia.org] signature schemes are asymmetric cryptographic [wikipedia.org] primitives based on multivariate polynomials [wikipedia.org] over a finite field [wikipedia.org]F{\displaystyle \mathbb {F} }. Bulygin, Petzoldt and Buchmann have shown a reduction of generic multivariate quadratic UOV systems to the NP-Hard Multivariate Quadratic Equation Solving problem [wikipedia.org].[34]

Hash-based cryptography – Merkle signature scheme[edit [wikipedia.org]] Further information: Hash-based cryptography [wikipedia.org] and Merkle signature scheme [wikipedia.org]

In 2005, Luis Garcia proved that there was a security reduction of Merkle Hash Tree [wikipedia.org] signatures to the security of the underlying hash function. Garcia showed in his paper that if computationally one-way hash functions exist then the Merkle Hash Tree signature is provably secure.[35]

Therefore, if one used a hash function with a provable reduction of security to a known hard problem one would have a provable security reduction of the Merkle tree [wikipedia.org] signature to that known hard problem.[36]

The Post Quantum Cryptography Study Group [wikipedia.org] sponsored by the European Commission [wikipedia.org] has recommended use of Merkle signature scheme for long term security protection against quantum computers.[16]

Code-based cryptography – McEliece[edit [wikipedia.org]] Further information: McEliece cryptosystem [wikipedia.org]

The McEliece Encryption System has a security reduction to the Syndrome Decoding Problem (SDP). The SDP is known to be NP-hard [wikipedia.org][37] The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended the use of this cryptography for long term protection against attack by a quantum computer.[16]

Code-based cryptography – RLCE[edit [wikipedia.org]]

In 2016, Wang proposed a random linear code encryption scheme RLCE[38] which is based on McEliece schemes. RLCE scheme can be constructed using any linear code such as Reed-Solomon code by inserting random columns in the underlying linear code generator matrix.

Supersingular elliptic curve isogeny cryptography[edit [wikipedia.org]] Further information: Supersingular isogeny key exchange [wikipedia.org]

Security is related to the problem of constructing an isogeny between two supersingular curves with the same number of points. The most recent investigation of the difficulty of this problem is by Delfs and Galbraith indicates that this problem is as hard as the inventors of the key exchange suggest that it is.[39] There is no security reduction to a known NP-hard [wikipedia.org] problem.

Comparison[edit [wikipedia.org]]

One common characteristic of many post-quantum cryptography algorithms is that they require larger key sizes than commonly used "pre-quantum" public key algorithms. There are often tradeoffs to be made in key size, computational efficiency and ciphertext or signature size. The table lists some values for different schemes at a 128 bit post-quantum security level.

AlgorithmTypePublic KeyPrivate KeySignature NTRU Encrypt [wikipedia.org][40]Lattice766.25 B842.875 BStreamlined NTRU Prime[citation needed [wikipedia.org]]Lattice154 BRainbow[41]Multivariate124 KB95 KBSPHINCS[21]Hash Signature1 KB1 KB41 KB SPHINCS+[42]Hash Signature32 B64 B8 KB BLISS [wikipedia.org]-IILattice7 KB2 KB5 KB GLP-Variant GLYPH Signature[12][43]Ring-LWE2 KB0.4 KB1.8 KB NewHope [wikipedia.org][44]Ring-LWE2 KB2 KBGoppa-based McEliece [wikipedia.org][16]Code-based1 MB11.5 KBRandom Linear Code based encryption[45]RLCE115 KB3 KBQuasi-cyclic MDPC-based McEliece[46]Code-based1,232 B2,464 BSIDH[47]Isogeny564 B48 BSIDH (compressed keys)[48]Isogeny330 B48 B3072-bit Discrete Lognot PQC384 B32 B96 B 256-bit Elliptic Curvenot PQC32 B32 B65 B

A practical consideration on a choice among post-quantum cryptographic algorithms is the effort required to send public keys over the internet. From this point of view, the Ring-LWE, NTRU, and SIDH algorithms provide key sizes conveniently under 1KB, hash-signature public keys come in under 5KB, and MDPC-based McEliece takes about 1KB. On the other hand, Rainbow schemes require about 125KB and Goppa-based McEliece requires a nearly 1MB key.

Lattice-based cryptography – LWE key exchange and Ring-LWE key exchange[edit [wikipedia.org]] Further information: Ring learning with errors key exchange [wikipedia.org]

The fundamental idea of using LWE and Ring LWE for key exchange was proposed and filed at the University of Cincinnati in 2011 by Jintai Ding. The basic idea comes from the associativity of matrix multiplications, and the errors are used to provide the security. The paper[49] appeared in 2012 after a provisional patent application was filed in 2012.

In 2014, Peikert[50] presented a key transport scheme following the same basic idea of Ding's, where the new idea of sending additional 1 bit signal for rounding in Ding's construction is also utilized. For somewhat greater than 128 bits of security [wikipedia.org], Singh presents a set of parameters which have 6956-bit public keys for the Peikert's scheme.[51] The corresponding private key would be roughly 14,000 bits.

In 2015, an authenticated key exchange with provable forward security following the same basic idea of Ding's was presented at Eurocrypt 2015,[52] which is an extension of the HMQV[53] construction in Crypto2005. The parameters for different security levels from 80 bits to 350 bits, along with the corresponding key sizes are provided in the paper.[52]

Lattice-based cryptography – NTRU encryption[edit [wikipedia.org]] Further information: NTRUEncrypt [wikipedia.org]

For 128 bits of security in NTRU, Hirschhorn, Hoffstein, Howgrave-Graham and Whyte, recommend using a public key represented as a degree 613 polynomial with coefficients mod(210){\displaystyle {\bmod {\left(2^{10}\right)}}}. This results in a public key of 6130 bits. The corresponding private key would be 6743 bits.[40]

Multivariate cryptography – Rainbow signature[edit [wikipedia.org]] Further information: Multivariate cryptography [wikipedia.org]

For 128 bits of security and the smallest signature size in a Rainbow multivariate quadratic equation signature scheme, Petzoldt, Bulygin and Buchmann, recommend using equations in F31{\displaystyle \mathbb {F} _{31}} with a public key size of just over 991,000 bits, a private key of just over 740,000 bits and digital signatures which are 424 bits in length.[41]

Hash-based cryptography – Merkle signature scheme[edit [wikipedia.org]] Further information: Hash-based cryptography [wikipedia.org] and Merkle signature scheme [wikipedia.org]

In order to get 128 bits of security for hash based signatures to sign 1 million messages using the fractal Merkle tree method of Naor Shenhav and Wool the public and private key sizes are roughly 36,000 bits in length.[54]

Code-based cryptography – McEliece[edit [wikipedia.org]] Further information: McEliece cryptosystem [wikipedia.org]

For 128 bits of security in a McEliece scheme, The European Commissions Post Quantum Cryptography Study group recommends using a binary Goppa code of length at least n=6960{\displaystyle n=6960} and dimension at least k=5413{\displaystyle k=5413}, and capable of correcting t=119{\displaystyle t=119} errors. With these parameters the public key for the McEliece system will be a systematic generator matrix whose non-identity part takes k×(n−k)=8373911{\displaystyle k\times (n-k)=8373911} bits. The corresponding private key, which consists of the code support with n=6960{\displaystyle n=6960} elements from GF(213){\displaystyle GF(2^{13})} and a generator polynomial of with t=119{\displaystyle t=119} coefficients from GF(213){\displaystyle GF(2^{13})}, will be 92,027 bits in length[16]

The group is also investigating the use of Quasi-cyclic MDPC codes of length at least n=216+6=65542{\displaystyle n=2^{16}+6=65542} and dimension at least k=215+3=32771{\displaystyle k=2^{15}+3=32771}, and capable of correcting t=264{\displaystyle t=264} errors. With these parameters the public key for the McEliece system will be the first row of a systematic generator matrix whose non-identity part takes k=32771{\displaystyle k=32771} bits. The private key, a quasi-cyclic parity-check matrix with d=274{\displaystyle d=274} nonzero entries on a column (or twice as much on a row), takes no more than d×16=4384{\displaystyle d\times 16=4384} bits when represented as the coordinates of the nonzero entries on the first row.

Barreto et al. recommend using a binary Goppa code of length at least n=3307{\displaystyle n=3307} and dimension at least k=2515{\displaystyle k=2515}, and capable of correcting t=66{\displaystyle t=66} errors. With these parameters the public key for the McEliece system will be a systematic generator matrix whose non-identity part takes k×(n−k)=1991880{\displaystyle k\times (n-k)=1991880} bits.[55] The corresponding private key, which consists of the code support with n=3307{\displaystyle n=3307} elements from GF(212){\displaystyle GF(2^{12})} and a generator polynomial of with t=66{\displaystyle t=66} coefficients from GF(212){\displaystyle GF(2^{12})}, will be 40,476 bits in length.

Supersingular elliptic curve isogeny cryptography[edit [wikipedia.org]] Further information: Supersingular isogeny key exchange [wikipedia.org]

For 128 bits of security in the supersingular isogeny Diffie-Hellman (SIDH) method, De Feo, Jao and Plut recommend using a supersingular curve modulo a 768-bit prime. If one uses elliptic curve point compression the public key will need to be no more than 8x768 or 6144 bits in length.[56] A March 2016 paper by authors Azarderakhsh, Jao, Kalach, Koziel, and Leonardi showed how to cut the number of bits transmitted in half, which was further improved by authors Costello, Jao, Longa, Naehrig, Renes and Urbanik resulting in a compressed-key version of the SIDH protocol with public keys only 2640 bits in size.[48] This makes the number of bits transmitted roughly equivalent to the non-quantum secure RSA and Diffie-Hellman at the same classical security level.[57]

Symmetric–key-based cryptography[edit [wikipedia.org]]

As a general rule, for 128 bits of security in a symmetric-key-based system, one can safely use key sizes of 256 bits. The best quantum attack against generic symmetric-key systems is an application of Grover's algorithm [wikipedia.org], which requires work proportional to the square root of the size of the key space. To transmit an encrypted key to a device that possesses the symmetric key necessary to decrypt that key requires roughly 256 bits as well. It is clear that symmetric-key systems offer the smallest key sizes for post-quantum cryptography.

Forward secrecy[edit [wikipedia.org]]

A public-key system demonstrates a property referred to as perfect forward secrecy [wikipedia.org] when it generates random public keys per session for the purposes of key agreement. This means that the compromise of one message cannot lead to the compromise of others, and also that there is not a single secret value which can lead to the compromise of multiple messages. Security experts recommend using cryptographic algorithms that support forward secrecy over those that do not.[58] The reason for this is that forward secrecy can protect against the compromise of long term private keys associated with public/private key pairs. This is viewed as a means of preventing mass surveillance by intelligence agencies.

Both the Ring-LWE key exchange and supersingular isogeny Diffie-Hellman (SIDH) key exchange can support forward secrecy in one exchange with the other party. Both the Ring-LWE and SIDH can also be used without forward secrecy by creating a variant of the classic ElGamal encryption [wikipedia.org] variant of Diffie-Hellman.

The other algorithms in this article, such as NTRU, do not support forward secrecy as is.

Any authenticated public key encryption system can be used to build a key exchange with forward secrecy.[59]

Open Quantum Safe project[edit [wikipedia.org]]

Open Quantum Safe (OQS) project was started in late 2016 and has the goal of developing and prototyping quantum-resistant cryptography.[60][61] It aims to integrate current post-quantum schemes in one library: liboqs.[62] liboqs is an open source C [wikipedia.org] library for quantum-resistant cryptographic algorithms. It initially focuses on key exchange algorithms but by now includes several signature schemes. It provides a common API suitable for post-quantum key exchange algorithms, and will collect together various implementations. liboqs will also include a test harness and benchmarking routines to compare performance of post-quantum implementations. Furthermore, OQS also provides integration of liboqs into OpenSSL [wikipedia.org].[63]

As of March 2023, the following key exchange algorithms are supported:[60]

AlgorithmType CRYSTALS-Kyber [wikipedia.org]Module Learning With Error [wikipedia.org]Classic McEliece [wikipedia.org]goppa codes BIKE[64]codes HQC[65][66]codes Frodo[67][68]Learning with errors [wikipedia.org]NTRU [wikipedia.org][69]Lattice-based cryptography [wikipedia.org]CRYSTALS-Dilithium[70][71]Shortest Integer Solution FalconShortest Integer Solution SPHINCS+ hash based

Older supported versions that have been removed because of the progression of the NIST Post-Quantum Cryptography Standardization Project are:

AlgorithmType BCNS15[72]Ring learning with errors key exchange [wikipedia.org]NewHope [wikipedia.org][73][44]Ring learning with errors key exchange [wikipedia.org]SIDH[74][75]Supersingular isogeny key exchange [wikipedia.org]McBits[76]Error-correcting codes

Implementation[edit [wikipedia.org]]

One of the main challenges in post-quantum cryptography is considered to be the implementation of potentially quantum safe algorithms into existing systems. There are tests done, for example by Microsoft Research [wikipedia.org] implementing PICNIC in a PKI [wikipedia.org] using Hardware security modules [wikipedia.org].[77] Test implementations for Google's [wikipedia.org]NewHope [wikipedia.org] algorithm have also been done by HSM [wikipedia.org] vendors. In August 2023, Google released a FIDO2 [wikipedia.org] security key implementation of an ECC [wikipedia.org]/Dilithium hybrid signature schema which was done in partnership with ETH Zürich [wikipedia.org].[78]

Other notable implementations include:

• bouncycastle [wikipedia.org][79]
• liboqs[80]

See also[edit [wikipedia.org]]

• NIST Post-Quantum Cryptography Standardization [wikipedia.org]
• Quantum cryptography [wikipedia.org] – cryptography based on quantum mechanics
• Crypto-shredding [wikipedia.org] - Deleting encryption keys
• Harvest now, decrypt later [wikipedia.org]

References[edit [wikipedia.org]]

1. ^Peter W. Shor [wikipedia.org] (1997). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509. arXiv [wikipedia.org]:quant-ph/9508027 [arxiv.org]. Bibcode [wikipedia.org]:1995quant.ph..8027S [harvard.edu]. doi [wikipedia.org]:10.1137/S0097539795293172 [doi.org]. S2CID [wikipedia.org] 2337707 [semanticscholar.org].
2. ^ abcDaniel J. Bernstein [wikipedia.org] (2009). "Introduction to post-quantum cryptography" [pqcrypto.org](PDF). Post-Quantum Cryptography.
3. ^"New qubit control bodes well for future of quantum computing" [phys.org]. phys.org.
4. ^"Cryptographers Take On Quantum Computers" [ieee.org]. IEEE Spectrum [wikipedia.org]. 2009-01-01.
5. ^ ab"Q&A With Post-Quantum Computing Cryptography Researcher Jintai Ding" [ieee.org]. IEEE Spectrum [wikipedia.org]. 2008-11-01.
6. ^"ETSI Quantum Safe Cryptography Workshop" [archive.org]. ETSI Quantum Safe Cryptography Workshop. ETSI. October 2014. Archived from the original [etsi.org] on 17 August 2016.
7. ^Townsend, Kevin (2022-02-16). "Solving the Quantum Decryption 'Harvest Now, Decrypt Later' Problem" [securityweek.com]. SecurityWeek.
8. ^"Quantum-Safe Secure Communications" [ukri.org](PDF). UK National Quantum Technologies Programme. October 2021.
9. ^Daniel J. Bernstein [wikipedia.org] (2009-05-17). "Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?" [cr.yp.to](PDF).
10. ^Daniel J. Bernstein [wikipedia.org] (2010-03-03). "Grover vs. McEliece" [cr.yp.to](PDF).
11. ^Peikert, Chris (2014). "Lattice Cryptography for the Internet" [archive.org](PDF). IACR. Archived from the original on 12 May 2014.
12. ^ abcGüneysu, Tim; Lyubashevsky, Vadim; Pöppelmann, Thomas (2012). "Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems" [emsec.rub.de](PDF). INRIA.
13. ^Zhang, jiang (2014). "Authenticated Key Exchange from Ideal Lattices" [archive.org](PDF). iacr.org. IACR. Archived from the original on 7 September 2014.
14. ^ abDucas, Léo; Durmus, Alain; Lepoint, Tancrède; Lyubashevsky, Vadim (2013). "Lattice Signatures and Bimodal Gaussians" [iacr.org].
15. ^Lyubashevsky, Vadim; Peikert; Regev (2013). "On Ideal Lattices and Learning with Errors Over Rings" [archive.org](PDF). IACR. Archived from the original on 31 January 2014.
16. ^ abcdefgAugot, Daniel (7 September 2015). "Initial recommendations of long-term secure post-quantum systems" [eu.org](PDF). PQCRYPTO.
17. ^Stehlé, Damien; Steinfeld, Ron (2013-01-01). "Making NTRUEncrypt and NTRUSign as Secure as Standard Worst-Case Problems over Ideal Lattices" [iacr.org]. Cryptology ePrint Archive.
18. ^Easttom, Chuck (2019-02-01). "An Analysis of Leading Lattice-Based Asymmetric Cryptographic Primitives". 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC). pp. 0811–0818. doi [wikipedia.org]:10.1109/CCWC.2019.8666459 [doi.org]. ISBN [wikipedia.org] 978-1-7281-0554-3 [wikipedia.org]. S2CID [wikipedia.org] 77376310 [semanticscholar.org].
19. ^Ding, Jintai; Schmidt (7 June 2005). "Rainbow, a New Multivariable Polynomial Signature Scheme". In Ioannidis, John (ed.). Third International Conference, ACNS 2005, New York, NY, USA, June 7–10, 2005. Proceedings. Lecture Notes in Computer Science. Vol. 3531. pp. 64–175. doi [wikipedia.org]:10.1007/11496137_12 [doi.org]. ISBN [wikipedia.org] 978-3-540-26223-7 [wikipedia.org]. S2CID [wikipedia.org] 6571152 [semanticscholar.org].
20. ^Buchmann, Johannes; Dahmen, Erik; Hülsing, Andreas (2011). "XMSS - A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions". Post-Quantum Cryptography. PQCrypto 2011. Lecture Notes in Computer Science. Vol. 7071. pp. 117–129. CiteSeerX [wikipedia.org] 10.1.1.400.6086 [psu.edu]. doi [wikipedia.org]:10.1007/978-3-642-25405-5_8 [doi.org]. ISSN [wikipedia.org] 0302-9743 [worldcat.org].
21. ^ abBernstein, Daniel J.; Hopwood, Daira; Hülsing, Andreas; Lange, Tanja [wikipedia.org]; Niederhagen, Ruben; Papachristodoulou, Louiza; Schneider, Michael; Schwabe, Peter; Wilcox-O'Hearn, Zooko (2015). Oswald, Elisabeth [wikipedia.org]; Fischlin, Marc (eds.). SPHINCS: practical stateless hash-based signatures. Lecture Notes in Computer Science. Vol. 9056. Springer Berlin Heidelberg. pp. 368–397. CiteSeerX [wikipedia.org] 10.1.1.690.6403 [psu.edu]. doi [wikipedia.org]:10.1007/978-3-662-46800-5_15 [doi.org]. ISBN [wikipedia.org] 9783662467992 [wikipedia.org].
22. ^Huelsing, A.; Butin, D.; Gazdag, S.; Rijneveld, J.; Mohaisen, A. (2018). "RFC 8391 - XMSS: eXtended Merkle Signature Scheme" [ietf.org]. tools.ietf.org. doi [wikipedia.org]:10.17487/RFC8391 [doi.org].
23. ^Moni Naor, Moti Yung: Universal One-Way Hash Functions and their Cryptographic Applications .STOC 1989: 33-43
24. ^Overbeck, Raphael; Sendrier (2009). "Code-based cryptography". In Bernstein, Daniel (ed.). Post-Quantum Cryptography. pp. 95–145. doi [wikipedia.org]:10.1007/978-3-540-88702-7_4 [doi.org]. ISBN [wikipedia.org] 978-3-540-88701-0 [wikipedia.org].
25. ^Castryck, Wouter; Lange, Tanja; Martindale, Chloe; Panny, Lorenz; Renes, Joost (2018). "CSIDH: An Efficient Post-Quantum Commutative Group Action" [handle.net]. In Peyrin, Thomas; Galbraith, Steven (eds.). Advances in Cryptology – ASIACRYPT 2018. Lecture Notes in Computer Science. Vol. 11274. Cham: Springer International Publishing. pp. 395–427. doi [wikipedia.org]:10.1007/978-3-030-03332-3_15 [doi.org]. hdl [wikipedia.org]:1854/LU-8619033 [handle.net]. ISBN [wikipedia.org] 978-3-030-03332-3 [wikipedia.org]. S2CID [wikipedia.org] 44165584 [semanticscholar.org].
26. ^De Feo, Luca; Kohel, David; Leroux, Antonin; Petit, Christophe; Wesolowski, Benjamin (2020). "SQISign: Compact Post-quantum Signatures from Quaternions and Isogenies" [archives-ouvertes.fr](PDF). In Moriai, Shiho; Wang, Huaxiong (eds.). Advances in Cryptology – ASIACRYPT 2020. Lecture Notes in Computer Science. Vol. 12491. Cham: Springer International Publishing. pp. 64–93. doi [wikipedia.org]:10.1007/978-3-030-64837-4_3 [doi.org]. ISBN [wikipedia.org] 978-3-030-64837-4 [wikipedia.org]. S2CID [wikipedia.org] 222265162 [semanticscholar.org].
27. ^Castryck, Wouter; Decru, Thomas (2023), Hazay, Carmit; Stam, Martijn (eds.), "An Efficient Key Recovery Attack on SIDH" [springer.com], Advances in Cryptology – EUROCRYPT 2023, Cham: Springer Nature Switzerland, vol. 14008, pp. 423–447, doi [wikipedia.org]:10.1007/978-3-031-30589-4_15 [doi.org], ISBN [wikipedia.org] 978-3-031-30588-7 [wikipedia.org], S2CID [wikipedia.org] 258240788 [semanticscholar.org]
28. ^"Is SIKE broken yet?" [github.io].
29. ^Perlner, Ray; Cooper (2009). "Quantum Resistant Public Key Cryptography: A Survey" [nist.gov]. NIST.
30. ^Campagna, Matt; Hardjono; Pintsov; Romansky; Yu (2013). "Kerberos Revisited Quantum-Safe Authentication" [etsi.org](PDF). ETSI.
31. ^Lyubashevsky, Vadim; Peikert; Regev (25 June 2013). "On Ideal Lattices and Learning with Errors Over Rings" [umich.edu](PDF). Springer.
32. ^Akleylek, Sedat; Bindel, Nina; Buchmann, Johannes; Krämer, Juliane; Marson, Giorgia Azzurra (2016). "An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation" [iacr.org]. Cryptology ePrint Archive.
33. ^Nejatollahi, Hamid; Dutt, Nikil; Ray, Sandip; Regazzoni, Francesco; Banerjee, Indranil; Cammarota, Rosario (2019-02-27). "Post-Quantum Lattice-Based Cryptography Implementations: A Survey" [acm.org]. ACM Computing Surveys. 51 (6): 1–41. doi [wikipedia.org]:10.1145/3292548 [doi.org]. ISSN [wikipedia.org] 0360-0300 [worldcat.org]. S2CID [wikipedia.org] 59337649 [semanticscholar.org].
34. ^Bulygin, Stanislav; Petzoldt; Buchmann (2010). "Towards Provable Security of the Unbalanced Oil and Vinegar Signature Scheme under Direct Attacks". Progress in Cryptology – INDOCRYPT 2010. Lecture Notes in Computer Science. Vol. 6498. pp. 17–32. CiteSeerX [wikipedia.org] 10.1.1.294.3105 [psu.edu]. doi [wikipedia.org]:10.1007/978-3-642-17401-8_3 [doi.org]. ISBN [wikipedia.org] 978-3-642-17400-1 [wikipedia.org].
35. ^Pereira, Geovandro; Puodzius, Cassius; Barreto, Paulo (2016). "Shorter hash-based signatures". Journal of Systems and Software. 116: 95–100. doi [wikipedia.org]:10.1016/j.jss.2015.07.007 [doi.org].
36. ^Garcia, Luis. "On the security and the efficiency of the Merkle signature scheme" [iacr.org](PDF). Cryptology ePrint Archive. IACR.
37. ^Blaum, Mario; Farrell; Tilborg (31 May 2002). Information, Coding and Mathematics. Springer. ISBN [wikipedia.org] 978-1-4757-3585-7 [wikipedia.org].
38. ^Wang, Yongge (2016). "Quantum resistant random linear code based public key encryption scheme RLCE". Proceedings of Information Theory (ISIT). IEEE ISIT: 2519–2523. arXiv [wikipedia.org]:1512.08454 [arxiv.org]. Bibcode [wikipedia.org]:2015arXiv151208454W [harvard.edu].
39. ^Delfs, Christina; Galbraith (2013). "Computing isogenies between supersingular elliptic curves over F_p". arXiv [wikipedia.org]:1310.7789 [arxiv.org] [math.NT [arxiv.org]].
40. ^ abHirschborrn, P; Hoffstein; Howgrave-Graham; Whyte. "Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches" [archive.org](PDF). NTRU. Archived from the original [securityinnovation.com](PDF) on 30 January 2013.
41. ^ abPetzoldt, Albrecht; Bulygin; Buchmann (2010). "Selecting Parameters for the Rainbow Signature Scheme – Extended Version -" [archive.org](PDF). Archived from the original on 4 March 2016.
42. ^"SPHINCS+: Submission to the NIST post-quantum project" [sphincs.org](PDF).
43. ^Chopra, Arjun (2017). "GLYPH: A New Insantiation of the GLP Digital Signature Scheme" [iacr.org]. Cryptology ePrint Archive.
44. ^ abAlkim, Erdem; Ducas, Léo; Pöppelmann, Thomas; Schwabe, Peter (2015). "Post-quantum key exchange - a new hope" [iacr.org] (PDF). Cryptology ePrint Archive, Report 2015/1092.
45. ^Wang, Yongge (2017). "Revised Quantum Resistant Public Key Encryption Scheme RLCE and IND-CCA2 Security for McEliece Schemes" [iacr.org]. Cryptology ePrint Archive.
46. ^Misoczki, R.; Tillich, J. P.; Sendrier, N.; Barreto, P. S. L. M. (2013). "MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes". 2013 IEEE International Symposium on Information Theory. pp. 2069–2073. CiteSeerX [wikipedia.org] 10.1.1.259.9109 [psu.edu]. doi [wikipedia.org]:10.1109/ISIT.2013.6620590 [doi.org]. ISBN [wikipedia.org] 978-1-4799-0446-4 [wikipedia.org]. S2CID [wikipedia.org] 9485532 [semanticscholar.org].
47. ^Costello, Craig; Longa, Patrick; Naehrig, Michael (2016). "Efficient Algorithms for Supersingular Isogeny Diffie-Hellman" [iacr.org](PDF). Advances in Cryptology – CRYPTO 2016. Lecture Notes in Computer Science. Vol. 9814. pp. 572–601. doi [wikipedia.org]:10.1007/978-3-662-53018-4_21 [doi.org]. ISBN [wikipedia.org] 978-3-662-53017-7 [wikipedia.org].
48. ^ abCostello, Craig; Jao; Longa; Naehrig; Renes; Urbanik. "Efficient Compression of SIDH public keys" [iacr.org].
49. ^Lin, Jintai Ding, Xiang Xie, Xiaodong (2012-01-01). "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem" [iacr.org]. Cryptology ePrint Archive.
50. ^Peikert, Chris (2014-01-01). "Lattice Cryptography for the Internet" [iacr.org]. Cryptology ePrint Archive.
51. ^Singh, Vikram (2015). "A Practical Key Exchange for the Internet using Lattice Cryptography" [iacr.org].
52. ^ abZhang, Jiang; Zhang, Zhenfeng; Ding, Jintai; Snook, Michael; Dagdelen, Özgür (2015-04-26). "Authenticated Key Exchange from Ideal Lattices". In Oswald, Elisabeth; Fischlin, Marc (eds.). Advances in Cryptology - EUROCRYPT 2015. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 719–751. CiteSeerX [wikipedia.org] 10.1.1.649.1864 [psu.edu]. doi [wikipedia.org]:10.1007/978-3-662-46803-6_24 [doi.org]. ISBN [wikipedia.org] 978-3-662-46802-9 [wikipedia.org].
53. ^Krawczyk, Hugo (2005-08-14). "HMQV: A High-Performance Secure Diffie-Hellman Protocol". In Shoup, Victor (ed.). Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. Vol. 3621. Springer. pp. 546–566. doi [wikipedia.org]:10.1007/11535218_33 [doi.org]. ISBN [wikipedia.org] 978-3-540-28114-6 [wikipedia.org].
54. ^Naor, Dalit; Shenhav; Wool (2006). "One-Time Signatures Revisited: Practical Fast Signatures Using Fractal Merkle Tree Traversal" [tau.ac.il](PDF). IEEE.
55. ^Barreto, Paulo S. L. M.; Biasi, Felipe Piazza; Dahab, Ricardo; López-Hernández, Julio César; Morais, Eduardo M. de; Oliveira, Ana D. Salina de; Pereira, Geovandro C. C. F.; Ricardini, Jefferson E. (2014). Koç, Çetin Kaya (ed.). A Panorama of Post-quantum Cryptography. Springer International Publishing. pp. 387–439. doi [wikipedia.org]:10.1007/978-3-319-10683-0_16 [doi.org]. ISBN [wikipedia.org] 978-3-319-10682-3 [wikipedia.org].
56. ^De Feo, Luca; Jao; Plut (2011). "Towards Quantum-Resistant Cryptosystems From Supersingular Elliptic Curve Isogenies" [archive.org](PDF). Archived from the original on 11 February 2014.
57. ^"Cryptology ePrint Archive: Report 2016/229" [iacr.org]. eprint.iacr.org.
58. ^Ristic, Ivan (2013-06-25). "Deploying Forward Secrecy" [qualys.com]. SSL Labs.
59. ^"Does NTRU provide Perfect Forward Secrecy?" [stackexchange.com]. crypto.stackexchange.com.
60. ^ ab"Open Quantum Safe" [openquantumsafe.org]. openquantumsafe.org.
61. ^Stebila, Douglas; Mosca, Michele. "Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project" [iacr.org]. Cryptology ePrint Archive, Report 2016/1017, 2016.
62. ^"liboqs: C library for quantum-resistant cryptographic algorithms" [github.com]. 26 November 2017 – via GitHub.
63. ^"openssl: Fork of OpenSSL that includes quantum-resistant algorithms and ciphersuites based on liboqs" [github.com]. 9 November 2017 – via GitHub.
64. ^"BIKE - Bit Flipping Key Encapsulation" [bikesuite.org]. bikesuite.org.
65. ^"HQC" [pqc-hqc.org]. pqc-hqc.org.
66. ^"Fast and Efficient Hardware Implementation of HQC" [nist.gov](PDF).
67. ^Bos, Joppe; Costello, Craig; Ducas, Léo; Mironov, Ilya; Naehrig, Michael; Nikolaenko, Valeria; Raghunathan, Ananth; Stebila, Douglas (2016-01-01). "Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE" [iacr.org]. Cryptology ePrint Archive.
68. ^"FrodoKEM" [frodokem.org]. frodokem.org.
69. ^"NTRUOpenSourceProject/NTRUEncrypt" [github.com]. GitHub.
70. ^Schwabe, Peter. "Dilithium" [pq-crystals.org]. pq-crystals.org.
71. ^"Cryptographic Suite for Algebraic Lattices, Digital Signature: Dilithium" [nist.gov](PDF).
72. ^Stebila, Douglas (26 Mar 2018). "liboqs nist-branch algorithm datasheet: kem_newhopenist" [github.com]. GitHub.
73. ^"Lattice Cryptography Library" [microsoft.com]. Microsoft Research. 19 Apr 2016.
74. ^"SIDH Library - Microsoft Research" [microsoft.com]. Microsoft Research.
75. ^Feo, Luca De; Jao, David; Plût, Jérôme (2011-01-01). "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies" [archive.org]. Archived from the original [iacr.org] on 2014-05-03.
76. ^Bernstein, Daniel J.; Chou, Tung; Schwabe, Peter (2015-01-01). "McBits: fast constant-time code-based cryptography" [iacr.org]. Cryptology ePrint Archive.
77. ^"Microsoft/Picnic" [github.com](PDF). GitHub.
78. ^"Toward Quantum Resilient Security Keys" [googleblog.com]. Google Online Security Blog.
79. ^"Bouncy Castle Betas" [bouncycastle.org].
80. ^"Open Quantum Safe" [openquantumsafe.org].

Further reading[edit [wikipedia.org]]

• Post-Quantum Cryptography [springer.com]. Springer. 2008. p. 245. ISBN [wikipedia.org] 978-3-540-88701-0 [wikipedia.org].
• Isogenies in a Quantum World [loria.fr]
• On Ideal Lattices and Learning With Errors Over Rings [di.ens.fr]
• Kerberos Revisited: Quantum-Safe Authentication [etsi.org]
• The picnic signature scheme [github.com]

External links[edit [wikipedia.org]]

• PQCrypto, the post-quantum cryptography conference [pqcrypto.org]
• ETSI Quantum Secure Standards Effort [etsi.org]
• NIST's Post-Quantum crypto Project [nist.gov]
• PQCrypto Usage & Deployment [ianix.com]
• ISO 27001 Certification Cost [siscertifications.com]

Background

• Introduction [wikipedia.org]
• History [wikipedia.org]
  • Timeline [wikipedia.org]
• Classical mechanics [wikipedia.org]
• Old quantum theory [wikipedia.org]
• Glossary [wikipedia.org]

Fundamentals

• Born rule [wikipedia.org]
• Bra–ket notation [wikipedia.org]
• Complementarity [wikipedia.org]
• Density matrix [wikipedia.org]
• Energy level [wikipedia.org]
  • Ground state [wikipedia.org]
  • Excited state [wikipedia.org]
  • Degenerate levels [wikipedia.org]
  • Zero-point energy [wikipedia.org]
• Entanglement [wikipedia.org]
• Hamiltonian [wikipedia.org]
• Interference [wikipedia.org]
• Decoherence [wikipedia.org]
• Measurement [wikipedia.org]
• Nonlocality [wikipedia.org]
• Quantum state [wikipedia.org]
• Superposition [wikipedia.org]
• Tunnelling [wikipedia.org]
• Scattering theory [wikipedia.org]
• Symmetry in quantum mechanics [wikipedia.org]
• Uncertainty [wikipedia.org]
• Wave function [wikipedia.org]
  • Collapse [wikipedia.org]
  • Wave–particle duality [wikipedia.org]

Formulations

• Formulations [wikipedia.org]
• Heisenberg [wikipedia.org]
• Interaction [wikipedia.org]
• Matrix mechanics [wikipedia.org]
• Schrödinger [wikipedia.org]
• Path integral formulation [wikipedia.org]
• Phase space [wikipedia.org]

Equations

• Dirac [wikipedia.org]
• Klein–Gordon [wikipedia.org]
• Pauli [wikipedia.org]
• Rydberg [wikipedia.org]
• Schrödinger [wikipedia.org]

Interpretations [wikipedia.org]

• Bayesian [wikipedia.org]
• Consistent histories [wikipedia.org]
• Copenhagen [wikipedia.org]
• de Broglie–Bohm [wikipedia.org]
• Ensemble [wikipedia.org]
• Hidden-variable [wikipedia.org]
  • Local [wikipedia.org]
• Many-worlds [wikipedia.org]
• Objective collapse [wikipedia.org]
• Quantum logic [wikipedia.org]
• Relational [wikipedia.org]
• Transactional [wikipedia.org]
• Von Neumann-Wigner [wikipedia.org]

Experiments

• Bell's inequality [wikipedia.org]
• Davisson–Germer [wikipedia.org]
• Delayed-choice quantum eraser [wikipedia.org]
• Double-slit [wikipedia.org]
• Franck–Hertz [wikipedia.org]
• Mach–Zehnder interferometer [wikipedia.org]
• Elitzur–Vaidman [wikipedia.org]
• Popper [wikipedia.org]
• Quantum eraser [wikipedia.org]
• Stern–Gerlach [wikipedia.org]
• Wheeler's delayed choice [wikipedia.org]

Science [wikipedia.org]

• Quantum biology [wikipedia.org]
• Quantum chemistry [wikipedia.org]
• Quantum chaos [wikipedia.org]
• Quantum cosmology [wikipedia.org]
• Quantum differential calculus [wikipedia.org]
• Quantum dynamics [wikipedia.org]
• Quantum geometry [wikipedia.org]
• Quantum measurement problem [wikipedia.org]
• Quantum mind [wikipedia.org]
• Quantum stochastic calculus [wikipedia.org]
• Quantum spacetime [wikipedia.org]

Technology [wikipedia.org]

• Quantum algorithms [wikipedia.org]
• Quantum amplifier [wikipedia.org]
• Quantum bus [wikipedia.org]
• Quantum cellular automata [wikipedia.org]
  • Quantum finite automata [wikipedia.org]
• Quantum channel [wikipedia.org]
• Quantum circuit [wikipedia.org]
• Quantum complexity theory [wikipedia.org]
• Quantum computing [wikipedia.org]
  • Timeline [wikipedia.org]
• Quantum cryptography [wikipedia.org]
• Quantum electronics [wikipedia.org]
• Quantum error correction [wikipedia.org]
• Quantum imaging [wikipedia.org]
• Quantum image processing [wikipedia.org]
• Quantum information [wikipedia.org]
• Quantum key distribution [wikipedia.org]
• Quantum logic [wikipedia.org]
• Quantum logic gates [wikipedia.org]
• Quantum machine [wikipedia.org]
• Quantum machine learning [wikipedia.org]
• Quantum metamaterial [wikipedia.org]
• Quantum metrology [wikipedia.org]
• Quantum network [wikipedia.org]
• Quantum neural network [wikipedia.org]
• Quantum optics [wikipedia.org]
• Quantum programming [wikipedia.org]
• Quantum sensing [wikipedia.org]
• Quantum simulator [wikipedia.org]
• Quantum teleportation [wikipedia.org]

Extensions

• Quantum fluctuation [wikipedia.org]
• Casimir effect [wikipedia.org]
• Quantum statistical mechanics [wikipedia.org]
• Quantum field theory [wikipedia.org]
  • History [wikipedia.org]
• Quantum gravity [wikipedia.org]
• Relativistic quantum mechanics [wikipedia.org]

Related

• Schrödinger's cat [wikipedia.org]
  • in popular culture [wikipedia.org]
• EPR paradox [wikipedia.org]
• Quantum mysticism [wikipedia.org]

• Category [wikipedia.org]
• Physics portal [wikipedia.org]
• Commons [wikimedia.org]

General

• DiVincenzo's criteria [wikipedia.org]
• NISQ era [wikipedia.org]
• Quantum computing [wikipedia.org]
  • timeline [wikipedia.org]
• Quantum information [wikipedia.org]
• Quantum programming [wikipedia.org]
• Quantum simulation [wikipedia.org]
• Qubit [wikipedia.org]
  • physical vs. logical [wikipedia.org]
• Quantum processors [wikipedia.org]
  • cloud-based [wikipedia.org]

Theorems

• Bell's [wikipedia.org]
• Eastin–Knill [wikipedia.org]
• Gleason's [wikipedia.org]
• Gottesman–Knill [wikipedia.org]
• Holevo's [wikipedia.org]
• Margolus–Levitin [wikipedia.org]
• No-broadcasting [wikipedia.org]
• No-cloning [wikipedia.org]
• No-communication [wikipedia.org]
• No-deleting [wikipedia.org]
• No-hiding [wikipedia.org]
• No-teleportation [wikipedia.org]
• PBR [wikipedia.org]
• Threshold [wikipedia.org]
• Solovay–Kitaev [wikipedia.org]
• Purification [wikipedia.org]

Quantum
communication

• Classical capacity [wikipedia.org]
  • entanglement-assisted [wikipedia.org]
  • quantum capacity [wikipedia.org]
• Entanglement distillation [wikipedia.org]
• Monogamy of entanglement [wikipedia.org]
• LOCC [wikipedia.org]
• Quantum channel [wikipedia.org]
  • quantum network [wikipedia.org]
• Quantum teleportation [wikipedia.org]
  • quantum gate teleportation [wikipedia.org]
• Superdense coding [wikipedia.org]

Quantum cryptography [wikipedia.org]

• Post-quantum cryptography
• Quantum coin flipping [wikipedia.org]
• Quantum money [wikipedia.org]
• Quantum key distribution [wikipedia.org]
  • BB84 [wikipedia.org]
  • SARG04 [wikipedia.org]
  • other protocols [wikipedia.org]
• Quantum secret sharing [wikipedia.org]

Quantum algorithms [wikipedia.org]

• Amplitude amplification [wikipedia.org]
• Bernstein–Vazirani [wikipedia.org]
• Boson sampling [wikipedia.org]
• Deutsch–Jozsa [wikipedia.org]
• Grover's [wikipedia.org]
• HHL [wikipedia.org]
• Hidden subgroup [wikipedia.org]
• Quantum annealing [wikipedia.org]
• Quantum counting [wikipedia.org]
• Quantum Fourier transform [wikipedia.org]
• Quantum optimization [wikipedia.org]
• Quantum phase estimation [wikipedia.org]
• Shor's [wikipedia.org]
• Simon's [wikipedia.org]
• VQE [wikipedia.org]

Quantum [wikipedia.org]
complexity theory

• BQP [wikipedia.org]
• EQP [wikipedia.org]
• QIP [wikipedia.org]
• QMA [wikipedia.org]
• PostBQP [wikipedia.org]

Quantum
processor benchmarks

• Quantum supremacy [wikipedia.org]
• Quantum volume [wikipedia.org]
• Randomized benchmarking [wikipedia.org]
  • XEB [wikipedia.org]
• Relaxation times [wikipedia.org]
  • T1 [wikipedia.org]
  • T2 [wikipedia.org]

Quantum
computing models [wikipedia.org]

• Adiabatic quantum computation [wikipedia.org]
• Continuous-variable quantum information [wikipedia.org]
• One-way quantum computer [wikipedia.org]
  • cluster state [wikipedia.org]
• Quantum circuit [wikipedia.org]
  • quantum logic gate [wikipedia.org]
• Quantum machine learning [wikipedia.org]
  • quantum neural network [wikipedia.org]
• Quantum Turing machine [wikipedia.org]
• Topological quantum computer [wikipedia.org]

Quantum [wikipedia.org]
error correction

• Codes
  • CSS [wikipedia.org]
  • quantum convolutional [wikipedia.org]
  • stabilizer [wikipedia.org]
  • Shor [wikipedia.org]
  • Bacon–Shor [wikipedia.org]
  • Steane [wikipedia.org]
  • Toric [wikipedia.org]
  • gnu [wikipedia.org]
• Entanglement-assisted [wikipedia.org]

Physical
implementationsQuantum optics [wikipedia.org]

• Cavity QED [wikipedia.org]
• Circuit QED [wikipedia.org]
• Linear optical QC [wikipedia.org]
• KLM protocol [wikipedia.org]

Ultracold atoms [wikipedia.org]

• Optical lattice [wikipedia.org]
• Trapped-ion QC [wikipedia.org]

Spin [wikipedia.org]-based

• Kane QC [wikipedia.org]
• Spin qubit QC [wikipedia.org]
• NV center [wikipedia.org]
• NMR QC [wikipedia.org]

Superconducting [wikipedia.org]

• Charge qubit [wikipedia.org]
• Flux qubit [wikipedia.org]
• Phase qubit [wikipedia.org]
• Transmon [wikipedia.org]

Quantum [wikipedia.org]
programming

• OpenQASM [wikipedia.org]–Qiskit [wikipedia.org]–IBM QX [wikipedia.org]
• Quil [wikipedia.org]–Forest/Rigetti QCS [wikipedia.org]
• Cirq [wikipedia.org]
• Q# [wikipedia.org]
• libquantum [wikipedia.org]
• many others... [wikipedia.org]

• Quantum information science [wikipedia.org]
• Quantum mechanics topics [wikipedia.org]

Kyber - Wikipedia [wikipedia.org]:

For the fictional crystals, see Lightsaber [wikipedia.org]. For the computing I/O scheduler, see I/O scheduling [wikipedia.org]. For other uses, see Khyber (disambiguation) [wikipedia.org].

Kyber is a key encapsulation mechanism [wikipedia.org] (KEM) designed to be resistant to cryptanalytic [wikipedia.org] attacks with future powerful quantum computers [wikipedia.org]. It is used to establish a shared secret [wikipedia.org] between two communicating parties without an (IND-CCA2 [wikipedia.org]) attacker in the transmission system being able to decrypt it. This asymmetric cryptosystem [wikipedia.org] uses a variant of the learning with errors [wikipedia.org]lattice problem [wikipedia.org] as its basic trapdoor function [wikipedia.org]. It won the NIST competition [wikipedia.org] for the first post-quantum cryptography [wikipedia.org] (PQ) standard.[1] Kyber is named after the fictional kyber crystals used to power lightsabers [wikipedia.org] in the Star Wars [wikipedia.org] universe (compare [Light-]SABER [wikipedia.org]).

Properties[edit [wikipedia.org]]

The system is based on module learning with errors (M-LWE) from the field of machine learning [wikipedia.org], in conjunction with cyclotomic [wikipedia.org]rings [wikipedia.org].[2] Recently, there has also been a tight formal mathematical security reduction [wikipedia.org] of the ring-LWE problem to MLWE.[3][4] Compared to competing PQ methods, it has typical advantages of lattice-based methods, e.g. in regard to runtime as well as the size of the ciphertexts and the key material.[5] Variants with different security levels have been defined: Kyber512 (NIST [wikipedia.org] security level 1, ≈AES [wikipedia.org] 128), Kyber768 (NIST security level 3, ≈AES 192), and Kyber1024 (NIST security level 5, ≈AES 256).[6] At a complexity of 161 bits, the secret keys are 2400, the public keys 1184, and the ciphertexts 1088 bytes in size.[7][8] With an accordingly optimized implementation, 4 kilobytes of memory can be sufficient for the cryptographic operations.[9] For a chat [wikipedia.org] encryption scenario using liboqs, replacing the extremely efficient, non-quantum-safe ECDH [wikipedia.org] key exchange using Curve25519 [wikipedia.org] was found to increase runtime [wikipedia.org] by a factor of about 2.3 (1.5–7), an estimated 2.3-fold (1.4–3.1) increase in energy consumption, and have about 70 times (48–92) more data overhead [wikipedia.org].[10] Internal hashing operations account for the majority of the runtime, which would thus potentially benefit greatly from corresponding hardware acceleration [wikipedia.org].

Development[edit [wikipedia.org]]

Kyber is derived from a method published in 2005 by Oded Regev [wikipedia.org], developed by developers from Europe and North America, who are employed by various government universities or research institutions, or by private companies, with funding from the European Commission [wikipedia.org], Switzerland, the Netherlands, and Germany.[11] They also developed the related and complementary signature scheme Dilithium, as another component of their "Cryptographic Suite for Algebraic Lattices" (CRYSTALS). Like other PQC-KEM methods, Kyber makes extensive use of hashing [wikipedia.org] internally. In Kyber's case, variants of Keccak (SHA-3 [wikipedia.org]/SHAKE) are used here, to generate pseudorandom numbers [wikipedia.org], among other things.[9] In 2017 the method was submitted to the US National Institute of Standards and Technology [wikipedia.org] (NIST) for its public selection process [wikipedia.org] for a first standard for quantum-safe cryptographic primitives (NISTPQC). It is the only key encapsulation mechanism that has been selected for standardization at the end of the third round of the NIST standardization process.[3] According to a footnote the report announcing the decision, it is conditional on the execution of various patent [wikipedia.org]-related agreements, with NTRU [wikipedia.org] being a fallback option. Currently, a fourth round of the standardization process is underway, with the goal of standardizing an additional KEM. In the second phase of the selection process, several parameters of the algorithm were adjusted and the compression of the public keys was dropped.[9] Most recently, NIST paid particular attention to costs in terms of runtime and complexity for implementations that mask runtimes in order to prevent corresponding side-channel attacks [wikipedia.org] (SCA).[3]

Evolution[edit [wikipedia.org]]

During the NIST standardization process, Kyber has undergone changes. In particular, in the submission for round 2 (so called Kyber v2), the following features have been changed:[12]

• public key compression removed (due to NIST comments on the security proof);
• parameter q reduced to 3329 (from 7681);
• ciphertext compression parameters changed;
• number-theoretic transform [wikipedia.org] (NTT) definition changed along the lines of NTTRU [wikipedia.org] for faster polynomial multiplication;
• noise parameter reduced to η=2{\displaystyle \eta =2} for faster noise sampling;
• public key representation is changed to NTT domain in order to save the NTT operations.

Submission to round 3 underwent further tweaks:[13]

• the use of Fujisaki-Okamoto transformation [wikipedia.org] (FO transform) modified;
• noise level increased and ciphertext compression reduced for the level 1 parameter set;
• sampling algorithm improved.

Usage[edit [wikipedia.org]]

The developers have released a reference implementation [wikipedia.org] into the public domain [wikipedia.org] (or under CC0 [wikipedia.org]), which is written in C [wikipedia.org].[14] The program library [wikipedia.org]liboqs of the Open Quantum Safe [wikipedia.org] (OQS) project contains an implementation based[15] on that.[10] OQS also maintains a quantum-safe development branch of OpenSSL [wikipedia.org],[16] has integrated it into BoringSSL [wikipedia.org], and its code has also been integrated into WolfSSL [wikipedia.org].[17] There are a handful of implementations using various other programming languages from third-party developers, including JavaScript and Java.[18][19][20] Various (free) optimized hardware implementations exist, including one that is resistant to side-channel attacks.[21][22] The German Federal Office for Information Security [wikipedia.org] is aiming for implementation in Thunderbird [wikipedia.org], and in this context also an implementation in the Botan [wikipedia.org] program library and corresponding adjustments to the OpenPGP [wikipedia.org] standard.[23] In 2023, the encrypted messaging service Signal [wikipedia.org] implemented PQXDH [wikipedia.org], a Kyber-based post-quantum extension of their end-to-end encryption protocol.[24]

References[edit [wikipedia.org]]

1. ^Moody, Dustin (2022). "Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process" [nist.gov](PDF). Gaithersburg, MD: NIST IR 8413. doi [wikipedia.org]:10.6028/nist.ir.8413 [doi.org]. S2CID [wikipedia.org] 247903639 [semanticscholar.org].
2. ^What was NIST thinking? [ox.ac.uk] (PDF-Datei)
3. ^ abcStatus Report on the Second Round of the NIST PQC Standardization Process [nist.gov] (PDF-Datei)
4. ^
5. ^Lattice-based cryptography and Kyber – Andrea Basso [bham.ac.uk] (PDF; 2,0 MB)
6. ^Overview of NIST Round 3 Post-Quantum cryptography Candidates [pqsecurity.com] (PDF; 157 kB)
7. ^Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé (2018), "CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM" [iacr.org], 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018., IEEE, pp. 353-367, doi [wikipedia.org]:10.1109/EuroSP.2018.00032 [doi.org], ISBN [wikipedia.org] 978-1-5386-4228-3 [wikipedia.org], S2CID [wikipedia.org] 20449721 [semanticscholar.org]
8. ^https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf [pq-crystals.org][bare URL PDF [wikipedia.org]]
9. ^ abc
10. ^ ab
11. ^https://pq-crystals.org/ [pq-crystals.org][bare URL [wikipedia.org]]
12. ^Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS–Kyber [nist.gov] (Round 2 presentation) August 23, 2019.
13. ^Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS–Kyber [nist.gov] (Round 3 presentation) June 9, 2021.
14. ^Kyber/LICENSE at master · pq-crystals/kyber · GitHub [github.com]
15. ^"Kyber – Open Quantum Safe" [archive.org]. Archived from the original [openquantumsafe.org] on 2021-04-20.
16. ^"Post-Quantum TLS" [microsoft.com]. Microsoft Research.
17. ^"wolfSSL and libOQS Integration" [wolfssl.com]. WolfSSL-Website. 2021-09-01.
18. ^"CRYSTALS KYBER Java" [github.com]. GitHub [wikipedia.org]. 25 October 2021.
19. ^"CRYSTALS-KYBER JavaScript" [github.com]. GitHub [wikipedia.org]. 11 December 2021.
20. ^"Yawning/Kyber: [archive.org]https://Pq-crystals.org/Kyber/Index.SHTML [pq-crystals.org] - Gogs". Archived from the original [schwanenlied.me] on 2021-07-28.
21. ^
22. ^
23. ^"E-Vergabe, die Vergabeplattform des Bundes" [evergabe-online.de].
24. ^"Add Kyber KEM and implement PQXDH protocol" [github.com]. GitHub [wikipedia.org].

External links[edit [wikipedia.org]]

• Official website [pq-crystals.org]
• kyber [github.com] on GitHub [wikipedia.org]
• original method by

AlgorithmsInteger factorization [wikipedia.org]

• Benaloh [wikipedia.org]
• Blum–Goldwasser [wikipedia.org]
• Cayley–Purser [wikipedia.org]
• Damgård–Jurik [wikipedia.org]
• GMR [wikipedia.org]
• Goldwasser–Micali [wikipedia.org]
• Naccache–Stern [wikipedia.org]
• Paillier [wikipedia.org]
• Rabin [wikipedia.org]
• RSA [wikipedia.org]
• Okamoto–Uchiyama [wikipedia.org]
• Schmidt–Samoa [wikipedia.org]

Discrete logarithm [wikipedia.org]

• BLS [wikipedia.org]
• Cramer–Shoup [wikipedia.org]
• DH [wikipedia.org]
• DSA [wikipedia.org]
• ECDH [wikipedia.org]
  • X25519 [wikipedia.org]
  • X448 [wikipedia.org]
• ECDSA [wikipedia.org]
• EdDSA [wikipedia.org]
  • Ed25519 [wikipedia.org]
  • Ed448 [wikipedia.org]
• ECMQV [wikipedia.org]
• EKE [wikipedia.org]
• ElGamal [wikipedia.org]
  • signature scheme [wikipedia.org]
• MQV [wikipedia.org]
• Schnorr [wikipedia.org]
• SPEKE [wikipedia.org]
• SRP [wikipedia.org]
• STS [wikipedia.org]

Lattice/SVP/CVP [wikipedia.org]/LWE [wikipedia.org]/SIS [wikipedia.org]

• Kyber
• NTRUEncrypt [wikipedia.org]
• NTRUSign [wikipedia.org]
• RLWE-KEX [wikipedia.org]
• RLWE-SIG [wikipedia.org]
• BLISS [wikipedia.org]
• NewHope [wikipedia.org]

Others

• AE [wikipedia.org]
• CEILIDH [wikipedia.org]
• EPOC [wikipedia.org]
• HFE [wikipedia.org]
• IES [wikipedia.org]
• Lamport [wikipedia.org]
• McEliece [wikipedia.org]
• Merkle–Hellman [wikipedia.org]
• Naccache–Stern knapsack cryptosystem [wikipedia.org]
• Three-pass protocol [wikipedia.org]
• XTR [wikipedia.org]

Theory

• Discrete logarithm cryptography [wikipedia.org]
• Elliptic-curve cryptography [wikipedia.org]
• Hash-based cryptography [wikipedia.org]
• Non-commutative cryptography [wikipedia.org]
• RSA problem [wikipedia.org]
• Trapdoor function [wikipedia.org]

Standardization

• CRYPTREC [wikipedia.org]
• IEEE P1363 [wikipedia.org]
• NESSIE [wikipedia.org]
• NSA Suite B [wikipedia.org]
• Post-Quantum Cryptography [wikipedia.org]

Topics

• Digital signature [wikipedia.org]
• OAEP [wikipedia.org]
• Fingerprint [wikipedia.org]
• PKI [wikipedia.org]
• Web of trust [wikipedia.org]
• Key size [wikipedia.org]
• Identity-based cryptography [wikipedia.org]
• Post-quantum cryptography [wikipedia.org]
• OpenPGP card [wikipedia.org]

General

• History of cryptography [wikipedia.org]
• Outline of cryptography [wikipedia.org]
• Cryptographic protocol [wikipedia.org]
  • Authentication protocol [wikipedia.org]
• Cryptographic primitive [wikipedia.org]
• Cryptanalysis [wikipedia.org]
• Cryptocurrency [wikipedia.org]
• Cryptosystem [wikipedia.org]
• Cryptographic nonce [wikipedia.org]
• Cryptovirology [wikipedia.org]
• Hash function [wikipedia.org]
  • Cryptographic hash function [wikipedia.org]
  • Key derivation function [wikipedia.org]
• Digital signature [wikipedia.org]
• Kleptography [wikipedia.org]
• Key (cryptography) [wikipedia.org]
• Key exchange [wikipedia.org]
• Key generator [wikipedia.org]
• Key schedule [wikipedia.org]
• Key stretching [wikipedia.org]
• Keygen [wikipedia.org]
• Cryptojacking malware [wikipedia.org]
• Ransomware [wikipedia.org]
• Random number generation [wikipedia.org]
  • Cryptographically secure pseudorandom number generator [wikipedia.org] (CSPRNG)
• Pseudorandom noise [wikipedia.org] (PRN)
• Secure channel [wikipedia.org]
• Insecure channel [wikipedia.org]
• Subliminal channel [wikipedia.org]
• Encryption [wikipedia.org]
• Decryption [wikipedia.org]
• End-to-end encryption [wikipedia.org]
• Harvest now, decrypt later [wikipedia.org]
• Information-theoretic security [wikipedia.org]
• Plaintext [wikipedia.org]
• Codetext [wikipedia.org]
• Ciphertext [wikipedia.org]
• Shared secret [wikipedia.org]
• Trapdoor function [wikipedia.org]
• Trusted timestamping [wikipedia.org]
• Key-based routing [wikipedia.org]
• Onion routing [wikipedia.org]
• Garlic routing [wikipedia.org]
• Kademlia [wikipedia.org]
• Mix network [wikipedia.org]

Mathematics

• Cryptographic hash function [wikipedia.org]
• Block cipher [wikipedia.org]
• Stream cipher [wikipedia.org]
• Symmetric-key algorithm [wikipedia.org]
• Authenticated encryption [wikipedia.org]
• Public-key cryptography [wikipedia.org]
• Quantum key distribution [wikipedia.org]
• Quantum cryptography [wikipedia.org]
• Post-quantum cryptography [wikipedia.org]
• Message authentication code [wikipedia.org]
• Random numbers [wikipedia.org]
• Steganography [wikipedia.org]

• Category [wikipedia.org]

Original Submission