{"version":"https://jsonfeed.org/version/1","title":"Cryptography FM","home_page_url":"https://www.cryptography.fm","feed_url":"https://www.cryptography.fm/json","description":"Cryptography FM is a regular podcast with news and a featured interview covering the latest developments in theoretical and applied cryptography. Whether it's a new innovative paper on lattice-based cryptography or a novel attack on a secure messaging protocol, we'll get the people behind it on Cryptography FM.","_fireside":{"subtitle":"In-depth, substantive discussions on the latest news and research in applied cryptography.","pubdate":"2023-02-27T16:00:00.000+01:00","explicit":false,"copyright":"2024 by Symbolic Software","owner":"Symbolic Software","image":"https://assets.fireside.fm/file/fireside-images/podcasts/images/a/ab43586a-0143-48c8-af78-ac9dc4316514/cover.jpg?v=2"},"items":[{"id":"04054859-6600-435c-b34c-083d4c90a77c","title":"Episode 24: CryptoHack's Collection of Cryptic Conundrums!","url":"https://www.cryptography.fm/24","content_text":"For several years, CryptoHack has been a free platform for learning modern cryptography through fun and challenging programming puzzles. From toy ciphers to post-quantum cryptography, CryptoHack has a wide-ranging and ever increasing library of puzzles for both the aspiring and accomplished cryptographer. On this episode, Nadim and Lucas are joined by Giacomo Pope and Laurence Tennant, the founders of CryptoHack, to discuss how the platform came to be, and how it evolved, as well as how to improve cryptographic pedagogy more broadly.Special Guests: Giacomo Pope and Laurence Tennant.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. 
We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links:CryptoHack — A fun, free platform for learning modern cryptographySome Cryptography Books I Like — This is just a brief post going over a few books on Cryptography I’ve read, and would potentially recommend to people interested in the topic.","content_html":"

For several years, CryptoHack has been a free platform for learning modern cryptography through fun and challenging programming puzzles. From toy ciphers to post-quantum cryptography, CryptoHack has a wide-ranging and ever increasing library of puzzles for both the aspiring and accomplished cryptographer. On this episode, Nadim and Lucas are joined by Giacomo Pope and Laurence Tennant, the founders of CryptoHack, to discuss how the platform came to be, and how it evolved, as well as how to improve cryptographic pedagogy more broadly.

Special Guests: Giacomo Pope and Laurence Tennant.

Sponsored By:

Links:

","summary":"For several years, CryptoHack has been a free platform for learning modern cryptography through fun and challenging programming puzzles. From toy ciphers to post-quantum cryptography, CryptoHack has a wide-ranging and ever increasing library of puzzles for both the aspiring and accomplished cryptographer. On this episode, Nadim and Lucas are joined by Giacomo Pope and Laurence Tennant, the founders of CryptoHack, to discuss how the platform came to be, and how it evolved, as well as how to improve cryptographic pedagogy more broadly.","date_published":"2023-02-27T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/04054859-6600-435c-b34c-083d4c90a77c.mp3","mime_type":"audio/mpeg","size_in_bytes":73615220,"duration_in_seconds":2958}]},{"id":"26c4ea07-d7f8-44f4-b72f-9c0f5bfe8005","title":"Episode 23: Psychic Signatures in Java!","url":"https://www.cryptography.fm/23","content_text":"On April 19th 2022, Neil Madden disclosed a vulnerability in many popular Java runtimes and development kits. The vulnerability, dubbed \"Psychic Signatures\", lies in the cryptography for ECDSA signatures and allows an attacker to bypass signature checks entirely for these signatures. How are popular cryptographic protocol implementations in Java affected? What's the state of Java cryptography as a whole? Join Neil, Nadim and Lucas as they discuss.\n\nMusic composed by Yasunori Mitsuda.Special Guest: Neil Madden.Sponsored By:Symbolic Software: Dr. Kobushi's Labyrinthine Laboratory® is a puzzle game that has been described as “a combination between Pac-Man and chess”. Guide the adventurous Ayla as she attempts to rescue her dog, Falafel, from the confines of a mysterious towering laboratory deep within a solitary forest. Dr. 
Kobushi's Labyrinthine Laboratory combines puzzle and strategy elements with an engaging storyline full of memorable characters and biting humor.IACR: \r\n\r\nAfricaCrypt is an annual International Conference on the Theory and Applications of Cryptology. AfricaCrypt is a major scientific event that seeks to advance and promote the field of cryptology on the African continent. The conference has systematically drawn some excellent contributions to the field, and has seen many renowned researchers deliver keynote presentations. The conference has always been organized in cooperation with the International Association for Cryptologic Research (IACR).Links:CVE-2022-21449: Psychic Signatures in JavaCVE-2022-21449 Proof of Concept — CVE-2022-21449 Proof of Concept demonstrating its usage with a client running on a vulnerable Java version and a malicious TLS server.Bitwarden design flaw: Server side iterations — In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sensitive data?API Security in Action — A web API is an efficient way to communicate with an application or service. However, this convenience opens your systems to new security risks. API Security in Action gives you the skills to build strong, safe APIs you can confidently expose to the world. Inside, you’ll learn to construct secure and scalable REST APIs, deliver machine-to-machine interaction in a microservices architecture, and provide protection in resource-constrained IoT (Internet of Things) environments.Illuminated Security News — A low-volume newsletter covering application security, applied cryptography, and identity & access management (IAM) topics. Every newsletter covers one topic in depth with links to interesting articles and podcasts from the wider community.","content_html":"

On April 19th 2022, Neil Madden disclosed a vulnerability in many popular Java runtimes and development kits. The vulnerability, dubbed "Psychic Signatures", lies in the cryptography for ECDSA signatures and allows an attacker to bypass signature checks entirely for these signatures. How are popular cryptographic protocol implementations in Java affected? What's the state of Java cryptography as a whole? Join Neil, Nadim and Lucas as they discuss.


Music composed by Yasunori Mitsuda.

Special Guest: Neil Madden.

Sponsored By:

Links:

","summary":"Nadim and Lucas talk to Neil Madden about his discovery of the \"Psychic Signatures\" vulnerability in Java, allowing attackers to completely bypass cryptographic signature checks in Java platforms in highly sensitive security contexts.","date_published":"2023-01-25T15:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/26c4ea07-d7f8-44f4-b72f-9c0f5bfe8005.mp3","mime_type":"audio/mpeg","size_in_bytes":80586225,"duration_in_seconds":3200}]},{"id":"856b33dd-f3d4-4e22-9d17-bfccafe87e75","title":"Episode 22: Three Lessons from Threema: Breaking a Secure Messenger!","url":"https://www.cryptography.fm/22","content_text":"Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers.\n\nKenny, Kien and Matteo from the ETH Zurich Applied Cryptography Group present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice. \n\nLinks and papers discussed in the show:\n\n\nThree Lessons from Threema\nSpecial Guests: Kenny Paterson, Kien Tuong Truong, and Matteo Scarlata.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links:Three Lessons from Threema: Analysis of a Secure Messenger","content_html":"

Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers.


Kenny, Kien and Matteo from the ETH Zurich Applied Cryptography Group present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.


Links and papers discussed in the show:


Special Guests: Kenny Paterson, Kien Tuong Truong, and Matteo Scarlata.

Sponsored By:

Links:

","summary":"Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers.\r\n\r\nKenny, Kien and Matteo from the ETH Zurich Applied Cryptography Group present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice. ","date_published":"2023-01-16T13:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/856b33dd-f3d4-4e22-9d17-bfccafe87e75.mp3","mime_type":"audio/mpeg","size_in_bytes":76827255,"duration_in_seconds":3132}]},{"id":"47d6b3f7-bea5-4449-80d6-72321405466e","title":"Episode 21: Proving Fundamental Equivalencies in Isogeny Mathematics!","url":"https://www.cryptography.fm/21","content_text":"Benjamin Wesolowski talks about his latest paper in which he mathematically proved that the two fundamental problems underlying isogeny-based cryptography are equivalent.\n\nLinks and papers discussed in the show:\n\n\nThe supersingular isogeny path and endomorphism ring problems are equivalent\nEpisode 5: Isogeny-based Cryptography for Dummies!\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Benjamin Wesolowski.Sponsored By:Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. 
A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns.\r\n\r\nCapsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links:The supersingular isogeny path and endomorphism ring problems are equivalentEpisode 5: Isogeny-based Cryptography for Dummies!","content_html":"

Benjamin Wesolowski talks about his latest paper in which he mathematically proved that the two fundamental problems underlying isogeny-based cryptography are equivalent.


Links and papers discussed in the show:


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Benjamin Wesolowski.

Sponsored By:

Links:

","summary":"Benjamin Wesolowski talks about his latest paper in which he mathematically proved that the two fundamental problems underlying isogeny-based cryptography are equivalent.","date_published":"2021-08-24T14:15:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/47d6b3f7-bea5-4449-80d6-72321405466e.mp3","mime_type":"audio/mpeg","size_in_bytes":67493429,"duration_in_seconds":2812}]},{"id":"b60866a9-b2e2-4f18-afa5-9e85ed75887d","title":"Episode 20: Cryptanalysis of GPRS: GEA-1 and GEA-2!","url":"https://www.cryptography.fm/20","content_text":"A team of cryptanalysits presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, they show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time 240 GEA-1 evaluations and using 44.5 GiB of memory. The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design.\n\n\nCryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Gaëtan Leurent and Håvard Raddum.Links:Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2","content_html":"

A team of cryptanalysts presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, they show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time 2^40 GEA-1 evaluations and using 44.5 GiB of memory. The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bits by design.


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Gaëtan Leurent and Håvard Raddum.

Links:

","summary":"Were GPRS's encryption ciphers deliberately backdoored? Nadim discusses this question with cryptanalysts Gaëtan Leurent and Håvard Raddum.","date_published":"2021-07-20T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/b60866a9-b2e2-4f18-afa5-9e85ed75887d.mp3","mime_type":"audio/mpeg","size_in_bytes":61829664,"duration_in_seconds":2576}]},{"id":"4ea88eab-7196-4078-a395-62a40fd2a756","title":"Episode 19: Cross-Protocol Attacks on TLS with ALPACA!","url":"https://www.cryptography.fm/19","content_text":"TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and Email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols.\n\nALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.\n\nLinks and papers discussed in the show:\n\n\nALPACA Attack Website\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Marcus Brinkmann and Robert Merget.Sponsored By:Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns.\r\n\r\nCapsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links:ALPACA Attack","content_html":"

TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and Email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols.


ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.


Links and papers discussed in the show:


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Marcus Brinkmann and Robert Merget.

Sponsored By:

Links:

","summary":"Nadim discusses a new line of cross-protocol attacks on TLS with Marcus Brinkmann and Robert Merget, made possible via the new ALPACA Attack, research published this year at the USENIX Security Symposium.","date_published":"2021-07-12T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/4ea88eab-7196-4078-a395-62a40fd2a756.mp3","mime_type":"audio/mpeg","size_in_bytes":60102448,"duration_in_seconds":2504}]},{"id":"6191fef0-12fb-4581-be91-8c6ae713eff1","title":"Episode 18: Optimizing Cryptography for Microcontrollers!","url":"https://www.cryptography.fm/18","content_text":"Nadim talks with Peter Schwabe and Matthias Kannwischer about the considerations — both in terms of security and performance — when implementing cryptographic primitives for low-level and embedded platforms.\n\nLinks and papers discussed in the show:\n\n\nOptimizing crypto on embedded microcontrollers\nImplementing post-quantum cryptography on embedded microcontrollers\nOptimizing crypto on embedded microcontrollers (ASEC 2018)\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Matthias Kannwischer and Peter Schwabe.Sponsored By:Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns.\r\n\r\nCapsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.","content_html":"

Nadim talks with Peter Schwabe and Matthias Kannwischer about the considerations — both in terms of security and performance — when implementing cryptographic primitives for low-level and embedded platforms.


Links and papers discussed in the show:


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Matthias Kannwischer and Peter Schwabe.

Sponsored By:

","summary":"Nadim talks with Peter Schwabe and Matthias Kannwischer about the considerations — both in terms of security and performance — when implementing cryptographic primitives for low-level and embedded platforms","date_published":"2021-06-23T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/6191fef0-12fb-4581-be91-8c6ae713eff1.mp3","mime_type":"audio/mpeg","size_in_bytes":53189821,"duration_in_seconds":2216}]},{"id":"d14ed975-7bb2-4d45-88dd-700f253f76c8","title":"Episode 17: Breaking Wi-Fi With Frame Attacks!","url":"https://www.cryptography.fm/17","content_text":"Wi-Fi is a pretty central technology to our daily lives, whether at home or at the office. Given that so much sensitive data is regularly exchanged between Wi-Fi devices, a number of standards have been developed to ensure the privacy and authentication of Wi-Fi communications.\n\nHowever, a recent paper shows that every single Wi-Fi network protection standard since 1997, from WEP all the way to WPA3, is exposed to a critical vulnerability that allows the exfiltration of sensitive data. How far does this new attack go? How does it work? And why wasn’t it discovered before? We’ll discuss this and more in this episode of Cryptography FM.\n\nLinks and papers discussed in the show:\n\n\nFragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation\nDragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd\nRelease the Kraken: New KRACKs in the 802.11 Standard\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Mathy Vanhoef.Sponsored By:Capsule Social: At Capsule Social, Inc. we are building a platform for decentralized discourse. 
A place where content creators, writers, and thinkers have full ownership and control over their speech, and enjoy resilience from censorship and takedowns.\r\n\r\nCapsule Social is hiring decentralized technology engineers, and we'd be thrilled for you to apply.Links:Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation — In this paper, we present three design flaws in the 802.11 standard that underpins Wi-Fi. One design flaw is in the frame aggregation functionality, and another two are in the frame fragmentation functionality. These design flaws enable an adversary to forge encrypted frames in various ways, which in turn enables exfiltration of sensitive data. We also discovered common implementation flaws related to aggregation and fragmentation, which further worsen the impact of our attacks. Our results affect all protected Wi-Fi networks, ranging from WEP all the way to WPA3, meaning the discovered flaws have been part of Wi-Fi since its release in 1997. In our experiments, all devices were vulnerable to one or more of our attacks, confirming that all Wi-Fi devices are likely affected. Finally, we present a tool to test whether devices are affected by any of the vulnerabilities, and we discuss countermeasures to prevent our attacks.Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd — We systematically analyze WPA3 and EAP-pwd, find denial-of-service and downgrade attacks, present severe vulnerabilities in all implementations, reveal side-channels that enable offline dictionary attacks, and propose design fixes which are being officially adopted.Release the Kraken: New KRACKs in the 802.11 Standard — We improve key reinstallation attacks (KRACKs) against 802.11 by generalizing known attacks, systematically analyzing all handshakes, bypassing 802.11’s official countermeasure, auditing (flawed) patches, and enhancing attacks using implementation-specific bugs.","content_html":"

Wi-Fi is a pretty central technology to our daily lives, whether at home or at the office. Given that so much sensitive data is regularly exchanged between Wi-Fi devices, a number of standards have been developed to ensure the privacy and authentication of Wi-Fi communications.


However, a recent paper shows that every single Wi-Fi network protection standard since 1997, from WEP all the way to WPA3, is exposed to a critical vulnerability that allows the exfiltration of sensitive data. How far does this new attack go? How does it work? And why wasn’t it discovered before? We’ll discuss this and more in this episode of Cryptography FM.


Links and papers discussed in the show:


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Mathy Vanhoef.

Sponsored By:

Links:

","summary":"Mathy Vanhoef breaks Wi-Fi security yet again, with a new frame aggregation attack that affects all Wi-Fi encryption standards since 1997 and up to today.","date_published":"2021-06-01T14:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/d14ed975-7bb2-4d45-88dd-700f253f76c8.mp3","mime_type":"audio/mpeg","size_in_bytes":51797390,"duration_in_seconds":2158}]},{"id":"65362544-3293-41c7-8650-f2cf8e2058a7","title":"Episode 16: Contact Discovery in Mobile Messengers!","url":"https://www.cryptography.fm/16","content_text":"Contact discovery is a core feature in popular mobile messaging apps such as WhatsApp, Signal and Telegram that lets users grant access to their address book in order to discover which of their contacts are on that messaging service. While contact discovery is critical for WhatsApp, Signal and Telegram to function properly, privacy concerns arise with the current methods and implementations of this feature, potentially resulting in the exposure of a range of sensitive information about users and their social circle.\n\nDo we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results.\n\nLinks and papers discussed in the show:\nAll the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Alexandra Dmitrienko, Christian Weinert, and Christoph Hagen.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. 
We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links:All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers — Contact discovery allows users of mobile messengers to conveniently connect with people in their address book. In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.\r\nOur study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, large-scale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service. We present interesting (cross-messenger) usage statistics, which also reveal that very few users change the default privacy settings. Regarding mitigations, we propose novel techniques to significantly limit the feasibility of our crawling attacks, especially a new incremental contact discovery scheme that strictly improves over Signal’s current approach.\r\nFurthermore, we show that currently deployed hashing-based contact discovery protocols are severely broken by comparing three methods for efficient hash reversal of mobile phone numbers. For this, we also propose a significantly improved rainbow table construction for non-uniformly distributed inputs that is of independent interest.","content_html":"

Contact discovery is a core feature in popular mobile messaging apps such as WhatsApp, Signal and Telegram that lets users grant access to their address book in order to discover which of their contacts are on that messaging service. While contact discovery is critical for WhatsApp, Signal and Telegram to function properly, privacy concerns arise with the current methods and implementations of this feature, potentially resulting in the exposure of a range of sensitive information about users and their social circle.


Do we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results.


Links and papers discussed in the show:
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Alexandra Dmitrienko, Christian Weinert, and Christoph Hagen.

Sponsored By:

Links:

","summary":"Do we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results.","date_published":"2021-05-24T15:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/65362544-3293-41c7-8650-f2cf8e2058a7.mp3","mime_type":"audio/mpeg","size_in_bytes":56095263,"duration_in_seconds":2804}]},{"id":"4a9d0136-c7f2-4ed9-9be0-9c0ff4e4751f","title":"Episode 15: Bringing Secure Multiparty Computation to the Real World!","url":"https://www.cryptography.fm/15","content_text":"Secure multi-party computation is a fascinating field in cryptography, researching how to allow multiple parties to compute secure operations over inputs while keeping those inputs private. This makes multi-party computation a super relevant technology in areas such as code signing, hospital records and more.\n\nBut what does it take to bring secure multi-party computation from the blank slate of academia and into the messiness of the real world? Today on Cryptography FM, we’re joined by Dr. Yehuda Lindell and Dr. Nigel Smart, from Unbound Security, to tell us about their research, their experiences with real world secure multiparty computation, and more.\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Nigel Smart and Yehuda Lindell.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Secure multi-party computation is a fascinating field in cryptography, researching how to allow multiple parties to compute secure operations over inputs while keeping those inputs private. This makes multi-party computation a super relevant technology in areas such as code signing, hospital records and more.


But what does it take to bring secure multi-party computation from the blank slate of academia and into the messiness of the real world? Today on Cryptography FM, we’re joined by Dr. Yehuda Lindell and Dr. Nigel Smart, from Unbound Security, to tell us about their research, their experiences with real world secure multiparty computation, and more.


Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Nigel Smart and Yehuda Lindell.

Sponsored By:

","summary":"Nadim talks with Yehuda Lindell and Nigel Smart of Unbound Security about how multi-party computation can enter the real world, away from the blank slate of academia.","date_published":"2021-04-26T16:30:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/4a9d0136-c7f2-4ed9-9be0-9c0ff4e4751f.mp3","mime_type":"audio/mpeg","size_in_bytes":56205499,"duration_in_seconds":2810}]},{"id":"37c51227-b921-4664-8ae5-a56f3d81bfd1","title":"Episode 14: Schnorr, Factoring and Lattices!","url":"https://www.cryptography.fm/14","content_text":"On March 1st, 2021, a curious paper appeared on the Cryptology ePrint Archive: senior cryptographer Claus Peter Schnorr submitted research that claims to use lattice mathematics to improve the fast factoring of integers so much that he was able to completely “destroy the RSA cryptosystem” -- certainly a serious claim.\n\nStrangely, while the paper’s ePrint abstract did mention RSA, the paper itself didn’t. Two days later, Schnorr pushed an updated version of the paper, clarifying his method.\n\nDoes Schnorr’s proposed method for “destroying RSA” hold water, however? Some cryptographers aren’t convinced. Joining us today is Leo Ducas , a tenured researcher at CWI, Amsterdam who specialises in lattice-based cryptography, to help us understand where Schnorr was coming from, whether his results stand on their own, and how the influence of lattice mathematics in applied cryptography has grown over the past decade.\n\nLinks and papers discussed in the show:\n\n\nSchnorr's ePrint submission\nLeo Ducas's implementation of Schnorr's proposed algorithm in Sage\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Léo Ducas.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. 
Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links:Fast Factoring Integers by SVP Algorithms by Claus Peter Schnorr — \"[...] This destroys the RSA cryptosystem.\"Testing Schnorr's factoring Claim in SageMath","content_html":"

On March 1st, 2021, a curious paper appeared on the Cryptology ePrint Archive: senior cryptographer Claus Peter Schnorr submitted research that claims to use lattice mathematics to improve the fast factoring of integers so much that he was able to completely “destroy the RSA cryptosystem” -- certainly a serious claim.

Strangely, while the paper’s ePrint abstract did mention RSA, the paper itself didn’t. Two days later, Schnorr pushed an updated version of the paper, clarifying his method.

Does Schnorr’s proposed method for “destroying RSA” hold water, however? Some cryptographers aren’t convinced. Joining us today is Leo Ducas, a tenured researcher at CWI, Amsterdam who specialises in lattice-based cryptography, to help us understand where Schnorr was coming from, whether his results stand on their own, and how the influence of lattice mathematics in applied cryptography has grown over the past decade.

Links and papers discussed in the show:

Schnorr's ePrint submission
Leo Ducas's implementation of Schnorr's proposed algorithm in Sage

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Léo Ducas.

Sponsored By:

Links:

","summary":"Did Schnorr \"destroy RSA\" with his surprising ePrint submission? Lattice cryptography expert Léo Ducas joins Nadim from CWI, Amsterdam to discuss this topic and more on Cryptography FM.","date_published":"2021-03-30T16:30:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/37c51227-b921-4664-8ae5-a56f3d81bfd1.mp3","mime_type":"audio/mpeg","size_in_bytes":55805304,"duration_in_seconds":2790}]},{"id":"5d679e54-9e7b-4018-bbbf-19b62a834439","title":"Episode 13: Zero-Knowledge STARKs in the Real World!","url":"https://www.cryptography.fm/13","content_text":"Zero-Knowledge proofs have broadened the realm of use cases for applied cryptography over the past decade, from privacy-enhanced cryptocurrencies to applications in voting, finance, protecting medical data and more. In 2018, Dr. Eli Ben-Sasson and his team introduced ZK-STARKs, a new zero-knowledge construction that functions without trusted setup, thereby broadening what zero-knowledge systems are capable of. We’ll talk about ZK-STARKs and more with Eli in this episode of Cryptography FM.\n\nLinks and papers discussed in the show:\n\n\nScalable, transparent, and post-quantum secure computational integrity\nCairo Language\nCairo Workshop, 14-15 March 2021!\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Eli Ben-Sasson.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.Links:Scalable, transparent, and post-quantum secure computational integrityCairo LanguageCairo Workshop, 14-15 March 2021!","content_html":"

Zero-Knowledge proofs have broadened the realm of use cases for applied cryptography over the past decade, from privacy-enhanced cryptocurrencies to applications in voting, finance, protecting medical data and more. In 2018, Dr. Eli Ben-Sasson and his team introduced ZK-STARKs, a new zero-knowledge construction that functions without trusted setup, thereby broadening what zero-knowledge systems are capable of. We’ll talk about ZK-STARKs and more with Eli in this episode of Cryptography FM.

Links and papers discussed in the show:

Scalable, transparent, and post-quantum secure computational integrity
Cairo Language
Cairo Workshop, 14-15 March 2021!

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Eli Ben-Sasson.

Sponsored By:

Links:

","summary":"Zero-Knowledge proofs have broadened the realm of use cases for applied cryptography over the past decade, from privacy-enhanced cryptocurrencies to applications in voting, finance, protecting medical data and more. In 2018, Dr. Eli Ben-Sasson and his team introduced ZK-STARKs, a new zero-knowledge construction that functions without trusted setup, thereby broadening what zero-knowledge systems are capable of. We’ll talk about ZK-STARKs and more with Eli in this episode of Cryptography FM.","date_published":"2021-03-14T13:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/5d679e54-9e7b-4018-bbbf-19b62a834439.mp3","mime_type":"audio/mpeg","size_in_bytes":56417091,"duration_in_seconds":2820}]},{"id":"835db091-f937-4484-a131-25436120879e","title":"Episode 12: Special Real World Crypto 2021 Pre-Conference Coverage!","url":"https://www.cryptography.fm/12","content_text":"Every year, the IACR Real World Cryptography symposium brings together researchers, engineers and practitioners in applied cryptography to discuss cryptography that matters, in the real world. To me, this is the big one! The one cryptography conference that matters the most. Who needs proceedings when you’ve got so much excitement in the air, and so many results and projects that actually have a measurable impact on how cryptography affects the real world?\n\nThis year’s program is maybe the most exciting yet, with talks on secure channel protocols, multiparty computation, formal methods, post-quantum cryptography, humans, policy and cryptography, hardware, cryptocurrency, cryptography for the cloud, anonymity and more. So many exciting talks! So much new research to discuss! 
Like every year, Real World Crypto is shaping up to be a veritable who’s who of applied cryptography.\n\nIn this special episode of Cryptography FM, I’m joined by fellow researcher Benjamin Lipp in order to just… candidly go through the program of Real World Crypto 2021 and cover each talk’s abstract briefly.\n\nWe’re going to have another special episode after Real World Crypto 2021 as a post-conference episode in order to discuss the highlights of the conference. And hopefully we’ll do this every year here on Cryptography FM!\n\nMusic composed by Toby Fox and performed by The Consouls.Special Guest: Benjamin Lipp.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Every year, the IACR Real World Cryptography symposium brings together researchers, engineers and practitioners in applied cryptography to discuss cryptography that matters, in the real world. To me, this is the big one! The one cryptography conference that matters the most. Who needs proceedings when you’ve got so much excitement in the air, and so many results and projects that actually have a measurable impact on how cryptography affects the real world?

This year’s program is maybe the most exciting yet, with talks on secure channel protocols, multiparty computation, formal methods, post-quantum cryptography, humans, policy and cryptography, hardware, cryptocurrency, cryptography for the cloud, anonymity and more. So many exciting talks! So much new research to discuss! Like every year, Real World Crypto is shaping up to be a veritable who’s who of applied cryptography.

In this special episode of Cryptography FM, I’m joined by fellow researcher Benjamin Lipp in order to just… candidly go through the program of Real World Crypto 2021 and cover each talk’s abstract briefly.

We’re going to have another special episode after Real World Crypto 2021 as a post-conference episode in order to discuss the highlights of the conference. And hopefully we’ll do this every year here on Cryptography FM!

Music composed by Toby Fox and performed by The Consouls.

Special Guest: Benjamin Lipp.

Sponsored By:

","summary":"In this special episode, Nadim and Benjamin go through the entire program of IACR Real World Crypto 2021 in preparation for an exciting conference!","date_published":"2021-01-07T16:30:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/835db091-f937-4484-a131-25436120879e.mp3","mime_type":"audio/mpeg","size_in_bytes":96745579,"duration_in_seconds":5866}]},{"id":"18f5028d-d6c7-4331-bec2-a218ac954db5","title":"Episode 11: Breaking the Rainbow Post-Quantum Cryptography Candidate!","url":"https://www.cryptography.fm/11","content_text":"The race for post-quantum cryptographic signature primitives is in its final lap over at NIST, which recently announced DILITHIUM, FALCON and Rainbow as the three signature primitive finalists. But a paper recently published by KU Leuven researcher Ward Beullens claims to find serious weaknesses in the security of Rainbow, one of those three finalists. In fact, the paper claims that the weaknesses are so severe that Rainbow’s security parameters now fall short of the security requirements set out by the NIST post-quantum competition.\n\nBut how does Rainbow work, and how do these weaknesses affect it? And why weren’t they spotted until now? We discuss this and more in this week’s episode of Cryptography FM.\n\nLinks and papers discussed in the show:\n\n\nImproved Cryptanalysis of UOV and Rainbow\nSQISign: compact post-quantum signatures from quaternions and isogenies\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Ward Beullens.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

The race for post-quantum cryptographic signature primitives is in its final lap over at NIST, which recently announced DILITHIUM, FALCON and Rainbow as the three signature primitive finalists. But a paper recently published by KU Leuven researcher Ward Beullens claims to find serious weaknesses in the security of Rainbow, one of those three finalists. In fact, the paper claims that the weaknesses are so severe that Rainbow’s security parameters now fall short of the security requirements set out by the NIST post-quantum competition.

But how does Rainbow work, and how do these weaknesses affect it? And why weren’t they spotted until now? We discuss this and more in this week’s episode of Cryptography FM.

Links and papers discussed in the show:

Improved Cryptanalysis of UOV and Rainbow
SQISign: compact post-quantum signatures from quaternions and isogenies

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Ward Beullens.

Sponsored By:

","summary":"Serious weaknesses are uncovered in one of NIST's post-quantum cryptography finalists. Ward Beullens joins us to talk about his new research and more.","date_published":"2020-12-08T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/18f5028d-d6c7-4331-bec2-a218ac954db5.mp3","mime_type":"audio/mpeg","size_in_bytes":54917664,"duration_in_seconds":2288}]},{"id":"8be77a94-3f0f-4bb9-add8-18f1fc0fde93","title":"Episode 10: Exploiting Authenticated Encryption Key Commitment!","url":"https://www.cryptography.fm/10","content_text":"Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.\n\nIn reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.\n\nLinks and papers discussed in the show:\n\n\nHow to Abuse and Fix Authenticated Encryption Without Key Commitment\nMitra, Ange's software tool for generating binary polyglots\nShattered and other research into hash collisions\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Ange Albertini and Stefan Kölbl.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. 
Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Authenticated encryption such as AES-GCM or ChaCha20-Poly1305 is used in a wide variety of applications, including potentially in settings for which it was not originally designed. A question given relatively little attention is whether an authenticated encryption scheme guarantees “key commitment”: the notion that ciphertext should decrypt to a valid plaintext only under the key that was used to generate the ciphertext.

In reality, however, protocols and applications do rely on key commitment. A new paper by engineers at Google, the University of Haifa and Amazon demonstrates three recent applications where missing key commitment is exploitable in practice. They construct AES-GCM ciphertext which can be decrypted to two plaintexts valid under a wide variety of file formats, such as PDF, Windows executables, and DICOM; and the results may shock you.

Links and papers discussed in the show:

How to Abuse and Fix Authenticated Encryption Without Key Commitment
Mitra, Ange's software tool for generating binary polyglots
Shattered and other research into hash collisions

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Ange Albertini and Stefan Kölbl.

Sponsored By:

","summary":"Ange Albertini and Stefan Kölbl discuss how new research from Google, the University of Haifa and Amazon is exploiting authenticated encryption to make a PDF decrypt into... a different PDF. And much more.","date_published":"2020-12-01T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/8be77a94-3f0f-4bb9-add8-18f1fc0fde93.mp3","mime_type":"audio/mpeg","size_in_bytes":67073741,"duration_in_seconds":2794}]},{"id":"b20813a0-c3ff-42f1-9e2c-26d027ccd087","title":"Episode 9: Off-the-Record Messaging and PKI Implementations!","url":"https://www.cryptography.fm/9","content_text":"Before there was Signal, before there was WhatsApp, the realm of secure encrypted messaging was ruled by the Off-the-Record secure messaging protocol, created as an alternative to PGP that introduced security properties like forward secrecy and deniability that were considered exotic at the time.\n\nNow, more than a decade later, Off-the-Record messaging, or OTR, has been largely sidelined by Signal variants. But a small team of cryptography engineers is still working on pushing Off-the-Record messaging forward by focusing on use cases that they argue aren’t sufficiently covered by Signal. But what even is deniability, and how much does it matter in the real-world context of secure messaging? Sofía Celi joins us in today’s episode to talk about this and more.\n\nLinks and papers discussed in the show:\n\n\nOTRv4\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Sofía Celi.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Before there was Signal, before there was WhatsApp, the realm of secure encrypted messaging was ruled by the Off-the-Record secure messaging protocol, created as an alternative to PGP that introduced security properties like forward secrecy and deniability that were considered exotic at the time.

Now, more than a decade later, Off-the-Record messaging, or OTR, has been largely sidelined by Signal variants. But a small team of cryptography engineers is still working on pushing Off-the-Record messaging forward by focusing on use cases that they argue aren’t sufficiently covered by Signal. But what even is deniability, and how much does it matter in the real-world context of secure messaging? Sofía Celi joins us in today’s episode to talk about this and more.

Links and papers discussed in the show:

OTRv4

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Sofía Celi.

Sponsored By:

","summary":"Sofía Celi of Cloudflare talks about the latest version of Off-the-Record secure messaging protocol, why deniability is important, and more.","date_published":"2020-11-20T18:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/b20813a0-c3ff-42f1-9e2c-26d027ccd087.mp3","mime_type":"audio/mpeg","size_in_bytes":60036981,"duration_in_seconds":2501}]},{"id":"0e2d9289-5ce6-4d03-8032-be55c3af588c","title":"Episode‌ ‌8:‌ ‌Breaking‌ ‌Elliptic-Curve‌ ‌Signatures‌ ‌With‌ ‌LadderLeak!‌","url":"https://www.cryptography.fm/8","content_text":"Elliptic-curve signatures have become a highly used cryptographic primitive in secure messaging, TLS as well as in cryptocurrencies due to their high speed benefits over more traditional signature schemes. However, virtually all signature schemes are known to be susceptible to misuse, especially when information about the nonce is leaked to an attacker.\n\nLadderLeak is a new attack that exploits side channels present in ECDSA, claiming to allow real-world breaking of ECDSA with less than a bit of nonce leakage. But what does “less than a bit” mean in this context? Is LadderLeak really that effective at breaking ECDSA, with so little information to go on? Joining us this episode are LadderLeak co-authors Akira Takahashi, Mehdi Tibouchi and Yuval Yarom to discuss these questions and more.\n\nLinks and papers discussed in the show:\n\n\nLadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Akira Takahashi, Mehdi Tibouchi, and Yuval Yarom.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. 
We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Elliptic-curve signatures have become a highly used cryptographic primitive in secure messaging, TLS as well as in cryptocurrencies due to their high speed benefits over more traditional signature schemes. However, virtually all signature schemes are known to be susceptible to misuse, especially when information about the nonce is leaked to an attacker.

LadderLeak is a new attack that exploits side channels present in ECDSA, claiming to allow real-world breaking of ECDSA with less than a bit of nonce leakage. But what does “less than a bit” mean in this context? Is LadderLeak really that effective at breaking ECDSA, with so little information to go on? Joining us this episode are LadderLeak co-authors Akira Takahashi, Mehdi Tibouchi and Yuval Yarom to discuss these questions and more.

Links and papers discussed in the show:

LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Akira Takahashi, Mehdi Tibouchi, and Yuval Yarom.

Sponsored By:

","summary":"LadderLeak is a new attack that exploits side channels present in ECDSA, claiming to allow real-world breaking of ECDSA with less than a bit of nonce leakage. But what does “less than a bit” mean in this context? Is LadderLeak really that effective at breaking ECDSA, with so little information to go on? Joining us this episode are LadderLeak co-authors Akira Takahashi, Mehdi Tibouchi and Yuval Yarom to discuss these questions and more.","date_published":"2020-11-17T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/0e2d9289-5ce6-4d03-8032-be55c3af588c.mp3","mime_type":"audio/mpeg","size_in_bytes":61189294,"duration_in_seconds":2549}]},{"id":"09e54625-0f32-4b15-a3ae-881d0be8b502","title":"Episode 7: Scaling Up Secure Messaging to Large Groups With MLS!","url":"https://www.cryptography.fm/7","content_text":"Secure messaging protocols like Signal have succeeded at making end-to-end encryption the norm in messaging more generally. Whether you’re using WhatsApp, Wire, Facebook Messenger’s Secret Chat feature, or Signal itself, you’re benefiting from end-to-end encryption across all of your messages and calls, and it’s so transparent that most users aren’t even aware of it!\n\nOne area in which current secure messaging protocols have stalled, however, is the ability to scale secure conversations to groups of dozens, hundreds and even thousands of people. But the IETF’s Messaging Layer Security, or MLS, effort aims to make that happen. Bringing together a collaboration between Wire, Mozilla, Cisco, Facebook, as well as academia, MLS wants to become the TLS of secure messaging, and make it possible to hold secure conversations scaling to thousands of participants.\n\nBut what are the real-world implementation risks involved? 
Are conversations even worth securing when you’ve got hundreds of potential leakers?\n\nLinks and papers discussed in the show:\n\n\nMLS Website\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Raphael Robert.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Secure messaging protocols like Signal have succeeded at making end-to-end encryption the norm in messaging more generally. Whether you’re using WhatsApp, Wire, Facebook Messenger’s Secret Chat feature, or Signal itself, you’re benefiting from end-to-end encryption across all of your messages and calls, and it’s so transparent that most users aren’t even aware of it!

One area in which current secure messaging protocols have stalled, however, is the ability to scale secure conversations to groups of dozens, hundreds and even thousands of people. But the IETF’s Messaging Layer Security, or MLS, effort aims to make that happen. Bringing together a collaboration between Wire, Mozilla, Cisco, Facebook, as well as academia, MLS wants to become the TLS of secure messaging, and make it possible to hold secure conversations scaling to thousands of participants.

But what are the real-world implementation risks involved? Are conversations even worth securing when you’ve got hundreds of potential leakers?

Links and papers discussed in the show:

MLS Website

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Raphael Robert.

Sponsored By:

","summary":"Raphael Robert from Wire talks about how MLS wants to scale secure messaging to groups with hundreds or even thousands of participants.","date_published":"2020-11-10T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/09e54625-0f32-4b15-a3ae-881d0be8b502.mp3","mime_type":"audio/mpeg","size_in_bytes":65056879,"duration_in_seconds":2710}]},{"id":"aae91f49-12af-4049-9467-e43107dcd555","title":"Episode 6: Proving the Existence of Vulnerabilities With Zero-Knowledge Proofs!","url":"https://www.cryptography.fm/6","content_text":"Zero-knowledge proofs have been a notorious research target ever since Zcash and other cryptocurrencies have invented lots of new use cases for them. Range proofs, bullet proofs, you name it – all kinds of zero-knowledge mechanisms have received more and more attention.\n\nBut what about using zero-knowledge proofs to prove the existence of a software vulnerability? That way, you can prove that you have a zero-day without risking it getting stolen, putting both vulnerability researchers as well as companies looking to secure their software in a better position!\n\nThat’s what Dr. David Archer from Galois is working on, and he joins me today on Cryptography FM to discuss this new interesting use case, and more.\n\nLinks and papers discussed in the show:\n\n\nGalois Fromager\nUsing GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: David Archer.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Zero-knowledge proofs have been a notorious research target ever since Zcash and other cryptocurrencies have invented lots of new use cases for them. Range proofs, bullet proofs, you name it – all kinds of zero-knowledge mechanisms have received more and more attention.

But what about using zero-knowledge proofs to prove the existence of a software vulnerability? That way, you can prove that you have a zero-day without risking it getting stolen, putting both vulnerability researchers as well as companies looking to secure their software in a better position!

That’s what Dr. David Archer from Galois is working on, and he joins me today on Cryptography FM to discuss this new interesting use case, and more.

Links and papers discussed in the show:

Galois Fromager
Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: David Archer.

Sponsored By:

","summary":"Dr. David Archer of Galois discusses using zero-knowledge proof in order to prove the existence (or lack of) a software vulnerability without sharing details about the vulnerability itself.","date_published":"2020-11-03T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/aae91f49-12af-4049-9467-e43107dcd555.mp3","mime_type":"audio/mpeg","size_in_bytes":59671475,"duration_in_seconds":2486}]},{"id":"17a4b729-0fc3-4eb0-9b32-5f35683bd4c0","title":"Episode 5: Isogeny-based Cryptography for Dummies!","url":"https://www.cryptography.fm/5","content_text":"The NIST post-quantum competition has started a race for post-quantum cryptography. As a result, we’ve seen a great deal of research into alternative hard mathematical problems to use as a basis for public-key cryptography schemes. Lattice-based cryptography! Error-correcting code based cryptography! And of course, isogeny-based cryptography, have all received enormous renewed interest as a result.\n\nWhile the NIST post-quantum competition recently announced that it’s favoring candidates founded on lattice-based cryptography, it also encouraged further research into isogeny-based cryptography. But what even is isogeny-based cryptography? Is it as intimidating as it sounds? And what’s keeping it behind on NIST’s list of post-quantum primitives?\n\nToday, it’s my pleasure to be joined by isogeny-based cryptography researchers Luca de Feo and Hart Montgomery, co-authors of a recent publication titled “Cryptographic Group Actions and Applications”, which Luca affectionately described as a “isogeny-based cryptography for dummies” paper. 
We’ll be discussing isogeny-based cryptography and more.\n\nLinks and papers discussed in the show:\n\n\nCryptographic Group Actions and Applications\nCSIDH Intro\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Hart Montgomery and Luca De Feo.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

The NIST post-quantum competition has started a race for post-quantum cryptography. As a result, we’ve seen a great deal of research into alternative hard mathematical problems to use as a basis for public-key cryptography schemes. Lattice-based cryptography! Error-correcting code based cryptography! And of course, isogeny-based cryptography, have all received enormous renewed interest as a result.

While the NIST post-quantum competition recently announced that it’s favoring candidates founded on lattice-based cryptography, it also encouraged further research into isogeny-based cryptography. But what even is isogeny-based cryptography? Is it as intimidating as it sounds? And what’s keeping it behind on NIST’s list of post-quantum primitives?

Today, it’s my pleasure to be joined by isogeny-based cryptography researchers Luca de Feo and Hart Montgomery, co-authors of a recent publication titled “Cryptographic Group Actions and Applications”, which Luca affectionately described as an “isogeny-based cryptography for dummies” paper. We’ll be discussing isogeny-based cryptography and more.

Links and papers discussed in the show:

Cryptographic Group Actions and Applications
CSIDH Intro

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Hart Montgomery and Luca De Feo.

Sponsored By:

","summary":"Luca Deo Feo and Hart Montgomery try to explain isogeny-based cryptography to Nadim.","date_published":"2020-10-27T16:00:00.000+01:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/17a4b729-0fc3-4eb0-9b32-5f35683bd4c0.mp3","mime_type":"audio/mpeg","size_in_bytes":69957033,"duration_in_seconds":2914}]},{"id":"0b9296cd-08f2-4ddd-bf6a-516ae7ad3d4b","title":"Episode 4: Formally Verifying Your Taxes With Catala!","url":"https://www.cryptography.fm/4","content_text":"Anyone who’s looked at the French civil code -- or, God forbid, the French tax code -- will tell you that it takes more than a mere human mind to decipher its meaning, given how it’s been growing and growing ever since it was established by Napoleon hundreds of years ago.\n\nWell, Catala is a new project that takes this adage perhaps a bit too literally, by applying formal methods -- a field increasingly seen as immediately adjacent to cryptography -- on the French tax code! Catala aims to provide a “domain-specific programming language designed for deriving correct-by-construction implementations from legislative texts.” -- what that means is that you’ll be able to describe the tax code in a programming language, and get a proven-correct processing of your tax returns in that same language, too!\n\nThis episode of Cryptography FM is not directly about cryptography. Instead we’ll be covering a highly related and definitely interesting tangent: can we use the same formal methods that have recently proven the security of protocols like Signal and TLS in order to formally verify our tax returns? 
And, more importantly, can today’s guest help me pay less taxes?!\n\nJoining us today is doctoral student Denis Merigoux, to talk about Catala, and more.\n\nLinks:\n\n\nCatala homepage\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Denis Merigoux.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Anyone who’s looked at the French civil code -- or, God forbid, the French tax code -- will tell you that it takes more than a mere human mind to decipher its meaning, given how it’s been growing and growing ever since it was established by Napoleon hundreds of years ago.

Well, Catala is a new project that takes this adage perhaps a bit too literally, by applying formal methods -- a field increasingly seen as immediately adjacent to cryptography -- on the French tax code! Catala aims to provide a “domain-specific programming language designed for deriving correct-by-construction implementations from legislative texts.” -- what that means is that you’ll be able to describe the tax code in a programming language, and get a proven-correct processing of your tax returns in that same language, too!

This episode of Cryptography FM is not directly about cryptography. Instead we’ll be covering a highly related and definitely interesting tangent: can we use the same formal methods that have recently proven the security of protocols like Signal and TLS in order to formally verify our tax returns? And, more importantly, can today’s guest help me pay less taxes?!

Joining us today is doctoral student Denis Merigoux, to talk about Catala, and more.

Links:

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Denis Merigoux.

Sponsored By:

","summary":"Formal verification has been used to prove the security of cryptographic protocols like Signal and TLS – but can it also be used to verify the correctness of legislation? Denis Merigoux tells us about how Catala wants to use formal methods to verify the French tax code.","date_published":"2020-10-20T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/0b9296cd-08f2-4ddd-bf6a-516ae7ad3d4b.mp3","mime_type":"audio/mpeg","size_in_bytes":63271358,"duration_in_seconds":2636}]},{"id":"5cfe405b-94d1-401a-adf5-98850a709a99","title":"Episode 3: BLAKE3, A Parallelizable Hash Function Using Merkle Trees!","url":"https://www.cryptography.fm/3","content_text":"Ever since its introduction in 2012, the BLAKE hash function has been reputed for achieving performance matching and even exceeding MD5 while still maintaining a high security margin.\n\nWhile the original BLAKE did make it as a finalist to the NIST SHA3 competition, Keccak was ultimately selected. But this hasn’t discouraged the BLAKE team, who in January of this year, published BLAKE3, promising to be even faster than BLAKE2 thanks to a highly parallelizable design and fewer rounds.\n\nBut wait, what exactly is a parallelizable hash function? Isn't a lower round number risky? And heck, how do you even design a hash function?! Joining me today are two of the four BLAKE3 authors: Jack O’Connor and Jean-Philippe Aumasson, to discuss these questions and more.\n\nLinks and papers discussed in the show:\n\n\nBLAKE3\nToo Much Crypto\nPoSH: Proof of Staked Hardware Consensus\nOnline Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Jack O'Connor and Jean-Philippe Aumasson.Sponsored By:NSU: This episode of Cryptography FM is sponsored by NSUCRYPTO, the International Olympiad in Cryptography. 
NSUCrypto is the unique cryptographic Olympiad containing scientific mathematical problems for professionals, school and university students from any country. Its aim is to involve young researchers in solving curious and tough scientific problems of modern cryptography. From the very beginning, the concept of the Olympiad was not to focus on solving olympic tasks but on including unsolved research problems at the intersection of mathematics and cryptography. There were more than 1900 participants from 52 countries in the first six Olympiads!\r\n\r\nThe first round of the 2020 NSUCRYPTO Olympiad will be held this week on October 18th, so head over to the NSUCrypto website at https://nsucrypto.nsu.ru today to sign up and try your hand against interesting and fun cryptography puzzles!","content_html":"

Ever since its introduction in 2012, the BLAKE hash function has been reputed for achieving performance matching and even exceeding MD5 while still maintaining a high security margin.

While the original BLAKE did make it as a finalist to the NIST SHA3 competition, Keccak was ultimately selected. But this hasn’t discouraged the BLAKE team, who in January of this year, published BLAKE3, promising to be even faster than BLAKE2 thanks to a highly parallelizable design and fewer rounds.

But wait, what exactly is a parallelizable hash function? Isn't a lower round number risky? And heck, how do you even design a hash function?! Joining me today are two of the four BLAKE3 authors: Jack O’Connor and Jean-Philippe Aumasson, to discuss these questions and more.

Links and papers discussed in the show:

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Jack O'Connor and Jean-Philippe Aumasson.

Sponsored By:

","summary":"Jack O'Connor and Jean-Philippe Aumasson discuss how Merkle Trees make the new BLAKE3 hash function special, and talk about the design process for the BLAKE family of hash functions in general.","date_published":"2020-10-13T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/5cfe405b-94d1-401a-adf5-98850a709a99.mp3","mime_type":"audio/mpeg","size_in_bytes":65673787,"duration_in_seconds":2736}]},{"id":"c92ef410-d45c-4ab4-977e-c4bacff9ed30","title":"Episode 2: Breaking Lightweight Symmetric Cryptography!","url":"https://www.cryptography.fm/2","content_text":"Aside from working on a competition for standardizing post-quantum primitives, the United States National Institute of Standards and Technology, or NIST, has also organized a lightweight cryptography competition meant to attract designs for symmetric primitives, such as hash functions and authenticated encryption ciphers, that work in use cases where even AES is not an adequately speedy standard.\n\nAmong the submissions to NIST’s lightweight cryptography competition has been Gimli, a family of cryptographic primitives comprised of a hash function and of an authenticated encryption with associated data (AEAD) cipher. Named after the Lord of the Rings Dwarf warrior and authored by a long list of accomplished cryptographers, Gimli looked like a promising submission -- until a team of cryptanalysts at INRIA produced a surprising set of results outlining some potentially serious weaknesses in Gimli’s current design.\n\nIn their paper, which recently was declared as the winner of the IACR Asiacrypt 2020 Best Paper Award, Antonio Flórez Gutiérrez, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, André Schrottenloher and Ferdinand Sibleyras from the INRIA research institute here in France presented some very strong results against Gimli’s security.\n\nBut why does Gimli even matter? 
Why aren’t AES, ChaCha20-Poly1305, and BLAKE2 enough, even for the most performance-constrained scenarios? And how did this team of researchers succeed in obtaining such serious results on a family of cryptographic primitives that was certainly designed with care and expertise?\n\nLinks and papers discussed in the show:\n\n\nNew results on Gimli: full-permutation distinguishers and improved collisions\nLower Bounds on the Degree of Block Ciphers\nSaturnin lightweight cryptography\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guest: Léo Perrin.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

Aside from working on a competition for standardizing post-quantum primitives, the United States National Institute of Standards and Technology, or NIST, has also organized a lightweight cryptography competition meant to attract designs for symmetric primitives, such as hash functions and authenticated encryption ciphers, that work in use cases where even AES is not an adequately speedy standard.

Among the submissions to NIST’s lightweight cryptography competition has been Gimli, a family of cryptographic primitives comprised of a hash function and of an authenticated encryption with associated data (AEAD) cipher. Named after the Lord of the Rings Dwarf warrior and authored by a long list of accomplished cryptographers, Gimli looked like a promising submission -- until a team of cryptanalysts at INRIA produced a surprising set of results outlining some potentially serious weaknesses in Gimli’s current design.

In their paper, which recently was declared as the winner of the IACR Asiacrypt 2020 Best Paper Award, Antonio Flórez Gutiérrez, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin, André Schrottenloher and Ferdinand Sibleyras from the INRIA research institute here in France presented some very strong results against Gimli’s security.

But why does Gimli even matter? Why aren’t AES, ChaCha20-Poly1305, and BLAKE2 enough, even for the most performance-constrained scenarios? And how did this team of researchers succeed in obtaining such serious results on a family of cryptographic primitives that was certainly designed with care and expertise?

Links and papers discussed in the show:

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guest: Léo Perrin.

Sponsored By:

","summary":"Léo Perrin talks about how his team at INRIA was able to find serious breaks in the Gimli family of lightweight symmetric primitives, and why NIST's lightweight cryptography competition even matters in the first place, especially with block ciphers like AES dominating the industry.","date_published":"2020-10-06T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/c92ef410-d45c-4ab4-977e-c4bacff9ed30.mp3","mime_type":"audio/mpeg","size_in_bytes":76465687,"duration_in_seconds":2064}]},{"id":"9388fc99-034b-4ba0-9a04-524f8f8d277c","title":"Episode 1: Post-Quantum TLS With KEMs Instead of Signatures!","url":"https://www.cryptography.fm/1","content_text":"TLS 1.3 has been widely praised as a major upgrade to the Transport Layer Security protocol responsible for securing the majority of Web traffic. But one area in which TLS 1.3 seems to be lacking is its potential for resistance to attacks that utilize quantum computing – computers that, theoretically, could factor the products of large primes and solve the discrete logarithm problem in relatively short periods of time, significantly affecting the security of TLS 1.3.\n\nToday however, we’re discussing an interesting new paper, to be published at this year’s ACM CCS, which introduces KEMTLS: a modified version of TLS 1.3 that uses Key Encapsulation Mechanisms, or KEMs, instead of signatures for server authentication, thereby providing a sort of “post-quantum TLS”.\n\nBut what even are KEMs? Are quantum computers even a thing that we should be worried about? On the first ever episode of Cryptography FM, we’ll be hosting Dr. Douglas Stebila and PhD Candidate Thom Wiggers to discuss these questions and more.\n\nDr. Douglas Stebila is an Associate Professor of cryptography in the Department of Combinatorics & Optimization at the University of Waterloo in Waterloo, Ontario, Canada. 
His research focuses on improving the security of key exchange protocols and Internet cryptography protocols such as TLS and SSH, including the development of quantum-resistant solutions. His previous work on the integration of elliptic curve cryptography in TLS has been deployed on hundreds of millions of web browsers and servers worldwide. \n\nThom Wiggers is a PhD Candidate at the Institute of Computing and Information Sciences at Radboud University in The Netherlands. He is working on the interactions of post-quantum cryptography with protocols, under the supervision of Dr. Peter Schwabe, who is also a co-author of the research work that we’re going to discuss today.\n\nLinks to discussed papers:\n\n\nPost-quantum TLS without handshake signatures\nBig Other: Surveillance Capitalism and the Prospects of an Information Civilization\nSupersingular isogeny key exchange for beginners\nClone Detection in Secure Messaging: Improving Post-Compromise Security in Practice\n\n\nMusic composed by Toby Fox and performed by Sean Schafianski.Special Guests: Douglas Stebila and Thom Wiggers.Sponsored By:Symbolic Software: This episode is sponsored by Symbolic Software. Symbolic Software helps you bring in the experience and knowledge necessary to design, or prove secure, state-of-the-art cryptographic systems for new solutions. We've helped design and formally verify some of the world's most widely used cryptographic protocols.","content_html":"

TLS 1.3 has been widely praised as a major upgrade to the Transport Layer Security protocol responsible for securing the majority of Web traffic. But one area in which TLS 1.3 seems to be lacking is its potential for resistance to attacks that utilize quantum computing – computers that, theoretically, could factor the products of large primes and solve the discrete logarithm problem in relatively short periods of time, significantly affecting the security of TLS 1.3.

Today however, we’re discussing an interesting new paper, to be published at this year’s ACM CCS, which introduces KEMTLS: a modified version of TLS 1.3 that uses Key Encapsulation Mechanisms, or KEMs, instead of signatures for server authentication, thereby providing a sort of “post-quantum TLS”.

But what even are KEMs? Are quantum computers even a thing that we should be worried about? On the first ever episode of Cryptography FM, we’ll be hosting Dr. Douglas Stebila and PhD Candidate Thom Wiggers to discuss these questions and more.

Dr. Douglas Stebila is an Associate Professor of cryptography in the Department of Combinatorics & Optimization at the University of Waterloo in Waterloo, Ontario, Canada. His research focuses on improving the security of key exchange protocols and Internet cryptography protocols such as TLS and SSH, including the development of quantum-resistant solutions. His previous work on the integration of elliptic curve cryptography in TLS has been deployed on hundreds of millions of web browsers and servers worldwide.

Thom Wiggers is a PhD Candidate at the Institute of Computing and Information Sciences at Radboud University in The Netherlands. He is working on the interactions of post-quantum cryptography with protocols, under the supervision of Dr. Peter Schwabe, who is also a co-author of the research work that we’re going to discuss today.

Links to discussed papers:

Music composed by Toby Fox and performed by Sean Schafianski.

Special Guests: Douglas Stebila and Thom Wiggers.

Sponsored By:

","summary":"KEMTLS is a modified version of TLS 1.3 that uses Key Encapsulation Mechanisms, or KEMs, instead of signatures for server authentication, thereby providing a sort of “post-quantum TLS”. But what even are KEMs? Are quantum computers even a thing that we should be worried about? On the first ever episode of Cryptography FM, we’ll be hosting Dr. Douglas Stebila and PhD Candidate Thom Wiggers to discuss these questions and more.","date_published":"2020-09-29T16:00:00.000+02:00","attachments":[{"url":"https://chtbl.com/track/1E9A46/aphid.fireside.fm/d/1437767933/ab43586a-0143-48c8-af78-ac9dc4316514/9388fc99-034b-4ba0-9a04-524f8f8d277c.mp3","mime_type":"audio/mpeg","size_in_bytes":78630395,"duration_in_seconds":2143}]}]}