Bitbashing (Posts about crypto)

Const-time Modular Inversion Using CRT

Jack Lloyd — Wed, 04 Mar 2020 05:00:00 GMT

Modular inversion is an important component in many cryptographic computations, notably in number-theoretic public key cryptosystems like RSA and ECDSA. In such uses, we must both perform the computation as quickly as possible and also in const-time, that is without any software-observable side channels which leak information about the inputs or output. Otherwise it is possible to attack computations such as RSA key generation or ECDSA signature generation, and recover the secret key.

This is a bad thing.

Read more… (3 min remaining to read)

Simple and hardware friendly RSA threshold signatures

Jack Lloyd — Sun, 04 Aug 2019 04:00:00 GMT

A \((n,t)\) threshold signature schemes allow splitting a key into \(n\) pieces, in such a way that at least \(t < n\) participants must jointly use their key shards in order to generate a valid signature.

Many techniques for RSA threshold signatures have been developed. Currently published techniques require either a trusted dealer, or use of a distributed key generation algorithm. In addition, the signers must perform a non-standard RSA signature; that is, signing a message with a private exponent which is not equal to \(e^{-1} \bmod n\). Both requirements prevent using standard hardware such as HSMs or smartcards to protect the key shards.

I discovered a technique for \(n\)-of-\(n\) RSA signatures where both keys and signatures can be computed using standard cryptographic hardware.

How Not To Do BLS Signatures

Jack Lloyd — Wed, 24 Jul 2019 04:00:00 GMT

The BLS signature scheme has several interesting properties, namely that the signatures are very short compared to any other known scheme, and it affords a simple implementation of threshold signatures and signature aggregation. For these reasons it has been of some interest especially in cryptocurrencies which can make good use of these properties.

Read more… (3 min remaining to read)

The Case For Skein

Jack Lloyd — Fri, 09 Oct 2009 04:00:00 GMT

After the initial set of attacks on MD5 and SHA-1, NIST organized a series of conferences on hash function design. I was lucky enough to be able to attend the first one, and had a great time. This was the place where the suggestion of a competition in the style of the AES process to replace SHA-1 and SHA-2 was first proposed (to wide approval). This has resulted in over 60 submissions to the SHA-3 contest, of which 14 have been brought into the second round.

Of the second round contenders, I think Skein is the best choice for becoming SHA-3, and want to explain why I think so.

Speeding up Serpent: SIMD Edition

Jack Lloyd — Wed, 09 Sep 2009 04:00:00 GMT

The Serpent block cipher was one of the 5 finalists in the AES competition, and is widely thought to be the most secure of them due to its conservative design. It was also considered the slowest candidate, which is one major reason it did not win the AES contest. However, it turns out that on modern machines one can use SIMD operations to implement Serpent at speeds quite close to AES.

Read more… (3 min remaining to read)

On Syllable's /dev/random

Jack Lloyd — Tue, 09 Dec 2008 05:00:00 GMT

Inspired by the recent FreeBSDarc4random vulnerability, I've been taking a look at the random number generators used by various libraries and operating systems.

Read more… (3 min remaining to read)

Serious Weakness in GNU Classpath/gcj PRNG; DSA keys are compromised

Jack Lloyd — Sat, 06 Dec 2008 05:00:00 GMT

GNU Classpath is an open source implementation of the Java class libraries used by gcj, the GNU Compiler for Java. One component of the Java library is JCE, the Java Cryptography Extensions (so called because originally it was not bundled with the JVM due to United States export restrictions), which provides the basic crypto features one would expect (ciphers, hashing, signatures) for Java applications. I found a rather interesting bug that compromised all RSA and DSA keys used with GNU classpath.

The More Things Change...

Jack Lloyd — Fri, 05 Dec 2008 05:00:00 GMT

"Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." - John von Neumann, 1951

On an Ubuntu forum I caught a reference to a C++ library called JUCE, which is one of those all-inclusive C++ libraries along the lines of POCO or GNU Common C++. One thing I noticed was that it includes a few cryptographic operations, including RSA key generation, so I decided to take a peek at the latest release as of this writing, 1.46.

Fun with assembly

Jack Lloyd — Sun, 13 Aug 2006 04:00:00 GMT

"If you can explain how you do something, then you're very very bad at it."

-- John Hopfield

The Monotone folks have been doing some profiling and performance work of late. One thing that came out of that was the finding that Botan's SHA-1 implementation was causing a bottleneck; because Monotone identifies everything via hashes, there are times where it needs to hash many (many) megabytes of source data, and the faster that happens, the better. Since low-level C++ wasn't cutting it, I felt that it was time to try my hand at x86 assembly again.

Read more… (3 min remaining to read)

Observation on the SSLv3 MAC function

Jack Lloyd — Sat, 11 Jan 2003 05:00:00 GMT

SSLv3 uses an early form of HMAC for message authentication functions (we will denote this MAC as SSL3-MAC for brevity). A critical point of the security of HMAC (and SSL3-MAC) is that the each of the transformed keys (termed ikey and okey) is exactly B bytes long, where B is the input size of the hash function (for the MD5 and SHA-1 hash functions, B = 64).