Security Cryptography Whatever

Facebook Messenger has finally been end-to-end encrypted, a couple of years after Mark Zuckerberg announced it! Plus Instagram DMs are trialing ephemeral E2EE DMs too! We invited on Jon Millican and Timothy Buck from Meta to discuss this major cross-platform endeavor, and how David Bowie fits into their personal Labyrinth.Transcript: https://securitycryptographywhatever.com/2023/12/28/e2ee-fb-messenger/Links:- https://www.facebook.com/notes/2420600258234172- https://eprint.iacr.org/2022/1044.pdf- https://engineering.fb.com/2023/12/06/security/building-end-to-end-security-for-messenger/- https://www.theverge.com/2023/12/6/23991501/facebook-messenger-default-end-to-end-encryption-meta- https://www.threads.net/@jonmillican/post/C0kQPAyoFpr- https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview_12-6-2023.pdf- https://engineering.fb.com/wp-content/uploads/2023/12/TheLabyrinthEncryptedMessageStorageProtocol_12-6-2023.pdf- https://engineering.fb.com/2022/03/10/security/code-verify/- https://chrome.google.com/webstore/detail/code-verify/llohflklppcaghdpehpbklhlfebooeog"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Returning champion Martin Albrecht joins us to help explain how we measure the security of lattice-based cryptosystems like Kyber and Dilithium against attackers. QRAM, BKZ, LLL, oh my!Transcript: https://securitycryptographywhatever.com/2023/11/13/lattice-attacks/Links:- https://pq-crystals.org/kyber/index.shtml- https://pq-crystals.org/dilithium/index.shtml- https://eprint.iacr.org/2019/930.pdf- https://en.wikipedia.org/wiki/Short_integer_solution_problem- Frodo: https://eprint.iacr.org/2016/659- https://csrc.nist.gov/CSRC/media/Events/third-pqc-standardization-conference/documents/accepted-papers/ribeiro-saber-pq-key-pqc2021.pdf- https://en.wikipedia.org/wiki/Hermite_normal_form- https://en.wikipedia.org/wiki/Wagner%E2%80%93Fischer_algorithm- https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch18.pdf- https://eprint.iacr.org/2019/1161- QRAM: https://arxiv.org/abs/2305.10310- https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%93Lov%C3%A1sz_lattice_basis_reduction_algorithm- MATZOV improved dual lattice attack: https://zenodo.org/records/6412487- https://eprint.iacr.org/2008/504.pdf- https://eprint.iacr.org/2023/302.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Signal rolled out post-quantum resilient protocol; Intercepting Jabber TLS; Same-origin policy debate; Secure message formats; E2EE challenges in browsers.

Returning champion Steve Weis discusses the origins of NIST curve parameter seeds, controversy surrounding NSA's curve selection, Jerry Solinas code, debate on using P-256 curve, mysterious story of missing seeds, NSA's backdooring of cryptography, speculation about OPM breach, and a funny story about encoded seeds.

The hosts discuss their summer vacation experiences and touch on topics like pixel attacks, 2G deprecation, and writing modem firmware. They explore vulnerabilities Zenbleed, Downfall, Spectre, and Meltdown, discussing technical details, risks, and potential exploitation. They also talk about software and firmware vulnerabilities, downgrade attacks, and crypto talks at conferences. The chapter covers lattice-based Kyber and dilithium schemes, the need to check old papers, and explore alternatives in cryptography. They discuss issues with authentic code, X-509, SSL slippery slope, and call for reviews.

What does P vs NP have to do with cryptography? Why do people love and laugh about the random oracle model? What's an oracle? What do you mean factoring and discrete log don't have proofs of hardness? How does any of this cryptography stuff work, anyway? We trapped Steve Weis into answering our many questions.Transcript: https://securitycryptographywhatever.com/2023/06/29/why-do-we-think-anything-is-secure-with-steve-weis/Links:- The Random Oracle Methodology, Revisited: https://eprint.iacr.org/1998/011.pdf- Factoring integers with CADO-NFS: https://www.ens-lyon.fr/LIP/AriC/wp-content/uploads/2015/03/JDetrey-tutorial.pdf- On One-way Functions from NP-Complete Problems: https://eprint.iacr.org/2021/513.pdf- Seny Kamara's lecture notes on provable security: https://cs.brown.edu/~seny/2950-v/2-provablesecurity.pdf- How To Simulate It – A Tutorial on the Simulation Proof Technique: https://eprint.iacr.org/2016/046.pdf- A Survey of Leakage-Resilient Cryptography: https://eprint.iacr.org/2019/302- A Decade of Lattice Cryptography: https://eprint.iacr.org/2015/939.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Are Twitter’s new encrypted DMs unreadable even if you put a gun to Elon’s head? We invited Matthew Garrett on to do a deep decompiled dive into what kind of cryptography actually shipped.Transcript: https://securitycryptographywhatever.com/2023/05/29/elons-encrypted-dms-with-matthew-garrett/Links:https://mjg59.dreamwidth.org/66791.htmlhttps://help.twitter.com/en/using-twitter/encrypted-direct-messageshttps://www.techdirt.com/2023/05/11/twitter-launches-not-actually-encrypted-encrypted-dms/BrokenKDF2BytesGenerator: https://github.com/bcgit/bc-java/blob/master/prov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java#L70Analysis from sweis: https://twitter.com/sweis/status/1657082478727933954?s=20https://signal.org/docs/specifications/x3dh/https://signal.org/docs/specifications/doubleratchet/https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-MessagesTrail of Bits has not audited nor signed a contract yet, per Platformer: https://www.platformer.news/p/why-you-cant-trust-twitters-encrypted"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

WhatsApp has announced they’re rolling out key transparency! Doing this at WhatsApp-scale (aka billions and biiillions of keys) is a significant task, so we talked to Jasleen Malvai and Kevin Lewi about how it works.Transcript: https://securitycryptographywhatever.com/2023/05/06/whatsapp-key-transparencyLinks: https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/https://github.com/facebook/akdParkeet: https://eprint.iacr.org/2023/081.pdfCONIKS: https://eprint.iacr.org/2014/1004.pdfSEEMless: https://eprint.iacr.org/2018/607.pdfWhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdfKeybase key transparency: https://book.keybase.io/docs/server"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Messaging Layer Security (MLS) 1.0 is (basically) here! We invited RaphaelRobert, coauthor of the MLS specification to explain it to us and answer our annoying questions (read: why does this exist?)Transcript:https://securitycryptographywhatever.com/2023/04/22/mls/Links:- https://messaginglayersecurity.rocks/- https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html- https://messaginglayersecurity.rocks/mls-architecture/draft-ietf-mls-architecture.html- https://github.com/openmls/openmls- https://eprint.iacr.org/2022/1533.pdf- https://eprint.iacr.org/2020/1327.pdf- https://eprint.iacr.org/2022/559.pdf- https://signal.org/docs/- https://en.wikipedia.org/wiki/Key_encapsulation_mechanism- https://twitter.com/beurdouche/status/1220617962182389760- https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#mls-ciphersuites- https://www.ietf.org/archive/id/draft-ietf-mls-federation-02.html- https://datatracker.ietf.org/wg/mimi/documents/- https://competition-policy.ec.europa.eu/dma/dma-workshops/interoperability-workshop_en- Yes in the protocol document this is 1.0: https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#section-6"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Real World Cryptography 2023 is happening any moment now in Tokyo. Also, some phone basebands are broken.Linkshttps://rwc.iacr.org/2023/https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.htmlTranscript: https://securitycryptographywhatever.com/2023/03/24/rwc-2023/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)