News from leading universities and research institutes in the Netherlands
www.research-plaza.nl

Researchers
• Daniel J. Bernstein, Eindhoven University of Technology, the Netherlands, and University of Illinois at Chicago, USA
• Tanja Lange, Eindhoven University of Technology, the Netherlands
• Peter Schwabe, Academia Sinica, Taiwan.

High-security and high-speed protection for computer networks

Securing communication

Internet and mobile communication has become a vital part of our lives in the past decade, but almost all of it is exposed to criminals. Researchers at the Eindhoven University of Technology have developed a new cryptographic library that is fast enough to allow universal deployment of high-security encryption.

We often assume that communication over the internet is just as secure as traditional forms of personal communication. We assume that we know who we are communicating with; we assume our conversations are private, that only the person we talk to can hear what we are saying; and we assume that what we are saying will reach the recipient without being modified.

The importance of these three aspects of security can be illustrated using a simple example of internet communication: buying and downloading a game from an online store. Users begin by accessing the online store, and want to be sure that they are in fact accessing the right website and not a look-alike that will take their money but not let them download the software. Users then submit their credit-card details or other banking information, and want to be sure that this information is protected from eavesdroppers who could misuse it. Users then download the purchased game, and want to be sure that they have the genuine product and not some kind of malware.

These essential requirements of communication over computer networks are ensured through cryptographic protection. Encryption is what provides communication with confidentiality, the assurance that transmitted information is only read by the recipient and not by an eavesdropper. Authentication of users and data is provided by message-authentication codes and digital signatures. The security of these functions relies on the fact that a legitimate user knows some secret information, a key unknown to attackers. If attackers somehow figure out this key, they can fully breach the system’s security.

The scientific literature contains well-studied cryptographic functions for encryption and authentication that are believed to be secure. Security in this context is not absolute; all cryptographic protection used for internet communication can be broken by a large enough effort. However, even all of the world’s supercomputers working together would take thousands of years or more to actually carry out the computations required to break a good cryptographic function.

For each of these functions there are various implementations in software, typically bundled into cryptographic libraries. Libraries are collections of software that can be used to integrate features into computer programs. The use of these established libraries in the development of programs that need cryptographic protection is now common best practice.

One might think that the security of network communication is now fully protected by well-established implementations of well-studied cryptographic functions. Unfortunately, quite the opposite is true, as demonstrated by frequent international news stories about new information-security disasters caused by failures of cryptography.

A new crypto library: NaCl

Researchers at the Eindhoven University of Technology are tackling these problems. Daniel J. Bernstein (also of the University of Illinois at Chicago, USA), Tanja Lange, and their former PhD student Peter Schwabe (now at the Academia Sinica, Taiwan) have identified the fundamental sources of security failures in existing cryptographic libraries. They have designed and implemented a new Networking and Cryptography library (NaCl, pronounced salt) that systematically avoids these failures.

Usability and selection of functions

A typical cryptographic library is a collection of many different functions and supports a plethora of parameter sets. It is left to the software developer to choose from these functions and parameters, and combine them in a way that offers the desired security. These choices come with various pitfalls, not only because most libraries still contain highly insecure functions for ‘historical’ or ‘compatibility’ reasons, but also because it is easy to combine secure functions in an insecure way.

The Eindhoven researchers have found that this level of complication is unnecessary for most applications. NaCl offers an easy-to-use high-level interface for exactly what applications need: secure authenticated encryption. The underlying functions and parameters are chosen by experts in cryptography, namely the NaCl designers.

High speed for high security

Almost all internet communication is unencrypted and unauthenticated, leaving it completely unprotected against attacks. One might wonder why any programmer would fail to protect communication if free cryptographic libraries are readily available. The reason is often simply that cryptography is too slow; keeping up with high network loads requires many expensive computers with high electricity and maintenance costs. Analogous problems apply to smartphones and tablets, which have smaller network loads but also much smaller central processing units (CPUs) and limited battery life.

Sometimes, rather than not deploying cryptographic protection at all, programmers react to performance problems by deploying low-security cryptography. Many cryptographic libraries allow trade-offs between security and performance. The Eindhoven researchers are world leaders in evaluating the security of cryptography; they have found that many cryptographic systems can be breached using the level of computer power that is readily available today to rogue governments, large companies and botnets, and that will soon be available to attackers with far fewer resources at their disposal.

As stated above, NaCl does not provide any low-security options; its choice of functions is very conservative. It nevertheless offers exceptionally high speed, keeping up with even very large network loads. The Eindhoven researchers selected the functions in NaCl with close attention to software performance, and developed highly optimized implementations of those functions for a broad spectrum of commonly used CPUs, ranging from powerful Intel server CPUs down to energy-efficient ARM smartphone CPUs. Their implementations hold various speed records published at international conferences (see box ‘What’s under the hood?’).

Functions and implementations

Imagine a computer program that reads two numbers x and y from the user, multiplies x by itself to obtain x², multiplies y by itself to obtain y², and subtracts the results to obtain x² – y². Now imagine a second computer program that reads two numbers x and y from the user, adds x to y to obtain x + y, subtracts y from x to obtain x – y, and multiplies the results to obtain x² – y².

These two pieces of software are two different implementations of the same mathematical function. The function produces x² – y², given x and y. The implementations compute this function in different ways, with different speeds: the first implementation uses two multiplications and a subtraction, while the second implementation uses one multiplication, one addition, and one subtraction.

Cryptography uses more complicated functions. Each function has a wide range of implementations, and those implementations vary dramatically in speed.

What’s under the hood?

The core of NaCl is public-key authenticated encryption, consisting of three components:
• the Curve25519 Diffie–Hellman key-exchange function, based on fast arithmetic on a strong elliptic curve, computes a secret shared between the sender and receiver, using the sender’s secret key and the receiver’s public key (or vice versa);
• the Salsa20 stream cipher, which has been recommended by ECRYPT after four years of extensive study in the eSTREAM project, encrypts a message using the shared secret; and
• the Poly1305 message-authentication code, a fast function that is information-theoretically secure if used together with a secure cipher, authenticates the encrypted message using the shared secret.

End-to-end two-party communication is not the only communication scenario that requires high-security cryptographic protection. NaCl also has a fourth component, the Ed25519 public-key signature system, for unforgeable and undeniable broadcast communication.

Side-channel security

Even when information-security systems use high-security cryptographic functions and use them in the right way, they may not steer clear of cryptographic failures. The reason is that a particular implementation of a secure function can be insecure.

Timing attacks are a powerful attack […]

Constant-time software means software whose running time does not depend on secret data. However, for many cryptographic functions this comes with huge performance penalties. This is why most cryptographic libraries are still vulnerable to timing attacks.

The NaCl designers carefully selected the functions […] without huge performance penalties. All implementations in NaCl are constant-time implementations; they are thus inherently protected against timing attacks.

Users

The researchers’ long-term aim is to […]
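The side-channel passage above distinguishes implementations whose running time depends on secret data from constant-time ones; the following C sketch is an added example (not code from NaCl or from the article) that shows the difference for the comparison of a 16-byte authenticator. The function names, the step counter standing in for a timing measurement, and the constructed tag bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TAG_LEN 16   /* a Poly1305 authenticator is 16 bytes long */
typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t);
static size_t steps; /* demo instrumentation: loop iterations of last call */

/* Leaky: returns at the first differing byte, so work depends on the data. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time: always processes all n bytes; no branch depends on data. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    steps = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return (int)(1 & (((uint32_t)diff - 1) >> 8)); /* 1 iff diff == 0 */
}

/* Corrupt one byte of a constructed tag at each position in turn and return
   max - min of the work done; 0 means the position does not leak. */
size_t work_spread(cmp_fn cmp) {
    uint8_t tag[TAG_LEN], guess[TAG_LEN];
    size_t lo = (size_t)-1, hi = 0;
    for (size_t i = 0; i < TAG_LEN; i++) tag[i] = (uint8_t)(0xA0 + i);
    for (size_t pos = 0; pos < TAG_LEN; pos++) {
        memcpy(guess, tag, TAG_LEN);
        guess[pos] ^= 0xFF;
        cmp(tag, guess, TAG_LEN);
        if (steps < lo) lo = steps;
        if (steps > hi) hi = steps;
    }
    return hi - lo;
}

int main(void) {
    printf("leaky=%zu ct=%zu\n", work_spread(leaky_equal), work_spread(ct_equal));
    return 0;
}
```

The step counter only makes the data dependence visible; in a real build the property has to hold for the compiled machine code, since a compiler may restructure the loop.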