D. J. Bernstein

Talks

Reverse chronological order. Some statistics:


2024.10.11 10:30 Hillsboro time 30 min invited lecture online researchers
[horizontal PDF slides] Intel Crypto Frontiers Workshop. "PQSRC highlights."

2024.09.19 90 min invited lecture online researchers
[horizontal PDF slides] [Ogg audio] Private seminar. "Understanding patent incentives."

2024.09.17 10:00 D.C. time 60 min invited lecture online researchers
[horizontal PDF slides] NIST PQC Seminar. "Classic McEliece: conservative code-based cryptography."

2024.09.09 90 min invited lecture online researchers
[horizontal PDF slides] Private seminar. "eBACS: ECRYPT Benchmarking of Cryptographic Systems."

2024.07.22 60 min invited lecture online researchers
[horizontal PDF slides] Private seminar. "Cryptographic code snippets."

2024.07.18 16:10 Seoul time 60 min invited lecture online researchers
[horizontal PDF slides] KpqC Workshop. "Software analysis of the KpqC candidates."

2024.07.17 13:45 Chengdu time 115 min invited lecture online students
[horizontal PDF slides] 1st Post-Quantum Cryptography Summer School in Universities, South-West China, 2024. "The McEliece cryptosystem."

2024.06.24 10:00 Szczecin time 60 min invited lecture online researchers
[horizontal PDF slides] NuTMiC 2024: Number-Theoretic Methods in Cryptology. "Slow-boiled frogs." Abstract:
In 2013, I introduced a name for cryptography that simply works, solidly resists attacks, and never needs any upgrades: I called it boring cryptography. This talk is about the opposite extreme, which is called lattice-based cryptography. I'll talk about some general context and some number-theoretic issues that appear in the area.

2024.05.10 16:00 Seoul time 90 min invited lecture online researchers
[horizontal PDF slides] KpqC seminar. "Algorithms for attacking lattices."

2024.01.11 30 min invited lecture online researchers
[horizontal PDF slides] Private seminar. "Post-quantum cryptography for developers."

2023.10.25 14:30 Taipei time 60 min invited lecture online researchers
[horizontal PDF slides] Quantum Safe Migration Center. "Migrating to the McEliece cryptosystem."

2023.10.06 15:10 Hillsboro time 30 min invited lecture online researchers
[horizontal PDF slides] Intel Crypto Frontiers Workshop. "McEliece verification."

2023.07.11 09:20 20 min invited lecture Netherlands researchers
[horizontal PDF slides] Machine-Checked Mathematics. Lorentz Center, Universiteit Leiden. "Formal proofs in applied cryptography."

2023.06.15 15:00 DC time 60 min invited lecture online researchers
[horizontal PDF slides] Seminar, Federal Reserve TechLab. "Post-quantum cryptography: risk assessment."

2023.02.01 11:00 Bangkok time 90 min invited lecture online students
[horizontal PDF slides] IACR School on Applied Cryptography, Chulalongkorn University, Bangkok, Thailand. "Hash-based signatures."

2022.12.29 20:00 Berlin time 40 min refereed lecture online researchers
[horizontal PDF slides] FireShonks 2022. "Post-quantum cryptography: detours, delays, and disasters." Talk given jointly with Tanja Lange.

2022.12.14 15:20 Kolkata time 25 min refereed lecture online researchers
[vertical PDF slides] [horizontal PDF slides] Indocrypt 2022. TCG-CREST, Kolkata, India. "A one-time single-bit fault leaks all previous NTRU-HRSS session keys to a chosen-ciphertext attack."

2022.11.10 17:00 Berlin time 90 min invited lecture online researchers
[horizontal PDF slides] Seminar, Präsidiumsarbeitskreis "Datenschutz und IT-Sicherheit" der Gesellschaft für Informatik, Germany. "NSA's influence on cryptographic standards."

2022.08.25 09:40 Tampa time 40 min invited lecture online researchers
[horizontal PDF slides] USF-QSancus Workshop on Post-Quantum Cryptography. USF Research Foundation, Tampa, Florida, USA. "Introduction to post-quantum cryptography." Talk given jointly with Tanja Lange.

2022.08.20 10:10 Taipei time 45 min invited lecture online researchers
[horizontal PDF slides] HITCON 2022: Hacks in Taiwan Conference 2022. Nangang Exhibition Center, Taipei, Taiwan. "Post-quantum cryptography: detours, delays, and disasters." Talk given jointly with Tanja Lange.

2022.08.12 15:00 Bristol time 30 min refereed lecture online researchers
[vertical PDF slides] [horizontal PDF slides] [video] Algorithmic Number Theory Symposium (ANTS) XV. University of Bristol, England. "Fast norm computation in smooth-degree Abelian number fields."

2022.07.12 13:30 Taiwan time 75 min invited lecture online students
[vertical PDF slides] [horizontal PDF slides] Post-Quantum Crypto Minischool. Academia Sinica, Taiwan. "Lattice-based cryptography, part 2: efficiency."

2022.07.12 10:45 Taiwan time 75 min invited lecture online students
[vertical PDF slides] [horizontal PDF slides] Post-Quantum Crypto Minischool. Academia Sinica, Taiwan. "Lattice-based cryptography, part 1: simplicity."

2022.04.01 15:30 60 min invited lecture Taiwan students
[horizontal PDF slides] Class talk, National Taiwan University. "Hash-based signatures I: hash functions and one-time signatures."

2022.04.01 13:00 120 min invited lecture Taiwan students
[horizontal PDF slides] EECS International Distinguished Lecture Series, National Taiwan University. "The transition to post-quantum cryptography." Talk given jointly with Tanja Lange.

2022.01.14 14:35 25 min invited lecture Taiwan researchers
[PDF slides] Post-Quantum Cryptography Forum. National Taipei University of Technology. "U.S. activities in post-quantum cryptography."

2022.01.14 10:50 40 min invited lecture Taiwan researchers
[PDF slides] Post-Quantum Cryptography Forum. National Taipei University of Technology. "Lattice KEMs, the round-3 candidates: NTRU, NTRU Prime, SABER, Kyber, Frodo."

2021.12.12 14:30 Jaipur time 150 min invited lecture online students
[vertical PDF slides] [horizontal PDF slides] [video] Tutorial session; INDOCRYPT 2021. "Quantum cryptanalysis."

2021.11.26 14:55 45 min invited lecture Taiwan researchers
[horizontal PDF slides] HITCON 2021: Hacks in Taiwan Conference 2021. Academia Sinica, Taipei. "Fast verified post-quantum software."

2021.09.03 11:00 Eastern time 30 min invited lecture online researchers
[horizontal PDF slides] ICMC 2021: International Cryptographic Module Conference. "Fast verified post-quantum software." Abstract:

Cryptographic performance pressure produces many different cryptographic specifications, and a much larger number of pieces of software trying to make those cryptographic functions run quickly in various environments. The pre-quantum software ecosystem is already large and complicated but the post-quantum software ecosystem is rapidly shaping up to be much more complicated. We’ve already seen the post-quantum optimization process producing disastrous mistakes that weren’t caught by tests, and at this point we have only a limited understanding of what further mistakes to expect.

Fortunately, there are tools to verify that optimizations work for all possible inputs, and there are some cases where these tools have been successfully applied to post-quantum software. This talk will look at what these tools mean for the post-quantum software engineer.


2021.08.20 13:20 Eastern time 60 min invited lecture online researchers
[horizontal PDF slides] [video] Plenary talk. SIAM Conference on Applied Algebraic Geometry 2021. "S-unit attacks." Abstract:
Within post-quantum cryptography, lattice-based cryptography has attracted attention for its efficiency. Typical proposals for lattice-based encryption systems fit public keys and ciphertexts into only about 1KB, and take very little CPU time. This efficiency relies on using systems built from algebraic number fields. The most common choices are cyclotomic number fields, such as the smallest field containing the complex number ζ=exp(πi/512), a 512th root of −1.

Lattice-based cryptosystems are frequently claimed to have proofs of security assuming the "worst-case" hardness of certain lattice problems. For a cyclotomic lattice system, the problem is to find a short nonzero element of I, given a nonzero ideal I of the smallest ring containing ζ. The conjecture that this problem is hard is frequently claimed to be well studied. However, the problem has in fact suffered dramatic security losses.

This talk will introduce the audience to recent advances in algorithms to solve this problem, with an emphasis on techniques to exploit multiplicative structure in general, automorphisms in the Galois case, extra subfields when they exist, and additional features of cyclotomic fields. The audience is not assumed to be familiar with algebraic number theory.


2021.06.09 10:50 D.C. time 15 min refereed lecture online researchers
[horizontal PDF slides] [video] Third PQC Standardization Conference. "Fast verified post-quantum software, part 1: RAM subroutines." [white paper]

2021.06.08 15:25 D.C. time 15 min invited lecture online researchers
[horizontal PDF slides] [video] Third PQC Standardization Conference. "NTRU Prime: round-3 updates."

2021.05.14 14:20 75 min invited lecture Taiwan students
[horizontal PDF slides] Class talk, National Taiwan University. "Hash-based signatures I: hash functions and one-time signatures."

2021.01.15 11:00 D.C. time 60 min invited lecture online researchers
[vertical PDF slides] [horizontal PDF slides] [video] NIST 3rd Round Seminar Series. "Valuations and S-units." Abstract:

This talk reviews a standard infinite-dimensional number-theoretic lattice that simultaneously shows how large numbers are and how they factor. The ability to decode this lattice in some surprisingly large cases plays a critical role in a new wave of attacks against ideal-lattice problems. This talk will focus on defining the lattice, with many examples to illustrate.

This is an introductory talk aimed at a broad audience. Prerequisites: mathematics education up to and including a course in undergraduate abstract algebra (commutative rings and fields).


2020.10.07 14:00 EDT 5 min refereed lecture online researchers
[horizontal PDF slides] [video] Virtual Workshop on Considerations in Migrating to Post-Quantum Cryptographic Algorithms. "OpenSSLNTRU: experiences integrating a post-quantum KEM into TLS 1.3 via an OpenSSL ENGINE."

2020.10.07 16:00 Taipei time 30 min contributed lecture online researchers
[vertical PDF slides] [horizontal PDF slides] Post-Quantum Cryptography for Embedded Systems. "Constant-time square-and-multiply."

2020.10.04 03:00 Taipei time 90 min invited lecture online researchers
[horizontal PDF slides] [video] Post-Quantum Cryptography for Embedded Systems. "Does cryptographic software work correctly?"

2020.09.12 16:20 50 min invited lecture Taiwan researchers
[horizontal PDF slides] HITCON 2020: Hacks in Taiwan Conference 2020. Academia Sinica, Taipei. "Post-quantum cryptography." Talk given jointly with Tanja Lange.

2020.08.13 12:30 PDT 15 min refereed lecture online researchers
[horizontal PDF slides] [video] USENIX Security Symposium 2020. "McTiny: fast high-confidence post-quantum key erasure for tiny network servers." Talk given jointly with Tanja Lange.

2020.07.21 16:10 55 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 2: efficiency." Part 2.

2020.07.21 13:55 60 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 2: efficiency." Part 1.

2020.07.20 16:10 55 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 1: simplicity." Part 2.

2020.07.20 13:55 60 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Academia Sinica, Taipei. "Lattice-based cryptography, day 1: simplicity." Part 1.

2020.07.06 03:05 55 min invited lecture online researchers
[vertical PDF slides] [horizontal PDF slides] Workshop on the Mathematics of Post-Quantum Crypto. "Exploring the parameter space in lattice attacks." Talk given jointly with Tanja Lange.

2020.02.19 14:45 45 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Lattices: Geometry, Algorithms and Hardness. Simons Institute for the Theory of Computing. "Challenges in evaluating costs of known lattice attacks." Talk given jointly with Tanja Lange.

2020.02.06 16:30 60 min invited lecture Germany researchers
[horizontal PDF slides] Security Network Munich, Talking Heads. Giesecke + Devrient. "Crypto horror stories." Talk given jointly with Tanja Lange.

2020.01.30 09:30 60 min invited lecture USA researchers
[horizontal PDF slides] The Quantum Wave in Computing Boot Camp. Simons Institute for the Theory of Computing. "Post-quantum cryptography."

2020.01.20 17:30 30 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Symmetric cryptography. Schloss Dagstuhl. "Speed, speed, speed."

2019.12.29 17:30 60 min refereed lecture Germany researchers
[horizontal PDF slides] 36C3: 36th Chaos Communication Congress. Congress Center Leipzig. "High-assurance crypto software." Talk given jointly with Tanja Lange.

2019.11.27 13:00 60 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] CASA Distinguished Lecture, Ruhr-University Bochum. "Sorting integer arrays: security, speed, and verification." Abstract:

This talk will explain (1) the security concept of "constant-time" software; (2) how to build constant-time software to sort arrays of integers; (3) how to make constant-time sorting software run so quickly that it beats Intel's "Integrated Performance Primitives" library; and (4) how to automatically verify that the resulting software works correctly for all possible inputs.


2019.10.15 11:15 30 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Quantum Cryptanalysis. Schloss Dagstuhl. "Challenges in evaluating costs of known lattice attacks."

2019.10.03 10:45 105 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "Symmetric crypto, part 2."

2019.10.01 14:30 45 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "Introduction to symmetric crypto."

2019.09.23 14:00 15 min contributed lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] SHARD: Bridging the Gap Between Software and Hardware Security. Lorentz Center, Leiden University. "Is branch prediction important for performance?"

2019.08.24 14:00 15 min invited lecture USA researchers
[horizontal PDF slides] Second PQC Standardization Conference. University of California at Santa Barbara. "NTRU Prime: round 2."

2019.08.23 14:45 20 min refereed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Second PQC Standardization Conference. University of California at Santa Barbara. "Comparing proofs of security for lattice-based encryption."

2019.08.23 11:35 20 min refereed lecture USA researchers
[horizontal PDF slides] Second PQC Standardization Conference. University of California at Santa Barbara. "Visualizing size-security tradeoffs for lattice-based encryption."

2019.07.15 09:15 60 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] MWCC 2019: Munich Workshop on Coding and Cryptography. Technical University of Munich. "McTiny: McEliece for tiny network servers." Talk given jointly with Tanja Lange.

2019.07.10 11:00 25 min invited lecture Switzerland researchers
[vertical PDF slides] [horizontal PDF slides] Minisymposium on Isogenies in Cryptography. SIAM Conference on Applied Algebraic Geometry 2019. University of Bern. "Quantum attacks against isogenies."

2019.07.01 14:00 45 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Executive School on Post-Quantum Cryptography 2019. Technische Universiteit Eindhoven. "Quantum algorithms II."

2019.07.01 11:45 45 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Executive School on Post-Quantum Cryptography 2019. Technische Universiteit Eindhoven. "Quantum algorithms I."

2019.06.14 09:00 90 min invited lecture Colombia students
[vertical PDF slides] [horizontal PDF slides] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Cryptographic software engineering, part 2."

2019.06.13 15:30 90 min invited lecture Colombia students
[vertical PDF slides] [horizontal PDF slides] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Cryptographic software engineering, part 1."

2019.06.11 11:00 90 min invited lecture Colombia students
[vertical PDF slides] [horizontal PDF slides] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "What do quantum computers do?"

2019.06.10 11:00 90 min invited lecture Colombia students
[horizontal PDF slides] Crypto-CO: Summer School on Cryptography. Universidad Nacional de Colombia, Medellin. "Post-quantum cryptography." Keynote talk given jointly with Tanja Lange.

2019.05.21 14:40 25 min refereed lecture Germany researchers
[horizontal PDF slides] Eurocrypt 2019. Darmstadtium, Darmstadt. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies."

2019.05.18 09:00 60 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] CBC 2019: 7th Code-Based Cryptography Workshop. Technische Universität Darmstadt. "McTiny: McEliece for tiny network servers."

2019.05.16 10:15 30 min invited lecture Canada researchers
[horizontal PDF slides] ICMC 2019: International Cryptographic Module Conference. JW Marriott Parq Vancouver. "Does open-source cryptographic software work correctly?"

2019.02.22 17:00 60 min invited lecture England public
[horizontal PDF slides] King's College Alan Turing Lecture. University of Cambridge. "Post-quantum cryptography."

2019.02.05 10:00 60 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Workshop on quantum algorithms for analysis of public-key crypto. American Institute of Mathematics, San Jose. "Quantum walks."

2018.12.28 23:30 60 min refereed lecture Germany researchers
[horizontal PDF slides] [Ogg audio] [video] 35C3: 35th Chaos Communication Congress. Congress Center Leipzig. "The year in post-quantum crypto." Talk given jointly with Tanja Lange.

2018.12.14 11:00 90 min invited lecture Australia public
[horizontal PDF slides] Seminar, Optus Macquarie University Cyber Security Hub. "Quantum computers: the future attack that breaks today's messages." Talk given jointly with Tanja Lange.

2018.12.04 21:00 5 min contributed lecture Australia researchers
Asiacrypt 2018. Queensland University of Technology, Brisbane. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies."

2018.11.20 19:32 3 min contributed lecture Japan researchers
[horizontal PDF slides] ECC 2018: Elliptic-Curve Cryptography. Osaka. "Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies."

2018.11.16 13:30 120 min invited lecture South Korea students
[vertical PDF slides] [horizontal PDF slides] Future Crypto Workshop 2018. Seoul National University. "Lattice-based public-key cryptosystems."

2018.11.15 14:00 90 min invited lecture South Korea researchers
[vertical PDF slides] [horizontal PDF slides] Future Crypto Workshop 2018. Ramada Hotel Seoul. "Can cryptographic software be fixed?"

2018.09.27 17:00 60 min invited lecture Greece students
[horizontal PDF slides] NIS Summer School 2018. Galaxy Hotel, Heraklion. "The libpqcrypto software library for post-quantum cryptography."

2018.09.26 15:30 45 min invited lecture Greece students
[vertical PDF slides] [horizontal PDF slides] NIS Summer School 2018. Galaxy Hotel, Heraklion. "What do quantum computers do?"

2018.09.18 13:30 105 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "Examples of symmetric primitives."

2018.08.18 16:00 60 min invited lecture USA researchers
[horizontal PDF slides] WAC: Workshop on Attacks in Cryptography. University of California at Santa Barbara. "Cryptanalysis of NISTPQC submissions." Talk given jointly with Tanja Lange and Lorenz Panny.

2018.08.14 15:30 75 min invited lecture Canada students
[vertical PDF slides] [horizontal PDF slides] S3 2018: SAC Summer School. University of Calgary. "Cryptographic software engineering, part 2."

2018.08.14 13:45 75 min invited lecture Canada students
[vertical PDF slides] [horizontal PDF slides] S3 2018: SAC Summer School. University of Calgary. "Cryptographic software engineering, part 1."

2018.07.19 17:15 5 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] ANTS 2018. University of Wisconsin at Madison. "Generating random primes faster."

2018.07.11 14:00 60 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Colloquium, Informatics Institute, University of Amsterdam. "Sorting integer arrays: security, speed, and verification." Abstract:

This talk will explain (1) the security concept of "constant-time" software; (2) how to build constant-time software to sort arrays of integers; (3) how to make constant-time sorting software run so quickly that it beats Intel's "Integrated Performance Primitives" library; and (4) how to automatically verify that the resulting software works correctly for all possible inputs.


2018.06.29 16:45 45 min invited lecture Taiwan researchers
[horizontal PDF slides] Post-Quantum Cryptography Forum Workshop. Institute for Information Science, Academia Sinica, Taipei. "NTRU Prime." Talk given jointly with Tanja Lange.

2018.06.27 16:40 65 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Institute for Information Science, Academia Sinica, Taipei. "Lattice-based public-key cryptosystems, part 2."

2018.06.27 13:55 75 min invited lecture Taiwan students
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO Mini-School. Institute for Information Science, Academia Sinica, Taipei. "Lattice-based public-key cryptosystems, part 1."

2018.06.21 10:00 60 min invited lecture France researchers
[vertical PDF slides] [horizontal PDF slides] CAEN 2018: Cryptographie et théorie AlgorithmiquE des Nombres. Université de Caen Normandie. "Algorithms for multiquadratic number fields."

2018.05.09 14:15 30 min invited lecture Canada researchers
[horizontal PDF slides] ICMC 2018: International Cryptographic Module Conference. Shaw Centre, Ottawa. "The libpqcrypto software library for post-quantum cryptography."

2018.05.01 3 min contributed lecture Israel researchers
[horizontal PDF slides] Eurocrypt 2018. Hotel Dan Panorama, Tel Aviv. "libpqcrypto."

2018.04.29 15:50 50 min invited lecture Israel researchers
[vertical PDF slides] [horizontal PDF slides] Lightweight Crypto Day. Hotel Dan Panorama, Tel Aviv. "Small cryptographic bytecode."

2018.04.11 15:05 15 min contributed lecture USA researchers
[horizontal PDF slides] First PQC Standardization Conference. Pier 66 Hotel, Fort Lauderdale. "Post-quantum RSA."

2018.04.11 10:55 25 min refereed lecture USA researchers
[horizontal PDF slides] PQCrypto 2018. Pier 66 Hotel, Fort Lauderdale. "Asymptotically faster quantum algorithms to solve multivariate quadratic equations."

2018.04.10 17:15 3 min contributed lecture USA researchers
[horizontal PDF slides] PQCrypto 2018. Pier 66 Hotel, Fort Lauderdale. "libpqcrypto."

2018.03.05 20:30 7 min contributed lecture Belgium researchers
[horizontal PDF slides] FSE 2018. Oud Sint-Jan, Bruges. "Announcement of the CAESAR finalists."

2018.02.01 15:45 45 min invited lecture Spain researchers
[vertical PDF slides] [horizontal PDF slides] Combined event on post-quantum cryptography. Hotel Jardin Tropical, Costa Adeje, Tenerife. "Classic McEliece: conservative code-based cryptography."

2018.01.12 11:35 25 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "Better proofs for rekeying."

2017.12.28 22:15 60 min refereed lecture Germany researchers
[horizontal PDF slides] 34C3: 34th Chaos Communication Congress. Congress Center Leipzig. "LatticeHacks: Fun with lattices in cryptography and cryptanalysis." Talk given jointly with Nadia Heninger and Tanja Lange.

2017.11.23 13:45 105 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "The DNS security mess."

2017.10.11 11:30 90 min invited lecture Greece students
[vertical PDF slides] [horizontal PDF slides] ECRYPT-NET School on Correct and Secure Implementation. Porto Platanias, Chaniá, Crete. "Cryptographic software engineering, part 2."

2017.10.09 14:00 90 min invited lecture Greece students
[vertical PDF slides] [horizontal PDF slides] ECRYPT-NET School on Correct and Secure Implementation. Porto Platanias, Chaniá, Crete. "Cryptographic software engineering, part 1."

2017.10.03 09:00 50 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Quantum Cryptanalysis. Schloss Dagstuhl. "Challenges in quantum algorithms for integer factorization."

2017.09.20 19:00 3 min contributed lecture Cuba researchers
[horizontal PDF slides] Latincrypt 2017. Universidad de la Habana. "Quantum computing: a new record."

2017.09.19 14:00 90 min contributed lecture Cuba students
ASCrypto 2017: Fourth Advanced School on Cryptology and Information Security in Latin America. Universidad de la Habana. "Internet integration: the DNS security mess, part 2."

2017.09.18 09:00 90 min contributed lecture Cuba students
[vertical PDF slides] [horizontal PDF slides] ASCrypto 2017: Fourth Advanced School on Cryptology and Information Security in Latin America. Universidad de la Habana. "Internet integration: the DNS security mess, part 1." Slides are for both part 1 and part 2.

2017.08.15 11:00 75 min invited lecture Canada students
[vertical PDF slides] [horizontal PDF slides] S3 2017: SAC Summer School. University of Ottawa. "Public-key cryptography, part II: factorization."

2017.07.31 15:00 25 min invited lecture USA researchers
[horizontal PDF slides] Minisymposium on Applications of Computational Algebraic Geometry to Cryptology. SIAM Conference on Applied Algebraic Geometry 2017. Georgia Institute of Technology, Atlanta. "Short generators without quantum computers: the case of multiquadratics."

2017.07.20 16:30 15 min invited lecture USA public
[vertical PDF slides] [horizontal PDF slides] Panelist at Open Meeting of the Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing of the National Academies of Sciences, Engineering, and Medicine. Stanford University. "Cryptographic readiness levels, and the impact of quantum computers."

2017.07.11 15:30 50 min invited lecture Spain researchers
[horizontal PDF slides] FoCM 2017: Foundations of Computational Mathematics. Universitat de Barcelona. "Short generators without quantum computers: the case of multiquadratics."

2017.06.27 15:15 25 min refereed lecture Netherlands researchers
[horizontal PDF slides] PQCrypto 2017: Eighth International Conference on Post-Quantum Cryptography. Domstad, Utrecht. "Post-quantum RSA."

2017.06.23 15:05 90 min invited lecture Netherlands public
[vertical PDF slides] [horizontal PDF slides] Executive School on Post-Quantum Cryptography 2017. Technische Universiteit Eindhoven. "Quantum algorithms."

2017.06.22 13:30 30 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Summer School on Post-Quantum Cryptography 2017. Technische Universiteit Eindhoven. "Lattice-based cryptography: Episode V: the ring strikes back."

2017.06.07 09:30 50 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Workshop on Hardware Benchmarking 2017. Beckmann's Hof, Ruhr University Bochum. "How cryptographic benchmarking goes wrong."

2017.05.29 12:15 45 min invited lecture Netherlands public
[horizontal PDF slides] Security in Times of Surveillance. Eindhoven Institute for Protection of Systems and Information. "Thomas Jefferson and Apple versus the FBI."

2017.05.19 13:40 40 min invited lecture USA public
[horizontal PDF slides] International Cryptographic Module Conference 2017. Westin Arlington Gateway, Washington, DC. "Thomas Jefferson and Apple versus the FBI."

2017.05.02 22:07 3 min contributed lecture France researchers
[horizontal PDF slides] Eurocrypt 2017. Maison de la Mutualité, Paris. "Countering quantum FUD."

2017.03.07 16:57 3 min contributed lecture Japan researchers
[horizontal PDF slides] FSE 2017: 24th International Conference on Fast Software Encryption. Tokyo International Forum. "Challenges in Authenticated Encryption."

2016.12.16 14:00 45 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Cryptography Working Group. Kargadoor, Utrecht. "Standardization for the black hat."

2016.12.08 13:45 105 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "The DNS security mess."

2016.12.02 14:00 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 6."

2016.12.01 15:30 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 5."

2016.11.30 15:30 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 4."

2016.11.30 14:00 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 3."

2016.11.29 15:30 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 2."

2016.11.28 15:30 60 min invited lecture Vietnam students
[vertical PDF slides] [horizontal PDF slides] IACR-SEAMS school "Cryptography: foundations and new directions". Vietnam Institute for Advanced Study in Mathematics, Hanoi. "High-speed cryptography, part 1."

2016.11.16 14:00 45 min invited lecture Germany researchers
[horizontal PDF slides] Escar Europe 2016: Embedded Security in Cars. München Marriott Hotel. "Long-term security for cars." Talk given jointly with Tanja Lange.

2016.11.15 14:00 60 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Colloquium, CYSEC, Technische Universität Darmstadt. "Usable verification of fast cryptographic software." Abstract:

The pursuit of performance has produced a tremendous volume of critical cryptographic software. Many different cryptographic algorithms are in widespread use, with many more implementations tuned for speed on different platforms.

A tiny bug anywhere in this code base can have disastrous consequences for security. For example, Brumley, Barbosa, Page, and Vercauteren exploited a miniscule carry bug in the commonly used OpenSSL cryptographic library to steal an SSL server's entire private key, allowing easy interception and forgery of user data.

Standard software-testing techniques catch many bugs but did not catch further OpenSSL carry bugs announced in January 2015 and December 2015. Expert audits caught these bugs but certainly have not caught all bugs: auditing is far too time-consuming to scale to the entire cryptographic code base, never mind the question of whether the auditing is reliable.

This talk will present a successful example of a new strategy to integrate highly automated proofs of correctness into real-world cryptographic software engineering. This is joint work with Peter Schwabe.


2016.11.02 13:30 60 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] HighLight: High-Security Lightweight Cryptography. Lorentz Center, Leiden. "Engineering cryptographic software."

2016.10.19 15:30 60 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] SPEED-B: Software performance enhancement for encryption and decryption, and benchmarking. BCN Utrecht. "Benchmarking benchmarking, and optimizing optimization."

2016.08.18 21:12 3 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] CHES 2016: Cryptographic Hardware and Embedded Systems. "The inverse Faraday challenge."

2016.07.19 14:00 60 min invited lecture Norway researchers
[vertical PDF slides] [horizontal PDF slides] ArcticCrypt 2016. Radisson Blu Hotel Spitsbergen. "NTRU Prime."

2016.06.28 13:30 30 min contributed lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] PQCRYPTO mini-workshop. Vergaderruimte Utrecht. "The post-quantum Internet."

2016.06.23 10:15 45 min invited lecture Netherlands researchers
[horizontal PDF slides] Black Hat Sessions Part XIV. Hotel en Congrescentrum De Reehorst, Ede. "Crypto horror stories." Keynote lecture.

2016.06.10 11:30 60 min invited lecture Croatia students
[vertical PDF slides] [horizontal PDF slides] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "The DNS security mess."

2016.05.08 13:15 25 min invited lecture Austria researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] [video] [video at youtube.com] A Workshop About Cryptographic Standards. Aula der Wissenschaften, Vienna. "Standardization for the black hat."

2016.04.16 20:00 60 min invited lecture Denmark public
[horizontal PDF slides] [video] [video on youtube.com] Science and Cocktails. Byens Lys, Christiania. "You thought your communication was secure? Quantum computers are coming!" Talk given jointly with Tanja Lange.

2016.03.09 12:00 60 min invited lecture Taiwan researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] PKC 2016: 19th International Conference on Practice and Theory in Public-Key Cryptography. "The first 10 years of Curve25519."

2016.02.24 11:30 60 min invited lecture Japan researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] PQCrypto 2016. "The post-quantum Internet."

2016.02.18 16:15 15 min invited lecture Netherlands students
[horizontal PDF slides] Department Dialogue, Technische Universiteit Eindhoven. "Next-generation elliptic-curve cryptography (ECC)."

2016.01.15 11:00 30 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "Some challenges in heavyweight cipher design."

2015.12.27 23:00 60 min refereed lecture Germany researchers
[horizontal PDF slides] 32C3: 32nd Chaos Communication Congress. Congress Center Hamburg. "PQCHacks: a gentle introduction to post-quantum cryptography." Talk given jointly with Tanja Lange. Abstract:

Last year your friend Karen joined the alternative music scene and sent you a sound track. The government is recording everything, and this year announced that alternative music is a gateway drug to terrorism (see www.theguardian.com/australia-news/2015/sep/25/radicalisation-kit-links-activism-and-alternative-music-scene-to-extremism). Fortunately, Karen encrypted the email.

Fast forward to 2035. Stasi 2.0 has risen to power, and has decided that, to protect society, anyone who has ever been exposed to alternative music will be sent to a "better place". They still have a copy of Karen's ciphertext. And here's the really bad news: they've just finished building a billion-qubit quantum computer.

Back in 2015, large general-purpose quantum computers haven't been built yet, but the consensus is that they will be built, and that they will allow well-funded attackers to retroactively break practically all of today's deployed public-key cryptography. RSA will be dead. ECC will be dead. DSA will be dead. "Perfect forward secrecy", despite its name, won't help.

Fortunately, there are replacement public-key cryptosystems that have held up very well against analysis of possible attacks, including future quantum attacks. This talk will take a hands-on look at the two examples with the longest track records: namely, hash-based signatures (Merkle trees) and code-based encryption (McEliece).


2015.12.17 13:45 105 min invited lecture Netherlands students
[vertical PDF slides] [horizontal PDF slides] Class talk, Technische Universiteit Eindhoven. "The DNS security mess."

2015.12.15 17:30 20 min contributed lecture Japan researchers
[horizontal PDF slides] SSR 2015: Security Standardisation Research. Internet Initiative Japan, Tokyo. "Failures in NIST's ECC standards." Talk given jointly with Tanja Lange.

2015.12.15 15:15 30 min refereed lecture Japan researchers
[vertical PDF slides] [horizontal PDF slides] SSR 2015: Security Standardisation Research. Internet Initiative Japan, Tokyo. "How to manipulate curve standards: a white paper for the black hat." Talk given jointly with Tanja Lange.

2015.10.05 09:30 60 min invited lecture India researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] SPACE 2015. Malaviya National Institute of Technology, Jaipur. "Boring crypto."

2015.09.08 10:15 30 min invited lecture Germany researchers
Quantum Cryptanalysis. Schloss Dagstuhl. "Trapdoor simulation of quantum algorithms."

2015.08.25 16:30 30 min refereed lecture Mexico researchers
[vertical PDF slides] [horizontal PDF slides] LatinCrypt 2015. Hotel De Mendoza, Guadalajara. "Twisted Hessian curves."

2015.08.06 11:00 25 min invited lecture South Korea researchers
[vertical PDF slides] [horizontal PDF slides] Minisymposium on Coding Theory and Cryptography. SIAM Conference on Applied Algebraic Geometry 2015. National Institute for Mathematical Sciences, Daejeon. "Computational algebraic number theory tackles lattice-based cryptography."

2015.07.22 14:15 30 min invited lecture Czech Republic researchers
[PDF slides] Crypto Forum Research Group, IETF 93. Hilton Prague. "EdDSA for more curves."

2015.07.09 17:40 40 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Hyper-and-elliptic-curve cryptography."

2015.06.11 15:10 20 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Workshop on ECC Standards. National Institute of Standards and Technology, Gaithersburg. "Simplicity."

2015.06.05 14:30 60 min invited lecture Croatia students
[vertical PDF slides] [horizontal PDF slides] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "Advanced code-based cryptography."

2015.06.02 16:00 90 min invited lecture Croatia students
[vertical PDF slides] [horizontal PDF slides] Summer school on real-world crypto and privacy. Hotel Ivan, Šibenik. "Introduction to quantum algorithms and introduction to code-based cryptography."

2015.05.08 15:30 30 min invited lecture Netherlands public
[vertical PDF slides] [horizontal PDF slides] Security in Times of Surveillance. Eindhoven Institute for the Protection of Systems and Information. "How to manipulate standards."

2015.04.26 09:30 40 min invited lecture Bulgaria researchers
[vertical PDF slides] [horizontal PDF slides] CryptoAction WG4 Meeting on Authenticated Encryption. Sofia Hotel Balkan. "Goals of authenticated encryption."

2015.04.22 09:00 45 min invited lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Mathematics of Lattices and Cybersecurity. Institute for Computational and Experimental Research in Mathematics, Brown University. "Computational algebraic number theory tackles lattice-based cryptography."

2015.04.16 16:30 90 min invited lecture England researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] ETAPS 2015: European Joint Conferences on Theory and Practice of Software. Queen Mary University of London. "The death of optimizing compilers."

2015.04.03 16:40 20 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] Workshop on Cybersecurity in a Post-Quantum World. National Institute of Standards and Technology, Gaithersburg. "Trapdoor simulation of quantum algorithms."

2015.04.02 16:00 20 min contributed lecture USA researchers
[horizontal PDF slides] Workshop on Cybersecurity in a Post-Quantum World. National Institute of Standards and Technology, Gaithersburg. "SPHINCS: practical stateless hash-based signatures."

2015.02.27 10:45 45 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Cryptography Working Group. Kargadoor, Utrecht. "Batch NFS." Talk given jointly with Tanja Lange.

2015.02.11 09:45 30 min invited lecture Germany public
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] MAPPING WP5 Round Table on Privacy, Personality and Business Models. Institut für Rechtsinformatik, Gottfried Wilhelm Leibniz Universität Hannover. "Crypto and the United States Constitution."

2015.01.17 15:00 50 min refereed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] ShmooCon 2015. Washington Hilton. "NaCl: a new crypto library." Talk given jointly with Tanja Lange.

2015.01.12 11:00 60 min invited lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] DIMACS Workshop on The Mathematics of Post-Quantum Cryptography. "Introduction to quantum algorithms."

2015.01.07 11:15 30 min invited lecture England researchers
[vertical PDF slides] [horizontal PDF slides] [Ogg audio] Real World Cryptography Workshop 2015. "Error-prone cryptographic designs."

2014.12.27 21:45 60 min refereed lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] 31C3: 31st Chaos Communication Congress. Congress Center Hamburg. "ECCHacks: a gentle introduction to elliptic-curve cryptography." Talk given jointly with Tanja Lange.

2014.12.02 11:00 90 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Guest Hacker Program, KPN. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange.

2014.11.19 12:00 15 min invited lecture Belgium public
[vertical PDF slides] [horizontal PDF slides] Cyber Security in the Financial Industry. Chateau du Lac, Genval. "Crypto developments." Presentation as panel member.

2014.11.13 16:00 60 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Colloquium, Mathematical Institute, Leiden University. "Hyper-and-elliptic-curve cryptography."

2014.11.03 14:15 30 min invited lecture Japan researchers
[vertical PDF slides] [horizontal PDF slides] Post-Quantum Cryptography: Recent Results and Trends. Fukuoka SRP Center Building. "Efficient implementation of code-based cryptography."

2014.10.21 14:30 30 min invited lecture Brazil researchers
[vertical PDF slides] [horizontal PDF slides] Seminar, Universidade Estadual de Campinas. "McBits: fast constant-time code-based cryptography."

2014.10.20 14:00 60 min invited lecture Brazil students
Class talk, Universidade de São Paulo. "Making sure crypto stays insecure."

2014.10.18 09:10 60 min invited lecture Brazil researchers
[vertical PDF slides] [horizontal PDF slides] H2HC 11: Hackers To Hackers Conference. Novotel Morumbi, Sao Paulo. "Making sure crypto stays insecure." Keynote lecture.

2014.10.08 18:05 7 min contributed lecture India researchers
[horizontal PDF slides] ECC 2014. Institute of Mathematical Sciences, Chennai. "BADA55, Curve41417, Kummer."

2014.09.30 14:00 30 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Privacy and Security in an Age of Surveillance. Schloss Dagstuhl. "How to manipulate standards."

2014.09.25 21:33 4 min contributed lecture South Korea researchers
[horizontal PDF slides] CHES 2014: Cryptographic Hardware and Embedded Systems. Paradise Hotel, Busan. "EM key extraction from constant-time software on fast ARMs." Talk given jointly with Tanja Lange.

2014.09.25 21:10 3 min contributed lecture South Korea researchers
[horizontal PDF slides] CHES 2014: Cryptographic Hardware and Embedded Systems. Paradise Hotel, Busan. "DH speed news."

2014.08.15 11:20 30 min refereed lecture Canada researchers
[vertical PDF slides] [horizontal PDF slides] SAC 2014: Selected Areas in Cryptography. Concordia University, Montreal. "Batch NFS." Talk given jointly with Tanja Lange.

2014.08.08 12:00 30 min refereed lecture South Korea researchers
[vertical PDF slides] [horizontal PDF slides] Algorithmic Number Theory Symposium (ANTS) XI. Hyundai Hotel, Gyeongju. "Hyper-and-elliptic-curve cryptography."

2014.07.23 14:05 15 min invited lecture Canada researchers
[vertical PDF slides] [horizontal PDF slides] Crypto Forum Research Group, IETF 90. Fairmont Royal York Hotel, Toronto. "Curve25519, Curve41417, E-521."

2014.07.10 16:30 60 min invited lecture Australia researchers
[vertical PDF slides] [horizontal PDF slides] Distinguished Visitor Lecture, Institute for Future Environments, Queensland University of Technology. "Making sure software stays insecure." Abstract:

We have to watch and listen to everything that people are doing so that we can catch terrorists, drug dealers, pedophiles, and organized criminals. Some of this data is sent unencrypted through the Internet, or sent encrypted to a company that passes the data along to us, but we learn much more when we have comprehensive direct access to hundreds of millions of disks and screens and microphones and cameras. This talk explains how we've successfully manipulated the world's software ecosystem to ensure our continuing access to this wealth of data. This talk will not cover our efforts against encryption, and will not cover our hardware back doors.


2014.06.03 14:35 40 min invited lecture Netherlands researchers
[horizontal PDF slides] International NCSC One Conference 2014. World Forum, The Hague. "Crypto news and views." Talk given jointly with Nadia Heninger and Tanja Lange.

2014.05.21 16:00 90 min contributed lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Seminar, Technische Universiteit Eindhoven. "A subfield-logarithm attack against ideal lattices, part 1: the number-field sieve."

2014.05.16 11:30 20 min invited lecture Denmark researchers
[horizontal PDF slides] International State of the Art Cryptography Workshop. Hotel Scandic, Copenhagen. "Randomness generation." Talk given jointly with Tanja Lange.

2014.05.13 19:30 5 min contributed lecture Denmark researchers
[horizontal PDF slides] Eurocrypt 2014. Hotel Scandic, Copenhagen. "Verifiably random secure curves." Talk given jointly with Tanja Lange.

2014.05.09 10:30 60 min invited lecture Switzerland researchers
[vertical PDF slides] [horizontal PDF slides] DLP2014: Theoretical and Practical Aspects of the Discrete Logarithm Problem. Monte Verità, Ascona. "Hyper-and-elliptic-curve cryptography."

2014.01.18 12:00 50 min refereed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] ShmooCon 2014. Washington Hilton. "SafeCurves: choosing safe curves for elliptic-curve cryptography." Talk given jointly with Tanja Lange.

2014.01.10 11:30 15 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "The impact of security proofs: two troublesome case studies."

2014.01.09 17:00 30 min invited lecture Germany researchers
[horizontal PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "Randomness." Talk given jointly with Tanja Lange.

2013.12.29 13:00 20 min invited lecture Germany researchers
[horizontal PDF slides] #youbroketheinternet assembly; Operating Systems panel. Congress Center Hamburg. "(Tweet)NaCl." Talk given jointly with Tanja Lange and Peter Schwabe.

2013.12.28 18:30 60 min refereed lecture Germany researchers
[horizontal PDF slides] [Ogg audio] [video] 30C3: 30th Chaos Communication Congress. Congress Center Hamburg. "The year in crypto." Talk given jointly with Nadia Heninger and Tanja Lange.

2013.12.27 15:40 20 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] #youbroketheinternet assembly; Crypto Names panel. Congress Center Hamburg. "Understanding DNSCurve."

2013.12.06 09:40 40 min invited lecture India researchers
[vertical PDF slides] [horizontal PDF slides] International State of the Art Cryptography Workshop. JW Marriott Hotel Bengaluru. "Cleaning up crypto." Talk given jointly with Tanja Lange.

2013.12.05 11:10 25 min refereed lecture India researchers
[vertical PDF slides] [horizontal PDF slides] Asiacrypt 2013. JW Marriott Hotel Bengaluru. "Non-uniform cracks in the concrete: the power of free precomputation." Talk given jointly with Tanja Lange.

2013.11.29 15:00 45 min invited lecture Netherlands researchers
[vertical PDF slides] [horizontal PDF slides] Cryptography Working Group. Kargadoor, Utrecht. "Failures of secret-key cryptography."

2013.11.03 14:15 30 min invited lecture Germany researchers
[horizontal PDF slides] PUFFIN Workshop. Park Inn Alexanderplatz, Berlin. "Computers as undocumented physical objects."

2013.10.31 15:30 45 min invited lecture Australia researchers
Computational Algebra Seminar, School of Mathematics and Statistics, University of Sydney. "McBits: fast constant-time code-based cryptography."

2013.10.30 14:45 45 min invited lecture Australia researchers
[vertical PDF slides] [horizontal PDF slides] Seminar, Department of Computing, Macquarie University. "McBits: fast constant-time code-based cryptography."

2013.09.26 11:25 20 min contributed lecture France researchers
[vertical PDF slides] [horizontal PDF slides] Quantum-Safe-Crypto Workshop. ETSI, Sophia Antipolis. "Overview of post-quantum cryptography."

2013.09.16 20:07 7 min contributed lecture Belgium researchers
[vertical PDF slides] [horizontal PDF slides] ECC 2013. Katholieke Universiteit Leuven. "Security dangers of the NIST curves."

2013.09.10 14:45 45 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Quantum Cryptanalysis. Schloss Dagstuhl. "Quantum algorithms for the subset-sum problem."

2013.08.22 14:25 25 min refereed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] CHES 2013: Cryptographic Hardware and Embedded Systems. University of California at Santa Barbara. "McBits: fast constant-time code-based cryptography."

2013.08.03 11:30 25 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Minisymposium on Post-Quantum Cryptography. SIAM Conference on Applied Algebraic Geometry 2013. Colorado State University. "McBits: fast constant-time code-based cryptography."

2013.08.03 10:30 25 min contributed lecture USA researchers
[vertical PDF slides] [horizontal PDF slides] Minisymposium on Post-Quantum Cryptography. SIAM Conference on Applied Algebraic Geometry 2013. Colorado State University. "Quantum algorithms for the subset-sum problem."

2013.07.18 17:30 30 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Complexity news: discrete logarithms in multiplicative groups of small-characteristic finite fields---the algorithm of Barbulescu, Gaudry, Joux, Thomé."

2013.07.05 11:00 60 min invited lecture England researchers
[vertical PDF slides] [horizontal PDF slides] Number Theory, Geometry and Cryptography. University of Warwick. "McBits: fast constant-time code-based cryptography."

2013.06.28 10:45 60 min invited lecture England students
[vertical PDF slides] [horizontal PDF slides] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 4: fast multiplication and its applications."

2013.06.27 12:00 60 min invited lecture England students
[vertical PDF slides] [horizontal PDF slides] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 3: more cryptosystems."

2013.06.26 10:45 60 min invited lecture England students
[vertical PDF slides] [horizontal PDF slides] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 2: more elliptic-curve formulas; field arithmetic."

2013.06.24 10:45 60 min invited lecture England students
[vertical PDF slides] [horizontal PDF slides] Summer School: Number Theory for Cryptography. University of Warwick. "High-speed cryptography, part 1: elliptic-curve formulas."

2013.06.19 09:45 45 min invited lecture Germany researchers
[vertical PDF slides] [horizontal PDF slides] ISC 2013: International Supercomputing Conference. Distinguished Speakers session. Congress Center Leipzig. "How to use the new 65-megawatt Bluffdale supercomputer: a gentle introduction to cryptanalysis."

2013.06.12 09:30 60 min invited lecture France researchers
[vertical PDF slides] [horizontal PDF slides] Code-Based Cryptography Workshop. INRIA Rocquencourt. "McBits: fast constant-time code-based cryptography."

2013.06.07 11:35 5 min contributed lecture France researchers
[vertical PDF slides] [horizontal PDF slides] PQCrypto 2013: Fifth International Conference on Post-Quantum Cryptography. Xlim, Limoges. "Signature sizes: a call to action."

2013.06.06 15:50 35 min refereed lecture France researchers
[vertical PDF slides] [horizontal PDF slides] PQCrypto 2013: Fifth International Conference on Post-Quantum Cryptography. Xlim, Limoges. "Quantum algorithms for the subset-sum problem."

2013.05.31 12:30 30 min invited lecture Greece researchers
[horizontal PDF slides] International State of the Art Cryptography Workshop. Divani Caravel, Athens. "Security dangers of the NIST curves." Talk given jointly with Tanja Lange.

2013.05.28 21:10 5 min contributed lecture Greece researchers
[PDF slides] Eurocrypt 2013. Divani Caravel, Athens. "Cryptographic competitions."

2013.03.12 10:35 60 min invited lecture Singapore researchers
[PDF slides] FSE 2013: 20th International Workshop on Fast Software Encryption. Novotel Singapore Clarke Quay. "Failures of secret-key cryptography." Abstract:

The most fundamental promise made by cryptography is that a sender and receiver, starting from nothing more than shared knowledge of a secret key, can securely exchange messages. Secret-key cryptography protects the confidentiality and integrity of the messages against any possible misbehavior by the intermediate network.

Unfortunately, the trust that users place in secret-key cryptography has been repeatedly and flagrantly violated. This talk will survey recent and ongoing examples, analyze ways that cryptographic designers can do better, and report on the new five-year Competition for Authenticated Encryption: Security, Applicability, and Robustness (https://competitions.cr.yp.to).


2013.02.17 11:00 60 min invited lecture Israel researchers
Theory Seminar. Weizmann Institute of Science. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange.

2013.02.13 14:30 60 min invited lecture Israel researchers
[PDF slides] Seminar, Computer Science Department. University of Haifa. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange.

2013.02.11 20:00 5 min contributed lecture Israel researchers
Modeling Intractability workshop. Ramon Inn, Mitzpe Ramon. "Quantum algorithms for the subset-sum problem."

2013.02.10 10:00 50 min invited lecture Israel researchers
[PDF slides] Modeling Intractability workshop. Ramon Inn, Mitzpe Ramon. "Modeling the security of cryptography, part 1: secret-key cryptography."

2013.02.07 12:15 45 min invited lecture Netherlands researchers
[PDF slides] Beveiligingsconferentie SURFcert & SURFibo. Gebouw Kroonjuweel, Hogeschool van Amsterdam. "The DNS security mess."

2013.01.23 16:30 5 min invited lecture Spain researchers
[PDF slides] Crypto for 2020. Hotel Jardin Tropical, Tenerife. "The fundamental goal of 'provable security'." Presentation as part of "On provable security" panel discussion.

2013.01.15 09:35 35 min invited lecture Luxembourg researchers
[PDF slides] ESC 2013: Early Symmetric Crypto. Hotel Am Klouschter, Mondorf-les-Bains. "Non-uniform cracks in the concrete: the power of free precomputation." Talk given jointly with Tanja Lange.

2013.01.14 09:40 40 min invited lecture Luxembourg researchers
[PDF slides] ESC 2013: Early Symmetric Crypto. Hotel Am Klouschter, Mondorf-les-Bains. "Feistel modes redivivus."

2013.01.07 09:15 75 min invited lecture USA researchers
[PDF slides] SRI International, Menlo Park. "The state of factoring algorithms and other cryptanalytic threats to RSA." Talk given jointly with Nadia Heninger and Tanja Lange.

2012.12.29 21:45 60 min refereed lecture Germany researchers
[PDF slides] 29C3: 29th Chaos Communication Congress. Congress Center Hamburg. "Hash-flooding DoS reloaded: attacks and defenses." Talk given jointly with Jean-Philippe Aumasson and Martin Boßlet.

2012.12.28 18:30 60 min refereed lecture Germany researchers
[PDF slides] 29C3: 29th Chaos Communication Congress. Congress Center Hamburg. "FactHacks: RSA factorization in the real world." Talk given jointly with Nadia Heninger and Tanja Lange.

2012.12.12 14:30 25 min refereed lecture India researchers
[PDF slides] Indocrypt 2012. Indian Statistical Institute, Kolkata. "SipHash: a fast short-input PRF."

2012.12.11 12:40 25 min refereed lecture India researchers
[PDF slides] Indocrypt 2012. Indian Statistical Institute, Kolkata. "Computing small discrete logarithms faster." Talk given jointly with Tanja Lange.

2012.11.29 14:25 25 min invited lecture Germany researchers
[PDF slides] Escar 2012: Embedded Security in Cars. Grand Hotel Esplanade Berlin. "High-speed, high-security cryptography on ARMs." Talk given jointly with Tanja Lange. Abstract:

Secure cryptography does not need to be big and slow. This talk explains the cryptographic primitives behind the record-setting software in the NaCl library (nacl.cr.yp.to), reports timings on a variety of CPUs, and then focuses on ARM processors, with an emphasis on the popular ARM Cortex A8 CPU core.


2012.11.20 17:00 45 min invited lecture Belgium researchers
[PDF slides] CIoT: Cryptography for the Internet of Things. Hotel Radisson Blu, Antwerp. "High-speed cryptography for mobile devices." Abstract:

Imagine the Internet of Things a few years from now: at every moment you're within radio distance of thousands of small networked devices. All of those devices will talk to, and to some extent be controlled by, your smartphone. These communications will require cryptographic protection; but can your smartphone keep up with the load? This talk will discuss the state of the art in smartphone cryptography.


2012.11.16 14:40 40 min invited lecture Taiwan researchers
[PDF slides] TWISC 2012: Taiwan-Germany Workshop on Information Security and Crypto and TWISC Annual Exhibition. International Conference Center, National Chung-Hsing University, Taichung. "The DNS security mess."

2012.11.05 10:30 30 min invited lecture Netherlands researchers
[PDF slides] Post-Quantum Cryptography and Quantum Algorithms. Lorentz Center, Leiden University. "Post-quantum cryptography." Abstract:

I'll survey the impact that quantum algorithms have had, and might have in the future, upon the traditional waterfall from cryptographers through cryptanalysts through cryptographic algorithm designers through algorithm implementors to cryptographic users.


2012.10.30 10:00 60 min invited lecture Mexico researchers
[PDF slides] ECC 2012: The 16th Workshop on Elliptic Curve Cryptography. Universidad Autónoma de Querétaro. "NIST P-256 has a cube-root ECDL algorithm." Abstract:

Don't panic. Finding the algorithm is a vastly larger computation than running the algorithm. This distinction is critical for applied cryptography but absent from the standard security definitions in the literature. I will present algorithms illustrating this gap, and will discuss strategies for fixing the definitions. This is joint work with Tanja Lange. https://eprint.iacr.org/2012/318 https://eprint.iacr.org/2012/458


2012.10.22 12:00 60 min invited lecture USA researchers
[PDF slides] [Ogg audio] [video] Advanced Programming Seminar. University of Illinois at Chicago. "Data-structure lock-in." Abstract:

Why is the computer so slow? The answer, more often than not, is a poor choice of organization of data inside the computer. I'll give several real-world examples where these poor choices persist even though (1) everyone can see the damage that they do and (2) everyone learned in school that better choices are available.


2012.09.27 11:00 30 min refereed lecture France researchers
[PDF slides] YACC 2012: Yet Another Conference on Cryptography. Porquerolles. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange.

2012.09.24 14:30 60 min invited lecture France researchers
[PDF slides] YACC 2012: Yet Another Conference on Cryptography. Porquerolles. "Cryptography for the paranoid."

2012.09.10 21:45? 5 min contributed lecture Belgium researchers
[PDF slides] CHES 2012: Cryptographic Hardware and Embedded Systems. Aula Pieter de Somer, Leuven. "Implementing 'Practical leakage-resilient symmetric cryptography'."

2012.08.08 20:25 5 min contributed lecture USA researchers
[PDF slides] USENIX Security Symposium 2012. Hyatt Regency Bellevue. "Blaming the cryptographic user."

2012.07.13 15:00 90 min invited lecture USA researchers
[PDF slides] Short Subjects in Security seminar, Qualcomm, San Diego, California. "The security impact of a new cryptographic library." Talk given jointly with Tanja Lange.

2012.07.09 12:00 30 min refereed lecture USA researchers
[PDF slides] ANTS 2012. University of California, San Diego. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange.

2012.07.03 17:54 4 min contributed lecture Netherlands researchers
[PDF slides] RFIDsec 2012. Hotel Erica, Berg en Dal. "More hidden bits."

2012.07.03 12:00 30 min refereed lecture Netherlands researchers
[PDF slides] RFIDsec 2012. Hotel Erica, Berg en Dal. "Never trust a bunny." Talk given jointly with Tanja Lange.

2012.06.28 14:30 30 min refereed lecture Singapore researchers
[PDF slides] ACNS 2012: Applied Cryptography and Network Security. Novotel. "The security impact of a new cryptographic library."

2012.06.08 11:45 45 min invited lecture Netherlands researchers
[PDF slides] Cryptography Working Group. Kargadoor, Utrecht. "Two grumpy giants and a baby." Talk given jointly with Tanja Lange.

2012.06.04 13:45 105 min invited lecture Netherlands students
[PDF slides] Class talk, Technische Universiteit Eindhoven. "The DNS security mess."

2012.04.17 20:17 7 min contributed lecture England researchers
[PDF slides] Eurocrypt 2012. Cambridge University. "Non-uniform cracks in the concrete."

2012.03.23 09:00 20 min refereed lecture USA researchers
[PDF slides] Third SHA-3 Candidate Conference. Washington Marriott. "The new SHA-3 software shootout." Talk given jointly with Tanja Lange.

2012.03.20 17:20 7 min contributed lecture USA researchers
[PDF slides] FSE 2012: 19th International Workshop on Fast Software Encryption. Washington Marriott. "The HMAC brawl."

2012.03.18 16:00 30 min refereed lecture USA researchers
[PDF slides] SHARCS 2012: Special-purpose Hardware for Attacking Cryptographic Systems. Washington Marriott. "Usable assembly language for GPUs: a success story."

2012.03.08 13:40 100 min invited lecture Belgium students
[PDF slides] SecAppDev 2012. Irish College, Leuven. "Deploying high-security cryptography."

2012.03.08 11:00 100 min invited lecture Belgium students
[PDF slides] [Ogg audio] SecAppDev 2012. Irish College, Leuven. "Cryptography worst practices."

2012.02.13 13:30 90 min invited lecture Netherlands researchers
SLaBaC seminar, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Polynomial lattices, part 2."

2012.02.06 13:30 90 min invited lecture Netherlands researchers
SLaBaC seminar, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Polynomial lattices, part 1."

2012.01.16 17:15 45 min invited lecture Germany researchers
[PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "Authenticated ciphers."

2012.01.14 09:30 60 min invited lecture India researchers
[PDF slides] Workshop on Mathematical and Statistical Aspects of Cryptography. Indian Statistical Institute, Kolkata. "A battle of bits: building confidence in cryptography." Talk given jointly with Tanja Lange.

2011.12.01 09:55 35 min refereed lecture Taiwan researchers
[PDF slides] PQCrypto 2011. Howard International House, Taipei. "Simplified high-speed high-distance list decoding for alternant codes."

2011.11.24 16:30 55 min invited lecture Netherlands researchers
[PDF slides] DIAMANT symposium. Conferentiecentrum Mennorode, Elspeet. "Jet list decoding."

2011.10.19 08:30 60 min invited lecture Brazil researchers
[PDF slides] ITW 2011: Information Theory Workshop. Casa da Cultura, Paraty. "Jet list decoding." Plenary talk.

2011.09.28 12:45 30 min invited lecture Netherlands researchers
[PDF slides] EiPSI Seminar. Technische Universiteit Eindhoven. "The security impact of a new cryptographic library."

2011.09.22 16:15 45 min invited lecture Germany researchers
[PDF slides] Quantum cryptanalysis. Schloss Dagstuhl. "Post-quantum cryptanalysis."

2011.08.25 10:50 60 min invited lecture South Korea researchers
[PDF slides] International Conference on Coding and Cryptography. Ewha Womans University, Seoul. "Advances in code-based public-key cryptography."

2011.08.18 11:30 20 min refereed lecture USA researchers
[PDF slides] Crypto 2011. University of California, Santa Barbara. "Smaller decoding exponents: ball-collision decoding."

2011.07.29 15:00 30 min invited lecture Switzerland researchers
[PDF slides] Combinatorial, Algebraic and Algorithmic Aspects of Coding Theory. Polydome, Ecole Polytechnique Federale de Lausanne. "Simplified high-speed high-distance list decoding for alternant codes."

2011.07.18 10:15 25 min invited lecture Germany researchers
[PDF slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Jet list decoding." Abstract written after the talk:

This talk presented a new high-speed high-distance decoding algorithm for classical binary Goppa codes.


2011.07.06 20:30 7 min contributed lecture Senegal researchers
[PDF slides] Africacrypt 2011. Agence universitaire de la Francophonie, Dakar. "High-speed high-security signatures."

2011.07.06 20:10 2 min contributed lecture Senegal researchers
[PDF slides] Africacrypt 2011. Agence universitaire de la Francophonie, Dakar. "Conference announcement: Indocrypt 2011."

2011.05.31 10:45 45 min invited lecture China researchers
[PDF slides] IWCC 2011, Third International Workshop on Coding and Cryptography. Qingdao Garden Hotel, China. "Advances in code-based public-key cryptography."

2011.05.24 10:00 60 min invited lecture Poland researchers
[PDF slides] Quo Vadis Cryptology? SHA-3 Contest. LORD Hotel, Warsaw. "Software benchmarking of SHA-3 candidates." Presentation given jointly with Tanja Lange. Abstract:

The eBACS project (ECRYPT Benchmarking of Cryptographic Systems) includes eBASH (ECRYPT Benchmarking of All Submitted Hashes), which has carefully measured the speed of 564 state-of-the-art software implementations of 91 different hash functions on 100 different computers. NIST's SHA-3 finalist selection report labelled eBASH as the "primary contributor" to NIST's software speed evaluations. This talk will review the context and accomplishments of eBASH and look to the future, with a particular emphasis on the SHA-3 finalists.


2011.05.11 14:30 50 min invited lecture Netherlands researchers
[PDF slides] Code-based Cryptography Workshop. Technische Universiteit Eindhoven. "Decoding random codes: asymptotics, benchmarks, challenges, and implementations."

2011.03.30 13:30 60 min invited lecture USA researchers
[PDF slides] Seminar, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign. "Usable assembly language for GPUs."

2011.03.07 14:25 25 min refereed lecture Italy researchers
[PDF slides] PKC 2011: 14th International Conference on Practice and Theory in Public-Key Cryptography. Hotel Villa Diodoro, Taormina. "On the correct use of the negation map in the Pollard rho method." Talk given jointly with Tanja Lange.

2011.02.17 15:20 20 min refereed lecture Denmark researchers
SKEW 2011: Symmetric Key Encryption Workshop 2011. Denmark Technical University, Copenhagen. "Software speed of stream ciphers."

2011.02.16 14:20 20 min refereed lecture Denmark researchers
[PDF slides] SKEW 2011: Symmetric Key Encryption Workshop 2011. Denmark Technical University, Copenhagen. "Extending the Salsa20 nonce."

2011.02.14 19:15 5 min contributed lecture Denmark researchers
[PDF slides] FSE 2011: 18th International Workshop on Fast Software Encryption. Denmark Technical University, Copenhagen. "Really fast syndrome-based hashing."

2011.02.14 19:05 5 min contributed lecture Denmark researchers
[PDF slides] FSE 2011: 18th International Workshop on Fast Software Encryption. Denmark Technical University, Copenhagen. "Building a battlefield for authenticated encryption."

2011.02.05 11:15 25 min contributed lecture Austria researchers
[PDF slides] Arbeitstagung Allgemeine Algebra (AAA 81). University of Salzburg. "A classification of detours in proofs of the generalized Nullstellensatz."

2010.12.28 20:30 60 min invited lecture Germany researchers
[PDF slides] 27th Chaos Communication Congress (27C3). Berliner Congress Center, Berlin. "High-speed high-security cryptography: encrypting and authenticating the whole Internet." Abstract:

Are you writing a program that sends data through the Internet? Are you sending the data through HTTP, or SMTP, or simply TCP, leaving it vulnerable to espionage, corruption, and sabotage by anyone who owns a machine connected to the same network?

You can use SSH and IPsec to protect communication with your own machines, but how do you talk to the rest of the Internet? You can use TCPcrypt to protect yourself against attackers too lazy to forge packets, but how do you protect yourself against serious attackers? You can use HTTPS for low-frequency communication, but how do you handle heavy network traffic, and how do you protect yourself against the security flaws in HTTPS? Today's Internet cryptography is slow, untrustworthy, hard to use, and remarkably unsuccessful as a competitor to good old unprotected TCP.

This talk will present a different approach to high-security Internet cryptography. This approach is easy for users, easy for system administrators, and, perhaps most importantly, easy for programmers. The main reason that the approach has not been tried before is that it seems to involve very slow cryptographic operations; this talk will show that the approach is extremely fast when it is done right.


2010.12.15 12:00 30 min refereed lecture India researchers
[PDF slides] Indocrypt 2010. Marriott Convention Center, Hyderabad. "ECC2K-130 on NVIDIA GPUs."

2010.10.24 14:00 60 min invited lecture USA researchers
Workshop on Embedded Systems Security (WESS 2010). Glenville, Arizona. "Cryptographic benchmarking in ECRYPT II." Talk given jointly with Tanja Lange.

2010.10.21 14:00 60 min invited lecture USA researchers
[PDF slides] Workshop on Elliptic Curves and Computation (ECC 2010). Microsoft Research, Redmond. "Algorithms for primes."

2010.08.24 14:09 12 min invited lecture USA researchers
[PDF slides] Second SHA-3 Candidate Conference. University of California, Santa Barbara. "CubeHash."

2010.08.24 09:15 15 min refereed lecture USA researchers
Second SHA-3 Candidate Conference. University of California, Santa Barbara. "Software speed of SHA-3 candidates."

2010.08.19 21:27 7 min contributed lecture USA researchers
[PDF slides] CHES 2010: Cryptographic Hardware and Embedded Systems. "Faster ECDL."

2010.08.19 21:13 2 min contributed lecture USA researchers
[PDF slides] [Leakage video] CHES 2010: Cryptographic Hardware and Embedded Systems. "Why CHES is better than CRYPTO (except for the rump session)." Presentation given jointly with Tanja Lange.

2010.08.09 14:15 30 min refereed lecture Mexico researchers
[PDF slides] LatinCrypt 2010. "Starfish on strike." Talk given jointly with Tanja Lange.

2010.07.20 20:30 5 min contributed lecture France researchers
[PDF slides] Algorithmic Number Theory Symposium (ANTS) IX. LORIA, Nancy. "Faster rho for elliptic curves."

2010.06.28 12:00 30 min refereed lecture Turkey researchers
[PDF slides] International workshop on the arithmetic of finite fields (WAIFI 2010). Grand Hyatt Istanbul. "Type-II optimal polynomial bases."

2010.05.28 15:15 25 min contributed lecture Germany researchers
[PDF slides] PQCrypto 2010: Third International Workshop on Post-Quantum Cryptography. Fraunhofer Institute, Darmstadt. "Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA." Abstract:

(1) What is the number of bit operations required for high-security code-based cryptography? Specifically, how many additions and multiplications over F_2 are required for straight-line encryption and decryption? Optimizations in this model are directly relevant to hardware and to bitsliced software. (2) Is it possible that the community has missed another plausible candidate for post-quantum cryptography?


2010.05.26 15:00 30 min refereed lecture Germany researchers
[PDF slides] PQCrypto 2010: Third International Workshop on Post-Quantum Cryptography. Fraunhofer Institute, Darmstadt. "Grover vs. McEliece."

2010.05.17 16:10 50 min invited lecture Belgium researchers
[PDF slides] GTEM Workshop on Computational Number Theory and Arithmetic Geometry. Arenbergkasteel, Leuven. "Factoring integers with elliptic curves."

2010.05.07 09:00 240 min invited lecture South Africa students
[PDF slides] Third International Conference on Cryptology in Africa (AFRICACRYPT 2010). Stellenbosch Institute for Advanced Study. "ECC minicourse." Lecture given jointly with Tanja Lange.

2010.04.19 14:30 60 min invited lecture Canada researchers
[PDF slides] Counting Points: Theory, Algorithms and Practice. Le Centre de recherches mathématiques, University of Montreal. "Counting points as a video game."

2010.04.16 11:00 60 min invited lecture Canada researchers
[PDF slides] Computer Security and Cryptography. Le Centre de recherches mathématiques, University of Montreal. "The factorization of RSA-1024." Abstract:

This talk discusses the most important tools for attackers breaking 1024-bit RSA keys today and tomorrow. The same tools will also be useful for academic teams in the farther future publicly breaking the RSA-1024 challenge.


2010.02.26 14:45 45 min invited lecture Taiwan researchers
[PDF slides] The First Taiwanese Workshop on Security and System-on-Chip. National Taiwan University, Taipei. "Small high-security encryption, authentication, and hashing."

2010.02.04 14:25 35 min invited lecture Netherlands researchers
[PDF slides] Tweedaagse beveiligingsconferentie SURFcert & SURFibo. Koninklijke Bibliotheek, Den Haag. "Elliptic-curve cryptography."

2010.01.13 11:30 40 min invited lecture Luxembourg researchers
[PDF slides] ESC 2010: Early Symmetric Crypto. Centre de Formation et de Seminaires, Remich. "Software speed for secret-key cryptography."

2009.12.16 09:00 60 min invited lecture India researchers
[PDF slides] Indocrypt 2009. Indian National Science Academy, New Delhi. "Breaking ECC2K-130."

2009.12.04 15:00 45 min invited lecture Netherlands researchers
[PDF slides] Cryptography Working Group. Trianon Zalen, Utrecht. "Breaking ECC2K-130."

2009.11.17 09:00 75 min invited lecture Spain students
[PDF slides] Hash^3: Proofs, Analysis, and Implementation. Hotel Jardin Tropical, Costa Adeje, Tenerife. "Software benchmarking."

2009.10.30 15:00 60 min invited lecture Australia researchers
[PDF slides] Centre for Advanced Computing---Algorithms and Cryptography Seminar. Faculty of Science, Macquarie University. "Breaking DNSSEC."

2009.10.29 16:00 60 min invited lecture Australia researchers
[PDF slides] Computational Algebra Seminar. School of Mathematics and Statistics, University of Sydney. "Speeding up characteristic 2."

2009.10.12 11:00 30 min refereed lecture Germany researchers
[PDF slides] Software Performance Enhancement for Encryption and Decryption and Cryptographic Compilers (SPEED-CC). Radisson Blu, Berlin. "Optimizing linear maps modulo 2."

2009.10.06 16:45 40 min invited lecture Belgium researchers
[PDF slides] [part-2 PDF slides] CRYPTASC Workshop. QUIC, Université Libre de Bruxelles. "What is a use case for quantum key exchange?" Talk given jointly with Tanja Lange.

2009.09.22 13:30 60 min invited lecture Canada researchers
[PDF slides] Discovery and Experimentation in Number Theory. Fields Institute, Waterloo, Ontario. "Addition laws on elliptic curves." Plenary lecture.

2009.09.12 11:45 45 min invited lecture Germany researchers
[PDF slides] Factoring 2009. Bochum. "ECM speed records for CPU and GPU."

2009.09.10 11:00 30 min refereed lecture Switzerland researchers
[PDF slides] Special-Purpose Hardware for Attacking Cryptographic Systems (SHARCS 2009). Ecole Polytechnique Federale de Lausanne. "Cost analysis of hash collisions: will quantum computers make SHARCS obsolete?"

2009.09.09 18:15 30 min refereed lecture Switzerland researchers
[PDF slides] Special-Purpose Hardware for Attacking Cryptographic Systems (SHARCS 2009). Ecole Polytechnique Federale de Lausanne. "The Certicom challenges ECC2-X." Talk given jointly with Tanja Lange, Frank Gurkaynak, Daniel V. Bailey, Peter Schwabe.

2009.09.08 21:30? 3 min contributed lecture Switzerland researchers
[PDF slides] CHES 2009: Workshop on Cryptographic Hardware and Embedded Systems. Ecole Polytechnique Federale de Lausanne. "binary.cr.yp.to."

2009.09.08 17:25? 5 min invited lecture Switzerland researchers
[PDF slides] CHES 2009: Workshop on Cryptographic Hardware and Embedded Systems; panelist in special session on Benchmarking of Cryptographic Hardware. Ecole Polytechnique Federale de Lausanne. "eBACS: ECRYPT Benchmarking of Cryptographic Systems."

2009.08.25 09:00 50 min invited lecture Canada researchers
[PDF slides] ECC 2009. University of Calgary. "Post-quantum cryptography." Abstract:

Large quantum computers will break RSA, DSA, ECC, and HECC, but cryptographers will still have many attractive choices of post-quantum public-key systems. This talk will survey the post-quantum landscape, and as an illustrative example will discuss McEliece's 1978 hidden-Goppa-code public-key encryption system.


2009.08.24 19:00 10 min contributed lecture Canada researchers
[PDF slides] ECC 2009. University of Calgary. "Batch binary Edwards."

2009.08.18 12:00 25 min refereed lecture USA researchers
[PDF slides] Crypto 2009. University of California, Santa Barbara. "Batch binary Edwards." Abstract:

This paper sets new software speed records for high-security Diffie--Hellman computations, specifically 251-bit elliptic-curve variable-base-point scalar multiplication. In one second of computation on a $200 Core 2 Quad Q6600 CPU, this paper's software performs 30000 251-bit scalar multiplications on the binary Edwards curve d(x+x^2+y+y^2)=(x+x^2)(y+y^2) over the field F_2[t]/(t^{251}+t^7+t^4+t^2+1) where d=t^{57}+t^{54}+t^{44}+1. The paper's field-arithmetic techniques can be applied in much more generality but have a particularly efficient interaction with the completeness of addition formulas for binary Edwards curves. See binary.cr.yp.to/edwards.html for more information.


2009.08.11 14:00 60 min invited lecture USA researchers
[PDF slides] Seminar. Google. "High-speed cryptography, DNSSEC, and DNSCurve." Abstract:

DNSSEC, a project to add cryptographic protection to DNS, has received millions of dollars of U.S. government grants and after fifteen years still has not stopped any attacks. The underlying problem is DNSSEC's fear of cryptographic overload, which forced DNSSEC down a path of unreliability, insecurity, and unusability.

DNSCurve is a new project to add cryptographic protection to DNS. DNSCurve is much stronger than DNSSEC, much more robust, much less damaging to the Internet, much easier to implement, and much easier to use.

The critical design decision in DNSCurve is exactly the decision that DNSSEC rejected on the grounds of performance. Can busy sites keep up with the load? Advances in high-speed high-security elliptic-curve cryptography mean that the answer is yes. A single day of computation on a Core 2 Quad CPU is enough to cryptographically protect 50 billion packets exchanged with 500 million clients, more than the load on all of the Internet's top-level .com servers put together.


2009.08.10 09:30 60 min invited lecture Canada researchers
[PDF slides] WOOT 2009. Le Centre Sheraton Hotel, Montreal. "Breaking DNSSEC." Keynote lecture. Abstract:

More than two hundred sites around the world have installed DNSSEC during the past year, so attackers can finally gain hands-on experience with breaking DNSSEC servers. How quickly does DNSSEC leak private information? How powerful are today's DNSSEC servers when they are abused as denial-of-service amplifiers? How easy is it to forge DNS data from a DNSSEC server?


2009.07.31 09:40 40 min invited lecture Germany researchers
[PDF slides] Classical and quantum information assurance: foundations and practice. Schloss Dagstuhl. "How to improve the price-performance ratio of quantum collision search." Abstract:

A quantum algorithm by Brassard, Hoyer, and Tapp finds collisions in a generic b-bit hash function using O(2^(b/3)) calls to the hash function. How well does the same algorithm perform in more sophisticated cost measures than number of hash calls? In particular, does the algorithm achieve an optimal tradeoff between the size of a quantum computer and the time taken by the computer to find collisions? This talk will show that the algorithm is highly suboptimal from this perspective, and will explain how to do better.


2009.07.28 11:45 40 min invited lecture Germany researchers
[PDF slides] Classical and quantum information assurance: foundations and practice. Schloss Dagstuhl. "Cost-benefit analysis of quantum cryptography." Abstract:

"Why quantum cryptography?" "SECOQC white paper on quantum key distribution and cryptography." "Quantum cryptography: as awesome as it is pointless." "The case for quantum key distribution."

Different authors have come to wildly different conclusions regarding the value of quantum cryptography. Some of this variability can be explained by implicit differences in models of what users value; this talk will present a unified analysis explicitly parametrized by the model. A surprisingly large part of the variability stems from easily correctable errors; this talk will explain how future authors can recognize and avoid the most common pitfalls.


2009.07.17 10:10 30 min invited lecture Germany researchers
[PDF slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Complete addition laws for all elliptic curves over finite fields.'' Abstract written after the talk:

This talk reports the latest news from a joint project with Tanja Lange to find, for each elliptic curve E, the fastest possible complete addition law for E.


2009.06.27 11:00 50 min invited lecture Brazil researchers
[PDF slides] Fórum Internacional de Software Livre. Pontifícia Universidade do Rio Grande do Sul (PUCRS), Porto Alegre. "High-speed cryptography and DNSCurve." Abstract:

This talk will explain DNSCurve, a new project to add cryptographic protection to DNS. DNSCurve is much stronger than DNSSEC, much more robust, much less damaging to the Internet, much easier to implement, and much easier to use.

The critical design decision in DNSCurve is exactly the decision that DNSSEC rejected on the grounds of performance. Can busy sites keep up with the load? Advances in high-speed high-security elliptic-curve cryptography mean that the answer is yes. A single day of computation on a Core 2 Quad CPU is enough to cryptographically protect 50 billion packets exchanged with 500 million clients, more than the load on all of the Internet's top-level .com servers put together.


2009.06.24 10:00 50 min invited lecture Brazil researchers
[PDF slides] Fórum Internacional de Software Livre. Pontifícia Universidade do Rio Grande do Sul (PUCRS), Porto Alegre. "The DNS security mess." Abstract:

The Domain Name System publishes records such as "softwarelivre.org has IP address 200.169.21.196". Attackers can easily exploit the DNS protocol to selectively forge web pages and steal Internet mail.

DNSSEC, a project to add cryptographic protection to DNS, has received millions of dollars of U.S. government grants and after fifteen years still has not stopped any attacks. This talk will explain the design of DNSSEC, and in particular will explain how DNSSEC's fear of cryptographic overload forced DNSSEC down a path of unreliability, insecurity, and unusability.


2009.05.26 09:15 45 min invited lecture Germany researchers
[PDF slides] Algorithms and Number Theory. Schloss Dagstuhl. "Code-based post-quantum cryptography." Abstract:

McEliece's code-based cryptosystem was introduced in 1978 and is one of the leading candidates for post-quantum public-key cryptography. All known attacks against the cryptosystem, including attacks by quantum computers, take time exponential in the code length, while encryption and decryption take polynomial time with very small exponents.

This talk will explain (1) how the original parameters proposed by McEliece were broken in 2008 by Bernstein, Lange, and Peters, (2) the computational issues that arise in using the cryptosystem for larger parameters, and (3) how list decoding of Goppa codes is connected to the Lenstra--Konyagin--Pomerance--Coppersmith--Howgrave-Graham--Nagaraj algorithm to find divisors in residue classes.


2009.05.15 11:00 60 min invited lecture Canada researchers
[PDF slides] [Ogg audio] Cryptography Retrospective Meeting. Fields Institute, Toronto, Canada. "High-speed cryptography."

2009.04.17 11:30 60 min invited lecture Spain researchers
[PDF slides] Algebra and Number Theory Seminar. Department of Mathematics, Universidad Autonomo de Madrid. "Complete addition laws for elliptic curves." Talk given jointly with Tanja Lange.

2009.04.03 10 min contributed lecture France researchers
[PDF slides] Arithmetic, Geometry, Cryptography and Coding Theory (AGCT-12). Centre International de Rencontres Mathematiques, Luminy. Marseille. "Batch binary Edwards."

2009.03.26 60 min invited lecture France researchers
[PDF slides] ESF Exploratory Workshop: Curves, Coding Theory, and Cryptography. Institut de Mathematiques de Luminy. Marseille. "Models of elliptic curves." Talk given jointly with Tanja Lange.

2009.03.21 11:00 60 min invited lecture India researchers
[PDF slides] The LNM Institute of Information Technology, Jaipur. "DNSSEC and DNSCurve."

2009.03.20 14:00 60 min invited lecture India researchers
[PDF slides] Department of Computer Engineering. Malaviya National Institute of Technology, Jaipur. "DNSSEC and DNSCurve."

2009.03.17 10:00 60 min invited lecture India researchers
[PDF slides] Hack.in 2009: 3rd Hackers' Workshop. Indian Institute of Technology, Kanpur. "DNSCurve." Keynote lecture.

2009.03.04 09:00 100 min invited lecture Belgium students
[PDF slides] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Secure design and coding for DNS."

2009.03.03 09:00 100 min invited lecture Belgium students
[PDF slides] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Cryptography in DNS."

2009.03.02 15:40 100 min invited lecture Belgium students
[PDF slides] SecAppDev 2009. Faculty Club, Groot Begijnhof, Leuven. "Attacks on DNS."

2009.02.28 5 min contributed lecture Belgium researchers
First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "A replay attack on a one-way hash."

2009.02.28 5 min contributed lecture Belgium researchers
[PDF slides] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "Bit attacks."

2009.02.28 5 min contributed lecture Belgium researchers
[PDF slides] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "More engineering considerations for the SHA-3 hash function." Talk given jointly with Orr Dunkelman. Slides written jointly by many authors.

2009.02.28 10:00 20 min invited lecture Belgium researchers
[PDF slides] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "eBASH: ECRYPT Benchmarking of All Submitted Hashes."

2009.02.26 09:00 18 min invited lecture Belgium researchers
[PDF slides] First SHA-3 Candidate Conference. Universiteitshal, Katholieke Universiteit Leuven. "CubeHash."

2009.01.12 invited lecture Germany researchers
[PDF slides] Symmetric Cryptography. Schloss Dagstuhl. "eBACS: ECRYPT Benchmarking of Cryptographic Systems."

2008.12.09 08:51 6 min contributed lecture Australia researchers
[PDF slides] Asiacrypt 2008. Hilton on the Park, Melbourne. "eBASH: ECRYPT Benchmarking of All Submitted Hashes."

2008.10.18 09:00 60 min invited lecture USA researchers
[PDF slides] The Second International Workshop on Post-Quantum Cryptography (PQCrypto 2008). University of Cincinnati. "A brief survey of post-quantum cryptography."

2008.10.10 16:00 60 min invited lecture Netherlands researchers
[PDF slides] Lustrum OS3. Turingzaal, CWI, Amsterdam. "Internet security." Keynote talk.

2008.10.07 14:30 60 min invited lecture France researchers
[PDF slides] Cado Workshop on Integer Factorization. LORIA, Nancy. "Predicting NFS time." Abstract:

The time T(n,f,y1,...) used by NFS depends not only on the integer n to be factored but also on various parameters chosen by the NFS user, such as a polynomial f, an initial smoothness bound y1, etc. One can accurately compute T(n,f,y1,...) by running NFS, but of course this is rather slow, especially if one wants to compute several values of this function T. I'll discuss the speed and accuracy of various approximations to T.


2008.09.22 19:50? 5 min contributed lecture Netherlands researchers
[PDF slides] The 12th Workshop on Elliptic Curve Cryptography (ECC 2008). "DNSCurve: Usable security for DNS."

2008.09.17 11:45 60 min invited lecture Netherlands students
[PDF slides] DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography. Technische Universiteit Eindhoven. "Fast arithmetic on elliptic curves."

2008.09.15 11:45 60 min invited lecture Netherlands students
[PDF slides] DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography. Technische Universiteit Eindhoven. "Introduction to elliptic curves."

2008.08.22 14:00 60 min invited lecture USA researchers
[PDF slides] Seminar, Department of Computer Science. University of Illinois at Chicago. "DNSCurve: Usable security for DNS."

2008.08.12 16:45 25 min refereed lecture USA researchers
[PDF slides] CHES 2008: Cryptographic Hardware and Embedded Systems. Renaissance Mayflower Hotel. "Binary Edwards curves." Talk given jointly with Tanja Lange.

2008.07.17 15:25 45 min invited lecture Netherlands researchers
[PDF slides] Beeger Lecture, 5th European Congress of Mathematics (5ECM). RAI Amsterdam. "Edwards curves." Abstract:

Elliptic-curve addition is the bottleneck in state-of-the-art methods to prove primality of presumed primes, to find medium-size factors of composites, and to agree on a shared secret through a public channel. These applications have drawn tremendous attention to elliptic curves over the past twenty-five years.

Unfortunately, the standard elliptic-curve addition laws leave much to be desired. They force the user to distinguish doublings from generic additions; they have other exceptional cases; and they are not very fast. One can eliminate the doubling distinction, and with more work one can eliminate all of the exceptional cases over a finite field, but the resulting addition laws are even slower than the standard addition laws.

I will explain a new coordinate system that eliminates the need for the doubling distinction, that eliminates all of the exceptional cases for some curves, and that achieves remarkable speed. This system has already set new speed records for elliptic-curve computations, both in theory and in practice.

The audience is not expected to have prior exposure to elliptic curves.


2008.06.20 14:30 60 min invited lecture France researchers
[PDF slides] Seminar, University of Rennes. "The elliptic-curve zoo." Abstract:

The pursuit of speed in elliptic-curve factoring and in elliptic-curve cryptography has led researchers to consider a remarkable variety of curve shapes and point representations. Tanja Lange and I have built an Explicit-Formulas Database, hyperelliptic.org/EFD, collecting (and sometimes correcting and often improving) the addition formulas in the literature; EFD now contains 296 computer-verified explicit addition formulas for 20 representations of points on 8 shapes of elliptic curves over large-characteristic fields. In this talk I will survey the speeds that have been obtained from several interesting curve shapes. If time permits I will also comment on characteristic 2.


2008.06.13 15:00 30 min refereed lecture Morocco researchers
[PDF slides] Africacrypt 2008. Casablanca. "Twisted Edwards curves."

2008.06.05 09:30 90 min invited lecture Netherlands researchers
[PDF slides] Hash functions in cryptology: theory and practice. Lorentz Center, Leiden University. "How fast are hash functions?" Keynote talk.

2008.05.19 16:50 10 min contributed lecture Canada researchers
[PDF slides] Algorithmic Number Theory Symposium (ANTS). Banff Centre, Alberta. "The elliptic-curve zoo: a study of curve shapes." Talk given jointly with Tanja Lange.

2008.05.12 14:50 70 min invited lecture Greece students
[PDF slides] ECRYPT Summer School on Advanced Topics in Cryptography. Fodele Beach Hotel, Crete, Greece. "The rest of the zoo." [pictures]

2008.05.09 12:30 60 min invited lecture Spain researchers
[PDF slides] Algebra and Number Theory Seminar. Department of Mathematics, Universidad Autonomo de Madrid. "Binary Edwards curves." Talk given jointly with Tanja Lange.

2008.04.23 09:00 60 min invited lecture Germany researchers
[PDF slides] Troopers08. Kempinski Airport Hotel, Munich. "Invulnerable software." Keynote lecture.

2008.04.18 15:30 50 min invited lecture Netherlands researchers
[PDF slides] Intercity Number Theory Seminar: genus 2 day. Universiteit Utrecht. "Hyperelliptic-curve cryptography." Abstract:

The only public-key cryptographic systems currently recommended by the United States National Security Agency are elliptic-curve systems. I'll explain how elliptic curves are used in cryptography and how genus-2 hyperelliptic curves can do better; in particular, I'll discuss recent progress in genus-2 scalar multiplication and in constructing secure genus-2 curves. To balance the picture I'll also discuss recent progress in elliptic-curve computations.


2008.04.15 20:21 4 min contributed lecture Turkey researchers
[PDF slides] Eurocrypt 2008. Hilton Hotel Convention Center, Istanbul. "Binary Edwards curves."

2008.04.14 11:25 25 min refereed lecture Turkey researchers
[PDF slides] Eurocrypt 2008. Hilton Hotel Convention Center, Istanbul. "Proving tight security for Rabin--Williams signatures."

2008.02.14 10:45 15 min refereed lecture Switzerland researchers
[PDF slides] State of the Art of Stream Ciphers (SASC) 2008. Moevenpick Hotel, Lausanne. "ChaCha, a variant of Salsa20."

2008.02.12 17:16 4 min contributed lecture Switzerland researchers
[PDF slides] Fast Software Encryption 2008. Moevenpick Hotel, Lausanne. "SHARCS vs. SWIFFT."

2008.01.11 10:40 20 min invited lecture Luxembourg researchers
Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "Cipher DAGs."

2008.01.09 17:35 5 min contributed lecture Luxembourg researchers
[PDF slides] Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "MAC1271."

2008.01.09 17:30 5 min contributed lecture Luxembourg researchers
[PDF slides] Echternach Symmetric Cryptography (ESC) Seminar. Hotel Bel-Air, Echternach. "ChaCha20."

2007.12.24 15:00 80 min invited lecture Taiwan students
[PDF slides] Electrical Engineering seminar. National Taiwan University. "An introduction to high-speed arithmetic."

2007.12.17 09:00 50 min invited lecture India researchers
[PDF slides] Applied Algebra, Algebraic Algorithms, and Error Correcting Codes (AAECC-17). Indian Institute of Science, Bangalore. "The tangent FFT."

2007.12.03 09:50 25 min refereed lecture Malaysia researchers
[PDF slides] Asiacrypt 2007. Crowne Plaza Riverside, Kuching, Sarawak. "Faster addition and doubling on elliptic curves." Talk given jointly with Tanja Lange.

2007.11.30 15:10 50 min invited lecture South Korea researchers
[PDF slides] ICISC 2007. Seoul. "High-speed cryptography."

2007.11.10 16:30 30 min invited lecture England researchers
[PDF slides] [part-2 vertical PDF slides] [original gv-compatible part-2 PDF slides] SAGE Days 6. University of Bristol. "Edwards coordinates for elliptic curves." Talk given jointly with Tanja Lange.

2007.11.02 08:30 60 min invited lecture USA researchers
[vertical PDF slides] [original gv-compatible PDF slides] 1st Computer Security Architecture Workshop. George Mason University, Fairfax, Virginia. "Some thoughts on security after ten years of qmail 1.0."

2007.10.19 15:00 50 min invited lecture France researchers
[vertical PDF slides] [original gv-compatible PDF slides] Explicit Methods in Number Theory. Universite Bordeaux I. "Edwards coordinates for elliptic curves, part 2."

2007.09.24 11:50 25 min refereed lecture Poland researchers
ECRYPT Workshop on Tools for Cryptanalysis. Conference Center of the Jagiellonian University in Kraków-Przegorzały. "Cipher DAGs." [software]

2007.09.11 19:50 5 min contributed lecture Austria researchers
[PDF slides] CHES 2007: Cryptographic Hardware and Embedded Systems. Vienna Marriott Hotel. "The EFD thing." Talk given jointly with Tanja Lange.

2007.09.10 15:07 2 min contributed lecture Austria researchers
[PDF slides] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS) 2007. Vienna Marriott Hotel. "Edwards curves."

2007.09.10 11:30 30 min refereed lecture Austria researchers
[vertical PDF slides] [original gv-compatible PDF slides] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS) 2007. Vienna Marriott Hotel. "Better price-performance ratios for generalized birthday attacks."

2007.09.07 11:40 50 min invited lecture Ireland researchers
[PDF slides] [part-2 vertical PDF slides] [original gv-compatible part-2 PDF slides] Elliptic Curve Cryptography (ECC) 2007. University College Dublin. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange.

2007.09.05 17:52 8 min contributed lecture Ireland researchers
[PDF slides] Elliptic Curve Cryptography (ECC) 2007. University College Dublin. "The Explicit-Formulas Database."

2007.09.03 12:00 60 min invited lecture Ireland students
[vertical PDF slides] [horizontal PDF slides] [original gv-compatible PDF slides] Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007. University College Dublin. "Generic attacks and index calculus."

2007.09.03 09:30 60 min invited lecture Ireland students
[vertical PDF slides] [original gv-compatible PDF slides] Tutorial on Elliptic and Hyperelliptic Curve Cryptography 2007. University College Dublin. "Elliptic curves over $\R$ and $\F_q$."

2007.08.16 11:35 55 min invited lecture Canada researchers
[vertical PDF slides] [original gv-compatible PDF slides] Selected Areas in Cryptography (SAC) 2007. University of Ottawa, Ontario. ``Edwards coordinates for elliptic curves.''

2007.07.18 10:15 20 min invited lecture Germany researchers
[vertical PDF slides] [original gv-compatible PDF slides] [approximate transcript] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. "Complexity news: FFTs and integer multiplication." Abstract:

What is the total algebraic complexity of multiplying two polynomials of degree below $n$ over the field of real numbers? 1866 Gauss FFT: $(15+o(1))n\lg n$. 1968 Yavne split-radix FFT: $(12+o(1))n\lg n$. News, 2004 Van Buskirk tangent FFT: $(34/3+o(1))n\lg n$. What is the bit complexity of multiplying two $n$-bit integers? 1971 Sch\"onhage/Strassen algorithm: $\Theta(n\lg n\lg\lg n)$. News, 2007 F\"urer algorithm: $(n\lg n)2^{O(\lg^*n)}$.


2007.07.12 12:15 25 min contributed lecture Australia researchers
[vertical PDF slides] [original gv-compatible PDF slides] 8th International Conference on Finite Fields and Applications (FQ8). Amora Hotel Riverwalk Melbourne, Richmond. "Polynomial evaluation and message authentication."

2007.06.11 17:05 10 min contributed lecture Netherlands researchers
[PDF slides] Software Performance Enhancement for Encryption and Decryption (SPEED). Victoria Hotel, Amsterdam. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange.

2007.06.11 14:30 60 min invited lecture Netherlands researchers
[vertical PDF slides] [original gv-compatible PDF slides] Software Performance Enhancement for Encryption and Decryption (SPEED). Victoria Hotel, Amsterdam. "How fast is cryptography?"

2007.06.07 14:00 60 min invited lecture USA researchers
[PDF slides] Mathfest 2007. National Security Agency, Fort Meade, Maryland. "Edwards coordinates for elliptic curves." Abstract:

The standard elliptic-curve addition laws are annoying! They force the user to distinguish doublings from generic additions; they have other exceptional cases; and they aren't very fast. One can eliminate the doubling distinction, and with more work one can eliminate all of the exceptional cases over a finite field, but the resulting addition laws are even slower. I'll explain a new coordinate system that eliminates the need for the doubling distinction, that eliminates all of the exceptional cases for some curves, and that achieves remarkable speed. If time permits I'll discuss applications to elliptic-curve cryptography.


2007.05.28 15:05 75 min invited lecture Poland researchers
[vertical PDF slides] [original gv-compatible PDF slides] Quo vadis cryptology? Threat of side-channel attacks. LORD Hotel, Warsaw. "The impact of side-channel attacks on the design of cryptosystems." Abstract:

Authors of cryptographic software have to go to extra effort to protect themselves against cache-timing attacks, branch-prediction attacks, and other side-channel attacks. The extra effort depends on the cryptosystem; side-channel resistance often makes an otherwise attractive cryptosystem end up consuming far more resources than the system designer had originally expected. This talk will explain how to write cryptographic software that keeps secret information safely away from all known software side channels, and how to design cryptosystems that remain efficient when they are implemented in this way. Examples will be drawn from several areas of secret-key and public-key cryptography.


2007.05.24 17:20 25 min refereed lecture Spain researchers
[vertical PDF slides] [original gv-compatible PDF slides] ECRYPT Hash Workshop 2007. Universitat Oberta de Catalunya, Barcelona. "What output size resists collisions in a xor of independent expansions?"

2007.05.22 20:27 6 min contributed lecture Spain researchers
[PDF slides] Eurocrypt 2007. Catalonia Barcelona Plaza Hotel, Barcelona. "Elliptic vs. hyperelliptic, part 3: Elliptic strikes back." Talk given jointly with Tanja Lange.

2007.05.18 14:30 40 min invited lecture USA researchers
[vertical PDF slides] [original gv-compatible PDF slides] Number Theory Fest. Department of Mathematics, University of Illinois at Urbana-Champaign. "Distinguishing prime numbers from composite numbers: the state of the art." Abstract:

Is it easy to determine whether a given integer is prime? For small integers the answer is obviously yes; but what about much larger integers? If 'easy' is defined as 'deterministic polynomial time' then the answer is again yes, as proven by Agrawal, Kayal, and Saxena in a famous paper in 2002; but what happens when a polynomial-time algorithm is too slow? This talk will take a closer look at the state of the art, analyzing the scalability of today's best algorithms and identifying the most important open problems in the area.


2007.05.15 16:30 60 min invited lecture Netherlands researchers
[vertical PDF slides] [original gv-compatible PDF slides] Algemeen Wiskunde Colloquium. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven. "Circuits for integer factorization."

2007.05.04 16:20 70 min invited lecture Greece students
[vertical PDF slides] [original gv-compatible PDF slides] Emerging Topics in Cryptographic Design and Cryptanalysis. Doryssa Seaside Resort, Pythagorion, Samos. "CPU traps and pitfalls."

2007.04.30 11:35 70 min invited lecture Greece students
[vertical PDF slides] [horizontal PDF slides] [original gv-compatible PDF slides] Emerging Topics in Cryptographic Design and Cryptanalysis. Doryssa Seaside Resort, Pythagorion, Samos. "On the design of message-authentication codes."

2007.04.27 14:15 165 min invited lecture Germany students
Hackerpraktikum. Horst Görtz Institut für Sicherheit in der Informationstechnik, Ruhr-Universität Bochum. "How to program secure network servers." Main topics were (1) the UNIX functions for talking to the network, (2) various techniques for reducing bug rates, and (3) using "extreme sandboxes" to enforce security upon surprisingly large chunks of code. There were several requests for copies of the experimental extremesandbox() code, so here it is: extremesandbox.c

2007.04.25 14:30 60 min invited lecture Netherlands researchers
[vertical PDF slides] [original gv-compatible PDF slides] EIDMA Seminar Combinatorial Theory. Technische Universiteit Eindhoven. "Elliptic vs. hyperelliptic, part 1."

2007.04.17 09:00 50 min invited lecture USA researchers
[vertical PDF slides] [original gv-compatible PDF slides] [Ogg audio] [video] [video at www.ima.umn.edu] Workshop on Complexity, Coding, and Communications. Institute for Mathematics and its Applications, University of Minnesota, Minneapolis. "The tangent FFT."

2007.03.20 11:00 90 min invited lecture USA researchers
[vertical PDF slides] [original gv-compatible PDF slides] Colloquium, Akamai Technologies. ``The DNS security mess.''

2007.02.08 13:00 contributed lecture England researchers
[PDF slides] ECRYPT VAMPIRE WG1. Bristol University. "High-speed engineering of high-speed software."

2007.02.07 12:00 60 min invited lecture England researchers
[vertical PDF slides] [original gv-compatible PDF slides] The Enigma Variations: Information Security Seminar. Bristol University. "Proving tight security for Rabin-Williams signatures."

2007.02.02 15:00 45 min invited lecture Netherlands researchers
[vertical PDF slides] [original gv-compatible PDF slides] Cryptography Working Group. Universiteit van Amsterdam. "The DNS security mess." Last-minute substitution for another speaker who couldn't attend.

2007.01.31 14:15 15 min refereed lecture Germany researchers
[PDF slides] SASC 2007---The State of the Art of Stream Ciphers. Ruhr University Bochum. "Cycle counts for authenticated encryption." [sample screenshot]

2006.12.10 15:45 90 min invited lecture India students
[vertical PDF slides] [original gv-compatible PDF slides] Tutorial session; INDOCRYPT 2006. Park Hotel, Kolkata, India. ``High-speed Diffie-Hellman, part 2.''

2006.12.10 11:30 90 min invited lecture India students
[vertical PDF slides] [original gv-compatible PDF slides] Tutorial session; INDOCRYPT 2006. Park Hotel, Kolkata, India. ``High-speed Diffie-Hellman, part 1.''

2006.11.27 14:10 50 min invited lecture Canada researchers
[vertical PDF slides] [original gv-compatible PDF slides] [Ogg audio] Workshop on Cryptography: Underlying Mathematics, Provability and Foundations. Fields Institute, Toronto, Canada. ``Proving tight security for Rabin-Williams signatures.''

2006.11.19 17:00 30 min contributed lecture Canada researchers
[vertical PDF slides] [original gv-compatible PDF slides] Polynomials over Finite Fields and Applications. Banff Centre, Alberta, Canada. ``Faster factorization into coprimes.''

2006.10.17 13:00 50 min invited lecture Canada researchers
[vertical PDF slides] [original gv-compatible PDF slides] Distinguished Lecture, Institute for Computer Research, University of Waterloo. ``The DNS security mess.''

2006.09.20 11:10 50 min invited lecture Canada researchers
[vertical PDF slides] [original gv-compatible PDF slides] [Ogg audio] Elliptic Curve Cryptography (ECC) 2006. Fields Institute, Toronto, Canada. ``Elliptic vs. hyperelliptic, part 1.'' Abstract:

Last year's speed records for Diffie-Hellman software were set with a Montgomery-form elliptic curve. Is it possible to achieve even better scalar-multiplication speeds with a Gaudry-form hyperelliptic curve? Exactly how fast is arithmetic modulo 2^{127}-1, compared to arithmetic modulo 2^{255}-19?

Thanks to Tanja Lange for the Mr.-and-Mrs.-Curve slide. Thanks to the Fields Institute for the audio recording.

2006.09.13 09:00 60 min invited lecture Canada students
[vertical PDF slides] [original gv-compatible PDF slides] [Ogg audio] Summer School on Elliptic and Hyperelliptic Curve Cryptography. Fields Institute, Toronto, Ontario. ``Efficient arithmetic on elliptic curves in large characteristic.'' Thanks to the Fields Institute for the audio recording.

2006.09.11 09:00 60 min invited lecture Canada students
[vertical PDF slides] [original gv-compatible PDF slides] [Ogg audio] Summer School on Elliptic and Hyperelliptic Curve Cryptography. Fields Institute, Toronto, Ontario. ``Efficient arithmetic in finite fields.'' Thanks to the Fields Institute for the audio recording. Unfortunately, some portions of the audio recording are inaudible; sorry!

2006.08.31 14:30 60 min invited lecture Brazil students
[vertical PDF slides] [original gv-compatible PDF slides] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Choosing curves.''

2006.08.31 13:30 60 min invited lecture Brazil students
[vertical PDF slides] [original gv-compatible PDF slides] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Efficient arithmetic on elliptic curves.''

2006.08.30 14:30 60 min invited lecture Brazil students
[vertical PDF slides] [original gv-compatible PDF slides] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Elliptic curves.''

2006.08.30 13:30 60 min invited lecture Brazil students
[vertical PDF slides] [original gv-compatible PDF slides] Workshop on Cryptographic Algorithms and Protocols (WCAP 2006). Mendes Convention Center, Santos. ``Efficient arithmetic in finite fields.''

2006.08.28 14:30 50 min invited lecture Brazil researchers
[vertical PDF slides] [original gv-compatible PDF slides] 6th Brazilian Symposium on Information and Computer System Security (SBSeg '06). Mendes Convention Center, Santos. ``The DNS security mess.''

2006.08.16 11:40 50 min invited lecture Taiwan students
[vertical PDF slides] [original gv-compatible PDF slides] Information Security Summer School (ISSS) 2006. Taipei. ``Choosing curves.''

2006.08.15 14:30 50 min invited lecture Taiwan students
[vertical PDF slides] [original gv-compatible PDF slides] Information Security Summer School (ISSS) 2006. Taipei. ``Efficient arithmetic on elliptic curves.''

2006.08.15 09:30 50 min invited lecture Taiwan students
[vertical PDF slides] [original gv-compatible PDF slides] Information Security Summer School (ISSS) 2006. Taipei. ``Elliptic curves.''

2006.08.14 13:30 50 min invited lecture Taiwan students
[vertical PDF slides] [original gv-compatible PDF slides] Information Security Summer School (ISSS) 2006. Taipei. ``Efficient arithmetic in finite fields.''

2006.08.03 10:00 50 min invited lecture Japan researchers
[PDF slides] 2006 Workshop on Cryptography and Related Mathematics. Chuo University, Tokyo. ``High-speed cryptographic functions.''

2006.07.10 10:00 30 min invited lecture Australia researchers
[PDF slides] 31st Australasian Conference on Combinatorial Mathematics and Combinatorial Computing. Voyages Resort, Alice Springs. ``Differential addition chains.''

2006.06.30 09:50 80 min invited lecture USA students
[PDF slides] [Ogg audio] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Proving primality more quickly.'' Abstract:

I'll say whatever I can in the available time about the state of the art in distinguishing prime numbers from composite numbers. In particular, I'll explain ``elliptic-curve primality proving.''

Thanks to Kathryn Lesh for the audio recording.

2006.06.29 09:50 80 min invited lecture USA students
[PDF slides] [Ogg audio] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Proving primality in polynomial time.'' Abstract:

Agrawal, Kayal, and Saxena proved in 2002 that ``PRIMES is in P'': i.e., that there is a deterministic polynomial-time algorithm to distinguish prime numbers from composite numbers. I'll present an AKS-type algorithm, and I'll prove that an integer n is accepted by the algorithm if and only if n is prime.

Thanks to Kathryn Lesh for the audio recording.

2006.06.28 09:50 80 min invited lecture USA students
[PDF slides] [Ogg audio] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Speed of the number-field sieve.'' Abstract:

I'll discuss optimization of the number-field sieve. In particular, I'll explain fast linear algebra by the ``series-denominator method''; I'll analyze the asymptotic cost exponent of the number-field sieve; and I'll present various improvements in polynomial selection.

Thanks to Kathryn Lesh for the audio recording.

2006.06.27 09:50 80 min invited lecture USA students
[PDF slides] [Ogg audio] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``Finding small factors of integers.'' Abstract:

The number-field sieve (like many other number-theoretic algorithms) produces a large collection of auxiliary numbers and tries to find the smooth numbers, i.e., the numbers that factor into small primes.

I'll discuss the state of the art in algorithms to find small factors of integers, combining seven critical ideas beyond trial division: ``sieving,'' ``remainder trees,'' the ``rho method,'' the ``p-1 method,'' the ``p+1 method,'' the ``elliptic-curve method,'' and ``early aborts.''

Thanks to Kathryn Lesh for the audio recording.

2006.06.26 09:50 80 min invited lecture USA students
[PDF slides] [Ogg audio] Summer School on Computational Number Theory and Applications to Cryptography. University of Wyoming, Laramie. ``The number-field sieve.'' Abstract:

The ``number-field sieve'' is today's state-of-the-art method of finding large prime factors of integers. A year ago the number-field sieve was used to factor ``RSA-200,'' a 200-digit challenge integer chosen as the product of two secret random 100-digit primes.

I'll explain what the number-field sieve computes, and why that computation can be expected to succeed. I'll start with the ``Q sieve,'' an easy special case of the number-field sieve; I'll then generalize from Q to other number fields. Along the way I'll explain how to use ``sublattices'' to improve smoothness chances.

Thanks to Kathryn Lesh for the audio recording.

2006.06.15 16:15 105 min invited lecture Belgium students
[PDF slides] Summer School on Cryptographic Hardware, Side-Channel and Fault Attacks. Louvain-la-Neuve. ``Cache-timing attacks.'' The slides aren't as thorough as usual; I was invited only a few days before the summer school, replacing Jean-Pierre Seifert, who wasn't able to attend.

2006.05.30 19:50 4 min contributed lecture Russia researchers
[PDF slides] Eurocrypt 2006. Pulkovskaya Hotel, St. Petersburg. ``eBATS: ECRYPT Benchmarking of Asymmetric Systems.''

2006.04.25 09:50 25 min refereed lecture USA researchers
[PDF slides] PKC 2006: 9th International Conference on Theory and Practice of Public-Key Cryptography. Columbia University, New York. ``Curve25519: new Diffie-Hellman speed records.''

2006.04.09 15:30 20 min invited lecture USA researchers
[PDF slides] Special Session on Number Theory; Central Section Meeting, American Mathematical Society. University of Notre Dame, Indiana. ``Differential addition chains.'' Abstract:

Differential addition chains (also known as strong addition chains, Lucas chains, and Chebyshev chains) are addition chains in which every sum is already accompanied by a difference. Low-cost differential addition chains are used to efficiently exponentiate in groups where the operation a, b, a/b |-> ab is fast: in particular, to perform x-coordinate scalar multiplication P |-> mP on an elliptic curve y^2 = x^3 + Ax^2 + x. Similarly, low-cost two-dimensional differential addition chains are used to efficiently compute the function P, Q, P - Q |-> mP + nQ on an elliptic curve. I will present two new constructive upper bounds on the costs of two-dimensional differential addition chains. My new `binary' chain is very easy to compute and uses 3 additions (14 field multiplications in the elliptic-curve context) per exponent bit, with a uniform structure that helps cryptographers protect against side-channel attacks. My new `extended-gcd' chain takes more time to compute, does not have the uniform structure, and is not easy to analyze, but experiments show that it takes only about 1.77 additions (9.97 field multiplications) per exponent bit.


2006.04.03 17:30 6 min contributed lecture Germany researchers
[PDF slides] SHARCS 2006. Dorint Kongress Hotel, Cologne. ``eBATS: ECRYPT Benchmarking of Asymmetric Systems.''

2006.03.14 10:00 50 min invited lecture USA students
[PDF slides] [video] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 4: polynomial selection.''

2006.03.13 16:00 50 min invited lecture USA students
[PDF slides] [video] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 3: the number-field sieve.''

2006.03.12 16:00 50 min invited lecture USA students
[PDF slides] [video] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 2: detecting smoothness.''

2006.03.11 14:30 50 min invited lecture USA students
[PDF slides] [video] Arizona Winter School 2006. University of Arizona, Tucson, Arizona. ``Integer factorization, part 1: the Q sieve.''

2006.02.02 14:25 20 min refereed lecture Belgium researchers
[PDF slides] SASC 2006 - Stream Ciphers Revisited. College De Valk, Leuven, Belgium. ``Comparison of 256-bit stream ciphers.''

2005.11.06 19:40 50 min invited lecture Canada researchers
[PDF slides] Number Theory Inspired By Cryptography (NTIBC) 2005. Banff Centre, Alberta, Canada. ``Compressing RSA/Rabin keys.''

2005.09.20 09:30 60 min invited lecture Denmark researchers
[PDF slides] Elliptic Curve Cryptography (ECC) 2005. Denmark Technical University, Copenhagen. ``New speed records for point multiplication.''

2005.09.19 20:00 5 min contributed lecture Denmark researchers
[PDF slides] Elliptic Curve Cryptography (ECC) 2005. Denmark Technical University, Copenhagen. ``Is 2^{255}-19 big enough?'' Abstract written after the talk:

It is widely asserted that 128-bit AES and a strong 256-bit elliptic curve provide comparable security levels against known attacks. This assertion is false. Known attacks batch and scale much more effectively for 128-bit AES than they do for a strong 256-bit elliptic curve.


2005.07.19 10:45 25 min invited lecture Germany researchers
[PDF slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Polynomial selection for the number-field sieve, part 2: polynomial merit.'' Abstract written after the talk:

I discussed the smoothness of the values (a-bm)(a^5+f_4 a^4 b+...+f_0 b^5) that appear in the number-field sieve. In particular, I mentioned choosing pairs (a,b) to produce the smallest values; using superelliptic integrals to approximate the number of pairs (a,b); using smoothness probabilities for ideals to approximate smoothness probabilities for a-bx; using power series to approximate Dirichlet series; handling more general notions of smoothness; and, as a future possibility to explore, generalizing to (a-bm+cm^2)(...).


2005.07.08 16:00 45 min invited lecture Spain researchers
[PDF slides] Computational Number Theory Workshop; Foundations of Computational Mathematics (FoCM) 2005. Universidad de Cantabria, Santander, Spain. ``Integer factorization: a progress report.'' Abstract:

There have been several recent improvements to the number-field sieve. I'll explain some of what's going on.

Designated as a semi-plenary talk by the organizers.

2005.06.11 14:40 45 min invited lecture USA researchers
[PDF slides] CAM 2005. University of Central Oklahoma, Edmond, Oklahoma. ``Integer factorization.''

2005.06.11 10:30 60 min invited lecture USA researchers
[PDF slides] CAM 2005. University of Central Oklahoma, Edmond, Oklahoma. ``The power of parallel computation.''

2005.06.01 09:00 40 min invited lecture Poland researchers
[PDF slides] ENIGMA 2005. Warsaw, Poland. ``Cache-timing attacks on AES.'' Abstract:

I recently succeeded in extracting a complete AES key from a network server on another computer. The targeted server used its key solely to encrypt data using the OpenSSL AES implementation on a Pentium III. I will explain the AES design error that led to this attack, and I will discuss the difficult problem of stopping the attack.


2005.05.30 11:00 90 min invited lecture Poland researchers
[PDF slides] Quo Vadis Cryptology? Advances in Cryptanalysis. Warsaw, Poland. ``The power of parallel computation.'' Abstract:

There is a widespread myth that parallelizing a computation cannot improve its price-performance ratio. Cryptographers often wildly overstate the cost of an attack because they are restricting attention to serial computers. I will explain what is known---and what is not known---about the gains that can be achieved from massive parallelism. I will, in particular, discuss the problem of integer factorization.


2005.05.27 10:45 12 min refereed lecture Denmark researchers
[PDF slides] ECRYPT STVL Workshop on Symmetric Key Encryption (SKEW 2005). Scandinavian Congress Center, Aarhus. ``Understanding brute force.''

2005.05.26 14:15 12 min refereed lecture Denmark researchers
[PDF slides] ECRYPT STVL Workshop on Symmetric Key Encryption (SKEW 2005). Scandinavian Congress Center, Aarhus. ``The Salsa20 stream cipher.''

2005.05.23 16:10 25 min refereed lecture Denmark researchers
[PDF slides] Eurocrypt 2005. Scandinavian Congress Center, Aarhus. ``Stronger security bounds for Wegman-Carter-Shoup authenticators.''

2005.05.19 14:00 50 min invited lecture Denmark researchers
[PDF slides] Seminar, Department of Mathematics, Technical University of Denmark, Copenhagen. ``High-speed elliptic-curve cryptography.'' Abstract:

I'll explain the techniques used to set speed records for elliptic-curve Diffie-Hellman on popular CPUs. You do not need prior knowledge of computer microarchitecture.


2005.04.26 16:00 15 min invited lecture USA faculty
[video at uic.edu] University of Illinois at Chicago. On panel responding to 2005 Nakata Lecture by R. Michael Tanner on Universities and the Ecology of Scholarly Publication. Look, Ma: no matter where the camera is pointing, I can escape it!

2005.02.25 09:00 60 min invited lecture France researchers
[PDF slides] Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS). Paris. ``Building circuits for integer factorization.'' Abstract:

I'll present my latest work on verifiable upper bounds for the money and time needed to factor 1024-bit integers. One important observation is that the switch from conventional computers to mesh computers produces even larger gains for the elliptic-curve method than for the number-field sieve.


2005.02.21 16:52 4 min contributed lecture France researchers
[PDF slides] FSE 2005: 12th International Workshop on Fast Software Encryption. ENSTA, Paris. ``Have any challenges for qhasm?''

2005.02.21 10:05 25 min refereed lecture France researchers
[PDF slides] [approximate transcript] FSE 2005: 12th International Workshop on Fast Software Encryption. ENSTA, Paris. ``The Poly1305-AES message-authentication code.'' Abstract:

Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. I'll discuss the security of Poly1305-AES, the speed of Poly1305-AES, and five forms of deceptive benchmarks in the cryptographic literature.


2005.02.15 14:00 50 min invited lecture USA researchers
[PDF slides] Computer Security Seminar, Department of Computer Science, University of Illinois at Chicago. ``The Poly1305-AES message-authentication code.'' Abstract:

Poly1305-AES is a state-of-the-art message-authentication code suitable for a wide variety of applications. I'll start by defining the Poly1305-AES function and explaining how it is used to authenticate messages. I'll then fit Poly1305-AES into a larger framework, comparing it to other functions such as HMAC-MD5 and explaining the security impact of various choices within the framework. After that I'll focus on speed: I'll review the speeds discussed in the cryptographic literature, I'll present timings for my new Poly1305-AES software, and I'll explain the techniques used to build that software.

(I decided to spend more time on the framework; I finished the framework by the end of the talk and then skipped to the URLs.)

2004.11.19 14:00 50 min invited lecture Canada researchers
[PDF slides] Discrete Math Seminar, Department of Mathematics and Statistics, University of Calgary. ``Faster factorization into coprimes.'' Abstract:

How quickly can we factor a set of positive integers into coprimes? The obvious algorithm takes cubic time. Bach, Driscoll, and Shallit achieved quadratic time in 1990. I achieved essentially linear time in 1995. The point of this talk is to announce a new algorithm that takes time just n(lg n)^{4+o(1)} where n is the number of input bits.

The bottlenecks in several common number-theoretic computations---elliptic-curve primality proving, for example, and the number-field sieve---can be viewed as highly constrained examples of factoring into coprimes. This view is traditionally ignored, because the constraints allow many special-purpose techniques that seem to handle the examples well. A surprising discovery over the last few years is that coprime factorization has surpassed the special-purpose techniques, saving time in these computations.


2004.11.15 14:00 60 min invited lecture Canada researchers
[PDF slides] Explicit Methods in Number Theory. Banff Centre, Alberta. ``Three algorithms related to the number-field sieve.'' Abstract:

1. The number-field sieve tries to factor an integer n by inspecting values of the homogeneous form of a polynomial related to n. What is the size distribution of those values? I'll explain a fast algorithm to evaluate the relevant superelliptic integral. 2. How long does it take to find a polynomial of, say, degree 6, whose values are B times smaller than typical? The best method in the literature is conjectured to search about B^4.5 polynomials. I'll explain an algorithm, using four-dimensional lattice reduction, that is conjectured to search only about B^3.5 polynomials. 3. The bottleneck in the fastest known method to inspect values is computing a large integer modulo many small integers. How long does this take? I'll explain an algorithm that's 2.6+o(1) times faster than the previous record.


2004.09.16 15:00 60 min invited lecture USA students
[PDF slides] Colloquium aimed at graduate students, University of Illinois at Chicago. ``A state-of-the-art public-key signature system.'' Abstract:

Hand-written signatures don't prevent forgery: they can be copied from one message to another. This talk is an introduction to cryptography, and specifically to public-key signatures, which are conjectured to prevent forgery. I'll describe a modern public-key signature system: how it works, why it was designed the way it was, and what has been proven about its security.


2004.08.17 20:35 5 min contributed lecture USA researchers
[PDF slides] Crypto 2004. Santa Barbara. ``Stop overestimating RSA bandwidth!''

2004.07.29 15:00 60 min invited lecture Australia researchers
[PDF slides] Computational Algebra Seminar, School of Mathematics and Statistics, University of Sydney. ``Factorization myths.''

2004.07.07 11:00 60 min invited lecture Australia researchers
[PDF slides] Polynomial-Based Cryptography. University of Melbourne. ``How to find smooth parts of integers.''

2004.06.24 10:20 25 min invited lecture Canada researchers
[PDF slides] [approximate transcript] Special Session on Computational Number Theory; Canadian Number Theory Association (CNTA) VIII. University of Toronto, Ontario. ``Doubly focused enumeration in two dimensions.'' Abstract:

Doubly focused enumeration speeds up various sieving tasks by a factor of about 1000. My original formulation of doubly focused enumeration was limited to one-dimensional problems, such as proving primality of medium-size integers. In this talk I will explain doubly focused enumeration for higher-dimensional problems, such as sieving for locally square Gaussian integers. Prior exposure to computational geometry is not required.


2004.06.14 09:00 60 min invited lecture USA researchers
[PDF slides] [approximate transcript] Algorithmic Number Theory Symposium (ANTS) VI. University of Vermont, Burlington. ``Factorization myths.'' Abstract written after the talk:

1. We want to find all relations.
2. Sieving is the ultimate test for fully factored inputs.
3. The second small-factor test is not a bottleneck.
4. ECM is the ultimate non-sieving small-factor test.
5. We must have a factor base.
6. Coppersmith's NFS variant is not practical.
7. The direct square-root method is a bottleneck.
8. We want to minimize time on a conventional computer.
9. Mesh architectures simply make everything faster.
10. MPQS beats ECM for finding huge factors.


2004.05.14 09:00 30 min invited lecture USA researchers
[PDF slides] [approximate transcript] Special Session on Coding Theory and Cryptography; Sixth International Joint Meeting, American Mathematical Society (AMS) and Sociedad Matematica Mexicana. Hyatt Regency Houston, Texas. ``How to find smooth parts of integers.'' Abstract:

You're given a set P of primes and a sequence S of integers. Which of the integers in S are P-smooth? What is the largest P-smooth divisor of each integer? What are all the factors from P of each integer? These questions occur in many applications: computing discrete logarithms, for example, and proving primality. I previously pointed out an algorithm that answers all three questions in time b (log b)^{3+o(1)}, where b is the total number of bits in P and S. Franke, Kleinjung, Morain, and Wirth, in a recent paper on ECPP, pointed out an algorithm variant that answers only the first two questions but that typically takes time only b (log b)^{2+o(1)}. In this talk I will present an algorithm that always answers the first two questions in time b (log b)^{2+o(1)}.


2004.04.28 11:00 50 min invited lecture USA researchers
[PDF slides] Special Seminar, Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign. ``The DNS security mess.''

2003.11.08 16:40 20 min contributed lecture USA researchers
[vertical PDF slides] [original PS slides] MPKC 2003: Mathematics of Public Key Cryptography. University of Illinois at Chicago. ``More news from the Rabin-Williams front.''

2003.11.08 15:10 20 min contributed lecture USA researchers
[vertical PDF slides] [original PS slides] MPKC 2003: Mathematics of Public Key Cryptography. University of Illinois at Chicago. ``News from the Rabin-Williams front.''

2003.07.24 20 min contributed lecture Germany researchers
Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Translating Chudnovsky into English.'' Asymptotically fast computation of exponential integrals.

2003.05.26 11:00 30 min invited lecture Canada researchers
[PDF slides] Conference in Number Theory in Honour of Professor H. C. Williams. Banff Centre, Alberta. ``Doubly focused enumeration of locally square polynomial values.'' Abstract:

It is well known that one can accelerate a broad class of sieving problems by precomputing information for various primes. It is not well known that the number of precomputed primes can be nearly doubled beyond the obvious limit. As a typical application, I'll present the results of a record-setting `pseudosquare' computation, i.e., an enumeration of locally square integers.


2003.05.10 invited lecture USA researchers
Midwest Algebraic Number Theory Day. ``Sharper ABC-based bounds for congruent polynomials.''

2003.05.03 17:00 40 min invited lecture USA researchers
Special Session on Geometry and Arithmetic over Finite Fields; Western Section Meeting, American Mathematical Society (AMS). San Francisco, California. ``Sharper ABC-based bounds for congruent polynomials.'' Abstract:

The speed of the Agrawal-Kayal-Saxena primality-proving algorithm depends on proven lower bounds for the size of the multiplicative semigroup generated by several polynomials modulo another polynomial h. Voloch pointed out an application of the ABC theorem in this context: under mild assumptions, distinct polynomials A,B,C of degree at most 1.2 deg h - 0.2 deg rad ABC cannot all be the same modulo h. I'll present two improvements in the combinatorial part of Voloch's argument. The first improvement moves the degree bound up to 2 deg h - deg rad ABC; the second improvement generalizes to m>=3 polynomials A_1,...,A_m, with a degree bound of ((3m-5)/(3m-7)) deg h - (6/m(3m-7)) deg rad A_1...A_m.


2003.04.24 08:00 75 min invited lecture USA students
[PDF slides] Class talk, Butler University. ``Compressing RSA keys and signatures.'' Abstract:

Public-key signatures can be used to protect Internet packets against unauthorized modification. However, it is often difficult to fit a message, a key, and a signature into a single Internet packet.

Elliptic-curve cryptography is often advertised as offering much shorter keys and signatures than RSA. For example, 224-bit elliptic-curve keys with 448-bit signatures offer the same apparent security as 1536-bit RSA keys with 1536-bit signatures. On the other hand, RSA signature verification is much faster than elliptic-curve signature verification.

It turns out to be possible to compress RSA keys and signatures to a fraction of their original size. Even better compression is possible for the Rabin system, an improved version of RSA. This talk will explain the latest compression techniques.


2003.04.04 15:30 45 min invited lecture USA researchers
[PDF slides] Special Session on Cryptography and Computational and Algorithmic Number Theory; Central Section Meeting, American Mathematical Society (AMS). Indiana University, Bloomington. ``Randomized primality proving in essentially quartic time.'' Abstract:

In August 2002, Agrawal, Kayal, and Saxena published a new way to prove that integers are prime. A modified approach, generalizing an idea of Berrizbeitia, allows substantially shorter proofs. I'll present a typical proof of this type, that an integer satisfying certain conditions must be prime. I'll also discuss the question of whether this approach is competitive in practice with previous primality-proving methods.


2003.04.03 14:00 50 min invited lecture USA researchers
[PDF slides] Algebraic Number Theory Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``Sharper ABC-based bounds for congruent polynomials.'' Abstract:

Agrawal, Kayal, and Saxena recently introduced a new method of proving that an integer is prime. The speed of the Agrawal-Kayal-Saxena method depends on proven lower bounds for the size of the group generated by several elements of a finite field. I will discuss an intriguing idea introduced by Voloch for using ABC to obtain such lower bounds.


2003.03.26 11:30 30 min invited lecture USA researchers
Future directions in algorithmic number theory. American Institute of Mathematics, Palo Alto, California. ``Rethinking the number-field sieve: an update.''

2003.03.25 15:45 60 min invited lecture USA researchers
Future directions in algorithmic number theory. American Institute of Mathematics, Palo Alto, California. ``Randomized primality proving in essentially quartic time.''

2003.03.23 09:30 45 min invited lecture USA researchers
[PDF slides] Lenstra Treurfeest. ``A new proof that 83 is prime.''

2003.03.18 60 min invited lecture USA researchers
[PDF slides] Seminar, Sun Microsystems. ``The DNS security mess.''

2003.02.11 60 min invited lecture USA researchers
[PDF slides] Security Seminar, Computer Science Department, Stanford University. ``The DNS security mess.'' Abstract:

The Domain Name System publishes records such as ``www.stanford.edu has IP address 171.64.14.239.'' An attacker can easily forge these records, stealing your incoming and outgoing mail, web connections, etc.

Stopping DNS forgeries is a straightforward application of public-key cryptographic signatures. Or is it? After ten years of effort, the DNSSEC implementors are making comments like ``We're still doing basic research on what kind of data model will work for dns security ... wonder if THIS'll work? ... We're starting from scratch.''

Why is it so hard to protect DNS against forgery? Is DNS security going to remain an abject failure for another ten years? This talk is a case study of the integration of cryptography into the real world.


2002.10.31 50 min invited lecture USA researchers
[PDF slides] Colloquium, Department of Mathematics, University of California at Berkeley. ``Proving primality.'' Abstract:

I'll survey techniques for distinguishing prime numbers from composite numbers. In particular, I'll explain the August 2002 Agrawal-Kayal-Saxena theorem, which gave a remarkably simple solution to the long-standing `PRIMES in P' problem.


2002.08.20 5 min contributed lecture USA researchers
[vertical PDF slides] [original PS slides] Crypto 2002. Santa Barbara. ``The cost of integer factorization.'' [nfscircuit paper]

2002.08.20 10 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] Crypto 2002. Santa Barbara. ``Deterministic polynomial-time primality tests.'' [aks paper]

2002.06.15 25 min invited lecture Canada researchers
[vertical PDF slides] [original PS slides] Symposium on Cryptography; 2002 Summer Meeting, Canadian Mathematical Society (CMS). University of Laval, Quebec. ``Speed records for cryptographic software: an update.'' Abstract:

I'll present the latest speed records for software implementations of secret-key message authentication, public-key signature verification, and public-key secret sharing.


2002.04.24 50 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] Mathematics and Applications Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Finding roots of high-degree polynomials.'' Abstract:

Consider the problem of computing the complex roots of a polynomial in one variable, given the coefficients of the polynomial. In the first half of this talk, I'll discuss algebraic algorithms that, in a fantasy world of exact arithmetic, compute sequences converging to the roots. In the second half, I'll switch to the real world of limited-precision arithmetic, and present a surprisingly fast root-finding algorithm that relies on multiplication of extremely large integers. The audience will not be assumed to have any prior knowledge of numerical analysis.


2002.01.28 50 min invited lecture USA researchers
Colloquium, Department of Mathematics, University of Pittsburgh. ``Is a 2048-bit factorization worth $200,000?'' Abstract:

In this talk, I will (1) explain why cash rewards are available for anyone who finds the prime factors of certain integers; (2) present a simple example of a modern integer-factorization algorithm; (3) summarize the performance of state-of-the-art algorithms; and (4) explain how to choose good parameters in these algorithms. If time permits, I'll talk about fast Fourier transforms, generalized power series, better-than-perfect parallelization, and how easy it is to disable the Internet.


2001.11.02 60 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] Midwest Arithmetical Geometry in Cryptography (MAGC). University of Illinois at Urbana-Champaign. ``A complete software implementation of NIST P-224.'' Abstract:

This is the conclusion of a series of three talks on nistp224, a fast software library to perform Diffie-Hellman key exchange on the NIST P-224 elliptic curve. In this talk, I'll focus on non-x86 processors such as the UltraSPARC; I'll explain in detail how nistp224 performs field multiplication and elliptic-curve multiplication. You do not need to have attended the first talk, in which I explained how nistp224 computes square roots, or the second talk, in which I focused on x86 processors.

[nistp224 software]

2001.10.29 60 min invited lecture Canada researchers
[vertical PDF slides] [original PS slides] Elliptic Curve Cryptography (ECC) 2001. University of Waterloo, Ontario. ``A software implementation of NIST P-224.'' Abstract:

This is the second in a series of three talks on nistp224, an easy-to-use software library to perform compressed Diffie-Hellman key exchange on the NIST P-224 elliptic curve at record-setting speeds. In this talk, I'll focus on x86 processors such as the Pentium III; I'll explain in detail how nistp224 performs field multiplication and elliptic-curve multiplication. In the first talk, I explained how nistp224 computes square roots. In the third talk, at the MAGC meeting in Urbana, I'll focus on non-x86 processors such as the UltraSPARC.

[nistp224 software]

2001.09.22 30 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] Special Session on Cryptography and Computational and Algorithmic Number Theory; Central Section Meeting, American Mathematical Society (AMS). Ohio State University, Columbus. ``Elliptic curve cryptography: the case of NIST P-224.'' Preliminary abstract:

In this talk I'll explain how to use a particular elliptic curve for high-speed public-key cryptography.

Abstract:

This is the first in a series of three talks on nistp224, an easy-to-use software library to perform compressed Diffie-Hellman key exchange on the NIST P-224 elliptic curve at record-setting speeds. In this talk, I'll explain what this means, why it is useful, and a small part of how it works: specifically, an accelerated version of Tonelli's algorithm for computing square roots. Prior exposure to cryptography is not required. In the second and third talks, at the ECC meeting in Waterloo and the MAGC meeting in Urbana, I'll explain the rest of how nistp224 works.

[sqroot paper] [nistp224 software]

2001.07.27 35 min invited lecture Germany researchers
[vertical PDF slides] [original PS slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Finding polynomial values of small height.'' Unofficial title: ``The algorithm of Hastad, Vallee, Girault, Toffin, Coppersmith, Guruswami, Goldreich, Ron, Sudan, Durfee, Howgrave-Graham, and Boneh.'' The organizers offered me a 45-minute slot; in retrospect, I should have taken it. [smallheight paper]

2001.06.13 45 min invited lecture USA researchers
Seminar, Cambridge Research Laboratory, Compaq Computer Corporation, Cambridge, Massachusetts. ``The state of the art in RSA-type signatures.'' Abstract:

In this talk I'll explain in detail how a modern public-key signature system works: the good, the bad, and the ugly. You are not required to know anything about cryptography in advance.

[sigs software] [sigs paper]

2001.05.14 40 min invited lecture Germany researchers
[original PS slides] Algorithms and Number Theory. Schloss Dagstuhl. ``An introduction to Schimmler sorting.'' Abstract written after the talk:

One can sort n^2 numbers on an nxn processor mesh in O(n) parallel compare-exchange steps. Schimmler's algorithm is a very simple algorithm that uses 8n-8 steps. I explained (1) odd-even transposition sorting; (2) Schimmler sorting; (3) the relevance of these results to integer factorization.

Schimmler sorting is one good choice of sorting algorithm for the NSA sieving circuit. [nfscircuit paper]

2001.05.07 6 min contributed lecture Austria researchers
[vertical PDF slides] [original PS slides] Eurocrypt 2001. Innsbruck. ``The NSA sieving circuit.'' [nfscircuit paper]

2001.03.23 50 min invited lecture USA researchers
[vertical PDF slides] Seminar, Computer Science Department, Butler University. ``The NSA sieving circuit.'' Abstract:

Sieving is the heart of modern algorithms to find the prime factors of an integer---in particular, to break the RSA cryptosystem. This talk will give examples of sieving, explain the relevance of sieving to factorization, and describe a sieving circuit that is asymptotically much faster than previously published hardware designs at the same cost. It is possible that the circuit has already been built in secret by a major government.

[nfscircuit paper]

2000.10.20 60 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] [video] [video at www.msri.org] Number-Theoretic Cryptography. Mathematical Sciences Research Institute, Berkeley, California. ``Design and implementation of a public-key signature system.'' [sigs software] [sigs paper]

2000.10.06 48 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, University of California at Berkeley. ``Arbitrarily precise bounds on smooth integers.'' Abstract:

An integer is called smooth if all its prime divisors are small. Rough asymptotics for the distribution of smooth integers have been obtained by Dickman, de Bruijn, Canfield, Erdos, Pomerance, Hildebrand, Tenenbaum, et al., and used in a variety of applications. I'll present tight bounds on the distribution of smooth integers and analyze how quickly the bounds can be computed. If time permits, I'll explain the relevance of these bounds to modern integer factorization algorithms.

[psibound software] [psi paper]

2000.09.07 50 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] Colloquium, Department of Mathematics, University of California at Berkeley. ``Factoring into coprimes.'' Abstract:

We do not know a fast algorithm to factor integers into primes. We do, however, know a fast algorithm to factor integers into coprimes. Coprimes suffice for many applications. This talk will describe some of those applications, explain exactly how fast the algorithm is, and present some of the techniques behind the proof.

[dcba paper]

2000.08.18 60 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] [video] [video at www.msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Protecting communications against forgery'': a survey of secret-key authentication, public-key authentication, and public-key signatures. [forgery paper]

2000.08.15 60 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] [video] [video at www.msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Applications of fast multiplication.'' [multapps paper]

2000.08.14 60 min invited lecture USA researchers
[vertical PDF slides] [original PS slides] [video] [video at www.msri.org] Clay Mathematics Institute Introductory Workshop in Algorithmic Number Theory. Mathematical Sciences Research Institute, Berkeley, California. ``Fast multiplication.'' [multapps paper]

2000.07.27 50 min invited lecture England researchers
[vertical PDF slides] [original PS slides] London Mathematical Society (LMS) Durham Symposium on Computational Number Theory. University of Durham. ``Rethinking the number field sieve.'' Abstract:

How quickly can we factor 300-digit integers? This talk will review the number field sieve and explain some recent improvements.

[smallfactors software] [psibound software] [sf paper] [dcba paper] [psi paper] [mlnfs paper]

2000.06.27 30 min invited lecture Russia researchers
Session on Algebraic Algorithms and Complexity, 6th IMACS Conference on Applications of Computer Algebra (ACA). Shuvalov Palace, St. Petersburg. Preliminary title: ``How quickly can we split generic polynomials?'' Final title: ``High-precision high-degree polynomial factorization (preliminary report).'' [fastgraeffe paper]

2000.06.10 25 min invited lecture Canada researchers
Session on Cryptography and Number Theory, Canadian Mathematical Society summer meeting, MATH 2000. McMaster University, Hamilton, Ontario. ``Sieving in cache.'' Abstract:

Modern integer factorization algorithms do not need as much memory for sieving as is commonly believed. This talk will explain how tomorrow's factoring projects can take advantage of fast arithmetic on stupendously large integers.

[smallfactors software] [sf paper]

2000.05.22 30 min invited lecture USA researchers
Millennial Conference in Number Theory. University of Illinois at Urbana-Champaign. ``Arbitrarily precise bounds on the distribution of smooth integers.'' Abstract:

Psibound is new software to approximate the number of integers in [1,x] that factor into integers in [1,y]. This talk will explain the mathematics behind Psibound and show some results.

[psibound software] [psi paper]

2000.04.08 20 min invited lecture USA researchers
Special Session on Number Theory, Algorithms, and Cryptography; Central Section Meeting, American Mathematical Society (AMS). University of Notre Dame, Indiana. ``Faster multiplication of integers.'' Abstract:

Zmult is new software to multiply integers of various sizes on common general-purpose computers. This talk will explain, from the perspective of a mathematician and a programmer, why Zmult is so fast.

[Zmult software] [m3 paper]

1999.10.13 10:45 40 min invited lecture China researchers
[vertical PDF slides] [original PS slides] Workshop on Complexity of Equation Solving and Algebra, Foundations of Computational Mathematics. City University of Hong Kong. ``Solving equations to high precision'': reducing the algebraic complexity of Newton's method. [fastnewton paper]

1999.07.06 invited lecture Germany researchers
[vertical PDF slides] [original PS slides] Explicit Methods in Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. ``Counting rational points by brute force'': fast algorithms to find all points of low height on the Euler-Elkies surface. [sortedsums software] [sortedsums paper]

1999.06.13 20 min contributed lecture Canada researchers
The Mathematics of Public-Key Cryptography. Fields Institute, Toronto, Ontario. ``Guaranteed message authentication faster than MD5.'' [hash127 software] [hash127 paper]

1999.02.23 50 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``Fast, arbitrarily precise computation of Psi.'' Abstract:

In this talk I will explain how to compute arbitrarily precise upper and lower bounds for Psi(x,y), the number of integers in [1,x] without prime divisors exceeding y. Along the way I will explain the state of the art in fast Fourier transforms, high-precision power series exponentiation, and enumeration of small primes.

[psibound software] [primegen software] [djbfft software] [psi paper] [primesieves paper] [m3 paper] [fastnewton paper]

1999.02.23 50 min invited lecture USA faculty
Mathematics in Science and Society Seminar, Department of Mathematics, University of Illinois at Urbana-Champaign. ``How to become an international arms dealer'': an introduction to cryptography.

1998.10.29 30 min invited lecture Germany researchers
Algorithms and Number Theory. Schloss Dagstuhl. ``Ten topics in computational number theory.'' Abstract:

1. Fast Fourier transforms.
2. Dividing power series.
3. Exponentiating power series.
4. Enumerating primes.
5. Bounding smooth integers.
6. Smooth polynomial values.
7. Square products.
8. Pomerance's conjecture.
9. Estimating transition time.
10. Estimating factorization time.

This was a talk on estimating the speed of the quadratic sieve and the number field sieve.

1998.09.12 invited lecture USA researchers
Special Session on Number Theory; Central Section Meeting, American Mathematical Society (AMS). DePaul University, Chicago, Illinois. ``Estimating the speed of the quadratic sieve (preliminary report).''

1998.06.21 20 min refereed lecture USA researchers
Algorithmic Number Theory Symposium (ANTS) III. Reed College, Portland, Oregon. ``Bounding smooth integers.'' [psibound software] [psi paper]

1998.02.13 50 min invited lecture USA researchers
Colloquium, Department of Mathematics, Statistics, and Computer Science. University of Illinois at Chicago. ``Computing everything in essentially linear time'': computational one-dimensional commutative algebra.

1997.12.03 50 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Improving on the Sieve of Eratosthenes,'' talk given jointly with A. O. L. Atkin. Abstract:

This talk has two parts. The first part will explain how the Sieve of Eratosthenes, a simple method of computing the primes up to N, can be sped up to O(N) additions with roughly N^{1/2} bits of storage, or O(N/log log N) additions with roughly N bits of storage. The second part will explain a new method, relying on quadratic forms, that uses O(N/log log N) additions with roughly N^{1/2} bits of storage.

[primegen software] [primesieves paper]

1997.11.19 50 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. ``Factoring into coprimes in essentially linear time.'' Abstract:

It is not easy to factor integers into primes. The point of this talk is that it is easy to factor integers into coprimes. I will (1) give some examples where coprimes are an adequate substitute for primes, (2) explain the Bach-Driscoll-Shallit quadratic-time factorization method, and (3) describe my essentially-linear-time factorization method.

[dcba paper]

1997.10.25 20 min invited lecture USA researchers
Special Session on Number Theory and Cryptography; Central Section Meeting, American Mathematical Society (AMS). University of Wisconsin at Milwaukee. ``A secure digital signature system with verification ten times faster than RSA.'' [sigs software] [sigs paper]

1997.05.30 invited lecture Germany researchers
Computational Aspects of Commutative Algebra and Algebraic Geometry. Schloss Dagstuhl. ``Composing power series over a finite ring in essentially linear time.'' Abstract written after the talk:

Fix a finite commutative ring R. Let u and v be power series over R, with v(0)=0. I presented an algorithm that computes the first n terms of the composition u(v), given the first n terms of u and v, in n^{1+o(1)} ring operations. The algorithm is very fast in practice when char R is a product of small primes.

[compose paper]

1997.03.17 50 min invited lecture USA researchers
Seminar, Department of Mathematics and Computer Science, Butler University. ``The world's fastest digital signature system.'' Abstract:

A digital signature system works as follows: you create and publish a seal; you, and only you, can sign a document under that seal; anyone can verify your signature. For widely published documents it is crucial that verification be as fast as possible. The Rabin-Williams system, which is provably as secure as factorization, allows verification in less time than any other system known... until now. I will exhibit a new signature system with the same security and signing speed as Rabin-Williams but with much faster verification.

[sigs software] [sigs paper]

1997.03.07 30 min invited lecture USA researchers
Mathematics of Cryptography and Security. Southwest Regional Institute in the Mathematical Sciences (SWRIMS), University of Arizona, Tucson. ``The world's fastest digital signature system.'' [sigs software] [sigs paper]

1996.05.22 20 min refereed lecture France researchers
Algorithmic Number Theory Symposium (ANTS) II. University of Bordeaux. ``Fast ideal arithmetic via lazy localization.'' [fiall paper]

1995.12.02 40 min invited lecture USA researchers
Midwest Algebraic Number Theory Day III. University of Michigan, Ann Arbor. ``Fast ideal arithmetic via lazy localization.'' [fiall paper]

1995.11.15 50 min invited lecture USA researchers
Computer Science Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Universal pattern-matching automaton. [unipat paper]

1995.10.17 50 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Generalized Gaussian elimination.

1995.10.03 50 min invited lecture USA researchers
Seminar, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago. Survey of topics related to number field sieve.

1995.05 invited lecture Germany researchers
Computational Number Theory. Mathematisches Forschungsinstitut, Oberwolfach. Multidigit modular multiplication with ECRT. [mmecrt paper]

1995.04.05 50 min invited lecture USA researchers
Number Theory Seminar, Department of Mathematics, University of California at Berkeley. ``Detecting perfect powers.'' Abstract:

Let n be a positive integer. Is n a perfect power? I'll describe an algorithm that answers this question in time (log n)^{1+o(1)}---i.e., about as quickly as we can read the digits of n. The time analysis requires some recent results from transcendental number theory.

[powers paper]

1995.03.01 50 min invited lecture USA researchers
Colloquium, Department of Mathematics, Statistics, and Computer Science. University of Illinois at Chicago. Detecting perfect powers. [powers paper]

1995.02.06 invited lecture USA researchers
Seminar, Department of Mathematics, Texas A&M University, College Station, Texas. Detecting perfect powers. [powers paper]

1994.10.12 invited lecture Germany researchers
Algorithms and Number Theory. Schloss Dagstuhl. Preliminary report on detecting perfect powers. [powers paper]

1994.05.02 45 min invited lecture Canada researchers
Computational Number Theory. Fields Institute, Waterloo, Ontario. ``Practical aspects of the number field sieve.'' This talk included the first public announcement of the multiple-lattice number field sieve. [nfsi paper] [mlnfs paper]

1992.12 contributed lecture USA researchers
West Coast Number Theory Conference. Oregon State University, Corvallis. Computing Dickman's rho function.

1992.12 contributed lecture USA researchers
West Coast Number Theory Conference. Oregon State University, Corvallis. 3x+1 results.

1987.06.01 10 min contributed lecture USA researchers
Ramanujan Centenary Conference. University of Illinois at Urbana-Champaign. ``New fast algorithms for pi and e.''