We need your help.

UKClimbing is a vibrant web site with rich content and an amazing community. So far, all we've asked of you is that you visit and interact with the site but we are in uncertain times. We need to look at ways to keep the site moving forward whilst maintaining our key aim of allowing free access to everyone to our main content. The site will continue to be mainly funded by a subtle level of outdoor-only advertising but we now need extra support to ensure we can continue to provide the UKC that we all know and love.

You can help us by becoming a UKC Supporter. This can be in a small way or in a larger package that includes discounted products from our sister-publishing company Rockfax.

If you appreciate UKClimbing then please help us by becoming a UKC Supporter.

Read the original here:
NEWS: Cryptography: the hardest slab in the world? - UKC News

Editors note: Andreessen Horowitzs Crypto Startup School brought together 45 participants from around the U.S. and overseas in a seven-week course to learn how to build crypto companies. Andreessen Horowitz is partnering with TechCrunch to release the online version of the course over the next few weeks.

In week one of a16zs Crypto Startup School, a16z general partner Chris Dixon discusses Crypto Networks and Why They Matter, giving an overview of the crypto space, the transformative implications of its technology, and the potential for crypto networks to lead a new wave of innovation. And in his talk on Blockchain Primitives: Cryptography and Consensus, Dan Boneh, a professor in applied cryptography and computer security at Stanford, provides an introduction to the cryptographic foundation of blockchains and how developers can use them to build new types of applications.

Dixon says that crypto is poised to become the next major computing platform. Like mobile phones and the web before it, crypto offers opportunities for entrepreneurs and developers to build new networks and applications, due to the decentralized blockchain technology that underpins it. He describes blockchains as a new type of computer a virtual computer that runs on a network of physical computers, with encoded guarantees that it will continue to operate as designed. Just as the rise of mobile phones enabled an explosion of innovation on top of that new computing platform, crypto presents an opportunity for the next such idea maze, he says. Our feeling is this is an incredibly rich design space.

The architecture of crypto enables new possibilities, Dixon says, starting with digital currency but expanding to general computing and community owned and operated networks. In combination with the digital primitive of tokens, which align incentives among network creators and users, this sets the stage for exponential innovation over the next decade that should echo previous eras of tech growth. When a lot of really smart people who know computer science start thinking about computer science problems and have an economic incentive to do so, those computers tend to get a lot better.

In the second presentation in week one, Dan Boneh explains the layers of crypto, including the consensus layer, and how Satoshi Nakamotos bitcoin whitepaper proposed a system that enables an unlimited number of participants to contribute to a blockchain without authorization and still come to verifiable consensus. He also talks about cryptographic primitives, how mining works, how blocks are added to the blockchain, public and private keys, and zero-knowledge proofs. These unique features provide a fertile ground for open-source developers.

The application layer, Boneh says, is where a lot of the excitement is, with a thriving ecosystem of applications running on the blockchain in the area of decentralized finance (DeFi). While technical, Bonehs presentation is accessible to those who dont have a background in cryptography or consensus mechanisms.

More here:
Crypto Startup School: A new type of computer drives waves of innovation - TechCrunch

VoltShare is free service that encrypts data and files locally, requiring only email addresses; adds extra layer of security to Slack, Teams, Dropbox and all other collaboration and cloud storage platforms

Volterra, an innovator in distributed cloud services, today announced the launch of VoltShare to radically simplify the process of securely encrypting confidential data end-to-end. VoltShare is available as downloadable software (or an API and SDK) that operates locally on a laptop or mobile device to easily encrypt sensitive data for sharing with target recipients through email or existing collaboration platforms such as Slack, Teams, Dropbox, etc. It is a simpler and more secure approach than traditional file sharing and encryption solutions since it does not require sending passwords or managing complex public-key cryptography.

"The dramatic rise in remote work is here to stay for the long term. With so many employees working at home, its more important than ever that they can securely share data and leverage the leading collaboration platforms without having to worry about their data being compromised," said Manish Mehta, Chief Security Architect at Volterra. "Unfortunately, this market has been stagnant, with organizations never moving beyond the use of passwords and public keys. By eliminating them both, VoltShare provides the safest method for end-to-end encryption in a way thats very simple for end users to adopt."

File and data encryption is normally performed using one of two traditional workflows and technologies. The most common approach is a sender encrypts information using a high-strength algorithm and generates a unique password for decryption by the recipient. This creates a key security gap as now the password must be securely shared with the same recipient as the encrypted data, which usually is not possible in a secure manner. As a result, the password is often sent via a second email or other communication.

A more secure, but much more complicated, method is to use an enterprise-grade encryption technology like PGP or other public-key cryptography along with complex enterprise vaults. This workflow is both complex and costly to implement and operate, and thus is only used by larger organizations with significant IT and security resources. It also lacks the ability to create custom security policy attributes like a deadline after which the data cannot be decrypted.

VoltShare: Much Simpler and More Secure Encryption for Sensitive Data

Volterras VoltShare provides end users and organizations of all sizes with a simple and highly secure workflow for sharing their confidential data using our patent-pending end-to-end encryption technology with built-in policy controls. End users simply:

When the target recipients receive the encrypted data, they simply have to decrypt the data using VoltShare. Assuming they are using the email address specified by the sender and are within the specified timeframe, the data automatically decrypts.

In contrast to traditional encryption techniques for data sharing, VoltShare doesnt create or send any passwords. Nor does it burden the enterprise with the cost and complexity of deploying public-key cryptography for signing, encrypting and decrypting data.

Complement to Existing Collaboration Platforms

VoltShare complements a wide range of collaboration tools and platforms like Slack, Teams, Box and Dropbox by adding an additional layer of encryption and protection for stored and shared data. If the collaboration platform were ever breached, the content protected by VoltShare would not be readable by the perpetrator.

Free and Enterprise Versions Available

VoltShare is available today as a free software download for base users and a paid enterprise subscription for increased security and compliance.

The VoltShare enterprise subscription provides an expanded set of control and reporting capabilities including full integration with single sign-on (SSO) systems, the ability to override policies, audit logs and real-time alerting. The enterprise edition also provides enterprises with the ability to build end-to-end encryption in their own applications using VoltShares SDK and APIs.

Both versions provide the same easy-to-use workflow that dont use passwords or public keys.

Story continues

To learn more about VoltShare and how it securely shares files and encrypts data, visit https://www.volterra.io/products/voltshare or watch this video.

About Volterra

Volterra provides a distributed cloud platform to deploy, connect, secure and operate applications and data across multi-cloud and edge sites. Line-of-business leaders can drive business transformation and automation by distributing workloads closer to business activity. DevOps teams can manage fleets of applications and infrastructure with less complexity. Network teams can simplify application connectivity and security across clouds. Visit http://www.volterra.io or follow us on Twitter @Volterra_ to learn more.

View source version on businesswire.com: https://www.businesswire.com/news/home/20200514005264/en/

Contacts

Jordan Tewell1-415-666-6066volterra@10fold.com

Read the original post:
Volterra Radically Simplifies End-to-End Encryption with Industry-First, Free Service That Doesnt Use Passwords or Public Keys - Yahoo Finance

Key Takeaways

Anyone handling sensitive user data lives in fear of a data breach. We know that encryption can reduce the negative consequences, but most encryption is relegated to infrastructure-level elements like TLS and VPNs rather than at the application layer. Application-layer and end-to-end encryption can be a powerful tool in our toolkit, but as developers, how can we safely add encryption to our applications without introducing bugs or reducing the utility of the data?

In this article, we discuss the pros and cons of application-layer encryption. We will cover the attack surface of application-layer encryption in the browser, how it is very different from native clients, and how WebCrypto helps.

The reputation, financial, and human impact of breaches can be extremely high. New laws that help protect end-user privacy are an important step forward, but they come with potentially ruinous fines.

Studies showthat encryption is one of the most effective technical security measures to reduce the impact and cost of a data breach. When attackers get encrypted datasets, they either have to attack a different system to get the key or have to settle with metadata and side-channel information instead of the good stuff.

Encryption is typically focused on infrastructure-layer elements, like TLS, VPNs, database encryption flags, and full-disk encryption. These are important tools in our toolbox, but they rely on assumptions about the infrastructure instead of the application code itself.

In fact, if you consider most recent data breaches, at least among established companies, they were certainly using TLS and at-rest database encryption, and yet the leaks happened anyway. For instance,Capital One was recently hackedand sensitive financial information stolen. Google Photosaccidentally gave the wrong users accessto photos and videos from other users. These mistakes could have been prevented, or at least mitigated, by application-layer or end-to-end encryption.

As developers, infrastructure isnt our strength, and sometimes its not our job, so encryption takes a back seat to features. But for those of us who do care about defense in-depth, it makes good sense to add encryption to the application itself. Application-layer encryption can insulate our systems from infrastructure-level failures, known weaknesses of TLS, and some server-side vulnerabilities.

The practice of moving more security, operations, and testing into the development process (known asshift-left) is improving software agility, reliability, and efficiency. It also means that security best practices need to be implemented as part of application developmentnot as an afterthought when things go wrong. However, the vast majority of developers are not security or cryptography experts, and at the same time, the security team has less control over the security posture of IT and development than ever before.

Application-layer encryption, or shift-left cryptography, is part of this trend. It means giving developers more control over what gets encrypted and who gets the keys for decryption. In some cases, the users themselves may be the only parties with the keys. In other cases, application-layer encryption can be an added access control layer on data management, providing defense-in-depth.

As implied by the name, application-layer encryption gets added directly to the codebase of your application, and access to key material is controlled by your application logic. As a result, you can think of the data itself as being encrypted throughout its lifecycle, rather than relying on it being on an encrypted network or disk.

The most widely-understood application-layer encryption is end-to-end encrypted chat like Signal and WhatsApp provide, so lets think through how those applications work. Its a bit over-simplified, but it basically works like this:

End-user action

Access Control Logic (Server)

App-layer Cryptographic Operation (Client)

Add a friend

Create an access control rule where users are allowed to send each-other messages

Trust the friends cryptographic key

Write the friend a message

Create an access control rule where the friend can read the message

Encrypt the message with the friends key (and sign it)

Read a message from a friend

Check for permission to download the message

Decrypt a message with end users key (and check the signature)

In this simple example, we can already see some of the power of application-layer encryption:

Note that this is an example of end-to-end encryption, but not all application-layer encryption is end-to-end. Also, applications like this still need TLS and other infrastructure-layer encryption to enforce things like authentication, prevent replay attacks, and address a host of other issues.

When we think about TLS, we picture data getting encrypted at its source and decrypted on the server. But this over-simplification hides the practical limits of TLS.

The reality of encryption in transit leaves out encryption of data at rest, which impacts the security of both ends of the transmission. It also completely ignores what happens to the data after HTTPS termination which may be further out on the edge of your network than you know; at your load balancer for instance.

So what about encryption at other points in the application? If youre doing an above-average job of crypto, youve written robust, well-tested code in your app to encrypt data at rest, youve used HTTPS and IPSec on your network, and youve enabled transparent database crypto.

Were pretty much encrypting everywhere with this approach, but as the data moves through the system, it gets decrypted and re-encrypted at each step. Each point that touches plain text data is a potential vulnerability, resulting in a large attack surface, and you have to ask yourself, why the heck do these intermediate services need the data in plain text anyway? They probably dont.

Infrastructure-layer encryption also lends itself to gaps in security because unanticipated parts of the infrastructure might get the data. For instance, your database and disk backups might not get encrypted, even if your database is. Or your health monitoring system might be logging sensitive data in plain text, and (horror of horrors) maybe even sending it to a third party. These security gaps happen because different individuals or departments are accountable for security at these various points:

Each one of these solutions uses different ciphers, libraries, and key sizes. Youre counting on a lot of people to get a lot of things right. Thats a problem.

Encryption is about communication; data is written and encrypted by one party, then received and decrypted by another party. The sender and receiver both have to have an application that knows how to do the encryption and decryption, and can be trusted to do it correctly. But that is easier said than done.

What if the encryption code is malicious? What could an attacker do? The simplest attack would be for the application to work exactly as expected, butalsosend the unencrypted messages to the bad guys. More subtle attacks are possible of course; adding hidden vulnerabilities to weaken the encryption, messing with the public keys, etc. But they all amount to the same thing: A bit of code that helps the bad guy get the secret message.

So lets talk about code delivery. For two people communicating using apps on their mobile phones, the trust chain goes something like this: A good programmer writes good encryption code, compiles it into an app, signs the app with a digital signature, and uploads it to an app store via TLS. The user downloads an app over TLS, the operating system checks whether the digital signature is trusted, and the user runs the app to have their encrypted communication. Note that this protocol is itself an application-layer cryptographic data exchange. Systems like Debian Linux have similar protocols for installing and upgrading the server and desktop applications.

There are a number of things that can go wrong with the trusted app download: The user could download a malicious version of the app. The OS vendor could undermine the check of the digital signature on the app. An attacker could trick the user into installing an old and vulnerable version of the app (or not upgrading it). Any of these types of attacks would make the end-to-end encrypted communication suspect. But for the most part, this works well.

Application-level cryptography is typically implemented in native code running on mobile, laptops, or servers, and can use a protocol like this to deliver trustworthy code. But modern applications very often have a major browser-based component, even for critically sensitive information.

The code delivery model on the web looks quite different from an app. When users decide that they want to have a secure conversation, they visit a web page. The browser downloads some JavaScript over TLS on-demand. Beyond warning the user about bad TLS connections, thats the end of the standard protocol for code delivery. It relies completely on TLS. The JavaScript that gets delivered needs to perform the application-layer encryption and tonothave any malicious code that just sends the unencrypted text to the bad guys.

Why is this a problem? Lets say for instance that our security claim is that the data gets encrypted in one browser, decrypted in another browser, and the webserver in between cannot see the data without warning flags and fireworks going off. To undermine this claim, the server simply needs to deliver malicious JavaScript at the application start time. So an attacker that can control the server that delivers code or various aspects of DNS and TLS could pull off this attack without breaking any crypto. The bad code can be sent only to a specific target, making it hard to detect for security researchers.

In fact, with the speed of application updates and continuous integration, similar attacks are possible against mobile apps and desktops. Many modern apps use dynamic code techniques to deliver at least some code to an app in real-time; many desktop apps update their own code at will. This gives attackers the ability to hijack code updates at various points but also gives security teams the ability to patch quickly. That said, the browser-based attacks are a lot better understood.

Some people in the security and cryptography community point to this issue to say that you shouldnt do browser-based encryption, or if you do, you cant claim that its end-to-end secure. Or at the very least, that it creates a false sense of security. We disagree. There are indeed weaknesses, but as developers, we should be doing it anyway, because simply put, people use the web for security-critical purposes.

Despite the code delivery problem, doing application-layer encryption in the browser significantly improves the overall security of any system. The reason for this is that security isnt all-or-nothing. Very rarely in modern server infrastructure is a single browser talking only to a single web server that performs every task; modern systems are just more complex than that.

For instance, lets say your web application uses HTTPS and does browser-based end-to-end encryption, but that it has an SQL injection vulnerability. The nature of this vulnerability is that the attacker tricks the application into tricking the database into dumping out sensitive data (over HTTPS, ironically). But in our example, the data is end-to-end encrypted, so the database only contains encrypted messages. Without application-layer encryption, the bad guy would get something much more sensitive: the plain text messages. Note that with this vulnerability alone, the attacker cannot change the code to inject malicious JavaScript; the browser-based encryption code is still sound.

On the other hand, if the attacker has a remote code execution exploit on the API server, and can modify the JavaScript or inject malicious code into it on the fly, theycanundermine the end-to-end encryption, again by simply adding code that sends the plain text data to themselves.

These are only two examples, one where application-layer encryption can be undermined and one where it cannot, but there are innumerable other attacks that can be prevented with end-to-end encryption: Perhaps you have a too-nosey employee who is looking for the private information on celebrities, but who doesnt have access to the code. Perhaps you backed up your Postgres database to an S3 bucket and accidentally left it open on the web. Perhaps an attacker can undermine TLS, but they only act passively; they can eavesdrop but they cannot do code injection.

As we can see, application-layer encryption in the browser provides defense-in-depth, even though there are challenges to code delivery. In the next section, we will talk about approaches that mitigate those challenges.

There are a number of ways to improve the security of application-layer encryption in the browser. The first line of defense is to use good, trusted code. Modern application development is much faster because we reuse a lot of code we find on the web, but if any of the code that runs in the users browser is malicious or vulnerable, it undermines the encryption significantly.

Protecting the server that delivers the code is also vital. Use the principle of least privilege when assigning access control rights on that server. Use multi-party control for administration and code deployment. This will significantly reduce the risk of insider attacks.

There are also under-used code-delivery settings that instruct the browser to take extra precautions. These arent the default because they somewhat reduce the flexibility of the development and integration process, but the security they provide is worth the work, whether your application does encryption or not:

In addition, there is a relatively new browser API that helps with efficient and secure delivery of cryptographic primitives. The WebCrypto API provides low-level ciphers, hashes, and other encryption components. This helps because you dont have to include those ciphers in your JavaScript. The browser implements them directly and can take advantage of local native execution and even hardware acceleration. It doesnt prevent certain attacks, like just sending an unencrypted copy of the data to the bad guys, but WebCrypto does make browser-based encryption more standard and accessible.

Secure code delivery isnt the only challenge for implementing application-layer encryption. The biggest problem is that most encryption libraries are relatively hard to use securely and difficult to implement consistently in different programming languages and platforms. When you encrypt something in a browser and decrypt it on an app, you probably need three different implementations in different languages (Android, iOS, and JavaScript) that all use the exact same ciphers and modes.

The secure operation of these modes is not very easy to understand. For instance, the well-beloved cipher AES is secure, but pairing it with an insecure mode like ECB (the default mode in Java) is insecure. Pairing AES with GCM is considered a best practice, but even GCM has its flaws; if you encrypt too much data with the same key, or make a mistake with the initialization vector/nonce, you could actually leak key material, which is a flaw that some other modes do not have.

One mistake can make your encrypted data unrecoverable, or even worse, recoverable by a bad guy.

Another challenge is that if you put encrypted data in your database, its no longer as searchable. You have to plan ahead for what kinds of queries and downselects you want the database to do or that you want your application to do. If you encrypt a users home address, for instance, you cant simply SELECT * for all the rows with the string Oregon. If downselecting by state is part of your application workflow, you can instead encrypt the users entire address, but add an unencrypted metadata field with their state so that you can still perform this query. From there, you can potentially use application-layer logic to decrypt the record and perform the rest of the search, but the database wont be of much help.

People I talk to are often concerned about performance for application-layer encryption, but this isnt a significant concern. Encryption is fast, and often hardware accelerated these days. After all, we use HTTPS for streaming entire social networks with photos and videos and dont really notice much of a performance hit. Its similar at the application layer, and you are simply unlikely to find encryption to be a bottleneck.

To be sure, there are still attacks against application-layer encryption. Various governments have made it illegal or legally impractical to operate an encryption service or install an encrypted app. Users selecting weak or reused passwords can completely undermine encryption. Users forgetting passwords is a challenge to address as well; what should happen in that case? Should the user be able to recover their data via a password reset email? That itself weakens the end-to-end encryption argument.

And of course, once the data is decrypted, attackers can attack the end device itself. This happened to WhatsApp in 2019, causing some to wonder if end-to-end encryption is worthwhile or important. But the fact that attackers had to target specific individuals with zero-day attacks against WhatsApp is proof enough to me that end-to-end encryption helps.

When implementing encryption in your application, you will need to consider your specific security goals, any compliance rules you might have to follow, and who you need to have the key material. Cryptography is very specific to your application. A trained cryptographer can help you understand the strengths and weaknesses of your approach, and no magazine article can tell you whats right or wrong. There are, however, a few choices you can make that will get you closer to good cryptography, and you can often safely use them.

First a bit of brief background on the three major cryptographic systemssymmetric, asymmetric, and hashing. Symmetric (shared key) is fast and efficient, these algorithms are usually your baseline for encrypting data. AES is usually what you want. Symmetric encryption suffers from challenges with key management. You need a way to get the shared key to both parties, which is why you need asymmetric encryption. Symmetric multi-block modes vary in their confidentiality and integrity properties, and some work better with different types of data or different system constraints (such as a lack of a random number generator): ECB, GCM, CBC, SIV, etc.

Asymmetric (public/private key) cryptography is slower and more complex than symmetric encryption, these algorithms are typically used for exchanging symmetric keys. RSA is the classic choice here; ECC is more modern and efficient, and almost as widely supported. Roughly speaking, public keys are used for encrypting data and verifying signatures. Private keys are used for decrypting data and generating signatures.

Hashing, cryptographic signatures, and message authentication codes (MACs) provide integrity. Hashing generates a short string that proves the data was either unchanged or in the case of message authentication codes, proves that the person holding a secret key signed the data. Many people think that encryption implies integrity, but it does not. For instance, AES doesnt provide integrity by default. Algorithms like SHA2, Poly1305, and GCM help.

Managing keys is a very big topic in itself, but a few important things to consider:

Beyond key material, there are other elements of randomness or uniqueness that are associated with encrypted messages. Initialization Vector, salt, and nonces fall in this category. These need to be communicated to the decrypting party as well, so they need to be stored or transmitted. Typically, its safe to transmit these unencrypted along with the ciphertext, but you should be careful not to let the attacker modify them.

You also need to pad, encode, serialize, and sign your messages. Believe it or not, even bad padding can undermine the confidentiality of the encrypted message. For signing of structured data like a JSON object or HTTP headers, you need an identical way for both sides to serialize and deserialize the data, or the signatures wont match.

If youve done all of this right, you now have an encrypted and signed message. Its likely at this point that youll want to send this message to another party, who will check the signature and decrypt the message. That means you need to communicate all of your choices: key id, size, cipher, mode, IV, hashing algorithm, etc. This communication itself is a fraught weakness in many cryptography systems. For instance, attackers have been able to trick some symmetric systems into behaving like asymmetric systems and sending their shared key directly to the attacker. Oops.

A few recommendations we have, particularly if you need to or want to stick with the NIST/FIPS-140 ciphers that are sometimes required for compliance in government work or banking:

Encryption is an exceptionally effective way to protect data, but most encryption deployed today is part of the IT infrastructure, and not part of applications. As developers, we have a unique opportunity to improve privacy and security of our users by making application-layer encryption a part of our toolbox. There are challenges to be sure; encrypted data can be harder to manage, and most encryption libraries are very hard to use for untrained developers, but the benefit to our users is worth it!

The following are not the formal definition of these terms, but color commentary to help you understand how these terms and technologies fit into application-layer encryption.

Isaac Potoczny-Jones is the founder and CEO of Tozny, LLC, a privacy and security company specializing in identity management and encryption. Isaacs work in cybersecurity spans open source, the public sector, and commercial companies. His projects have included end-to-end encryption for privacy in human subject research, secure cross-domain collaboration, identity management, anonymous authorization, mobile password-free authentication, anti-forgery in hardware devices, and privacy-preserving authentication. He has worked with agencies including DARPA, the Navy, Air Force Research Laboratory, the Department of Homeland Security, the National Institute of Standards and Technologies, and other elements of the DoD and intelligence communities. Isaac is an active open source developer in the areas of cryptography and programming languages. Education: B.S. in computer science, M.S. in Cybersecurity.

Read the original:
How to Use Encryption for Defense in Depth in Native and Browser Apps - InfoQ.com

NEW YORK, May 13, 2020 /PRNewswire/ --Fireblocks (www.fireblocks.com), announced today it has developed a new MPC (secure multi-party computation) algorithm that pushes digital asset transaction speeds up to 8X faster than what's currently possible. Fireblocks' new protocol, called "MPC-CMP," is based on and surpasses the speed of Gennaro and Goldfeder's protocol, a current industry standard for MPC, and Lindell et al.'s protocol. Starting today, all digital asset custodians and MPC vendors can access Fireblocks' MPC-CMP protocol and use it for free as Fireblocks will not be applying for patents on this technology.

MPC technology is allowing advanced fintech platforms to flourish because it removes the single point of compromise by transforming private keys into liquid form through securely distributed transaction signing. In an academic paper released this week by the Fireblocks Research Team, Prof. Ran Canetti, Dr. Nikolaos Makriyannis, and Udi Peled, revealed the new cryptographic security protocol. In the paper, Canetti, Makriyannis, and Peled (CMP) outline how to securely cut the number of rounds needed to sign an MPC transaction by 10-fold. While Gennaro and Goldfeder's algorithm requires 9 rounds to sign a transaction, MPC-CMP only requires 1.

Designed to support institutions with large retail customer bases, such as the biggest exchanges, lending providers, and banks. MPC-CMP enables them to execute high-volume withdrawal requests. Additionally, it allows institutions located in areas with strong regulations around cold storage to utilize MPC in an offline wallet.

By slicing the number of interactive rounds in half and combining the method of pre-processing with non-interactive signing, MPC-CMP accomplishes 8X faster transaction speed. "The MPC-CMP algorithm developed by our cryptography team is ushering in the next generation of threshold cryptography," said Ran Canetti, Professor of Computer Science at Boston University and Tel Aviv University. "It demonstrates that strong security need not compromise on efficiency."

The new algorithm introduces major security improvements, such as automatically refreshing key shares in minute intervals, protections against more advanced attackers, and an out-of-the-box Universally Composable secure computation proof.

"As financial institutions look to launch and operationalize digital asset services, we believe MPC-based technology will be paramount to delivering an experience comparable to the speed of traditional assets," explains Michael Shaulov, CEO and Co-Founder of Fireblocks. "We're freely providing custodians and MPC vendors with our new algorithm to drive innovation, boost adoption, and prepare digital assets for the broader institutional market."

MPC-CMP delivers:

Fireblocks has made MPC-CMP open to peer review to ensure its strength and efficiency in order to implement the new algorithm by end of Q2 2020.

About FireblocksFireblocks is an enterprise-grade platform delivering a secure infrastructure for moving, storing and issuing digital assets. The platform enables exchanges, custodians, banks, trading desks, and hedge funds to securely scale digital asset operations through patent-pending SGX & MPC technology. Fireblocks has secured the transfer of over $30 billion in digital assets, and offers a unique insurance policy that covers assets in storage & in transit. For more information, please visit http://www.fireblocks.com.

See the rest here:
Fireblocks Releases New Free to Use MPC Algorithm, Boosts Transaction Speed by 800% - cnweekly

Opening a company in Switzerland and hiring Thierry Martin as managing partner to lead the region's activities are the highlights.

Seeking to consolidate its presence and develop new businesses in Europe, Middle East and Africa (EMEA), Brazilian Kryptus, specialized in cryptography and information security, announces the expansion of its international activities with the opening of a new unit of the company in Switzerland. The initiative is focused on offering technical support in the region, as well as develop the market, regional channel partners, and respond to local requirements. The move includes the announcement of Thierry Martin as the new director for EMEA and the head of the Swiss branch.

With a strong cybersecurity background, Martin is an engineer who has led several different technology companies in Europe and Brazil. The executive has also been a member of the Kryptus board in 2016 and 2017.

Currently providing solutions to financial institutions, private companies, and governments around the globe, Kryptus aims through this expansion to reach more customers with its competitive and unique product portfolio. The offerings include kNET, its high-performance HSM with unbreakable encryption, and Commguard, its flexible line of link encryptors.

"Kryptus can deliver world-class, trustworthy, and secure cryptography solutions for critical applications. Our presence in the region allows the optimization of services for customized or custom-developed products, providing a strong value proposition in the EMEA region," says Thierry Martin.

According to Roberto Gallo, founder & CEO of Kryptus, expanding to the EMEA region strengthens the company's position as a strategic provider of cyberdefense for governments and enterprises. "Kryptus can now extend its technology offering to Europe, Middle East, and Africa, based on relevant certifications and high performance," he points out.

With its Headquarter in Campinas, Kryptus was founded in 2003 and counts among its customers companies like BSH (a BOSCH Gmbh subsidiary), Claro Brasil (America Mvil Group), Certisign (exclusive Verisign partner in Brazil), Iron Mountain, iFood and Embraer. Granted the status of Strategic Defense Company (EED) by the Brazilian Defense Council, Kryptus has gained the trust - as a supplier from a neutral country - of several government agencies to protect their sovereignty. Among such customers with the highest security requirements, Kryptus delivered government-grade solutions to the Peruvian Navy, the Colombian Army and the Brazilian Army, Air Force, Navy, Intelligence Agency, Ministry of Foreign Affairs, and Superior Electoral Court, as well as to several other governments.

About Thierry Martin

Thierry Martin was born in Switzerland where he studied Electronics and Computer Science. He has professional experience in various areas of technology, among them Digital TV, Cyber Security, Electronics, and Telecommunications. Along his career he has lived and worked in Switzerland, Spain, the United Kingdom, and Brazil, as well as worked extensively with the United States and Asia. He has held executive positions in companies like Nagra, Kudelski Security, Selectron Systems AG, and Mouvent AG.

About Kryptus

Kryptus is a provider of solutions in Information Security. With 17 years of history and HQ in Campinas (SP), Kryptus SA is an independent Brazilian company that has been growing consistently for the past 10 years, focusing on long term actions, scientific and technological plans, and understanding the mission of its clients in the business lines it develops. Kryptus is a partner of the Kudelski Group. Kryptus is a Brazilian Strategic Defense Company (EED), a status granted by the Brazilian Defense Council.

Read more from the original source:
Leading Brazilian Information Security Specialist Kryptus Expands Its Activities in the EMEA Region - BusinessGhana

Chainlink is best known for its pioneering work around decentralized oracles, but the projects experts have also gone expansive with work on Mixicles, meta oracles, and beyond.

The Link Marines are buzzing anew, then, as Chainlink has rolled out yet another major contribution to the smart contracts ecosystem this week, the Chainlink VRF.

The VRF in that stands for verifiable random function, a cryptographic primitive that can generate random numbers in verifiable and unbiasable fashion.

Whys this important? There are no shortage of use cases in which blockchain projects could make use of randomness, but tamper-proof randomness is a tough nut to crack when it comes to actualizing it on-chain. And anything short of tamper-proof randomness can introduce big security hole for projects, Chainlink said in an announcement post:

A security-sensitive mindset is required to create and successfully defend a smart contract against adversaries seeking to steal the funds held by that contract. Smart contract developers using randomness as a key input should also see the manipulation of that randomness as a critical risk.

Alas, heres where Chainlink VRF comes in.

The key for a reliable VRF is to be unbiasable and unpredictable, which are the exact two characteristics that Chainlinks new tool is aimed at.

Chainlink VRF seeks to [be fair and unguessable] by delivering its randomness along with cryptographic proofs that can be verified on-chain, showing that the randomness is indeed unpredictable, the Chainlink team said.

As for possible use cases for the solution, theyre manifold. Chainlink specifically cited blockchain gaming, security, [and] layer-two protocols as low-hanging fruits.

For instance, with regard to gaming industry example, Chainlink added that its new VRF capability could make games more fun by generating challenging and unpredictable scenarios and environments, and assigning unpredictable player rewards like loot drops.

And thats just one hypothetical example of many possible ones. Yet when it comes to how Chainlink VRF can be used in the here and now, look no further than no-loss lotto savings game PoolTogether.

PoolTogether is an Ethereum dApp in which users can buy tickets with stablecoins like Dai or USDC in order to enter weekly or daily prize pools.

However, hitherto the randomization process has been less than perfect, the games CEO Leighton Cusack explained in a separate announcement:

The PoolTogether Protocol requires random numbers to select the winner of each prize. In our initial design, this randomness generation process was a manual and centralized process [] this makes it difficult for some users to fully trust PoolTogether Protocols ability to generate a provably fair winner.

Accordingly, Chainlink VRF is something of an ideal solution for this predicament, which is why the PoolTogether CEO said the project would be integrating with the tool shortly.

Incorporating Chainlinks VRF benefits PoolTogether by providing a more reliable and provably secure form of randomness in the selection prize winners, which our users can trust, Cusack said.

Chainlink VRF is good news for smart contract ecosystems like Ethereums. Indeed, Ethereum developers in particular have been deeply considering randomness tools in recent times.

For example, last year the Ethereum Foundation collaborated with Amazons AWS and others on a $100,000 USD hardware competition centered on verifiable delay function (VDF) tech.

The idea behind a VDF is similar to a VRF except that the former involves a delay function during its computations. Why? In order to block malicious actors from manipulating, and thus biasing, outputs.

Verifiable delay functions uniquely tie physical time and cryptography into a promising new tool for the blockchain industry, the Ethereum Foundation said at the time.

1,317

See the original post:
Chainlink VRF Tool for Smart Contracts to Achieve On-Chain Randomness - Blockonomi