The Security Impact of a New Cryptographic Library

  • Daniel J. Bernstein
  • Tanja Lange
  • Peter Schwabe
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7533)


This paper introduces a new cryptographic library, NaCl, and explains how the design and implementation of the library avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL. Specifically, this paper analyzes the security impact of the following NaCl features: no data flow from secrets to load addresses; no data flow from secrets to branch conditions; no padding oracles; centralizing randomness; avoiding unnecessary randomness; extremely high speed; and cryptographic primitives chosen conservatively in light of the cryptanalytic literature.
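The abstract's "no data flow from secrets to branch conditions" is easiest to see on the smallest primitive it applies to: comparing a received authenticator against the expected one. The following is an added example written for this page, not code from NaCl or from the paper's authors; the function names `leaky_verify`, `ct_verify`, `leaky_steps_for` and `ct_result_for` and the 16-byte tags are constructed for the illustration. It places an early-exit comparison, whose iteration count depends on where the first mismatching byte sits, next to a constant-time comparison in the style of NaCl's `crypto_verify_*` functions, which always touches every byte and derives its result with arithmetic rather than a branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Variable-time comparison (the pattern the abstract warns against):
 * returns at the first differing byte, so the number of loop iterations,
 * and therefore the running time, depends on the secret being compared.
 * 'steps' reports the iteration count so the leak is observable in a test. */
int leaky_verify(const unsigned char *a, const unsigned char *b,
                 size_t n, size_t *steps)
{
    size_t i;
    *steps = 0;
    for (i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])          /* branch condition depends on secret data */
            return -1;
    }
    return 0;
}

/* Constant-time comparison in the style of NaCl's crypto_verify_*:
 * OR every byte difference into 'd', then collapse d to 0 or -1 using only
 * arithmetic. No branch and no memory index depends on the data. */
int ct_verify(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned int d = 0;
    size_t i;
    for (i = 0; i < n; i++)
        d |= (unsigned int)(a[i] ^ b[i]);
    /* d is in 0..255. (d - 1) >> 8 is 0x00FFFFFF when d == 0 and 0 otherwise,
     * so the expression yields 0 for equal inputs and -1 for any mismatch. */
    return (int)(1 & ((d - 1) >> 8)) - 1;
}

/* Constructed demo input: a 16-byte reference tag and a copy that differs
 * only at byte diff_pos (diff_pos >= 16 leaves the copy identical). */
static void make_tags(size_t diff_pos, unsigned char ref[16], unsigned char other[16])
{
    size_t i;
    for (i = 0; i < 16; i++)
        ref[i] = other[i] = (unsigned char)(0xA5 ^ i);   /* constructed value */
    if (diff_pos < 16)
        other[diff_pos] ^= 0x01;
}

/* How many iterations the leaky comparison runs for a mismatch at diff_pos. */
size_t leaky_steps_for(size_t diff_pos)
{
    unsigned char ref[16], other[16];
    size_t steps;
    make_tags(diff_pos, ref, other);
    leaky_verify(ref, other, 16, &steps);
    return steps;
}

/* Result of the constant-time comparison for the same inputs: 0 or -1. */
int ct_result_for(size_t diff_pos)
{
    unsigned char ref[16], other[16];
    make_tags(diff_pos, ref, other);
    return ct_verify(ref, other, 16);
}

int main(void)
{
    size_t pos;
    for (pos = 0; pos <= 16; pos += 8) {
        printf("mismatch at byte %2zu: leaky_verify ran %2zu iterations, "
               "ct_verify returned %d\n",
               pos, leaky_steps_for(pos), ct_result_for(pos));
    }
    return 0;
}
```

The iteration count of `leaky_verify` grows with the position of the first wrong byte, which is exactly the data flow from a secret to a branch condition that the paper's library design rules out; `ct_verify` does the same amount of work for every input and its return value is computed, not selected by a branch. Tooling such as ctgrind, which the paper cites, checks for this class of dependence mechanically.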


Keywords: confidentiality, integrity, simplicity, speed, security





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Daniel J. Bernstein, Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  • Tanja Lange, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  • Peter Schwabe, Research Center for Information Technology Innovation and Institute of Information Science, Academia Sinica, Taipei, Taiwan
