Hugo Krawczyk

Nationality: Argentine, Israeli, American
Alma mater: Haifa University, Technion
Occupation(s): Cryptographer, Computer Scientist
Known for
  • IPsec/IKE/TLS 1.3 cryptographic design
  • HMAC message authentication
  • HKDF key derivation
  • OPAQUE password-authenticated key exchange
  • HMQV and SIGMA key exchange protocols
  • Searchable encryption
  • Threshold and Proactive Cryptosystems
Awards
  • Levchin Prize
  • RSA Award in Mathematics
  • NDSS Test-of-Time Award
  • IACR Fellow
  • IBM Fellow

Hugo Krawczyk is an Argentine-Israeli cryptographer best known for co-inventing the HMAC message authentication algorithm and contributing in fundamental ways to the cryptographic architecture of central Internet standards, including IPsec, IKE, and SSL/TLS. In particular, both IKEv2 and TLS 1.3 use Krawczyk’s SIGMA protocol [1] as the cryptographic core of their key exchange procedures. He has also contributed foundational work in the areas of threshold and proactive cryptosystems and searchable symmetric encryption, among others.

Education

Krawczyk acquired a Bachelor of Arts in Mathematics from the University of Haifa. Later he received his Master of Science and Ph.D. in computer science from Technion - Israel Institute of Technology with Oded Goldreich as doctoral thesis advisor.

Career

Hugo Krawczyk is a Senior Principal Scientist at Amazon Web Services (AWS). Between 2019 and 2023 he was a Principal Researcher at the Algorand Foundation and part of its founding team. Prior to that, he was an IBM Fellow and Distinguished Research Staff Member at the IBM T.J. Watson Research Center in New York as a member of the Cryptography Research group from 1992 to 1997, and again from 2004 to 2019. He was an Associate Professor at the Department of Electrical Engineering at the Technion in Israel from 1997 until 2004.

Krawczyk has published over 100 papers with more than 30,000 citations, and is an inventor on 30 issued patents.

His research includes both theoretical and applied elements of cryptography, with a focus on internet security, privacy, and authentication. His most recent projects in the area include: TLS 1.3, the new-generation SSL/TLS; HKDF, the standard for key derivation embraced by TLS 1.3, Signal, WhatsApp, Facebook Messenger, and others; and OPAQUE, a password authentication protocol being standardized by the IRTF and recently deployed by Facebook in its implementation of end-to-end encrypted chat backups for WhatsApp. [2]

Krawczyk is the author of many other cryptographic algorithms and protocols including the HMQV key-exchange protocol, the LFSR-based Toeplitz Hash Algorithm, the Shrinking Generator encryption scheme, the UMAC message authentication code, and the randomized hashing scheme for strengthening digital signatures.

Other influential work includes threshold and proactive cryptosystems (including distributed key generation), searchable symmetric encryption, and theoretical contributions to secure cryptographic communications, password protocols, zero knowledge and pseudorandomness.

Awards

Krawczyk won the RSA Conference Award for Excellence in Mathematics in 2015, the Levchin Prize [3] for Contributions to Real-World Cryptography in 2018, and two IBM corporate awards. He is a Fellow of the International Association for Cryptologic Research (IACR) and the recipient of the 2019 NDSS Test-of-Time award [4] for his 1996 paper, “SKEME: A versatile secure key exchange mechanism for internet”, a precursor of KEM-based key exchange protocols, central to developing post-quantum key exchange standards.

Related Research Articles

Public-key cryptography: Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

A key in cryptography is a piece of information, usually a string of numbers or letters stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Depending on the method used, the key can be of different sizes and varieties, but in all cases the strength of the encryption relies on the security of the key being maintained. A key's security strength depends on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computer security, challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

Forward secrecy: Practice in cryptography

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy, which additionally requires that a long-term secret compromise does not affect the security of past session keys.

Strong cryptography and cryptographically strong are general terms used to designate cryptographic algorithms that, when used correctly, provide a very high level of protection against any eavesdropper, including government agencies. There is no precise definition of the boundary between strong cryptography and (breakable) weak cryptography, as this border constantly shifts due to improvements in hardware and cryptanalysis techniques. These improvements eventually place the capabilities once available only to the NSA within the reach of a skilled individual, so in practice there are only two levels of cryptographic security, "cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files".

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM and CCM.

Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and encryption functions.

Network Security Services: Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

Distributed key generation (DKG) is a cryptographic process in which multiple parties contribute to the calculation of a shared public and private key set. Unlike most public key encryption models, distributed key generation does not rely on trusted third parties. Instead, the participation of a threshold of honest parties determines whether a key pair can be computed successfully. Distributed key generation prevents single parties from having access to a private key. The involvement of many parties requires distributed key generation to ensure secrecy in the presence of malicious contributions to the key calculation.

Cryptography: Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The algorithms that cipher suites usually contain include a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer. Most widely-used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

Moti Yung: Israeli computer scientist

Mordechai M. "Moti" Yung is a cryptographer and computer scientist known for his work on cryptovirology and kleptography.

Ran Canetti is a professor of Computer Science at Boston University and the director of the Check Point Institute for Information Security and of the Center for Reliable Information System and Cyber Security. He is also associate editor of the Journal of Cryptology and Information and Computation. His main areas of research span cryptography and information security, with an emphasis on the design, analysis and use of cryptographic protocols.

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. It has fast software performance and, without hardware acceleration, is usually faster than AES-GCM.

An oblivious pseudorandom function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that in an OPRF two parties cooperate to securely compute a pseudorandom function (PRF).

References

  1. Krawczyk, Hugo (2003). "SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols" (PDF). Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer Science. Vol. 2729. pp. 399–424. doi:10.1007/978-3-540-45146-4_24. ISBN 978-3-540-40674-7.
  2. Whatsapp e2e
  3. "The Levchin Prize for Real-World Cryptography". rwc.iacr.org. Retrieved 2022-11-15.
  4. O'Donoghue, Karen (2019-02-28). "NDSS 2019 Honors Timeless Papers". Internet Society. Retrieved 2022-11-15.