Among Bytes

Welcome!

I am a Cryptography Engineer specializing in post-quantum cryptography, bridging cutting-edge research with practical implementations. My focus is on developing scalable, efficient, and secure cryptographic solutions for modern security challenges.

If you’re seeking expertise in post-quantum cryptography, let’s connect.

Engineering Notes

Here are engineering and embedded systems collected over the years of working in the industry.

Implementing a Portable Cryptographic Testing Framework for Embedded Systems

In embedded cryptographic development, it is often necessary to test cryptographic schemes across different environments, such as real hardware and emulators like QEMU. This requires a flexible approach where tests can be executed in a controlled environment while ensuring the cryptographic…

Note on speed of verification in SLH-DSA

Here I’ll compare on the verification functionality of LMS and SLH-DSA. The XMSS is not mentioned, but as both LMS and XMSS are quite similar in this sense, we probably can observe similar results (XMSS is slightly slower than LMS).

Key agreement methods in FIPS

FIPS has multiple ways of claiming CAVP-tested compliance of the key agreement schemes. Each of them corresponds to a different use case, for example, the key agreement may or may not include key derivation. Additionally, FIPS also supports key confirmation (i.e. 56Ar3, 5.9) which can be applied…

Cryptography,FIPS

Gentle introduction to NTRU cryptosystem (part 1)

NTRU cryptosystem is a grandfather of lattice-based encryption schemes. The initial idea was due to Ajtai. His work evolved into a whole area of research with the goal of creating more practical, lattice-based cryptosystems, like the first NTRU-based encryption system and signature scheme due to…

Constant-time code verification with Memory Sanitizer

In the cryptography context, the side-channel attacks are about exploiting computer system implementation to gain information about the secret key. First such attacks were introduced by Paul Kocher in his paper called “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems”…

Cryptography,Software Security

Experimenting with NGINX

This page describes how to enable support for some features on NGINX, i.e. post-quantum schemes or QUIC protocol. Page is updated on as-needed bases, some parts of it may be specific to Debian Linux.

Systems Engineering

OpenVPN authentication hardened with ARM TrustZone

The goal is to connect an embedded device to VPN network. The VPN uses authentication with X.509 certificates, which means that the device needs to store securely a private key. The question is, how to protect the key from being copied? Many ideas have been explored already, in this particular…

Cryptography,TrustZone,System Security

On using Trusted Execution Environment for TLS session signing

Typically, a TLS server uses a Certificate and associated Private Key in order to sign TLS session. From now on I’ll call this Private Key a “traffic- private-key”. Both certificate and traffic-private-key form a asymmetric cryptographic key-pair. Revealing the traffic-private-key makes it…

i2c-stub: Playing with I2C on linux

Recently I had a chance to play with i2c-stub. The goal was to send and receive encrypted data to/from I2C connected device. I didn’t want to play with real I2C device, so I needed to emulate it somehow, which is possible with i2c-stub on linux. Here below is description how it was done.

Building HTTPS server with quantum-safe TLS in baby steps

This post is a step-by-step instruction to build HTTPS web server which uses quantum-resistant algorithm for TLS key exchange. Solution is written in Go language. For a web server I’ve used Caddy. Caddy uses TLS implementation from standard Go library. As this doesn’t support any of…

crypto,TLS,SIDH,post-quantum

TrustZone Overview

Slides from presentation given at the Cloudflare office in London.

mbedTLS vs BoringSSL on ARM

Goal is to choose most suitable TLS library that could be statically linked with an application. The application will be runing on modern mobile operating system and variety of ARM CPUs. I’m interested in client side of the TLS only. Ideal library is the one which ensures the best security…

How run GDB on an Android

Android NDK comes with GDB, somewhere in the NDK folder one can find gdbserver and gdb binaries. The idea is obviously to run gdbserver on the device and then connect to it from local host with gdb. For that to work - both server and client need to have available binary that both are debugging…

Creating certificates for TLS testing

In some cases, it is needed to create your chain of certificates - CA and server (for example TLS testing). There are many descriptions out there on how to do it, nevertheless, I couldn’t find any copy-paste examples which would give me an RSA, ECDSA and EdDSA certificates. Hence, here below, one…

Looking for C++ object in a memory dump

When analyzing the core dump of a C++ based, long-running, server application it may be helpful to know the exact state of some objects created by the process. The question, then is, how to find that object. Core files consist of the recorded state of the working memory. The task may be not…

Compile C code in Android NDK

I’ve limited love to Android tools provided by Google and never understood why Google tries to make it so complicated to run native code on the device. In the end Android is some form of Linux and some parts of Android framework are implemented in C/C++. I also have limited love (and knowledge) to…

Encrypting RaspberryPI root partition

Description of encrypting root partition of already installed ArchLinux running on Raspberry. I assume that ArchLinux is already installed on SD card and Pi is booting correctly.