→ Development Digest the latest achievements in the field of cryptography.

Hi, %username%


It's time for a fresh pack of crypto news, while they have not ceased to be news. In this episode:

A new record for calculating the discrete logarithm
VPN server and client using protocol Noise
Postquantum cryptography in Chrome today!
What do you know about the new E2E encryption in Facebook
RLWE rid of R, and it is to his advantage
• Comodo wanted to mess with Let's Encrypt, but failed. And Let`s Encrypt will support ddns tomorrow
• the minimum requirements for implementations of algorithms RSA, DSA, DH, resistant to side-channel attacks appeared

Record of calculating the discrete logarithm

A group of researchers from EPFL and the University of Leipzig could count logarithm to the base of a prime number size 768 bit . To do this, they needed 200 cores and time since February 2015. They used a digital version of the sieve. Thus logarithm equaled the record for factorization where ordinary numbers <ahref="https://en.wikipedia.org/wiki/Integer_factorization_records#Numbers_of_a_general_form">768bit too

Wireguard . VPN, which uses the most fashionable cryptoalgorithms

We do not have time to publish the spec on Noise protocol, as has already appeared a decision based on it.

Very minimalistic VPN, which uses Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24 and HKDF. It works in kernel mode, but usermode version of the Go and Rust are are in active development. I advise you to take a closer look, very cool stuff.

Google added postquantum encryption in Chrome Canary

Learn more here. Used algorithm New Hope, which is based on RLWE problem, which in turn is a special option Lattice-based cryptography. This is a relatively young field of cryptography, still poorly understood, and therefore it is impossible to use in real life. But as an experiment, why not?

E2E encryption on Facebook allows you to squeal on the companion

They called this mechanism Franking. It allows you to send Abuse report if necessary. Implemented as follows:

Generates random key N f

Counts T_f = HMAC·SHA256(N_f, M)

N_f concatenated with M and the encrypted key of the recipient. On the server is sent to T f and encrypted text

The server calculates R d = HMAC · SHA256 (Facebook key, T f || metadata (who, whom, ...))

to the recipient sent R f , T f , encrypted text

The recipient decrypts the encrypted text, calculates HMAC (N f , M) and compares with T f . If the comparison fails, it throws a message

If the recipient wants to report to Facebook, then it sends the decrypted message, R f , N f

Facebook is convinced that this is the message that is sent to the sender and take appropriate action

Thus, person can't avoid bad actions he did.

RLWE without R

So there Lattice-based cryptography. It's good in that it does not crack a quantum computer in the future. But its parameters are huge, the size of the keys reach megabytes. Is it a private event, called learning with errors . So, learning from mistakes is also very cool though, but nevertheless due to limitations on the size of the key and the other was impossible to use in production. Therefore, the LWE added ring and called it RLWE , which is already used in Chrome Canary, i.eg. where the parameters have become more or less human size.

Unfortunately, the level of knowledge is inversely proportional tricked algorithm and adding rings may weaken LWE. Therefore, a group of comrades implemented key agreement without rings and published on the topic dock. Message sizes in each direction are within 12 kb, key negotiation takes about 1.3 ms. This is about 5 times greater in volume than handshake DH, and also 1.6 times the bandwidth slows TLS server, but nevertheless this is comparable to the New Hope and can be used in practice. The structure is a more secure.

Comodo is mad

And decided for a number of its services to register a trademark Let's Encrypt. Not only that sell air, so even stranger fame does not rest. However, the community gathered strength, slapped on the face them and discouraged trade mark. Details here .

By the way, after update can be screwed to the free TLS dyndns hosts! It supercool, all the hamsters will now have certificates.

Protecting from Side channel attacks

It is no secret that today information about encryption keys, you can remotely remove almost every fan. Therefore, the increasing popularity gain constant-time algorithms, which do not depend on the input data. The Germans released the minimum requirements for implementation, the implementation of which will complicate the task of obtaining secret information through side channels of data. <ahref="https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_46_BSI_guidelines_SCA_RSA_V1_0_e_pdf.pdf">interesting document, advise you to read.

On this I have everything, until we meet again! Have a great day steemers!