
Digest of recent advances in cryptography. Issue zero



Hello!
In this article I would like to briefly talk about the achievements of mathematicians that we already use or will soon be using.
Let's start.

Post-Quantum crypto


It's no secret that quantum computers are coming, and as soon as they start working at full strength, public-key cryptography as we understand it today will come to an end: RSA, DSA, ECC, DH. All of today's popular crypto-primitives for key exchange and signatures will become rubbish. Fortunately, there is light at the end of the tunnel: in recent years there has been active research into algorithms that resist attacks by quantum computers. Annual conferences are held on this topic, and the first recommendations on algorithms that can be used to counter quantum computers have already appeared.

Many of these algorithms have existed for a long time and are well studied. McEliece, for example, was created in 1978. Hash-based signatures (slides about XMSS signatures, pdf) also date from the 80s. The catch is that in key size, the amount of transmitted data, speed and so on, these asymmetric algorithms may not be as convenient as the ones we use now.

Nonce misuse resistance and AEAD block-cipher modes


A pretty old thing, but very few people know about it. In 2000 a scheme was proposed that lets a message consist of encrypted data, an unencrypted service part (for example, the packet size) and a key-dependent value that authenticates the entire message. This encryption mode was so convenient that in 2007 NIST adopted one of its instantiations, AES-GCM, as a standard. Modern Intel processors even have a special instruction for it, PCLMULQDQ, alongside AES-NI, which allows this mode to be implemented very quickly.

The problem is that all AEAD algorithms necessarily require an additional value, the nonce, which must be different for every message encrypted under the same key. Not necessarily random, just different. Otherwise your cryptography turns into a pumpkin. That is, you either use some kind of counter and store the state, or you use random nonces and hope they never collide. Just recently a group of researchers published an attack on TLS that exploits exactly this nonce-reuse vulnerability. Visa turned out to be vulnerable there, as did another half of all servers on the Internet, which is a rather serious hole.

To protect against such ham-fisted implementers of good algorithms, the CAESAR crypto competition was organised; its goal is to find the best AEAD algorithm, including one that is protected against nonce reuse/misuse attacks.
The most promising are HS1-SIV (pdf) and AES-GCM-SIV (pdf).
The second needs nothing new at all: it uses the already existing AES-NI and PCLMULQDQ instructions and is therefore very fast. There is even an implementation on GitHub.
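To make the "pumpkin" concrete, here is an added toy model (not code from the post, from CAESAR, or from the AES-GCM-SIV paper) contrasting a GCM-shaped nonce-based mode with an SIV-shaped one. HMAC-SHA256 stands in for the AES-based PRF, and all names and sample messages are constructed for the illustration.

```python
import hashlib
import hmac

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for AES; the label separates the mode's sub-uses."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR-style keystream: block i = PRF(key, iv || i), XORed onto data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, b"ctr", iv + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """GCM-shaped AEAD: keystream depends only on (key, nonce); tag covers ad || ct.
    Two messages under the same (key, nonce) therefore share one keystream."""
    ct = _ctr_xor(key, nonce, pt)
    return ct + _prf(key, b"tag", nonce + ad + ct)[:16]

def siv_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """SIV-shaped AEAD: the IV is synthesised from nonce, ad AND plaintext, so a
    repeated nonce still gives a fresh keystream unless the whole message repeats."""
    siv = _prf(key, b"siv", nonce + ad + pt)[:16]
    return siv + _ctr_xor(key, siv, pt)

def siv_decrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Decrypt, then recompute the SIV over the recovered plaintext to authenticate."""
    siv, ct = msg[:16], msg[16:]
    pt = _ctr_xor(key, siv, ct)
    if not hmac.compare_digest(siv, _prf(key, b"siv", nonce + ad + pt)[:16]):
        raise ValueError("authentication failed")
    return pt

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_reuse_view(key: bytes, nonce: bytes, ad: bytes, p1: bytes, p2: bytes):
    """What a passive observer gets from two messages under one (key, nonce):
    for the nonce-based mode, ct1 ^ ct2 == p1 ^ p2 (a two-time pad, so knowing
    either plaintext reveals the other); for the SIV mode, only whether the two
    messages were identical."""
    c1 = aead_encrypt(key, nonce, ad, p1)[:len(p1)]
    c2 = aead_encrypt(key, nonce, ad, p2)[:len(p2)]
    n = min(len(p1), len(p2))
    s1, s2 = siv_encrypt(key, nonce, ad, p1), siv_encrypt(key, nonce, ad, p2)
    return xor(c1[:n], c2[:n]), s1 == s2
```

The deterministic SIV behaviour is the one thing it does leak: equal (nonce, ad, plaintext) triples give equal ciphertexts, which is why the real designs still want a fresh nonce when one is available.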

Noise protocol


If you follow the news, you know that WhatsApp has enabled encryption for everyone by default. They use the Signal protocol, the best one in my opinion, but that is not the most interesting part of the news.
The creator of the Signal protocol, Trevor Perrin, has also developed a lightweight replacement for TLS, the Noise protocol. It is not just a protocol but a framework for building secure data-transfer protocols, and WhatsApp uses it for its network-level communication. It is much simpler than TLS and much more foolproof. There is even a video explaining how it works.


Implementations already exist in C, Go, Haskell and Rust (from the author himself). It would be nice to see an implementation from someone like Google; it is a worthwhile thing.

Argon2


I have already written about this memory-hard algorithm for password hashing. I repeat: don't just use hash(salt + password); use a proper KDF such as scrypt, bcrypt, or Argon2, which is superior to them. What's new: good slides (pdf) from the latest conference have appeared, and don't forget about the coin based on it; it could turn out to be quite a promising ASIC-free currency.

Reverse engineering the S-box of the Kuznyechik (Grasshopper) cipher



An interesting analysis of the new Russian encryption and hashing algorithms Kuznyechik (Grasshopper), Stribog and Stribob by Alex Biryukov, Léo Perrin and Aleksei Udovenko shows that their key element, the 16x16 substitution table (S-box), was not generated randomly, as the developers claim, but by means of a hidden algorithm (pdf).



Quite an interesting result, which raises suspicions of a hidden backdoor. Otherwise, why lie?

That's all from me; see you in the next digests!

PS

Another piece of good news from BalinTomsk.

Source: https://habr.com/ru/post/301180/
