Hi %username%

Time for a fresh batch of crypto news, before it stops being news. In this issue:
- A new record for computing discrete logarithms
- A VPN server and client built on the Noise protocol
- Post-quantum cryptography in Chrome, today!
- What you do not know about the new E2E encryption on Facebook
- RLWE sheds its R, and is better for it
- Comodo wanted to grab Let's Encrypt, but failed. And Let's Encrypt will support DynDNS from tomorrow
- Minimum requirements for side-channel-resistant implementations of RSA, DSA and DH have been published
The previous issue is here.

Record discrete logarithm computation
A group of researchers from EPFL and the University of Leipzig computed a discrete logarithm modulo a 768-bit prime. It took them 200 cores running since February 2015, using a variant of the number field sieve. The discrete logarithm record has thus caught up with factoring, where the record for general numbers is also 768 bits.
WireGuard: a VPN built on the most fashionable cryptographic algorithms
The Noise protocol spec had barely been published when a solution based on it appeared.
A very minimalistic VPN that uses the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24 and HKDF. It runs in kernel mode, but userspace versions in Go and Rust are being actively hacked on. Worth a look, a very cool thing.
Google added post-quantum encryption to Chrome Canary
Read more here. It uses the New Hope algorithm, which is based on the RLWE problem, which in turn is a particular variant of lattice cryptography. This is a relatively young field of cryptography, still poorly understood, and therefore not something you can use in real life yet. But as an experiment, why not?
E2E encryption on Facebook lets you report your conversation partner
They called this mechanism Franking. It lets you send an abuse report when necessary. It works as follows:
- A random key N_f is generated
- Compute T_f = HMAC-SHA256(N_f, M)
- N_f is concatenated with M and encrypted under the recipient's key. T_f and the ciphertext are sent to the server
- The server computes R_f = HMAC-SHA256(facebook key, T_f || metadata (who, to whom, ...))
- R_f, T_f and the ciphertext are delivered to the recipient
- The recipient decrypts the ciphertext, computes HMAC(N_f, M) and compares it with T_f. If the comparison fails, the message is discarded.
- If the recipient wants to complain to Facebook, they send it the decrypted message, R_f and N_f
- Facebook verifies that this is exactly the message the sender sent and takes the appropriate action
So wriggling out of having called Vasya a goat won't work.
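To make the flow concrete, here is an added Python sketch of the franking steps above (my own illustration, not Facebook's code). The encryption of N_f || M under the recipient's key is left out, so the functions operate on the plaintext the recipient would hold after decrypting; the server key, the metadata layout and the 32-byte size of N_f are assumptions.

```python
import hmac
import hashlib
import secrets


def _mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, the primitive every franking step is built from."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sender_frank(message: bytes):
    """Sender: pick a random N_f and compute T_f = HMAC(N_f, M). Returns (N_f, T_f)."""
    n_f = secrets.token_bytes(32)  # assumption: 32-byte random franking key
    return n_f, _mac(n_f, message)


def server_stamp(server_key: bytes, t_f: bytes, metadata: bytes) -> bytes:
    """Server: R_f = HMAC(facebook key, T_f || metadata). It never sees M or N_f."""
    return _mac(server_key, t_f + metadata)


def recipient_check(n_f: bytes, message: bytes, t_f: bytes) -> bool:
    """Recipient: recompute HMAC(N_f, M) and compare with T_f; drop the message on mismatch."""
    return hmac.compare_digest(_mac(n_f, message), t_f)


def facebook_verify_report(server_key: bytes, message: bytes, n_f: bytes,
                           r_f: bytes, metadata: bytes) -> bool:
    """Facebook: rebuild T_f from the reported (M, N_f), then R_f from its own key
    and the metadata it stored when relaying; a forged M or N_f cannot reproduce R_f."""
    t_f = _mac(n_f, message)
    return hmac.compare_digest(_mac(server_key, t_f + metadata), r_f)


def demo():
    """Runs an honest exchange plus two bad reports; returns the four verdicts."""
    server_key = secrets.token_bytes(32)              # assumption: Facebook's secret key
    metadata = b"from=alice;to=bob;ts=1"              # assumption: metadata layout (constructed)
    message = b"Vasya, you are a goat"                 # constructed sample message
    n_f, t_f = sender_frank(message)
    r_f = server_stamp(server_key, t_f, metadata)
    delivered_ok = recipient_check(n_f, message, t_f)
    honest_report = facebook_verify_report(server_key, message, n_f, r_f, metadata)
    forged_text = facebook_verify_report(server_key, b"Vasya, you are a saint", n_f, r_f, metadata)
    wrong_meta = facebook_verify_report(server_key, message, n_f, r_f, b"from=bob;to=alice;ts=1")
    return delivered_ok, honest_report, forged_text, wrong_meta


if __name__ == "__main__":
    print(demo())
```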
RLWE without R
So, there is lattice cryptography. The good part is that a future quantum computer will not break it. But its parameters are huge, with key sizes reaching megabytes. A special case of it is called learning with errors. LWE is also very cool, but because of the key-size and other limitations it was unrealistic to use in production. So rings were added to LWE and the result was called RLWE, which is what Chrome Canary already uses, i.e. there the parameters have become more or less human in size.
Unfortunately, how well an algorithm is understood is inversely proportional to how clever it is, and adding rings may have weakened LWE. So a group of folks implemented key agreement without rings and published a paper on it. Messages in each direction fit within 12 KB, and the key agreement takes about 1.3 ms. That is about 5 times the cost of a DH handshake and reduces TLS server throughput by a factor of 1.6, but it is already comparable to New Hope and usable in practice. And the construction is more secure.
Comodo screwed up
They decided to register the trademark Let's Encrypt for several of their services. Not only do they sell air, someone else's fame also gives them no peace. But the community rallied, leaned on the chest of drawers and won the trademark back. Details here.
By the way, after tomorrow's update you can bolt free TLS onto DynDNS hosts! Super cool, every hamster will now have a certificate.
Defending against side-channel attacks
It is no secret that information about encryption keys can now be extracted remotely through almost anything, fans included. So constant-time implementations, whose timing does not depend on the input data, are becoming increasingly popular. The Germans have published minimum requirements for implementations; following them makes extracting secret data through side channels harder.
An interesting document, I advise you to read it.
That's all from me, until next time!