## NIST begins soliciting Post-Quantum Cryptography algorithms

Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we're assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections.

At this point the experiment is concluded. We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment.

## Security issues in Libgcrypt and GnuPG

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug has existed since 1998 in all GnuPG and Libgcrypt versions.

A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhasty revoke keys.

## Google Chrome introduces CECPQ1 and begins testing Post-Quantum Cryptography

Quantum computers have a large impact on existing cryptography. RSA, for example, is built on the hardness of integer factorization, and on a quantum computer an efficient algorithm for that problem exists, namely Shor's algorithm.

We explicitly do not wish to make our selected post-quantum algorithm a de-facto standard. To this end we plan to discontinue this experiment within two years, hopefully by replacing it with something better.

## The 2015 Turing Award goes to Whitfield Diffie and Martin E. Hellman

Diffie–Hellman key exchange was the world's first algorithm (1976) for establishing a shared secret over a public channel. It is still widely used today and defends against passive eavesdropping:

The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel.

A secure communication protocol is said to have forward secrecy if compromise of long-term keys does not compromise past session keys.

## The Dutch government donates €500,000 to OpenSSL

The Dutch government has formally opposed the introduction of backdoors in encryption products.

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."

The formal position comes just months after the Dutch government approved a €500,000 (\$540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library.

## Why 224-bit ECDH in OpenSSL is faster than 160/192-bit

Running `openssl speed ecdh` shows a very peculiar result:

```
Doing 160 bit  ecdh's for 10s: 40865 160-bit ECDH ops in 9.99s
Doing 192 bit  ecdh's for 10s: 34169 192-bit ECDH ops in 9.99s
Doing 224 bit  ecdh's for 10s: 60980 224-bit ECDH ops in 9.99s
Doing 256 bit  ecdh's for 10s: 34298 256-bit ECDH ops in 10.00s
Doing 384 bit  ecdh's for 10s: 9602 384-bit ECDH ops in 10.00s
Doing 521 bit  ecdh's for 10s: 9127 521-bit ECDH ops in 9.99s
```

We present a 64-bit optimized implementation of the NIST and SECG-standardized elliptic curve P-224.

full TLS handshakes using a 1024-bit RSA certificate and ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 now run at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster.

The OpenSSL CHANGES file also shows the corresponding change: not only NIST-P224 was improved, NIST-P256 and NIST-P521 were as well:

Add optional 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256, NIST-P521, with constant-time single point multiplication on typical inputs.
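To make the anomaly above easy to spot in your own benchmark runs, here is an added example (not code from the post or from OpenSSL) that parses the `openssl speed ecdh` output format quoted above into operations per second and reports any curve that outruns every smaller curve. The sample input is the six lines from the post; the regex and the helper names are assumptions of this example.

```python
"""Parse `openssl speed ecdh` output and flag curves faster than smaller ones (added example)."""
import re

# Constructed sample: the six lines quoted in the post above.
SAMPLE_OUTPUT = """\
Doing 160 bit  ecdh's for 10s: 40865 160-bit ECDH ops in 9.99s
Doing 192 bit  ecdh's for 10s: 34169 192-bit ECDH ops in 9.99s
Doing 224 bit  ecdh's for 10s: 60980 224-bit ECDH ops in 9.99s
Doing 256 bit  ecdh's for 10s: 34298 256-bit ECDH ops in 10.00s
Doing 384 bit  ecdh's for 10s: 9602 384-bit ECDH ops in 10.00s
Doing 521 bit  ecdh's for 10s: 9127 521-bit ECDH ops in 9.99s
"""

# Matches "Doing <bits> bit  ecdh's for <n>s: <ops> <bits>-bit ECDH ops in <secs>s".
LINE_RE = re.compile(
    r"^Doing (?P<bits>\d+) bit\s+ecdh's for \d+s: "
    r"(?P<ops>\d+) \d+-bit ECDH ops in (?P<secs>[\d.]+)s$"
)


def parse_speed(text: str) -> list[tuple[int, float]]:
    """Return (curve_bits, ops_per_second) for every matching line, in input order.
    Lines that do not match (headers, other algorithms) are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        bits = int(m.group("bits"))
        rate = int(m.group("ops")) / float(m.group("secs"))
        rows.append((bits, rate))
    return rows


def faster_than_every_smaller(rows: list[tuple[int, float]]) -> list[int]:
    """Curve sizes whose throughput exceeds that of every smaller curve.
    Under a single generic implementation a bigger field should never win,
    so a hit points at a specialised implementation such as the 64-bit P-224 code."""
    hits = []
    for bits, rate in rows:
        smaller = [r for b, r in rows if b < bits]
        if smaller and rate > max(smaller):
            hits.append(bits)
    return hits


if __name__ == "__main__":
    rows = parse_speed(SAMPLE_OUTPUT)
    for bits, rate in rows:
        print(f"{bits:4d}-bit: {rate:8.1f} ops/s")
    print("faster than every smaller curve:", faster_than_every_smaller(rows))
```

On the quoted numbers only the 224-bit curve is flagged: it runs at roughly 6104 ops/s against about 4090 ops/s for 160-bit and 3420 ops/s for 192-bit, consistent with the optimized P-224 implementation described in the paper and the CHANGES entry.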