## BoringSSL's FIPS 140-2 validation

FIPS 140-2 requires that one of its PRNGs be used (which they call DRBGs). In BoringCrypto, we use CTR-DRBG with AES-256 exclusively and RAND_bytes (the primary interface for the rest of the system to get random data) takes its output from there.

## Attacks on SHA-3

Based on this we propose a new distinguisher called SymSum for the SHA3 family which penetrates up to 9 rounds and outperforms the ZeroSum distinguisher by a factor of four.

## Google and CWI Amsterdam collaborate to find the first SHA-1 collision

Google and CWI Amsterdam have formally broken SHA-1: "Announcing the first SHA1 collision". And, unsurprisingly, since everyone now likes to register a domain for every security issue: "SHAttered".

After downloading shattered-1.pdf and shattered-2.pdf to check, you can see that two different files have the same SHA-1 value:

```
gslin@home [/tmp] [21:33/W4] sha1sum *.pdf

gslin@home [/tmp] [21:33/W4] sha256sum *.pdf
d4488775d29bdef7993367d541064dbdda50d383f89f0aa13a6ff2e0894ba5ff  shattered-2.pdf
```

• 6,500 years of CPU computation to complete the attack first phase
• 110 years of GPU computation to complete the second phase

GIT strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits. It is essentially possible to create two GIT repositories with the same head commit hash and different contents, say a benign source code and a backdoored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision.

## NIST begins soliciting Post-Quantum Cryptography algorithms

Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we're assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections.

At this point the experiment is concluded. We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment.

## Security issue in Libgcrypt and GnuPG

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.

A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhastily revoke keys.

## Google Chrome introduces CECPQ1 and begins testing Post-Quantum Cryptography

Quantum computers have a large impact on existing cryptography. For example, RSA is a system built on the hardness of integer factorization, and on a quantum computer there is an efficient algorithm for that problem, namely Shor's algorithm.

We explicitly do not wish to make our selected post-quantum algorithm a de-facto standard. To this end we plan to discontinue this experiment within two years, hopefully by replacing it with something better.

## The 2015 Turing Award goes to Whitfield Diffie and Martin E. Hellman

Diffie–Hellman key exchange was the world's first algorithm (1976) for establishing a shared secret over a public channel. It is still widely used today and defends against passive eavesdropping attacks:

The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel.

A secure communication protocol is said to have forward secrecy if compromise of long-term keys does not compromise past session keys.
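The exchange and the forward-secrecy property just quoted, as an added example that is not from any of the posts above: both parties derive the same session key from values a passive eavesdropper can see, degenerate public values are rejected, and fresh ephemeral exponents per session mean a later key compromise reveals nothing about earlier sessions. The group parameters are a toy assumption chosen for readability, not a standardized group.

```python
import hashlib
import secrets

# Toy group parameters (assumption, illustration only): real deployments use a
# standardized group such as an RFC 7919 finite-field group or an elliptic curve.
P = 2**127 - 1   # a Mersenne prime; large enough that brute force is not an option
G = 3


def valid_public(value):
    """Reject 0, 1 and p-1: those public values force a trivial shared secret."""
    return 1 < value < P - 1


def keygen():
    """Ephemeral key pair: random private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1          # 1 <= x <= p-2
    return x, pow(G, x, P)


def derive_session_key(my_private, peer_public):
    """Session key = SHA-256 of the shared secret g^(ab) mod p."""
    if not valid_public(peer_public):
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange():
    """One session. The transcript is everything an eavesdropper on the public
    channel observes: p, g and the two public values, never the exponents."""
    a, A = keygen()
    b, B = keygen()
    transcript = (P, G, A, B)
    k_alice = derive_session_key(a, B)
    k_bob = derive_session_key(b, A)
    # Forward secrecy: the ephemeral exponents are discarded after use, so a
    # later compromise of long-term credentials cannot reproduce this key.
    del a, b
    return k_alice, k_bob, transcript


def sessions_use_distinct_keys():
    """Two runs share no key material: each session draws fresh exponents."""
    k1, _, _ = run_exchange()
    k2, _, _ = run_exchange()
    return k1 != k2
```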

## The Dutch government donates €500,000 to OpenSSL

The Dutch government has formally opposed the introduction of backdoors in encryption products.

A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."

The formal position comes just months after the Dutch government approved a €500,000 (\$540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library.