Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.
filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.
How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!
Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There's good reasons!
Announcing a $8,192 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.
I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesn't exist.
A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.
Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.
Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.
It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.
I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.
A lot of new cryptography is landing in Go 1.20, including the new crypto/ecdh package and math/big-less RSA and ECDSA backends!
A description of my password management solution based on passage, a fork of pass that uses age, and YubiKeys. Its main feature is resisting post-compromise exfiltration.
Go 1.20 is adding an interning cache for reused certificates. The entries are reference-counted with the help of the garbage collector and finalizers.
We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.
Having a direct line to the maintainers of Open Source projects is reciprocally valuable, and made possible by high-touch contractual relationships.
age currently only provides confidentiality. We look at how a couple small tweaks can introduce authentication, when you'd need it, and how it is different from signing.
My plans for Go 1.20 include landing the crypto/ecdh package, making progress on moving math/big out of the security perimeter, and a batch of crypto/tls work.
In line with the original spirit of Cryptography Dispatches, this is a quick[1] issue to talk about a neat bit of cryptography engineering I encountered. The structure of an ECC implementation: elliptic curve cryptography implementations all roughly share the following structure: th …
We look into a neat trick that allowed replacing the last bit of unreadable edwards25519 code, and learn about the structure and lineage of ECC implementations.
They're here! NIST selected a first batch of post-quantum cryptographic key exchange and signature algorithms. The report is a nice read that explains a lot of the goals, candidates, selections, and rationales. I recommend Sections 2, 3.3, and 4.1. For key exchange, NIST sel …
NIST selected a post-quantum cryptographic KEM. We look at how it works and how we can use it for file encryption with age.
To successfully fund Open Source projects, companies should: pay the maintainers; pay them real money; pay for maintenance; and keep paying them.
Fully reproducible builds are important because they bridge the gap between auditable open source and convenient binary artifacts. Technologies like TUF and Binary Transparency provide accountability for what binaries are shipped to users, but that's of limited utility if there i …
[Russian] Go has good support for calling into assembly, and a lot of the fast cryptographic code in the stdlib is carefully optimized assembly, bringing speedups of over 20 times. However, writing assembly code is hard, reviewing it is possibly harder, and cryptography is unf …
Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.
This is the first article I wrote for the Go blog (!!) about how TLS cipher suites configuration got so complicated, and how we've made it way easier in Go 1.17. The Go standard library provides crypto/tls, a robust implementation of Transport Layer Security (TLS), the most impo …
This is the story of a bug that was discovered and fixed in Telegram's self-rolled cryptographic protocol about seven years ago. The bug didn't get any press, and no one seems to know about it, probably because it was only published in Russian. To this day, it's the most backdoo …
A lot of my job is implementing specifications, and sometimes in a crypto spec you'll encounter something like this: $x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8} \pmod p$, and what you do is nod, copy it into a comment, break it down into
Project Zero dropped a great bug in Vault which I think would have been prevented by one of the lessons learned of cryptography engineering: when you can, always prefer reconstructing a value rather than parsing and validating it. You should read the blog post to understand the …
When talking about high-level application cryptography APIs I usually hear mentioned libsodium, Tink, pyca/cryptography, and NaCl. One of these things is not like the others! The value NaCl had 10 years ago was that it was an opinionated library at a time when all cryptography l …
Cryptographic protocols and specifications often come with registries that map numeric or string identifiers to algorithms or suites. Something like this. 1 RSA-PSS-SHA256 2 RSA-PSS-SHA512 3 ECDSA-P256-SHA256 4 ECDSA-P521-SHA512 5 Ed25519 ... You'll find them eve …
I asked my Twitter followers what I should talk about in this issue, and those trolls picked PGP and security vulnerability reporting, so here goes nothing. As you probably know, the school of modern cryptography thinking I subscribe to says that tools and protocols should be sm …
I want to start by acknowledging that tech is not the most important thing happening around me at the moment. It's critical to understand our role in fixing the issues in the system we are part of. I found that Russ Cox captured that message very well in a recent
X25519 is a simple Elliptic Curve Diffie-Hellman (ECDH) function: it takes a scalar (a fancy name for an integer[1]) and an elliptic curve point, and it multiplies the elliptic curve point by the scalar. Point additions and multiplications work modulo the order of the point, jus …
OpenSSH is on a roll. In February, OpenSSH 8.2 introduced first-class support for FIDO2 (née U2F) security keys, making hardware backed keys accessible for less than $20. This is not some complicated PAM setup, or some janky cryptographic trick, but a proper public key type, whe …