Accumulated test vectors make it possible to run large sets of random known-answer tests without checking in large assets.
The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partially because the normative reference is split over at least four separate documents, but in practice it’s approved for almost any purpose.
ML-KEM private key seeds are vastly preferable to expanded decapsulation keys as a storage format. A plea to standardize on them.
The age plugin system allows integrating third-party recipient types at the CLI level. A new framework makes it easy to implement plugins.
Announcing Geomys, a small firm of professional maintainers with a portfolio of critical Go projects.
XAES-256-GCM is a new AEAD extended-nonce algorithm designed for high-level APIs and FIPS 140 compliance.
A short document describing how I maintain open source projects. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations.
Hardware secure elements make it possible to use low-entropy secrets like PINs for encryption.
filippo.io/mlkem768 is a pure-Go implementation of the post-quantum key exchange mechanism ML-KEM-768 optimized for correctness and readability.
How much linear algebra and polynomials do you need to know to implement Kyber? Turns out, very little!
Elliptic curves are standardized, instead of being generated like Diffie-Hellman parameters. There's good reasons!
Announcing a $12,288 bounty (tripled to charity) for cracking the five seeds selected by the NSA in the '90s for the NIST elliptic curve standard.
I want the extended-nonce 256-bit reduced-rounds XAES-256-GCM/11 AEAD. It has infinitely randomizable nonces, a comfortable margin of multi-user security, and nearly the same performance as AES-128-GCM. Only issue is that it doesn’t exist.
A recent issue in scalar multiplication makes for a good case study of how unsafe interfaces, undocumented assumptions, and time lead to vulnerabilities.
Go 1.20 was a big release. Go 1.21 has some exciting API work on crypto/tls, and some follow-up work including crypto/rsa performance.
Protocols that use randomness should make it a deterministic function that takes a fixed-size string of random bytes, so it can be tested.
It works! I am now a full-time independent open-source maintainer. I'm announcing my first cohort of six clients, and sharing some details of how the model works.
I updated the whoami.filippo.io dataset! I explain how it works, and how I fetched the new data.