Google recently officially open-sourced Paranoid, a project for identifying common vulnerabilities in cryptographic artifacts.

Paranoid supports testing of several cryptographic artifacts, including digital signatures, general pseudorandom numbers, and public keys, to identify problems caused by programming errors or the use of weak proprietary random number generators.

According to Google’s official information, Paranoid can inspect any artifact, even those generated by an unknown implementation (what Google calls a “black box”, whose source code cannot be inspected).

An artifact may be generated by a black box rather than by our own tools (such as Tink) or by a library that we can inspect and test with Wycheproof. While this is not secure enough, unfortunately we sometimes end up relying on black-box-generated artifacts.

Google has used Paranoid to examine cryptographic artifacts in Certificate Transparency (CT) – which contains over 7 billion issued website certificates – and discovered thousands of certificates affected by critical and high-severity RSA public key vulnerabilities. Most of these certificates have expired or been revoked.
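One well-known class of RSA public-key weakness caused by a faulty random number generator is two keys sharing a prime factor, which a black-box check can detect from the public moduli alone. The following is an added illustration of such a check (batch GCD over a product/remainder tree) written for this article; it is not code from Google's Paranoid project, and the moduli are constructed toy values.

```python
# Added illustration, not code from Google's Paranoid project: a black-box check
# on RSA public keys that flags moduli sharing a prime factor, the classic
# fingerprint of a weak random number generator. Only the public moduli are
# needed; nothing about the generating implementation has to be known.
from math import gcd
from typing import Dict, List


def batch_gcd(moduli: List[int]) -> List[int]:
    """Return gcd(N_i, product of all other N_j) for every modulus, using a
    product tree and a remainder tree so the cost stays near-linear in the
    number of keys (pairwise GCDs would be quadratic in the key count)."""
    if not moduli:
        return []
    levels = [list(moduli)]
    while len(levels[-1]) > 1:  # build the product tree bottom-up
        cur = levels[-1]
        levels.append([cur[k] * cur[k + 1] if k + 1 < len(cur) else cur[k]
                       for k in range(0, len(cur), 2)])
    rems = [levels[-1][0]]  # root holds the product P of all moduli
    for level in reversed(levels[:-1]):  # remainder tree: P mod node^2
        rems = [rems[k // 2] % (level[k] ** 2) for k in range(len(level))]
    # (P mod N^2) // N equals (P / N) mod N, so this yields gcd(P / N, N)
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_rsa_keys(moduli: List[int]) -> Dict[int, int]:
    """Map each index whose modulus shares a factor with another key to that
    factor; a result equal to the modulus itself means a duplicated key."""
    return {i: g for i, g in enumerate(batch_gcd(moduli)) if g != 1}


# Constructed sample: five small toy moduli; keys 2 and 3 were "generated" by
# a faulty RNG that produced the prime 10061 twice. Real keys are 2048+ bits.
SAMPLE_MODULI = [
    10007 * 10009,
    10037 * 10039,
    10061 * 10067,
    10061 * 10079,
    10091 * 10093,
]

if __name__ == "__main__":
    for idx, factor in find_weak_rsa_keys(SAMPLE_MODULI).items():
        print(f"key {idx}: shares factor {factor}; modulus factors, revoke it")
```

A key flagged this way is fully compromised, since the shared factor splits the modulus; the only remediation is revocation and re-issuance from a sound generator.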

Google open sourced the library, not only to allow others to use it, but also to increase transparency and accept contributions from outsiders. Hopefully researchers will add checks to the library as cryptographic vulnerabilities are discovered and reported. This allows Google and other users to quickly respond to new threats.

The Paranoid project contains checks for ECDSA signatures and for RSA and EC public keys, and is actively maintained by the Google security team. The project is also designed to be light on computing resources: the checks must be fast enough to run against a large number of artifacts and practical in a real-world production environment.

Project address: https://github.com/google/paranoid_crypto
