The Paranoid project checks for well-known weaknesses in cryptographic artifacts such as public keys, digital signatures and general pseudorandom numbers. This library contains implementations and optimizations of existing work found in the literature. The existing work showed that the generation of these artifacts was flawed in some cases. The following are some examples of publications the library is based on.

The goal is to increase the confidence in cryptography use cases inside and outside Google.

When dealing with asymmetric encryption, crypto artifacts usually are:

* Generated by one of our own tools (e.g., at Google we use BoringSSL or Tink); or,
* Generated by third party tools that we have access to (so these tools can be, for example, checked for vulnerabilities using Wycheproof); or,
* Generated by third party tools and/or hardware or software black boxes that we do not have access to.

With Paranoid, any cryptographic artifact can be tested, but its primary motivation is to detect the usage of weak third party hardware or software black boxes. Hence, Paranoid can be used even if we are not able to inspect the source code (the third situation listed above).

The project aims to detect known vulnerabilities as well as unknown ones. For example, it tries to identify vulnerabilities caused by programming errors or the use of weak proprietary random number generators. Detecting new vulnerabilities is of course much more difficult than detecting known ones. Such detections may require large sets of artifacts, or may find weak ones only with a low probability.
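
To make the black-box idea concrete, here is an added example (not code from the Paranoid project, and the text above does not say which checks the library implements): a batch-GCD audit that flags RSA public moduli sharing a prime factor, a classic symptom of a weak random number generator that only shows up across a set of keys. The names `product_tree`, `batch_gcd`, `audit_moduli` and `SAMPLE_MODULI` are hypothetical, and the sample moduli are constructed from small Mersenne primes so the example runs instantly.

```python
import math

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of everything."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([math.prod(prev[i:i + 2]) for i in range(0, len(prev), 2)])
    return levels

def batch_gcd(moduli):
    """For each n_i, return gcd(n_i, product of all the other moduli)."""
    levels = product_tree(moduli)
    remainders = levels.pop()  # [P] for a non-empty input, [] otherwise
    while levels:
        nodes = levels.pop()
        # Reduce modulo node**2 so the final division by n_i below is exact.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(nodes)]
    return [math.gcd(n, r // n) for n, r in zip(moduli, remainders)]

def audit_moduli(moduli):
    """Label each modulus using only public data (no access to the generator)."""
    report = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            report.append("ok")
        elif g == n:
            # Duplicate modulus, or every prime of n also occurs in other keys.
            report.append("fully-shared")
        else:
            report.append("shared-factor")
    return report

# Constructed sample: products of Mersenne primes 2**k - 1 (toy sizes, not real keys).
M = {k: 2**k - 1 for k in (17, 19, 31, 61, 89, 107, 127)}
SAMPLE_MODULI = [
    M[31] * M[61],    # shares M[61] with the third key
    M[89] * M[107],   # shares nothing
    M[61] * M[127],   # shares M[61] with the first key
    M[17] * M[19],    # shares nothing
]

if __name__ == "__main__":
    for index, verdict in enumerate(audit_moduli(SAMPLE_MODULI)):
        print(f"key {index}: {verdict}")
```

A key flagged `shared-factor` or `fully-shared` should be treated as compromised and regenerated on a different device or library, since the same generator flaw is likely to affect its other outputs.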