Hi All,

We are pleased to announce the release of version 1.8.2 of the
BouncyCastle C# Crypto API.

The main security fix is for an issue with EC math:

"Carry propagation bugs in the implementation of squaring for several
raw math classes have been fixed (Org.BouncyCastle.Math.Raw.Nat???).
These classes are used by our custom elliptic curve implementations
(Org.BouncyCastle.Math.Ec.Custom.**), so there was the possibility of
rare (in general usage) spurious calculations for elliptic curve scalar
multiplications. Such errors would have been detected with high
probability by the output validation for our scalar multipliers. We
consider these bugs to be exploitable for static ECDH with long-term
keys, per 'Practical realisation and elimination of an ECC-related
software bug attack', Brumley et al."

There is also an important note regarding the Poly1305 implementation:

"This release brings our Poly1305 implementation into line with RFC 7539,
which breaks backward compatibility. The essential difference from 1.8.1
is that the two halves of the 32-byte Poly1305 key have swapped places.
If you have persisted Poly1305 keys, or are interoperating with other
Poly1305 implementations, you may need to account for this change when
migrating to 1.8.2."

The release also adds several new algorithms, including BCrypt,
BLAKE2b/2s, GOST R 34.11-2012 and DSTU-7564, plus many minor fixes and
improvements throughout the code.

We encourage all users of the library to upgrade to this version. Please
visit http://www.bouncycastle.org/csharp/ for the release notes and to
download the .NET 1.1 assembly or the source code. Also see
https://github.com/bcgit/bc-csharp/pulls?q=is%3Apr+is%3Aclosed for
details of resolved issues.

If you are interested in tracking code changes, our git repositories are
mirrored to github: https://github.com/bcgit .

If you are interested in donating to the project, you can find the
details on how to donate via PayPal or Bitcoin, at:

https://www.bouncycastle.org/donate

If you prefer to use direct bank transfer please feel free to discuss it
with us by contacting us at off...@bouncycastle.org and we'll be happy
to help. The Legion of the Bouncy Castle is a registered Australian
charity based in the State of Victoria, Australia.

If you wish to sponsor specific work on Bouncy Castle or get a
commercial support contract for the APIs please contact us at Crypto
Workshop ( http://www.cryptoworkshop.com ).

Remember, you can also follow this project on Facebook (
https://www.facebook.com/legionofthebouncycastle ), Google+ (
https://plus.google.com/+BouncycastleOrgAPIs/posts ) and/or Twitter (
https://twitter.com/bccrypto ).

Regards,
Pete Dettman
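
The Poly1305 key-order change described in the announcement, as an added example that is not part of the original message and is not BouncyCastle code: a minimal RFC 7539 Poly1305 in Python, checked against the RFC's own test vector, plus a helper for keys persisted in the other order. It assumes that RFC 7539 defines the key as r || s and that a key stored for 1.8.1 therefore has the layout s || r; `poly1305_rfc7539`, `swap_key_halves`, `verify_tag` and `demo` are hypothetical names.

```python
import hmac

P = (1 << 130) - 5                          # Poly1305 prime
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # RFC 7539 clamp mask for r

def poly1305_rfc7539(key: bytes, msg: bytes) -> bytes:
    """One-shot Poly1305 with the RFC 7539 key layout: r (16 bytes) || s (16 bytes)."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be exactly 32 bytes")
    r = int.from_bytes(key[:16], "little") & CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16] + b"\x01"     # adds the 2^(8*len) bit
        acc = (acc + int.from_bytes(block, "little")) * r % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def swap_key_halves(key: bytes) -> bytes:
    """Convert between the two layouts; applying it twice returns the input."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be exactly 32 bytes")
    return key[16:] + key[:16]

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the expected and received tag."""
    return hmac.compare_digest(poly1305_rfc7539(key, msg), tag)

# Test vector from RFC 7539, section 2.5.2.
RFC_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

def demo():
    # Constructed input: the RFC key as it would sit on disk in the
    # assumed pre-1.8.2 order (s || r).
    persisted = swap_key_halves(RFC_KEY)
    unmigrated_ok = verify_tag(persisted, RFC_MSG, RFC_TAG)
    migrated_ok = verify_tag(swap_key_halves(persisted), RFC_MSG, RFC_TAG)
    return unmigrated_ok, migrated_ok

if __name__ == "__main__":
    print("unmigrated key verifies: %s, migrated key verifies: %s" % demo())
```

A persisted key used without migration does not raise an error; it only yields tags that no RFC 7539 peer will accept, so a known-answer check like this one belongs in the upgrade test suite.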


