Daniel J. Bernstein (@hashbreaker)'s Twitter Profile
Daniel J. Bernstein

@hashbreaker

Designing cryptography (deployed now: X25519, Ed25519, ChaCha20, sntrup, Classic McEliece) to proactively reduce risks. Coined phrase "post-quantum" in 2003.

ID: 58326841

Link: https://cr.yp.to/djb.html
Joined: 19-07-2009 23:41:10

2,2K Tweets

22,22K Followers

23 Following

Daniel J. Bernstein (@hashbreaker):

New blog post "Bibliography keys: It's as easy as [1], [2], [3]." blog.cr.yp.to/20240612-bibke… #bibliographies #citations #bibtex #votemanipulation #paperwriting

Daniel J. Bernstein (@hashbreaker):

libmceliece-20240726 now available from lib.mceliece.org. Simple new mceliece-fulltest wrapper parallelizes the valgrind-based tests for constant-time behavior of the binaries. Source includes state-of-the-art defenses against compilers introducing timing variations.

Daniel J. Bernstein (@hashbreaker):

Gave a burst of new talks over the past week, including intros to (1) patents, (2) timing variations in crypto code, (3) modern tools to avoid bugs in rewriting snippets to run in constant time, and, on the more mathematical side, (4) cola cryptography: cr.yp.to/talks.html

Solar Designer (@solardiz):

Liked this snippet: "April 2024: I pointed out that current compilers are sometimes “optimizing” arithmetic into bool. What’s optblocker? optblocker is a volatile variable set to 0. The usage of optblocker is designed to prevent compilers from seeing that there’s a 1-bit result."
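
The quoted snippet describes a defensive pattern rather than showing code, so here is an added, self-contained C illustration of it. This is not code from the blog post, from cryptoint or from libmceliece; the function names are made up for this example, and the test inputs are constructed. The idea it demonstrates: when a compiler can prove that a value is only ever 0 or 1, it may rewrite mask arithmetic such as `0 - bit` into a comparison or a branch that runs in data-dependent time. XOR-ing the value with a `volatile` zero first (the "optblocker") hides that range information, so the arithmetic stays arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The "optblocker": a volatile zero that the compiler must reload and
 * cannot fold away. XOR-ing a value with it makes the value opaque, so
 * the optimizer no longer knows it is a 1-bit (bool-like) quantity.
 * (Constructed example of the pattern quoted above; not the blog's code.) */
static volatile uint64_t optblocker = 0;

/* 0 -> 0x0000...0, 1 -> 0xFFFF...F, computed with plain arithmetic so
 * the compiler is not tempted to emit a branch on the bit's value. */
static uint64_t ct_mask_from_bit(uint64_t bit) {
    uint64_t b = bit ^ optblocker;   /* now an arbitrary-looking uint64_t */
    return 0 - b;                    /* unsigned negate: all-ones iff b == 1 */
}

/* Constant-time select: x when bit == 1, y when bit == 0. */
static uint64_t ct_select(uint64_t bit, uint64_t x, uint64_t y) {
    uint64_t mask = ct_mask_from_bit(bit);
    return y ^ (mask & (x ^ y));
}

/* Constant-time zero test: 1 iff v == 0. The top bit of (v-1) & ~v is set
 * exactly when v == 0, so no comparison instruction is needed. */
static uint64_t ct_is_zero(uint64_t v) {
    uint64_t w = v ^ optblocker;
    return ((w - 1) & ~w) >> 63;
}

/* Constant-time 64-bit equality: 1 iff a == b. */
static uint64_t ct_equal(uint64_t a, uint64_t b) {
    return ct_is_zero(a ^ b);
}

/* Constant-time comparison of two equal-length byte strings (e.g. MAC tags):
 * 1 iff identical. Every byte is visited regardless of where a mismatch is. */
static uint64_t ct_memeq(const unsigned char *a, const unsigned char *b, size_t n) {
    uint64_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint64_t)(a[i] ^ b[i]);
    return ct_is_zero(diff);
}

int main(void) {
    /* Constructed sample inputs. */
    const unsigned char tag_a[4] = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char tag_b[4] = {0xde, 0xad, 0xbe, 0xee};
    printf("select(1)=%llu select(0)=%llu\n",
           (unsigned long long)ct_select(1, 10, 20),
           (unsigned long long)ct_select(0, 10, 20));
    printf("equal(5,5)=%llu equal(5,6)=%llu\n",
           (unsigned long long)ct_equal(5, 5),
           (unsigned long long)ct_equal(5, 6));
    printf("memeq(a,a)=%llu memeq(a,b)=%llu\n",
           (unsigned long long)ct_memeq(tag_a, tag_a, 4),
           (unsigned long long)ct_memeq(tag_a, tag_b, 4));
    return 0;
}
```

The `volatile` read only removes the compiler's range knowledge; it is not a guarantee about the emitted code. The check a practitioner wants alongside it is exactly the kind of valgrind-based scan mentioned elsewhere on this page (mceliece-fulltest, TIMECOP): compile with the optimization level actually shipped and confirm that no branch or memory index depends on the secret bit.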

Daniel J. Bernstein (@hashbreaker):

New blog post "Clang vs. Clang": blog.cr.yp.to/20240803-clang… You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans

Bas Westerbaan (@bwesterb):

If Clang continues on its current path, it soon can’t be safely used anymore to compile cryptography. And honestly, we might have reached that point already.

Daniel J. Bernstein (@hashbreaker):

libmceliece-20240812 now available from lib.mceliece.org. More unification of field-arithmetic code across parameter sets; more parallelization inside mceliece-fulltest; more use of cryptoint. Now tested on amd64 (with and without AVX2), arm64, mips64, ppc64le, x86.

Bas Westerbaan (@bwesterb):

The very first post-quantum standards from NIST are out: ML-KEM, ML-DSA, and SLH-DSA aka FIPS 203, 204, 205. nvlpubs.nist.gov/nistpubs/fips/… nvlpubs.nist.gov/nistpubs/fips/… nvlpubs.nist.gov/nistpubs/fips/… Spotted by Matthias Kannwischer. linkedin.com/posts/mkannwis…

Daniel J. Bernstein (@hashbreaker):

W et al., Crypto 2024: "we show that the latency of exponentiation can be reduced using parallel computation, against the preliminary assumptions". Speaker today claimed VDF people missed this. I had pointed it out in Q&A for a 2019 VDF talk by W (youtube.com/watch?v=_x4Rsc…, 20:49).

Daniel J. Bernstein (@hashbreaker):

John Kelsey a moment ago at the Crypto 2024 rump session: ~"I don't even know how to pronounce this. Slush-DSA? The government names are a lot less nice than Kyber, Dilithium, SPHINCS+." So why did they change? Darth Vader + the Borg coming after NIST for trademark infringement?

Daniel J. Bernstein (@hashbreaker):

Amazing gap between attack reality and cryptographer perceptions. Reality: Bitcoin-mining hardware is five orders of magnitude more efficient than general-purpose CPUs. Perceptions: Niels Ferguson claims at Crypto 2024 that attackers will use CPUs instead of optimizing circuits.

Daniel J. Bernstein (@hashbreaker):

Seyoon Ragavan's talk at Crypto 2024 described the latest quantum factoring algorithms as being better than previous algorithms once n is beyond "small" sizes. Could be true, but hasn't been justified: the comparison ignores earlier use of surface codes (never mind better codes).

Daniel J. Bernstein (@hashbreaker):

What's the best way to minimize overall risks (patent risks + mathematical-security risks + implementation risks) of post-quantum encryption? McEliece. But what if your application needs small one-time keys? Happy to announce the release of libntruprime: libntruprime.cr.yp.to

Daniel J. Bernstein (@hashbreaker):

Some tools at different layers that would have stopped timing attacks against ECDSA nonce-inversion software: (1) the safegcd algorithm, gcd.cr.yp.to; (2) switching from ECDSA to EdDSA, typically Ed25519; (3) using TIMECOP (bench.cr.yp.to/tips.html#time…) to scan for leaks.

Daniel J. Bernstein (@hashbreaker):

This year IETF appointed a "Security Area Director" whose August 2024 conflict-of-interest filing lists NSA as a source of income: ietf.org/about/groups/i… Profile says retired from NSA "with 37+ years of service in Dec 2023", still "working as a Stand-by Active Reservist at NSA".

Daniel J. Bernstein (@hashbreaker):

IETF: "Pervasive Monitoring Is an Attack... The IETF Will Work to Mitigate Pervasive Monitoring". Also IETF: ~"It's perfectly fine that we had an NSA employee co-chairing IRTF's Crypto Forum Research Group, and that we now have an NSA employee as IETF Security Area Director."

Tanja Lange (@hyperelliptic):

Service announcement for ECC 2024 (Workshop on Elliptic Curve Cryptography): If you want to book one of the rooms in the Academia Sinica Guest House (=nice hotel on campus next to venue) you need to have requested that before 20 September, see troll.iis.sinica.edu.tw/ecc24/registra…