Daniel J. Bernstein (@hashbreaker)'s Twitter Profile
Daniel J. Bernstein

@hashbreaker

Designing cryptography (deployed now: X25519, Ed25519, ChaCha20, sntrup, Classic McEliece) to proactively reduce risks. Coined phrase "post-quantum" in 2003.

ID: 58326841

Link: https://cr.yp.to/djb.html | Joined: 19-07-2009 23:41:10

2,3K Tweets

22,4K Followers

23 Following

Daniel J. Bernstein (@hashbreaker):

'Referees and other readers provided with a computer-checked proof spend much less time worrying about the possibility that the theorem is wrong' (quoted from Section 1 of 'Papers with computer-checked proofs', cr.yp.to/papers.html#pw…, September 2023)

Duncan Campbell (@duncan_2qq):

Ross Anderson (@rossjanderson): Professor Ross Anderson, FRS, FREng. Dear friend and treasured long-term campaigner for privacy and security, Professor of Security Engineering at Cambridge University and Edinburgh University, Lovelace Medal winner, has died suddenly at home in Cambridge.
Daniel J. Bernstein (@hashbreaker):

Searching for ways to communicate without exposing your information to Google? Here's a PDF ('Portable Document Format'), created with standard tools, containing a red message that's invisible to (pre-123) Chrome users: cr.yp.to/2024/20240324/… Joint work with Jolijn Cottaar.

Daniel J. Bernstein (@hashbreaker):

lib25519-20240321 released: lib25519.cr.yp.to lib25519-cr-yp-to.viacache.net Includes more speedups from Kaushik Nath, a simple use-s2n-bignum option, macOS support, and more. Still generally needs formal verification and auditing, but AWS's s2n-bignum code is formally verified.

Daniel J. Bernstein (@hashbreaker):

Fun fact noted in the code: if you change the first 0x30 in openssl_ed25519_lib25519.c to, say, 0x31, then the edtest script triggers a double-free in the OpenSSL core when it calls openssl req. String contents corrupting pointer structures! Hopefully never attacker-influenced strings.

Daniel J. Bernstein (@hashbreaker):

Releasing beta for auditing: small-ish OpenSSL 3 'providers' to use lib25519 (gives big speedups, although still needs verification) for X25519 and Ed25519. Code: cr.yp.to/2024/20240314/… cr.yp.to/2024/20240314/… Current test scripts: cr.yp.to/2024/20240314/… cr.yp.to/2024/20240314/…

Daniel J. Bernstein (@hashbreaker):

I clicked on 'Google's Threat model for Post-Quantum Cryptography'. 2MB page; below web average. I was hoping it would explain how Google sees Kyber-768 as such low risk as to not move up to Kyber-1024 (384 bytes larger key, 480 bytes larger ciphertext): bughunters.google.com/blog/510874798…

Dan Guido (@dguido):

Trail of Bits is making a big investment in post-quantum cryptography (PQC) this year. If that's something you're ready to work on, we're doing security reviews *and* custom engineering.

Tanja Lange (@hyperelliptic):

Math people: Here is a job opportunity with my new colleague Mireille Boutin at TU Eindhoven; good conditions & exciting new group in the making:
Assistant Prof in Applied Algebra and Geometry in Eindhoven jobs.tue.nl/en/vacancy/ass…
No application deadline: first come first serve

Daniel J. Bernstein (@hashbreaker):

2009: 'Not covered in this talk: other types of DoS attacks. e.g. DNSSEC advertising says zero server-CPU-time cost. How much server CPU time can we actually consume?' cr.yp.to/talks.html#200… Also posed the question in some later talks. Most recent answer: athene-center.de/fileadmin/cont…

Daniel J. Bernstein (@hashbreaker):

Columbia Accident Investigation Board, final report, 2003, volume 1 (history2.nasa.gov/columbia/repor…), page 191: 'The Board views the endemic use of PowerPoint briefing slides instead of technical papers as an illustration of the problematic methods of technical communication at NASA.'

Daniel J. Bernstein (@hashbreaker):

Recent claims of exponents for supposedly well-studied lattice attacks considering memory-access costs: 2023.11, web.archive.org/web/2023112521…: 0.396! Oops, wait, 0.349! 2023.12, web.archive.org/web/2023121920…: 0.349, or 0.329 in 3D! 2024.01, web.archive.org/web/2024011908…: 0.311, or 0.292 in 3D!

Daniel J. Bernstein (@hashbreaker):

Is there a name for the following failure pattern? (1) 'Don't worry about flaws in defense X: we have Y as another layer of defense.' (2) 'Don't worry about flaws in Y: we also have X.' (3) 'This real-world attack exploited flaws in X _and_ in Y? Nobody could have expected that!'

Daniel J. Bernstein (@hashbreaker):

Puzzled by AMD manuals saying that VPMASKMOV might fault on unused addresses. Does it actually do that on any AMD chips? Intel manuals guarantee it won't, making it useful for 256-bit processing of array lengths that aren't multiples of 256 bits, but could such code crash on AMD?

Daniel J. Bernstein (@hashbreaker):

Updated sortbench (int32 arrays, AVX2) to add Intel's x86-simd-sort, add the 'fast-and-robust' library, upgrade to latest version of Google's vqsort, support current vxsort, and include baseline std::sort: sorting.cr.yp.to/comparison.html Let me know if I've missed a competitive library.

Tanja Lange (@hyperelliptic):

Happy to announce that ECC 2024, the 25th Workshop on Elliptic Curve Cryptography, will take place in Taipei, Taiwan, Oct 30 - Nov 01, 2024. The workshop will be preceded by an autumn school on isogenies. For more see troll.iis.sinica.edu.tw/ecc24/index.sh… You can sign up for announcements

Daniel J. Bernstein (@hashbreaker):

A recent preprint 'The Planck Constant and Quantum Fourier Transformation' (eprint.iacr.org/2023/1971) suggests that Shor is unimplementable since it involves tiny rotations. But Coppersmith pointed out in 1994 (arxiv.org/abs/quant-ph/0…) that Shor works _without_ the tiny rotations.
