Posts by djb@mastodon.cr.yp.to
(DIR) Post #AhoVLHoBVQRfvxLYO0 by djb@mastodon.cr.yp.to
2024-04-20T15:40:40Z
0 likes, 0 repeats
Tracking down some TIMECOP alerts led to a 2021 gcc patch from ARM (https://gcc.gnu.org/git/?p=gcc.git;a=commit;f=gcc/match.pd;h=d70720c2382e687e192a9d666e80acb41bfda856) turning (-x)>>31 into a bool, often breaking constant-time code. Can often work around with (-x)>>30, and asm is safer anyway, but for portable fallbacks we need security-aware compilers.
(DIR) Post #AhrQCnBrXi2qMOQqsi by djb@mastodon.cr.yp.to
2024-02-01T00:18:36Z
0 likes, 0 repeats
Columbia Accident Investigation Board, final report, 2003, volume 1 (https://history2.nasa.gov/columbia/reports/CAIBreportv1.pdf), page 191: "The Board views the endemic use of PowerPoint briefing slides instead of technical papers as an illustration of the problematic methods of technical communication at NASA."
(DIR) Post #AhugcjqqlDrGH5sSZM by djb@mastodon.cr.yp.to
2024-04-12T21:10:34Z
0 likes, 0 repeats
Reminder for the sales team: If https://eprint.iacr.org/2024/555 turns out to be wrong, relentlessly hype the failure. If it turns out to be right, relentlessly hype the exponent in the approximation factor. Always remember: any attack claim short of a full break is a win-win scenario.
(DIR) Post #Ai1AkEPLiKF8e0GLVg by djb@mastodon.cr.yp.to
2024-03-21T17:03:25Z
0 likes, 0 repeats
lib25519-20240321 released: https://lib25519.cr.yp.to https://lib25519-cr-yp-to.viacache.net Includes more speedups from Kaushik Nath, a simple use-s2n-bignum option, macOS support, and more. Still generally needs formal verification and auditing, but AWS's s2n-bignum code is formally verified.
(DIR) Post #Ai43evd7z9Uskl6yhc by djb@mastodon.cr.yp.to
2024-03-14T06:25:29Z
0 likes, 0 repeats
Releasing beta for auditing: small-ish OpenSSL 3 "providers" to use lib25519 (gives big speedups, although still needs verification) for X25519 and Ed25519. Code: https://cr.yp.to/2024/20240314/openssl_x25519_lib25519.c https://cr.yp.to/2024/20240314/openssl_ed25519_lib25519.c Current test scripts: https://cr.yp.to/2024/20240314/xtest https://cr.yp.to/2024/20240314/edtest
(DIR) Post #Ai52L8lPXWLmtlwjIm by djb@mastodon.cr.yp.to
2024-04-22T09:35:20Z
0 likes, 0 repeats
Next round of interesting lattice claims to dig into: https://eprint.iacr.org/2024/601 claims to prove that "breaking NTRU lattices can be reduced to finding shortest lattice vectors in halved dimension". For comparison, Table 5 of https://ntru.org/f/ntru-20190330.pdf is around 70% of the dimension.
(DIR) Post #AkamQwyi8bK8ghlatc by djb@mastodon.cr.yp.to
2024-08-03T13:57:23Z
0 likes, 0 repeats
New blog post "Clang vs. Clang": https://blog.cr.yp.to/20240803-clang.html You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans
(DIR) Post #AlosTMUJd7Dc7f2M8O by djb@mastodon.cr.yp.to
2024-09-09T05:41:28Z
0 likes, 0 repeats
This year IETF appointed a "Security Area Director" whose August 2024 conflict-of-interest filing lists NSA as a source of income: https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ Profile says retired from NSA "with 37+ years of service in Dec 2023", still "working as a Stand-by Active Reservist at NSA".
(DIR) Post #AlrWCmr8j2oNSgHffM by djb@mastodon.cr.yp.to
2024-09-09T07:11:56Z
0 likes, 0 repeats
@eliotlear Incorrect: Sure, like trying to ram a give-control-over-SSH-to-NSA WG through IETF without answering the concerns publicly expressed by Theo de Raadt (e.g., https://mailarchive.ietf.org/arch/msg/ssh/A3gmWCryJW9VnH1A7vFPrFXxjnQ/) and others (including me). But the important point here is much simpler: giving control over any IETF/IRTF security decisions to NSA creates the appearance of a conflict of interest, ergo shouldn't happen.
(DIR) Post #AlrWCo6472LRJGH6ZM by djb@mastodon.cr.yp.to
2024-09-09T15:30:52Z
0 likes, 0 repeats
@eliotlear 1. Do you realize that you're linking to a 13 August message about the charter, and that this was before the 24 August message that I linked to where he expressed unanswered concerns about the WG? 2. Other than histrionics, do you have any comment on the conflict-of-interest problem with having an NSA employee as an IETF security-area director? 3. If you think I've said something incorrect, can you please quote the allegedly incorrect statement? Thanks in advance!
(DIR) Post #AlrWCpN7N7ZzGRGEmu by djb@mastodon.cr.yp.to
2024-09-10T04:14:32Z
0 likes, 0 repeats
@eliotlear Your quote is fabricated. I said he (and others, including me) expressed concerns. Instead of answering, the NSA AD filed WG-creation forms as if discussion had settled. As for your "no industry or government participant" strawman: I'm talking specifically about NSA. That's an organization that internally asked whether cryptographic standards could be made "weak enough" for NSA to break, and that at last report had a cryptographic sabotage budget of a quarter billion dollars a year.
(DIR) Post #AlrWMxEJ0lg2Wxy4Ey by djb@mastodon.cr.yp.to
2024-09-10T12:11:06Z
0 likes, 0 repeats
@eliotlear OK, looks like time for Recusal 101: Do you think that it's okay for U.S. Supreme Court justices with conflicts of interest to not recuse themselves since there's more than one judge on the court? And it's okay for lower-court judges with conflicts of interest to not recuse themselves since there's an appeals process? Do you understand what the purpose of recusal is?
(DIR) Post #AlrWMyTwM7mGPkI4FU by djb@mastodon.cr.yp.to
2024-09-10T13:27:29Z
0 likes, 0 repeats
@eliotlear There you go again with these ridiculous "everyone" exaggerations. The actual issue at hand is an IETF security-area directorship being given to an employee of NSA, an organization with a policy and track record of sabotaging security standards.
(DIR) Post #AlrWMzc899vHvR87ea by djb@mastodon.cr.yp.to
2024-09-10T13:51:25Z
0 likes, 0 repeats
@rsalz @eliotlear I gave an example earlier in the thread; but, again, the recusal obligation is triggered simply by the appearance of a conflict of interest. https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ says "In cases where a clear conflict of interest exists, an Area Director should normally recuse". It doesn't say "Wait until the evidence of bad decisions is so overwhelming that you feel pressured to do what you would have done without this policy existing in the first place".
(DIR) Post #AtGzONsphSTiGPavTc by djb@mastodon.cr.yp.to
2025-04-19T15:24:04Z
0 likes, 0 repeats
Senior eprint censor Joppe Bos says it's "defamatory" and "cyber libel" to say that he bears responsibility for eprint not posting https://classic.mceliece.org/mceliece-529-20250417.pdf yet. Not only does he in fact bear responsibility, but also his own email, cc'ing me, continues to argue for this censorship.
(DIR) Post #AtGzOQdLTUs8nFN6Fk by djb@mastodon.cr.yp.to
2025-04-20T05:31:30Z
1 likes, 0 repeats
@Pyrrhlin Specifically, they claimed that they "require (human) author names" rather than an "organization". But organizations are listed as authors of documents all the time (e.g.: https://web.archive.org/web/20250309024856/https://iacr.org/petitions/gaza_war.html); previous cryptographic research papers from organizations have appeared on eprint (e.g.: https://web.archive.org/web/20250130053518/https://eprint.iacr.org/2022/087.pdf); and published eprint policy says "any author" (https://web.archive.org/web/20240413134704/https://iacr.org/eprint/). It's clear that IACR's actual goal here is to suppress this particular new report, not to be consistent.
(DIR) Post #AtPaD6xHY7i092qJou by djb@mastodon.cr.yp.to
2025-04-24T09:07:22Z
1 likes, 0 repeats
The gcc/clang excuse for changing program behavior, often introducing bugs and security holes (see https://www.usenix.org/system/files/usenixsecurity23-xu-jianhao.pdf), is performance. But a new paper https://web.ist.utl.pt/nuno.lopes/pubs/ub-pldi25.pdf modifies clang to eliminate most (all?) such changes, and finds negligible effect on benchmarks.
(DIR) Post #AtQYUyMMEymLwrv9xA by djb@mastodon.cr.yp.to
2025-04-24T20:30:13Z
1 likes, 0 repeats
Happy to announce my new paper "The cryptoint library": https://cr.yp.to/papers.html#cryptoint Constant-time code is the main way that we avoid leaking secrets to timing attacks. This is a paper on how much progress there has been, what's left to do, and how to do it.
(DIR) Post #B2cA9npbR8Yz3HfLfM by djb@mastodon.cr.yp.to
2026-01-24T15:45:03Z
1 likes, 0 repeats
Almost done packaging a new release of djbsort; mainly now waiting for some big verification runs to finish. As an example of the new speeds, here's a comparison graph for AMD Zen 3. This is for random inputs, not inputs chosen to slow down the competitors that use quicksort.
(DIR) Post #B30NJzJ3J3WI3HDBfU by djb@mastodon.cr.yp.to
2026-02-05T07:52:34Z
1 likes, 0 repeats
One of the OpenSSL disasters announced last week (CVE-2025-15469) is really the fault of OpenSSL's detached-signature interface. With a signed-message/message-recovery interface, the bug would have had no effect on security, and would have been easier to catch. Interfaces matter.