Daniel J. Bernstein Profile
Daniel J. Bernstein

@hashbreaker

Followers: 22,565
Following: 23
Media: 14
Statuses: 2,342

Designing cryptography (deployed now: X25519, Ed25519, ChaCha20, sntrup, Classic McEliece) to proactively reduce risks. Coined phrase "post-quantum" in 2003.

Trying Mastodon: @[email protected]
Joined July 2009
Pinned Tweet
@hashbreaker
Daniel J. Bernstein
3 years
Anyone considering lattice-based post-quantum cryptography should see this warning chart: Full analysis is contained in new 99-page PDF "Risks of lattice KEMs" available from the same page. Page+PDF authors: NTRU Prime Risk-Management Team.
15
67
150
@hashbreaker
Daniel J. Bernstein
8 years
"How do we solve or disrupt a terrorist plot if law enforcement can't access the memories and thoughts inside suspected terrorists' brains?"
20
501
476
@hashbreaker
Daniel J. Bernstein
6 years
First release of djbsort: super-fast constant-time automatically verified AVX2 sorting code for int32 arrays. (Next target is ARM NEON.) Verification starts with the #angr toolkit for symbolic execution, which in turn uses libVEX from Valgrind.
9
100
227
@hashbreaker
Daniel J. Bernstein
4 years
In apparently coordinated announcements, NIST and NSA are strongly pushing for lattice-based crypto, specifically structured lattices, specifically cyclotomic lattices, including sizes where published attacks already seem to violate the minimum #NISTPQC security requirements.
4
89
209
@hashbreaker
Daniel J. Bernstein
9 years
I use Tor Browser for all my regular web surfing. The occasional sites that don't like it (e.g., nytimes) turn out to be totally skippable.
7
123
185
@hashbreaker
Daniel J. Bernstein
9 years
Success in displaying "ELIMINATE THE STATE" next to American flag at official NIST workshop. http://t.co/nBL5Tpo1ix http://t.co/Hx4EVKc8Ml
6
172
179
@hashbreaker
Daniel J. Bernstein
5 years
Amazing compendium of failures of "provable security": I saw a preprint months ago and the shock value of the huge lists still hasn't worn off. I think (and hope) this will put an end to the delusion that provable-security failures are isolated mistakes.
10
96
185
@hashbreaker
Daniel J. Bernstein
8 years
Fun game to play: Take statements from Comey et al. Replace "smartphones" with "brains"/"memories"/"thoughts". Technology will get us there!
5
184
172
@hashbreaker
Daniel J. Bernstein
8 years
"Democracy" (noun, American slang): A multiple-week mob trial of two accused criminals to decide which one will be the next 4-year warlord.
7
105
164
@hashbreaker
Daniel J. Bernstein
8 years
"Everybody is walking around with a Swiss bank account in his brain if government can't get in. You cannot take an absolutist view on this."
4
165
158
@hashbreaker
Daniel J. Bernstein
5 years
Another example of how easy it's becoming to deploy cryptographic software formally verified to be bug-free: As in NaCl, the only public-key option is ECC, and the only curve is Curve25519. Asking for RSA-2048 for "algorithm agility" = asking for bugs.
1
72
153
@hashbreaker
Daniel J. Bernstein
7 years
New blog post "Reconstructing ROCA" w/ @hyperelliptic : how quickly attack can be developed from a limited disclosure.
3
126
156
@hashbreaker
Daniel J. Bernstein
5 years
New blog post "An introduction to vectorization": Understanding one of the most important changes in the high-speed-software ecosystem. #vectorization #sse #avx #avx512 #antivectors
0
59
148
@hashbreaker
Daniel J. Bernstein
8 years
True democracy would let me vote directly against dropping bombs, building walls, recording all communication. American "democracy" doesn't.
22
80
135
@hashbreaker
Daniel J. Bernstein
7 years
What really bugs me about all this "Windows is vulnerable" news is the notion that it wasn't continuously vulnerable from 1985 through 2017.
3
77
136
@hashbreaker
Daniel J. Bernstein
5 years
0.57 cycles/byte for ChaCha20 to encrypt 4KB on one core of new Intel Cannon Lake CPU. I haven't seen AES-256 results as fast as this on the same CPU, even though AES-256 has special hardware support and much smaller security margin.
6
45
135
@hashbreaker
Daniel J. Bernstein
9 years
I wonder what the reaction would be to headlines saying "FBI orders Apple engineers to build tools to help FBI spy on civil-rights leaders."
14
164
135
@hashbreaker
Daniel J. Bernstein
7 years
Post-quantum cryptography, new introductory paper aimed at general science audience: by @hashbreaker , @hyperelliptic
2
102
128
@hashbreaker
Daniel J. Bernstein
6 years
Seems like a good moment to mention that, under Qubes, I have one browser window in one VM logged into Twitter, and a separate browser window in a separate VM logged into Google. The browsers aren't sharing any data. The window frames have different colors for the different VMs.
4
36
123
@hashbreaker
Daniel J. Bernstein
2 years
New blog post "NSA, NIST, and post-quantum cryptography: Announcing my second lawsuit against the U.S. government." Case filed in federal court today by @LoevyAndLoevy . #nsa #nist #des #dsa #dualec #sigintenablingproject #nistpqc #foia
9
50
122
@hashbreaker
Daniel J. Bernstein
8 years
There is a parallel universe where NIST's quantum random numbers have all been 0 and papers are asking "Why doesn't quantum physics work?"
0
53
112
@hashbreaker
Daniel J. Bernstein
2 years
Releasing #libcpucycles library to count CPU cycles: Supports counters for amd64 (both PMC and TSC), arm32, arm64 (both PMC and VCT), mips64, ppc32, ppc64, riscv32, riscv64, sparc64, and x86, plus automatic fallbacks to various OS-level timing mechanisms.
2
29
121
@hashbreaker
Daniel J. Bernstein
6 years
Wow: Inoue and Minematsu announce a fast attack breaking OCB2. OCB2 appeared at Asiacrypt 2004; advertised provable security; is a current ISO standard. OCB3 seems safe, and Rogaway has been recommending OCB3 for years, but the OCB2 story is terrifying.
4
63
109
@hashbreaker
Daniel J. Bernstein
9 years
In math, a "1024x768" matrix has 1024 rows, 768 columns. But a "1024x768" screen has 768 rows, 1024 columns. How did humanity get to space?
30
114
111
@hashbreaker
Daniel J. Bernstein
2 years
Bits in DRAM sometimes flip. Typical servers have SECDED ECC DRAM to protect against this, but typical desktops/laptops/smartphones don't. Have released a "libsecded" micro-library with secded_encode() to protect an array and secded_decode() to recover it:
5
26
108
@hashbreaker
Daniel J. Bernstein
4 years
New paper "A discretization attack": Identifies another NSA-exploitable weakness in standardization processes. Includes a detailed case study of how #NISTPQC could hypothetically have been attacked, and evidence suggesting that it was in fact attacked.
2
46
106
@hashbreaker
Daniel J. Bernstein
8 years
Unscientific studies strongly suggest that the most common lie told by Americans is "I have read and agree to these terms and conditions."
4
58
109
@hashbreaker
Daniel J. Bernstein
7 years
I'm astonished at how casually some people are dismissing the notion that NSA bribes academics. Why wouldn't they?
10
43
102
@hashbreaker
Daniel J. Bernstein
6 years
Dear @nature editorial board: Please withdraw the following statement, which is (1) false and (2) thoroughly deceptive. "Specialists also point to problems for which quantum computers have long been known to have a proven advantage, such as web searches."
6
29
102
@hashbreaker
Daniel J. Bernstein
4 years
Are you surprised to hear WHO saying that healthy skydivers don't need to and shouldn't use parachutes? This is backed up by a systematic review of randomized controlled trials, published in the British Medical Journal, cited more than 1000 times:
7
38
107
@hashbreaker
Daniel J. Bernstein
4 years
People who trust optimizing compilers to work correctly seem to be surprised by a 2020 gcc bug report where the optimizer treats byte arrays as equal if they pass strcmp. For comparison, here's a gcc bug report I filed last century:
3
29
102
@hashbreaker
Daniel J. Bernstein
10 years
Nice to see systemd finally integrating Firefox into pid 1. The benchmarks show clear improvements in the post-boot browser startup latency.
8
177
100
@hashbreaker
Daniel J. Bernstein
6 years
Video available for #35c3 talk "The year in post-quantum crypto" from @hyperelliptic and me: Also slides: "A journey through selected recent highlights from the post-quantum world." #nistpqc #pqcrypto #quantumcyberblockchain
1
48
102
@hashbreaker
Daniel J. Bernstein
4 years
Not verified yet, so don't put into production, but seems to compute inverses mod 2^255-19 in under 4800 Skylake cycles: Also speed records on Haswell, Broadwell, Kaby Lake, etc. Joint work with Bo-Yin Yang. Uses convex-hull calculations from @pwuille .
6
21
102
@hashbreaker
Daniel J. Bernstein
9 years
Biking through Utrecht. Box near the road is labeled "Dijkstra Transport." Immediate reaction: "I guess they always take the shortest path!"
3
58
100
@hashbreaker
Daniel J. Bernstein
8 years
New post "Thomas Jefferson and Apple versus the FBI" : An introduction to freedom of speech for software publishers.
2
108
92
@hashbreaker
Daniel J. Bernstein
5 years
Cryptographers working on "verifiable delay functions" (VDF) seem to think that all known algorithms to compute x^2^T mod pq (unknown p,q) need T times the latency of a single squaring. Sorenson and I have a 2007 paper beating this in some hardware models.
5
37
91
@hashbreaker
Daniel J. Bernstein
8 years
Could this be the first crypto/security talk ever where Alice and Bob are being attacked by Donald rather than Eve?
3
59
93
@hashbreaker
Daniel J. Bernstein
5 years
Bo-Yin Yang and I have a new paper "Fast constant-time gcd computation and modular inversion": Much faster than earlier constant-time Euclid variants. Case studies: new speed records for 2^255-19 inversion (even faster than Fermat!) and NTRU-HRSS keygen.
1
32
91
@hashbreaker
Daniel J. Bernstein
7 years
The simplicity of Curve25519 is a big part of what has enabled formally verified (HACL*) X25519 software in Firefox:
0
32
91
@hashbreaker
Daniel J. Bernstein
5 years
Implementing gcd/xgcd/modinv? Heard about Microsoft SymCrypt gcd running forever and OpenSSL gcd leaking secret keys via timing? Bo-Yin Yang and I have a paper with a simple constant-time gcd algorithm.
0
36
88
@hashbreaker
Daniel J. Bernstein
5 years
New blog post "Why EdDSA held up better than ECDSA against Minerva": Cryptosystem designers successfully predicting, and protecting against, implementation failures. #ecdsa #eddsa #hnp #lwe #bleichenbacher #bkw
3
38
86
@hashbreaker
Daniel J. Bernstein
7 years
10000 Haswell cycles to sort 1024 32-bit integers: 13x faster than radix sort in Intel's Integrated Performance Primitives library, 2.6x faster than sorting code from NTRU Prime paper. Working on formal verification.
3
16
85
@hashbreaker
Daniel J. Bernstein
6 years
US govt sends $1.2B to quantum salesmen making false promises: e.g. "Quantum computers will be able to sort rapidly through data sets that are too large to ever be stored on conventional devices, such as real-time video of the entire surface of the earth."
7
19
81
@hashbreaker
Daniel J. Bernstein
2 years
IACR is adopting NSA's clever solution to the cryptocurrency/cryptography conundrum: from now on, "crypto" means cryptocurrency, and "crypt" means cryptography. Next year's flagship IACR conferences will split into Crypto, Eurocrypto, Asiacrypto, Crypt, Eurocrypt, and Asiacrypt.
5
15
84
@hashbreaker
Daniel J. Bernstein
2 years
As someone who happily runs servers and laptops at constant clock frequencies (see for Linux advice) rather than heat-the-hardware random frequencies, I dispute the claim in that this has an "extreme system-wide performance impact".
3
22
84
@hashbreaker
Daniel J. Bernstein
6 years
"What do quantum computers do?" Focusing on the core quantum instructions that programmers need to know. Emphasizing examples much more than formulas. Trying hard to eliminate unnecessary terminology (e.g., unitaries) and unnecessary notation (e.g., kets).
1
34
83
@hashbreaker
Daniel J. Bernstein
9 years
Really hoping the video worked for this: "I am the man in the middle." http://t.co/iiQ7cBpu3L http://t.co/wHQc7GFPJG http://t.co/jgfX4d02wm
1
59
83
@hashbreaker
Daniel J. Bernstein
8 years
Posted new paper "Is the security of quantum cryptography guaranteed by the laws of physics?" #holographicprinciple
5
86
82
@hashbreaker
Daniel J. Bernstein
3 months
18 months ago NIST suddenly switched to counting memory-access costs in lattice attacks, massively pumping up Kyber-512's claimed security level. New lattice-attack optimization from Zhao, Ding, and Yang makes the memory-access costs practically disappear:
0
29
83
@hashbreaker
Daniel J. Bernstein
4 years
New paper "Cryptographic competitions": This paper surveys procedures that have been used in cryptographic competitions, and analyzes the extent to which those procedures reduce security risks. #DES #AES #eSTREAM #SHA3 #CAESAR #NISTPQC #NISTLWC #NSA
4
30
80
@hashbreaker
Daniel J. Bernstein
4 years
This is clearly not the world's biggest problem in 2020, but it's still depressing to see the official software for Frodo (a high-profile candidate for post-quantum crypto) broken by a timing attack on memcmp: We need more work on constant-time languages.
2
25
78
@hashbreaker
Daniel J. Bernstein
9 years
Slides from my tutorial talk "The death of optimizing compilers" today at ETAPS: http://t.co/YqLza9Oau9 Recording should be available soon.
9
48
76
@hashbreaker
Daniel J. Bernstein
2 years
NIST now says it plans to announce its selections of post-quantum algorithms on "Tuesday, July 5th" (I presume 2022, not 2033). Given the extent to which waiting for NIST has stalled pq deployment, this announcement is an important step forward no matter what the details are.
9
30
80
@hashbreaker
Daniel J. Bernstein
8 years
New blog post "The death of due process": #ethics #crime #punishment
12
61
75
@hashbreaker
Daniel J. Bernstein
9 years
Listening to a "big data"/"data science" talk. Mentally translating "data" to "surveillance": "... everything starts with surveillance ..."
3
113
76
@hashbreaker
Daniel J. Bernstein
2 years
We're now up to a solid half year of delay in post-quantum standardization, apparently because NIST picked a new design in the middle of a patent minefield and was somehow confident it could instantly buy its way out of the minefield. Half a year of data given away to attackers.
6
19
77
@hashbreaker
Daniel J. Bernstein
5 years
"Let's take code from the SUPERCOP benchmarking framework. Does this file supercop/crypto_stream/salsa20/e/amd64-xmm6/warning-256gb mean anything? Probably not." [Time passes] "BREAKING NEWS: We found that this implementation doesn't work after 256GB!"
4
22
75
@hashbreaker
Daniel J. Bernstein
1 year
My new report "Papers with computer-checked proofs" gives "case studies supporting the hypothesis that it is often affordable for a paper presenting theorems to also include proofs that have been checked with today's proof-checking software":
3
19
74
@hashbreaker
Daniel J. Bernstein
2 years
New resource page available on timing attacks, including recommendations for action to take regarding overclocking attacks such as #HertzBleed : Don't wait for the next public overclocking attack; take proactive steps to defend your data against compromise.
1
37
74
@hashbreaker
Daniel J. Bernstein
5 years
This news reminds me of the European Space Agency in saying that "human beings" usually cannot "access flying spacecraft" so "there is no need for side channel attack protection". Serious attackers build machines to carry out attacks beyond human ability.
1
45
69
@hashbreaker
Daniel J. Bernstein
1 year
NSA's secret members of pqc@nist.gov team: Nick Gajcowski; David Hubbard; Daniel Kirkwood; Brad Lackey; Laurie Law; John McVey; Scott Simon; Jerry Solinas; David Tuller; later Rich Davis. Jacob Farinholt was Naval Surface Warfare Center, US Navy. Not sure about Evan Bullock.
@hashbreaker
Daniel J. Bernstein
1 year
says author is "Post Quantum Cryptography Team, National Institute of Standards and Technology (NIST), pqc@nist.gov". FOIA results have revealed secret pqc@nist.gov team members in early Sep 2016, after draft NISTPQC call: more NSA people than NIST people.
1
11
63
2
17
71
@hashbreaker
Daniel J. Bernstein
4 years
Which post-quantum submissions (1) haven't suffered security losses since the #NISTPQC competition began and (2) are among the 26 submissions in round 2 (which is ending soon)? I think there are exactly 3: SIKE (which scares me for being too new), Classic McEliece, and SPHINCS+.
4
18
71
@hashbreaker
Daniel J. Bernstein
9 years
The C "standard" is an unstable series of sloppy documents that have never accurately documented the needs of typical real-world C code.
6
58
69
@hashbreaker
Daniel J. Bernstein
6 years
Experimenting with several variants of the TEA cipher as a teaching tool (TEAching tool, I guess) for cipher cryptanalysis: Are there any common cipher attacks that _can't_ be illustrated with TEA or minor variants of TEA? See also.
4
18
69
@hashbreaker
Daniel J. Bernstein
2 years
Posted an AVX2-vectorized-sorting benchmarking script covering djbsort, vxsort, vqsort. (vxsort and vqsort also support AVX-512.) The middle part of this Skylake graph is the part that matters for crypto, and also the base case for larger quicksort etc.
3
21
70
@hashbreaker
Daniel J. Bernstein
10 years
Slides online for my "Making sure crypto stays insecure" talk at #h2hc : http://t.co/Gspou7RFHP #terrorism #drugs #pedophilia #organizedcrime
4
85
70
@hashbreaker
Daniel J. Bernstein
11 months
New blog post "The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level." On a related note, announces a followup FOIA lawsuit filed today. #nist #addition #multiplication #ntru #kyber #fiasco
2
17
66
@hashbreaker
Daniel J. Bernstein
2 years
Still needs auditing and formal verification, but happy to announce availability of lib25519-20221222. Includes extensive new speed work from Kaushik Nath: e.g., on Skylake, 30 kcycles for DH keygen, sig keygen, signing; 90 for DH shared secret; 110 verif.
3
9
67
@hashbreaker
Daniel J. Bernstein
10 years
ECCHacks Python scripts http://t.co/vDGpPa4OaE with @hyperelliptic are now online. We'd better run over to talk room and plug in laptop now.
1
56
66
@hashbreaker
Daniel J. Bernstein
7 years
New blog post "Fast-key-erasure random-number generators": An effort to clean up several messes simultaneously.
1
41
65
@hashbreaker
Daniel J. Bernstein
10 years
Clearly it's much better for the magic "secure golden key" to be held by NSA. Nobody has ever stolen, or will ever steal, secrets from NSA.
4
98
61
@hashbreaker
Daniel J. Bernstein
2 years
Given the current reality of desktops/laptops/smartphones almost never having ECC RAM, I'd love to see more operating-system support for periodically sweeping through pages to detect and correct errors, storing (say) 14 bytes of error-correction data for each 4096-byte page.
5
9
66
@hashbreaker
Daniel J. Bernstein
2 years
20 years ago, when the IETF was building Punycode instead of mandating UTF-8, I thought they were being remarkably stupid, and said so publicly. Later I started understanding the basic incentives. Simple, boring, working systems mean less money for standardization organizations.
1
18
64
@hashbreaker
Daniel J. Bernstein
8 years
New blog post "Security fraud in Europe's 'Quantum Manifesto' ": #qkd #quantumcrypto #quantummanifesto #QuantumEU
4
82
63
@hashbreaker
Daniel J. Bernstein
3 years
Apparently some Americans aren't making vaccination appointments despite being eligible. Will they be jealous if and when we start publicly sending spare vaccines to Mexico, Brazil, India, etc.? "I didn't want this dose but I definitely don't want those _foreigners_ to have it!"
3
7
64
@hashbreaker
Daniel J. Bernstein
6 years
"Sorting integer arrays: security, speed, and verification." Slides for first djbsort talk now available:
1
22
64
@hashbreaker
Daniel J. Bernstein
9 years
"Verifiably pseudo-random" Brainpool curves weren't actually generated by the standard Brainpool procedure. Amazing. http://t.co/nIyQRvzZ2y
3
84
61
@hashbreaker
Daniel J. Bernstein
2 years
Tried Google's new vectorized quicksort code vqsort on Skylake, and timed Sorter() as ~8000 cycles for int32[256] (big chunk of code for a size-specific sorting network), ~19000 cycles for int32[1024] (non-constant-time). djbsort is 1230, 6286 (ct). Did I misuse vqsort somehow?
5
11
62
@hashbreaker
Daniel J. Bernstein
4 years
After NIST's Dual EC standard was revealed in 2013 to be an actual (rather than just potential) NSA back door, NIST promised more transparency. Why does NIST keep soliciting private #NISTPQC input? (The submissions I'm involved in seem well positioned; that's not the point.)
2
26
58
@hashbreaker
Daniel J. Bernstein
9 years
It's interesting how leeches such as Elsevier and Springer manage to keep sucking money out of science without contributing anything to it.
4
105
60
@hashbreaker
Daniel J. Bernstein
8 months
New blog post "Double encryption: Analyzing the NSA/GCHQ arguments against hybrids." #nsa #quantification #risks #complexity #costs
0
27
61
@hashbreaker
Daniel J. Bernstein
4 years
The new CleverParrot exposure-notification protocol in says your phone will spend 12 minutes per day checking, for your secret s, for many pairs u,v, whether u^s = v. Here's a nearly 2x speedup: check whether u^r v^t = 1 for half-size r,t with s = -r/t.
2
9
58
@hashbreaker
Daniel J. Bernstein
9 years
Support the police state! It doesn't stop terrorists, but it does stop those scary anti-corporate climate activists:
3
87
54
@hashbreaker
Daniel J. Bernstein
2 years
Looks like NIST didn't actually nail down the patent buyouts before announcing Kyber's selection, so now the patent holders have even more power. But, wait, NIST's expert negotiators say that they "may consider" switching to NTRU if agreements aren't signed "by the end of 2022".
1
14
61
@hashbreaker
Daniel J. Bernstein
9 years
alpha release of gfverif (from @cryptojedi and me), plausible path towards guaranteed bug-free state-of-the-art ECC:
1
45
57
@hashbreaker
Daniel J. Bernstein
7 years
Happy to announce that 20-author ECRYPT-CSA "Challenges in Authenticated Encryption" white paper is available from .
0
45
56
@hashbreaker
Daniel J. Bernstein
9 months
In case it's useful for more people, posted a small script built on top of pypdf to magnify giant-margin conference/book PDFs into reasonable-margin PDFs, while preserving hyperlinks (unlike pdfjam) and anchors. More information:
3
7
58
@hashbreaker
Daniel J. Bernstein
11 years
New MinimaLT protocol spearheaded by Mike Petullo: faster than TCP, higher security than TLS. http://t.co/23dUFfj3rs We helped w/the crypto.
4
70
56
@hashbreaker
Daniel J. Bernstein
4 years
Our inversion code is now generalized to handle common 256-bit primes at almost the same speed as 2^255-19, around 4000 Skylake cycles: Still haven't fully verified, so don't put into production. Tracking verification progress:
0
11
56
@hashbreaker
Daniel J. Bernstein
6 years
RWC2019 has some talks on formal verification, where a computer takes care of tediously checking for all the little mistakes that humans tend to miss. Particularly looking forward to the verification talk by Bhargavan, or, as the schedule says, "Bhargava".
3
8
56
@hashbreaker
Daniel J. Bernstein
4 years
Now under 3900 Skylake cycles for code that seems to compute inverses mod 2^255-19: This is further work with @bo_yin , also using ideas from Greg Maxwell and @pwuille . Still exploring speeds, still haven't verified the code, so don't put into production.
1
11
52
@hashbreaker
Daniel J. Bernstein
7 years
Uses fewer logical qubits than Shor; heuristically asymptotically breaks RSA faster than NFS: Bernstein-Biasse-Mosca
0
41
55
@hashbreaker
Daniel J. Bernstein
2 years
More document releases forced by the "NSA, NIST, and post-quantum cryptography" lawsuit: These include internal NIST slides marked "not for public distribution". Meanwhile NIST repeatedly claimed in public that this was an "open and transparent" project.
2
13
56
@hashbreaker
Daniel J. Bernstein
8 months
A recent preprint "The Planck Constant and Quantum Fourier Transformation" suggests that Shor is unimplementable since it involves tiny rotations. But Coppersmith pointed out in 1994 that Shor works _without_ the tiny rotations.
3
5
55
@hashbreaker
Daniel J. Bernstein
8 years
New mailing list for security experts tracking dishonest security claims (not just #quantummanifesto ): snakeoil+subscribe@googlegroups.com
3
42
53
@hashbreaker
Daniel J. Bernstein
3 years
No. Lattice KEMs under consideration for deployment (NTRU, Kyber, Frodo, etc.) do _not_ have NP-hardness proofs. (There's also no serious hope of crossing the dividing lines.) Questions to ask: Where did the pervasive misinformation on this topic originate? Who benefits from it?
6
9
52
@hashbreaker
Daniel J. Bernstein
8 years
"Free speech is at risk at the very institution where it should be assured: the university! Please pay now to read the rest of this essay."
4
24
50