Notices by Daniel J. Bernstein (djb@mastodon.cr.yp.to)

The gcc/clang excuse for changing program behavior, often introducing bugs and security holes (see https://www.usenix.org/system/files/usenixsecurity23-xu-jianhao.pdf), is performance. But a new paper https://web.ist.utl.pt/nuno.lopes/pubs/ub-pldi25.pdf modifies clang to eliminate most (all?) such changes, and finds negligible effect on benchmarks.

@Pyrrhlin Specifically, they claimed that they "require (human) author names" rather than an "organization". But organizations are listed as authors of documents all the time (e.g.: https://web.archive.org/web/20250309024856/https://iacr.org/petitions/gaza_war.html); previous cryptographic research papers from organizations have appeared on eprint (e.g.: https://web.archive.org/web/20250130053518/https://eprint.iacr.org/2022/087.pdf); and published eprint policy says "any author" (https://web.archive.org/web/20240413134704/https://iacr.org/eprint/). It's clear that IACR's actual goal here is to suppress this particular new report, not to be consistent.

Pleased to announce PQConnect: https://www.pqconnect.net Easy-to-install software for your Linux box (more OSes coming later) to protect network applications against future quantum computers. Paper will appear at NDSS 2025. Joint work with @hyperelliptic, Jonathan Levin, Bo-Yin Yang.

@eliotlear OK, looks like time for Recusal 101: Do you think that it's okay for U.S. Supreme Court justices with conflicts of interest to not recuse themselves since there's more than one judge on the court? And it's okay for lower-court judges with conflicts of interest to not recuse themselves since there's an appeals process? Do you understand what the purpose of recusal is?

@eliotlear There you go again with these ridiculous "everyone" exaggerations. The actual issue at hand is an IETF security-area directorship being given to an employee of NSA, an organization with a policy and track record of sabotaging security standards.

@rsalz @eliotlear I gave an example earlier in the thread; but, again, the recusal obligation is triggered simply by the appearance of a conflict of interest. https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ says "In cases where a clear conflict of interest exists, an Area Director should normally recuse". It doesn't say "Wait until the evidence of bad decisions is so overwhelming that you feel pressured to do what you would have done without this policy existing in the first place".

@eliotlear Your quote is fabricated. I said he (and others, including me) expressed concerns. Instead of answering, the NSA AD filed WG-creation forms as if discussion had settled. As for your "no industry or government participant" strawman: I'm talking specifically about NSA. That's an organization that internally asked whether cryptographic standards could be made "weak enough" for NSA to break, and that at last report had a cryptographic sabotage budget of a quarter billion dollars a year.

This year IETF appointed a "Security Area Director" whose August 2024 conflict-of-interest filing lists NSA as a source of income: https://www.ietf.org/about/groups/iesg/iesg-coi-policy/ Profile says retired from NSA "with 37+ years of service in Dec 2023", still "working as a Stand-by Active Reservist at NSA".

New blog post "Clang vs. Clang": https://blog.cr.yp.to/20240803-clang.html You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans

Tracking down some TIMECOP alerts led to a 2021 gcc patch from ARM (https://gcc.gnu.org/git/?p=gcc.git;a=commit;f=gcc/match.pd;h=d70720c2382e687e192a9d666e80acb41bfda856) turning (-x)>>31 into a bool, often breaking constant-time code. Can often work around with (-x)>>30, and asm is safer anyway, but for portable fallbacks we need security-aware compilers.