Notices by Soatok Dreamseeker (soatok@furry.engineer), page 2

Don’t Use Session (Signal Fork)

Last year, I outlined the specific requirements that an app needs to have in order for me to consider it a Signal competitor. Afterwards, I had several people ask me what I think of a Signal fork called Session. My answer then is the same thing I'll say today: Don't use Session. The main reason I said to avoid Session, all those months ago, was simply due to…

http://soatok.blog/2025/01/14/dont-use-session-signal-fork/

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman In that respect, symmetric cryptography is more boring than anything asymmetric, but a proof that P=NP would eventually utterly destroy both.

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman With asymmetric cryptography, you have even more uncertainty from a proofs perspective.

There is no proof that any given number theory operation is a good trapdoor. That's as true for RSA as it is for ECC.

Lattices, codes, isogenies, multivariate schemes, etc. were all considered candidates because they rely on mathematical structures that, even with quantum computers, are not breakable in 2128 queries (or more).

But then SIKE was broken by a laptop on a weekend. And so too was Rainbow.

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman It's not just the security against known attacks, it's "how does each component of this primitive behave, and what are the best strategies for defeating it?"

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman We use a lot of analytic approaches (e.g., bit diffusion in reduced rounds to compare ARX constructions, which help quantify the statistical confusion between inputs and outputs in the full round of a scheme) which are derived from successful attacks against insecure designs. A cipher is a secure as the cost of the best attack (exhaustive key search a.k.a. brute force is the default attack to consider).

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman Ah. So it's all about that sunk cost, rather than the consensus of experts. I can't help you with that, as I don't own a time machine.

@dalias @risottobias @khm @ambiguous_yelp @sammi @joelanman What exaxtly do you mean "unproven"?

The consensus among lattice experts and cryptanalysts is that, while there is some algebraic structure to some schemes that might be interesting targets for future attacks, their security is pretty well understood. NTRU and whatnot have been around for longer than AES. Is AES "unproven"?

@risottobias @dalias @khm @ambiguous_yelp @sammi @joelanman I'm preferring X-Wing in my designs, but I don't think hybrid should be required, esp in gov systens.

@lunarood @ryanc @gsuberland @f4grx Yeah I'm not continuing this particular series into the floats

@gsuberland @f4grx Download the bcrypt implementation from @ryanc and calculate a high cost so it takes like 3 hours per hash trial

Hot take:

I don't want my GPU to be measured in AI operations.

I don't want AI features.

It turns out, one of my 2022 blog posts was relevant to a NIST cipher modes announcement:

https://csrc.nist.gov/pubs/sp/800/38/d/r1/iprd

Oh no, what did i do?

Pour one out for the very serious pencil-pusher types that just got a face-full of cartoon dhole on their work computer from a NIST publication and are undoubtedly very upset with their life

Why is it that people who are so full of themselves are also so full of shit?

Well, I think that question answers itself.

So, there's been a very stupid development from a blog post I wrote years ago.

The Bi-Symmetric Encryption Fraud was a blog post I wrote in 2021 to study the claims made by CEW Systems about their so-called post-quantum encryption scheme. It's a wild ride.

Behold, the front page of their website (which is showing up in my referrer logs today): https://web.archive.org/web/20250102180928/https://www.cew-s.com/

A little after midnight on Christmas, I received an unsolicited "roast" for one of my open source libraries.

The roast was AI-generated.

Naturally, I decided to look into who's behind this spam campaign and expose them.

https://soatok.blog/2024/12/26/roasted-christmas-spam-from-muhu-ai/

#opensource #ai #spam #muhuai #tech #technology #enshitification

Applied cryptographers during the holidays looking at novel cryptosystems be like:

"But was it necessary to call some Lobsters users assholes?"

Yes, motherfucker, it was necessary.

The blog post opened by acknowledging that forums like Hacker News literally would not give a shit if I died tomorrow.

This isn't because of a lack of technical merit, it's because I'm not ashamed of being gay, or a furry.

I've spent the better part of the past 5 years encouraging other furries to start blogs.

My motive was the antonym to self-interest: The more furry bloggers exist, the less novel or special my own writing will be. If I wish to continue standing out, in such a world, I'd need to push myself harder, cover more interesting topics, or just generally be a more entertaining person.

There would be no resting on one's laurels. "Furry blogger that writes about cryptography? Which one??"

The upside for me is that there'd be more queer representation in professional spaces. Even better, the path to reach this would be bottom-up, not top-down, which almost certainly would result in a more equitable outcome for everyone involved. The true diversity of our communities would shine through.

That is what I actually care about here.

Fuck these thin-skinned tech bros.