Lightnews — Scholar-powered news

Reposted by Alexandre Adomnicăi

Filippo Valsorda

@filippo.abyssdomain.expert

Wow, QUIC Retry Packets use AES-GCM with a fixed key/nonce, empty plaintext, and associated data prefixed with a secret as a sort of MAC. That's... terrifying?

They essentially do MAC(K, v) = AES-GCM(key=const, nonce=const, plaintext=empty, aad=K||v). Does that actually hold?

RFC 9001: Using TLS to Secure QUIC

This document describes how Transport Layer Security (TLS) is used to secure QUIC.

quicwg.org

November 24, 2025 at 10:51 AM

Reposted by Alexandre Adomnicăi

Matthew Green

@matthewdgreen.bsky.social

Keys are hard. www.nytimes.com/2025/11/21/w...

Cryptographers Held an Election. They Can’t Decrypt the Results.

www.nytimes.com

November 22, 2025 at 2:07 AM

Reposted by Alexandre Adomnicăi

Filippo Valsorda

@filippo.abyssdomain.expert

I had a bug in my new ML-DSA implementation that caused Verify to reject all signatures. I gave up after half an hour. On a whim, I threw Claude Code at it. Surprisingly (to me!) it one-shotted it in 5 minutes.

A small case study of useful AI tasks that aren't generating code that requires review.

Claude Code Can Debug Low-level Cryptography

Surprisingly (to me) Claude Code debugged my new ML-DSA implementation faster than I would have, finding the non-obvious low-level issue that was making Verify fail.

words.filippo.io

November 1, 2025 at 6:26 PM

Reposted by Alexandre Adomnicăi

ePrint Updates

@eprint.ing.bot

What is Cryptography Hiding from Itself? (Diego F. Aranha, Nikolas Melissaris) ia.cr/2025/1951

Abstract. The European Commission’s 2022 proposal for a regulation on child sexual abuse material, popularly labelled ChatControl, obliges online services to detect, report, and remove prohibited content, through client-side scanning.
This paper examines the proposal as a case of undone science in computer security ethics: a domain where technical feasibility and rights-compatibility questions remain systematically underexplored. Combining legal analysis with philosophy of technology, the paper argues that client-side scanning transforms end-to-end encryption from a right to secrecy into a conditional privilege of use. By integrating Isaiah Berlin’s concept of negative liberty, Langdon Winner’s account of the politics of artifacts, and David Hess’s notion of undone science, the analysis traces how design choices become moral constraints.
The discussion situates the European debate within broader concerns about proportionality, epistemic selectivity, and the governance of digital infrastructures. Ultimately, the study shows that the controversy over ChatControl is not only about privacy or child protection but about the epistemic norms that define what counts as legitimate technological knowledge.

October 20, 2025 at 1:09 AM

Reposted by Alexandre Adomnicăi

Fredrik Dahlgren

@fegge.bsky.social

Why factoring (of numbers that aren’t 15) isn’t a good benchmark for tracking the progress of quantum computers.

algassert.com/post/2500

Why haven't quantum computers factored 21 yet?

Craig Gidney's computer science blog

algassert.com

August 31, 2025 at 3:40 PM

Reposted by Alexandre Adomnicăi

ePrint Updates

@eprint.ing.bot

Cryptographic Treatment of Key Control Security – In Light of NIST SP 800-108 (Ritam Bhaumik, Avijit Dutta, Akiko Inoue, Tetsu Iwata, Ashwin Jha, Kazuhiko Minematsu, Mridul Nandi, Yu Sasaki, Meltem Sönmez Turan, Stefano Tessaro) ia.cr/2025/1123

Abstract. This paper studies the security of key derivation functions (KDFs), a central class of cryptographic algorithms used to derive multiple independent-looking keys (each associated with a particular context) from a single secret. The main security requirement is that these keys are pseudorandom (i.e., the KDF is a pseudorandom function). This paper initiates the study of an additional security property, called key control (KC) security, first informally put forward in a recent update to NIST Special Publication (SP) 800-108 standard for KDFs. Informally speaking, KC security demands that, given a known key, it is hard for an adversary to find a context that forces the KDF-derived key for that context to have a property that is specified a-priori and is hard to satisfy (e.g., that the derived key consists mostly of 0s, or that it is a weak key for a cryptographic algorithm using it). We provide a rigorous security definition for KC security, and then move on to the analysis of the KDF constructions specified in NIST SP 800-108. We show, via security proofs in the random oracle model, that the proposed constructions based on XOFs or hash functions can accommodate for reasonable security margins (i.e., 128-bit security) when instantiated from KMAC and HMAC. We also show, via attacks, that all proposed block-cipher based modes of operation (while implementing mitigation techniques to prevent KC security attacks affecting earlier version of the standard) only achieve at best 72-bit KC security for 128-bit blocks, as with AES.

June 16, 2025 at 9:21 PM

Reposted by Alexandre Adomnicăi

Microsoft Research

@msftresearch.bsky.social

We're rewriting parts of Microsoft's SymCrypt cryptographic library in Rust to improve memory safety and defend against side-channel attacks, enabling formal verification while maintaining backward compatibility via a Rust-to-C compiler: msft.it/6011SU7Fc

Three white icons on a gradient background that transitions from blue on the left to pink on the right. The first icon, on the left, is a microchip with a padlock in the center. The middle icon is a flowchart diagram with connected shapes. The third icon, on the right, consists of two angle brackets facing each other.

June 10, 2025 at 4:31 PM

Reposted by Alexandre Adomnicăi

Carsten Baum

@cryptocarsten.bsky.social

Oh wow, this is really great work. Recent results on PCGs allowed much more efficient MPC preprocessing (among other things) using somewhat new assumptions. Apparently, these assumptions are too strong.

Congratulations to the authors on their IACR grant slam of breaks :)

ePrint Updates @eprint.ing.bot · May 19

Practical cryptanalysis of pseudorandom correlation generators based on quasi-Abelian syndrome decoding (Charles Bouillaguet, Claire Delaplace, Mickaël Hamdad, Damien Vergnaud) ia.cr/2025/892

Abstract. Quasi-Abelian Syndrome Decoding (QA-SD) is a recently in- troduced generalization of Ring-LPN that uses multivariate polynomials rings. As opposed to Ring-LPN, it enables the use of small finite field such as GF(3) and GF(4). It was introduced by Bombar et al (Crypto 2023) in order to obtain pseudorandom correlation generators for Beaver triples over small fields. This theoretical work was turned into a concrete and efficient protocol called F4OLEage by Bombar et al. (Asiacrypt 2024) that allows several parties to generate Beaver triples over GF(2).

We propose efficient algorithms to solve the decoding problem underlying the QA-SD assumption. We observe that it reduce to a sparse multivariate polynomial interpolation problem over a small finite field where the adversary only has access to random evaluation points, a blind spot in the otherwise rich landscape of sparse multivariate interpolation. We develop new algorithms for this problem: using simple techniques we interpolate polynomials with up to two monomials. By sending the problem to the field of complex numbers and using convex optimization techniques inspired by the field of “compressed sensing”, we can interpolate polynomials with more terms.

This enables us to break in practice parameters proposed by Bombar et al. at Crypto’23 and Asiacrypt’24 as well as Li et al. at Eurocrypt’25 (IACR flagship conferences Grand Slam). In the case of the F4OLEage protocol, our implementation recovers all the secrets in a few hours with probability 60%. This not only invalidates the security proofs, but it yields real-life privacy attacks against multiparty protocols using the Beaver triples generated by the broken pseudorandom correlation generators.

May 20, 2025 at 4:02 AM

Alexandre Adomnicăi

@aadomn.bsky.social

Awesome to see my Cortex-M4/7 Keccak implementations further improved by SLOTHY, a very promising optimization tool!

ePrint Updates @eprint.ing.bot · Mar 4

Enabling Microarchitectural Agility: Taking ML-KEM & ML-DSA from Cortex-M4 to M7 with SLOTHY (Amin Abdulrahman, Matthias J. Kannwischer, Thing-Han Lim) ia.cr/2025/366

Abstract. Highly-optimized assembly is commonly used to achieve the best performance for popular cryptographic schemes such as the newly standardized ML-KEM and ML-DSA. The majority of implementations today rely on hand-optimized assembly for the core building blocks to achieve both security and performance. However, recent work by Abdulrahman et al. takes a new approach, writing a readable base assembly implementation first and leaving the bulk of the optimization work to a tool named SLOTHY based on constraint programming. SLOTHY performs instruction scheduling, register allocation, and software pipelining simultaneously using constraints modeling the architectural and microarchitectural details of the target platform.

In this work, we extend SLOTHY and investigate how it can be used to migrate already highly hand-optimized assembly to a different microarchitecture, while maximizing performance. As a case study, we optimize state-of-the-art Arm Cortex-M4 implementations of ML-KEM and ML-DSA for the Arm Cortex-M7.

Our results suggest that this approach is promising: For the number-theoretic transform (NTT) – the core building block of both ML-DSA and ML-KEM – we achieve speed-ups of 1.97× and 1.69×, respectively. For Keccak – the permutation used by SHA-3 and SHAKE and also vastly used in ML-DSA and ML-KEM – we achieve speed-ups of 30% compared to the M4 code and 5% compared to hand-optimized M7 code. For many other building blocks, we achieve similarly significant speed-ups of up to 2.35×. Overall, this results in 11 to 33% faster code for the entire cryptosystems.

March 5, 2025 at 6:49 AM

Reposted by Alexandre Adomnicăi

Pascal Junod

@cryptopathe.me

Confidential computing is a pretty cool paradigm; in theory, you don’t need to trust your cloud provider to not steal or tamper with your data anymore, you *just* have to trust the hardware. In practice, don’t forget about defense in depth & co 😉

AMD: Microcode Signature Verification Vulnerability

### Summary Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside...

github.com

February 4, 2025 at 7:03 AM

Reposted by Alexandre Adomnicăi

ePrint Updates

@eprint.ing.bot

How to Prove False Statements: Practical Attacks on Fiat-Shamir (Dmitry Khovratovich, Ron D. Rothblum, Lev Soukhanov) ia.cr/2025/118

Abstract. The Fiat-Shamir (FS) transform is a prolific and powerful technique for compiling public-coin interactive protocols into non-interactive ones. Roughly speaking, the idea is to replace the random coins of the verifier with the evaluations of a complex hash function.

The FS transform is known to be sound in the random oracle model (i.e., when the hash function is modeled as a totally random function). However, when instantiating the random oracle using a concrete hash function, there are examples of protocols in which the transformation is not sound. So far all of these examples have been contrived protocols that were specifically designed to fail.

In this work we show such an attack for a standard and popular interactive succinct argument, based on the GKR protocol, for verifying the correctness of a non-determinstic bounded-depth computation. For every choice of FS hash function, we show that a corresponding instantiation of this protocol, which was been widely studied in the literature and used also in practice, is not (adaptively) sound when compiled with the FS transform. Specifically, we construct an explicit circuit for which we can generate an accepting proof for a false statement.

We further extend our attack and show that for every circuit C and desired output y, we can construct a functionally equivalent circuit C^(*), for which we can produce an accepting proof that C^(*) outputs y (regardless of whether or not this statement is true). This demonstrates that any security guarantee (if such exists) would have to depend on the specific implementation of the circuit C, rather than just its functionality.

Lastly, we also demonstrate versions of the attack that violate non-adaptive soundness of the protocol – that is, we generate an attacking circuit that is independent of the underlying cryptographic objects. However, these versions are either less practical (as the attacking circuit has very large depth) or make some additional (reasonable) assumptions on the underlying cryptographic primitives.

January 27, 2025 at 1:59 AM

Reposted by Alexandre Adomnicăi

Sofia Celi

@claucece.bsky.social

Very excited to share our first exploration of threshold MAYO (yes, the PQC algorithm)! 🎉 Joint work with the amazing
Daniel Escudero and Guilhem Niot. The ideas can extend to UOV as well—let’s have MV-based threshold cryptography!

📄 eprint.iacr.org/2024/1960.pdf