This is exactly the setup in this 5-bit experiment: the DL instance is set up in a subgroup of the curve of order 2^5 = 32.
There's a reason we usually pick prime order subgroups.
@francois.dupressoir.eu
Proof nerd, dad, computer scientist.
Uh... Working in a subgroup of order 32 seems... ill advised. Even with a 256-bit key, if I pick 2^256 as the order of the group I set up my discrete logarithm instance in, Pohlig-Hellman gives a classical attack in 512 guesses max. (256 on average.) No need for a quantum computer here.
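The Pohlig-Hellman walk the post describes, as an added example that is not part of the original thread: it solves a discrete log in a constructed order-32 subgroup of (Z/97Z)^* one bit at a time and counts the candidate guesses, which never exceed 2·e = 10 for e = 5.

```python
# Added example, not code from the thread: Pohlig-Hellman on a cyclic group of
# order 2^e, recovering the discrete log one bit at a time and counting the
# candidate bit values tried (at most 2 per bit, so at most 2*e in total).
# Constructed toy parameters: p = 97 has p - 1 = 2^5 * 3, and 5 is a
# primitive root mod 97, so g = 5^3 mod 97 generates the subgroup of order 32.

P = 97             # constructed prime, p - 1 = 32 * 3
E = 5              # subgroup order 2^5 = 32, as in the "5-bit experiment"
G = pow(5, 3, P)   # generator of the order-32 subgroup of (Z/97Z)^*

def dlog_pow2(target, g=G, e=E, p=P):
    """Return (x, guesses) with g^x == target (mod p), g of order 2^e.

    Bit i of x is isolated by stripping the bits found so far and raising
    the remainder to 2^(e-1-i); that lands in the order-2 subgroup {1, -1},
    so it equals 1 exactly when bit i is 0. Guess 0 first, then 1.
    """
    x, guesses = 0, 0
    order = 1 << e
    for i in range(e):
        y = (target * pow(g, (-x) % order, p)) % p   # target * g^(-x)
        proj = pow(y, 1 << (e - 1 - i), p)           # +1 or -1 mod p
        guesses += 1                                  # try bit i = 0
        if proj != 1:
            guesses += 1                              # 0 was wrong, so bit i = 1
            x |= 1 << i
    return x, guesses

def exhaustive_check(g=G, e=E, p=P):
    """Solve every instance in the group; return (all_correct, max_guesses)."""
    worst = 0
    for t in range(1 << e):
        x, n = dlog_pow2(pow(g, t, p), g, e, p)
        if x != t:
            return False, worst
        worst = max(worst, n)
    return True, worst

if __name__ == "__main__":
    print(dlog_pow2(pow(G, 19, P)))   # (19, 8)
    print(exhaustive_check())          # (True, 10): never more than 2 * 5 guesses
```

Swapping E, P and G for a 256-bit 2-group changes nothing in the loop; the bound stays 2·e checks, which is the point of the post.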
20.07.2025 19:27 — 👍 0 🔁 0 💬 1 📌 0
You have 12 usable knuckles on each hand. (Usable because you can point to them nicely with your conveniently opposable thumb.)
29.06.2025 17:08 — 👍 0 🔁 0 💬 1 📌 0
This is now also implemented in Rosenpass. (With a more complex PQ key exchange layer.)
rosenpass.eu
Just in case anyone feels really excited, this closed 10 days ago.
ICYMI... Tough, you missed it.
Other governments are still (for now) linking government procurement and transition, and generally aligned on adoption. (France likes XMSS, Germany also likes Classic McEliece.)
Also strong signs that other countries are picking up the advocacy piece.
I'm not going to say it so I don't jinx it.
Abstract. Threshold signatures enable multiple participants to collaboratively produce a digital signature, ensuring both fault tolerance and decentralization. As we transition to the post-quantum era, lattice-based threshold constructions have emerged as promising candidates. However, existing approaches often struggle to scale efficiently, lack robustness guarantees, or are incompatible with standard schemes — most notably, the NIST-standard ML-DSA. In this work, we explore the design space of Fiat-Shamir-based lattice threshold signatures and introduce the two most practical schemes to date. First, we present an enhanced TRaccoon-based [DKM+24] construction that supports up to 64 participants with identifiable aborts, leveraging novel short secret-sharing techniques to achieve greater scalability than previous state-of-the-art methods. Second — and most importantly — we propose the first practical ML-DSA-compatible threshold signature scheme, supporting up to 6 users. We provide full implementations and benchmarks of our schemes, demonstrating their practicality and efficiency for real-world deployment as protocol messages are computed in at most a few milliseconds, and communication cost ranges from 10.5 kB to 525 kB depending on the threshold.
Image showing part 2 of abstract.
Threshold Signatures Reloaded: ML-DSA and Enhanced Raccoon with Identifiable Aborts (Giacomo Borin, Sofía Celi, Rafael del Pino, Thomas Espitau, Guilhem Niot, Thomas Prest) ia.cr/2025/1166
20.06.2025 21:11 — 👍 7 🔁 2 💬 0 📌 1
That is called a cryptographic reduction.
20.06.2025 16:47 — 👍 3 🔁 0 💬 0 📌 0
An emoji, crying with laughter. Heavy tears are streaming down its face, suggesting that it is also crying with crying.
20.06.2025 16:45 — 👍 2 🔁 0 💬 0 📌 0
The joys of the Outlook web client.
18.06.2025 16:28 — 👍 1 🔁 0 💬 1 📌 0
"we are simply moving assumptions to a different level of the stack" is all cryptography has ever been about, though. In the end, it's all about informing risk management decisions and moving risk.
The fact that there's nerdy stuff in the way means we get clever people working on it, which is nice.
I think you simplified that a bit too far, there...
The article (and its actual title) are very clear that being fluent with multiplication is good, but that the practice of teaching to the test is not.
A tool that fails safe is more worthy of trust than a tool that fails badly, though. Given that a hybrid KEM is a KEM, I expect it to be made by the tool makers, not by the tool users.
07.06.2025 16:36 — 👍 0 🔁 0 💬 1 📌 0
Sorry I missed it, and happy birthday!
08.05.2025 19:51 — 👍 2 🔁 0 💬 1 📌 0
I might need to start reining in the beard. I look very preacher-y.
Thanks for organising. Looking forward to participating without standing at the front next year :)
I'd like a lawyer, now.
18.04.2025 09:27 — 👍 1 🔁 0 💬 0 📌 0
I simply read the second "breaking" as in breaking news and temporarily found you extremely clever.
18.04.2025 08:15 — 👍 1 🔁 0 💬 1 📌 0
vim + vimtex (github.com/lervag/vimtex) + sioyek (sioyek.info)
Not sure how good sioyek is on mac.
Douglas (@douglas.stebila.ca), Cas and Vincent are excellent speakers indeed. Much less sure about that second guy.
03.04.2025 20:13 — 👍 2 🔁 0 💬 0 📌 0
Slush 'za?
21.03.2025 16:55 — 👍 2 🔁 0 💬 1 📌 0
Thank you for your service.
17.03.2025 09:48 — 👍 1 🔁 0 💬 1 📌 0
Sorry to have to miss it. I'll try to make sure I enable Bristol people who are most affected to join.
11.03.2025 17:38 — 👍 1 🔁 0 💬 0 📌 0
"software fixes alone won't protect against hardware-level attacks" should probably be a bit more measured: the software fix shifted the attack from a broad timing channel to a very narrow and noisy power channel that is *a lot* harder to exploit in practice.
25.02.2025 18:59 — 👍 0 🔁 0 💬 0 📌 0
s/ChatGPT/DeepSeek/
08.02.2025 16:58 — 👍 1 🔁 0 💬 0 📌 0
There is no noise, you only need to compute square roots to find preimages, digests are massive.
Why would you need a mathematician or cryptographer to tell you that ChatGPT is not good at designing cryptography?
The "2FA bypass" described in the write up got me.
samcurry.net/hacking-subaru
Come work with the rather excellent @bedow.bsky.social (and also me)
10.01.2025 17:49 — 👍 8 🔁 2 💬 0 📌 0
Abstract. Suppose you have a supersingular ℓ-isogeny graph with vertices given by j-invariants defined over 𝔽_(p²), where p = 4 ⋅ f ⋅ ℓ^(e) − 1 and ℓ ≡ 3 (mod 4). We give an explicit parametrization of the maximal orders in B_(p, ∞) appearing as endomorphism rings of the elliptic curves in this graph that are ≤ e steps away from a root vertex with j-invariant 1728. This is the first explicit parametrization of this kind and we believe it will be an aid in better understanding the structure of supersingular ℓ-isogeny graphs that are widely used in cryptography. Our method makes use of the inherent directions in the supersingular isogeny graph induced via Bruhat-Tits trees, as studied in [1]. We also discuss how in future work other interesting use cases, such as ℓ = 2, could benefit from the same methodology.
Parametrizing Maximal Orders Along Supersingular ℓ-Isogeny Paths (Laia Amorós, James Clements, Chloe Martindale) ia.cr/2025/033
09.01.2025 15:04 — 👍 1 🔁 1 💬 0 📌 0
Khanh and Eamonn are organising UK Crypto Day on 20 February at King's College London.
Registration is free (and open) but required: uk-crypto-day.github.io/2025/02/20/u...
Help us spread the word and see you there.
Thanks for allowing him to contribute.
17.12.2024 17:45 — 👍 1 🔁 0 💬 0 📌 0