109 comments

[ 3.0 ms ] story [ 182 ms ] thread
Well, for one, iirc Secp256r1 was pseudo random and can be seen glowing in broad daylight.
Glowing...is this metaphorical or some industry term?
Saying that something 'glows in the dark' implies interference, so unfortunately, within cryptography, it has become an industry term as well as metaphor.

Other examples are the 'mystery padding' in keccak vs sha3.

I read the 3 replies and I still don't know what glowing means in cryptographic terms. I even tried to google it with cryptography added but nothing.
It's probably metaphorical, to mean distinguishable ?! And the term has never been used in crypto
(comment deleted)
It's imageboard/IRC slang, you won't find any documentation on it because it's an intentionally obfuscated/dogwhistle phrase intended to only 'make sense' to other browsers who've stuck around long enough to get spoonfed.
Using the term 'dogwhistle' seems like a divisive way to discount what I said. Do you care to articulate yourself in a way that addresses the actual substance of what I said, or is this it?
Glowing is not cryptographic jargon. It's a word used years ago by the developer of TempleOS in a livestream to describe CIA operators. He said he could tell who was CIA because they would glow in the dark. Users of the 4chan technology board witnessed this and it became a meme.

To say something glows means to suggest the US three letter agencies are interfering with it. If some cryptography glows, it means it's been compromised by US authorities. Glowies are the operators themselves.

Agreed that "dogwhistle" is lowkey pejorative. I prefer "shibboleth".
"Glowing" means that it's probably a plot of a government. It's not cryptography-specific.
Isn't Keccak SHA3?
no, keccak is keccak, sha3 is keccak with NIST's mystery padding added in.
Oh huh, I didn't know that, thanks. Sounds like nothing fishy is going on, definitely not.
I’ve never heard a cryptographer use “glow-in-the-dark” when talking about potentially fishy schemes.

Source: am cryptographer

I work with a decent group of academic and industry cryptographers, and I’ve never heard any of them use the term (even as a joke.)

My main familiarity with it is from imageboard culture, where (mostly) reactionaries use it to accuse each other of being feds.

> Saying that something 'glows in the dark' implies interference

Given that "glows in the dark" typically refers to fluorescence[1], where does the interference comes in?

[1]: https://en.wikipedia.org/wiki/Fluorescence

I know that some cryptography protocols have intermediate results that need to be deleted. This is sometimes referred to as 'radioactive waste'
It's a reference to schizophrenic Terry Davis (rip), author of TempleOS, who said CIA agents would glow in the dark, and got popularized through the 4chan /g/ board.

https://www.urbandictionary.com/define.php?term=Glows%20in%2...

weird intersection of the internet.

Terry is/was an HN native, too.

Upvoting all of his shadowbanned stuff that was half-way decent and lucid was a hobby of mine. It still makes me feel good to think about it.

Godspeed Terry.

https://news.ycombinator.com/item?id=7818823

(comment deleted)
I vouched for a few of his comments as well. I definitely think about how a quirk of biology or environment could flip the wrong switch in my brain.

There are millions of sob stories. I don't do as much as I could, but I do more than nothing to help people out. That one, Terry Davis, keeps me up at night sometimes.

Hindsight is 20/20, all we can do is learn for next time.
I watched some of his live streams, saw some cool things but man the things he would say
If we were not meant to distinguish creation from creator, we'd be in a world of trouble. Also, he was quite ill, I'm not sure we can fault him for some of his mannerisms while also admiring his ambition and skill.
Glowie refers to a fed, it started with the templeos guy but is more general now. Glowing means its a fed op to weaken crypto, kinda like the dual ec fiasco.
(comment deleted)
They're saying they don't trust that the constants defining the curve were chosen non-maliciously. The NSA has, in the past, standardized protocols that contained intentional backdoors embedded into the constants used in the definition [1]. Because of things like that, it's desirable for cryptographic protocols to use constants chosen in some way that makes backdooring intractable [2].

1: https://en.wikipedia.org/wiki/Dual_EC_DRBG

2: https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number

4chan's technology board were, let's say, huge fans of Terry Davis, developer of TempleOS. One day during his livestream he said he could see the CIA operators while driving because they would glow in the dark.

Now whenever someone is suspected of being an intelligence agency operator, people reply with pictures of a literal glowing person. Usually happens when someone spreads FUD about technology that's believed to be secure. It is assumed that these agencies are running psychological operations in online communites with the intent to dissuade the use of technology that could defeat them.

Glowing in the dark is something people say when they refer to people from intelligence services. The idea is they stick out when doing dark/stealthy stuff.
“Glows” for something tampered with or “glowies”for agents of three letter agencies doing the tampering is an imageboard culture term first coined by Terry Davis (1969-2018), the iconic developer of TempleOS, who made the probably fantastical but apparently not metaphorical claim that he could distinguish CIA agents from regular people because CIA agents “glowed in the dark”.

After it’s controversial debut on 4chan, Davis’s unsupported claim of selective unexplained human photoluminescence quickly became a meme in imageboard culture. Since imageboard culture is intersectional with software development culture, the terms have worked their way into defacto terminology among a subset of developers that work on things often thought of as adversarial at times to state interests, encrypted chat and cryptocurrency being among these.

The term has bled out some and finds spotty support among other developers in tangential contact. The future of the term is uncertain, as it’s use remains largely isolated despite being canonical since 2017.

please refer to him as The Enlightened One
> These curves were chosen actually for efficiency not security

Isn't this enough?

"efficiency" means not having to deal with federal goons and NDAs, and instead do what they say before your family is suicided.
Being powers of 2 is more efficient because computer memory/buses/caches are aligned to those sizes. It does not necessarily imply that they are less secure than with fields of non-power-of-2 sizes. There might even be a security benefit to having these canonical sizes because it simplifies implementation and makes it easier to perform constant-time operations across different hardware. If you consider that some hardware has additional costs to reading non-aligned memory, you open up the possibility for timing-attacks and other implementation bugs brought about by additional complexity. Sometimes simple is better.
> secp256k1 is a Koblitz curve which is defined in a characteristic 2 finite field,

Secp256k1's base field size is a 256-bit prime. What does he mean?

The bitcoin wiki explicitly says that secp256k1 is not characteristic 2:

> secp256k1 has characteristic p, it is defined over the prime field ℤp. Some other curves in common use have characteristic 2, and are defined over a binary Galois field GF(2^n), but secp256k1 is not one of them.

https://en.bitcoin.it/wiki/Secp256k1

Any recommendations for courses or books that give a 101 intro all the way to understanding these curves and why / how they are used?

I'd like to get a grasp on this from first principles. Thank you!

Wikipedia, honestly. For background math you may want to rely on the citations or other provided texts but a lot of articles have great examples sections.

But... I think you need a more coherent goal than just "understand the math." You can superficially understand the math when guided, but without any reason to retain it I am not sure what you will gain from the experience.

> You can superficially understand the math when guided, but without any reason to retain it I am not sure what you will gain from the experience.

This has been my experience with almost everything I ever learned about math, much of which I have unfortunately not retained.

On my journey into this secret world I sadly had to conclude that understanding of the needed math was severely lacking, and that I'd have to start far back to ever get a grasp on it. But on the flipside it has motivated me to learn a bunch of things I never thought I would when I was younger, and also to program things that I never in my life thought I'd be able to.
Trying to render them in code, or with Desmos, is quite enlightening. Cryptographic tools are also helpful for testing it out in practise, such as OpenSSH. Then read up on the various forums and the Bitcoin Wiki, and try to make your own implementation to generate an address. Next step is trying out other cryptos and their algos, if that's the route you want to take.
Garbage spam page. This shouldn't be on HN. There is a common trend for people to take highly technical subjects do a tiny amount of research and then spam up some page (often full of plagiarism) in order to add bulk to their sites. This is especially common in the "defi / ico" fraud ecosystem.

In this case the article is so poorly researched that even though it says fairly little it manages to make outright false claims about basic facts, e.g. "secp256k1 is a Koblitz curve which is defined in a characteristic 2 finite field, while secp256r1 is a prime field curve"-- which is false, secp256k1 uses a prime field.

Because this isn't getting enough attention, let me point out that nullc is Gregory Maxwell, Bitcoin core developer. The parent comment is the most informed comment here and you should upvote it.
Well, I'm not actually answering the question. :) (and former Bitcoin developer would be more accurate!)

Really people can mostly just speculate on the subject, or offer why they might have chosen it: Satoshi never said much about his choice-- he certainly never said in public that he was concerned with NSA tampered parameters.

I think it was a good choice at the time, esp. now after the expiration of the GLV patent. And the fact that there is no opportunity for NSA tampering scaremongering is a nice feature, but that's my opinion and I have no reason to believe it was Satoshi's.

Thanks for the heads up. Do you have a list of known shady sites, or are there too many popping up to keep up with?

Or perhaps to rephrase, are there are any trustworthy sites covering similar topics?

I wonder if you could track down who Satoshi is based on someone's search queries about Secp256k1 specifically
This is dark… I bet Satoshi is also a regular user of this website.
If he was careful, probably he would have used Tor for his searches.

But I think that NSA-level organization knows who Satoshi is. It's hard to imagine how one would be able to work on such a project, without any background that could be tracked.

Seems like its most likely Hal Finney
I know writing tone can be faked, but his tone doesn't seem like Hal at all. Hal was cheery, and Satoshi was more to the point and intense.
Not to mention he's been playing both sides of a conversation?

https://satoshi.nakamotoinstitute.org/posts/bitcointalk/541/

Bitcoin seems to have been developed by Hal and Satoshi working together with Satoshi being the only other plausible person if you look at the Wikipedia article on him.
I mean yes that too but the Hal is Satoshi camp takes it as a given he was talking to himself in those instances haha.
It's not that hard if you're careful. The last line of defence of using a well-chosen set of WiFi hotspots, auto-generated MAC addresses, and an otherwise silent Linux distro is pretty impenetrable even if all other proxy layering is somehow compromised.

Provided you're disciplined enough to properly containerize all ongoing sessions, of course. Careful planning is all it takes.

The thing is, once you realize you should be careful, it's probably too late.
I don't think there was much "oh no, I didn't realize that yet" with Satoshi. He seemed to have been the epitome of meticulously planning/scheming things well in advance.
But at some point he had to gain this knowledge in this space, and it wasn't instantly that he might have thought to make a cryptocurrency. He didn't start from birth covering his tracks.
Yes but he only has to make it so that there are dozens of people who might plausibly be Satoshi. Which, as far as a decade of scrutiny could uncover, he managed to do.
Only from the outset as lay people we don't know who he is. I'm sure his identity is known by intelligence agencies who have tooling that we aren't privy to.
> otherwise silent Linux distro

So not Windows?

Not sure what the context of your question is, but using Windows for the same purpose is probably doable too. It's just that Linux makes it a lot easier to ensure that your OS isn't any chattier on the network layer than it needs to be. I personally wouldn't feel comfortable trying to be an anonymous Windows user if the stakes were as high as we're alluding to here.
My joke was that Windows phones home too much for good opsec.
Oh, right. Fully agreed then.
> But I think that NSA-level organization knows who Satoshi is.

I'm willing to believe that, but probably not in the way you intended. Obviously the actual truth is unknowable so I am not trying to promote any Theories here and am not fond of anyone who does. However I am willing to entertain reasonably-grounded heterodox speculation and hope you all will indulge me with the same :)

One thing I find very interesting about Bitcoin is how most people seem to automatically assume Satoshi is an individual person due to bearing the name of an individual. I Know Myself well enough to admit how much I love a good underdog story about a smart person-like-myself who's upsetting the status quo, Sticking It To The Man, and/or Raging Against the Machine like Snowden. Doubly so when The Man is the monetary system that hurt my family so badly in the 2008 crash, so I Want To Believe in the (2008) Bitcoin origin story and giving power back to the people. Has it? I guess for a few.

As you mentioned, Tor and cryptocurrency usage go hand-in-hand for certain people and certain classes of transactions. Tor is an admitted creation of the US intelligence community, ostensibly for deployed agents as a sort of bidirectional modern-day Numbers Station. I have to ask myself if that intelligence community would allow the continued existence of such a thing if it came to be used in ways that harmed the USA's agendas. Maybe it would be worth it for them, but again it is unknowable: https://www.bloomberg.com/news/articles/2014-01-23/tor-anony... (http://archive.today/WR9X1)

I know the value proposition of Bitcoin et al for me an an individual, but lately I've been thinking about plausible ways cryptocurrency could simultaneously create incentives/outcomes benefiting others. Cryptocurrency mining sure has done a good job eliminating public availability of general-purpose computing resources since miners will find and exploit them. That kind of thing helps push us all into the open arms of the Tier-1 Internet gatekeepers like AWS and Cloudflare and away from a distributed network where all peers could be equal. Even Github Actions got bitten by this: https://www.bleepingcomputer.com/news/security/github-action...

Privately-owned general-purpose computing seems to be under attack as well. There's no emotion more motivating than fear, and the constant news about CryptoLocker-style ransonware attacks could help manufacture consent for "trusted" computing platforms à la M1 Macs and Windows 11, even among techies who would usually be vehemently against those kind of creeping restrictions. I guess it's an acceptable compromise if it Keeps Me Safe. There wouldn't even be a need for an intelligence community to get their hands dirty since the monetary incentive makes crypto malware inevitable.

What if an intelligence community wanted to buy up a bunch of parallel computing hardware supply (e.g. GPUs) for years without everybody questioning it? Even I don't think twice about blaming miners for the out of control pricing and availability, but I've been reading articles since like 2013 about how ASIC miners spell the end for profitable GPU Bitcoin mining. Aaaany day now would be great. I guess it's all those other coins. Again, unknowable.

I'll stop here since this is rambling and probably too close to Theory territory, but I've been thinking about my assumptions a lot lately and these are a few of them.

spot on, imo
(comment deleted)
> It's hard to imagine how one would be able to work on such a project, without any background that could be tracked.

You have to remember how obscure it was initially, and it's not like it involved terrorism or obviously a thread to national security.

The article basically says that Satoshi went for secp256k1 because for secp256r1 the constants were defined by the NIST under the possible influence of the NSA.

I don't think it is a good argument, I invite every one to take a look at the DES S-Box constants. Many people believed that those were backdoor constants that the NSA planted into the algorithm as there was no explanation on how and why they were chosen. Many years later it turned out that they were picked carefully to protect against differential-linear attacks. An attack only the NSA knew back then. So they gave out safe S-Box constants, and all those who distrusted them and picked random/other S-Boxes were actually screwed, this is really ironic.

https://en.wikipedia.org/wiki/S-box

Right except on the other hand, look at the whole Dual_EC_DRBG fiasco where the NSA gave instructions for how one could pick parameters, but also offered their own suggestion (in some standards, one had to use the suggested parameters.)

The bit about choosing parameters suggests that the NSA didn’t have a benevolent reason to choose those parameters, and the evidence of that algorithm being exploited in the wild suggests that the NSA may have chosen their parameters with that exploit in mind.

The way the Dual_EC_DRBG backdoor worked is that only they (the NSA) could exploit it, they had the equivalent of a master private key.

The NSA has a track record of never putting out Cryptography that could be broken by any other actor than the NSA itself.

"of never putting out Cryptography that could be broken by any other actor than the NSA itself. "

If the only obstacle for others is "unknown Math" - then surely you can rule the script kiddies out, but I believe there are quite some other clever people with strong Math background around, who do not work exclusively for the NSA.

The Dual_EC exploit was possible not because the NSA were cleverer than everyone else but because they wrote the standard and chose the parameters. The parameters involved two points, P and Q, on an elliptic curve group with rank 1 and prime order. Because of these properties there must be some number e such that P = Q^e (written P = e * Q in the common elliptic curve group notation) but it is hard to find e from only P and Q (this is the discrete log problem for this EC group and it, or its close relative the Diffie–Hellman, problem being hard is a common foundation for security in cryptography.) However if you are choosing the parameters, you can just choose Q and e and compute P = Q^e yourself.
The Juniper hack (where their firewall product had a backdoor injected) was enabled by someone breaking into the company and modifying the parameters for Dual_EC_DRBG. It was sufficient for the algorithm to allow for a backdoor for there to be problems. Presumably it would have been caught sooner had the hack required a backdoor to be hidden in the source code and not some bytes that looked like a magic constant.
Dual_EC_DRBG is bad because someone with access to Junipers source repos was able to backdoor their implementation? Do you realise how preposterous that sounds?

> Presumably it would have been caught sooner had the hack required a backdoor to be hidden in the source code and not some bytes that looked like a magic constant.

Have you seen what real life bugdoors look like?

… but that’s exactly the reason Satoshi distrusted the NSA. All else being equal, what possible incentive is there to design Bitcoin in a way that might theoretically be vulnerable to the NSA?
Lots of money? If you can short cut mining, it's cleaner black money than dealing drugs or people, probably. And if you can steal from someone else's address, maybe that's even better... You can seize funds with no red tape. Or mete out that capability to allies etc. Why wouldn't the NSA want to support a parallel financial system that criminals flock to? Just like why wouldn't the NSA want to covertly support encrypted messaging apps or the FBI do that...
If the Bitcoin ecosystem is broken like that, the coins are worthless. You can use an attack like that only once.
There is no such thing. Russia and China have state mathematical capabilities just as good as the US has.
If the standard is that you attach a copy of your message encrypted with an NSA-provided public key, and only the NSA has access to the private key, then being good at math won’t help Russia or China.

Obviously the NSA couldn’t get people to use such a standard but they managed to slip something like that into Dual_EC and had success in getting people to use it.

The right thing to do then was to disclose the attack, explain their choices, and further cryptography.

Instead they seemingly wanted to exploit anyone who didn’t use their constants, I guess?

This was during the cold war. They didn't wanted the soviets to know, but apparently they already knew the attack as well.
Thanks for the context. I’m still pessimistic about them as unelected ultra powerful blameless immortal all seeing eyes - but I get that good people might make the same decisions with the same info.
Uh, their job isn’t to “further cryptography”. It’s to further America’s interests.
Well, advance their chosen clients' interests.
The r-curve parameters were apparently chosen by picking a random number, and hashing it, which somehow "proves" no nefarious play. Problem is that one could keep picking random numbers, hashing them, to get curve parameters vulnerable to an attack not commonly known. There is no attempt to explain how these numbers were chosen, or to use a nothing-up-my-sleeve number.

From "SEC 2: Recommended Elliptic Curve Domain Parameters":

"... one type being parameters associated with a Koblitz curve and the other type being parameters chosen verifiably at random"

"Verifiably random parameters offer some additional conservative features. These parameters are chosen from a seed using SHA-1 as specified in ANSI X9.62 [X9.62]. This process ensures that the parameters cannot be predetermined."

The trick here is to not use a random number as the input. Instead you pick some meaningful input. Say the string "secure random 256 bit curve parameters". You then hash that meaningful string to get a random number that is much harder to manipulate by brute force.

Parameters generated this way are called "nothing up your sleeve" numbers.

Couldn't you generate an arbitrarily large number of variations of vaguely human meaningful sentences, until one of them ended up with a convenient hash? The sentence you wrote as an example sounds like something an ML model would spit out.

Yesterday I texted my coworker a suggestion to dockerize his yocto build so that it would work better in vagrant on a lambda server in the cloud. It's borderline these days, but he realized I was being facetious. He retorted with a serious comment about 500 lines of typescript to run 5 lines of bash.

There are a lot more 1024-bit primes than plausible sentences.
You could, theoretically, yes. Ideally it should be short and low entropy and you're a bit relying on laws of big numbers and a small amount of trust.

"aes" is better than "aes is the best!" which is better than "aes123884586314745"

With "meaningful input" one usually means some prime number or the eg. first X digits of a constant like pi. (and if you chose a strange prime or constant, people would also ask questions)

This generally narrows down the options to something were relatively little trickery is possible: keep in mind that the eg. hashes used to break some encryption would have to be very specific so that the algorithm isn't trivially broken to begin with.

The more important part about nothing-up-my-sleeve is really the justification for choosing a particular hash/number. If, let's say your algorithm needs a prime with at least 10 digits and you pick the first prime with 10 digits nobody asks questions. If you picked the 16th, then people would ask questions.

Similarly, if you can pick any arbitrary ten digit number and you pick the first 10 digits of pi, nobody will ask questions. If you picked the million'th to million-and-tenth digit of pi people would asks questions.

"meaningful" has to be understood more as "from a pool of constants that leave little room for (mallicious) adjustment". The abstracter the number, the higher the potentially used searchspace.

with a precomputed value comes with an enormous “strain”bow table.
I wonder if anything is known about the choice of base point, which in compressed form is:

    G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
Is this choice beneficial for efficiency? If the choice of G doesn't matter, why not choose it as having the smallest possible x coordinate?

Many applications use a second generator H, which must be an unknown multiple of G. This is achieved by defining it as essentially SHA256(G).