https://paseo.sh/ supports self-hosting, though I've only used it a mild amount tbh.
I don't think quibbling over "equivalence" vs "equality" is useful personally. They're both "equality". Just what the sign "=" means differs depending on the type information. E.g x: ZmodN == y: ZmodN is a different…
there's been some forward movement on doing this via an appropriate intrinsic in LLVM https://github.com/llvm/llvm-project/pull/166702 note that this isn't the only "trick" needed for constant-time programming though.…
that has some technical limitations. For example, their impl can compile to wasm, which makes giving an online interpreter simpler/lighter weight than relying on running python in the browser.
note that similar concepts appear in mathematics. Generally the term for it is a "mollified" function. applied to the step function, you would get a smooth cutoff function…
as a heads up, there is another attack paper against McEliece today https://eprint.iacr.org/2026/1339 Note that this is by someone from the BSI. It's worth mentioning the BSI is very familiar with lattice-based schemes…
you'd probably call it "Product NTRU" then, and be a minimum a decade out of date. So you'd probably have to do all that weird shit with co-different ideals Peikert was trying to get us all to do (I know it was "right"…
huh. I really wouldn't want the Nobel Prize committee in medicine doing cryptographic work then. good thing your comment has nothing to do with cryptography then :)
it's worth clarifying that its entrants were all qualified, and 2 other essentially identical schemes, namely New Hope and Saber, made it very deep into the NIST competition. All 3 (roughly) took the approach of 1. take…
It really depends on what the precise details of the attack look like. 1. algebraic structure: sure use frodoKEM 2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates…
that's really not possible for ML-KEM. They took a well-known "boring" design, and tweaked certain internal sub-components of it. Their tweaks were good, and their analysis/exposition of it were good. So they deserve to…
the NSA also recommends elliptic curve cryptography, and designed SHA2 themselves. if you want we can talk through how to disable all of these ciphersuites, so you can be stuck with a bunch of shitty stuff from the 90s…
as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known. https://en.wikipedia.org/wiki/NOBUS note that there is no even candidate way the NSA…
1. Kyberslash is mostly marketing. Some implementations (including the Kyber reference implementation, but *not* including the Kyber AVX implementation) had a non-constant time component. This is a meaningful CVE. It is…
there is no indication there are similar papers. Curiously, the best lattice cryptanalysts in the world are chinese and european (here I'm thinking of people like Ducas, Albrecht, and Ding). It's actually a weird…
this is not what I said before. As I mentioned in the post you replied to, there are certain scenarios (e.g. hardware) where pure ML-KEM has significant performance benefits. It instead should not be the default…
if you blindly distrust the NSA, you should stop using x25519 immediately. It uses SHA2, which was solely developed by the NSA. If DJB blindly distrusts the NSA, he would also recommend against SHA2. But he doesn't, and…
you would make poor decisions then. McEliece recently (in the last month) had a large new attack against it https://eprint.iacr.org/2026/1232 This doesn't hit classic McEliece yet, but is part of a line of work that…
this is entirely wrong. Lattice-based cryptography has been extremely well-studied theoretically and practically, even before standardization. For example, a (hybrid) lattice-based KEM was (experimentally) deployed in…
NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100)…
using pure ML-KEM is not a footgun. Some people may have doubts about lattice-based cryptography, despite being securely deployed in Chrome nearly a decade ago. Some people have doubts about many things. The fact that…
note that this says something more limited than what you're saying. Specifically, an american company was not allowed to give access to the cryptography you describe to non-Americans. This was still a very bad policy,…
actually another more basic point: SIKE is much more closely related to elliptic-curve cryptography than lattices. People would not use SIKE to argue that ECC is unreliable though.
those are not remotely the same things though? You're also (formally) wrong about DUAL_EC_DRBG for two reasons 1. the payment to RSA (in 2004) was secret. So it could not have been a public indication of a problem, as…
there has been no hint of a backdoor in ML-KEM. In fact, it (and every lattice-based scheme) has been made less efficient on purpose to rule out the only possible backdoor (the ephemeral "a" part in LWE-type samples…
https://paseo.sh/ supports self-hosting, though I've only used it a mild amount tbh.
I don't think quibbling over "equivalence" vs "equality" is useful personally. They're both "equality". Just what the sign "=" means differs depending on the type information. E.g x: ZmodN == y: ZmodN is a different…
there's been some forward movement on doing this via an appropriate intrinsic in LLVM https://github.com/llvm/llvm-project/pull/166702 note that this isn't the only "trick" needed for constant-time programming though.…
that has some technical limitations. For example, their impl can compile to wasm, which makes giving an online interpreter simpler/lighter weight than relying on running python in the browser.
note that similar concepts appear in mathematics. Generally the term for it is a "mollified" function. applied to the step function, you would get a smooth cutoff function…
as a heads up, there is another attack paper against McEliece today https://eprint.iacr.org/2026/1339 Note that this is by someone from the BSI. It's worth mentioning the BSI is very familiar with lattice-based schemes…
you'd probably call it "Product NTRU" then, and be a minimum a decade out of date. So you'd probably have to do all that weird shit with co-different ideals Peikert was trying to get us all to do (I know it was "right"…
huh. I really wouldn't want the Nobel Prize committee in medicine doing cryptographic work then. good thing your comment has nothing to do with cryptography then :)
it's worth clarifying that its entrants were all qualified, and 2 other essentially identical schemes, namely New Hope and Saber, made it very deep into the NIST competition. All 3 (roughly) took the approach of 1. take…
It really depends on what the precise details of the attack look like. 1. algebraic structure: sure use frodoKEM 2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates…
that's really not possible for ML-KEM. They took a well-known "boring" design, and tweaked certain internal sub-components of it. Their tweaks were good, and their analysis/exposition of it were good. So they deserve to…
the NSA also recommends elliptic curve cryptography, and designed SHA2 themselves. if you want we can talk through how to disable all of these ciphersuites, so you can be stuck with a bunch of shitty stuff from the 90s…
as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known. https://en.wikipedia.org/wiki/NOBUS note that there is no even candidate way the NSA…
1. Kyberslash is mostly marketing. Some implementations (including the Kyber reference implementation, but *not* including the Kyber AVX implementation) had a non-constant time component. This is a meaningful CVE. It is…
there is no indication there are similar papers. Curiously, the best lattice cryptanalysts in the world are chinese and european (here I'm thinking of people like Ducas, Albrecht, and Ding). It's actually a weird…
this is not what I said before. As I mentioned in the post you replied to, there are certain scenarios (e.g. hardware) where pure ML-KEM has significant performance benefits. It instead should not be the default…
if you blindly distrust the NSA, you should stop using x25519 immediately. It uses SHA2, which was solely developed by the NSA. If DJB blindly distrusts the NSA, he would also recommend against SHA2. But he doesn't, and…
you would make poor decisions then. McEliece recently (in the last month) had a large new attack against it https://eprint.iacr.org/2026/1232 This doesn't hit classic McEliece yet, but is part of a line of work that…
this is entirely wrong. Lattice-based cryptography has been extremely well-studied theoretically and practically, even before standardization. For example, a (hybrid) lattice-based KEM was (experimentally) deployed in…
NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100)…
using pure ML-KEM is not a footgun. Some people may have doubts about lattice-based cryptography, despite being securely deployed in Chrome nearly a decade ago. Some people have doubts about many things. The fact that…
note that this says something more limited than what you're saying. Specifically, an american company was not allowed to give access to the cryptography you describe to non-Americans. This was still a very bad policy,…
actually another more basic point: SIKE is much more closely related to elliptic-curve cryptography than lattices. People would not use SIKE to argue that ECC is unreliable though.
those are not remotely the same things though? You're also (formally) wrong about DUAL_EC_DRBG for two reasons 1. the payment to RSA (in 2004) was secret. So it could not have been a public indication of a problem, as…
there has been no hint of a backdoor in ML-KEM. In fact, it (and every lattice-based scheme) has been made less efficient on purpose to rule out the only possible backdoor (the ephemeral "a" part in LWE-type samples…