“just tryna get my horn swoggled”

is this anything

Everybody wanna earn 5% interest, but don’t nobody wanna learn about no fractional reserve banking

Behold, a venture capitalist.

Chipmunks On 16 Speed - Sludgefest (Full Album)

Turns out when you play 1980’s Chipmunk Punk by Alvin And The Chipmunks on a 16 RPM turntable it fuckin’ slaps.


In a recent presentation, we promoted the use of 12-round instances of Keccak, collectively called “TurboSHAKE”, in post-quantum cryptographic schemes, but without defining them further. The goal of this note is to fill this gap: The definition of the TurboSHAKE family simply consists in exposing and generalizing the primitive already defined inside KangarooTwelve.

Fewer rounds, more fast.

Fixing the Next 10,000 Aliasing Bugs

Invariants are essential to large scale programming, because it is impossible to hold the entire state of a system in your head at once. Invariants allow you to focus only on the parts of the code responsible for upholding that invariant, and to just assume it holds elsewhere, thus reducing the combinatorial explosion of the state space and allowing the development of software larger than trivial toy examples.

However, code inevitably needs to temporarily violate an invariant while performing updates. The problem comes when there are multiple references to the relevant data, and another reference observes this temporarily violated invariant.

This post does an excellent job of explaining why Rust’s borrow checker is useful for correctness, not just memory management. I spent a lot of time in Go trying to both re-use slices to reduce allocations and shooting my toes off by modifying slices to which I’d accidentally retained references.

How to defeat Ed25519 and EdDSA using faults (blog post) and Practical fault attack against the Ed25519 and EdDSA signature schemes (paper)

We demonstrated it on an Arduino Nano, using the Arduino Libs’ Crypto Ed25519 implementation and simple voltage glitches. We were able to cause single byte random errors at the end of the computation of H(R,A,M), allowing us to efficiently brute-force the error location and value, thus recovering half of the secret key. This allowed us to generate seemingly valid signatures for any message, thanks to randomly generated r values, in a way that is indistinguishable from the real signer to the verifier, since the value r has to be kept secret by the signer.

Basically, use voltage faults to make embedded systems using deterministic signature scheme (e.g. Ed25519) sign the same message with related nonces.

Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears

In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. Although we didn’t recover Satoshi’s private key (we’d be throwing a party instead of writing this blog post), we could see evidence that someone had previously attacked vulnerable wallets with a different exploit and drained them. We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.

The non-academic blog post for that ECDSA attack.

A Novel Related Nonce Attack for ECDSA

We describe a new related nonce attack able to extract the original signing key from a small collection of ECDSA signatures generated with weak PRNGs. Under suitable conditions on the modulo order of the PRNG, we are able to attack linear, quadratic, cubic as well as arbitrary degree recurrence relations (with unknown coefficients) with few signatures and in negligible time. We also show that for any collection of randomly generated ECDSA nonces, there is one more nonce that can be added following the implicit recurrence relation, and that would allow retrieval of the private key; we exploit this fact to present a novel rogue nonce attack against ECDSA. Up to our knowledge, this is the first known attack exploiting generic and unknown high-degree algebraic relations between nonces that do not require assumptions on the value of single bits or bit sequences (e.g. prefixes and suffixes).

RFC 6979-only ECDSA implementations, please. (Or deterministic signatures with noise, modulo patent issues.)

Normalizing crash risk of partially automated vehicles under sparse data (pre-print)

By correcting for roadway usage differences between the Autopilot and active safety only data, much of the crash reduction seen by vehicles using Autopilot appears to be explained by lower crash rates experienced on freeways. While the raw crash rate shows an average 43% reduction in crash rate for Autopilot compared to active safety only, this improvement is only 10% after controlling for different rates of freeway driving. Correcting for age demographics likewise produced an11% increase in the estimated crash rate.