Posts by Sofia Celi

Quantum frontiers may be closer than they appear An overview of how Google is accelerating its timeline for post-quantum cryptography migration.

I would bet against Q day by 2030, but I wouldn't bet against it at 10:1 odds. ~10% risk is unacceptably high here, so I'm very in favor of transitioning to quantum-safe cryptography by 2029: blog.google/innovation-a...

Yes this means I 90% expect to be made fun of in 2030. Oh well.

3 weeks ago 22 7 1 0
A cluttered and complicated chart relating qubit counts to qubit error rates, comparing today's devices to cryptographic attacks.

Overdue quantum landscape update: sam-jaques.appspot.com/quantum_land...

A 2d chart can only say so much. tl;dr new results are still overhyped, but definitely worth taking seriously. This chart is based on surface codes and a big question now is whether new codes can be practical (=>useless chart)

1 week ago 48 20 1 2

Our optimised Threshold MAYO!

1 week ago 6 0 0 0
Issue 103 – The President’s Council of Podcasters Coinbase is accused of holding the cryptocurrency industry hostage over stablecoin rewards, prediction markets face an onslaught of opposition, and a Stand With Crypto poll can’t even get enthusiasm f...

Newsletter: Coinbase is accused of holding the cryptocurrency industry hostage over stablecoin rewards, prediction markets face an onslaught of opposition, and a Stand With Crypto poll can’t even get enthusiasm from its own activists

www.citationneeded.news/issue-103/

3 weeks ago 146 27 1 2
Award2026

2026 Caspar Bowden Award - Nominations OPEN! 🏆
Know a groundbreaking PETs paper? Nominate it:
- Eligibility: Papers published between Apr 1, 2024 – Mar 31, 2026.
- Deadline: May 08, 2026
- Nominate: submit.petsymposium.org/award2026/
Info: petsymposium.org/award/cfn.php
#PETS2026 #CasparBowdenAward

1 month ago 0 2 0 0
Craptology debrisPrint Snarkive

In honor of April Fool's Day (which has already started in Australia), I offer you debrisprint.iacr.org for AI-generated cryptology content.

2 weeks ago 16 6 1 0
Craptology debrisPrint Snarkive

Enjoy your April....

debrisprint.iacr.org

2 weeks ago 8 4 0 0
Apple Gives FBI a User’s Real Name Hidden Behind ’Hide My Email’ Feature The move isn't surprising, but shows what data is available to authorities when paying Apple customers use the Hide My Email feature.

In something you don't see every day, Apple gave the FBI the real name and email address of one of its customers using Apple's 'Hide My Email' feature. This lets you generate random email addresses to protect your privacy www.404media.co/apple-gives-...

3 weeks ago 306 133 11 16
This Company Is Secretly Turning Your Zoom Meetings into AI Podcasts WebinarTV hosts 200,000 “webinars.” A Zoom call you may have thought was private might be one of them.

This is wild: a company is secretly scanning the internet for Zoom meeting links and turning them into AI-generated podcasts for $$$. Some meeting participants only found out after we told them. Included meeting on protecting kids from ICE, was supposed to be private www.404media.co/this-company...

4 weeks ago 1546 924 34 125
‘It means missile defence on datacentres’: drone strikes raise doubts over Gulf as AI superpower Iran’s targeting of commercial datacentres in the UAE and Bahrain signals a new frontier in asymmetric warfare

Adding “datacenter blown up by Iranian drone” to my list of distributed systems failure modes www.theguardian.com/world/2026/m...

1 month ago 161 31 8 5
MaGIC 2026 - Marche Workshop on Group Actions in Cryptography A workshop dedicated to the study of cryptographic group actions, a rapidly evolving area at the intersection of algebraic geometry, number theory, and post-quantum cryptography. The workshop will bri...

We still have a few spots left at MaGIC!

Registration closes this week... Hurry up if you want to be on top of all the latest news on Cryptographic Group Actions!

magic-workshop.github.io

1 month ago 1 7 0 0
#realworldcrypto

1 month ago 2 1 1 0

<3 logo was mine hahaha I need to make logos for all!!

1 month ago 1 0 0 0

Great talk @claucece.bsky.social . And cool protocol!! 6 signers is plenty

1 month ago 2 1 1 0
Look at this beautiful arrrrt

#realworldcrypto

1 month ago 5 1 1 1
Abstract. Signal is a secure messaging app offering end-to-end security for pairwise and group communications. It has tens of millions of users, and has heavily influenced the design of other secure messaging apps (including WhatsApp). Signal has been heavily analysed and, as a result, is rightly regarded as setting the “gold standard” for messaging apps by the scientific community. We present two practical attacks that break the integrity properties of Signal in its advertised threat model. Each attack arises from different features of Signal that are poorly documented and have eluded formal security analyses. The first attack, affecting Android and Desktop, arises from Signal’s introduction of identities based on usernames (instead of phone numbers) in early 2022. We show that the protocol for resolving identities based on usernames and on phone numbers introduced a vulnerability that allows a malicious server to inject arbitrary messages into one-to-one conversations under specific circumstances. The injection causes a user-visible alert about a change of safety numbers, but if the users compare their safety numbers, they will be correct. The second attack is even more severe. It arises from Signal’s Sealed Sender (SSS) feature, designed to allow sender identities to be hidden. We show that a combination of two errors in the SSS implementation in Android allows a malicious server to inject arbitrary messages into both one-to-one and group conversations. The errors relate to missing key checks and the loss of context when cryptographic processing is distributed across multiple software components. The attack is undetectable by users and can be mounted at any time, without any preconditions. As far as we can tell, the vulnerability has been present since the introduction of SSS in 2018. We disclosed both attacks to Signal. 
The vulnerabilities were promptly acknowledged and patched: the first vulnerability was fixed two days after disclosure, while the second one was patched after eight days. Beyond presenting these devastating attacks on Signal’s end-to-end security guarantees, we discuss more broadly what can be learned about the challenges of deploying new security features in complex software projects.

Image showing part 2 of abstract.

Signal Lost (Integrity): The Signal App is More than the Sum of its Protocols (Kien Tuong Truong, Noemi Terzo, Kenneth G. Paterson) ia.cr/2026/484

1 month ago 25 13 0 1

It's RWC. So follow online with @durumcrustulum.com ....

1 month ago 6 2 0 0
US Defense Secretary’s Media Remarks on Rules of Engagement US Defense Secretary Pete Hegseth commented at a news conference on March 2, 2026, about “stupid rules of engagement,” suggesting that they may interfere with “fight[ing] to win.” These remarks are co...

US Defense Secretary Pete Hegseth made comments about “stupid rules of engagement” on Monday, suggesting they may interfere with “fight[ing] to win” in Iran. www.hrw.org/news/2026/03...

1 month ago 55 24 6 5
In addition to the many things I didn't like about the Natural History Museum in London, one thing I especially disliked is a huge wall given to showing *constellations* (or, as I prefer to think of them, "old-school hallucinations"). Let's have some actual science, people.

1 month ago 6 1 2 0
Google with AI buttons

Google without AI buttons

I made a filterlist for uBlock Origin to remove Generative AI features on websites. Includes blocks for
* Google AI Summaries
* YouTube Ask button & chat summaries
* GitHub Copilot
* Facebook AI chat
* X's Grok buttons
* Deviantart DreamUp
* Booru AI images
* And more

github.com/Stevoisiak/S...

2 months ago 23492 11700 290 236
Defend Privacy and Free Speech Don’t let tyrants co-opt tech. Join EFF and help fight back.

Do you love free speech, right to repair, and open source tech? If so, you should become a member of EFF today! eff.org/join

1 month ago 64 24 0 0
So-called 'nudify' apps. Smart glasses that secretly record video. An explosion in sexualised deepfakes.

Tech has turned against women, and it's time to regulate it properly, says author and gender equality campaigner Laura Bates.

Read more: ft.trib.al/Z3gd5bP

1 month ago 903 342 17 38

GDB will now have a save history command to save the command history to a file whenever you want.

This is cool as I usually need to manually copy-paste commands anyway because GDB tends to crash during my debugging sessions.

1 month ago 3 1 1 0
Hackers Expose Age-Verification Software Powering Surveillance Web Three hacktivists tried to find a workaround to Discord’s age-verification software. Instead, they found its frontend exposed to the open internet.

Hacktivists tried to find a workaround to Discord’s age-verification software, Persona. Instead, they found its frontend exposed to the open internet, and that was just the beginning.

www.therage.co/persona-age-...

1 month ago 1224 604 25 56

“Based on these ethnographic findings, we initiate the cryptographic study of at-compromise security”

martinralbrecht.wordpress.com/2026/02/17/b...

2 months ago 11 1 0 0
Analysis and Vulnerabilities in zkLogin Zero-Knowledge Authorization (ZKA) systems allow users to prove possession of externally issued credentials (e.g., JSON Web Tokens) without revealing the credentials in full via the usage of Zero-Know...

Read our paper: eprint.iacr.org/2026/227 and blogpost: brave.com/blog/zklogin/

2 months ago 3 0 0 0

This is not a failure of zero-knowledge proofs. It is a systems security failure caused by composition: ill-defined semantics, missing binding guarantees, exposed long-lived credentials, unjustified frontend trust assumptions, and opaque trust centralization.

2 months ago 1 0 1 0

5. Allows for centralization and privacy regressions: JWTs, often containing sensitive identity attributes, are forwarded to third-party services outside the original OIDC consent relationship, with no explicit user awareness or control.

2 months ago 0 0 1 0

4. Incorrectly trusts the frontend: zkLogin explicitly assumes that the frontend application is trusted and security-irrelevant, arguing that public frontend implies sufficient scrutiny. This assumption does not hold in real-world browser threat models.

2 months ago 0 0 1 0

3. Exposes long-lived credentials as static, long-lived bearer credentials exposed directly to browser environments. These credentials are commonly: stored in browser-accessible storage (e.g., localStorage), transmitted directly from frontend JavaScript and reused indefinitely.

2 months ago 0 0 1 0