Posts by Thomas Ptacek

Vulnerability Research Is Cooked

I wrote something: sockpuppet.org/blog/2026/03...

4 days ago 89 39 7 7
Cryptographer Matt Green as God Emperor Leto II

1 week ago 11 1 2 0
Link preview (title truncated): "AI Finds Vulns You Can…". Returning champion Nicholas Carlini comes back to talk about using Claude for vulnerability research, and the current vulnpocalypse. It's all very high-brow ...

Yeah, so, I'm going to have more to say about this later, but, for now... yeah.

securitycryptographywhatever.com/2026/03/25/a...

1 week ago 13 5 2 0

I'm particularly proud of that graf. I lived in Evanston earlier in my life, and have been in Oak Park for 20 years. Anybody in Evanston who wants to compare notes with us, I promise, we won't sabotage your efforts to legalize housing just so we can get there first. But we will get there first.

1 week ago 8 0 0 0

Extremely psyched about two upcoming SCW guests, one of them this week. We've got very crunch vulnerability research and cryptography stuff coming.

2 weeks ago 23 3 0 0
Y'all, I've seen some shit, but I've never seen someone want *both* DNSSEC ceremonies *and* the CA/B Forum before.

3 weeks ago 14 0 3 0

Ozamataz Buckshank. Stanford University.

4 weeks ago 0 0 0 0
("Current LLMs are better vulnerability researchers than I am.")

4 weeks ago 4 0 0 0
Nicholas Carlini at [un]prompted. If you know Carlini, you know this is a startling claim.

4 weeks ago 33 3 1 2

None of you are giving me enough credit for not participating on the TLS working group mailing list. You're welcome. Everything I don't do, I don't do it for you.

1 month ago 26 2 2 0

Annals of things people have actually written down for other people to read: "No one trusts NIST. But people do trust the IETF."

1 month ago 4 0 0 0

People who hope to apply Daniel Bernstein's rules-lawyering tactics at IETF, which were honed in the DNS WGs (where he was probably in the right), would do well to remember that those tactics have consistently failed. They've merely won him standing to complain about the IETF.

1 month ago 3 0 0 0

All this debate about whether MLKEM breaks formal methods results on the TLS protocol, when the answer all along was simply to deploy Additive Cryptography.

1 month ago 4 0 1 0
Link preview: "Additive Cryptography for TLS". This document defines Additive Cryptography for TLS, a transition framework in which algorithms are never replaced and only accreted. Implementations MUST NOT negotiate a single key exchange algorithm...

There's only one correct way forward for handling the introduction of MLKEM into TLS, and, indeed, all future tls-wg cryptography debates, and it's this proposal:

snkth.com/add-crypto/

1 month ago 19 2 1 0

Given how I am only

a) a beneficiary of air travel (thanks for all the miles so far)
b) a non-avionics-expert reader of the EUROCAE WG-128 RTCA/DO-254 drafts
c) a spectator usually attending this type of debate with popcorn

I hope my comments are useful...

1 month ago 4 0 0 0
"Auchentoshan" is inarguably the best distillery name.

1 month ago 4 1 0 0

Stop making videos you don't love sharing. Jesus.

1 month ago 0 0 0 0
Semantle Crab

ok so this is obviously very old news and also nobody is ever going to solve it better than this:

web.archive.org/web/20220421...

1 month ago 2 0 0 0
Word2Vec Explorer

Here's a trivial one-word-at-a-time implementation of the same rough idea (I'm not using their algorithm, it'll take you more guesses than it takes them, but you'll still get them in like <10 guesses).

semvec3-jpn.sprites.app

1 month ago 1 0 1 0
A Solver for Semantle

Very fun: if you have the dictionary of embeddings Semantle uses, solving it is a trivial linear algebra problem: they're giving you the cosine similarity back on every guess, so you can filter out most of the vocabulary on a single guess.

victoriaritvo.com/blog/semantl...

1 month ago 11 0 1 0
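An added illustration of the filtering idea in the post above (this is not the linked blog's solver, nor Semantle's code): a constructed nine-word vocabulary with hand-made 3-d vectors stands in for the real word2vec table, a stand-in oracle answers each guess with the cosine similarity to the secret, and the solver keeps only the words whose similarity to the guessed word matches the reported score. With exact scores one guess usually collapses the candidate set to the secret itself. The `EMBEDDINGS` table, the `SemantleOracle` class and the `solve` function are all assumptions made up for this example.

```python
import math

# Constructed toy vocabulary with made-up 3-d embeddings (not Semantle's real word2vec table).
EMBEDDINGS = {
    "apple":  (0.9, 0.1, 0.0),
    "pear":   (0.8, 0.2, 0.1),
    "banana": (0.7, 0.3, 0.2),
    "car":    (0.0, 0.9, 0.1),
    "truck":  (0.1, 0.8, 0.3),
    "road":   (0.2, 0.7, 0.4),
    "ocean":  (0.0, 0.1, 0.9),
    "river":  (0.1, 0.2, 0.8),
    "lake":   (0.2, 0.1, 0.7),
}


def cosine(u, v):
    """Cosine similarity between two vectors: dot product over the product of norms."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)


class SemantleOracle:
    """Stand-in for the game server: answers each guess with the similarity to the secret word."""

    def __init__(self, secret):
        self.secret = secret
        self.guesses = 0

    def guess(self, word):
        self.guesses += 1
        return cosine(EMBEDDINGS[word], EMBEDDINGS[self.secret])


def solve(oracle, vocab, tol=1e-6):
    """Repeatedly guess, then keep only candidates consistent with the reported score.

    Returns (secret, history) where history is the list of (guess, score) pairs.
    Each guess that is not the secret is itself eliminated (its self-similarity is 1.0),
    while the secret always survives the filter, so the loop terminates.
    """
    candidates = set(vocab)
    history = []
    while True:
        guess = sorted(candidates)[0]  # deterministic choice: first remaining word
        score = oracle.guess(guess)
        history.append((guess, score))
        if abs(score - 1.0) < tol:
            return guess, history
        # Linear-algebra filter: the secret must sit at exactly this cosine from the guess.
        candidates = {
            w for w in candidates
            if abs(cosine(EMBEDDINGS[w], EMBEDDINGS[guess]) - score) < tol
        }


def guesses_needed(secret, vocab=EMBEDDINGS, tol=1e-6):
    """Convenience wrapper: how many oracle queries the solver spends on a given secret."""
    oracle = SemantleOracle(secret)
    found, _ = solve(oracle, vocab, tol)
    assert found == secret
    return oracle.guesses


if __name__ == "__main__":
    for secret in EMBEDDINGS:
        print(f"{secret:>7}: solved in {guesses_needed(secret)} guesses")
```

With a real 300-dimensional table of tens of thousands of words the same filter applies, but the game reports the score rounded to a few decimal places, so `tol` has to be widened to match the rounding and several guesses are needed before the candidate set shrinks to one word.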

Chapoly authenticates the ciphertext whose keys you establish with 25519, but authenticating the key exchange is a separate problem. In the messaging setting, this is what 3DH is about in Signal Protocol.

1 month ago 3 0 1 0

It's mostly just me making dumb noises at clips from a (great) paper, so I don't think people are missing all that much.

1 month ago 0 0 1 0

No, you have the same problem with 25519! You still have to authenticate the keys.

1 month ago 1 0 1 0

Sort of. Moxie Marlinspike once wrote a blog called "the cryptographic doom principle" that went viral so everybody knows you have to encrypt your CBC ciphertext, but no commercial entity appears ever to have realized they needed to do that with RSA ciphertexts as well.

1 month ago 4 0 1 0

For a lot of years I was in the habit of criticizing cryptography designs that used asymmetric constructions because RSA is much more complicated and hard to get right than symmetric crypto. But the real problem is that it's against the law to authenticate an RSA key.

1 month ago 8 1 2 0
It was when I got to the attack labeled "Lucky 64", after this paper managed to fit Thai and Juliano's BEAST into a short predicate building-block attack, that I realized that the authors of this paper were conducting a sick game to see how many TLS attacks they could cram into a non-TLS paper.

1 month ago 15 3 1 0
(Akon voice) STILL COUNTS!

1 month ago 6 0 1 0

Ok so my takeaway so far is that Bitwarden managed somehow to recapitulate DROWN in a simple client/server password manager app with a single vendor.

1 month ago 4 2 1 0
Claude, tell me, what would the worst possible feature to have be if your cryptosystem had the property of lots of k=v fields and arbitrarily swappable ciphertexts?

1 month ago 1 0 1 0
The problem with this paper is that every paragraph of it is screenshot-worthy.

1 month ago 12 0 1 1