John Young | 17 May 18:07 2015

NYT on Nick Szabo and Bitcoin

Those around cypherpunks 1993-1998 will recall Szabo's emails on
bitcoin early precursors along with Adam Back, Hal Finney, Tim May,
Wei Dai, Lucky Green, Hettinga, many more burgeoning F-Cs. NYT
piece credits cpunks as subversive birther, now being hyper-monetized
by arch-cryptoanarchist Goldman Sachs and many more centralists.

Szabo denies being Satoshi, but ... others rush to fill the gap
cryptography mailing list

Javascript scrypt performance comparison

Hi all,

has anyone ever made a performance comparison of existing JS scrypt

Currently there are those three:
- scrypt-async-js
- js-scrypt (emscripten compiled)
- webgl-scrypt

Anyone ever analyzed/compared them?

Also, for upcoming implementations extending the scrypt concept, like
yescrypt/yescrypt-lite, it would be very interesting to think about how to
make them faster in the context of the browser/JavaScript/HTML5.

Being able to fully exploit WebCrypto/WebGL to deliver quasi-native
performance in the browser would be cool.


Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights

Designing a key stretching crypto that maximize use of WebCrypto?

Hi all,

Testing the lovely slowness of a pure scrypt implementation in
JavaScript running in the browser, I was wondering whether anyone has ever
tried to think about/design a cryptosystem for key stretching purposes that
leverages only the existing WebCrypto API (with the goal to use, let's
say, 80% of CPU time in native crypto code rather than JS code)?

In the browser, native crypto code through the WebCrypto API obviously
works much faster than JS crypto code (how much?)!

stargrave | 3 May 15:44 2015

GoVPN -- reviewable secure state-of-the-art crypto free software VPN daemon

The GoVPN project should be interesting to this mailing list:
Aimed to be a reviewable, secure, DPI-resistant, state-of-the-art crypto
free software VPN daemon.

It is written in Go, so it has a small source code size. It uses a fast
Password Authenticated Key Exchange (PAKE) based on Diffie-Hellman (DH)
Augmented Encrypted Key Exchange (A-EKE) for mutual strong
zero-knowledge peer authentication, using Curve25519 and Ed25519. Data
transport is encrypted (Salsa20), authenticated (Poly1305), and hides
message length and timestamp by appending noise and generating
constant packet rate dummy traffic. It has the Perfect Forward Secrecy (PFS)
property, and resistance to dictionary attacks (PBKDF2 and server-side
verifiers) and replay attacks (nonces). Built-in heartbeating and
rehandshaking. All traffic is indistinguishable from the noise.

Feedback is appreciated!


Happy hacking, Sergey Matveev
John Young | 30 Apr 21:14 2015

Matt Blaze Testimony on Encryption

Matt Blaze testified yesterday at the House hearing on encryption

Others too:
John Young | 25 Apr 16:44 2015

Re: Shamir Reveals Sisyphus Algorithm

Indeed. Inherent leakiness of digital technology is a gift of Olympus,
aka James Bidzos aka RSA. Never enough fault-rich crypto.

Digitalization might be the quintessential foolhardiness, or comsec
opportunism, which had led to endless apologies, apologias, apoplexies.

And hurrahs among investors, urging hackers and insiders to spill
secrets sufficient to assure comsec-panicky buyers. Bug bounties
hilariously, assuredly, self-defeating as backdoor warnings.

At 09:49 AM 4/25/2015, Ben Laurie wrote:
>On 22 April 2015 at 17:24, John Young <jya@...> wrote:
> > Futility of trying to eliminate every single vulnerability in a given piece
> > of software.
>The name of the game is to protect the secrets despite bugs. And I
>don't mean with cryptography.
John Young | 23 Apr 02:02 2015

NSA releases 52,000 pages of William F. Friedman Collection

NSA releases 52,000 pages of William F. Friedman Collection, searchable:

Document index spreadsheet:
John Young | 22 Apr 18:24 2015

Shamir Reveals Sisyphus Algorithm

Adi Shamir at RSA Conference:

Fully secure systems don't exist now and won't exist in the future.

Cryptography won't be broken, it will be bypassed.

Futility of trying to eliminate every single vulnerability in a given 
piece of software.

OpenPGP in Python: Security evaluations?

Hi all,

For any developer willing to use OpenPGP in a Python-developed
application, currently the main choice is to go with python-gnupg, which is
a wrapper on top of the GnuPG binary.

That's architecturally a very bad choice, with plenty of constraints (for
example, you need to enable "/bin/sh" execution in the AppArmor sandboxing
profile of a Python application under Linux).

Currently there are only two pure-Python OpenPGP implementations:

* PGPy:

* OpenPGP-Python:

Both stacks rely on Python Cryptography for their cryptographic primitive
implementations.

We're considering switching away from GnuPG for the server-side PGP
processing and would like to ask the list for an opinion about those.

Is anyone working on metrics to evaluate the security of an
OpenPGP implementation, and/or has anyone already evaluated PGPy/OpenPGP-Python?


Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
=JeffH | 20 Apr 18:01 2015

stanford talk: Juan Garay: The Bitcoin Backbone Protocol: Analysis and Applications

this seems to be their associated paper..

Subject: Tuesday, April 21 -- Juan Garay: The Bitcoin Backbone Protocol: Analysis and Applications
From: David Wu <dwu4@...>
Date: Thu, 16 Apr 2015 18:56:43 -0700
To: security-seminar@...

   The Bitcoin Backbone Protocol: Analysis and Applications

                          Juan Garay

                   Tuesday, April 21, 2015
                        Talk at 4:15pm
                          Gates 498


Bitcoin is the first and most popular decentralized cryptocurrency to date.
In this work, we extract and analyze the core of the Bitcoin protocol,
which we term the Bitcoin "backbone," and prove two of its fundamental
properties which we call "common prefix" and "chain quality" in the static
setting where the number of players remains fixed. Our proofs hinge on
appropriate and novel assumptions on the "hashing power" of the
adversary relative to network synchronicity; we show our results to be
tight under high synchronization.

Next, we propose and analyze applications that can be built "on top" of the
backbone protocol, specifically focusing on Byzantine agreement (BA)
and on the notion of a public transaction ledger. Regarding BA, we observe
that Nakamoto's suggestion falls short of solving it, and present a simple
alternative which works assuming that the adversary's hashing power is
bounded by 1/3. The public transaction ledger captures the essence of
Bitcoin's operation as a cryptocurrency, in the sense that it guarantees the
liveness and persistence of committed transactions. Based on this notion
we describe and analyze the Bitcoin system as well as a more elaborate BA
protocol, proving them secure assuming high network synchronicity and that
the adversary's hashing power is strictly less than 1/2, while the
bound needed for security decreases as the network desynchronizes.

This is joint work with Aggelos Kiayias (U. of Athens) and Nikos Leonardos
(U. Paris Diderot -- Paris 7).
Ron Garret | 17 Apr 19:56 2015

Introducing SC4 -- feedback appreciated

TL;DR: I took tweet-NaCl-JS and wrapped a little PGP-like webapp around it.  I would like to solicit
feedback and code review from this community before I submit it for a formal audit and release it to the
general public.


Source code:

Live demo:

FAQ for experts:

FAQ for non-experts:

Note that the FAQ links are not secure.  This will be fixed eventually.  The production push process is a work-in-progress.

Unique features of SC4:

1.  It is a standalone web application.  The server only serves static files.  You can even run SC4 from a FILE:
URL, though this requires the keys to be embedded in the code.  SC4 includes code to automatically generate
a standalone version.  This is mainly intended to be a proof-of-concept, but it does work.

2.  It’s tiny, and therefore easy to audit.  It consists of three standard libraries (tweet-NaCl, jQuery,
and purify) plus <1000 lines of additional code, and that includes the HTML and CSS.

3.  It runs in FF, Chrome and Safari.  It might even run in IE but I haven’t tried it.

SC4 aims for a point in the design space that balances security against ease of use.  PGP is bullet-proof, but
not widely deployed because there is a lot of friction in getting it up and running.  SC4 aims to eliminate
this friction while remaining reasonably secure.  It is also based on open standards so that more secure
implementations can be easily produced in the future.  (Part of my long-term plan is to build an HSM dongle
using a Teensy 3 board.)

Feedback and constructive criticism much appreciated.  Also, I’m seeking someone to serve as a paid
consultant on this project.  If you’re interested please contact me off-line.  My SC4 key is:

X-sc4-content-type: public-key
From: ron@...
Timestamp: Fri, 17 Apr 2015 17:40:56 GMT
---END KEY---

Ron Garret