Why AES-GCM Sucks - Dhole Moments
If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implemen…| Dhole Moments
If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implemen…| Dhole Moments
Message franking enables cryptographically verifiable reporting of abusive content in end-to-end encrypted messaging. Grubbs, Lu, and Ristenpart recently formalized the needed underlying primitive, what they call compactly committing authenticated encryption (AE), and analyzed the security of a number of approaches. But all known secure schemes are still slow compared to the fastest standard AE schemes. For this reason Facebook Messenger uses AES-GCM for franking of attachments such as images...| IACR Cryptology ePrint Archive
By now, many people have run across the Invisible Salamander paper about the interesting property of AES-GCM, that allows an attacker to construct a ciphertext that will decrypt with a valid tag un…| Key Material
Short URL: https://www.nist.gov/pqcrypto For a plain-language introduction to post-quantum cryptography, go to: What Is Post-Quantum Cryptography? The initial public draft of NIST SP 800-227, Recommendations for Key-Encapsulation Mechanisms, is now...| csrc.nist.gov
This document describes the "X3DH" (or "Extended Triple Diffie-Hellman") key agreement protocol.| Signal Messenger
The phenomenon of unsolicited and unwanted messaging dates back to the earliest communication platforms: from prehistoric cave graffiti and postal chain letters to popup ads and robocalls. To prevent spam, most online services rely on large-scale inspection of plaintext conversation content or de...| Signal Messenger
