A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn’t new—many dozens of papers have been published about it since 1986. What this new result does is extend this known problem to slightly less weird (but still highly contrived) situations. But it’s a completely different matter to extend these sorts of attacks to “natural” situations...

If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intelligence (AI) systems and artificial intelligent agents, integrity will be paramount. What is data integrity? It’s ensuring that no one can modify data—that’s the security angle—but it’s much more than that. It encompasses accuracy, completeness, and quality of data—all over both time and space. It’s preventing accidental data loss; the “undo” button is a primitive integrity measure. It’s also making sure that data is accurate when it’s collected—that it comes from a trustworthy source, that nothing important is missing, and that it doesn’t change as it moves from format to format. The ability to restart your computer is another integrity measure...

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations. > To mitigate that risk, I have developed this simple solution where you can > setup a unique time-based one-time passcode (TOTP) between any pair of > persons. > > This is how it works: > > 1. Two people, Person A and Person B, sit in front of the same computer and > open this page; > 2. They input their respective names (e.g. Alice and Bob) onto the same page, > and click “Generate”; > 3. The page will generate two TOTP QR codes, one for Alice and one for Bob; > ...

Interesting analysis: An Internet Voting System Fatally Flawed in Creative New Ways. > Abstract: The recently published “MERGE” protocol is designed to be used in > the prototype CAC-vote system. The voting kiosk and protocol transmit votes > over the internet and then transmit voter-verifiable paper ballots through the > mail. In the MERGE protocol, the votes transmitted over the internet are used > to tabulate the results and determine the winners, but audits and recounts use > the paper ballots that arrive in time. The enunciated motivation for the > protocol is to allow (electronic) votes from overseas military voters to be > included in preliminary results before a (paper) ballot is received from the > voter. MERGE contains interesting ideas that are not inherently unsound; but > to make the system trustworthy—to apply the MERGE protocol—would require major > changes to the laws, practices, and technical and logistical abilities of U.S. > election jurisdictions. The gap between theory and practice is large and > unbridgeable for the foreseeable future. Promoters of this research project at > DARPA, the agency that sponsored the research, should acknowledge that MERGE > is internet voting (election results rely on votes transmitted over the > internet except in the event of a full hand count) and refrain from claiming > that it could be a component of trustworthy elections without sweeping changes > to election law and election administration throughout the U.S...