Paul Miller
@paulmillr
Followers
5,019
Following
82
Media
33
Statuses
2,518
🔑 Security, open-source software, austrian school. Noble cryptography🦇🔊
Joined August 2009
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
PAVILLON DES FOLIES X SAROCHA
• 942062 Tweets
توتنهام
• 417294 Tweets
ANILPIN LOVE ON THE BEACH
• 282006 Tweets
Daniel
• 157417 Tweets
SPILL THE FEELS TRACK SAMPLER
• 93401 Tweets
呪術廻戦
• 75803 Tweets
Manchester United
• 66731 Tweets
イッテQ
• 57667 Tweets
Tottenham
• 56870 Tweets
#プロセカ4周年
• 51793 Tweets
John Kerry
• 51090 Tweets
WELCOME TO GOLD ERA
• 44071 Tweets
Spurs
• 41676 Tweets
手越イッテ
• 40097 Tweets
手越復活
• 37092 Tweets
呪術完結
• 28796 Tweets
手越くん
• 27704 Tweets
#MUNTOT
• 25841 Tweets
芥見先生
• 23756 Tweets
Rashford
• 22673 Tweets
#EIGHTJAM
• 19503 Tweets
ツイステ
• 19322 Tweets
衆議院解散
• 15503 Tweets
Ipswich
• 15485 Tweets
Pogacar
• 15405 Tweets
呪術最終回
• 12413 Tweets
#乃木坂工事中
• 11517 Tweets
ぐらんぶる2期
• 11296 Tweets
#呪術本誌
• 10861 Tweets
Van de Ven
• 10128 Tweets
Pinned Tweet
2023 progress on JS cryptography:
- noble-hashes: 400K => 1.7M downloads per week
- noble-curves: ~0 => 0.9M, got 2 audits
- noble-ciphers: 0 => 25K
- Finally adopted by
@ProtonMail
, MetаMасk,
@rainbowdotme
,
@Rabby_io
, ethers, web3.js, viem
Takes time, but we’re getting there.
13
11
140
Twitter launched encrypted* DMs for verified accounts.
* No sync
* No group chats
* No attachments
* No timers
* Vulnerable to MITM
* No reporting (msg franking)
* No Forward Secrecy
* No Key Transparency
* Private keys are NOT erased after web logout
59
292
1K
Just took a look at
@solana
’s official web3.js library.
Installing it downloads 723 dependencies packed in 202MB from NPM. It then creates 310MB directory with 17682 files.
Almost all deps have unbound version ranges. Any dep update could bring trojans to your SOL apps.
58
106
745
Announcing noble-curves: the culmination of work on elliptic curve cryptography.
Pkg defines ed25519, ed448, secp256k1, P384, P521, bls12-381, bn254, pasta, stark curves.
Edwards, Weierstrass, Montgomery primitives, hash2curve & pairings are also in.
20
110
627
Proud to release ethereum-cryptography 1.0 funded by
@ethereum
foundation.
The new audited libraries behind it will empower all kinds of projects in the space.
127
179
522
It’s impossible to run ETH node over TOR.
Even worse: no plans for it.
This drastically reduces anonymity & censorship resistance of staking. You either get a KYC-ed hosted server, or homestake — which in most cases is also KYC-ed to yourself. VPNs are not of any help.
29
57
365
This is your regular reminder that “secret chats” in telegram rely on server-provided prime numbers (messages.getDhConfig).
The server could send “bad” prime numbers to clients and decrypt conversations later.
Section 1.2.1 of tel-03245433
This is your regular reminder that most communications on Telegram are not end-to-end encrypted. Channels and groups are never end-to-end encrypted and 1-on-1 messages are only end-to-end when explicitly enabled.
33
447
1K
13
79
233
How important are supply chain attacks? Extremely.
@ethereum
foundation agrees, so they’ve funded the development of fast & secure cryptographic JS library that implements hashing and KDFs.
Happy to release it! The first version is out:
8
27
184
4KB cryptography. Does that sound safe? Because it should.
Announcing v2 of single-feature modules noble secp256k1 and noble ed25519. secp is just 430 lines of code (4KB gzipped), ed is only 330 lines (3.3KB gzipped) — 4x smaller than previous versions.
5
28
157
@elonmusk
@KanekoaTheGreat
I speak russian. Never got a wrong treatment. Unaware of anyone else who got.
Please stop spreading nonsense.
1
1
132
@haydenzadams
@Uniswap
Your security sucks.
The audit report of
@Uniswap
Wallet clearly says: No dependency audit has been done, on page 11.
You’re using 1387 dependencies which consume 1.08GB of space. Malware could basically be anywhere in your deps: rewriting globals etc.
Impossible to audit.
4
15
123
@JoeNakamoto
Fake news.
Unhosted to unhosted is still legal.
Unhosted to hosted will require kyc.
7
2
114
The new ETH client is live.
All historical transactions (aka “archive node”) fit in just 2.3TB. Full node is 1.2TB. Syncing from genesis takes 50 hours.
This means anybody could run RPC on a cheap pc, like orange pi. No need to pay for 3rd party RPCs, which track users.
🚨 Releasing Reth 1.0 🚨
After almost two years of development and a successful audit by Sigma Prime, we are finally releasing Reth 1.0, the first “prod-ready” release of our blazing-fast Ethereum execution client. We invite RPC providers and stakers to run Reth.
More below.
84
240
1K
4
10
110
Great comparison of frameworks on top of Backbone.js by
@molily
(Marionette, Thorax & Chaplin):
http://t.co/G7dxalwW.
1
43
111
micro-eth-signer, the smallest JS library for Ethereum transactions now supports London and Berlin (EIP 1559, EIP 2930). It has also been validated through >3MB of ethers.js test vectors (kudos to
@ricmoo
). Check it out, it's less than 500 lines of code:
2
9
89
Elliptic curve calculator just got a new big update:
1. Select a curve, including NIST, ed448, BLS
2. Create custom curves
3. Add and multiply points
4. Sign messages with different hashes
The demo works offline. It’s great for learning! Check it out:
0
15
85
Signal is cool, but do you know what is cooler? Chatting on decentralized social network.
We’ve implemented and audited secure direct messaging for nostr.
Thanks to Jonathan Staab,
@OpenSats
, Cure53,
@matthew_d_green
and others.
,
6
14
80
Thanks to Apple’s new iOS 14.3, the App Store now displays privacy labels next to each app.
Here’s Facebook. The amount of data they collect is mind-blowing.
5
36
76
Signal is upgrading all conversations to a combination of X25519 and CRYSTALS-Kyber.
Probably the first large-scale deployment of Kyber.
Announcing PQXDH! The first step in post-quantum resistance for the Signal Protocol, PQXDH protects your Signal calls & chats from potential future threats of breakthroughs in quantum computing. And it's already rolling out to Signal clients everywhere.
68
796
3K
1
7
68
We've just released ethereum-cryptography
@next
. It's the official package for js cryptographic primitives that are common for ETH apps. The new version is 15 times smaller and uses 3 dependencies instead of 38.
Waiting for security audit now!
2
9
64
That feeling when the new trendy editor by Microsoft
@code
uses your NPM packages.
http://t.co/wEkfT3m1Uh
4
19
62
noble-curves got audited by
@trailofbits
. The JS library for elliptic curve cryptography is production-ready now.
The audit has been funded by Ryan Shea. Check out the report at
6
13
59
This is one of the best cryptography libraries:
- ~High level language (nim)
- Tons of useful docs and comments. Check out repository issues!
- All kinds of algorithms. ECC, pairings, r1cs, you name it
- Solid for educating newcomers
Great job
@m_ratsim
Releasing Constantine v0.1.0, the fastest backend for Ethereum cryptography.
BLS signatures, EVM crypto-precompiles, KZG polynomial commitments for blobs (EIP-4844). All accelerated, with multithreading support. And the fastest MSM for elliptic curves.
7
26
171
2
7
57
Announcing noble-ciphers: tiny 0-dependency cryptographic library, implementing
Salsa20, ChaCha, Poly1305, AES-SIV and others.
Bonus: a reasonable wrapper around native WebCrypto's AES.
Check out its README for some insights:
4
6
54
Closed-source nature of SOL software contributes a lot to its fragility.
I’ve just checked Phantom: it still uses elliptic.js as ed25519 backend, which has scalar multiplication bugs etc. There are a bunch of files that play media from FB/YT/Spotify etc. Does not look great.
Tried to investigate the Solana wallet key theft issue but are all the wallets closed source? Seriously?
11
19
140
3
11
52
BitcoinJS used math.random instead of webcrypto’s getRandomValues 9 years ago, when the secure API was rare.
As a result, mnemonics generated with it could be bruteforced.
Unfortunate, but could still happen any time today with webcrypto: browsers had bugs that made it weak.
Earlier this week,
@UncipheredLLC
disclosed that BitcoinJS, the most widely used JavaScript library for bitcoin wallets, relied on weak randomness until 2014. This issue puts millions of wallets at risk. Here’s what we know:
6
28
125
1
10
54
micro-eth-signer 0.9 is out.
No more block explorers: the release adds ability to fetch full account history and token balances using an archive node, such as
@ErigonEth
.
It also implements SSZ in just 900 lines: nearest library is 8x larger.
2
5
52
@thekitze
Guess which countries have open, public corporate registries?
Most of them. That includes U.S. states.
1
0
49
Happy to release micro-eth-signer. Fully functional library that works with Ethereum transactions & addresses in just 5KB (+26KB of deps). For comparison, web3js is 1.3MB. Berlin support coming soon!
1
6
47
Avalanche switched to noble and got 10x smaller. Good stuff.
The focus on minimal dependencies paid off tremendously. The bundle size of v4 is 10x smaller than the bundle size of v3:
Minified: 1.1MB -> 129.7 kB
Minified + Gzipped: 337 kB -> 38.3 kB
2
1
19
0
4
50
noble-ciphers v0.4 is out. Now with the fastest available pure JS implementation of AES.
The update is a big deal for platforms such as React Native, which don’t have native WebCrypto AES.
2
11
48
JS built-in fetch() is great, however, it’s hard to use in secure environments.
Releasing micro-ftch: wrappers over fetch() providing network killswitch, logging, timeouts, concurrency limits, basic auth, batched json-rpc and replays / mocks.
1
3
50
#btc
halving is imminent and there is still no reliable ordinals library in JS.
Releasing micro-ordinals. Built on top of audited btc-signer, it exposes simplistic typescript API for ord. And, as a bonus, CLI utility for uploading files as inscriptions
8
4
48
Using a hardware wallet, just like using any piece of software, ultimately comes down to trust.
Suppose your device is 100% offline. I’m talking about no wifi/bluetooth/usb kind of deal. Like, you’re passing messages to it by manually typing them down.
If it is using shitty
5
7
42
New noble cryptography releases are out:
- NPM provenance is now used for transparent builds, to strengthen supply chain security [1]
- ed25519 and ed448 now provide non-repudiation (Strongly Binding Signatures). The feature is not present in most other libraries [2]
- tweetnacl
2
6
46
Mozilla Developer Network (MDN) documentation erroneously said that JS “BigInts are unsuitable for cryptography”. Many people read it and pointed out the noble stuff is unsafe.
Helped Mozilla folks to update the page. Now it looks like this
2
8
37
Starting from today, unauthorized users can no longer view anything on Twitter. This is unfortunate.
Know what could save us from suffering? Digital signatures. See below why👇
Releasing an open-source, privacy-focused nostr web client
http://nostr.spa
()
3
6
43
micro-eth-signer 0.8 with support for dencun EIP4844 “blob-carrying” transactions is out.
- Alternative to ethers and viem when you only need basics
- New 100-line RLP parser
- Very friendly debugging experience
- Tested against 150MB of vectors
2
6
43
Any transaction including staking activity must be sent through some node. If you host a node by yourself, an attacker could easily tie all outgoing transactions to your server. Which is most likely KYC-ed. Easy way to identify all node hosters and stakers on Ethereum.
3
1
39
Ethereum ABI parsers are vulnerable to DoS.
It’s also possible to inject information in transactions, hidden from parsers. This allows tracking users across different wallets and even stealing private data.
Details in a new article.
5
3
42
Signal is not fully end-to-end encrypted.
Contacts are stored server-side. They say it’s protected by SGX, but SGX has been broken many times. It is deprecated on desktop CPUs.
There is no need to store contacts in the cloud.
Signal's also end to end encrypted!
AND unlike WhatsApp we don't collect intimate metadata like profile info, who's talking to whom, who's in a group.
Signal's also a nonprofit, not owned by big tech = we're not one bad earnings report away from killing privacy for profit.
89
527
2K
5
7
39
Someone published NPM fork of noble-curves that sent private keys to a server in China. Be careful and check for typos
2
9
32
Yesterday was 2 hours of sleep and 18 hours of driving. Trying to stay safe. 🇺🇦
4
0
38
@pedrouid
- Supply chain security: no dependencies, or minimal dependency on a package from 1 author. If you use something like elliptic, you're exposing yourself to rogue dep updates
- JS, not WASM: js can be audited easily, wasm cannot. You may be executing malware when using wasm lib
1
2
37
After noble-curves are audited, what could happen to old libraries?
Experimenting with noble-secp256k1 right now: made it 4x smaller (1697 => 424 lines) and added comments everywhere. This could serve as a solid foundation for education of newcomers.
2
3
37
Currently, telegram has access to all user messages - with exception of secret chats. The messages are stored in their cloud.
Why are they refusing to add encryption by default?
E2EE backups have been solved. Multi-device has been solved. There are no more excuses.
Seems like we’re getting a major push for activists to switch from Signal to Telegram, which has no encryption by default and a pretty shady history of refusing to add it. Seems like a great idea, hope folks jump all over that.
63
297
1K
4
2
36
Announcing noble-post-quantum: minimal JS implementation of ML-KEM, ML-DSA and SLH-DSA.
Also known as Kyber, Dilithium & SPHINCS+. Only 2000 lines of code - great learning resource for anyone who’s messing with PQ stuff. Check out README for comparison.
3
6
34
@DawsonBotsford
ETH often (not always) uses UDP, TOR doesn’t support UDP. However, main reason is lack of interest from protocol developers. Sharding is in the focus, instead of censorship resistance.
4
5
33
Last month, we've collaborated with
@starknet
and released a new addition to "scure" family of audited libraries. The audit was done by Kudelski security.
The package includes stark curve and poseidon / pedersen hashes. Check it out:
1
7
31
The update is live now. Go get your short usernames.
Signal is introducing User IDs so you won’t have to hand out your phone number.
13
61
275
4
11
31
@debarghya_das
Congratulations.
Based on these timelines, the immigration system clearly doesn’t want extraordinary immigrants like yourself. 12-18 years to get a permanent residence is a bad joke.
1
1
27
For anyone missed the story, here’s my new post: The story of Telegram or “Why you shouldn’t listen to Hacker News”
http://t.co/uGK0PjMZMO
9
33
29
Chokidar, an open-source file watcher for Node - just hit 5,000 stars on GitHub.
It's one of the most popular NPM pkgs: ~10 million downloads over the last week, 350M in 2018. That's 1.7x more than React.
Crazy, how it got to this level without marketing
3
4
30
@ekryski
@aeyakovenko
@sintaxi
@solana
Check out micro-sol-signer i’ve released last month. 600 lines of code, or 3000 with all deps bundled. Works great.
4
4
26
Human Rights Foundation
@hrf
awarded us some money for improving security of nostr chats.
Looks like we’ll be having an audit of noble-ciphers and remaining parts of curves later in the summer!
4
3
27
New ESM-only package manager looks cool.
Just published 4kb noble/secp256k1 and noble/ed25519 there. Npm, deno and bun are all supported.
2
1
28
Releasing new package: micro-rsa-dsa-dh
Minimal implementation of older cryptography algorithms. Elliptic curves have gained adoption these days, however, classical algos are still needed sometimes.
As usual, the code is simple and good for education.
1
3
28
Fun fact: elliptic, the most popular secp256k1 lib for node & browsers is unmaintained and recently had terrible private key leak (CVE-2020-28498). All sorts of important projects keep using it!
Do the right thing and switch your stuff to noble. It is audited and the fastest one
@JulianHille
@ChristianHeimes
@okoeroo
I would avoid using elliptic. It's unmaintained and there appear to be other issues with it too. For secp256k1 I recommend by
@paulmillr
it's maintained & audited
1
0
2
1
7
26
@mer__edith
This was a wake up call about slow iteration speed. Signal Desktop has long been mediocre.
It still requires running phone app to sync messages. Even whatsapp removed this requirement.
Macos utilizes SIP to protect sensitive files. It works great. It should be used.
2
1
26
Another security researcher had his devices confiscated at U.S. border.
There are many stories like that. For example, this happened to
@moxie
(Signal founder) back in 2010.
My phone and laptop were searched for 3 hours by US CBP at a land border crossing. I tried to refuse and return to Canada but I was not allowed to. If anyone has any advice on forensic analysis I can do to my own device to see what they did I would be grateful for it.
58
62
361
3
4
25
noble-secp256k1 ECC library for JS just got an audit from
@cure53berlin
No critical vulnerabilities, one high (boolean allowed as private key), two medium-severity. Already fixed all of 'em. You can use it in your mission-critical projects.
The report:
3
4
25
It takes a long time to upgrade the whole JS ecosystem, but we’re getting there. Since 2019:
- secp is now installed 550K times per week and used in 85K github repos
- for ed it’s 282K installs per week and 21K github repos
A lot of important projects have switched.
1
1
23
Telegram states in their privacy policy (§8.3) they’ve never given out any data. Der Spiegel tells a different story
Privacy policy mentions all data requests would be published at , which is also false: the reports are empty
4
4
21
Six years ago, we've proposed JS promises to conform to Monad interface. It was easy to accomplish back then; the specification was not finalized yet.
Promise spec authors aggressively dismissed the idea — mostly because they didn't understand Monads.
1
1
23
@bantg
Lido bad because 40B$ contract must not be upgradeable. There are 100 different sub-contracts. Some of them are randomly upgradeable without aragon. Security is opaque.
But keep promoting your bags ofc.
2
3
22
@FireWithCrypto
@elonmusk
He plans on having Forward Secrecy disabled even in the future.
Which is really a huge deal and makes dms inferior to whatsapp and signal.
1
0
21
Safari 6 web inspector was terrible. 6 months of iterations and it’s usable & shiny. Evolution shots & log:
@xeenon
3
29
22
@mer__edith
Telegram secret chats are using parameters, provided by their server.
The parameters could make a secret chat readable, when needed.
This is your regular reminder that “secret chats” in telegram rely on server-provided prime numbers (messages.getDhConfig).
The server could send “bad” prime numbers to clients and decrypt conversations later.
Section 1.2.1 of tel-03245433
13
79
233
0
3
22
Telegram’s reply to post on “bad prime numbers” is wrong.
1. Specially created primes are vulnerable to SNFS, which breaks DL much faster. There is no test against those
2. 30 Miller Rabin iterations for primeness check is too low. See FIPS 186-5
Proof
@paulmillr
This is FALSE. Clients always check the prime numbers. Read the 🙄 manual: (and anyone can check the code to confirm this 🤷♂️)
23
1
27
2
3
22
New blog post: Learning fast elliptic-curve cryptography in JS
0
9
21
Having fun in Ukraine. Don’t believe all the lies the western media/governments are spreading.
4
0
20
Keeping your dependencies small is very important.
New post: Chokidar 3: How to save 32TB of traffic every week with one NPM package
Check it on Hacker News:
1
8
21
Hardware wallets are mostly proprietary nonsense. We need a better solution. How about a reputable software wallet running on an offline machine? To reduce attack surface, no bluetooth/wifi/usb: all data is transferred via QR codes.
nightmare intensifies…
imagine if your hw wallet last firmware update integrate ofac checks and you cannot sign or even worse, recover your overfitted wallet
where’s the boundary? (and open source hw wallets)
🫠
4
6
38
10
0
20
It would be great to use IPFS to host websites and blogs, but it’s too annoying to self-host IPFS node.
Ideally something like github pages, free for small / oss projects.
Is there anything like that?
17
0
19
We've been working on a group of extremely auditable cryptographic libraries for JS (node & browsers). Each lib is self-contained in one file, has NO deps & can be read by non-cryptographer.
Glad to release first 3 projects: ed25519, secp256k1 & ripemd160
2
4
19
Ledger libraries have been compromised. All dapps and wallets who’ve integrated them are at-risk.
To prevent similar issues: stop using 3rd party CDN, self-host everything. Use script element’s “integrity” property and Content Security Policy to prohibit third party scripts.
My understanding of the ledger situation:
- connect-kit v1.1.8 is the fix, supposed to be safe.
- connect-kit v1.1.7 is verified to be compromised, seen in most tweets, and contains the drainer code itself. Published a few hours ago.
- connect-kit v1.1.6 is pulling in remote
20
69
270
0
4
18
noble-ed25519 getting popular these days: projects like libp2p.js started using it. Some updates:
1.
@cure53berlin
just finished its audit. No vulnerabilities have been found, which is outstanding
2. ZIP-215 support, makes it consensus-friendly
3. X25519
0
6
18
3 months have passed since the war began.
I’m glad to be alive & to get back into developing OSS & cryptography. Some exciting stuff coming up soon.
1
0
19
Why functional programming matters (aka MapReduce for humans) . Examples taken from talk of
@deanwampler
.
0
15
19
MLS is a new open protocol for e2e encrypted group messaging. Think of it as Signal ratchet v2023, or OTR.
Did you know Signal group chats are basically a bunch of 1-to-1 messages? Not very efficient. The new protocol has just received the RFC number and will improve on that.
The Messaging Layer Security (MLS) protocol has been published as RFC 9420 today! It is the first standardized and fully specified end-to-end encryption protocol.
Check out our blog for a high-level overview, practical applications, and why it matters.
2
32
56
1
3
18
@levelsio
@dexterleng
Secret chats are backdoorable due to their architecture (server sent prime numbers).
Privacy policy and transparency reports are lying about not giving any data to govs as we can see per court orders.
Tell me more about honesty.
0
0
18
Farcaster is building a decentralized social network. Anyone could run a p2p hub. Important data is stored on the blockchain.
Thanks to their support, we would be able to engage another auditor soon.
Warpcast is giving out grants to all the teams building open source software in the Farcaster ecosystem.
Thank you for making it easier for others to build on Farcaster!
6
10
83
0
0
18
4 developers / 1 platform. 1B downloads. $19B valuation. Whatsapp shows us how the work should be done. Minimum people, maximum focus.
1
16
18
Is base58 quadratic? What's KangarooTwelve? When 64-bit integers in JS? And other fun details behind the project:
Kudos to
@alcuadrado
,
@zfran
,
@NomicLabs
and
@EF_ESP
for helping with the project!
2
1
16
@junderwood4649
They create separate encrypted conversations for now, won’t affect past ones. Which is of course also not great.
1
0
15
Releasing micro-web3:
- Tiny (1600LOC w deps) web3.js replacement: call eth contracts directly from JS
- Connect to any web3 node
- Decode transactions: create readable tx descriptions from tx data & ABIs
- No network code in main package, usable offline
0
5
16
Was happy to collaborate with 3 teams last month:
-
@Ryaneshea
on micro-btc-signer, a minimal Bitcoin js library that supports Schnorr, Taproot, PSBT
-
@Kin_ecosystem
on micro-ed25519-hdkey, a SLIP0010-compliant library
-
@ProtocolLabs
on noble-bls12-381 hashToCurve improvements
1
5
15
Plans for 2024:
- More audits & open-source stuff
- Post-quantum cryptography
- Make Ubuntu noble by releasing 24.04 noble numbat
0
0
16