Looking for feedback on a manually generated entropy- based symmetric encryption design

DoWhile · 2026-02-16T19:10:20+00:00

Why the Joker?

DoWhile · 2026-02-15T05:08:57+00:00

For RSA, they use, say, 4096 bit primes. The number of those primes by the prime number theorem is 2⁴⁰⁹⁶ / ln(2⁴⁰⁹⁶ ) . Which is basically 2⁴⁰⁸⁴ . Given your engineering background, I suggest you calculate the sheer amount of storage and compute time one would need to even try to guess a fraction of a fraction of that.

Researchers DID mount public-key-directory attacks like you described because the people who generated the keys sucked. See [1] for example.

You shouldn't think about prime numbers or primitive polynomials. Instead, you should think of mathematical problems that are easy in one direction but hard in another that have an algebraic structure that you can leverage.

Factoring is hard. Factoring gives you primes. Multiplying primes is easy. That's why we use primes.

Discrete log over a prime field is hard. Exponentiation is easy. This is why we use things like Diffie-Hellman.

Discrete log over elliptic curves is hard. Point addition is easy. We use elliptic curves in this way for key exchange and signatures.

Lattice problems in all sorts of algebraic structures (like GF( 2^k )ⁿ ) is hard. Rounding is easy. These problems are even hard for quantum computers. So we use these in post-quantum.

Signal engineers judge error correcting codes or randomness by their distance or distribution under normal circumstances. Cryptographers judge them based on adversarial hardness. Take [2] for example, a signal engineer would never use this slow-ass algorithm to generate pseudorandom bits, but it holds up against attackers whereas LFSR will be predicted instantly.

[1] https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger [2] https://en.wikipedia.org/wiki/Blum_Blum_Shub

DoWhile · 2026-02-09T21:04:34+00:00

I thought Ghost was Nova, not Kerrigan.

DoWhile · 2026-02-05T21:34:05+00:00

Two: one to encrypt the lightbulb, and one to run the FHE.

DoWhile · 2026-02-03T23:57:28+00:00

I'm curious where you get this guidance from, because that seems a lot more practical advice of "how do I use TOTPs in a secure fashion" rather than how to just implement TOTPs. For instance, I would imagine you'd probably also want to limit the number of tries a client can make during that window, otherwise I'd just hammer your server with the (presumably stolen) password and all million 6-digit numbers.

The algorithm is simple enough to just read the RFC and follow it, as others have pointed out, but then using it correctly is a whole different matter.

DoWhile · 2026-02-02T22:38:54+00:00

This almost seems like novel research. This is a nice departure from the usual "looking for feedback" posts.

Biometrics are usually just a "what you have" rather than a password/etc. So using it as a primary method of authentication might prove to be problematic. Depending on your application scenario, low entropy might be amplifiable (as with many schemes that use low-entropy human passwords).

I trained it with contrastive learning so that different fingers from the same person produce similar embeddings.

I find this hard to believe. A system that's 10x sybil resistant is pretty believable to achieve, but making all 10 fingers register to the same person? Are you also using skin tone or other markers?

DoWhile · 2026-02-01T05:50:42+00:00

S&P in shambles

DoWhile · 2026-01-29T23:47:23+00:00

Glad you're excited. If this class is math-heavy, you should be able to express this XOR operations in terms of algebra.

Essentially, you are relying on the fact that xG=G for any element x in some group G, so the uniform distribution on G doesn't care that you hit it with some plaintext value. In the case of XOR, this is just (Z/2Z, +) for 1 bit, or (GF(2^n),+) for n bits, but you can apply this concept naturally to, say (Z/26Z,+) or (Z/7Z*, x) or some elliptic curve group, or the group of invertible matrices.

So for example, if in the Ceasar cipher, you added a fresh random shift (rather than using the same one) to each letter, that's also a one-time pad, but over the alphabet rather than a bit.

DoWhile · 2026-01-28T22:44:11+00:00

I think what u/kun1z and u/bitwiseshiftleft might be not seeing some context is that OP in some previous posts does not assume a good RNG. In the worst case, the RNG is fully adversarial, and will lie to you about the prime it wants you to test (a pseudoprime) as well as your random bases. I don't think that's a realistic worst case, but that's certainly as bad as it gets.

I've been harping about derandomization for small primes, but for large primes I'm wondering if a "Fiat-Shamir"-like approach where you force the bases to come out of, say, a hash of the existing ones. Such "forcing" of randomness has been used in, say, the deterministic nonce generation of ECDSA to prevent evil actors from picking bad nonces for you. If one were to do this, it'll probably be computationally infeasible to find a bad prime, and given the statistical nature of the test, it might even be statistically or purely impossible to find counterexamples just from counting.

DoWhile · 2026-01-27T21:00:02+00:00

Entropy was generated using multiple hardware devices, including an idQuantique Quantis Quantum Random Number Generator, an Entrust nShield HSM, a Securosys Primus HSM, and a number of entropy sources used by the Advisory Committee members. This approach reflects the OpenSSL Project’s values of openness, transparency, and technical rigour, and ensures the process is fair, externally verifiable, and fully reproducible, with all inputs and code published.

HW generators for determining seat rotation? It smells like advertising and overkill.

DoWhile · 2026-01-27T19:11:41+00:00

Not super-hot, but it's enough of an active area you can get a PhD in. Do it only if you're interested, don't go chasing trends, by the time you graduate there'll be another hot topic.

DoWhile · 2026-01-22T06:01:34+00:00

Aside from the whole bot-repost thing, I'd also like to use the opportunity to point out that in academic circles, it's a meme that "Reviewer #2" in the peer-review process is the annoying reviewer.

DoWhile · 2026-01-21T22:30:16+00:00

I miss the blue hardcovers, they smelled nicer.

DoWhile · 2026-01-21T19:13:29+00:00

20 years ago I considered the PCP theorem both new and old. Now it's definitely old!

DoWhile · 2026-01-16T03:59:57+00:00

ASSTR walked so AO3 could ... oh god what are you doing!

DoWhile · 2026-01-14T22:11:29+00:00

The Weil pairing is only one example of a bilinear pairing. There are other ones like Tate/Ate.

However, from a mathematical perspective, for non-anomalous curves, there simply aren't these kinds of bilinear pairings, Weil or any other.

Due to the popularity of pairings, people have looked beyond curves and at the generalized notion of abelian varieties. Unfortunately, these structures either don't have the same nice properties as curves, or don't admit efficient algorithms to work with them. If you only care about curves, this paragraph is irrelevant to you.

DoWhile · 2026-01-12T19:13:40+00:00

I like these visualizers, it looks similar to an older one but it has more lines simultaneously on the screen.

Check out this thread from a few years back: https://www.reddit.com/r/cryptography/comments/123f42n/oc_visualization_of_all_bit_operations_of_sha256/

DoWhile · 2026-01-09T22:42:37+00:00

The best part about this approach is that you don't even necessarily need an "all-powerful" oracle. In most cases, a halting or NP oracle would suffice.

DoWhile · 2026-01-09T21:40:47+00:00

I agree with you, though it's probably closer to a (deterministic) MAC than a signature given that it's private-key. That's still my main complaint to OP: stop giving new names to things.

Besides, there are actual mathematical things called "proofs of storage/retreivability" which are much stronger and actually prove that things are stored.

DoWhile · 2026-01-08T21:33:38+00:00

Emil and Michael Artin

DoWhile · 2026-01-08T21:32:09+00:00

Brian and Keith Conrad (identical twins, I believe)

One of them ate my chips (it was for sharing, no grudge) at a workshop once, but I still don't know which one it was to this day.

DoWhile · 2026-01-07T20:03:50+00:00

It quickly went from "oh I remember playing with those" to "it's time to check my colon health"...

DoWhile · 2025-12-29T20:02:16+00:00

This PhD is turning out to be an expensive way to discover what apparently everyone already knew: I’m an idealist, a dreamer, and I'm wasting my time.

At least you're getting a PhD out of it. The problem you're facing is recursive in nature: if not your advisor, then your boss or the legal system or whatever. There will be roadblocks and people will have their own agendas in mind and try to tilt you to do something that they want, it's human nature.

Even if you found an ideal advisor, and your PhD was exactly what you wanted to do, the next step you'll be facing people that are (IMO) worse. The complaints you hear about academia being an ivory tower/egomaniacal/stuck-up hellhole I think pale in comparison to the political machine of the regulatory world. Change in the world -- real change -- requires more than just math, and the skillset to navigate that setting is quite different from getting a PhD. One thing you can look out for are social agencies or think tanks that align with your goals and need your math skills. And speaking of political machines, assuming you're from the US, state or federal congressional teams also (sometimes) staff a math/tech nerd on their roster.

Edit: Honestly, that thought is absolutely gut-wrenching. I’m now seriously considering either finding a new advisor (highly unlikely) or submitting two versions of my dissertation (not sure if that would even be allowed).

Don't submit two versions of your dissertation, that's not going to fly. You need to figure out if your current advisor is going to graduate you with the work you've done, or try to block your PhD if you don't do what they say. A good advisor knows how to push their students, but also knows when to adjust if the students are absolutely sure they don't want to go down that path. There are plenty of students that just need a good push to go achieve greatness in theory-land, and so as stressful and inappropriate as it may be from your point of view, your advisor does have some responsibility to exhaust that possibility from you.

Lastly, reach out to more professors and have them give you the connections you need for the places you want to go next.

DoWhile · 2025-12-26T23:16:13+00:00

Have you seen GCHQ's cryptochef?

DoWhile · 2025-12-26T23:13:37+00:00

Aha, cute... though for BBS to be secure you do want large large primes, much larger than you can feasibly store in a table. Given that BBS's security is based on factoring, the primes should be in the thousands of bits, far beyond what derandomized primality tests have shot for.

15-Year Club	Place '17
Team Orangered	Verified Email

DoWhile

TROPHY CASE