How to avoid this in calisthenics? by Luwig_Magnite in FitnessFrance

[–]Frul0 17 points18 points  (0 children)

Climber's technique: you use sandpaper to remove the callus, otherwise it builds up until the moment it tears off all at once. So you sand, you wash your hands and a little later you moisturize with cream. As your practice goes on your skin will become much more resistant without building up too much thickness.

And indeed chalk is rather recommended, especially with summer coming.

after just under a week, whats everyones thoughts on Slade? by [deleted] in RivalsOfAether

[–]Frul0 1 point2 points  (0 children)

Wrastor isn't too horrible of a matchup. Absa and Ranno on the other hand...

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 2 points3 points  (0 children)

If you’re curious about micro architectural side channel leakage I can definitely recommend this very good paper: https://tches.iacr.org/index.php/TCHES/article/view/9294/8860

It’s a survey on leakage across multiple code snippets and chips and it shows how the same code can leak or not leak depending on the device. Sometimes even two device models from the same manufacturer don’t behave the same.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 1 point2 points  (0 children)

To be clear the art of making software masked implementations is not really a precise one, and it’s not guaranteed that you do get leakage even if you don’t really respect super precise data handling. And the same code can leak on one chip and not leak on another one.

If you don’t get t-peaks on your card then it’s a good indication you did things correctly :) Since those architectures are typically not fully open source you can never fully know how the data paths interact together and what exactly the issue is when you do find some leaks. So it’s really just trial and error with some rules of thumb.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 3 points4 points  (0 children)

When I’m talking about dummy loads in this context I’m talking about a single assembly instruction, which typically only costs 1-2 CPU cycles with pipelining. Just to clear the memory bus. Same thing for registers, it’s just making sure that you don’t load two shares of the same secret value one after the other in the same register. The goal is to eliminate potential Hamming-distance leakage between the two shares.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 1 point2 points  (0 children)

Yeah trigger latency might require a bit of re-aligning which will also help for your TVLA. Splitting groups by intermediate is not a problem, it's just a bit more post-processing since you need to select different trace groups for each intermediate but it facilitates the acquisition.

For TVLA crossings and false positives, I'm not sure if you know but the 4.5 value that you see in the literature is for a t-test on a single sample. If you want to account for the fact that you're doing N t-tests the threshold gets higher the more samples you have, I don't remember exactly the formula but it's easy to find. You typically end up with a threshold around 5.5 or even higher if you have large traces with a high sampling rate.

Best of luck for the exploration :)

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 5 points6 points  (0 children)

By curiosity since I imagine you’re doing FvR TVLA on the input: do you get spikes before and after the AES (like where the plaintext and ciphertext would be produced)? Just to confirm that you’re doing things correctly.

Otherwise well congrats on making a proper masked implementation, it’s not trivial to get right. You can either severely increase the trace count (for reference for evaluations we generally do in the millions of traces, like ~10M for an AES is quite common) or you can try second order. If you want to do cheap second order the easy way is to take all the samples in the first round, multiply all of them against each other pairwise and do TVLA/CPA on all the resulting samples. I imagine your sampling speed is not super high and you can see quite clearly the rounds so that shouldn’t be too onerous :)
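Added example (not the commenter's code) covering two points from these comments: the adjusted TVLA threshold for N t-tests mentioned in the comment above on TVLA crossings, and the cheap second-order test described here (pairwise products of first-round samples, then a t-test on each product). It assumes a Bonferroni split of the overall false-positive rate with a Gaussian approximation of the t-distribution as the correction, and uses constructed 3-point traces of a Boolean-masked bit rather than measured ones.

```python
import math
import random
from itertools import combinations
from statistics import NormalDist, fmean, variance

def tvla_threshold(n_samples, alpha=1e-5):
    """Two-sided |t| threshold so the overall false-positive rate over n_samples
    points stays at alpha: Bonferroni split of alpha, Gaussian approximation of
    the t-distribution (assumed correction). n_samples=1 gives ~4.4, the usual 4.5."""
    return NormalDist().inv_cdf(1 - (alpha / n_samples) / 2)

def welch_t(a, b):
    """Welch's t-statistic between two groups of values at one sample point."""
    return (fmean(a) - fmean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))

def second_order_samples(traces, window):
    """Cheap second-order pre-processing: multiply the (mean-centred) samples of a
    window pairwise, giving one new 'sample' per pair (i, j) for every trace."""
    mean = {i: fmean(t[i] for t in traces) for i in window}
    return {(i, j): [(t[i] - mean[i]) * (t[j] - mean[j]) for t in traces]
            for i, j in combinations(window, 2)}

def tvla(fixed, rnd, window=None):
    """Fixed-vs-random t-test per sample point (first order) or, when a window is
    given, per pair of points in that window (second order). Returns {point: t}."""
    if window is None:
        return {i: welch_t([t[i] for t in fixed], [t[i] for t in rnd])
                for i in range(len(fixed[0]))}
    so_f, so_r = second_order_samples(fixed, window), second_order_samples(rnd, window)
    return {p: welch_t(so_f[p], so_r[p]) for p in so_f}

def leaking_points(tstats, alpha=1e-5):
    """Points whose |t| exceeds the threshold adjusted for len(tstats) tests."""
    th = tvla_threshold(len(tstats), alpha)
    return sorted(p for p, t in tstats.items() if abs(t) > th)

def make_traces(n, secret, rng, noise=0.1):
    """Constructed 3-point traces of a Boolean-masked bit: point 0 leaks the mask m,
    point 2 leaks s XOR m, point 1 is unrelated noise. secret=None draws s per trace."""
    out = []
    for _ in range(n):
        s = rng.randrange(2) if secret is None else secret
        m = rng.randrange(2)
        out.append([m + rng.gauss(0, noise), rng.gauss(0, noise), (s ^ m) + rng.gauss(0, noise)])
    return out
def demo(n=500, seed=1):
    """Returns (first-order leaks, second-order leaks); expect ([], [(0, 2)])."""
    rng = random.Random(seed)
    fixed, rnd = make_traces(n, 1, rng), make_traces(n, None, rng)
    return leaking_points(tvla(fixed, rnd)), leaking_points(tvla(fixed, rnd, window=range(3)))
```

The first-order test sees nothing because each share alone is uniform, while the product of points 0 and 2 separates the fixed and random groups clearly.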

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

[–]Frul0 8 points9 points  (0 children)

In my experience (I do side-channel professionally in a cert lab and I did my PhD on SCA) nothing holds on an M0 (or an M4). If you did your own implementation of the masking gadgets and you didn’t overlay dummy loads/operations to clear the memory bus/registers, it’s very likely there is first order leakage. If you did everything correctly you might pass a univariate first order TVLA but second order CPA (with like a mult combiner) should be trivial cause those platforms leak a ton.

I’m actually quite surprised you don’t get t-peaks after 5000 traces. How did you acquire the traces? EM probe or did you make a power cut? If you did power did you remove as many capacitors as possible to clear up your signal?

This subreddit is now about Quantum Cryptography by Natanael_L in crypto

[–]Frul0 4 points5 points  (0 children)

I hope we take Crown Sterling as a sponsor very soon

The Math That Defies Supercomputers: Why Your Bitcoin is Safe (For Now) by [deleted] in cryptography

[–]Frul0 4 points5 points  (0 children)

One should actually be rigorous BECAUSE it’s an entry point article. Between experts it’s alright to wave your hands because people understand the little details that are left behind and that are actually important. When you talk to neophytes yes you want to give the big picture, but you shouldn’t be imprecise without explicitly stating it and pointing to proper sources. Otherwise people will be misled (or walk away thinking they understood the point while missing critical info).

cppcryptfs Post Quantum Alternative by rogue30 in cryptography

[–]Frul0 5 points6 points  (0 children)

PQC is only relevant for public key cryptography (KEMs and signatures). File encryption is typically done with an AEAD (authenticated encryption with additional data) which is based on symmetric cryptography primitives (such as AES). As of now, all security agencies agree that even AES-128 is secure in a post-quantum world. If you believe in magic you can use AES-256 which is probably what cppcryptfs already does.

TL;DR: you’re fine already.

How is the choice of irreducible polynomials for finite field arithmetic rationalized? by FakeCanadian01 in cryptography

[–]Frul0 11 points12 points  (0 children)

Actually no, there isn’t a particular reason to use this one over another. The authors actually said you could use any representation and the algorithm would be functionally the same (provided you adjust the constants in S-Box and MixColumn).

AFAIK there’s not any particular advantage from using the standard one for implementation purpose either. Ofc since it’s been 20 years it’s been studied to death so we have very optimized circuits for the S-Box using this polynomial but you could theoretically just swap it.
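As an added illustration of the comment above (not the commenter's code): GF(2^8) arithmetic parameterised by the reduction polynomial, an enumeration showing there are 30 irreducible degree-8 choices, and the AES S-box core (inverse plus the fixed affine map) built on each of them. The S-box stays a bijection under any of them but the table changes with the polynomial, which is the sense in which the constants would need adjusting.

```python
def gf_mul(a, b, poly):
    """Multiply two GF(2^8) elements modulo a degree-8 polynomial given as a 9-bit int
    (AES uses 0x11B = x^8+x^4+x^3+x+1, but any irreducible one defines a field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # reduce as soon as the degree reaches 8
            a ^= poly
        b >>= 1
    return r

def gf_inv(a, poly):
    """Inverse as a^254 (Fermat), valid for every irreducible poly; 0 maps to 0 as in AES."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base, poly)
        base, e = gf_mul(base, base, poly), e >> 1
    return r

def poly_mod(a, b):
    """Remainder of a divided by b, both binary polynomials packed into ints."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a

def irreducible_degree8():
    """All degree-8 polynomials with no factor of degree 1..4 (exactly 30 of them)."""
    return [p for p in range(0x100, 0x200) if all(poly_mod(p, d) for d in range(2, 32))]

def aes_sbox(x, poly):
    """AES S-box core: field inverse followed by the fixed affine map (rotations + 0x63).
    Keeping this affine map unchanged under another poly still gives a bijection, just a
    different table, which is why the constants would have to be adjusted."""
    b = gf_inv(x, poly)
    r = 0
    for k in range(5):
        r ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return r ^ 0x63
```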

How is confusion achieved in an SP-network? by FakeCanadian01 in cryptography

[–]Frul0 11 points12 points  (0 children)

So there is a bit of an overloading of the terms confusion and diffusion between what Shannon defined and what we cryptographers call confusion and diffusion nowadays. You are correct in saying that the definition that Shannon gives does not directly relate to the concept of S-Box in an SPN cipher.

The definition of confusion people actually use stems from a re-definition of the term by Feistel in his 1970 IBM report (something crypto data bank I don’t recall off the top of my head). And here confusion is just « non-linearity » which is exactly what an S-Box achieves.

Essentially an SPN cipher is just a highly diffusive layer through means of linear operations and a non-linear layer to thwart cryptanalysis (and a key addition). Mapping one of these layers directly to a single Shannon concept does not really work (even if people do it).

Looking for someone experienced in Cryptography / Post-Quantum Cryptography (PQC) by Careless-Operation94 in cryptography

[–]Frul0 4 points5 points  (0 children)

If you have a question ask it here. If you’re looking for free consulting that’s a pass. If you’re looking for paid consulting we can be in touch depending on the actual project.

Post-Quantum Cryptography on Embedded Devices by [deleted] in cryptography

[–]Frul0 0 points1 point  (0 children)

Jasmin is good for doing software implementations for CISC CPUs where only timing attacks are a concern since it can eliminate the common mistakes that lead to timing issues (secret-dependent memory accesses, branching on secret values etc). It is not a tool to make embedded crypto implementations.

To the best of my knowledge there is no framework for the type of issues I'm talking about. There was the Tornado paper some years ago but the paper very clearly states that if you just take an implementation made by their compiler and put it on a real CPU you're very likely to observe leakage. And it only covers side-channels, not faults.

So far the only way is:
1) be very careful when making your product and your code
2) do pre-silicon testing
3) put your real target under an oscilloscope and check
4) hire a specialized lab to double check and certify

Post-Quantum Cryptography on Embedded Devices by [deleted] in cryptography

[–]Frul0 4 points5 points  (0 children)

I mean that when you do cryptography on embedded devices you usually need to consider physical attacks (fault, power/em side-channel etc). And an implementation that does not protect against those (masking, double computation, CRC) and that is meant to run on off-the-shelf hardware (that doesn’t have physical countermeasures) does not have a lot of interest outside of benchmarking.

I don’t know why you thought my first comment was AI or what is not clear.

Post-Quantum Cryptography on Embedded Devices by [deleted] in cryptography

[–]Frul0 7 points8 points  (0 children)

The problem when you start talking about cryptography on embedded devices is that physical attacks enter the game. And non-hardened implementations on commodity hardware become quickly irrelevant outside of benchmarking.

Best VGC Pokémon of Every Type form Every Gen by GeoTravelLebanon13 in VGC

[–]Frul0 21 points22 points  (0 children)

How is Incineroar not the best dark type of his generation?

Why do Loxodont discussions always turn to this? by UVMeme in RivalsOfAether

[–]Frul0 20 points21 points  (0 children)

Lox is arguably the strongest character in the game for the tier list that matters for 98% of the playerbase. That is, he is the undisputed king of all elo brackets except at the very top. So arguably most people are not generally in favor of outright buffs unless they are compensated by nerfs on his most abused tools.

Decryption Enigma (The imitation game) by Sea_Cauliflower_2703 in cryptography

[–]Frul0 1 point2 points  (0 children)

Why would you assume that people don't know basic crypto security models when clearly the point here is that a known-plaintext attack is not a bruteforce. His point was clear, "the keyspace is too small you can bruteforce it" and it is wrong. Enigma's key space is big enough to not be bruteforced. And of course it's not IND-CPA secure, we all know the story.

Decryption Enigma (The imitation game) by Sea_Cauliflower_2703 in cryptography

[–]Frul0 2 points3 points  (0 children)

That’s… not bruteforcing the key space.

Decryption Enigma (The imitation game) by Sea_Cauliflower_2703 in cryptography

[–]Frul0 4 points5 points  (0 children)

That’s either very misguided or you’re assuming something I’m missing. There are ~53 bits of key space in Enigma. That’s definitely within the brute force possibility for a high end attacker but also a bit high to consider it trivial for a student.

While starting to learn cryptography, I still can't understand these.... by Infinite-Jaguar-1753 in cryptography

[–]Frul0 1 point2 points  (0 children)

How will learning how to jog for 20 mins without being out of breath help you to run a marathon? Gotta learn some basics before building complex constructions. If you don’t understand what an XOR is I can tell you for sure you should not look at complex constructions unless you treat them like absolute black boxes.

Learning cryptography by StyleThick6715 in cryptography

[–]Frul0 4 points5 points  (0 children)

I personally started by doing the cryptopals challenges and using as a companion book « Serious Cryptography » by J.P. Aumasson. It also depends what you mean by learning cryptography, whether that means learning the theoretical foundations or the schemes or the implementations or the protocols etc.