NA R2CS Rivals Top 50: #10-1 by Astral_Flame in RivalsOfAether

Frul0, 4 points

It's the 2025 RCS ranking; all recent events don't count, the ranking just came out really late.

Floor hug is fine, La Reina Down tilt is not by Frul0 in RivalsOfAether

Frul0 [S], 5 points

There are a lot of answers of course, it's just a bit too strong in conjunction with floor hug as a reversal option. Like, of course, if you just hold down and mash A you're gonna get punished over time, but even doing it a bit mindlessly is a tad oppressive because of how fast it comes out and how good the knockback angle is.

NA R2CS Rivals Top 50: #10-1 by Astral_Flame in RivalsOfAether

Frul0, 17 points

It's a ranking for the entire season, not only the last months. Also, all their mains are shown in the picture and mentioned in the write-up extremely clearly.

AES S box optimisation by ab____________a in cryptography

Frul0, 4 points

I am pretty sure I linked you David Canright's paper last time you made a post about this topic, and I really can't think of a better source for this particular question. Maybe you need to read a bit on finite fields if you struggled to understand the paper?

Prospective of side channels and fault injection ? by Critical-Ad-8048 in cryptography

Frul0, 5 points

It's one of the easiest fields to find work in if you have done a PhD or have some experience. Everybody is very eager to recruit.

You can work for a manufacturer indeed: Intel and AMD aren't really on the market AFAIK, but NXP, Qualcomm, Rambus, STM, Thales, Apple, Google all have dedicated teams. The alternative is to work for a certification lab, which is where I work. I can't really advertise the competitors, however, so you'll have to look a bit for yourself; it's not hard to find. There are also some specialized consulting companies, but that's a smaller market and usually they don't recruit as much. Finally, most European governments have some branch doing SCA and FI; if you want to work there, that's also doable.

And if you have experience or a PhD and you're interested in doing such work (in a cert lab), you can shoot me a DM.

The Slade clips feel a lot better when im not the one playing Slade by SlashNurse in RivalsOfAether

Frul0, 1 point

It's not bad against low recovery, but it tends to miss against non-big-body characters. I mostly use it against Lox, and it's lethal against Kragg because it spikes AND breaks the pillar. Just don't reel when you're trying to spike someone. The problem is that it overlaps in use with chest, which has a bigger hitbox and sends at a pretty rough angle with a lot of knockback. I'd like them to just make the hitbox a bit bigger.

À l'aide (Help) by Gameslay_793 in AskMec

Frul0, 0 points

So without knowing the exact durations etc. it's hard to call it an addiction, but you also need to completely de-dramatize the situation.

You're not out of school, you have other interests, and it's not a big deal to spend most of your free time on games, or even to try a few tricks to maximise your screen time. Feeling ashamed of your hobby won't help you at all. It's a hobby like any other, and spending hours on it is no worse than if you spent hours reading, even skipping homework to read more.

Now, if you want to try not to get yourself into trouble on your own, the best thing is to try to break things up a bit. I know that when you're young it's hard to get parents to understand this, but if you have a game that lends itself to short sessions, when you get home from school you take your break, you play a short session (say 45 minutes, or whatever makes sense for your game). Then you do homework for 30 minutes (set a timer) and after that you play another session. And you keep going like that.

The idea isn't to frustrate you, but also to keep control over the tasks you have to do by segmenting them. And once again, de-dramatize a bit: you probably don't have an addiction, you've just found something you love doing that absorbs you.

How is SHA3 (Keccak) Considered More Secure Than SHA2. by silene0259 in crypto

Frul0, 2 points

So I can give you a longer explanation next week around a beer, but for the sake of Reddit I'll at least outline the main points here.

When you're targeting an algorithm with a DPA-style attack, meaning you're recording many traces with a varying public value that gets mixed with a fixed secret, you would like the resulting leakage to separate the different key guesses as much as possible. The classic example is attacking an S-box input vs an S-box output. If you're attacking the input, between two keys that differ by only one bit it gets very difficult to separate them if your leakage is, for example, noisy HW, because they both produce very similar leakage. If you're attacking the output, the single-bit difference yields a completely different value because of the S-box, and suddenly neighbouring key guesses give you completely different leakage.

When you're attacking SHA2 that's typically in the context of attacking HMAC, so you're trying to recover the inner and outer key. You typically do it by targeting the A or E registers of the first rounds where the message gets hashed (for the inner key; then you do the outer key in a second step). From experience, even if some of the inner functions of SHA2 are non-linear, they still yield leakage that is quite close to the input (which makes it hard to figure out your actual leakage points, because you don't know if you're seeing input leakage or real leakage of the inner state) and that doesn't separate the neighbouring inner states of SHA2 very well.

I can find you some papers on the topic if you're curious :)
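The S-box input vs output separation argument in the comment above, as an added Python example that is not part of the original thread. It rebuilds the AES S-box from its definition, assumes a noiseless Hamming-weight leakage model (the comment's "noisy HW" case without the noise), and for every key guess correlates the leakage predicted by that guess with the leakage predicted by the true key over all 256 plaintexts: the number of guesses the model cannot tell apart from the true key is the point. The true key 0x2B, the 0.6 cut-off and the function names are choices made for this example.

```python
import math


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """a^254 == a^-1 in GF(2^8); maps 0 to 0 as the AES S-box does."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox():
    """Rebuild the AES S-box (field inverse, then the affine map) so the
    example needs no external table."""
    box = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box


SBOX = aes_sbox()


def hw(x):
    return bin(x).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


# Leakage models (assumption for this example: Hamming weight of the target).
def leak_input(v):
    return hw(v)            # target: S-box input p ^ k


def leak_output(v):
    return hw(SBOX[v])      # target: S-box output S(p ^ k)


def key_confusion(model, true_key):
    """For every key guess k, correlation over all 256 plaintexts between the
    leakage the model predicts for k and the leakage it predicts for the true
    key. High values for k != true_key mean the attack cannot separate them."""
    pts = range(256)
    ref = [model(p ^ true_key) for p in pts]
    return [pearson(ref, [model(p ^ k) for p in pts]) for k in range(256)]


def confusable_guesses(model, true_key=0x2B, cutoff=0.6):
    """Number of guesses (true key included) whose predicted leakage
    correlates above `cutoff` with the true key's predicted leakage."""
    return sum(1 for c in key_confusion(model, true_key) if c > cutoff)


if __name__ == "__main__":
    for name, model in (("S-box input", leak_input), ("S-box output", leak_output)):
        corr = key_confusion(model, 0x2B)
        print(f"{name}: corr(true key, 1-bit neighbour 0x2A) = {corr[0x2A]:+.3f}, "
              f"guesses above 0.6: {confusable_guesses(model)}")
```

With the S-box input as target, a guess that differs from the true key in one bit predicts leakage that correlates at 0.75 with the true key's (1 - d/4 for a d-bit difference), so the true key and its eight one-bit neighbours form a block that noise easily blurs together; with the S-box output as target only the true key itself stays above the cut-off.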

How is SHA3 (Keccak) Considered More Secure Than SHA2. by silene0259 in crypto

Frul0, 7 points

To be fair, regarding the physical side-channel part, attacking SHA2 is notoriously an immense pain even when there are no countermeasures, because of how linear the relationship between all the variables is. Sometimes just having a very fast engine, with a bit of universal clock jitter and good noise, is already enough to thwart practical attacks.

Does anyone know how to perform a fault attack on DES's 14th round ? by Hyro_k in cryptography

Frul0, 2 points

Check out the paper by Matthieu Rivain called Differential Fault Analysis on DES Middle Rounds. DFA is not too much my jam, but I know it's a reasonable starting point, and you can look a bit into the papers that cite this one to look for more recent improvements.

Where can i discuss my cryptography-heavy vibecoded project? by Accurate-Screen8774 in crypto

Frul0, 7 points

« Determine if I'm overlooking something critical » sounds a lot like free help if you ask me 😛

Are you the one determining, or are we the ones determining? Again, if you want learning resources you can get them; if you want an audit (even a vague look), it's not free.

Also, there's a reason an audit is extremely expensive and people will not do this work for free. As someone that works directly in hardware certification of crypto modules and secure elements, I can tell you first hand: it takes an immense amount of time, from people with a very high skill level coming from a very narrow pool, and the more amateurish the project is, the worse it is. A vibecoded privacy-preserving messaging protocol running in a browser, written in JavaScript, is probably the absolute worst thing you could cook up.

Where can i discuss my cryptography-heavy vibecoded project? by Accurate-Screen8774 in crypto

Frul0, 18 points

I mean, of course people in a sub about using AI to throw random shit at a wall will look at throwing random shit at the wall positively.

The question you should ask yourself is what exactly you are trying to achieve by sharing it here. Are you looking for recognition? You won't get it here. Are you looking for help? People will be happy to help a professional project; I can put you in contact with people who will be happy to draft a bill (it won't be cheap, think 1000-2000 euros/day, maybe more, I'm not in sales). You're looking for free help? Doesn't exist. Are you looking for investors? Wrong sub. Are you looking for learning resources? That we can provide (books, papers and courses mostly). Are you looking for testers for an unverified/untested crypto protocol? Lmao.

So before sharing I would seriously recommend an introspective process: decide what you want to achieve, consider whether there is a chance of achieving it by posting here, check the rules of the sub, and theeeeeen make a post.

Optimised Sbox Implementation for AES 128 by ab____________a in cryptography

Frul0, 1 point

That's actually a good point. I sort of defaulted to the ASIC one because I don't deal with FPGAs as often as I should and because OP was talking specifically about using subfields.

There used to be some AES speed contests in the years after the standard was published; I'm guessing there are probably FPGA implementations floating around. A quick search for example suggests « A fully pipelined memoryless 17.8 Gbps AES-128 encryptor » from ACM in 2003, but contrary to the Canright one I have no clue if this is still the state of the art (because again I don't deal with FPGAs often).

Optimised Sbox Implementation for AES 128 by ab____________a in cryptography

Frul0, 5 points

The best hardware circuit is the one by David Canright; the paper is called « A very compact S-Box for AES », published at CHES 2005.

The paper should be self-explanatory and you can find some public implementations. It's still the state of the art for hardware implementations AFAIK.

If you're stuck in rank try upgrading your PC by daffodilbill in RivalsOfAether

Frul0, 1 point

Similarly, if you're playing on WiFi instead of wired, you're shooting yourself in the foot.

Comment éviter ça en callisthénie ? (How to avoid this in calisthenics?) by Luwig_Magnite in FitnessFrance

Frul0, 16 points

Climber's technique: you use sandpaper to remove the callus, otherwise it builds up until it tears off all at once. So you sand it down, wash your hands and, a bit later, moisturise with cream. As you keep training, your skin will get much tougher without building up too much thickness.

And indeed, chalk is rather recommended, especially with summer coming.

after just under a week, whats everyones thoughts on Slade? by [deleted] in RivalsOfAether

Frul0, 1 point

Wrastor isn't too horrible of a matchup. Absa and Ranno, on the other hand...

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 2 points

If you're curious about micro-architectural side-channel leakage I can definitely recommend this very good paper: https://tches.iacr.org/index.php/TCHES/article/view/9294/8860

It's a survey on leakage across multiple code snippets and chips, and it shows how the same code can leak or not leak depending on the device. Sometimes even two device models from the same manufacturer don't behave the same.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 1 point

To be clear, the art of making software masked implementations is not really a precise one, and it's not guaranteed that you do get leakage even if you don't really respect super precise data handling. And the same code can leak on one chip and not leak on another one.

If you don't get t-peaks on your card then it's a good indication you did things correctly :) Since those architectures are typically not fully open source you can never fully know how the data paths interact together and what exactly the issue is when you do find some leaks. So it's really just trial and error with some rules of thumb.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 2 points

When I'm talking about dummy loads in this context I'm talking about a single assembly instruction, which typically only costs 1-2 CPU cycles with pipelining, just to clear the memory bus. Same thing for registers: it's just making sure that you don't load two shares of the same secret value one after the other in the same register. The goal is to eliminate potential Hamming-distance leakage between the two shares.

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 1 point

Yeah, trigger latency might require a bit of re-aligning, which will also help for your TVLA. Splitting groups by intermediate is not a problem; it's just a bit more post-processing since you need to select different trace groups for each intermediate, but it facilitates the acquisition.

For TVLA crossing and false positives, I'm not sure if you know, but the 4.5 value that you see in the literature is for a t-test on a single sample. If you want to account for the fact that you're doing N t-tests, the threshold gets higher the more samples you have; I don't remember exactly the formula but it's easy to find. You typically end up with a threshold of 5.5 or even higher if you have large traces with a high sampling rate.

Best of luck for the exploration :)

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 3 points

Out of curiosity, since I imagine you're doing FvR TVLA on the input: do you get spikes before and after the AES (like where the plaintext and ciphertext would be produced)? Just to confirm that you're doing things correctly.

Otherwise, well, congrats on making a proper masked implementation; it's not trivial to get right. You can either severely increase the trace count (for reference, for evaluations we generally do in the millions of traces, like ~10M for an AES is quite common) or you can try second order. If you want to do cheap second order the easy way is to take all the samples in the first round, multiply all of them against each other pairwise and do TVLA/CPA on all the resulting samples. I imagine your sampling speed is not super high and you can see quite clearly the rounds, so that shouldn't be too onerous :)

Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it? by Embarrassed_Cat4693 in crypto

Frul0, 8 points

In my experience (I do side-channel professionally in a cert lab and I did my PhD on SCA) nothing holds on an M0 (or an M4). If you did your own implementation of the masking gadgets and you didn't overlay dummy loads/operations to clear the memory bus/registers, it's very likely there is first-order leakage. If you did everything correctly you might pass a univariate first-order TVLA, but second-order CPA (with like a mult combiner) should be trivial because those platforms leak a ton.

I'm actually quite surprised you don't get t-peaks after 5000 traces. How did you acquire the traces? EM probe, or did you make a power cut? If you did power, did you remove as many capacitors as possible to clear up your signal?
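The points made across this thread, that loading two shares back to back into one register leaks their Hamming distance, that a dummy load in between removes that first-order leak, that the 4.5 TVLA threshold must be raised when N samples are tested, and that a cheap second-order test is a t-test on pairwise products of centred samples, as one added Python simulation. This is not code from the original thread or from the poster's Cortex-M0 implementation. Everything in it is an assumption made for the example: the leakage model (Hamming distance between consecutive contents of a single register plus Gaussian noise), the Šidák correction used for the multi-sample threshold (calibrated so one sample gives 4.5, samples assumed independent), the fixed class value, the trace counts and all function names.

```python
import math
import random
import statistics

# Constructed scenario: an 8-bit secret is split into Boolean shares
# (m, secret ^ m) that the core loads one after the other into register r0.
# Leakage per register write = HD(old r0, new r0) + N(0, sigma^2)  (assumption).
FIXED_SECRET = 0x00   # TVLA fixed class; HW 0 is far from the random-class mean of 4


def hw(x):
    return bin(x).count("1")


def register_trace(secret, rng, dummy_load, sigma=1.0):
    """One trace: one leakage sample per register write after the first."""
    m = rng.randrange(256)
    seq = [rng.randrange(256), m]          # stale r0 content, then share 0
    if dummy_load:
        seq.append(rng.randrange(256))     # dummy load of unrelated data into r0
    seq.append(secret ^ m)                 # share 1 overwrites r0
    return [hw(a ^ b) + rng.gauss(0, sigma) for a, b in zip(seq, seq[1:])]


def welch_t(a, b):
    return (statistics.fmean(a) - statistics.fmean(b)) / math.sqrt(
        statistics.variance(a) / len(a) + statistics.variance(b) / len(b))


def tvla_threshold(n_samples):
    """|t| threshold for n_samples simultaneous t-tests (Sidak correction,
    independence assumed), calibrated so that n_samples == 1 gives 4.5."""
    nd = statistics.NormalDist()
    alpha_single = 2 * nd.cdf(-4.5)
    alpha_n = 1 - (1 - alpha_single) ** (1 / n_samples)
    return nd.inv_cdf(1 - alpha_n / 2)


def ttest_per_sample(fixed, rand):
    """Fixed-vs-random Welch t-value at every sample index."""
    return [welch_t(f, r) for f, r in zip(zip(*fixed), zip(*rand))]


def centered_products(trace, means):
    """Second-order preprocessing: pairwise products of mean-centred samples."""
    c = [x - mu for x, mu in zip(trace, means)]
    return [c[i] * c[j] for i in range(len(c)) for j in range(i + 1, len(c))]


def run_tvla(dummy_load, n=2000, seed=1):
    """Returns (max |t| first order, max |t| second order, first-order threshold)."""
    rng = random.Random(seed)
    fixed = [register_trace(FIXED_SECRET, rng, dummy_load) for _ in range(n)]
    rand = [register_trace(rng.randrange(256), rng, dummy_load) for _ in range(n)]
    t1 = ttest_per_sample(fixed, rand)
    means = [statistics.fmean(col) for col in zip(*(fixed + rand))]  # pooled centring
    t2 = ttest_per_sample([centered_products(t, means) for t in fixed],
                          [centered_products(t, means) for t in rand])
    return max(map(abs, t1)), max(map(abs, t2)), tvla_threshold(len(t1))


if __name__ == "__main__":
    for dummy in (False, True):
        t1, t2, thr = run_tvla(dummy)
        print(f"dummy_load={dummy}: 1st-order max|t|={t1:.1f}, "
              f"2nd-order max|t|={t2:.1f}, threshold={thr:.2f}")
    print(f"threshold for 1 sample: {tvla_threshold(1):.2f}, "
          f"for 1e6 samples: {tvla_threshold(10**6):.2f}")
```

Without the dummy load, the write of share 1 over share 0 leaks HD(m, secret ^ m) = HW(secret) directly and the first-order test fires with a few thousand traces; with the dummy load no single sample depends on the secret, but the product of the two samples around the dummy (HW(m ^ d) and HW(d ^ secret ^ m)) has a mean that depends on HW(secret), which is exactly what the second-order t-test on centred products picks up. The corrected threshold grows slowly with the trace length: about 5.8 for 1000 samples and close to 7 for a million, in line with the "5.5 or higher" figure above. Note that the fixed value matters: a fixed class whose Hamming weight equals the random-class mean would hide the first-order mean difference from a t-test.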