Paul Miller
@paulm
Security, noble cryptography (js), austrian school of econ.
Paul Miller (@paulm)
Things which could help against NPM supply chain attacks similar to the one which happened today:
- prefer specific pkg versions instead of ranges (2.0.0 not ^2.0.0)
- prefer rare dep updates (once per 3mo or so)
For pkg authors:
- publish from github ci
- do not store npm tokens on a dev machine
- while publishing from...
NPM hack. A full thread. https://x.com/officer_cia/s...
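An added check for the first bullet in the post above, written for this page and not taken from the post or from any of the author's libraries: it reads a package.json object and flags every dependency spec that is not one exact version, suggesting the pinned form where it can be read straight off a caret or tilde range. The sample manifest, its package names and its version numbers are constructed for the example.

```javascript
// Added example, not from the post: find dependency specs that are not pinned
// to one exact version. "Exact" means MAJOR.MINOR.PATCH with an optional
// prerelease/build tag, e.g. "2.0.0" or "2.0.0-rc.1", and nothing else.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// A range that is only a caret/tilde in front of an exact version can be
// pinned mechanically by dropping the operator; anything else (*, >=, x-ranges,
// git URLs, tags like "latest") needs a human to choose the version.
const OPERATOR_RANGE = /^[\^~](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns the exact version a ^/~ range collapses to, or null if no mechanical pin exists.
function suggestPin(spec) {
  const m = OPERATOR_RANGE.exec(spec.trim());
  return m ? m[1] : null;
}

// Walks the dependency fields and collects every spec that is not exact.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (EXACT.test(spec.trim())) continue;
      findings.push({ field, name, spec, pin: suggestPin(spec) });
    }
  }
  return findings;
}

// Constructed sample manifest; names and versions are illustrative only.
const SAMPLE_PKG = {
  dependencies: {
    'lib-a': '^1.6.0',   // caret range: any 1.x.y >= 1.6.0, auto-pinnable
    'lib-b': '1.5.0',    // exact, fine
    'lib-c': '*',        // anything at all
  },
  devDependencies: {
    'tool-d': '~0.4.0',  // tilde range, auto-pinnable
    'tool-e': '>=5',     // open-ended
  },
};

// Human-readable report lines, one per unpinned dependency.
function report(pkg) {
  return findUnpinned(pkg).map(({ field, name, spec, pin }) =>
    `${field}: ${name}@${spec}` + (pin ? ` -> pin to ${pin}` : ' -> choose an exact version'));
}

console.log(report(SAMPLE_PKG).join('\n'));
```

To run it against a real project, replace SAMPLE_PKG with JSON.parse(fs.readFileSync('package.json', 'utf8')). Setting save-exact=true in .npmrc makes npm write exact versions on install, so new dependencies do not reintroduce ranges.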
Paul Miller (@paulm)
Releasing noble cryptography v2. Time to make the JS ecosystem safer once again. Lots of changes. Details below👇
Paul Miller (@paulm)
Releasing micro-zk-proofs: a JS library to create and verify zk-SNARK proofs. Proofs are created in parallel using Web Workers. Noble cryptography is utilized underneath. During development of zkp, a vulnerability was found in wasmsnark, an alternative proof-generation library.
Paul Miller (@paulm)
Releasing ESPLR - a local ETH block explorer. A big problem of the ecosystem is reliance on 3rd-party RPCs (Infura, Alchemy, QuickNode). Also reliance on 3rd-party explorers (Etherscan). They track users: it makes the system one big panopticon. Local nodes can make the situation better! A PC with an archive node only costs $40/...
Paul Miller (@paulm)
New vulnerability in elliptic.js allows attackers to extract private keys from signatures. This happened because fully deterministic signatures are not your friends. Check out my latest blog post describing the bug and prevention methods:
Deterministic signatures are not your friends (paulmillr.com)
Paul Miller (@paulm)
Updated the 2020 article about building an elliptic curve library from scratch. We need more implementations, in different languages. It’s really easy. Check it out:
Learning fast elliptic-curve cryptography (paulmillr.com)
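An added example serving two posts above, the one on the elliptic.js key-extraction bug and the one on building an elliptic-curve library from scratch. It is written for this page and is not code from the posts, from noble or from elliptic.js: affine secp256k1 arithmetic on BigInt, ECDSA sign and verify with the nonce passed in explicitly, and the textbook recovery of the private key when one nonce signs two different messages. It demonstrates the general failure mode that makes a repeated nonce fatal, not the specific elliptic.js bug described in the blog post. The private key d, nonce k and the two message hashes z1, z2 are constructed values.

```javascript
// Added example, not the page's, noble's or elliptic.js's code. Minimal affine
// secp256k1 with BigInt, ECDSA sign/verify, and the key recovery that follows
// when the same nonce k signs two different messages.
const P = 2n ** 256n - 2n ** 32n - 977n;                                       // field prime
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // group order
const G = {
  x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
  y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
};

const mod = (a, m) => ((a % m) + m) % m;

// Modular inverse via extended Euclid; throws if gcd(a, m) != 1.
function invert(a, m) {
  let [r0, r1] = [mod(a, m), m];
  let [s0, s1] = [1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new Error('not invertible');
  return mod(s0, m);
}

// Affine point addition on y^2 = x^3 + 7; null is the point at infinity.
function add(a, b) {
  if (a === null) return b;
  if (b === null) return a;
  let lam;
  if (a.x === b.x) {
    if (mod(a.y + b.y, P) === 0n) return null;          // a + (-a)
    lam = mod(3n * a.x * a.x * invert(2n * a.y, P), P);  // tangent slope (doubling)
  } else {
    lam = mod((b.y - a.y) * invert(b.x - a.x, P), P);    // chord slope
  }
  const x = mod(lam * lam - a.x - b.x, P);
  return { x, y: mod(lam * (a.x - x) - a.y, P) };
}

// Double-and-add scalar multiplication (not constant-time; fine for a demo).
function mul(pt, k) {
  let acc = null, base = pt;
  for (let e = mod(k, N); e > 0n; e >>= 1n) {
    if (e & 1n) acc = add(acc, base);
    base = add(base, base);
  }
  return acc;
}

// ECDSA over a message hash z; the nonce k is a parameter so the demo can reuse it.
function sign(z, d, k) {
  const r = mod(mul(G, k).x, N);
  const s = mod(invert(k, N) * (z + r * d), N);
  if (r === 0n || s === 0n) throw new Error('bad nonce');
  return { r, s };
}

function verify(z, pub, { r, s }) {
  const w = invert(s, N);
  const R = add(mul(G, mod(z * w, N)), mul(pub, mod(r * w, N)));
  return R !== null && mod(R.x, N) === r;
}

// Two signatures with equal r (same k) on different hashes z1, z2:
//   s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2)
//   s1 k = z1 + r d           =>  d = (s1 k - z1) / r          (all mod N)
function recoverFromNonceReuse(z1, s1, z2, s2, r) {
  const k = mod((z1 - z2) * invert(s1 - s2, N), N);
  return mod((s1 * k - z1) * invert(r, N), N);
}

// Constructed values: a private key, a nonce, and two "message hashes".
const d  = 0x8b5c2f0a1e6d3c4b9a7f6e5d4c3b2a190817263544536271809f8e7d6c5b4a39n;
const k  = 0x3a7d5c1e9b2f4a6d8c0e2b4d6f8a1c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3f5an;
const z1 = 0x4e1f2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0n;
const z2 = 0xd2c8a4f0e6b2d8c4a0f6e2b8d4c0a6f2e8b4d0c6a2f8e4b0d6c2a8f4e0b6d2c8n;

function demo() {
  const pub = mul(G, d);
  const sig1 = sign(z1, d, k);
  const sig2 = sign(z2, d, k);            // same k on a second message: the fatal mistake
  return {
    bothValid: verify(z1, pub, sig1) && verify(z2, pub, sig2),
    sameR: sig1.r === sig2.r,             // reuse is visible to anyone holding both signatures
    recovered: recoverFromNonceReuse(z1, sig1.s, z2, sig2.s, sig1.r),
  };
}

console.log(demo().recovered === d ? 'private key recovered from two signatures' : 'recovery failed');
```

The attacker needs nothing but the two public signatures and the two hashes; equal r values are the tell. Any nonce derivation that can map two distinct messages to the same k, whether random-number reuse or a flawed deterministic scheme, ends in this recovery.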
Paul Miller (@paulm)
A few updates:
- Repos are now deployed to JSR.io and work in Deno / Bun. JSR auto-generates docs!
- Tests run 5x faster with “micro-should” (400-line parallel ESM replacement for Jest)
- A server is fuzzing noble for 8 hours every day. Code coverage stats have been added
Paul Miller (@paulm)
Some thoughts on how ETH can become quantum-resistant. There are lots of small tasks, but it seems quite doable.
Tidbits of post-quantum ETH (ethresear.ch)
Paul Miller (@paulm)
Fresh drop from the Australian NSA: “taking into account projected technological advances in quantum computing”
- DH / ECDH / ECDSA will not be approved for use beyond 2030
- Also AES-128 and AES-192
- Also SHA-256 (!)
- Also ML-KEM-768 / ML-DSA-65 (!!)
cyber.gov.au
Paul Miller (@paulm)
There are challenges in upgrading blockchains to be post-quantum safe, however, some of them seem easy. Most keys these days are generated from BIP39 mnemonics. BIP39 is pq-safe. We freeze all balances. To unfreeze, we ask users to generate a STARK proof which shows the seedphrase is related to their address. After that f...
Paul Miller (@paulm)
NIST wants to ban ECDSA in 2035. It is tight. HTTPS, messengers, cryptocurrencies and everyone else will need to move to new algorithms. Not all functionality is currently feasible in pq setting. Here’s an excerpt from noble-post-quantum on speed & key size in JS implementations.
Paul Miller (@paulm)
noble-ciphers got audited, while curves got their third audit. Thanks to OpenSats for funding & Cure53 for the work! PDF in repo. Contact me if you’re:
- auditor (paid / unpaid) willing to review new open-source goods
- willing to fund auditors
GitHub - paulmillr/noble-ciphers: Audited & minimal JS implementation of Salsa20, ChaCha and AES (github.com)
Paul Miller (@paulm)
Ethereum $130B staking contract was created using Tornado Cash. Torn has mostly been used for legit on-chain privacy. An example is the transaction by anon dev, deploying the contract. The repo rebuilds it using modern tech. Great for ZK education!
GitHub - nkrishang/tornado-cash-rebuilt: Tornado Cash as a foundry project, using latest versions of tools such as Circom, snarkJS, etc. (github.com)
Etherscan (etherscan.io)
Paul Miller (@paulm)
Kinda sad there are people working on eth who think Tornado should be shut down due to crime. Even though most of its usage is legitimate privacy, which cannot be reliably achieved by other methods. Anti-privacy ethos all the way.
Paul Miller (@paulm)
New release of JS eth-signer is out. A lot of new features have been added:
- EIP-7702 AA transactions
- EIP-4844 KZG implementation in pure JS
- EIP-712 / EIP-191 message signing
- EIP-7495 SSZ stable container
GitHub - paulmillr/micro-eth-signer: Minimal library for Ethereum transactions, addresses and smart contracts. (github.com)