Arnaud 🛡🔑

@arnaudbrousseau

Followers: 587 · Following: 299 · Media: 60 · Statuses: 570

Founding engineer @turnkeyhq. Ex-@Coinbase. Proud pup owner.

ATX
Joined June 2009
@arnaudbrousseau
Arnaud 🛡🔑
4 days
Bullish on Fusaka: https://t.co/bXjxAxFgjC Bearish on React & Next: https://t.co/cp2U1gOqli //
@arnaudbrousseau
Arnaud 🛡🔑
12 days
Blind signing? RUST IN PEACE 😤
@prasincs
prasincs.eth ⚓️🇺🇸🇳🇵
12 days
@arnaudbrousseau
Arnaud 🛡🔑
13 days
crazy good or crazy bad I can't tell
@arnaudbrousseau
Arnaud 🛡🔑
16 days
Yes. Remote attestations are useless without reproducible builds:
quorum.tkhq.xyz
Turnkey spends a lot of time thinking about software builds, and has invested a lot of resources to make them reproducible. Do you really need your software to yield byte-for-byte identical artifac...
@antonlivaja
Anton Livaja
16 days
TEEs are grossly underutilized right now. To understand how, you need to understand reproducibility, which is not talked about enough in this context. Not leveraging reproducibility in TEEs is a bit like driving an F1 car with 1 hand up your ass.
@arnaudbrousseau
Arnaud 🛡🔑
19 days
super happy to see this in the open! months of behind-the-scenes work went into it 🙇‍♂️
@prasincs
prasincs.eth ⚓️🇺🇸🇳🇵
19 days
As presented in my @summit_defi lightning talk, I have put together an MVP Wallet Integration guide for Wallets that want to use Visualsign and follow along more closely. VisualSign is a framework for decoding raw transactions across chains, built on @turnkeyhq's QuorumOS,
@arnaudbrousseau
Arnaud 🛡🔑
21 days
If you're down but your customers can't notice because they're also down, are you actually down? 🌩️
@arnaudbrousseau
Arnaud 🛡🔑
27 days
Turnkey is having a littl' Cloud bébé! We're busy making it happen internally. More to report Soon ®
@turnkeyhq
Turnkey 🔑
27 days
We’re excited to announce a first look at Turnkey Verifiable Cloud, a new way to bring provable security to your most sensitive flows. Now in private beta, run trusted code in secure, isolated, verifiable infra using the same guarantees that protect millions of Turnkey wallets.
@arnaudbrousseau
Arnaud 🛡🔑
1 month
crypto(GRAPHY) nugget of the day: 020000000000000000000000000000000000000000000000000000000000000000 is a valid P-256 public key! And no, it's not the point at infinity (its private key is not 0). This pubkey represents the point with:
github.com
A repository to explore public keys and their validity - r-n-o/valid-pubkeys
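The check behind the P-256 claim above, as an added example that is not part of the original post or of the linked repository: a SEC1 compressed-point decoder that accepts a key only if its x-coordinate lies on the curve. The constants are the standard P-256 parameters; the function names are illustrative.

```python
# P-256 (secp256r1) domain parameters: field prime, and a, b of y^2 = x^3 + ax + b.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# The key from the post: prefix 0x02 followed by a 32-byte all-zero x-coordinate.
ZERO_X_KEY = bytes.fromhex("02" + "00" * 32)


def decompress_p256(key: bytes):
    """Validate a SEC1 compressed P-256 key and return its affine (x, y)."""
    if len(key) != 33 or key[0] not in (2, 3):
        # Also rejects the one-byte 0x00 encoding of the point at infinity.
        raise ValueError("not a 33-byte SEC1 compressed point")
    x = int.from_bytes(key[1:], "big")
    if x >= P:
        raise ValueError("x-coordinate is not a field element")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # P % 4 == 3, so a square root (if one exists) is rhs^((P+1)/4) mod P.
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of any curve point")
    # Prefix 0x02 selects the even root, 0x03 the odd one.
    if y & 1 != key[0] & 1:
        y = P - y
    return x, y


def is_valid_p256_key(key: bytes) -> bool:
    """True when the bytes decode to a point on P-256.

    P-256 has cofactor 1, so any affine point on the curve is a valid
    public key; no separate subgroup check is needed.
    """
    try:
        decompress_p256(key)
        return True
    except ValueError:
        return False
```

With x = 0 the curve equation reduces to y² = b, so the key is valid exactly because b is a square modulo the field prime.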
@arnaudbrousseau
Arnaud 🛡🔑
2 months
...and that's a wrap. I've got everything written down in detail at https://t.co/7u63Ittssn if you're hungry for more.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #8: RSA has fixed points! A fixed point is a plaintext which, when encrypted, yields itself. And every RSA key pair has at least nine of them. WTF.
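Why the count in Lesson #8 never drops below nine, as an added example that is not part of the original post: an exhaustive search over toy RSA keys compared with the closed-form count. The primes and exponents are constructed for illustration and far too small for real use.

```python
from math import gcd

# Constructed toy keys (p, q, e); each e is coprime to (p-1)(q-1).
TOY_KEYS = [(11, 23, 3), (61, 53, 17), (13, 37, 37)]


def fixed_points_bruteforce(p: int, q: int, e: int) -> list:
    """Every m in [0, n) with m^e mod n == m, found by exhaustive search."""
    n = p * q
    return [m for m in range(n) if pow(m, e, n) == m]


def fixed_points_count(p: int, q: int, e: int) -> int:
    """Closed-form count of fixed points.

    Modulo a prime p, m^e = m holds for m = 0 and for the gcd(e-1, p-1)
    solutions of m^(e-1) = 1. The Chinese Remainder Theorem combines every
    choice mod p with every choice mod q, so the counts multiply.
    A valid e is odd, so e-1, p-1 and q-1 are all even: each gcd is at
    least 2 and the product is at least 3 * 3 = 9.
    """
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def survey(keys=TOY_KEYS):
    """Return (n, formula count, brute-force count) for each toy key."""
    rows = []
    for p, q, e in keys:
        if gcd(e, (p - 1) * (q - 1)) != 1:
            raise ValueError(f"e={e} is not a valid exponent for p={p}, q={q}")
        rows.append((p * q,
                     fixed_points_count(p, q, e),
                     len(fixed_points_bruteforce(p, q, e))))
    return rows


if __name__ == "__main__":
    for n, formula, brute in survey():
        print(f"n={n}: formula={formula}, brute force={brute}")
```

The third key is the degenerate case: e - 1 is a multiple of both p - 1 and q - 1, so every message is a fixed point, which is why key generation pins e to a small standard value rather than picking it freely.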
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #7: rainbow tables aren't simple lookup tables. They're _optimizations_ to trade-off space for time when cracking digests. A pic is worth a thousand words:
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #6: padding oracle attacks remind us that leaking even one bit of info via error messages (“wrong padding!”) is catastrophic. More generally: how your software fails is crucial for security.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #5: Confusion vs. diffusion 💡 Confusion hides relationships between plaintext & ciphertext. Diffusion spreads the effect of each byte across many bytes. Stream ciphers rely on confusion. Block ciphers rely on diffusion.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #4: stream ciphers are the practical child of the One-Time Pad: instead of sharing huge random keys, you share a seed and expand it with a CSPRNG. The XORing mechanics stay the same.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Perfect example of this grey area: the "maybe backdoor'd" DUAL_EC_DRBG, from our friends at the NSA. A "CSPRNG" recommended by NIST for years. Nobody knows if it's actually backdoor'd or not, to this day (it most likely is, if you ask me!)
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Then we move from true randomness to fake randomness — PRNGs and CSPRNGs. Lesson #3: the difference between the two is more subtle than it seems. All hinges on the strength of forward secrecy and backward secrecy.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
Lesson #2: even “true”, "good" random sources need cleanup. Enter randomness extractors — simple algorithms that turn biased randomness into denser entropy streams. They can be as simple as "output a bit only when two successive bits differ". Elegant and powerful.
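The "output a bit only when two successive bits differ" rule from Lesson #2 is the von Neumann extractor; the sketch below is an added example, not part of the original post. It assumes the input bits are independent with a fixed bias, and it uses a seeded PRNG as a constructed stand-in for a biased physical source so the run is repeatable.

```python
import random


def von_neumann_extract(bits):
    """Read bits in non-overlapping pairs and emit the first bit of each
    unequal pair (01 -> 0, 10 -> 1); pairs 00 and 11 are discarded.

    For independent bits with P(1) = p, both unequal pairs occur with
    probability p * (1 - p), so the output is unbiased whatever p is.
    """
    out = []
    it = iter(bits)
    for first, second in zip(it, it):  # consumes two bits per step
        if first != second:
            out.append(first)
    return out


def biased_bits(n, p_one, seed):
    """Constructed sample input: n independent bits, each 1 with probability p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits):
    """Fraction of 1 bits, the simplest bias measurement."""
    return sum(bits) / len(bits)


def measure(n=200_000, p_one=0.8, seed=1):
    """Bias before and after extraction, and output bits per input bit."""
    raw = biased_bits(n, p_one, seed)
    clean = von_neumann_extract(raw)
    return {
        "raw_ones": ones_fraction(raw),
        "extracted_ones": ones_fraction(clean),
        "yield": len(clean) / len(raw),  # expected p_one * (1 - p_one)
    }


if __name__ == "__main__":
    print(measure())
```

The price of removing the bias is throughput: at 80% ones only about 16% of the input bits survive, and the guarantee disappears if successive bits are correlated.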
@arnaudbrousseau
Arnaud 🛡🔑
2 months
True Random Number Generators (TRNGs) rely on physics — radioactive decay, diode noise, CPU drift, you name it — but most are messy, model-less, and vulnerable. Lesson #1: to know if a TRNG device is working, an underlying physical model is needed.
@arnaudbrousseau
Arnaud 🛡🔑
2 months
It made a few things "click" for me; wrote them all down in https://t.co/7u63Ittssn for posterity nuggets below ⬇️