Paul Miller

@paulmillr

Followers
5K
Following
63
Media
43
Statuses
3K

🔑 Security, open-source software, Austrian school. Noble cryptography.

Joined August 2009
@paulmillr
Paul Miller
5 months
2024 progress on JS cryptography & ecosystem:
- noble-hashes: 1.7M => 4.9M downloads per week
- curves: 0.9M => 3M
- ciphers: 25K => 413K, got audited
- new post-quantum package
- chokidar: 40M => 58M, got rewritten
Looking forward to crazy new stuff in 2025.
@paulmillr
Paul Miller
1 year
2023 progress on JS cryptography:
- noble-hashes: 400K => 1.7M downloads per week
- noble-curves: ~0 => 0.9M, got 2 audits
- noble-ciphers: 0 => 25K
- Finally adopted by @ProtonMail, MetaMask, @rainbowdotme, @Rabby_io, ethers, web3.js, viem
Takes time, but we’re getting there.
6
11
89
@paulmillr
Paul Miller
2 years
Twitter launched encrypted* DMs for verified accounts.
* No sync
* No group chats
* No attachments
* No timers
* Vulnerable to MITM
* No reporting (msg franking)
* No Forward Secrecy
* No Key Transparency
* Private keys are NOT erased after web logout
54
254
1K
@paulmillr
Paul Miller
3 years
Just took a look at @solana’s official web3.js library. Installing it downloads 723 dependencies packed in 202MB from NPM. It then creates 310MB directory with 17682 files. Almost all deps have unbound version ranges. Any dep update could bring trojans to your SOL apps.
55
104
741
@paulmillr
Paul Miller
2 years
Announcing noble-curves: the culmination of work on elliptic curve cryptography. Pkg defines ed25519, ed448, secp256k1, P384, P521, bls12-381, bn254, pasta, stark curves. Edwards, Weierstrass, Montgomery primitives, hash2curve & pairings are also in.
16
106
612
@paulmillr
Paul Miller
3 years
Proud to release ethereum-cryptography 1.0 funded by @ethereum foundation. The new audited libraries behind it will empower all kinds of projects in the space.
99
167
512
@paulmillr
Paul Miller
3 years
It’s impossible to run ETH node over TOR. Even worse: no plans for it. This drastically reduces anonymity & censorship resistance of staking. You either get a KYC-ed hosted server, or homestake — which in most cases is also KYC-ed to yourself. VPNs are not of any help.
24
56
364
@paulmillr
Paul Miller
2 months
Releasing ESPLR - a local ETH block explorer. A big problem of the ecosystem is reliance on 3rd party RPCs (infura, alchemy, quicknode). Also reliance on 3rd party explorers (etherscan). They track users: it makes the system one big panopticon. Local nodes can make the situation better!
16
49
349
@paulmillr
Paul Miller
8 months
Chokidar v4 is out! Chokidar was created in 2012 to solve file watching issues in node.js. In 2024, node APIs are still useless, so the development is continued. The new release removes glob support and decreases dependency count from 13 to 1.
13
32
303
@paulmillr
Paul Miller
1 year
This is your regular reminder that “secret chats” in telegram rely on server-provided prime numbers (messages.getDhConfig). The server could send “bad” prime numbers to clients and decrypt conversations later. Section 1.2.1 of tel-03245433
13
75
227
@paulmillr
Paul Miller
1 month
Releasing micro-zk-proofs: JS library to create and verify zk-SNARK proofs. Proofs are created in parallel using Web Workers. Noble cryptography is utilized underneath. During development of zkp, a vulnerability was found in wasmsnark, alternative proof generation library.
3
32
193
@paulmillr
Paul Miller
4 years
How important are supply chain attacks? Extremely. @ethereum foundation agrees, so they’ve funded the development of fast & secure cryptographic JS library that implements hashing and KDFs. Happy to release it! The first version is out:
7
27
182
@paulmillr
Paul Miller
2 years
4KB cryptography. Does that sound safe? Because it should. Announcing v2 of single-feature modules noble secp256k1 and noble ed25519. secp is just 430 lines of code (4KB gzipped), ed is only 330 lines (3.3KB gzipped) — 4x smaller than previous versions.
5
26
157
@paulmillr
Paul Miller
2 years
@elonmusk @KanekoaTheGreat I speak Russian. Never got a wrong treatment. Unaware of anyone else who got. Please stop spreading nonsense.
1
1
125
@paulmillr
Paul Miller
3 months
New vulnerability in elliptic.js allows attackers to extract private keys from signatures. This can happen to any library, because deterministic signatures are not your friends. Let’s switch to hedged signatures today. Check out my latest blog post:
5
24
140
@paulmillr
Paul Miller
2 years
@haydenzadams @Uniswap Your security sucks. The audit report of @Uniswap Wallet clearly says: No dependency audit has been done, on page 11. You’re using 1387 dependencies which consume 1.08GB of space. Malware could basically be anywhere in your deps: rewriting globals etc. Impossible to audit.
4
13
121
@paulmillr
Paul Miller
1 year
@JoeNakamoto Fake news. Unhosted to unhosted is still legal. Unhosted to hosted will require kyc.
7
2
112
@paulmillr
Paul Miller
11 months
The new ETH client is live. All historical transactions (aka “archive node”) fit in just 2.3TB. Full node is 1.2TB. Syncing from genesis takes 50 hours. This means anybody could run RPC on a cheap pc, like orange pi. No need to pay for 3rd party RPCs, which track users.
@gakonst
Georgios Konstantopoulos
11 months
🚨 Releasing Reth 1.0 🚨 After almost two years of development and a successful audit by Sigma Prime, we are finally releasing Reth 1.0, the first “prod-ready” release of our blazing-fast Ethereum execution client. We invite RPC providers and stakers to run Reth. More below.
4
9
107
@paulmillr
Paul Miller
13 years
Great comparison of frameworks on top of Backbone.js by @molily (Marionette, Thorax & Chaplin): http://t.co/G7dxalwW.
1
43
107
@paulmillr
Paul Miller
5 months
Some thoughts on how ETH can become quantum-resistant. Address formats, bip32, precompiles, staking, node discovery. Lots of small tasks, but seems quite doable.
1
18
101
@paulmillr
Paul Miller
6 months
Banning ECDSA in 2035 is tight. HTTPS, messengers, cryptocurrencies and everyone else will need to move to new algorithms. Not all functionality is currently feasible in pq setting. Here’s an excerpt from noble-post-quantum on speed & key size in JS implementations.
@pcaversaccio
sudo rm -rf --no-preserve-root /
6 months
So we have an "official" (i.e. NIST-based) deadline now: ECDSA should be deprecated by 2030 (for 112 bits only) and completely disallowed by 2035. Thx for the crazy ride secp256k1 (and secp256r1).
7
13
103
@paulmillr
Paul Miller
4 years
micro-eth-signer, the smallest JS library for Ethereum transactions now supports London and Berlin (EIP 1559, EIP 2930). It has also been validated through >3MB of ethers.js test vectors (kudos to @ricmoo). Check it out, it's less than 500 lines of code:
2
9
87
@paulmillr
Paul Miller
2 years
Elliptic curve calculator just got a new big update:
1. Select a curve, including NIST, ed448, BLS
2. Create custom curves
3. Add and multiply points
4. Sign messages with different hashes
The demo works offline. It’s great for learning! Check it out:
0
15
86
@paulmillr
Paul Miller
4 years
Thanks to Apple’s new iOS 14.3, the App Store now displays privacy labels next to each app. Here’s Facebook. The amount of data they collect is mind-blowing.
5
33
69
@paulmillr
Paul Miller
1 year
Signal is cool, but do you know what is cooler? Chatting on decentralized social network. We’ve implemented and audited secure direct messaging for nostr. Thanks to Jonathan Staab, @OpenSats, Cure53, @matthew_d_green and others.
6
14
79
@paulmillr
Paul Miller
2 years
Signal is upgrading all conversations to a combination of X25519 and CRYSTALS-Kyber. Probably the first large-scale deployment of Kyber.
@signalapp
Signal
2 years
Announcing PQXDH! The first step in post-quantum resistance for the Signal Protocol, PQXDH protects your Signal calls & chats from potential future threats of breakthroughs in quantum computing. And it's already rolling out to Signal clients everywhere.
1
7
68
@paulmillr
Paul Miller
4 years
We've just released ethereum-cryptography@next. It's the official package for JS cryptographic primitives that are common for ETH apps. The new version is 15 times smaller and uses 3 dependencies instead of 38. Waiting for security audit now!
2
9
63
@paulmillr
Paul Miller
10 years
That feeling when the new trendy editor by Microsoft @code uses your NPM packages. http://t.co/wEkfT3m1Uh.
4
19
59
@paulmillr
Paul Miller
4 months
@VitalikButerin Been working for the last 5 years on this. Specifically, no-deps JS cryptography. Low-deps eth libraries. Etc.
3
0
61
@paulmillr
Paul Miller
2 years
noble-curves got audited by @trailofbits. The JS library for elliptic curve cryptography is production-ready now. The audit has been funded by Ryan Shea. Check out the report at
6
13
59
@paulmillr
Paul Miller
2 years
Announcing noble-ciphers: tiny 0-dependency cryptographic library, implementing Salsa20, ChaCha, Poly1305, AES-SIV and others. Bonus: a reasonable wrapper around native WebCrypto's AES. Check out its README for some insights:
3
6
52
@paulmillr
Paul Miller
11 months
This is one of the best cryptography libraries:
- ~High level language (nim)
- Tons of useful docs and comments. Check out repository issues!
- All kinds of algorithms. ECC, pairings, r1cs, you name it
- Solid for educating newcomers
Great job @m_ratsim
@m_ratsim
Mamy Ratsimbazafy 🦇🔊
11 months
Releasing Constantine v0.1.0, the fastest backend for Ethereum cryptography. BLS signatures, EVM crypto-precompiles, KZG polynomial commitments for blobs (EIP-4844). All accelerated, with multithreading support. And the fastest MSM for elliptic curves.
2
6
52
@paulmillr
Paul Miller
3 years
Closed-source nature of SOL software contributes a lot to its fragility. I’ve just checked Phantom: it still uses elliptic.js as ed25519 backend, which has scalar multiplication bugs etc. There are a bunch of files that play media from FB/YT/Spotify etc. Does not look great.
@julianor
Juliano Rizzo
3 years
Tried to investigate the Solana wallet key theft issue but are all the wallets closed source? Seriously?
3
10
47
@paulmillr
Paul Miller
2 years
BitcoinJS used math.random instead of webcrypto’s getRandomValues 9 years ago, when the secure API was rare. As a result, mnemonics generated with it could be bruteforced. Unfortunate, but could still happen any time today with webcrypto: browsers had bugs that made it weak.
@trailofbits
Trail of Bits
2 years
Earlier this week, @UncipheredLLC disclosed that BitcoinJS, the most widely used JavaScript library for bitcoin wallets, relied on weak randomness until 2014. This issue puts millions of wallets at risk. Here’s what we know:
1
10
52
@paulmillr
Paul Miller
1 year
micro-eth-signer 0.9 is out. No more block explorers: the release adds ability to fetch full account history and token balances using an archive node, such as @ErigonEth. It also implements SSZ in just 900 lines: nearest library is 8x larger.
2
4
50
@paulmillr
Paul Miller
4 years
Happy to release micro-eth-signer. Fully functional library that works with Ethereum transactions & addresses in just 5KB (+26KB of deps). For comparison, web3js is 1.3MB. Berlin support coming soon!
1
6
45
@paulmillr
Paul Miller
11 months
JS built-in fetch() is great, however, it’s hard to use in secure environments. Releasing micro-ftch: wrappers over fetch() providing network killswitch, logging, timeouts, concurrency limits, basic auth, batched json-rpc and replays / mocks.
1
3
49
@paulmillr
Paul Miller
1 year
Avalanche switched to noble and got 10x smaller. Good stuff.
@dhrubabasu_
Dhruba Basu
1 year
The focus on minimal dependencies paid off tremendously. The bundle size of v4 is 10x smaller than the bundle size of v3:
- Minified: 1.1MB -> 129.7 kB
- Minified + Gzipped: 337 kB -> 38.3 kB
0
4
49
@paulmillr
Paul Miller
1 year
@thekitze Guess which countries have open, public corporate registries? Most of them. That includes U.S. states.
1
0
47
@paulmillr
Paul Miller
2 years
noble-ciphers v0.4 is out. Now with the fastest available pure JS implementation of AES. The update is a big deal for platforms such as React Native, which don’t have native WebCrypto AES.
2
11
48
@paulmillr
Paul Miller
6 months
Minimal JS implementation of sr25519 cryptography is out. Last month, we’ve engaged with Edgetributor from @EdgewareDAO & @Polkadot OpenGov. That resulted in implementation of Schnorr sigs on Ristretto, Merlin, Strobe, VRF, HDKD. Check it out!
0
13
47
@paulmillr
Paul Miller
1 year
#btc halving is imminent and there is still no reliable ordinals library in JS. Releasing micro-ordinals. Built on top of audited btc-signer, it exposes simplistic typescript API for ord. And, as a bonus, CLI utility for uploading files as inscriptions.
8
4
46
@paulmillr
Paul Miller
2 years
Using a hardware wallet, just like using any piece of software, ultimately comes down to trust. Suppose your device is 100% offline. I’m talking about no wifi/bluetooth/usb kind of deal. Like, you’re passing messages to it by manually typing them down. If it is using shitty.
5
7
40
@paulmillr
Paul Miller
2 years
New noble cryptography releases are out:
- NPM provenance is now used for transparent builds, to strengthen supply chain security [1]
- ed25519 and ed448 now provide non-repudiation (Strongly Binding Signatures). The feature is not present in most other libraries [2]
- tweetnacl
2
6
45
@paulmillr
Paul Miller
2 years
Starting from today, unauthorized users can no longer view anything on Twitter. This is unfortunate. Know what could save us from suffering? Digital signatures. See below why👇. Releasing an open-source, privacy-focused nostr web client http://nostr.spa (.
2
6
42
@paulmillr
Paul Miller
3 years
Mozilla Developer Network (MDN) documentation erroneously said that JS “BigInts are unsuitable for cryptography”. Many people read it and pointed out the noble stuff is unsafe. Helped Mozilla folks to update the page. Now it looks like this
1
8
36
@paulmillr
Paul Miller
3 months
Was happy to work with @ArkLabsHQ to produce MuSig2 implementation for btc-signer. Go get it!
@ArkLabsHQ
Ark Labs
3 months
ICYMI: scure's btc-signer latest release now supports MuSig2 👀 A key step toward secure, production-ready Ark deployment. MuSig2 brings practical covenant emulation to Bitcoin. Scalability & security 📈 A privilege to collaborate with @paulmillr on this important update 👇
1
7
40
@paulmillr
Paul Miller
3 years
Any transaction including staking activity must be sent through some node. If you host a node by yourself, an attacker could easily tie all outgoing transactions to your server. Which is most likely KYC-ed. Easy way to identify all node hosters and stakers on Ethereum.
3
1
39
@paulmillr
Paul Miller
1 year
micro-eth-signer 0.8 with support for dencun EIP4844 “blob-carrying” transactions is out.
- Alternative to ethers and viem when you only need basics
- New 100-line RLP parser
- Very friendly debugging experience
- Tested against 150MB of vectors
2
6
41
@paulmillr
Paul Miller
1 year
Ethereum ABI parsers are vulnerable to DoS. It’s also possible to inject information in transactions, hidden from parsers. This allows tracking users across different wallets and even stealing private data. Details in a new article.
5
3
41
@paulmillr
Paul Miller
5 months
There are challenges in upgrading blockchains to be post-quantum safe, however, some of them seem easy. Most keys these days are generated from BIP39 mnemonics. Bip39 is pq-safe. We freeze all balances. To unfreeze, we ask users to generate a STARK proof which shows seedphrase.
4
8
41
@paulmillr
Paul Miller
3 years
Signal is not fully end-to-end encrypted. Contacts are stored server-side. They say it’s protected by SGX, but SGX has been broken many times. It is deprecated on desktop CPUs. There is no need to store contacts in the cloud.
@mer__edith
Meredith Whittaker
3 years
Signal's also end to end encrypted! AND unlike WhatsApp we don't collect intimate metadata like profile info, who's talking to whom, who's in a group. Signal's also a nonprofit, not owned by big tech = we're not one bad earnings report away from killing privacy for profit.
4
7
38
@paulmillr
Paul Miller
2 years
Someone published NPM fork of noble-curves that sent private keys to a server in China. Be careful and check for typos.
2
9
32
@paulmillr
Paul Miller
6 months
Tornado Cash is now legal again. A quick reminder: it’s not scalable yet, just like any other modern privacy solution. To redeem a note, user has to download *all* historical notes and try decrypting each one. If you want to work on privacy, might be a good target.
@molly0xFFF
Molly White
6 months
The Fifth Circuit has just opined that the smart contracts that comprise the Tornado Cash cryptocurrency tumbler are "not property because they are not capable of being owned", and thus cannot be sanctioned by OFAC.
2
1
39
@paulmillr
Paul Miller
3 years
Yesterday was 2 hours of sleep and 18 hours of driving. Trying to stay safe. 🇺🇦.
4
0
38
@paulmillr
Paul Miller
2 years
@pedrouid
- Supply chain security: no dependencies, or minimal dependency on a package from 1 author. If you use something like elliptic, you're exposing yourself to rogue dep updates.
- JS, not WASM: js can be audited easily, wasm cannot. You may be executing malware when using wasm lib.
1
2
37
@paulmillr
Paul Miller
1 year
Currently, telegram has access to all user messages - with exception of secret chats. The messages are stored in their cloud. Why are they refusing to add encryption by default? E2EE backups have been solved. Multi-device has been solved. There are no more excuses.
@matthew_d_green
Matthew Green is on BlueSky
1 year
Seems like we’re getting a major push for activists to switch from Signal to Telegram, which has no encryption by default and a pretty shady history of refusing to add it. Seems like a great idea, hope folks jump all over that.
4
2
36
@paulmillr
Paul Miller
2 years
After noble-curves are audited, what could happen to old libraries? Experimenting with noble-secp256k1 right now: made it 4x smaller (1697 => 424 lines) and added comments everywhere. This could serve as a solid foundation for education of newcomers.
2
3
37
@paulmillr
Paul Miller
1 year
Announcing noble-post-quantum: minimal JS implementation of ML-KEM, ML-DSA and SLH-DSA. Also known as Kyber, Dilithium & SPHINCS+. Only 2000 lines of code - great learning resource for anyone who’s messing with PQ stuff. Check out README for comparison.
3
6
34
@paulmillr
Paul Miller
2 years
Last month, we've collaborated with @starknet and released a new addition to "scure" family of audited libraries. The audit was done by Kudelski security. The package includes stark curve and poseidon / pedersen hashes. Check it out:
1
7
31
@paulmillr
Paul Miller
2 months
GitHub actions CI supply chain attacks are a thing. They are, however, preventable when one pins action to a specific commit. Do not use git tag versions, which are mutable. Example here:
@charliermarsh
Charlie Marsh
2 months
Oh wow, a popular GitHub Action (tj-actions/changed-files) was fully compromised. Someone committed a base64-encoded payload that runs a script that in turn prints out encoded secrets… Stay safe out there!
2
4
33
@paulmillr
Paul Miller
2 months
React-friendly Cuer uses "paulmillr/qr" as backend, which was renamed to a simple "qr". Install it via "npm i qr".
@wevm_dev
wevm
2 months
📲 npm i cuer. simple & opinionated qr code component for react
1
2
32
@paulmillr
Paul Miller
5 months
Fresh drop from Australian NSA: “taking into account projected technological advances in quantum computing”
- DH / ECDH / ECDSA will not be approved for use beyond 2030
- Also AES-128 and AES-192
- Also SHA-256 (!)
- Also ML-KEM-768 / ML-DSA-65 (!!)
3
7
32
@paulmillr
Paul Miller
2 years
@debarghya_das Congratulations. Based on these timelines, the immigration system clearly doesn’t want extraordinary immigrants like yourself. 12-18 years to get a permanent residence is a bad joke.
1
1
27
@paulmillr
Paul Miller
1 year
The update is live now. Go get your short usernames.
@matthew_d_green
Matthew Green is on BlueSky
1 year
Signal is introducing User IDs so you won’t have to hand out your phone number.
3
8
29
@paulmillr
Paul Miller
6 years
Chokidar, an open-source file watcher for Node - just hit 5,000 stars on GitHub. It's one of the most popular NPM pkgs: ~10 million downloads over the last week, 350M in 2018. That's 1.7x more than React. Crazy, how it got to this level without marketing
3
4
30
@paulmillr
Paul Miller
11 years
For anyone missed the story, here’s my new post: The story of Telegram or “Why you shouldn’t listen to Hacker News” http://t.co/uGK0PjMZMO.
9
32
29
@paulmillr
Paul Miller
3 years
@ekryski @aeyakovenko @sintaxi @solana Check out micro-sol-signer I’ve released last month. 600 lines of code, or 3000 with all deps bundled. Works great.
3
4
25
@paulmillr
Paul Miller
2 months
PC with an archive node only costs $40/mo or $500 one-time. 3rd parties can be used as fallback for high availability. Esplr only needs RPC URL of an archive node. It can view transactions, account balances and token transfer history (unique feature).
1
1
29
@paulmillr
Paul Miller
11 months
Human Rights Foundation @hrf awarded us some money for improving security of nostr chats. Looks like we’ll be having an audit of noble-ciphers and remaining parts of curves later in the summer!
4
3
26
@paulmillr
Paul Miller
1 year
New ESM-only package manager looks cool. Just published 4kb noble/secp256k1 and noble/ed25519 there. Npm, deno and bun are all supported.
@rough__sea
Ryan Dahl
1 year
I wrote a blog post addressing some of the confusion around @jsr_io .
1
1
28
@paulmillr
Paul Miller
11 months
Releasing new package: micro-rsa-dsa-dh. Minimal implementation of older cryptography algorithms. Elliptic curves have gained adoption these days, however, classical algos are still needed sometimes. As usual, the code is simple and good for education.
1
3
28
@paulmillr
Paul Miller
4 months
@dhh This is nonsense. Switzerland has wealth tax just like Norway (top bracket 1% vs 1.1%). And Swiss income tax in Geneva can get to 45%.
11
1
26
@paulmillr
Paul Miller
3 years
@evan_van_ness @solana Solana is extremely fragile. This just proves it. Terrible!
1
0
26
@paulmillr
Paul Miller
10 months
Another security researcher had his devices confiscated at U.S. border. There are many stories like that. For example, this happened to @moxie (Signal founder) back in 2010.
@DefuseSec
Taylor Hornby 🛡❤️
10 months
My phone and laptop were searched for 3 hours by US CBP at a land border crossing. I tried to refuse and return to Canada but I was not allowed to. If anyone has any advice on forensic analysis I can do to my own device to see what they did I would be grateful for it.
2
4
26
@paulmillr
Paul Miller
4 years
Fun fact: elliptic, the most popular secp256k1 lib for node & browsers is unmaintained and recently had terrible private key leak (CVE-2020-28498). All sorts of important projects keep using it! Do the right thing and switch your stuff to noble. It is audited and the fastest one.
1
7
27
@paulmillr
Paul Miller
10 months
@mer__edith This was a wake up call about slow iteration speed. Signal Desktop has long been mediocre. It still requires running phone app to sync messages. Even whatsapp removed this requirement. macOS utilizes SIP to protect sensitive files. It works great. It should be used.
2
1
23
@paulmillr
Paul Miller
3 months
tl;dr:
- don’t use a globally hosted site to handle $1.5B, prefer LAN
- After signing, before broadcast, verify using tool such as Ideally 2 tools
- subresource integrity, hourly tests which verify frontend can help
- don’t store prod keys on dev PCs
@benbybit
Ben Zhou
3 months
Bybit Hack Forensics Report. As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains. Screenshotted the conclusion and here is the link to the full report:
2
0
26
@paulmillr
Paul Miller
4 years
noble-secp256k1 ECC library for JS just got an audit from @cure53berlin. No critical vulnerabilities, one high (boolean allowed as private key), two medium-severity. Already fixed all of 'em. You can use it in your mission-critical projects. The report:
3
4
25
@paulmillr
Paul Miller
1 month
Wasmsnark vulnerability reduced entropy of proof's components from 32 bytes to 8 bytes. This made some proofs less secure. It has since been fixed, and the pkg has been upgraded to noble cryptography. micro-zk-proofs is available on github and NPM:
3
3
25
@paulmillr
Paul Miller
1 year
@mer__edith Telegram secret chats are using parameters, provided by their server. The parameters could make a secret chat readable, when needed.
@paulmillr
Paul Miller
1 year
This is your regular reminder that “secret chats” in telegram rely on server-provided prime numbers (messages.getDhConfig). The server could send “bad” prime numbers to clients and decrypt conversations later. Section 1.2.1 of tel-03245433
0
3
24
@paulmillr
Paul Miller
7 months
noble-ciphers got audited, while curves got their third audit. Thanks to @OpenSats for funding & @cure53berlin for the work! PDF in repo. Contact me if you’re:
- auditor (paid / unpaid) willing to review new open-source goods
- willing to fund auditors
0
5
23
@paulmillr
Paul Miller
1 year
Telegram’s reply to post on “bad prime numbers” is wrong.
1. Specially created primes are vulnerable to SNFS, which breaks DL much faster. There is no test against those.
2. 30 Miller Rabin iterations for primeness check is too low. See FIPS 186-5.
Proof.
@telegram
Telegram Messenger
1 year
@paulmillr This is FALSE. Clients always check the prime numbers. Read the 🙄 manual: (and anyone can check the code to confirm this 🤷‍♂️).
2
3
23
@paulmillr
Paul Miller
1 year
Telegram states in their privacy policy (§8.3) they’ve never given out any data. Der Spiegel tells a different story Privacy policy mentions all data requests would be published at which is also false: the reports are empty.
4
4
22
@paulmillr
Paul Miller
2 years
@bantg Lido bad because 40B$ contract must not be upgradeable. There are 100 different sub-contracts. Some of them are randomly upgradeable without aragon. Security is opaque. But keep promoting your bags ofc.
1
3
22
@paulmillr
Paul Miller
2 years
It takes a long time to upgrade the whole JS ecosystem, but we’re getting there. Since 2019:
- secp is now installed 550K times per week and used in 85K github repos
- for ed it’s 282K installs per week and 21K github repos
A lot of important projects have switched.
1
1
23
@paulmillr
Paul Miller
6 years
Six years ago, we've proposed JS promises to conform to Monad interface. It was easy to accomplish back then; the specification was not finalized yet. Promise spec authors aggressively dismissed the idea — mostly because they didn't understand Monads.
1
1
23
@paulmillr
Paul Miller
8 months
New release of eth-signer is out. A lot of new features have been added:
- EIP-7702 AA transactions
- EIP-4844 KZG implementation in pure JS
- EIP-712 / EIP-191 message signing
- EIP-7495 SSZ stable container
0
4
22
@paulmillr
Paul Miller
2 years
@FireWithCrypto @elonmusk He plans on having Forward Secrecy disabled even in the future. Which is really a huge deal and makes dms inferior to whatsapp and signal.
1
0
18
@paulmillr
Paul Miller
12 years
Safari 6 web inspector was terrible. 6 months of iterations and it’s usable & shiny. Evolution shots & log: @xeenon.
3
27
20
@paulmillr
Paul Miller
3 years
Having fun in Ukraine. Don’t believe all the lies the western media/governments are spreading.
4
0
19
@paulmillr
Paul Miller
5 years
New blog post: Learning fast elliptic-curve cryptography in JS.
0
9
21
@paulmillr
Paul Miller
6 years
Keeping your dependencies small is very important. New post: Chokidar 3: How to save 32TB of traffic every week with one NPM package. Check it on Hacker News:
1
8
19
@paulmillr
Paul Miller
3 years
Hardware wallets are mostly proprietary nonsense. We need a better solution. How about a reputable software wallet running on an offline machine? To reduce attack surface, no bluetooth/wifi/usb: all data is transferred via QR codes.
@emilianobonassi
Emiliano Bonassi
3 years
nightmare intensifies… imagine if your hw wallet last firmware update integrate ofac checks and you cannot sign or even worse, recover your overfitted wallet. where’s the boundary? (and open source hw wallets) 🫠
10
0
20
@paulmillr
Paul Miller
3 months
Updated the 2020 article about building an elliptic curve library from scratch. We need more implementations, in different languages. It’s really easy. Check it out:
0
1
19
@paulmillr
Paul Miller
7 months
Ethereum $130B staking contract was created using Tornado Cash. Torn has mostly been used for legit on-chain privacy. An example is the transaction by anon dev, deploying the contract. The repo rebuilds it using modern tech. Great for ZK education!
@MonkeyMeaning
krishang.eth
7 months
f*ck it. Tornado Cash as a foundry project (with forge test cases), using latest versions circomlibjs, snarkJS, etc.
0
1
20
@paulmillr
Paul Miller
9 months
Just released post-quantum v0.2.0, implementing final FIPS 203 / 204 / 205 specs. You can now use PQ cryptography in JS apps today!
0
5
20
@paulmillr
Paul Miller
6 years
We've been working on a group of extremely auditable cryptographic libraries for JS (node & browsers). Each lib is self-contained in one file, has NO deps & can be read by non-cryptographer. Glad to release first 3 projects: ed25519, secp256k1 & ripemd160
2
4
19
@paulmillr
Paul Miller
2 years
@wilderko Maybe read the sources instead of clickbait. Self hosted wallets are not affected.
1
0
18
@paulmillr
Paul Miller
2 years
@nic__carter Fee burning looks good until ETH political games start.
5
0
17