<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: ewillbefull</title><link>https://news.ycombinator.com/user?id=ewillbefull</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 01 Jul 2026 03:12:23 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=ewillbefull" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by ewillbefull in "S230 is a censorship law masquerading as a friend of free speech"]]></title><description><![CDATA[
<p>There's no absolute requirement for using Facebook to communicate with others over the Internet, so there's no sensible reason why they (or anyone else) should be compelled to host content they don't like.<p>Just because certain platforms are popular doesn't really change things from a legal or a moral perspective, and it might be because of their editorial discretion that they are popular in the first place.</p>
]]></description><pubDate>Sun, 22 Nov 2020 15:17:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=25178042</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=25178042</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=25178042</guid></item><item><title><![CDATA[New comment by ewillbefull in "S230 is a censorship law masquerading as a friend of free speech"]]></title><description><![CDATA[
<p>> Banks, electricity companies, railway operators<p>These are bad examples in a discussion about speech protections... those businesses are providing services, not just engaging in speech.<p>Also, those businesses _do_ act to arbitrarily refuse to serve people. My bank sent me a letter last year saying that in ~10 days my account will be closed and they'll send me a check with the account contents. No reason, no appeals.</p>
]]></description><pubDate>Sun, 22 Nov 2020 15:01:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=25177927</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=25177927</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=25177927</guid></item><item><title><![CDATA[New comment by ewillbefull in "Researchers find trapdoor in SwissVote election system"]]></title><description><![CDATA[
<p>> The 'trapdoor' is in the protocol by design.<p>Only due to ignorance. It is well known that the bases of a Pedersen commitment can and should be sampled randomly; a trusted setup is only subverting the security of the primitive.</p>
]]></description><pubDate>Wed, 13 Mar 2019 08:50:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=19376875</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=19376875</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=19376875</guid></item><item><title><![CDATA[New comment by ewillbefull in "The Dark Side of Zero Knowledge: Masking the initial setup in Zk-SNARK"]]></title><description><![CDATA[
<p>That's great! There are many issues with trusted setups that people aren't paying enough attention to.</p>
]]></description><pubDate>Sat, 12 Jan 2019 08:11:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=18890264</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=18890264</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18890264</guid></item><item><title><![CDATA[New comment by ewillbefull in "The Dark Side of Zero Knowledge: Masking the initial setup in Zk-SNARK"]]></title><description><![CDATA[
<p>There is nothing new about this article. The article is pointing out that in addition to the trapdoors of the proving system, it's possible to subvert the arithmetic circuit used as well. The ceremonies used by Zcash have the property that the parameters are perfectly bound to the circuit.<p>Not sure why this isn't mentioned in the article.<p>> This article is about the fact that there could be a backdoor, whose absence can only be proven by revealing all participants' toxic waste.<p>This is incorrect, as stated above. Instead of revealing their toxic waste, we reveal proofs-of-knowledge so we can use pairings to ensure the parameters encode the circuit correctly.</p>
]]></description><pubDate>Fri, 11 Jan 2019 20:11:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=18886486</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=18886486</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=18886486</guid></item><item><title><![CDATA[The strange story of “Extended Random”]]></title><description><![CDATA[
<p>Article URL: <a href="https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/">https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=15964015">https://news.ycombinator.com/item?id=15964015</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Tue, 19 Dec 2017 20:37:35 +0000</pubDate><link>https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15964015</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15964015</guid></item><item><title><![CDATA[Announcing the world's largest multi-party computation ceremony]]></title><description><![CDATA[
<p>Article URL: <a href="https://z.cash.foundation/blog/powers-of-tau/">https://z.cash.foundation/blog/powers-of-tau/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=15677507">https://news.ycombinator.com/item?id=15677507</a></p>
<p>Points: 14</p>
<p># Comments: 0</p>
]]></description><pubDate>Sat, 11 Nov 2017 18:45:01 +0000</pubDate><link>https://z.cash.foundation/blog/powers-of-tau/</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15677507</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15677507</guid></item><item><title><![CDATA[New comment by ewillbefull in "HolyJit: A New Hope"]]></title><description><![CDATA[
<p><a href="https://en.wikipedia.org/wiki/Brainfuck" rel="nofollow">https://en.wikipedia.org/wiki/Brainfuck</a><p>The HolyJit repo has a brainfuck jit example in the repository: <a href="https://github.com/nbp/holyjit/blob/master/examples/brainfuck.rs" rel="nofollow">https://github.com/nbp/holyjit/blob/master/examples/brainfuc...</a></p>
]]></description><pubDate>Fri, 20 Oct 2017 12:50:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=15515320</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15515320</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15515320</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p>In our case, the use of grsec was one of the simplest counter-measures that achieved an almost purely additive security improvement. That's even when accepting the risk that grsec has security bugs in it.<p>If the participant did everything right, one of the <i>only</i> remaining ways that the secrets could be exfiltrated from the machine was by exploiting a theoretical vulnerability in xorriso, the software we use to read/write DVDs for airgapped communication in the ceremony. Even then, it was likely to leave an evidence trail on the DVDs for post-hoc review.<p>As an extra precaution, we needed to impose strict policies on the xorriso process. Grsec was trivial to employ using off-the-shelf Alpine Linux tools, and didn't require any dependencies which would increase the cost of auditing afterward. Grsec was also not likely to introduce bugs we couldn't catch in post-hoc review due to the evidence trail left on the DVDs.<p>The hope was to force an adversary to exploit both xorriso and grsec in practice. One important question is: was grsec likely to introduce a category of bugs that would not otherwise exist in Linux already? I think the answer to that question is no. Funny enough, just a day or two before the ceremony the Dirty COW vulnerability was patched in the Linux kernel, and we <i>just</i> managed to update our OS before the scheduled ceremony.</p>
]]></description><pubDate>Tue, 10 Oct 2017 22:02:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=15445692</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15445692</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15445692</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p>I'm Sean from Zcash, I coordinated the MPC and wrote the software. I messaged you on twitter or emailed you or something about this last year.<p>> it made it sound like I repeated the number uncritically<p>I didn't say <i>you</i> regurgitated it. I said the person you talked to did, presumably after looking at libsnark or an unrelated paper.<p>> The fact that competent experts could be unfamiliar with Zcash's crypto to the degree that they could disagree on basic facts like that is a sign of concern, precisely because it's yet another strong sign that the crypto is quite new.<p>I claim the person you talked to was looking at the wrong curve construction. 2^80 is quite a torch to carry into an argument and no experts that we know have ever suggested a security level less than 2^96. The only "disagreements" about security were far more subtle and reasonable than what your blog post suggested.</p>
]]></description><pubDate>Mon, 09 Oct 2017 22:16:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=15437900</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15437900</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15437900</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p><a href="https://eprint.iacr.org/2017/602" rel="nofollow">https://eprint.iacr.org/2017/602</a><p>The protocol scales linearly with respect to the number of participants, but as you can tell, each participant needs to do a lot of time-consuming computations.<p>Each participant needs to maintain custody of the hardware during the process of the ceremony, and then destroy the hardware afterward. If it was your turn, you'd do some stuff for an hour, and then it's the next person's turn in a round-robin circle. You had to wait maybe ~8 hours before it was your turn again. The protocol involved three rounds of this.<p>Nobody can abort (players commit to their moves in advance to defend against adaptive attacks) and so there needs to be a time when all N participants are available for the entire duration of the ceremony. This makes it very sensitive to scheduling problems.<p>If you want to do your own MPC, you also need to perform very expensive fast-fourier transforms in between round 1 and 2. In our ceremony that required a very beefy 128-core server and it still took over an hour.<p>I actually just found a log file from the ceremony's coordinator server (not a privileged server, just handles messages and archives them) which shows the timings of everything, which is kind of fun:<p><a href="https://gist.github.com/ebfull/fde1e167ba35ca67e086ca458eabcf25" rel="nofollow">https://gist.github.com/ebfull/fde1e167ba35ca67e086ca458eabc...</a></p>
]]></description><pubDate>Mon, 09 Oct 2017 19:01:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=15436496</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15436496</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15436496</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p>The protocol could not scale to a large number of participants at the time. Just with six participants it took an entire weekend to perform.</p>
]]></description><pubDate>Mon, 09 Oct 2017 18:14:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=15436139</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15436139</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15436139</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p>> To both yourself and the person you're replying too, please don't put words in my mouth.<p>What words did I put in your mouth? I cited the 2^80 figure in your blog post and a reasonable theory for why you would bring up such a figure. "Regurgitated" came across as snide so I apologize for that.<p>Note that you used this unsubstantiated figure to say "the fact that there’s disagreement is a bad sign." If there isn't actually any disagreement and the figure is unsubstantiated, why is it not baseless FUD? (BTW I notified you of this error in your blog post some time ago but never heard back.)<p>> what I said is that post-hoc review hasn't been done, even a year after the fact.<p>I know, I wasn't replying to you. As I said, I believe more auditing is needed. I also don't believe some kind of one-and-done audit of the software/deterministic builds would satisfy either of us.</p>
]]></description><pubDate>Mon, 09 Oct 2017 17:30:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=15435749</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15435749</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15435749</guid></item><item><title><![CDATA[New comment by ewillbefull in "Cypherpunk Desert Bus: My Role in the 2016 Zcash Trusted Setup Ceremony"]]></title><description><![CDATA[
<p>> 2^80 is not very weak. That's the level of brute forcing a SHA-1 collision. It's low for a new system, but not very weak.<p>Note that the 2^80 figure from Peter's blog post is really unsubstantiated. There's another curve in libsnark (which we don't use) that has 80-bits of security. I suspect what happened is whoever Peter was consulting with just repeated this number to him. We've spoken to many cryptographers who are experts on these curves, and none of them think that figure is reasonable. I actually don't believe there are _any_ cryptographers that have publicly made such a claim about the security.<p>2^96 was the original conservative estimate when the NFS attack was discovered, but subsequent analysis showed concrete security closer to 2^110 (and that's ignoring the unrealistic memory costs of the specific attack.)<p>> How can they not have the basics of a secure toolchain?!?<p>We provided participants with a reproducibly built and stripped down version of Alpine Linux, employed grsec, wrote all of our crypto software in pure Rust, etc. All of our software is reproducibly built, hashed and signed. There is nothing (software-wise) that cannot be caught in post-hoc review. All of it is open-source: <a href="https://github.com/zcash/mpc" rel="nofollow">https://github.com/zcash/mpc</a><p>Several academic papers regarding our protocol have been published since then. We wrote a full security proof of the crypto. We hired NCC group to audit the ceremony as well: <a href="https://z.cash/blog/ceremony-audit-results.html" rel="nofollow">https://z.cash/blog/ceremony-audit-results.html</a><p>More auditing can always be done but this is a continuing process. The primary goal is to make it difficult for someone to undetectably compromise the ceremony.</p>
]]></description><pubDate>Mon, 09 Oct 2017 16:48:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=15435404</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15435404</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15435404</guid></item><item><title><![CDATA[New comment by ewillbefull in "Edward Snowden: Zcash Is 'Most Interesting Bitcoin Alternative'"]]></title><description><![CDATA[
<p>Zooko explained afterward: <a href="https://twitter.com/zooko/status/864341289374023680" rel="nofollow">https://twitter.com/zooko/status/864341289374023680</a></p>
]]></description><pubDate>Fri, 29 Sep 2017 23:07:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=15370031</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15370031</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15370031</guid></item><item><title><![CDATA[New comment by ewillbefull in "Edward Snowden: Zcash Is 'Most Interesting Bitcoin Alternative'"]]></title><description><![CDATA[
<p>Zero-knowledge proofs for a given statement, by definition, reveal nothing about its witness. zk-SNARKs (used by Zcash) are statistically zero-knowledge; there are no cryptographic assumptions involved.</p>
]]></description><pubDate>Fri, 29 Sep 2017 22:56:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=15369963</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15369963</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15369963</guid></item><item><title><![CDATA[New comment by ewillbefull in "Edward Snowden: Zcash Is 'Most Interesting Bitcoin Alternative'"]]></title><description><![CDATA[
<p>There is a tradeoff here that keeps being missed.<p>Ring signatures with small anonymity sets have very serious privacy drawbacks, but they have more sensible assumptions for protecting the monetary base integrity.<p>zk-SNARKs are the opposite: they don't compromise on privacy at all, but require stronger assumptions to protect the monetary base.</p>
]]></description><pubDate>Fri, 29 Sep 2017 22:10:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=15369684</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15369684</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15369684</guid></item><item><title><![CDATA[New comment by ewillbefull in "Edward Snowden: Zcash Is 'Most Interesting Bitcoin Alternative'"]]></title><description><![CDATA[
<p>Zcash's zk-SNARKs are totally private even if that ceremony failed and even if the cryptographic assumptions underlying zk-SNARKs fall apart.<p>I find the comparison with Bitcoin perfect. The same people trusting PoW cartels to keep their system operational are complaining that zk-SNARKs require a parameter setup for proof soundness? That doesn't really make sense to me.</p>
]]></description><pubDate>Fri, 29 Sep 2017 22:07:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=15369666</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15369666</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15369666</guid></item><item><title><![CDATA[New comment by ewillbefull in "Rust 2017 Survey Results"]]></title><description><![CDATA[
<p>The next survey should ask which nightly-only features are keeping them on nightly. :)</p>
]]></description><pubDate>Tue, 05 Sep 2017 17:52:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=15177513</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15177513</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15177513</guid></item><item><title><![CDATA[New comment by ewillbefull in "Rustgo: Calling Rust from Go with near-zero overhead"]]></title><description><![CDATA[
<p>I think you misread the parent comment. :)</p>
]]></description><pubDate>Tue, 15 Aug 2017 19:35:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=15021572</link><dc:creator>ewillbefull</dc:creator><comments>https://news.ycombinator.com/item?id=15021572</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=15021572</guid></item></channel></rss>