Martin R. Albrecht
@malb.bsky.social
Cryptography Professor at King's College London and Principal Research Scientist at SandboxAQ. Erdős–Bacon Number: 6. He/him or they/them.

https://malb.io
You may think of a mode of operation as a way of constructing an encryption algorithm from a PRP. So, in particular: "AES" is not an encryption algorithm but "AES-GCM" is an encryption algorithm (achieving IND-CCA security).
Similarly, "RSA" is not an encryption algorithm, but "RSA-OAEP" is.
October 23, 2025 at 8:08 AM
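The post above says a mode of operation turns a PRP into an encryption scheme, and that the PRP alone is not one. The following added example (written for this page, not code from the post or from malb.io) makes that concrete with a toy 64-bit PRP built as a 4-round Feistel network over a SHA-256 round function (the Luby-Rackoff construction; the toy cipher, the 8-byte block size and the constructed "penguin" plaintext are all assumptions for illustration and not AES). Applying the PRP block by block (ECB) is deterministic, so repeated plaintext blocks show up as repeated ciphertext blocks and a trivial IND-CPA distinguisher wins every time; CTR mode with a fresh random nonce, built from the same PRP, hides the repetition and reduces the distinguisher to guessing.

```python
"""Added example: a toy PRP (Luby-Rackoff Feistel over SHA-256) and two modes
of operation on top of it. Assumptions: 8-byte blocks, 4-byte nonce/counter,
a constructed 'penguin' plaintext. Not AES, not production code."""
import hashlib
import os
from typing import Callable, Optional

BLOCK = 8  # toy block size in bytes (64-bit permutation)


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # PRF for one Feistel round: SHA-256 keyed by (key, round index), truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward direction of the toy PRP: 4 Feistel rounds on one 8-byte block."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def prp_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation: undo the rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """'Raw PRP' usage: every block permuted independently. Deterministic, so
    equal plaintext blocks give equal ciphertext blocks (the 'penguin')."""
    assert len(msg) % BLOCK == 0
    return b"".join(prp_encrypt(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))


def _ctr_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream block i = PRP(key, nonce || i); XOR it onto the data.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = prp_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += _xor(data[i:i + BLOCK], ks)
    return bytes(out)


def ctr_encrypt(key: bytes, msg: bytes, nonce: Optional[bytes] = None) -> bytes:
    """CTR mode: a randomized encryption scheme from the same PRP. The nonce must
    be fresh per message (here: 4 random bytes, prepended to the ciphertext)."""
    nonce = os.urandom(4) if nonce is None else nonce
    assert len(nonce) == 4
    return nonce + _ctr_keystream_xor(key, nonce, msg)


def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    return _ctr_keystream_xor(key, ct[:4], ct[4:])


def penguin_plaintext() -> bytes:
    """Constructed stand-in for the penguin image: 32 blocks drawn from only
    3 distinct block values, i.e. highly structured plaintext."""
    bg, body, eye = b"\x00" * BLOCK, b"\xff" * BLOCK, b"\x0f" * BLOCK
    row = [bg, bg, body, eye, eye, body, bg, bg]
    return b"".join(row * 4)


def distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def ind_cpa_distinguisher(encrypt: Callable[[bytes, bytes], bytes]) -> bool:
    """One run of the IND-CPA game with m0 = (A, A) and m1 = (A, B).
    Returns True if the adversary guesses the challenge bit correctly."""
    key = os.urandom(16)
    a, b = b"\x00" * BLOCK, b"\x01" * BLOCK
    bit = os.urandom(1)[0] & 1
    body = encrypt(key, [a + a, a + b][bit])[-2 * BLOCK:]
    guess = 0 if body[:BLOCK] == body[BLOCK:] else 1  # repetition => probably m0
    return guess == bit


def demo(key: bytes = b"\x07" * 16) -> dict:
    pt = penguin_plaintext()
    return {
        "distinct_plaintext_blocks": distinct_blocks(pt),
        "distinct_ecb_blocks": distinct_blocks(ecb_encrypt(key, pt)),
        "distinct_ctr_blocks": distinct_blocks(ctr_encrypt(key, pt)[4:]),
        "ecb_adversary_wins_of_100": sum(ind_cpa_distinguisher(ecb_encrypt) for _ in range(100)),
        "ctr_adversary_wins_of_100": sum(ind_cpa_distinguisher(ctr_encrypt) for _ in range(100)),
    }
```

Against ECB the adversary wins all 100 games and the 32-block "penguin" encrypts to only 3 distinct ciphertext blocks; against CTR the ciphertext has 32 distinct blocks and the adversary wins about half the time, which is the behaviour expected of a randomized scheme built from a PRP (this toy CTR is only IND-CPA, not IND-CCA; that needs authentication, as in the GCM mentioned above).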
Sorry for being so opaque! AES is a block cipher which is modelled as pseudorandom permutation (PRP) or a strong pseudorandom permutation (SPRP). The usual way you are taught that these are not encryption schemes is: "the penguin", see Example 2 in malb.io/7CCSMATC/lec...
October 22, 2025 at 7:53 AM
I believe the big pioneer here was Allan Steel magma.maths.usyd.edu.au/users/allan/
Allan Steel's Homepage
October 21, 2025 at 8:39 PM
Yup, Magma, LinBox, M4RI(E) et al are all running Strassen in dimensions of the hundreds or thousands linalg.org github.com/malb/m4ri but last time I checked this is a no go for floating point matrices due to numerical stability issues with the asymptotically fast algorithms.
Tools for exact linear algebra
Home page for project LinBox, a library for high-performance exact linear algebraic computations.
October 21, 2025 at 8:38 PM
Go ask a room full of cryptography-adjacent practitioners if "AES" or "RSA" are encryption algorithms, I bet you'll hear a lot of "yes" (at least that was the outcome for me today). How many university modules even teach that falsehood? What a failure of our field.
October 21, 2025 at 7:27 PM
Isn't the answer mostly Heartbleed?
May 15, 2025 at 10:09 AM
Reposted by Martin R. Albrecht
Ooh -- also: The "More is Less" paper (eprint.iacr.org/2017/713 ) pointed out this group membership issue with WhatsApp in 2017 -- almost 8 years ago!
More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema
Secure instant messaging is utilized in two variants: one-to-one communication and group communication. While the first variant has received much attention lately (Frosch et al., EuroS&P16; Cohn-Gordo...
May 8, 2025 at 10:05 PM
Reposted by Martin R. Albrecht
... who have to constantly monitor the UI for changes to the member list. And it is a burden that is unnecessary: Signal deploys cryptographic control of group membership at scale, for example. Thanks @dangoodin.bsky.social for your coverage of our work in this piece: arstechnica.com/security/202...
WhatsApp provides no cryptographic management for group messages
The weakness creates the possibility of an insider or hacker adding rogue members.
May 8, 2025 at 9:59 PM