In the grand scheme of things, I’m a nobody.
This blog is enjoyed by a few people (mostly technologists, furries, and furry technologists), but it’s not really providing a service that anyone would pay for. There is no “team” behind it. There is no monetization strategy or business plan. It’s just some nerd with “cringe” hobbies/interests that likes to write things far too long for Twitter.
I’m not telling you all this to be self-deprecating. I’m saying it to level out expectations.
Art: LvJ
Every once in a while, one of my blog posts reaches escape velocity and gets noticed by a larger Internet community. This leads to a stark increase in comments from people wanting to “debate” me. There is no more prominent example of this than my blog post about the dumb “sigma male” grift that became a meme.
The dumb comments on that post–which I will never approve–became so tiring that I left a comment at the bottom to ward off would-be debate-bros.
I’ve received a lot of inappropriate comments on this blog post, in particular. If you disagree, write your own blog post to rebut what I wrote instead of expecting me to approve your comments.
This prompted another rando to leave the comment featured prominently in the header:
You could just approve the comments. I’m sure nobody is trying to hurt your feelings; a civil conversation of disagreement should be allowed. Peace brother 👍
Art: LvJ
Fucking incredible. I’m having flashbacks of the sealioning on Twitter back when the anti-feminist movement “GamerGate” was in full swing.
Since some people are confused, allow me to clear up some misconceptions about this blog–and the comment policy it adheres to.
Comment Moderation Policy
This blog is not a public service provided by any country’s government. It is not the work of any company or business.
Nobody has the right or privilege to have their words platformed here, except myself.
I pay roughly $100/year for the privilege of being able to write about things that interest me without having to fuss over hosting infrastructure or secure application design. (Like hell I would self-host WordPress and be responsible for maintenance! I’d never find time to write anything!)
One big motivator for this blog–instead of, say, a Medium page–is that I can write the things I want without being pressured to paywall my content, and without advertisers getting their filthy hands all over my ideas. Having no real incentives allows me to write what I want, how I want, and when I want.
Art by @loviesophiee, inspired by this comic
It doesn’t matter if it’s a “civil conversation of disagreement”, or the hundreds of comments I get every year (post spam filter) telling me to kill myself for being gay and/or a furry.
Whether a comment gets approved or not is decided at my sole discretion, and my answer will almost always be, “No.”
If you believe you have a right to Free Speech that this policy might hypothetically violate, you’re more than welcome to start your own goddamn blog and write your opinions there. I don’t owe you or anyone a damn thing.
This isn’t censorship, it’s called having personal boundaries.
If you can’t tell the difference between personal boundaries and an attack on your “rights”, please do the world a favor and permanently remove yourself from the dating pool before you hurt someone.
Starting a blog is easy. Maintaining one can be challenging.
If you believe what you have to say is important enough to get published somewhere, go put the time and money into building your own platform instead of demanding access to the one I built.
That being said, by all means, continue to write your comments. Just don’t expect me to blindly approve them all just because you wrote them. The overwhelming majority of comments I receive get chucked in the trash bin.
https://soatok.blog/2021/11/10/my-blog-isnt-a-platform-for-internet-randos/
The year 2021 has taught us, if nothing else, that we can be sure that lies, misinformation, and bullshit are post-scarce resources in modern society.
In such an information economy, it should come as no surprise–yet an abundance of disappointment–that ideas like the “Sigma Male” even exist.
What is a Sigma Male?
I’m not going to mince words.
https://twitter.com/LilySimpson1312/status/1353674278722392066
“Sigma Male” is a ploy to recruit insecure young men into the same involuntary celibate (incel) / anti-feminist / pick-up artist trifecta that’s been making the Internet a worse place for everyone since at least 2005, and an evolution of the widely debunked “alpha male” myth.
https://www.youtube.com/watch?v=YTyQgwVvYyc
Trust me on this one, guys: I’m a gay furry. The whole alpha/beta dynamic gets referenced a lot by neophytes to furry/kink culture. Sometimes we entertain it as harmless fun, but practically no one (especially with a canid fursona) takes it remotely seriously.
Why is This Even a Thing?
(Art by Swizz.)
Let me tell you what’s really going on here:
When the career date-rapists and grifters behind the pick-up artist and “alpha male” circle-jerk realized that their audience was becoming disillusioned by the fact that their attempts to act “more alpha” were not resulting in healthy sexual or romantic relationships with women, they decided to invent a totally new concept–divorced of any psychological basis, of course–in order to keep their audience faithful to their bullshit and ensnare additional desperate, insecure young men.
Since trying to act “more alpha” just makes most people total jerks, which results in women running away as fast as they can, they decided to invent a more-hipster alternative for the failures in their revenue base to aspire to: One of silent edginess and marked by deliberate rejection of social structures. Since nothing comes before alpha in Greek, but video game culture places S-Rank above A-Rank, they decided to opt for the label “Sigma”.
Naturally, this results in a litany of book deals, YouTube videos, and public relations to sell their audience the idea that achieving this fictional aspiration is “what women really want”. The proposition here is, “If you know what women really want, you can get what you really want from them.” (i.e. sexual gratification).
It’s not just gross. It’s also a kind of exploitative that begets more exploitative behavior.
The same crowd that invented “Sigma Male” also conceived “negging”.
Here’s an actual list of “qualities” ascribed to a so-called Sigma Male, according to one of the peddlers of this moronic belief, only rearranged to emphasize the contradictions and meaninglessness of this description:
| “Sigma Males” are… | …but also apparently…? |
| --- | --- |
| 10. He’s Incredibly Self-Aware | 14. He Can’t Be Told What To Do When It Comes To Anything |
| 13. He Could Be an Alpha If He Wanted | 4. He Treats Everyone Around Him The Same Way |
| 2. He Is a Silent Leader | 9. His Social Skills Could Use Some Work |
| 6. He Understands the Importance of Silence | 12. It’s Hard To Understand Him |
| 1. He Loves Being Alone, But He Values Other People | 3. He Knows How To Adapt To Different Situations |
| 11. He’s the Master of His Own Fate | 8. He Hates Living Life Safely |
| 5. He Doesn’t Need a Social Circle To Be Himself | 7. He’s Morally Grey, Or Worse |

A lot of words could be written about these contradictory or vacuous statements.
How can you be a leader with inadequate social skills? If he really understands the importance of silence, why is it hard to understand him? Sure sounds like he’s misusing silence to me. Who isn’t a master of their own destiny? Who does need a social circle to be themselves?
The “Sigma Male” con is what happens if you take the tactics of cold reading and apply them in reverse:
Instead of starting general and drilling down to more specific based on your audience’s response, you start specific (“rarest type of male”) and then generalize the definition to become completely meaningless while also maximizing the relatability of the label to catch unaware rubes off-guard.
Just say no to bullshit.
(Art by Khia.)
While we’re on the subject of some of the sleaziest pieces of shit to ever walk the earth, let’s examine some more crimes against culture by these self-aggrandizing embarrassments to the male gender.
The “Friend Zone”
If you want to doom someone to a lifetime of unhealthy relationships, convince them that there’s this tragic place called the “Friend Zone” wherein, if someone you’re attracted to views you as a “friend”, you’re doomed to never have sexual relations with them.
If you’ll notice, I omitted gender in the previous paragraph. This one is so pernicious that I occasionally encounter it in the LGBT community.
For adherents to this particular cognitive distortion, relationships exist in a linear hierarchy:
- Spouse–You want to be here
- Significant Other
- Friends with Benefits / Sexual Partner
- Friend (Platonic)–You don’t want to be here
- Acquaintance
- Stranger
Friendship isn’t valued on its own merits. Instead, it’s a stepping stone; a mere transitional fossil between where you are and where you want things to be. I’ve talked about this before.
When someone adheres to this belief, it shapes the way they interact with people they’re attracted to, and often creates a negative feedback loop. This in turn gives rise to the incel (involuntary celibate) mentality–except now, it’s almost always by men against women.
Failure to become an “alpha” leaves you relegated to a “beta”–or worse, a “cuck”.
Let’s put a pin on that point for a moment.
Interlude: On the Modern Usage of the Word “Cuck”
Right-wingers love to use the word “cuck” to describe someone they dislike.
It became a meme during the 2016 Election in the United States, with some labels (“cuckservative”) being used to demonize Republicans who weren’t reactionary enough.
The origins of the insult began with a term for a sexual fetish called cuckoldry: The enjoyment of watching other people have sex with your significant other.
Most bloggers treat this as a clinical subject and stop there. I am not most bloggers.
An under-reported and unfortunate truth of cuckold fetishists is that there’s often a significant racial component to their fantasy: White couples almost always seek out a black man to be the “bull” (the person who displaces the cuckold) of the scene. (This is as much a problem within the LGBT community as it is outside of it.)
If you thought the depraved minds of 4chan users wouldn’t pick up on this cue, you haven’t been paying attention to the Internet since 2007.
The insult “cuck” has less to do with the fetish, tangibly, than it does to do with a white supremacist worldview.
To white supremacists, white women are the “property” of white men, and any man who “allows” white women to have sex with a person of color is a cuck.
Thus, there are two kinds of people who use the word “cuck”: Those who know its intent and mean it, and the oblivious masses who mask the dog-whistle. Propagandists call the latter useful idiots.
https://twitter.com/katienotopoulos/status/814635817650028545
In Want of Money and Power
If you want to find the truth behind a person’s actions, you need to first discover their incentives. This is the “follow the money” approach, but generalized: Some people don’t need money, they want power. Political power, specifically.
It should come as no surprise that pick-up artists, anti-feminists, and incels all subscribe vehemently to the “friend zone” mythos. Additionally, incels, in particular, are prone to self-loathing and projection around the “cuck” insult.
This ultimately leads to a very dark place.
The Fascist Event Horizon
Most of us, in our youth, are varying degrees of socially awkward. This leads to anxiety, insecurity, and a sense of listlessness in most young adults.
Typically, we grow out of this by building relationships, learning through a litany of easily avoidable mistakes, and acquiring the understanding we lack.
Pick-up artists prey on the rest of us, convincing them that the reason they don’t have a fulfilling sex life is because they’re not adhering to some aggressive social stereotype that gives them superpowers over women.
The ones that “succeed” go on to perpetuate that cycle. The ones that fail become self-loathing incels that stew in their own awkwardness and contempt.
It’s no secret that white nationalism courts Internet nerd culture.
Once you start to head down this path, you’re almost guaranteed to internalize a lot of the beliefs that are espoused:
- “Women want strong alpha males.”
- “Alpha males are dominant, assertive, adhere strongly to evangelical Christian values, and embody tradition.”
- “Women would rather sleep with a jerk than a nice guy.”
- “If you’re friend-zoned, that makes you a cuck to the girl you deserve.”
It’s here that two competing interests will clash.
Incentives Rule Everything Around Me
People who want money and influence are incentivized to find some mental framework that allows a diverse set of personality types to somehow succeed at their relationship goals. This is why they went on to invent the Sigma Male, and insist “they’re equal to alphas, but separate from the hierarchy”.
People who want political power and true believers to perform political violence and stochastic terrorism on their behalf are incentivized to set the bar high and make everyone feel inadequate.
That’s why, immediately after the end of Donald Trump’s presidency and a general shunning of his rabid supporters, the Sigma Male meme is suddenly on a rise in popularity.
Preventing the Poisonous Patriarchy
If you want to prevent a friend or family member from falling into the trappings of abusive con men, white nationalist recruiters, and toxic masculinity, there are a few things you can do to stop them from going down this road.
- Consent is sexy.
  Establish good habits. “Yes means Yes” is a better framework than “No means No”, because it implies a negative default in the absence of a specific answer. There’s a lot of literature on BDSM culture and sex work that you can pull inspiration from.
- Emphasize healthy friendships.
  Fuck the hierarchy worldview; friends are amazing. Whatever it takes, make sure you can appreciate your friends for who they are, not what they might later become.
  If you’re struggling to make friends, I recommend reading this article.
- The only thing we have to cringe is cringe itself.
  Fuck what other people think: If you’re having fun with an activity, who cares if it’s “cringe”? Authentic enjoyment becomes fleeting for many adults once you progress through puberty; and while I’m not sure if that’s nature or nurture, I do know that being shamelessly yourself at all times maximizes your enjoyment.
- Abandon tradition, embrace modernity.
  Tradition is stupid. It’s literally doing what people have always done because a better idea hasn’t yet come along–even when a better idea does come along!
  Instead of relying on traditions, practice creative and imaginative thinking every chance you get. Step out of your comfort zone from time to time. Introspect and plan differently for the next time you’re in a similar situation. That’s how you grow as a person.

If you practiced all of the above and are still bewildered by “what women want” and worried you’ll be alone forever, here’s my final bit of advice: Ask them! Especially if you’re close enough friends that they’ll answer in earnest, because they know that you’re trustworthy and not trying to objectify them.
Literally nobody knows what a given woman is looking for in a partner more than she does. Anyone who claims otherwise is full of shit or dangerously manipulative.
If you ask 100 women what they want in a partner, you’ll get 100 different answers. Gender roles aren’t a symptom of a homogeneous population. People are people.
If anyone is truly your friend, they’re already emotionally invested in seeing you find someone that will make you happy. Trust them more than you’d trust me, or anyone who confidently claims to know “what women want” and then proceeds to totally misunderstand everything women say.
Additionally, everything I said above is also true of men and enbies. People are people, dammit!
(Art by Khia.)
What Do I Do if Someone Calls Themselves a “Sigma Male”?
Reply “Sigma balls”.
Ridicule might not adequately discourage participation (after all, the unscientific Myers-Briggs Type Indicator is still prevalent everywhere), but it’s cathartic.
https://twitter.com/M3rcaptan/status/1355665303540215817
Questions and Answers
Since I first published this article, I’ve received a lot of feedback. I’m going to attempt to respond to some of the questions I’ve received over the past few months in order to save everyone time asking the same questions.
(Art by Scruff.)
Is the Notion of a Sigma Male a Scam or Grift?
Yes! See above for details.
The goal of the “sigma male” idea is to capture more of the “desperate and lonely single man” market segment–in particular, the ones that don’t buy the whole “alpha male” shtick. It’s pure bullshit and it’s bad for you.
Is Sigma Male “Cringe”?
Cringe culture is stupid, but I’m willing to make an exception for the whole “sigma male” meme (but only insofar as we also treat “alpha male” with the same level of earned contempt).
Science has shown that biological sex is not binary. Furthermore, sex isn’t the same thing as gender identity, which can be different from your biological sex and has to do with your role within society. This is what science has to say about the subject; it’s not up for debate.
So, with all that in mind, why do the same crowds of people who insist that sex is binary and assigned at birth (in spite of what science actually suggests) turn around and invent multiple kinds of male that someone can be, only to then arrange them in an imaginary hierarchy?
That’s pretty cringe, bro.
(Art by Khia.)
Why Are You Falsely Equivocating PUAs and Incels?
I’m not, and you have to be acting in bad faith to think listing two groups together is the same as equivocating the two.
Both groups are the consequence of the same harmful and false beliefs about gender, sex, and masculinity. Their beliefs about women are disgusting and they prey on the insecurity of other men to secure book deals and speaking gigs.
Pick-up artists are predators that spread predatory ideas. Incels are the desperate dregs that don’t buy the PUA books but still internalize the same values, usually expressed through self-deprecation. These are clearly not the same thing, but both groups are the consequence of the same delusional bullshit rooted in anti-feminism.
Eww, a furry!
Wow, you sure got me there.
(Art by Khia.)
How will I ever recover from this startling revelation?
Sigmas are REAL! They’re the introverted version of the Alpha. Period.
Nope. Alpha Males aren’t a real thing either.
The person who coined the term “alpha male” in wolf populations spent the rest of their career trying to correct the misconception they accidentally created. I covered all of this in the blog post already.
The people who purport that “being alpha” is a meaningful descriptor of humans rather than incomplete software are either delusional or trying to pull one over on you.
The unproven hypothesis of “sigma male” is predicated on debunked pseudoscience. Why bother believing something whose entire foundation is false?
The science of personality (a discipline of psychology) is extremely complicated. The people peddling the [Greek Letter Here] Male are trying to sell you on the belief that masculinity is a hierarchy of tribes. It’s just as stupid as the Myers-Briggs Type Indicator.
(Art by Khia.)
If you want an actual model for personality based on real cognitive science, look at HEXACO. Notably, your personality scores do not yield a reliable partitioning (“Are you a T or a P?”), nor is a hierarchy proposed.
(Art by Khia.)
Anything that says your entire personality or existence can be summarized as belonging to one of N groups (with N less than 100), or by a ranking in an imaginary social ladder, is bullshit–pure and simple.
Note: The header for this section is from one of the many unapproved comments submitted to this blog post with a fake email address. Comments like this aren’t an expression of introverted personalities. The word you’re looking for is “cowardice”.
Why aren’t you approving my comments on this blog post?
Mandatory reading: My blog isn’t a platform for internet randos.
https://soatok.blog/2021/01/25/no-youre-not-a-sigma-male/
#alphaMale #cuck #Fascism #hateSpeech #Incels #PickupArtists #SigmaMale #Society #toxicity
I started this blog in April 2020 after a brief and irregular stint as a writer on Medium, because while I like putting my thoughts on a screen, I really disliked how Medium’s website constantly nags you to monetize your content. (I really dislike paywalls and I’m not arrogant enough to expect anyone to fork over their hard-earned money to read my writing.)
It hasn’t quite been a year since the inaugural post on Dhole Moments, but since 2020 is almost over, I thought it would be a good time to recap some of the stuff I’ve managed to publish thus far.
(Art by Khia.)
Some Quick Stats for 2020
- Total number of blog posts: 56 (including this one)
- Most popular blog post: Why AES-GCM Sucks
- Least popular blog post: A Few Missing Lessons from American Education
- Blog comments (not counting hate or pingbacks): 43
- Ad revenue: $0 (and this will stay that way, dammit!)
- Bugs found in WordPress.com just by using it: 1
- Zero-days published: 3
  - Two against the Proctorio family of edutech spyware
  - One against Twitter’s Gender field
- Open source projects spawned from blog posts: 2
- Hate emails/tweets/DMs/comments/etc. received: At least 100
- People who became cool with furries after interacting with me on social media (after other users failed to troll me) and subsequently admitted this to me privately: 4
- Furries I’ve inspired to make a dhole fursona (that I’m aware of): 0
- Fursuits commissioned: 1
- Fursuits acquired: 0 (hopefully in 2021)
- Amount spent on art commissions specifically for blog posts/series: $1500
- Bad puns and wordplay-based jokes:
I might make an effort to post a congruent, updated stats summary at the end of 2021.
We’ll see if 2021 is as interesting for this blog.
Notable Happenings in 2020
One of my early blog posts in April (about source code leaks being effectively meaningless to endpoint security) got a lot of attention on social media and even got cited by The Register.
My traffic graph was all downhill from there, though!
(Art by Kerijiano)
In May, I discovered some fraudulent “COVID-19 contact tracing” apps on the Google Play store which all appear to have since been taken down, then proceeded to teach the furry fandom how to deanonymize scam/knock-off sites on CloudFlare (and the scam/knock-off site in question went down within 24 hours).
In June, I published Furward Momentum, a guide to acquiring a technology career for as close to $0 as humanly possible with no prior experience, to help mitigate the economic pain of the pandemic for furries and furry-adjacent, LGBTQ-accepting folks. The introduction to the series is a blog post, but the other 9 pages of content are not.
In July, I published a post about trivial collisions in IOTA’s new hash function (Kerl), which led to a lot of angry IOTA fanboys flaming me with… arguments about the previously broken hash function in IOTA (Curl-P).
In August, I wrote a somewhat in-depth guide to side-channel attacks and how to mitigate them, which caused Reddit moderators to come to terms with a lot of their communities’ internalized ableism and homophobia as expressed through hatred of furries and–just kidding, it got flamed to oblivion on technical forums without a single technical disagreement and a lot of the moderators shrugged and did nothing.
In September, I decided to reverse engineer Proctorio, a browser extension used by schools to proctor tests which acts basically like spyware, and compare its cryptography implementations to its marketing copy. Obviously, I found that Proctorio is as deceptive to its customers as it is abusive to students, and its cryptography was pathetic. This got a shout-out from the Electronic Frontier Foundation on Twitter.
(Art by Khia.)
In October, I wrote too much for anything to really stand out, but if you’re interested in the design and security of Zoom’s end-to-end encryption, I found it to be somewhat bizarre but not dangerous. Also, I got tired of reiterating the same statements about furry art commission prices on Twitter, so I turned that into a blog post too.
In November, I wrote my guide to end-to-end encryption and got a second EFF shout-out!
And in December… I mostly rested.
(Art by Kyume.)
Soatok’s Goals for 2021
- Continue the Dead Ends in Cryptanalysis series.
- Commission more furry art for my blog.
- Write about more cool stuff!
- Acquire Soatok fursuit from DrakonicKnight, post pics. (Already paid in full, just have to be patient.)
- Eventually write something so useful and high-quality on here that popular infosec Twitter/HN/Reddit/etc. users can’t help but talk about it. (Looking at you, @tqbf!)
- Help at least one furry get their first high-paying job in technology with a team they enjoy (if I haven’t already).
🙁){ :|:& };:
(Header art derived from art made by Atlas Inu and Johanna Tarkela, photoshopped by the author.)
https://soatok.blog/2020/12/24/the-story-so-fur/
If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”.
I specialize in secure implementations of cryptography, and my years of experience in this field have led me to dislike AES-GCM.
This post is about why I dislike AES-GCM’s design, not “why AES-GCM is insecure and should be avoided”. AES-GCM is still miles above what most developers reach for when they want to encrypt (e.g. ECB mode or CBC mode). If you want a detailed comparison, read this.
To be clear: This is solely my opinion and not representative of any company or academic institution.
What is AES-GCM?
AES-GCM is an authenticated encryption mode that uses the AES block cipher in counter mode with a polynomial MAC based on Galois field multiplication.
In order to explain why AES-GCM sucks, I have to first explain what I dislike about the AES block cipher. Then, I can describe why I’m filled with sadness every time I see the AES-GCM construction used.
What is AES?
The Advanced Encryption Standard (AES) is a specific subset of a block cipher called Rijndael.
Rijndael’s design is based on a substitution-permutation network, which broke tradition from many block ciphers of its era (including its predecessor, DES) in not using a Feistel network.
AES only includes three flavors of Rijndael: AES-128, AES-192, and AES-256. The difference between these flavors is the size of the key and the number of rounds used, but–and this is often overlooked–not the block size.
As a block cipher, AES always operates on 128-bit (16 byte) blocks of plaintext, regardless of the key size.
This is generally considered acceptable because AES is a secure pseudorandom permutation (PRP), which means that every possible plaintext block maps directly to one ciphertext block, and thus birthday collisions are not possible. (A pseudorandom function (PRF), conversely, does have birthday bound problems.)
Why AES Sucks
Art by Khia.
Side-Channels
The biggest reason why AES sucks is that its design uses a lookup table (called an S-Box) indexed by secret data, which is inherently vulnerable to cache-timing attacks (PDF).
There are workarounds for this AES vulnerability, but they either require hardware acceleration (AES-NI) or a technique called bitslicing.
The short of it is: With AES, you’re either using hardware acceleration, or you have to choose between performance and security. You cannot get fast, constant-time AES without hardware support.
Block Size
AES-128 is considered by experts to have a security level of 128 bits.
Similarly, AES-192 gets certified at 192-bit security, and AES-256 gets 256-bit security.
However, the AES block size is only 128 bits!
That might not sound like a big deal, but it severely limits the constructions you can create out of AES.
Consider the case of AES-CBC, where the output of each block of encryption is combined with the next block of plaintext (using XOR). This is typically used with a random 128-bit block (called the initialization vector, or IV) for the first block.
This means you expect a collision after encrypting (at 50% probability) blocks.
When you start getting collisions, you can break CBC mode, as this video demonstrates:
https://www.youtube.com/watch?v=v0IsYNDMV7A
This is significantly smaller than the you expect from AES.
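As an added example (not code from the original post), here is CBC mode in Go driven by a toy 16-bit block cipher standing in for AES, so the birthday bound the text describes arrives after a few hundred blocks instead of around 2^64; the toy permutation, its seed, the IV and the random plaintext are all constructed for the demo. The CBC arithmetic itself is unchanged, so the same collision relation applies to a 128-bit block, just at a far higher block count.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Toy block cipher with a 16-bit block: one fixed random permutation of all
// 2^16 block values. It stands in for a real PRP so the birthday bound is hit
// quickly; AES has a 128-bit block, so the same effect needs ~2^64 blocks.
const toyBlockBits = 16
const toyBlockSpace = 1 << toyBlockBits

type toyCipher struct {
	perm [toyBlockSpace]uint16
}

func newToyCipher(seed int64) *toyCipher {
	c := &toyCipher{}
	for i := range c.perm {
		c.perm[i] = uint16(i)
	}
	r := rand.New(rand.NewSource(seed)) // constructed "key" for the demo
	r.Shuffle(toyBlockSpace, func(i, j int) {
		c.perm[i], c.perm[j] = c.perm[j], c.perm[i]
	})
	return c
}

func (c *toyCipher) Encrypt(block uint16) uint16 { return c.perm[block] }

// cbcEncrypt chains blocks exactly as CBC does: C_i = E(P_i XOR C_{i-1}), C_0 = IV.
func cbcEncrypt(c *toyCipher, iv uint16, pt []uint16) []uint16 {
	ct := make([]uint16, len(pt))
	prev := iv
	for i, p := range pt {
		ct[i] = c.Encrypt(p ^ prev)
		prev = ct[i]
	}
	return ct
}

// firstCollision returns positions i < j of the first repeated ciphertext
// block, or -1, -1 if every block is distinct.
func firstCollision(ct []uint16) (int, int) {
	seen := make(map[uint16]int, len(ct))
	for j, block := range ct {
		if i, ok := seen[block]; ok {
			return i, j
		}
		seen[block] = j
	}
	return -1, -1
}

// collisionIdentity returns both sides of the relation a CBC collision forces.
// E is a permutation, so C_i == C_j means its inputs were equal, hence
// P_i XOR P_j == C_{i-1} XOR C_{j-1}: the XOR of two plaintext blocks is
// exposed by the ciphertext alone. That is the leak behind breaking CBC.
func collisionIdentity(iv uint16, pt, ct []uint16, i, j int) (fromCiphertext, fromPlaintext uint16) {
	prevI, prevJ := iv, iv
	if i > 0 {
		prevI = ct[i-1]
	}
	if j > 0 {
		prevJ = ct[j-1]
	}
	return prevI ^ prevJ, pt[i] ^ pt[j]
}

// runDemo encrypts n random blocks under one key and IV, returning how many
// blocks it took to see the first collision (0 if none) and whether the
// collision identity held for that pair.
func runDemo(seed int64, n int) (blocksUntilCollision int, identityHolds bool) {
	c := newToyCipher(seed)
	r := rand.New(rand.NewSource(seed + 1)) // constructed plaintext/IV source
	pt := make([]uint16, n)
	for k := range pt {
		pt[k] = uint16(r.Intn(toyBlockSpace))
	}
	iv := uint16(r.Intn(toyBlockSpace))
	ct := cbcEncrypt(c, iv, pt)
	i, j := firstCollision(ct)
	if i < 0 {
		return 0, false
	}
	a, b := collisionIdentity(iv, pt, ct, i, j)
	return j + 1, a == b
}

func main() {
	blocks, ok := runDemo(2020, 4096)
	fmt.Printf("first CBC collision after %d blocks (50%% expected near %d); identity holds: %v\n",
		blocks, 1<<(toyBlockBits/2), ok)
}
```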
Post-Quantum Security?
With respect to the number of attempts needed to find the correct key, cryptographers estimate that AES-128 will have a post-quantum security level of 64 bits, AES-192 will have a post-quantum security level of 96 bits, and AES-256 will have a post-quantum security level of 128 bits.
This is because Grover’s quantum search algorithm can search unsorted items in time, which can be used to reduce the total number of possible secrets from to . This effectively cuts the security level, expressed in bits, in half.
Note that this heuristic estimate is based on the number of guesses (a time factor), and doesn’t take circuit size into consideration. Grover’s algorithm also doesn’t parallelize well. The real-world security of AES may still be above 100 bits if you consider these nuances.
But remember, even AES-256 operates on 128-bit blocks.
Consequently, for AES-256, there should be approximately (plaintext, key) pairs that produce any given ciphertext block.
Furthermore, there will be many keys that, for a constant plaintext block, will produce the same ciphertext block despite being a different key entirely. (n.b. This doesn’t mean for all plaintext/ciphertext block pairings, just some arbitrary pairing.)
Concrete example: Encrypting a plaintext block consisting of sixteen NUL bytes will yield a specific 128-bit ciphertext exactly once for each given AES-128 key. However, there are times as many AES-256 keys as there are possible plaintext/ciphertexts. Keep this in mind for AES-GCM.
This means it’s conceivable to accidentally construct a protocol that, despite using AES-256 safely, has a post-quantum security level on par with AES-128, which is only 64 bits.
This would not be nearly as much of a problem if AES’s block size was 256 bits.
Real-World Example: Signal
The Signal messaging app is the state-of-the-art for private communications. If you were previously using PGP and email, you should use Signal instead.
Signal aims to provide private communications (text messaging, voice calls) between two mobile devices, piggybacking on your pre-existing contacts list.
Part of their operational requirements is that they must be user-friendly and secure on a wide range of Android devices, stretching all the way back to Android 4.4.
The Signal Protocol uses AES-CBC + HMAC-SHA256 for message encryption. Each message is encrypted with a different AES key (due to the Double Ratchet), which limits the practical blast radius of a cache-timing attack and makes practical exploitation difficult (since you can’t effectively replay decryption in order to leak bits about the key).
Thus, Signal’s message encryption is still secure even in the presence of vulnerable AES implementations.
Hooray for well-engineered protocols managing to actually protect users.
Art by Swizz.
However, the storage service in the Signal App uses AES-GCM, and this key has to be reused in order for the encrypted storage to operate.
This means, for older phones without dedicated hardware support for AES (i.e. low-priced phones from 2013, which Signal aims to support), the risk of cache-timing attacks is still present.
This is unacceptable!
What this means is, a malicious app that can flush the CPU cache and measure timing with sufficient precision can siphon the AES-GCM key used by Signal to encrypt your storage without ever violating the security boundaries enforced by the Android operating system.
As a result of the security boundaries never being crossed, this kind of side-channel attack would likely evade forensic analysis, and would therefore be of interest to the malware developers working for nation states.
Of course, if you’re on newer hardware (e.g. Qualcomm Snapdragon 835), you have hardware-accelerated AES available, so it’s probably a moot point.
Why AES-GCM Sucks Even More
AES-GCM is an authenticated encryption mode that also supports additional authenticated data. Cryptographers call these modes AEAD.
AEAD modes are more flexible than simple block ciphers. Generally, your encryption API accepts the following:
- The plaintext message.
- The encryption key.
- A nonce (a “number used once”: a value that must never be repeated under the same key).
- Optional additional data which will be authenticated but not encrypted.
The output of an AEAD function is both the ciphertext and an authentication tag, which is necessary (along with the key and nonce, and optional additional data) to decrypt the plaintext.
Cryptographers almost universally recommend using AEAD modes for symmetric-key data encryption.
That being said, AES-GCM is possibly my least favorite AEAD, and I’ve got good reasons to dislike it beyond simply, “It uses AES”.
The deeper you look into AES-GCM’s design, the harder you will feel this sticker.
GHASH Brittleness
The way AES-GCM is initialized is stupid: You encrypt an all-zero block with your AES key (in ECB mode, i.e. one raw block encryption) and store it in a variable called H. This value is used for authenticating all messages under that AES key, rather than being derived for a given (key, nonce) pair.
Diagram describing Galois/Counter Mode, taken from Wikipedia.
This is often sold as an advantage: Reusing H allows for better performance (implementations can precompute multiplication tables for H once per key). However, it makes GCM brittle: Reusing a nonce allows an attacker to recover H and then forge messages under that key forever. This is called the “forbidden attack”, and led to real world practical breaks.
Let’s contrast AES-GCM with the other AEAD mode supported by TLS: ChaCha20-Poly1305, or ChaPoly for short.
ChaPoly uses one-time message authentication keys (derived from each key/nonce pair). If you manage to leak a Poly1305 key, the impact is limited to the messages encrypted under that (ChaCha20 key, nonce) pair.
While that’s still bad, it isn’t “forge arbitrary messages under that key forever” bad like with AES-GCM.
Note: “Message Authentication” here is symmetric, which only provides a property called message integrity, not sender authenticity. For the latter, you need asymmetric cryptography (wherein the ability to verify a message doesn’t imply the capability to generate a new signature), which is totally disparate from symmetric algorithms like AES or GHASH. You probably don’t need to care about this nuance right now, but it’s good to know in case you’re quizzed on it later.
H Reuse and Multi-User Security
If you recall, AES operates on 128-bit blocks even when 256-bit keys are used.
If we assume AES is well-behaved, we can deduce that there are approximately different 256-bit keys that will map a single plaintext block to a single ciphertext block.
This is trivial to calculate. Simply divide the number of possible keys () by the number of possible block states () to yield the number of keys that produce a given ciphertext for a single block of plaintext: .
Each key that will map an arbitrarily specific plaintext block to a specific ciphertext block is also separated in the keyspace by approximately .
This means there are approximately independent keys that will map a given all-zero plaintext block to an arbitrarily chosen value of H (if we assume AES doesn’t have weird biases).
Credit: Harubaki
“Why Does This Matter?”
It means that, with keys larger than 128 bits, you can model the selection of H as a 128-bit pseudorandom function, rather than a 128-bit permutation. As a result, you can expect a collision with 50% probability after only different keys are selected.
Note: Your 128-bit randomly generated AES keys already have this probability baked into their selection, but this specific analysis doesn’t really apply for 128-bit keys since AES is a PRP, not a PRF, so there is no “collision” risk. However, you end up at the same upper limit either way.
But 50% isn’t good enough for cryptographic security.
In most real-world systems, we target a collision risk. So that means our safety limit is actually different AES keys before you have to worry about reuse.
This isn’t the same thing as symmetric wear-out (where you need to re-key after a given number of encryptions to prevent nonce reuse). Rather, it means after your entire population has exhausted the safety limit of different AES keys, you have to either accept the risk or stop using AES-GCM.
If you have a billion users (), the safety limit is breached after AES keys per user (approximately 262,000).
“What Good is H Reuse for Attackers if HF differs?”
There are two numbers used in AES-GCM that are derived from the AES key. H is used for block multiplication, and HF (the AES encryption of the nonce with a counter value of 0 in the following diagram) is XORed with the final result to produce the authentication tag.
The arrow highlighted with green is HF.
It’s tempting to think that a reuse of H isn’t a concern because HF will necessarily be randomized, which prevents an attacker from observing when H collides. It’s certainly true that the single-block collision risk discussed previously for H will almost certainly not also result in a collision for HF. And since HF isn’t reused unless a nonce is reused (which also leaks H directly), this might seem like a non-issue.
Art by Khia.
However, it’s straightforward to go from a condition of H reuse to an adaptive chosen-ciphertext attack.
- Intercept multiple valid ciphertexts.
- e.g. Multiple JWEs whose protected header specifies
{"enc":"A256GCM"}
- Use your knowledge of H, the ciphertext, and the AAD to calculate the GCM tag up to the final XOR. This, along with the existing authentication tag, will tell you the value of HF for a given nonce.
- Calculate a new authentication tag for a chosen ciphertext using H and your candidate HF value, then replay it into the target system (under the same nonce, since HF is specific to that nonce).
While the blinding offered by XORing the final output with HF is sufficient to stop H from being leaked directly, the protection is one-way.
Ergo, a collision in H is not sufficiently thwarted by HF.
“How Could the Designers Have Prevented This?”
The core issue here is the AES block size, again.
If we were analyzing a 256-bit block variant of AES, and a congruent GCM construction built atop it, none of what I wrote in this section would apply.
However, the 128-bit block size was a design constraint enforced by NIST in the AES competition. This block size was chosen during an era of 64-bit block ciphers (e.g. Triple-DES and Blowfish), so it was a significant improvement at the time.
NIST’s AES competition also inherited from the US government’s tradition of thinking in terms of “security levels”, which is why there are three different permitted key sizes (128, 192, or 256 bits).
“Why Isn’t This a Vulnerability?”
There’s always a significant gap in security, wherein something isn’t safe to recommend, but also isn’t susceptible to a known practical attack. This gap is important to keep systems secure, even when they aren’t on the bleeding edge of security.
Using 1024-bit RSA is a good example of this: No one has yet, to my knowledge, successfully factored a 1024-bit RSA public key. However, most systems have recommended a minimum of 2048 bits for years (and many recommend 3072-bit or 4096-bit today).
With AES-GCM, the expected distance between collisions in H is , and finding an untargeted collision requires being able to observe more than different sessions, and somehow distinguish when H collides.
As a user, you know that after different keys, you’ve crossed the safety boundary for avoiding collisions. But as an attacker, you need bites at the apple, not . Additionally, you need some sort of oracle or distinguisher for when this happens.
We don’t have that kind of distinguisher available to us today. And even if we had one, the amount of data you need to search in order to find any two users in the population who reuse/collide is challenging to work with. You would need the computational and storage resources of a major cloud service provider to even think about pulling the attack off.
Naturally, this isn’t a practical vulnerability. This is just another gripe I have with AES-GCM, as someone who has to work with cryptographic algorithms a lot.
Short Nonces
Although the AES block size is 16 bytes, AES-GCM nonces are only 12 bytes. The remaining 4 bytes of the counter block are dedicated to an internal 32-bit counter, which is used with AES in Counter Mode to actually encrypt/decrypt messages.
(Yes, you can use other nonce lengths with AES-GCM, but anything that isn’t 12 bytes gets run through GHASH under H to produce the initial counter block, which buys you less than you might hope and is discouraged in practice; 12 bytes is the length everyone interoperates on, so it’s not a detail most people should concern themselves with.)
If you ask a cryptographer, “How much can I encrypt safely with AES-GCM?” you’ll get two different answers.
- Message Length Limit: AES-GCM can be used to encrypt messages up to bytes long, under a given (key, nonce) pair.
- Number of Messages Limit: If you generate your nonces randomly, you have a 50% chance of a nonce collision after messages.
However, 50% isn’t conservative enough for most systems, so the safety margin is usually much lower. Cryptographers generally set the key wear-out of AES-GCM at random nonces, which represents a collision probability of one in 4 billion.
These limits are acceptable for session keys for encryption-in-transit, but they impose serious operational limits on application-layer encryption with long-term keys.
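The two limits above are both birthday bounds. The helper below is an added example (not code from this post) that computes them for any nonce length and wraps the result in a per-key budget that refuses to hand out another random nonce once the budget is spent, which is the check you actually want in application-layer code. It assumes the usual one-in-four-billion target and the standard approximation p ≈ 1 − exp(−n²/2N); the class name and its API are mine.

```python
import math
import os


def collision_probability(space_bits: int, samples: int) -> float:
    """Birthday estimate: P(at least one repeat) among `samples` uniformly
    random values drawn from a space of 2**space_bits."""
    space = 2.0 ** space_bits
    return -math.expm1(-(samples * (samples - 1)) / (2.0 * space))


def samples_for_probability(space_bits: int, p: float) -> int:
    """Inverse of the above: how many random values can be drawn before the
    repeat probability reaches p.  For a 12-byte GCM nonce and p = 2^-32
    this lands just above 2^32; for a 24-byte XChaCha nonce, above 2^80."""
    space = 2.0 ** space_bits
    return int(math.sqrt(-2.0 * space * math.log1p(-p)))


class RandomNonceBudget:
    """Hands out random nonces for one key and refuses once the wear-out
    limit is reached, so the caller is forced to rotate the key.

    nonce_bytes:        12 for AES-GCM, 24 for XChaCha20-Poly1305.
    max_collision_prob: assumed target of 2^-32 (one in ~4 billion).
    limit:              explicit override, mainly for testing.
    """

    def __init__(self, nonce_bytes: int, max_collision_prob: float = 2.0 ** -32,
                 limit: int = None):
        self.nonce_bytes = nonce_bytes
        if limit is None:
            limit = samples_for_probability(8 * nonce_bytes, max_collision_prob)
        self.limit = limit
        self.used = 0

    def remaining(self) -> int:
        return self.limit - self.used

    def next_nonce(self) -> bytes:
        # Refusing is the safe failure: a repeated nonce leaks H (GCM) or the
        # one-time Poly1305 key, so exceeding the budget is never acceptable.
        if self.used >= self.limit:
            raise RuntimeError("nonce budget exhausted for this key: rotate the key")
        self.used += 1
        return os.urandom(self.nonce_bytes)


if __name__ == "__main__":
    for name, size in (("AES-GCM", 12), ("XChaCha20-Poly1305", 24)):
        budget = RandomNonceBudget(size)
        print(f"{name}: ~2^{math.log2(budget.limit):.1f} random nonces per key")
```

The budget has to live wherever the key lives: if several processes share a long-term key, each one drawing from its own counter, the combined count is what matters, and a persistent key that outlives the process needs the count persisted with it (or a counter-based nonce instead of a random one).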
Random Key Robustness
Before the advent of AEAD modes, cryptographers used to combine block cipher modes of operation (e.g. AES-CBC, AES-CTR) with a separate message authentication code algorithm (e.g. HMAC, CBC-MAC).
You had to be careful in how you composed your protocol, lest you invite Cryptographic Doom into your life. A lot of developers screwed this up. Standardized AEAD modes promised to make life easier.
Many developers gained their intuition for authenticated encryption modes from protocols like Signal’s (which combines AES-CBC with HMAC-SHA256), and would expect AES-GCM to be a drop-in replacement.
Unfortunately, GMAC doesn’t offer the same security benefits as HMAC: Finding a different (ciphertext, HMAC key) pair that produces the same authentication tag is a hard problem, due to HMAC’s reliance on cryptographic hash functions. This makes HMAC-based constructions “message committing”, which instills Random Key Robustness.
Critically, AES-GCM doesn’t have this property. You can calculate a random (ciphertext, key) pair that collides with a given authentication tag very easily.
This fact prohibits AES-GCM from being considered for use with OPAQUE (which requires RKR), one of the upcoming password-authenticated key exchange algorithms. (Read more about them here.)
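The chosen-ciphertext forgery in the numbered list under “H Reuse and Multi-User Security”, the forbidden-attack consequence of a leaked H from “GHASH Brittleness”, and the missing Random Key Robustness just described all come down to the same fact: the GCM tag is a polynomial in H evaluated over the AAD and ciphertext blocks, then XORed with HF. The following Python is an added example (not code from this post or from any GCM library) that writes that polynomial out, checks it against the published GCM test vectors for an all-zero key and IV, and then runs both attacks. AES is deliberately left out: a key is modelled as the pair (H, S) it would produce for one nonce, where S is the HF of the diagram above, and the second “attacker” key is a pair of constructed values rather than something derived from a real AES key.

```python
# Added example: the GCM tag algebra in pure Python.  tag = GHASH_H(AAD, C) XOR S,
# with H = AES_K(0^128) and S = AES_K(J0) (the "HF" of the text).  A key is
# modelled as the (H, S) pair for one nonce, since nothing below needs AES itself.

R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
ONE = 1 << 127   # the multiplicative identity in that bit order


def gf_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128), SP 800-38D Algorithm 1 (bit 0 is the MSB)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(x: int) -> int:
    """x^-1 = x^(2^128 - 2) by Fermat; x must be non-zero."""
    result, base, e = ONE, x, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def _blocks(data: bytes):
    """16-byte blocks, last one zero-padded, exactly as GHASH consumes them."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Horner evaluation of the polynomial in H over AAD, C and the length block."""
    x = 0
    for block in list(_blocks(aad)) + list(_blocks(ct)):
        x = gf_mul(x ^ block, h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(x ^ lengths, h)


def gcm_tag(key: tuple, aad: bytes, ct: bytes) -> bytes:
    """What the receiver recomputes and compares; key = (H, S) for this nonce."""
    h, s = key
    return (ghash(h, aad, ct) ^ s).to_bytes(16, "big")


# --- 1. H known (leaked, or collided with another user's H), S unknown ---

def recover_s(h: int, aad: bytes, ct: bytes, tag: bytes) -> int:
    """One valid (aad, ct, tag) under a nonce unmasks S for that nonce."""
    return ghash(h, aad, ct) ^ int.from_bytes(tag, "big")


def forge_tag(h, aad, ct, tag, new_aad, new_ct) -> bytes:
    """Valid tag for attacker-chosen (new_aad, new_ct) under the same key and nonce."""
    return (ghash(h, new_aad, new_ct) ^ recover_s(h, aad, ct, tag)).to_bytes(16, "big")


# --- 2. No key commitment: one (ct, tag) that verifies under two keys ---

def colliding_ciphertext(key1: tuple, key2: tuple, aad: bytes, ct: bytes):
    """Append one block B to ct so that tag(key1) == tag(key2).
    With B as the last block, tag_k = B * H_k^2 XOR c_k, where c_k is the tag of
    ct || 0^128 under key k; equating the two tags is linear in B."""
    assert len(ct) % 16 == 0, "keep ct block-aligned so B is a whole block"
    h1, h2 = key1[0], key2[0]
    assert h1 != h2, "distinct H values are needed"
    padded = ct + bytes(16)
    c1 = int.from_bytes(gcm_tag(key1, aad, padded), "big")
    c2 = int.from_bytes(gcm_tag(key2, aad, padded), "big")
    d = gf_mul(h1 ^ h2, h1 ^ h2)          # H1^2 XOR H2^2 == (H1 XOR H2)^2
    b = gf_mul(c1 ^ c2, gf_inv(d))
    new_ct = ct + b.to_bytes(16, "big")
    return new_ct, gcm_tag(key1, aad, new_ct)


# GCM test case 2 (AES-128, K = 0^128, IV = 0^96, P = 0^128, no AAD).  Test case 1
# (empty P) shows tag == S directly, which is where S0 comes from.
H0 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E   # AES_K(0^128)
S0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A   # AES_K(J0)
CT_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TAG_TC2 = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")
# Attacker's second key, given directly as the (H, S) it would produce.  These
# are constructed demo values; a real attacker derives them from an AES key.
KEY_ATTACKER = (0x0123456789ABCDEF0123456789ABCDEF, 0xDEADBEEFCAFEBABE0011223344556677)

if __name__ == "__main__":
    key = (H0, S0)
    assert gcm_tag(key, b"", CT_TC2) == TAG_TC2
    forged = forge_tag(H0, b"", CT_TC2, TAG_TC2, b"admin=true", b"\xff" * 20)
    print("forgery verifies:", gcm_tag(key, b"admin=true", b"\xff" * 20) == forged)
    ct2, tag2 = colliding_ciphertext(key, KEY_ATTACKER, b"", CT_TC2)
    print("same tag under both keys:", gcm_tag(KEY_ATTACKER, b"", ct2) == tag2)
```

The first attack needs exactly one valid tag under the nonce it targets, because S is nonce-specific, while H is not; that asymmetry is the whole complaint of the “H Reuse” section. The second needs nothing from a victim at all, only a sender who controls both keys, which is what a committing AEAD rules out and why OPAQUE can’t accept AES-GCM. Either attack against real AES-GCM is the same computation with H and S obtained from the actual key.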
Better-Designed Algorithms
You might be thinking, “Okay random furry, if you hate AES-GCM so much, what would you propose we use instead?”
I’m glad you asked!
XChaCha20-Poly1305
For encrypting messages under a long-term key, you can’t really beat XChaCha20-Poly1305.
- ChaCha is a stream cipher built from a 512-bit ARX (add, rotate, XOR) permutation run in counter mode. ChaCha doesn’t use S-Boxes, so it’s fast and constant-time without hardware acceleration.
- ChaCha20 is ChaCha with 20 rounds.
- XChaCha nonces are 24 bytes, which allows you to generate them randomly and not worry about a birthday collision until about messages (for the same collision probability as AES-GCM).
- Poly1305 uses a different 256-bit one-time key for each (key, nonce) pair and is easier to implement in constant-time than AES-GCM’s GHASH.
- XChaCha20-Poly1305 feeds the first 16 bytes of the 24-byte nonce and the 256-bit key through HChaCha20 to derive a distinct subkey, then runs the standard ChaCha20-Poly1305 construction used in TLS today with the remaining 8 bytes of the nonce (prefixed with 4 zero bytes to form the usual 12-byte nonce).
For application-layer cryptography, XChaCha20-Poly1305 contains most of the properties you’d want from an authenticated mode.
However, like AES-GCM (and all other Polynomial MACs I’ve heard of), it is not message committing.
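The subkey step is the only thing XChaCha adds, so it is worth seeing exactly what it does. The code below is an added example (not from this post or from libsodium) implementing HChaCha20 and the nonce split, checked against the HChaCha20 test vector from the IETF XChaCha draft (key 00..1f, nonce 000000090000004a0000000031415927). The function names are mine; the last 8 nonce bytes in the demo are constructed.

```python
import struct

MASK = 0xFFFFFFFF
# "expand 32-byte k" as four little-endian words
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20: 20 ChaCha rounds over (constants, key, 16-byte nonce), returning
    rows 0 and 3 of the state.  Unlike the ChaCha20 block function, the initial
    state is NOT added back, which is what makes the output a key derivation."""
    assert len(key) == 32 and len(nonce16) == 16
    s = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))


def xchacha20_subkey_and_nonce(key: bytes, nonce24: bytes) -> tuple:
    """Turn a 24-byte XChaCha nonce into the (subkey, 12-byte nonce) that the
    ordinary IETF ChaCha20-Poly1305 construction is then run with."""
    assert len(nonce24) == 24
    subkey = hchacha20(key, nonce24[:16])
    return subkey, b"\x00" * 4 + nonce24[16:]


# Test vector from draft-irtf-cfrg-xchacha (HChaCha20 section).
HCHACHA_TEST_KEY = bytes(range(32))
HCHACHA_TEST_NONCE = bytes.fromhex("000000090000004a0000000031415927")
HCHACHA_TEST_SUBKEY = "82413b4227b27bfed30e42508a877d73a0f9e4d58a74a853c12ec41326d3ecdc"

if __name__ == "__main__":
    nonce24 = HCHACHA_TEST_NONCE + bytes.fromhex("0011223344556677")  # constructed tail
    subkey, nonce12 = xchacha20_subkey_and_nonce(HCHACHA_TEST_KEY, nonce24)
    print("subkey ok:", subkey.hex() == HCHACHA_TEST_SUBKEY)
    print("inner nonce:", nonce12.hex())
```

Because 128 of the 192 nonce bits are absorbed into the subkey, two random 24-byte nonces that agree on their last 8 bytes still produce unrelated keystreams; the 96-bit inner nonce only has to be unique per subkey, which the HChaCha20 step makes overwhelmingly likely.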
The Gimli Permutation
For lightweight cryptography (n.b. important for IoT), the Gimli permutation (e.g. employed in libhydrogen) is an attractive option.
Gimli is a Round 2 candidate in NIST’s Lightweight Cryptography project. The Gimli permutation offers a lot of applications: a hash function, message authentication, encryption, etc.
Critically, it’s possible to construct a message-committing protocol out of Gimli that will hit a lot of the performance goals important to embedded systems.
Closing Remarks
Despite my personal disdain for AES-GCM, if you’re using it as intended by cryptographers, it’s good enough.
Don’t throw AES-GCM out just because of my opinions. It’s very likely the best option you have.
Although I personally dislike AES and GCM, I’m still deeply appreciative of the brilliance and ingenuity that went into both designs.
My desire is for the industry to improve upon AES and GCM in future cipher designs so we can protect more people, from a wider range of threats, in more diverse protocols, at a cheaper CPU/memory/time cost.
We wouldn’t have a secure modern Internet without the work of Vincent Rijmen, Joan Daemen, John Viega, David A. McGrew, and the countless other cryptographers and security researchers who made AES-GCM possible.
Change Log
- 2021-10-26: Added section on H Reuse and Multi-User Security.
https://soatok.blog/2020/05/13/why-aes-gcm-sucks/
#AES #AESGCM #cryptography #GaloisCounterMode #opinion #SecurityGuidance #symmetricCryptography