1. 37

  2. 18

    The first time I released Monocypher, I was wildly over-confident:

    Monocypher is probably already bug-free.

    Something tells me this might be the second round of “wildly over-confident”.

    1. 3

      It’s not obvious from the way it’s styled, but that quote is Loup quoting themselves from that first time around, not a present claim. The text of that quote in the article links to its original context.

      1. 2

        Sure but the line below implies he still feels that way.

        my crypto library, is done and ready for production

        He speaks about how auditing is important but nothing about how it has been done with his software. I’m sorry but if your crypto has not been audited it is not ready for production.

        1. 1

          Oh, I’m on board with your point! …

          we now have a crypto library that could displace Libsodium itself

          And, re-parsing your comment now, I think I’m reading it the way you meant, which is not as unfair as the way I first understood it. I think the quote-in-quote threw me off. Sorry!

      2. [Comment removed by author]

        1. 17


          • Don’t claim to be bug free
          • Has been audited more thoroughly
          1. 4

            It’s 1,300 lines of portable C; auditing it is far easier than libsodium, openssl, etc.

            1. 2

              That’s cool but until it happens it’s pretty irresponsible to say that it’s production ready.

      3. 16

        All this talk of performance and comparisons, where’s the part about how Monocypher is coded carefully to avoid branch predictors or other covert channels? Stopping timing channels usually requires a performance hit or at least something visible in code. Aside from having more bugs per KLOC, Monocypher may also introduce covert channels that aren’t in NaCl. I wouldn’t trust it.

        At least the author had a fun time learning crypto and dark corners of C. Also, the report incidentally exposes people to the existence of Frama-C, property-based testing, and equivalence checks. Increased use of those in security-critical code might give a real benefit even if Monocypher doesn’t.
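The “something visible in code” that the comment above refers to is easiest to see on the smallest primitive a crypto library ships: tag/MAC comparison. The following is an added illustration written for this thread, not code from Monocypher, NaCl or libsodium. It places a variable-time comparison (early exit on the first mismatch) beside a branch-free one written in the style of NaCl’s `crypto_verify_*`, and uses a constructed 4-byte “secret” tag plus two constructed guesses. Instead of measuring time it counts how many bytes each function examined (the hypothetical `steps` out-parameter and `bytes_examined` helper are mine); that count is exactly the quantity that leaks through a timing channel in the early-exit version and stays fixed in the constant-time one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: a 4-byte "secret" tag and two guesses that differ
   from it in the first byte and in the last byte respectively. */
static const uint8_t SECRET_TAG[4]        = {0x10, 0x20, 0x30, 0x40};
static const uint8_t GUESS_FIRST_WRONG[4] = {0x99, 0x20, 0x30, 0x40};
static const uint8_t GUESS_LAST_WRONG[4]  = {0x10, 0x20, 0x30, 0x99};

/* Variable-time comparison: bails out at the first mismatching byte, so the
   number of loop iterations (and therefore the running time) reveals how many
   leading bytes of the caller's guess matched the secret. `steps` (may be
   NULL) receives the number of bytes examined. Returns 1 if equal, else 0. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time comparison in the style of NaCl's crypto_verify_*: every byte
   is visited, mismatches are accumulated with XOR/OR, and the verdict is
   derived arithmetically instead of through a data-dependent branch. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    unsigned int diff = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        diff |= (unsigned int)(a[i] ^ b[i]);
    }
    if (steps) *steps = n;
    /* diff is in 0..255; (diff - 1) >> 8 has its low bit set only when diff == 0. */
    return (int)(((diff - 1u) >> 8) & 1u);
}

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Number of bytes `cmp` examined while checking `guess` against SECRET_TAG.
   Stands in for a timing measurement in this illustration. */
size_t bytes_examined(compare_fn cmp, const uint8_t *guess)
{
    size_t steps = 0;
    (void)cmp(SECRET_TAG, guess, sizeof SECRET_TAG, &steps);
    return steps;
}

int main(void)
{
    printf("leaky: first byte wrong -> %zu bytes examined\n",
           bytes_examined(leaky_compare, GUESS_FIRST_WRONG));
    printf("leaky: last byte wrong  -> %zu bytes examined\n",
           bytes_examined(leaky_compare, GUESS_LAST_WRONG));
    printf("ct:    first byte wrong -> %zu bytes examined\n",
           bytes_examined(ct_compare, GUESS_FIRST_WRONG));
    printf("ct:    last byte wrong  -> %zu bytes examined\n",
           bytes_examined(ct_compare, GUESS_LAST_WRONG));
    return 0;
}
```

The early-exit version examines 1 byte for the first guess and 4 for the second; the branch-free version examines 4 in both cases. Two caveats for anyone auditing real code along these lines: the C source being branch-free is necessary but not sufficient, since a compiler is free to turn the accumulate-and-mask idiom back into a branch, so the generated assembly (or a tool that checks it) is what ultimately needs review; and comparison is only the simplest case, with table lookups and secret-dependent memory addresses in the cipher and curve code being the harder ones.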

        1. 0

          Why would you need to worry about covert timing channels if you are encrypting email?

          1. 3

            You read email in a room with other people who can listen to the sound of your computer’s capacitors?

            1. 2

              He said a NaCl replacement. I was talking in general if you want to do that. However, the same thing applies for encrypting if it’s a multi-process system or VM where some things have secrets to protect w/ no comms and some things without secrets are insecure enough for a hack to be easier. The main way a covert channel works is they have two things on the machine: one thing intentionally or accidentally leaking information about the key material; one thing with access to the communication subsystem that can watch the source of the leak. It receives the covert channel’s information and ships it along. In this case, they’d want either the master key(s) or at least the one used to encrypt the email that the untrusted subsystem only saw in encrypted form (without key).

              Many systems have an even more vulnerable setup where there are things with secrets and comms access where it’s pretty straightforward to leak. Covert-channel suppression is for the advanced case where you’ve limited privilege or comms but leaks still happen with shared resources like CPU, cache, RAM, or filesystem (esp. metadata or access patterns). They’re more reliable and higher bandwidth than people would expect, despite noise.

          2. 5

            2 types of people build their own crypto: geniuses and idiots.

            1. 10

              Don’t forget students. They gotta learn somehow. We just don’t let that stuff go into production. ;)

              1. 1

                Students can safely be grouped into idiots :)

                1. 2

                  Many start that way. Myself included on numerous concepts then and now. I think there’s a distinction to be made that I at least thought you were making between idiots-by-default-working-toward-skill and idiots-showing-lack-of-skill-like-geniuses. Those aren’t the only categories, but I thought they were worth differentiating. I’d rather not rag on people who admit they know little on the path to learning much more.

                  1. 2

                    Yeah, I’m not ragging on students - hence the smiley. The distinction I’m making is between frighteningly smart people and everyone else.

                    There’s real wisdom in the tongue-in-cheek phrase (2 types of…). Doing crypto correctly is nontrivial. A very few (geniuses) get it right, but most people should not even try.

                    Tinkering with crypto libs is fun and yeah, people should do that, but that should not be confused with trying to design crypto algorithms/protocols/math. (BTW, I don’t group myself in the set of geniuses.)

            2. 2

              He or someone else should investigate KLEE and AFL and see if they can catch anything.