Scott Arciszewski

668 Followers
128 Following
167 Posts
Residing at the intersection of PHP, security, cryptography, and open source software. He/him. Opinions are solely mine. RTs != endorsements, etc.
Title: Sr. Security Engineer
Pronouns: he, him
Blog: https://scottarc.blog

Hot take:

Discord is not a documentation platform. It is a chat platform. If your project requires connecting to a discord to obtain necessary information, then your project is undocumented.

Release Version 2.5.0 · paragonie/sodium_compat

Security Fix. Read: "A vulnerability in libsodium". This fixes a congruent issue in the main branch of the PHP implementation. For older PHP versions, see v1.24.0 instead.

We're releasing pure Go implementations of ML-DSA (FIPS-204) and SLH-DSA (FIPS-205). These libraries are engineered to be constant time, preventing timing side-channel attacks like KyberSlash. https://blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/
How we avoided side-channels in our new post-quantum Go cryptography libraries

We’ve released open-source Go implementations of ML-DSA and SLH-DSA.

@DefuseSec In case you wanted to refresh cryptofails.com sometime

https://eprint.iacr.org/2025/1979

On Singh et al.'s "Collatz Hash"

Singh et al. recently uploaded a preprint describing a new hash function inspired by the Collatz Conjecture. After performing some cursory tests, the proposed function appears to be completely unsuitable for cryptographic purposes, and should not be used.

A key should always be considered to consist of both raw key material and all metadata required to fully describe and execute the associated cryptographic function.
@abacabadabacaba @soatok yeah, I’d second the idea to explicitly not allow multiple recipients for this scheme. KCI seems a bit of an edge case for a two party system, but allowing any member in a multiparty group to spoof any other member seems like a bit of a cliff. Unfortunate that schemes like MLS have to pull in signatures for this and can’t just use something similar to Noise_K.
Sometimes, I get unsolicited Signal messages.

https://neveragain.tech

This is still relevant, IMHO

Today we stand together to say: not on our watch, and never again.

$5B in revenue, millions of mobile players, one question: are the dice rolls fair?

When Monopoly GO! players questioned their dice roll outcomes, the game's developers hired us to conduct an independent cryptographic design assessment of their PRNG architecture.

Our cryptographic design assessment evaluated two core concerns:
✅ Whether the random number generator produces unbiased outcomes for all players
✅ Whether the countermeasures effectively prevent malicious actors from predicting or manipulating results through client-side attacks

Read the case study: https://trailofbits.info/monopolygo-casestudy

Urgent release by the PQ League of Evil:
Private key formats for ML-KEM and ML-DSA have been hotly debated recently. We at the league have discovered a missing perspective in the discussion: while the expanded private key format contains most information, it misses the matrix itself, which should be possible to store as well. Therefore, we suggest the following solution:
ASN.1 CHOICE of:
Seed
Expanded private key
Extra expanded private key
Both
More both
Extra both
All

We already have modules in the validation pipeline that only support extra expanded private keys, and it would be unfair to us early adopters to not standardize like this!

Of course, we are aware of the concerns that keys might contain redundant data. To address this, implementers SHOULD randomly flip bits in some of the keys before loading.