Tommaso Gagliardoni

233 Followers
127 Following
640 Posts

Cryptography, privacy, quantum security, infosec, retro vibes.

I am a mathematician and computer security scientist, with a strong interest in cryptography and anonymity, specialized in quantum security and complex cryptographic protocols. I am also a privacy hacktivist and public speaker, blahblahblah, read my Linkedin bio for this s**t, this is my Mastodon corner.

I co-develop Shufflecake, an open source privacy disk encryption tool to help journalists, activists, and whistleblowers evade unjust prosecution.

I am an advocate of digital self-sovereignty. You will see me often ranting about Big Tech, enshittification, and surveillance capitalism.

Fascinated with anime, Japan, RPGs, retro computing, and all things 80-90's. Notice I wrote "fascinated", not "knowledgeable".

Here you won't find peace nor forgiveness, but just: #cryptography #privacy #quantum #security #infosec #retro vibes!

Homepage: https://gagliardoni.net/
Linkedin: https://www.linkedin.com/in/tommasogagliardoni/
Shufflecake: https://shufflecake.net/
My own company: https://www.lucumo.net/
Sums up my experience growing up

I traced $2 billion in nonprofit grants and 45 states of lobbying records to figure out who's behind the age verification bills

https://linux.community/post/4606267

A long and WELL sourced post on exactly who has been behind all the state level legislation aimed at OS level age verification.

"I traced $2 billion in nonprofit grants and 45 states of lobbying records to figure out who's behind the age verification bills. The answer involves a company that profits from your data writing laws that collect more of it."

*EDIT*
Direct link to the GitHub dataset:

https://github.com/upper-up/meta-lobbying-and-other-findings

Original redlib post and comments:

https://redlib.catsarch.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/

#AgeVerification #Infosec #Privacy #Discord #Mastodon #Meta #Zuckerberg #FollowTheMoney


This is big but not unexpected: Meta built a multi-channel influence operation to pass age verification laws.

https://github.com/upper-up/meta-lobbying-and-other-findings

The original Reddit posts were removed, but they are archived:

https://web.archive.org/web/20260313090844/https://www.reddit.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/

https://web.archive.org/web/20260313125244/https://old.reddit.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/

This is your daily reminder that if you're a cryptographer and work for Meta - including taking their grant money - you need some serious 4d chess creativity to look at yourself in the mirror.

#security #privacy #cryptography #meta #surveillance #politics #censorship #lobbying #ageverification


At #RealWorldCrypto this year, there was a session on "privacy-enhancing technologies".

The first talk in the session was about a new encryption method for Tor.

The next two were painful examples of "a person cannot be convinced of something when their salary depends on them not knowing it".

Advertisers want to collect signals about populations without being individually identifying. So let's talk about differential privacy techniques to let them do that.

One example was "Meta wants to know what percentage of its teenage users blocked a contact today".

At no point did they address the elephants in the room.

  • Why do they want this data in the first place?
  • What are they even doing with this signal?
  • Have you considered telling them to fuck off and not collect it in the first place?

As tempting as it might be to hand wave it, and say "well yes but their business model depends on it", I say to advertisers, "then perish".

Interesting paper on Eprint: A Quantum-Safe Private Group System for Signal from Key Re-Randomizable Signatures

https://eprint.iacr.org/2026/453

E2E encryption in group chats is complex, because security should be many-to-many while allowing for large, dynamic groups. Signal uses state of the art cryptography for this, but it's mostly based on discrete log, so quantum-vulnerable. This paper proposes a new, efficient quantum-resistant construction for this task.

A few caveats from just a quick skim of the paper:

1) Not everything is quantum-resistant, only parts of the protocol, namely those inherent to privacy. Authentication, instead, is left quantum-vulnerable. The rationale is that harvest-now-decrypt-later attacks are of a more immediate concern, and partial patching allows performance not to degrade too much. While this is a sensitive and pragmatic choice, I think the security community should stop underestimating the danger of trust-now-forge-later attacks, i.e. those involving signatures/authentication: in real-world scenarios, those would probably be much more dangerous than "we'll just switch to PQ signatures when quantum computers arrive". The paper considers this as well, though, as the choice of authentication mechanisms is modular, thereby providing crypto agility.

2) The role of the central server is still crucial to ensure correct execution of the protocol. This is just a reminder that Signal, at the end of the day, is a centralized service. It's way, way better than your Whatsapp, but if centralization is a concern, please consider federated or peer-to-peer alternatives (although Signal's encryption is undoubtedly the gold standard for now).

#signal #cryptography #privacy #security #im #whatsapp #quantum #quantumcomputing #postquantum #pqc

A Quantum-Safe Private Group System for Signal from Key Re-Randomizable Signatures

Instant messaging services are an integral part of today's communication and their privacy has wide societal implications. Major messengers deploy end-to-end encryption, hiding message contents from the service provider. Group messaging, however, creates the challenge of also keeping the group membership list private. The Signal messenger currently implements private group management using techniques inspired by Chase, Perrin, and Zaverucha (CCS 2020). Transitioning this system to quantum-safe turns out to be challenging: While one-to-one messaging can often adopt the newly standardized KEMs and signatures in a relatively direct way, private group management is more complex. Signal's existing design heavily relies on the discrete-log structure to combine anonymous credentials, verifiable encryption, and oblivious PRFs for privacy and functionality. Quantum-safe versions of these components are, unfortunately, typically far less efficient, requiring heavy zero-knowledge proofs and large communication per group operation. As a result, simply "swapping in" quantum-safe primitives is unlikely to yield an optimal protocol. This paper reconsiders the design of the entire group system from the ground up. Our result is a scheme that possesses the same strong privacy guarantees, but is built in a more modular way using simpler underlying cryptographic building blocks that permit a more efficient quantum-safe instantiation. The modularity of our protocol further allows for gradual migration to quantum-safe: we can immediately transition components vulnerable to harvest-now-decrypt-later attacks (such as classical public-key encryption, computationally hiding commitments, etc.) while deferring the transition of other building blocks, such as authentication. We prove our design secure in an extended security model that more comprehensively captures the rich feature set of Signal's group messaging system.

IACR Cryptology ePrint Archive

Every week, sometimes more than once, we are taking calls or messages about the same single situation facing an activist(s) post-arrest. It is this:

They have taken their phone to a protest, were arrested, cops took their phone (often a lot more interested in phone than owner), phone was on at the time.

Here's what we tell them: It does not matter if you use the best E2EE app (Signal is common) and have a 9x9 18 line pattern unlock, it's time to act like it's game over.

Here's why.

1/n

Bye Dubai — Special Repatriation Programme 2026 | EU Council of Finance Ministers

EU citizens in Dubai? We're bringing you back. Provided you bring back your tax returns.
