
I have only read a few passages (and some of the excellent quotes others have shared here), but I find the underlying message here so much more compelling than those found in the various "manifestos" which come out of Silicon Valley.

I think reading this helps me imagine a version of the future I'd actually like to live in. A version where technology is used well (rather than preaching for abstinence from technology) and where values other than "intelligence" (in whatever guise) are on an equal footing.

Even writing that makes me feel naive (and to an extent I know it is) but I think it would be inconsistent for someone who cheers for humanity's efforts to solve/chip away at "impossible" problems (like LLMs were thought to be not so long ago) to shirk from the challenge of making the world better for _everyone_.


The thing is, the reason this future feels so good is that it is a system with no constraints. A bit like the Star Trek universe in Roddenberry's imagination. This kind of utopia can only be achieved with all honest actors, but in reality systems are usually designed around bad actors.

Even with all morally good actors locally, there are no guarantees against external forces. Thinking about it hypothetically, even with global coordination (all good actors) there is no proven path that would lead us to a better place from any starting point in the past.


It's probably more predictive to model actors as being neither good nor bad but constrained by various collective dilemmas, such as the prisoner's dilemma, the security spiral, the tragedy of the commons, race dynamics, collective action or first mover problems, information asymmetries, the commitment problem, among others. Those are the hardest problems to solve because they're pathologies that result from the global, largely amoral structure rather than consequences of the individual exercise of morality.

In the AI case, each firm is in an arms race, and nobody can slow down without effectively collapsing, since positive gross margins are only viable with a frontier model that attracts marginal demand. An appeal to morality might have an impact, but more effective action would be to address the structure that the AI companies are situated in that causes this dynamic in the first place. In practice, that's going to be a global agreement to slow down, and global regulations.


Yeah, but this is a system problem; if we had this utopian system from the beginning we would probably not even have AI.


This sort of rationalization of evil is a core of technocratic support for Trumpism, I find, and has parallels to the evangelical prosperity gospel. Choice tenets:

  - Fuck you, got mine
  - If I don’t do it, someone else will
  - Might makes right
  - Greed is good

It’s always cloaked in a veil of realism, but it’s just the classic 14-year-old-boy-just-got-introduced-to-the-prisoner's-dilemma situation. There’s nothing philosophically interesting about it.

Ironically, these are often the same people denouncing multiculturalism, yet the culture they strive for is completely morally bankrupt.


And it's funny because the "realism" has been proven wrong over and over and over again for millennia. People do all sorts of selfless and generous things all the time! The entire premise is trivially disprovable by just going and asking a neighbor for some help with something.

That's not to say we should be naive about greed or malice existing or being powerful motivators (especially the former), but it is obviously not true that they're the only forces at play and therefore you are "just doing the logical thing" by succumbing to them. It's just the more destructive version of the same naiveté.


Seems you and I have together struck a nerve. Maybe our sentiments would have been better received in an alternate subthread, but it’s all I could think about while reading the parent / cousin comments.

I haven’t read the full Magnifica Humanitas yet, but I would be pleasantly surprised if he touched on not just dehumanization of the other, but dehumanization of the self. Expanding on your thought, succumbing to those forces under the guise of just doing the logical thing is in a way self-dehumanization - to believe you are only capable of the “logical” thing instead of the moral thing.


This was not my point at all. Maybe I could have explained it better, but the main criticism I have is: you can bundle together objectives (which are inherently good) and create a utopia. But those cannot always be achievable.

Everything in life is trade-offs. A simple example is speed/quality/cost. I can easily say:

- services should be cheap
- services should be fast
- services should be high quality

Now I have created a utopia. Obviously this is amazing to the listener. They agree. But is it achievable?

It is not saying greed is good or might makes right. But a system means you need to construct the best outcome from these ideals (which comes with some trade-offs).


Your idea and its (perhaps unsatisfying to you) resolution can be summed up easily by John Quincy Adams’ quote:

“Duty is ours. Results are God's”


Yeah, but my point is sometimes suboptimal parts can give better overall results (considering also bad actors).


Yeah there were probably more appropriate subthreads to have responded to. My point wasn’t quite neatly directed against yours.


To get from here to Roddenberry's communism, according to Roddenberry's lore, we passed through the Eugenics Wars, the Second Civil War, and then fifty years of World War Three and the 'post-atomic horror' before coming to our senses.


> I think reading this helps me imagine a version of the future I'd actually like to live in. A version where technology is used well (rather than preaching for abstinence from technology)

I believe the Amish figured this out over a century ago.


> I believe the Amish figured this out over a century ago.

The Amish rather came to a different conclusion (which I don't want to judge on, but on which I nevertheless have a different opinion than the Amish).


What is that conclusion which differs from the post you replied to? The Amish are mindful about their technology adoption.


> The Amish are mindful about their technology adoption.

The central idea concerning the Amish's relationship to technology is that technology is only allowed if it does not destroy their community.

My personal values are much less based on upholding a community, but rather are much more rooted in individual freedom and independence. This means that I (likely) come to very different conclusions regarding this class of problems than the Amish do:

For example, I am less opposed to various kinds of technology that the Amish would likely consider "community-destroying".

On the other hand, I guess I am much more opposed to technology that can be used to surveil the user and/or makes the user dependent on the whims of big tech companies than I guess the Amish are (i.e. the Amish would likely consider this as a much smaller problem concerning which technology to allow vs disallow; as I wrote: by my understanding their central concern is which consequences some technology has for keeping their community together).

To give evidence for the previous point: (by my impression - I am not US-American) you will rather not find many Amish people at political rallies against surveillance laws. The people who attend such rallies typically also have strong opinions on which technology to use or not to use (just talk to such people who are very strongly opinionated :-) ), but - as I pointed out - these technology choices come from very different basic premises than those of the Amish.


Yeah they probably wouldn't show up to a political rally because of this:

> Separation from Evil

> The community of Christians shall have no association with those who remain in disobedience and a spirit of rebellion against God. There can be no fellowship with the wickedness of this earthly world; therefore there can be no participation in the organizations, works, church services, meetings or civil affairs of those who live in contradiction to the commands of God (this may include Catholics and Protestants as well as other religions and pagans). All evil must be put away, including using weapons of force such as the sword and armor.

https://en.wikipedia.org/wiki/Schleitheim_Confession


> much more compelling than those found in the various "manifestos" which come out of Silicon Valley.

Whenever I hear these "tech overlords", I am always baffled at the total lack of culture, the absence of taste, the empty visions and the implied complete subjugation of humans to ideals of "efficiency" or "quick and easy". Maybe they would have been more interesting people if they had been brought up in beautiful towns and cities, if they had lived in a rich cultural environment instead of being raised as consumers of cheap and flashy pop culture. Maybe we should tax bad architecture; it gives me headaches but others might incur heavier damage.

As an aside, at least Trump is drawn to the grandeur of high culture from historical times, but he also doesn't understand an iota about aesthetics, and so the White House gets turned into a tacky gypsy-style abomination with one dollar ornaments.


We lost the “liberal education” (not the political one, but the “freeing” classical one) and it’s starting to show.

When you compare the robber barons to Google and Meta it’s kind of embarrassing: they built massive empires of iron horses screaming across the world and covered cities in magnificent buildings (stations, libraries, etc). G&M built an empire of advertising and … not much else?


Indeed. The current crop doesn't have an idea of what they hoard their billions for, it's just...emptiness. I propose we explain the tech's attachment to Accelerationism as a profound boredom and lack of purpose. "What does it mean to be human"--they don't value that question. Peter Thiel got interviewed a month or two ago, and he could not be brought to say that he sees value in preserving humanity. He would rather turn himself into a robotic contraption to extend his life.

When power fears death, some strange things happen.

EDIT: link to the interview with Thiel <https://xcancel.com/rcbregman/status/2036113528126394834#m>


I’m reminded (and apropos as the Pope quoted him) of Tolkien’s description of the “eternal life” the Ring gives to mortals, and how it’s … not so desirable in the end.


Indeed, it's far more necessary that the utter dregs of humanity (e.g. Peter Thiel) eventually die of old age. Or, put another way, the damage of mortality killing good people is more than offset by the good of it killing the worst people with the most power. Because in the end it's probably not going to be your sweet mother who will get to live forever, it'll be people like Peter Thiel. No thanks, for the good of our species.


“Those who used the Nine Rings became mighty in their day, kings, sorcerers, and warriors of old. They obtained glory and great wealth, yet it turned to their downfall. They had, as it seemed, unending life, yet life became unendurable to them. They could walk, if they would, unseen by all eyes in this world beneath the sun, and they could see things in worlds invisible to mortal men; but too often they beheld only the phantoms and delusions of Sauron. And one by one, sooner or later, according to their native strength and to the good or evil of their wills in the beginning, they fell under the thraldom of the ring that they bore and of the domination of the One which was Sauron's. And they became forever invisible save to him that wore the Ruling Ring, and they entered into the realm of shadows. The Nazgûl were they, the Ringwraiths, the Úlairi, the Enemy's most terrible servants; darkness went with them, and they cried with the voices of death.” - from the Silmarillion but it’s echoed in LotR also. And even Bilbo complains of being “butter spread over too much bread”.


This is why I like the term "Dragon Sickness." There's seemingly only innate compulsion and no real human thought behind the hoarding. It becomes its own end. I cynically lament that it's human nature for billionaires to exist but if that is true, couldn't they at least be more entertaining about it? Bezos and Musk could be bleeding each other dry to get to the next star system by now.


Google makes phones and phones are somewhat good. Better search had some value for humanity. Meta has no redeeming qualities or achievements, other than helping Trump get into office and defeat Iran.


People become tech overlords because they are blind to these sorts of beauties - and that'd be fine if it wasn't for the fact that we have collectively allowed these people to come to power and have fallen for their empty promises of freedom and liberation.




> Church and any kind of belief system hurts our society and divides us.

Any belief system? And yet I bet you value freedom over slavery, wisdom over ignorance and compassion over brutality. That’s a belief system, despite not being a religion.


I can argue these values and we can discuss them.

If the majority says, no, we want to be able to control other human beings, these people will reenact slavery. From a society point of view, though, we see that it's not a working model anymore.

A real belief system can't be argued with. You believe in this god? This god says x and that's why you do things? Okay, that's it. You don't even question where this information even came from.

If we delete all religion and science tomorrow, there is a realistic chance that society rediscovers the same existing rules like math and gravity, but religions might appear again with different names, different rules etc.

I can change your mind with logic and arguments if it's not a belief system; I can't do that with religion.

Wisdom over ignorance: The chance of survival is higher with wisdom

Compassion over brutality: This is just basic Game theory


Fornication culture is a big part of why the west is in decline.

What may make sense for you individually may also be empirically proven to be detrimental to the whole.

The New Testament contrasts with the Old; the gospel is one of tolerance and equality. It's a big part of why you have the rights that you do, as do women.

That said a lot of what you're saying can be ascribed to religious institutions and sects and individuals and specific churches. But your general prescription is like saying "this logical axiom is evil because XYZ ascribes to it and they are also evil".

You also have a belief system -- that people who believe in God do so because they don't question their beliefs, that religious people are only led by dogma. Yet your belief is wrong. Have you tried questioning it?

> but religions might appear again but with different names, different rules etc

Religions and scripture spread also evolutionarily. Christianity is popular because it is rooted in many truths.

> Compassion over brutality: This is just basic Game theory

And the game has been played.


"Fornication culture" who said that? We are more people on the planet than ever. Fewer people have to live lies like being in a marriage but also being homosexual.

It's just a control structure from the church without education.

It's probably even because of missing education. Educate people properly and they can handle "Fornication culture".

I don't have a belief system. I have a theory why people believe in gods and religions. We have evidence for it. People studied the origin of religions:

"It evolved from humanity's psychological and social needs, primarily our desire to make sense of the natural world, cope with the fear of death, and foster community cooperation."

We know how little people knew when religion started to emerge. Never seen space, never seen above a cloud besides a few people going up mountains. Thunder was not understood. Between 1400-1700 we had witch trials.

It is dogma. What is your argument against dogma?

"Christianity is popular because it is rooted in many truths." Where is your argument for this? It's popular due to luck, power and wars. Missionaries as well and especially probably the most critical thing: early indoctrination.

>> Compassion over brutality: This is just basic Game theory

> And the game has been played.

Yes, exactly. Compassion wins because it's better, not because religion says so. It's an evolutionary win.


"Church"

ok

"and any kind of belief system hurts our society and divides us."

People shouldn't believe anything?

Disagreement and conflict are natural. How we handle these disagreements while striving for widespread peace and prosperity is the question.


I don't believe. I accept things I don't know and I know what I know.

There is no inherent issue with this. On the contrary, it makes me mentally stronger.

I can choose on my own terms if/when I want to end my life. If I get very sick, I don't have to hope for a god's or priest's blessing to end my life, I will just do it.

But religion is different: if you believe that homosexuality is wrong due to your religion, there is nothing I can argue about. Your priest told you this based on some book or story from 2000 years ago and you do not question this.

I know plenty of strong Christians and Muslims in Germany who do not like homosexual people. And it's dividing our society.


> I don't believe.

You believe that you don't believe.

> But religion is different: if you believe that homosexuality is wrong due to your religion, there is nothing I can argue about. Your priest told you this based on some book or story from 2000 years ago and you do not question this.

This isn't the Church doctrine. The Church doesn't target homosexuals or even homosexuality in particular but ALL sexual practices that deviate from the unitive and procreative aspects of human sexuality. Christians don't believe in this because a book written thousands of years ago says so but because deep in their souls it makes sense and is the truth for them. Homosexuals are welcome in the Church as any other sinner; what is ridiculous is to expect the Church to condone sins and bless sinful relationships, be they homosexual or heterosexual.

> I know plenty of strong Christians and Muslims in Germany who do not like homosexual people. And it's dividing our society.

Perhaps it is something else that divides.


No, I do not believe. You don't change it just because you say that I believe in not believing.

There is also a clear definition for it:

"Believing is the mental act of accepting something as true, real, or correct, often without requiring absolute, physical proof."

I'm absolutely fine saying that I don't know something. I do not know whether a god exists, or multiple etc. But honestly that question comes down to me more like "Does randomness exist".

Yes, it's absolutely a religious thing that homosexuality is bad. You call it yourself 'sinful relationship'. It's not a sin just because the church doesn't like it. Also plenty of religions are responsible for making it a sin outside of religion.

And yes, if the church condones all sexual practices, it does include homosexuality and makes it a church doctrine.


So you don't believe in black holes or dark matter? Because neither of them, among many other things, have absolute physical proof. How do you even cross a street or go outside if you don't believe and can't have absolute physical proof that you will not be harmed.


> Christians don't believe in this because a book written thousands of years ago say so but because deep in their souls it makes sense and is the truth for them.

Sorry mate, but that's just cultural indoctrination that made them feel that way, and the culture is intimately tied to the book.


Progressive narratives and ideas are much more prevalent in modern society than religious ones. It would be easier to argue that cultural indoctrination makes progressists feel that way.


Both can be true. We're all susceptible to whatever culture we're indoctrinated to. Progressive narratives are still young though, while established religions have a long history, momentum, and large user base to perpetuate their culture and agenda. In the case of Christianity, it's one of the core goals of the religion.

You can downvote me all you want, but arguing that Christians' beliefs aren't tied to the bible is ridiculous. Their "deep soul" feelings are beliefs, which are formed by cultural indoctrination, and the bible is the cornerstone of the Christian culture.


I can't downvote you even if I wanted. Progressive narratives are not young. The current flavor is young but the US Progressive movement is ~130 years and the Christian eschatology with God removed that it is based upon goes back to the Enlightenment era.

For Catholics the Bible is very important but it is a map not the territory. Tradition is equally important and there is also Revelation, in the Creation, in the Universe and in our own human nature.

You're reducing everything to a book and missing two millennia of reflection upon human nature, on our purpose in this world, the thousands of books written, the millions of debates; you're missing out on a corpus of knowledge that is rich and can't be found elsewhere.

We value the map not because it's old and we are indoctrinated to, but because we see territory and roads that don't show up on the modern maps. The old map is hard to read and uncomfortable, but it leads to true places, whereas the modern maps are pretty, colorful, with good UX ("everything is allowed"), but route you to bad places and dead ends.


Does that mean that nothing of value can come from the church, and we should ignore all ideas they put forth out of some kind of spite?


Spite? It's not spite.

The church creates a belief system which indoctrinates all of us and took our cultures away.

The Germanic tribes were believers in nature; the church removed all of this.

The church also doesn't see women as equal.

Just because they might sometimes also say positive things or things we might align with doesn't mean I need their opinion. And especially not on HN.


Well, I do have to give the Pope some credit.

This weekend I upgraded the PC of a church lady who has about a 10-year old mini-PC, so now it has the latest Windows 11. This was not easy, it was a shambles of Windows 10 combined literally with amounts of older Windows 11. From which auto-updates would take it no further. OTOH on the bright side autoupdates could do no further damage.

I attribute all success to a miracle, considering there is only 32GB of soldered-in drive space and 4GB memory :\

I don't think it would have come to pass if it weren't for the Pope's smiling face appearing with delight each time I rebooted, when her PC's everyday desktop background picture came into view. This is where he is joining in with the tribal rhythms while visiting Africa, honoring their traditional culture while they honor his visit in their colorful regalia.

When you're dealing with anything that challenging, or more so, you need all the blessings and prayers you can get :)


Indoctrination and cultural erasure isn't unique to the church. With Germanic tribes - the Saxons, Angles, Normans, etc., while women's rights ebbed and flowed over the centuries, they were rife with double standards and were still quite patriarchal. They didn't just believe in nature, they believed in the same pagan gods as the Nordic peoples.

The point is that times change, and institutions change, and holding grudges for long ago sins and policies is ineffective.


This is not true. The number of believers and official people in the church is continuously declining around the globe.

In 1990 there were nearly 60 million people in the church in Germany (nearly everyone); now we are down to under 40 million, which crossed the line of 50%.

This is real, tangible progress.

The only downside is that we do not sit together and formulate something which might give a hold to people who are not ready to be mentally self-stable and might need something like this. And we also do not try to align together on rituals which help us to live better together.

I'm also still affected by the indoctrination of the church. As you can see, I argue against the church not just because I like to argue, but because I really, really hate religion and especially the Christian church in Germany, due to my own values and experience. This is not old; I'm only 36.


The Vatican is guilty of being the most charitable organization in the world.


> Woman have less value under the church than man.

That is objectively false, and trivially disproven by the fact that the Catholic Church reveres a woman as the greatest human being to ever live.


All national agencies I'm aware of do not support QKD except in "very specific cases" and instead recommend Post-Quantum Cryptography (PQC).

From the UK NCSC [1]:

> QKD does not provide authentication, nor do any other quantum techniques. Therefore, in practice, QKD must be combined with other cryptographic services to provide security against the threat from quantum computing, and therefore should not be relied on as a mechanism that provides substantial security value. [...] The NCSC will not support the use of QKD for government or military applications. PQC is the best mitigation to the threat to cryptography from quantum computers.

And the German BSI (and partners)[2]:

> Together with European partner agencies from France, the Netherlands and Sweden, the BSI has published a Position Paper on QKD. The paper concludes that QKD can only be used in niche use cases due to its technological limitations and that QKD is not yet sufficiently mature from a security perspective. Therefore, in light of the necessary migration to quantum-safe schemes, the clear priority should be the migration to post-quantum cryptography.

This is despite different choices for which PQC algorithms to use. E.g. NIST (and many others including the UK) have gone initially with ML-KEM for key exchange, while Germany/BSI have selected FrodoKEM and Classic McEliece.

[1] https://www.ncsc.gov.uk/paper/quantum-networking-technologie...

[2] https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisati...


I'd expect a finding / paper like this to be submitted to the IACR ePrint server [1] to bring it to the attention of the cryptographic community. I can't see that it's been submitted yet.

Venue should not imply credibility but in this case it would certainly help bring the proper scrutiny.

[1] https://eprint.iacr.org/


You can verify the certificates yourself or just wait for us to make an end-to-end collision generator as we did for MD5[1] - you can use that to generate a collision in seconds on your phone or any computer. If you wait for us to complete the end to end collision, in a sense it will be a little too late as TLS certificates and other security that relies on SHA-256 needs time to move away. We think it's responsible to disclose at this stage, and as mentioned, our peer reviewer said it is a "very good result" that is "worth publishing". We've gone to great pains to make our method completely reproducible, even writing in the article that we'll help anyone who is having trouble with any part.

[1] https://stateofutopia.com/experiments/md5collider


> I find the suddenness, almost haste to be quite interesting.

> But there is a clear change around 2022, 2023.

I think that's probably because the NIST competition [1] to choose their standard algorithms really started to heat up then.

NIST has a very large gravity well in the academic and industrial cryptographic community, so as soon as it became clear which algorithms NIST would pick (they chose Kyber / ML-KEM and Dilithium / ML-DSA), the (cryptographic) world felt it could start transitioning with much more certainty and haste.

1. https://csrc.nist.gov/projects/post-quantum-cryptography/pos...


Yes, that is one aspect, and when the drafts were published you could see orgs started running (I've got a nice timeline in my slides). But I still find the haste interesting. There is very little time for the transitions compared to the adoption rate of other crypto standards. The NIST algos are imho still quite immature, which is one big motivation for hybrid schemes.

A bit off topic, as a European, with what is happening with DOGE, slashing funding for CISA, TAA etc, I'm seriously worried about NIST. As you say, NIST is very important in many areas. For the USA, with things like the coordinated universal time normal. But also for federal cybersec standards that have led to interop with the rest of the world cryptographically. Will NIST be slashed, and if so will the crypto department be spared? If not, what would remain? New standards, the validation program? Will Falcon become a standard, or for that matter the new lightweight symmetric algo based on Ascon? (For which I'm eagerly waiting for NIST to publish test vectors so that I'm able to verify that my implementation is compliant.)


I think the haste is probably down to a risk calculation. If practical quantum breaks of classical crypto don't materialise in the next 5-10 years, "all" that's happened is we've cycled onto a new cypher suite sooner than we otherwise would have.

The reverse picture, where they do and we haven't, is so colossally damaging that it doesn't matter if the probability of quantum breaks landing is actually quite small. In expected value terms we still come out ahead.

You don't need to assume that someone in an NSA lab has already demonstrated it for this to work out, and you don't need to assume that there is ever a practical quantum computer deployed for this stuff. All you need is for the probability to be above some small threshold (1%? 5%? I could believe something in that range) to make running for the exits the right move today.


What does the calculation look like if the thing we migrate to ends up being broken way more easily than classical algorithms?

Because the current plans aren't to migrate to just hybrid classical+PQC schemes, the plans are to migrate to PQC fully. Discarding both RSA and ECC.


> Because the current plans aren't to migrate to just hybrid classical+PQC schemes, the plans are to migrate to PQC fully. Discarding both RSA and ECC.

This isn't true. NIST has been saying that, but everyone else just laughs and implements hybrid since throwing out RSA/ECC is so obviously stupid.


If you have references to nations, governments that state that transition to hybrid I would love to get references. The EU transition will not be hybrid. The NSA plan is not hybrid. ETSI is not hybrid.

My view is that IETF and commercial entities such as Apple, Google and open source world are the ones going hybrid. In this case I would love to be wrong.


> NIST has been saying that, but everyone else just laughs and implements hybrid since throwing out RSA/ECC is so obviously stupid.

The Australian government is also saying this.


That is a very relevant point. Add a bit of scare mongering, herd mentality and downplaying of the technical effects, risks, you get the ones setting policies taking a decision to transition - just like everybody else.


When I have seen time estimates, everyone is referring to Mosca's Theorem. This is the idea that "store now, decrypt later", combined with the estimated time until a working quantum cryptanalysis is feasible, and a finite transition time for existing crypto standards and technologies (think update times for long-living tokens like ID cards with certificates) makes the available delay until a change must start quite short.
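Mosca's inequality as described above, written out as a small planning check. This is an added example, not code from the comment's author or from any agency paper; the asset inventory and the year estimates are constructed sample values, and the 15-year quantum estimate is an assumed planning parameter, not a prediction.

```python
from dataclasses import dataclass

# Mosca's theorem (as paraphrased in the comment above): if
#   x = how long the data must remain confidential ("shelf life", which is
#       what makes store-now-decrypt-later matter),
#   y = how long it takes to migrate the deployed crypto,
#   z = estimated years until a cryptographically relevant quantum computer,
# then whenever x + y > z, data is exposed unless the migration starts now.


@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life_years: float   # x
    migration_years: float    # y


def slack_years(asset: Asset, quantum_years: float) -> float:
    """Years left before the migration must begin; negative means already late."""
    return quantum_years - (asset.shelf_life_years + asset.migration_years)


def is_at_risk(asset: Asset, quantum_years: float) -> bool:
    """Mosca's condition x + y > z: true when waiting any longer loses data."""
    return asset.shelf_life_years + asset.migration_years > quantum_years


def plan(assets: list[Asset], quantum_years: float) -> list[tuple[str, float, bool]]:
    """Return (name, slack, at_risk) for every asset, most urgent first."""
    rows = [(a.name, slack_years(a, quantum_years), is_at_risk(a, quantum_years))
            for a in assets]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample inventory (illustrative numbers, not real deployments).
SAMPLE_ASSETS = [
    # ID cards: certificates valid 10 years, card fleet takes ~7 years to rotate.
    Asset("national ID card certificates", shelf_life_years=10, migration_years=7),
    # Archived medical records: must stay confidential for decades.
    Asset("archived health records", shelf_life_years=30, migration_years=3),
    # Ephemeral TLS sessions: short-lived data, software update cycle of a couple of years.
    Asset("web TLS session traffic", shelf_life_years=1, migration_years=2),
]

# Assumed planning parameter for z, chosen for illustration only.
ASSUMED_QUANTUM_YEARS = 15.0


if __name__ == "__main__":
    for name, slack, risk in plan(SAMPLE_ASSETS, ASSUMED_QUANTUM_YEARS):
        status = "START NOW" if risk else f"{slack:.0f}y of slack"
        print(f"{name:36s} {status}")
```

The long-lived token case the comment mentions is the one with negative slack: its shelf life plus rotation time already exceeds the assumed horizon, which is why such deployments drive the urgency even when z is uncertain.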


> To me what is most surprising is that the attack seemingly came out of nowhere,

This wasn't my understanding at all. The specific issue in isogeny based cryptography which the attack exploits has been a source of worry in the cryptographic community for a while, and is exactly why NIST put SIKE in the "for further consideration & crypt-analysis" category when making their standardization decisions.


It's possible, but it is _a lot_ of work!

You'd basically be building a cryptographic module (industry standard term, with a lot of specs and requirements to go along with it), which is no small undertaking in terms of correctness, never mind security. The "basic" cryptographic routines aren't easy either. You're talking ECC and some other symmetric primitives. Secure & efficient ECC implementation is an entire discipline on its own.

I have reservations about the phrase "don't roll your own cryptography" for lots of reasons, but this would be taking rolling your own to the extreme. With all the associated risks.

Absolutely possible and a very cool project, but yeah, it's hard to understate the complexity / requirements of a full cryptographic module on top of the cryptographic primitives it needs to support. I actually really like that this person took an existing commercial TPM and could integrate it into their own PCB this way, I think that's a good compromise between building your own TPM with an Arduino, and having to pay lots of money for an out-of-the-box TPM.


One reasonable way to do this could involve running the reference TPM2 simulator [0] on the Arduino. It's just a C library that already implements all the cryptographic routines and TPM2 commands. In fact, this is basically how TPM vendors implement their chips. They just generally have:

  - A lot more hardening against physical attacks
  - Cryptographic libraries optimized for their low-resource hardware
  - (sometimes) a vendor certificate for a primary TPM key, aka an "EK cert"

Certainly a TPM running on an Arduino wouldn't have the physical hardware properties of a "real" TPM. But you could probably get it into a state with similar software properties.

[0] https://github.com/microsoft/ms-tpm-20-ref


I'd use this over a real TPM so that I have more control over my PC.


See my other comment: https://news.ycombinator.com/item?id=31293577

It really depends on what your threat model is and whether you intend to use the TPM to begin with. If not, you really don't care about the security of any cryptography as long as the output is valid enough to satisfy whatever application is using the TPM.


Creating an adversarial relationship between the user and vendor is a debasement of security principles. Now, Windows is the threat model and that's why "mandating" this was the wrong choice altogether. Microsoft could even have sold this as a feature. The fact that they chose instead to push it on users tells you everything you need to know about the future of users' relationship with their products. The perimeter of my security ends where Microsoft begins.


It could be interesting in terms of debugging and reverse engineering. Seeing what secrets apps are storing. Normally you don't have full view on what's in your TPM as an end user.

Of course it'll be hard to make it really secure but production use isn't the only place this could come in handy.


> "It's possible, but it is _a lot_ of work!"

How do you know it's _a lot_ of work? Correct me if I'm wrong, since you are implying you are familiar with this, but doesn't Windows 11 just want to verify that the device is available, likely with an echo facsimile along the lines of a version or self-test response? I don't believe any version of Windows requires full TPM functionality.


I don't see why crypto can't just be a peripheral. Here's a block of memory and a key. Tell me when you're done.


There are lots of good reasons to make cryptographic operations instructions instead of a memory mapped peripheral, but I prefer something like VIA PadLock, which implemented cipher modes instead of just implementing the round function as an instruction. Any implementation could even trap those and implement them in a peripheral. The problem with memory mapped peripherals is that access to them has to be multiplexed and their state preserved by context switches. Specialized instructions on existing registers avoid this problem. VIA PadLock solved it by piggybacking on the existing x86 REP prefix for interruptible string instructions and only cached the cipher round keys in the crypto unit, reloading them from memory (or repeating the key schedule) after a context switch.


In lots of places this makes sense. E.g. lots of embedded ARM platforms have a separate AES / ECC accelerator peripheral.

The trouble comes when you need to share access to a memory mapped peripheral among multiple threads/processes/users etc. It can be done, but it's usually easier to manage CPU registers than peripheral devices for things like crypto operations in larger systems. Plus, you have to do access control to the peripheral (so other processes don't try and steal your key); if it's all within the security boundary of a "normal" process, you get that (mostly) for free.

All of the above has caveats and exceptions, but generally (ARM, SPARC, x86, now RISC-V) take this approach.


Latency? Probably depends on the type of crypto.


Huh, I'd heard that the Bitmanip extension would have a conditional move but I don't see it in this version.


That, and other operations requiring three input registers -- therefore a LOT of encoding space -- have been postponed to a possible future extension.

Full GREV and my lovely GORC have also gotten lost, though the encodings for the specific REV and ORC instructions that are included are upwardly compatible with the proposed general versions.


I don't find any hint that B got any attention at all.


There is some overlap. There's the "Zbkb" (horrible name, I know) extension which contains a subset of instructions from the larger bitmanip extensions which are very useful for cryptography.

The more general bitmanip extensions contain other things useful for e.g. address arithmetic. These are somewhat orthogonal to scalar crypto.


It means that each instruction reads no more than two general purpose registers (i.e. inputs), and writes at most one. When you build CPUs, register files are expensive components, and the more parallel accesses to them you need, the more expensive they become. RISC architectures generally rely on only reading two operands and writing only one result. Sometimes this rule is broken, but RISC-V tries to stick to it unless there's an extremely good reason.


> for those who don't feel like reading the spec:

I'm biased, but the spec is supposed to be very accessible to people without a cryptography background. There's a section on who the intended audience is and what assumptions are made about their background. I'd really recommend it.

> The SM3/4 were unfamiliar to me - apparently it is a hash function & block cipher used in Chinese WiFi variant.

SM3/4 are required for use in certain places in China. RISC-V is popular in China, hence their inclusion in the RISC-V spec. My expectation is that SM3/4 will not likely ever be adopted outside China.

> Physical entropy source (with some variants to accommodate low profile variants)

There are no "variants" of the entropy source. There is one entropy source interface definition which is designed to scale across the many RISC-V implementation profiles. It's very different to x86/RDRAND which lots of people are used to.


> SM3/4 are required for use in certain places in China. RISC-V is popular in China, hence their inclusion in the RISC-V spec.

That sounds like a pretty poor reason.

China could create the RISC-V SCE-China spec that extends RISC-V SCE with these, and call it a day, instead of requiring the rest of the world to waste transistors for something that's useless.


The algorithm specific instructions are all optional. You can have AES without SM4 or vice versa. RISC-V is great like that, it's designed to be modular.

> instead of requiring the rest of the world to waste transistors for something that's useless.

I'm sure Chinese manufacturers might feel the same about NIST standards.


> I'm sure Chinese manufacturers might feel the same about NIST standards.

Don't count on it. For example have you ever wondered why there isn't a Russian Certificate Authority trusted in the Web PKI? There's no market for one. If you're a Russian, you can see that a Russian CA is obviously subject to control by Putin, which even if you like Putin today doesn't seem like a perpetually great idea, so you would choose some European CA instead. And if you're not a Russian you clearly don't want to trust this CA.

Now, there are some Chinese CAs, but it's again interesting that they're not popular in China. China has a huge population, plenty of potential customers, but somehow even though there is more than one CA in China, very few certificates between them. Similar to the number issued to the Government of Spain (not all companies in Spain, just their government). Same reasoning. Even if I think Xi Jinping is great and I'm a proud Chinese national, a certificate from the US or Switzerland seems like a better choice.

The Americans fall far below the lofty moral standards they set for others [in the other room is my redacted copy of the Committee Study of the Central Intelligence Agency's Detention and Interrogation Program, grim reading about American torture even though much of what the Senate were shown is redacted], but only at your considerable peril should you mistake that for meaning their cryptography is no better than whatever home grown offering has been chosen in your country despite their billions spent and their expertise in this domain.


> For example have you ever wondered why there isn't a Russian Certificate Authority trusted in the Web PKI? There's no market for one.

A more direct comparison would be Russian ciphers and there absolutely are modern Russian ciphers, e.g. https://en.wikipedia.org/wiki/Kuznyechik


Nobody uses those, either, except possibly as required to interact with the cursed government PKI (about as cursed as early 00s EU government PKIs... are those still around?). Also maybe the government people with clearances, but the less said about them the better. But that’s mostly network effects, frankly, not trust. (Nobody uses Camellia, either.) Trust issues as described by the GP do exist but mostly factor into choosing domain names, registrars, hosting, and such.

But China, unlike Russia, does have an internal technological environment meaningfully separate from the world at large. It may also be trying to cultivate an ecosystem of private government contractors, which the intense criminality of Russian government procurement doesn’t permit. (China also has a general-purpose IC fabrication industry worth a damn, whereas for Russia the equivalent question is in any case largely moot.)


My quick summary of sm3/sm4 is:

- sm3 is pretty trivial to implement
- sm4 is about 1/16 the complexity of the spec's aes implementation (one box lookup per clock rather than 8 and no inverted version)

So if you want to court the (giant) Chinese market it's kind of a no brainer
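To make the "one S-box, no inverted version" point concrete, here is a compact pure-Python SM4 as an added example (not the commenter's code, nor anything from the RISC-V spec): the same 8-bit S-box serves both the round function and the key schedule, and decryption is just encryption with the round keys reversed. The S-box, FK constants and test vector are the ones from the SM4 standard; CK is derived rather than stored.

```python
# Added example (not from the thread above): a compact SM4 block cipher in pure
# Python. SM4 uses one 8-bit S-box (SBOX) in both the round function and the key
# schedule, and decryption is encryption with the round keys reversed, so unlike
# AES no inverse S-box or inverse linear layer is needed.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)  # 16 rows of 16 bytes, as printed in the SM4 standard
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK constants are derived, not stored: byte j of CK[i] is (4*i + j) * 7 mod 256
CK = [sum(((4 * i + j) * 7 & 0xFF) << (24 - 8 * j) for j in range(4)) for i in range(32)]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def tau(x):
    """Byte-wise S-box substitution, the only non-linear step in SM4."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def t_round(x):  # T = L o tau, used in the data path
    b = tau(x)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def t_key(x):  # T' = L' o tau, used in the key schedule
    b = tau(x)
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def key_schedule(key):
    k = [int.from_bytes(key[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]  # rk_0 .. rk_31

def crypt_block(block, rk):
    x = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(32):
        x.append(x[i] ^ t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[32:]))  # reverse-order output

def sm4_encrypt(key, block):
    return crypt_block(block, key_schedule(key))

def sm4_decrypt(key, block):
    return crypt_block(block, key_schedule(key)[::-1])  # same S-box, round keys reversed
```

With the standard's test vector (key and plaintext both 0123456789abcdeffedcba9876543210) the ciphertext is 681edf34d206965e86b3e94f536e4246.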


> I'm biased, but the spec is supposed to be very accessible to people without a cryptography background. There's a section on who the intended audience is and what assumptions are made about their background. I'd really recommend it.

Certainly! As you can probably tell from my comment I'm not an expert and I found it easy to follow.

I just wanted to post a summary for anyone who is interested but doesn't find time to go into details. I know that I myself often read this site on phone and I appreciate similar comments giving a tl;dr on more complex stories.

> There are no "variants" of the entropy source. There is one entropy source interface definition which is designed to scale across the many RISC-V implementation profiles. It's very different to x86/RDRAND which lots of people are used to.

Maybe I phrased it poorly but section "4.2. Entropy Source Requirements" states: "An implementation of the entropy source should meet at least one of the following requirements sets in order to be considered a secure and safe design". It then gives three options, one of which ("4.2.3 Virtual Sources: Security Requirement") states "A virtual source is not a physical entropy source" and "A virtual source traps access to the seed CSR, emulates it, or otherwise implements it without direct access to a physical entropy source.".

My interpretation is that there is indeed a single interface (CSR) however the hardware implementation could be both real physical entropy source or a CSPRNG. And presumably the latter is more likely on low-end devices.

Please let me know if I'm getting this wrong.


> My interpretation is that there is indeed a single interface (CSR) however the hardware implementation could be both real physical entropy source or a CSPRNG. And presumably the latter is more likely on low-end devices.

A CSPRNG doesn't do anything without a seed. If you're actually a VM, your host provides the seed (the "virtual source"), which it chose randomly, and since it is actually your host anyway it has no particular reason to give you a bad seed versus just doing whatever else to sabotage you, so you have to assume the seed is good.

In contrast on physical hardware, there is no seed. If you've got a way to provision genuinely random data to the physical CPU, you don't have a "virtual source" at all. So option 4.2.3 isn't relevant to physical CPUs only to a RISC-V VM.

