Log on Aashutosh Poudel

PQ Playbook by Symbolic Software

Sat, 13 Jun 2026 00:00:00 +0000

risk asymmetry
- premature migration - engineering cost
- late migration - HNDL (harvest now decrypt later), keys, signatures can’t be trusted
  - “data that has been exfiltrated cannot be un-exfiltrated”
synthesis of common and subtle bugs in pq implementations
good sample of libraries supporting pq algorithms and rollout strategies
quick intro to standards and recommended pq algorithms
discussion on what pq rollout for TLS, PKI, signatures, messaging, attestations, hashes, etc mean
very well written and a joy to read

Links

Mon, 13 Apr 2026 00:00:00 +0000

A very basic overview of CP-ABE vs KP-ABE

Policy vs Attribute
- attribute describes a person/entity (something they are or they have)
- policy is a set of conditions a person/entity needs to satisfy with their attributes
- attributes can be compared to a key an entity has
- policy can be compared to a lock an encryptor decides
Ciphertext-Policy Attributed Based Encryption (CP-ABE)
- policy is embedded inside the ciphertext, attributes are defined on the key
- Example: a student with their student id card (key with attributes: “cs department”, “grad student”) can only access a certain set of labs or classrooms (locks/ciphertexts with policy) within a school
- useful if the encryptor is a user/client who want to limit access to data
Key-Policy Attributed Based Encryption (KP-ABE)

Wed, 25 Mar 2026 00:00:00 +0000

isolation between individual http requests is fundamentally broken in http/1.1
- no reliable way to say when one request finishes and next request starts
- multiple ways to specify request length + requests are concatenated under single connection without delimiters
request smuggling
- between client and application servers, request passes through multiple components such as load balancers, reverse proxies, etc.
- HTTP request parsers inconsistency: an attacker can craft a request that one component sees as complete, but the other continues to parse into a second, malicious request made on the same connection.
- the malicious request could inject headers and its URL into a subsequent valid request sent on the same connection.

Links

Tue, 24 Mar 2026 00:00:00 +0000

Very interesting talk by Nadim Kobeissi on teaching Cryptography in Post-Crisis Lebanon.
The course syllabus, assignments, and projects are awesome.
For students with zero crypto experience.
Based on Joy of Cryptography (Mike Rosulek) and Serious Cryptography (Jean-Philippe Aumasson).
“Earning Attention, Not Assuming It”
- enfranchise students and earn their attention
“Break the intimidation barrier”
- hard math behind cryptography is “intimidation”
- “intimidation” stemming from “notation”
- “notations” (mathematical formalisms) are scarier than the “ideas” they contain
- “ideas” are intuitive and easy to explain

Links

Mon, 23 Mar 2026 00:00:00 +0000

“bearer” token grants access to the “bearer” of the token
sender-constrained tokens to solve the problem of leaked “bearer” tokens
client using a “bearer” token provides “a proof” every time it uses the token
- “proof” ensures client has a secret private key
- “proof” is usually a JWT signed by the secret private key
- binds “proof” to a specific HTTP request
application layer
no PKI required

Links