Still the shapes fill my head

Dec. 13th, 2025 10:20 pm
viridian5: From a 2009 Model as Muse: Embodying Fashion window display at Bergdorf Goodman. (Mannequin)
[personal profile] viridian5
[Image: snowmen 1 (couple)]

I finally found a warm-ish night when I was available to go, so I traveled into Manhattan on a window display spree.

I've posted Ralph Lauren, Bloomingdale's, Bergdorf Goodman, and Kleinfeld Bridal Christmas/holiday window display photos to my Flickr.

I'll be going through, processing, and posting Saks Fifth Avenue's haul in the near future. They made things so hard on me...

+++

I'm still adjusting the arrangement of ornaments on my tree to my taste and wondering if the (non-thieving) roommate ever notices.
flemmings: (Default)
[personal profile] flemmings
Good heavens. I have a 'save the date' Christmas card/ wedding invite from my younger nephew and his fiancée. Next May. How very nice of them and do I have to go, in about equal measure. I have no expectation of being walker-free in the next six months, they live a good ways outside of Toronto, and Catholic ceremonies, even weddings, require a lot of up and downing. Ah well, sufficient unto the day etc.

Did not make it to the library. Sidewalks are still ice-fringed, even with two days of near 0C, and a pain to walk over. Thursday is supposed to reach dizzy heights of 7C/ over 40F, which will be soon enough.

Did get to Fiesta which has turkey rolls for less than Loblaws or Sobey's, also Dufflet cookies, Dufflet chocolate rolls, and a single gingerbread person with a broken leg, all of which I bought, alas.

Was also accosted there by a mother from the daycare and her daughter, the former of whom recognized me while I couldn't quite place her. Trouble was she looked like she might be the Young Ladies' mother's (non-existent) sister, and her 7 year old-ish daughter not only looks like but has the same name as L, so my mind kind of stuttered for a minute, before remembering that L is in uni. Mom says we date from 2018 so maybe she's the Swiss mother we had then? whose kid had moved to toddlers by late 2019. Must confess I kind of stopped registering the individual babies by then, which was yet another sign that I needed to retire.

Life lived in dot points

Dec. 14th, 2025 09:44 am
fred_mouse: black and white version of WA institute of technology logo (university)
[personal profile] fred_mouse
  • surgical recovery continues apace. The incision has mostly healed, although the knot of dissolving stitches at one end got caught when I was trying to clean it and pulled it slightly open, so I've now cut off the knot, put a fancy steri-strip over it to hold it together, and a little circular sticking plaster over that. Internals still noticeably sore, externals are itchy; have been putting 'scar therapy gel' on which seems to help (it was in the cupboard; I do not know what any of the ingredients are). I see the surgeon on Tuesday for follow up.
  • reviewers' comments for my candidacy proposal are in (received late on Friday). I'm not actually sure what the next step is -- I'll work it out tomorrow. I think it said 'no edits' which is a surprise, given that I have been reading and annotating weekly since submitting, and there are a lot of 'this could be clearer' and 'what did you mean here?' notes. Also, I found another answer to one of the reviewers' questions from the presentation about why books and not films/tv, which is that I'm hoping to get a wider range of cultural influences (and I have a paper from Italy in which almost all of the TV/movies that the kids reported was from the USA, which very much supports my 'this would be an issue' argument)
  • there was an HDR and supervisors lunch run by the school I'm in on Monday. This was very interesting and I met a lot of people. Including one who I was unsurprised to discover is an acquaintance of Youngest. Very queer (not very surprising) and neurodiverse (should not have been surprising) bunch that I met.
  • weather has been Warm. To the point that [personal profile] artisanat has been volunteering to put the air-con on.
  • There have been some changes to the mix of South Asian grocers on High Road. One of the two north of Bunnings has gone (and the one still there no longer stocks palak paneer in their shelf-stable preprepared meals; not the regular nor the tofu/vegan option. They do, however, still have some vegan options). There is a new one that is further south than the ones I was aware of -- nearly to where the petrol station is. To the point that it is still so new that not all the shelves are stocked; we couldn't find the box meals there at all, but we had to rush because we ran out of time. Thus there are still three that I'm aware of.
  • Monday's rehearsal I went with the intention to play pizzicato, which was mostly fine, but I got there to discover the C string broken (spare was at home) so had to transpose some of the work up an octave, which ah, that needs practice. As does one of the sections we hadn't got to that I'd failed to realise has a lot of fast notes.
  • craft has stalled
  • reading - one of these weeks I'll get around to doing another reading post. Over on the Book Club of Habitica Discord I've joined the TBR Bingo challenge for Dec/Jan and set myself a bingo card of 16 books from my 'paused' list. So far, I've finished 1, which is progress but not as fast as I want.
sovay: (Viktor & Mordecai)
[personal profile] sovay
Apparently I can no longer re-toast myself a signature half pastrami, half corned beef sandwich from Mamaleh's without spending the rest of the evening singing the same-named hit from a 1917 American Yiddish musical. The Folksbiene never seems to have revived it and if the rest of the score was as catchy, they really should. [edit] I am charmed that the composer clearly found the nickel conceit tempting enough to revisit in a later musical, but that line quoted about the First Lady, didn't I just ask the twentieth century to stay where we left it?

At the other end of the musical spectrum, [personal profile] spatch maintains it is not American-normal to be able to sing the Holst setting of "In the Bleak Midwinter," which until last night I had assumed was just such seasonal wallpaper that I had absorbed it by unavoidable dint of Christmas—it's one of the carols I can't remember learning, unlike others which have identifiable vectors in generally movies, madrigals, or folk LPs. Opinions?

Thanks to lunisolar snapback, Hanukkah like every other holiday this year seems to have sprung up out of nowhere, but we managed to get hold of candles last night and tomorrow will engage in the mitzvah of last-minute cleaning the menorah.

Fandom when ships collide...

Dec. 14th, 2025 01:22 am
dividedbyblue: A 3d art image of a man holding a sword over his head (bryce warrior)
[personal profile] dividedbyblue
I've been in a fandom of a lovely ship from a Spanish telenovela for a year and a half now. There is this couple, Marta and Fina, who fell in love, and their story was written in a very romantic way, with both of them proclaiming eternal love for one another and saying that being without the other would be like living but dead inside. It's truly a wonder. But as things happen, at the beginning of the year, one of the actresses got pregnant and (most probably temporarily) left the show. So they wrote a dramatic exit in which Fina was blackmailed into leaving Marta without telling her she was being blackmailed or where she would go. She left a simple note with not much information, but asked Marta to go on with her life. Marta grieved for quite some time. The fandom fed on old clips and the hope of the actress's possible return. But then, a new character was introduced as what seems to be a temporary love interest. She flirted with Marta, but wasn't offering her an epic love story, just a new adventure that seemed casual at best, but one that could possibly be healing. Marta's reaction was one of attraction, but she was unable to dive into this yet because of her broken heart. And the fandom went insane. An ugly ship war erupted, where 'true fans' of Fina/Marta were saying nasty things about anyone liking the new character, the new (probably temporary) ship, and going as far as threatening the actress playing the new character. They only see Marta with one woman (Fina), and all else is a betrayal or corruption of their love story. As if the writers didn't separate them of necessity, and if the actress doesn't return, Marta should just be celibate and lonely for the rest of the duration of the show?

I see all that and am just dumbfounded. I enjoy the storyline with the new character, and don't see how that would make me less a fan of the original ship or make me miss them less. But apparently, such a thing cannot exist. I am cautious about what I say on Twitter, and even then, I lose followers just for reposting an image of the new character. It's insane. I have never experienced this. I remember Xena in the old days, and a lot of people shipped Ares with Xena. I never saw any of the Xena/Gab shippers attack them like this. Now, am I just very naive? Is this a new phenomenon? Does this always happen in fandoms? Does anyone have experience with anything like this?
[syndicated profile] key_material_feed

Posted by Sophie Schmieg

After publishing my series on UOV, one feedback I got was that my blog posts made people feel more confident in the security of the scheme, because “at least someone is looking into these things”. I don’t necessarily know if that is the takeaway I would make from my posts, but it gave me the idea to write my extremely subjective, and very much biased guesstimates for how secure I consider various approaches and problem families within PQC.

Since unfortunately I do not possess infinite wisdom or the gift of time travel, these are at best informed guesses, and I take no responsibility for being wrong on any of them.

Generalities

There is a somewhat popular saying in cryptography “attacks only get better”. It’s a vacuously true statement, since obviously an attacker will always use the most powerful technique currently known, but I think it is also at least slightly misleading, implying that progress on attacks is not only inevitable, but also somewhat continuous.

Instead, what we are seeing is usually something like this: Initially, when a certain technique is first seriously discussed, attacks come in quickly and parameters have to be adjusted to account for them. With time, as our understanding of the space grows, we tend to refine those attacks, but it is a process of diminishing returns. It is possible that some novel mathematical technique starts a new spurt in advances in attacks, but importantly, there is usually no continuous improvement in attacks.

As an example, if we look at RSA, we first have the naive factoring algorithms such as trial division and Fermat’s method, which predate cryptographic use. Then, in the seventies, they get joined by the first major improvement in the space, Pollard’s rho. In the 80s, we get the quadratic sieve, as the first subexponential algorithm, joined by various lattice methods. Finally in the 90s, more than 30 years ago, we get the current best factoring algorithm, the general number field sieve, a refinement of the quadratic sieve, as well as further improvements on lattice techniques. Quantum algorithms also first enter the scene, with Shor’s algorithm. After that, successes die down substantially, mostly confined to relatively minor improvements to the general number field sieve.

This is not because we stopped working on factoring algorithms, but most of the effort shifted to other targets such as the Montes algorithm for factoring polynomials over discrete valuation rings.

If we look at elliptic curves, the story of attacks is even less exciting. There is, to this date, no known generic classical attack against elliptic curves that is better than a space-time traded off version of a brute force search. This is again not because the topic isn’t studied; elliptic curves are one of the most fundamental building blocks of algebraic geometry, and we know them in great depth. In fact, we know them well enough that we can even start to explain this lack of attacks: They are the most generic form of Diffie-Hellman out there.

All in all, this makes our job predicting the future of which algorithm is likely to break and which ones are likely to last, very, very hard. We are not looking at nice, predictable trends, but instead are mostly looking at a process that jumps in huge steps every few decades.

A different way to look at the same trends is to say that a scheme gets more trustworthy every time it survives an attack. From that point of view, attacks that fail teach us something about the scheme itself, adjusting our priors, making it more trustworthy. This is particularly true for attacks that tell us something fundamental about the underlying problem; the more general the attack, the more it can teach us why a scheme is resilient.

But, now, without further ado, my personal list about how safe I think various approaches to PQC are, together with how familiar I am personally with the space and how much I think it has been studied.

1st Place: Hash-based Signatures

There isn’t much to say about hash-based signatures. They have a security reduction to the properties of the hash function used. Any signature scheme, and pretty much any public key encryption scheme requires a hash function somewhere in its construction, be it to compress the message, act as a random oracle, a key derivation function, or as a one-way function. If we cannot construct a secure hash function, we cannot do cryptography. In fact, if we consistently failed in creating secure hash functions, we would most likely live in a universe where P equals NP.

Hash-based signature schemes have reduction proofs that reduce their security to that of their underlying hash function. As such, hash-based signature schemes are at least as secure as any other asymmetric (or symmetric) cryptographic primitive. They have plenty of drawbacks, but lack of security is not one of them. While I haven’t studied them to great depth, there is also just not much to say about their security. They are secure.

Note that one of the drawbacks that some hash-based signature schemes have is the necessity to keep state (LMS/XMSS). While these schemes are as secure as their hash function if used correctly, the same is not true if the state is not managed correctly, i.e. if one-time-signatures are used more than once. While I have extremely high confidence in the mathematics of hash-based signatures, I also have extremely low confidence in our collective ability to not corrupt state once in a while.

2nd Place: Lattices

It is hard to overstate my confidence in lattices. General lattices, such as used in FrodoKEM, being broken is pretty much all but equivalent to proving P = NP, at which point all cryptography vanishes (since symmetric cryptography reduces to boolean satisfiability very easily), and it is time to find another career.

Lattices feature heavily in arithmetic number theory, as they arise very naturally when studying number fields. As such, lattice algorithms are actually far more central to mathematics than factoring algorithms. The number of problems an efficient lattice reduction algorithm solves is far higher than that of an efficient factoring algorithm. The main reason for that is that lattice problems are the simplest form of Diophantine equation problem, the linear Diophantine equation. You can see an example of this in one of my previous blog posts. This makes lattice reduction one of the most useful algorithms for calculating pretty much anything in discrete mathematics.

Far from being constrained to just algebraic number theory, they also show up in algebraic geometry, in the description of Abelian varieties over the complex numbers. Or, as it turns out, p-adic numbers, as studied in my PhD thesis. Given how central they are to mathematics, I would be extremely surprised if someone, somehow, found a way to improve on generic lattice reduction. Even when it comes to quantum algorithms, lattice reduction is probably one of the most studied ones, and so far, no generic improvement has been found, and several fundamental-looking obstructions have been identified.

Lattices, as a mathematical object, have been studied pretty much for the same time as elliptic curves have been, since both arise from the same underlying questions about the circumference of an ellipse. In this study, certain integrals arise naturally, defining a function that has two periods in the complex plane. In other words, functions that can be seen as defined on the complex numbers modulo a lattice. And the simplest of these functions, $\wp$, obeys a differential equation $\wp'^2 = 4\wp^3 + g_2\wp + g_3$. In other words, $\wp$ and its derivative define an elliptic curve.

In cryptography, lattices also have been studied about as long as elliptic curves have. First as an attack, due to their mentioned ability to solve Diophantine equations, and soon after as cryptosystems themselves, by increasing the lattice rank to the point that the reduction becomes impossible to compute. The main reason you might not have heard of them before is their generally larger overhead compared to elliptic curves and RSA, making them unappealing in a world where elliptic curves and RSA are unbroken.

But we are not using generic lattices, we are specifically using module lattices. Those are the lattices coming from number field orders. A number field is a field extension of $\mathbb{Q}$ (such as adding the imaginary unit $i$ to the rational numbers), and an order in such a number field is a generalization of the integers (such as adding the imaginary unit $i$ to the integers, to obtain the number field order called the Gaussian integers). These number field orders are canonically lattices themselves, and any finitely generated module (i.e. vector space, but for rings) over them is again a lattice in a canonical way.

If there is a break of ML-KEM or ML-DSA, my money would be on exploiting this additional structure. However, even when it comes to this additional structure, it is very well understood and studied.

Looking at MLWE and NTRU specifically, both problems are deeply related to the p-adic rational reconstruction problem. In the case of MLWE, we need to switch to RLWE, but a number field order can be seen as a module over an order of some subfield, so this doesn’t really change the picture all that much.

So what is the rational reconstruction problem? Recall that, in order to attack LWE, we needed to find $s, e$ such that $As + e = t \, \text{mod} \, q$, which mainly boils down to describing the kernel, the solutions to $As + e = 0 \, \text{mod} \, q$. For RLWE (or indeed, for NTRU), we need to switch to a number field order, which we mainly do by replacing the capital $A$ with a lower case $a$. We can, of course, without much consequence, switch the sign of the error term, and write $as - e = 0 \, \text{mod} \, q$, for the lattice we need to reduce. With a slight reordering, this is equivalent to $a = e/s \, \text{mod} \, q$. Since $e$ and $s$ are small in some metric, this means that what we are asking is: given a fraction with bounded numerator and denominator, which is only known modulo some ideal (or more generally a number of finite places), find the numerator and denominator.

We all know this problem when we replace the finite places with infinite places, especially over $\mathbb{Q}$, albeit usually less dressed up in formal mathematics lingo: This is the question of which fraction fits best with some given limited precision decimal expansion, such as the question of whether an output of $1.666$ came from an actual result that was $5/3$, or $1666/1000$.

This problem (over finite places, i.e. modulo a prime) arises relatively naturally when studying number fields, and the only way we know for solving it is lattice reduction.

This is a very common pattern in arithmetic number theory: you usually take problems that arise there and reformulate them until you can express them as a lattice problem, and then proceed to reduce the lattice when the number field is small enough. The opposite, where you can use the number theoretic properties of the number field to say something about a lattice without reducing it, is on the other hand very rare.

That being said, we are not using a random number field when it comes to lattice cryptography, but a fairly small set of very specific ones, which have properties that are not usually encountered in many number fields, such as having a class number of 1, and an easy to calculate group of units (up to some finite cofactor easy to calculate, that is, but still this is usually a hard lattice problem for a random number field, but is easy for the cyclotomic fields heavily ramified over 2 that we want for our cryptographic purposes).

That being said, even with these blemishes, when it comes to module lattice cryptography, we are talking about a very well understood and explored part of mathematics, that should be very safe to use for cryptographic purposes.

3rd Place: Codes

I know a lot less about codes than I do about lattices; I’ve always considered them as the smaller sibling of lattices. Both schemes fundamentally work via underdetermined linear systems, where the solution has certain special properties. Being small in the case of lattices, and having lots of zeroes (i.e. being small in the Hamming metric) in the case of codes. Their construction has many similarities, to the point that code based cryptography can be attacked with the same lattice reduction techniques that lattice cryptography has to deal with. Compared to lattices, codes are far less central to mathematics, but whether that is a good or a bad thing is hard to say. But really, I haven’t studied codes to any necessary detail to have much of an opinion on them, other than that they are fine, probably, at least as long as lattices are fine. They are also less efficient than lattices in pretty much all of their instantiations, and at least I do not know how to think of them as a more general mathematical problem (akin to the p-adic rational reconstruction problem that governs MLWE/NTRU).

4th Place: Isogenies

Now to a bit of a controversial placement: Isogenies. What, even though SIKE was broken? Yeah, well obviously I don’t place SIKE at 4th place, it’s somewhat lower, right above Vigenère ciphers, and only because the attack is more interesting.

SQISign on the other hand is a different story. The main reason to place it ever so slightly above multivariate cryptography in my opinion is that we much better understand the underlying hard problem and how it relates to the scheme itself.

I am not ashamed to admit that I have a bias towards pretty mathematics, and SQISign does some of the most beautiful mathematics I know of. That being said, the scheme is for now too slow to actually be used in practice, and while it can be reduced to the endomorphism problem, we cannot currently rule out that the endomorphism problem ends up being easy, especially given that it is far less central to mathematics than lattices are. It has been studied somewhat extensively, though, but I am somewhat worried that the best experts on the endomorphism problem in algebraic geometry are just now slowly even learning about the existence of isogeny based cryptography. After all, the SIKE attack is based on a theorem discovered in 1997, and yet wasn’t discovered until 2022, showing a huge gap between academic algebraic/arithmetic geometry and cryptographers working on isogeny based crypto.

5th Place: Multivariate Cryptography

I’ve written a whole series on Unbalanced Oil and Vinegar, probably the most basic of the multivariate schemes. Since then, a new attack has come out, leveraging wedge products. While the attack is far from catastrophic, it also feels very arbitrary, similar to the Kipnis–Shamir attack on Balanced Oil and Vinegar; it seems to me that we are missing something to really have a full understanding of the space.

Humorously enough, even before the paper, I had tried unsuccessfully to attack UOV using wedge products, more precisely I tried to figure out if there is a structure in the cotangent space that can be exploited, so the fact that wedge products were a meaningful attack vector is not surprising per se, but still, if we want to trust UOV, we need to, in my opinion, have a better understanding of what the hard problem here actually is.

It is easy to point to Gröbner bases here, but in my opinion the gap from generic Gröbner basis computation to the specific UOV problem is quite large. While all NP-complete problems necessarily reduce to each other, reducing to a Gröbner basis computation is one of the easier reductions: just like you can reduce a computer program to a boolean circuit satisfiability problem by literally translating the instructions, you can reduce a problem about polynomials to a Gröbner basis computation.

One thing that particularly stands out to me about Multivariate Cryptography is that variations that have tried to reduce the size of the public key ended up broken quite often. To me, there is something missing about fully understanding what makes this problem hard to fully trust it, but my progress in understanding the problem space better has at least given me a glimpse of why basic UOV should be secure.

That being said, realistically, I should place them above isogenies, mostly because we have had more survived attacks in this space, but this is my list, and if it doesn’t contain at least one upsetting placement, it wouldn’t be very subjective now, would it?

Bonus: Why RSA and Elliptic Curves both fall together

One question that I got asked recently was why RSA and elliptic curves, while looking so different as cryptosystems, are both susceptible to Shor’s attack, when all these other schemes barely spend a word talking about why Shor’s does not apply to them. While it is true that at first glance, RSA and elliptic curves do look very different, they are actually far more related than one might think; some of it is even already visible in classical attacks.

As I described in my post on why elliptic curves are really the only option for discrete logarithm problems, elliptic curves contain the multiplicative discrete logarithm as a subcase (at least if you allow for stable models). And for multiplicative discrete logarithm problems, we already have the same attacks working on RSA and DLOG. From that perspective it might be less surprising that an attack that is polynomial on RSA also solves ECC.

More concretely, the thing that Shor’s algorithm actually solves is the Abelian Hidden Subgroup problem: Given a group $G$, a function $f \colon G \to X$ is said to hide the subgroup $H$ of $G$ if $f$ is constant on each coset, but different for different cosets. In particular, if $H$ is a normal subgroup, this means that $f$ is defined and injective on $G/H$. The hidden subgroup problem is Abelian if the group in question is Abelian. This is a bit of a mouthful, so let’s look at a trivial example first, using $\mathbb{Z}$ as our group and try to hide $3\mathbb{Z}$ as a subgroup. A function would hide this subgroup if it has a different value on the cosets, for example, if the function was just the value of the integer modulo 3. For a slightly more interesting function, which actually meaningfully hides something, we can look at the world of variant Sudoku, where we often see the concept of a modular line or modular mirror or similar, which requires certain digits to have the same residue mod 3 (For example this one or that one). Solving these puzzles is usually done by coloring the corresponding digits in one of three colors, indicating the residue class mod 3. Importantly, it is (at least initially), not known which color corresponds to which residue class, which starts to show why the function is considered hiding this subgroup. Of course, even if you just mapped integers to colors, the hidden subgroup would still be pretty easy to find by anyone who can count to three (and importantly, solving the Sudoku has nothing to do with solving the hidden subgroup problem), but you can imagine that for a larger modulus, this becomes an actually hard problem.

While not necessary, it is very useful to know the classification problem for Abelian groups when looking at this question for Abelian groups in particular. All finitely generated Abelian groups can be written as the product $\mathbb{Z}^r \times \mathbb{Z}/m_1\mathbb{Z} \times \mathbb{Z}/m_2\mathbb{Z}\times \dots \times \mathbb{Z}/m_n\mathbb{Z}$, where $m_1 | m_2 | \dots | m_n$. Knowing this means we know very well what, at least in theory, any subgroup of an Abelian group looks like, which is going to make the next bits a bit easier to grasp in their generalities.

Knowing that Shor’s algorithm can solve the Abelian Hidden Subgroup problem, and now knowing what the Abelian Hidden Subgroup problem is, all that is left to do is to show where the subgroup is hiding, for both RSA and elliptic curves. As discussed, elliptic curves are more or less the most generic of all DLOG groups, so we don’t really need to concern ourselves with the intrinsics of how elliptic curves work, and can instead just take a generic group $G$ (and as a bonus, this allows me to use multiplicative notation without feeling dirty). In fact, let’s start with DLOG.

So given two elements $a, b \in G$, we are looking for $k$ such that $a^k = b$. Instead of working with $G$ as domain, we use two copies of $\mathbb{Z}/n\mathbb{Z}$, and define our function $f \colon \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z} \to G$ as $(m_1, m_2) \mapsto a^{m_1}b^{-m_2}$. Since $b=a^k$, this is equal to $(m_1, m_2) \mapsto a^{m_1-k\cdot m_2}$, i.e. it’s a linear transform on $\mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ followed by a discrete exponentiation.

But the discrete exponentiation is a group isomorphism, so we can basically ignore it for the purposes of hidden groups, since the hidden group definition does not really care about the range of the function to begin with. As a linear function, it is easy to see where $f$ maps to the unit, namely exactly for vectors generated by $(k, 1)$.

Since $f$ is a group homomorphism, we can use the group isomorphism theorem to know that $f$ is constant on each of the cosets and injective on the quotient, i.e. $f$ hides an Abelian subgroup. Applying Shor’s algorithm, and obtaining a generator of this subgroup, we can recover $k$, since all elements of this subgroup have the form $(k\cdot m, m)$.

Reformulating RSA into an Abelian Hidden Subgroup problem is even easier: The security of RSA is built on the attacker not knowing the order of the group, since the order of $\left(\mathbb{Z}/n\mathbb{Z}\right)^\times$ is $\varphi(n) = (p-1)(q-1)$, from which we can recover $n$’s factors $p$ and $q$ easily. So how is order finding an Abelian Hidden Subgroup Problem? Just take a random element $a\in \left(\mathbb{Z}/n\mathbb{Z}\right)^\times$ and define $f$ as $f \colon \mathbb{Z} \to \left(\mathbb{Z}/n\mathbb{Z}\right)^\times\;;\;x\mapsto a^x$. This function has the same result exactly for all the multiples of the order of $a$, in other words it hides $\operatorname{ord}(a)\mathbb{Z}$ as a subgroup of $\mathbb{Z}$. And the order of an element is always a divisor of the order of a group, so we can use this to find factors of $n$.

Hidden Subgroup Problems are more general than just this, and are mostly just a framework to restate problems to. In fact, we can restate lattice reduction as a hidden dihedral subgroup problem. But importantly, quantum computers are really good at operating on Abelian groups, but, at least so far, have not shown any success whatsoever on non-Abelian groups. This does make sense, given their construction, and gives us some data on why lattices have withstood quantum cryptanalytic attacks so far.
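The two hidden subgroups described in the bonus section of the post above can be made visible on toy numbers. This is an added example, not code from the post: the parameters (p = 101, a = 2, k = 37, n = 3233) are constructed, all function names are hypothetical, and exhaustive search stands in for the quantum period-finding step, which is only feasible at this size.

```python
from math import gcd

# Constructed toy DLOG instance: 2 generates (Z/101Z)^x, which has order n = 100.
P, A, N = 101, 2, 100
K_SECRET = 37
B = pow(A, K_SECRET, P)


def f_dlog(m1, m2):
    """f(m1, m2) = a^m1 * b^(-m2), the hiding function from the post."""
    return (pow(A, m1, P) * pow(B, -m2, P)) % P


def dlog_kernel():
    """Hidden subgroup: every (m1, m2) in (Z/nZ)^2 that f maps to the unit."""
    return [(m1, m2) for m1 in range(N) for m2 in range(N) if f_dlog(m1, m2) == 1]


def is_constant_on_cosets(kernel):
    """Check f(x + h) == f(x) for all h in the subgroup, on a few sample x."""
    samples = [(0, 0), (5, 9), (42, 77)]
    return all(
        f_dlog((x1 + h1) % N, (x2 + h2) % N) == f_dlog(x1, x2)
        for x1, x2 in samples
        for h1, h2 in kernel
    )


def recover_k(kernel):
    """Kernel elements are (k*m, m); any m invertible mod n gives k back."""
    for m1, m2 in kernel:
        if gcd(m2, N) == 1:
            return (m1 * pow(m2, -1, N)) % N
    raise ValueError("no kernel element with invertible second coordinate")


def element_order(a, n):
    """Smallest r > 0 with a^r = 1 mod n, i.e. the generator of ord(a)Z."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def hides_order_subgroup(a, n):
    """x -> a^x mod n repeats with period r and is injective on one period."""
    r = element_order(a, n)
    one_period = [pow(a, x, n) for x in range(r)]
    repeats = all(pow(a, x + r, n) == one_period[x] for x in range(r))
    return repeats and len(set(one_period)) == r


def factor_via_order(n):
    """Usual post-processing of an order: if r is even and a^(r/2) != -1,
    then gcd(a^(r/2) - 1, n) is a proper factor of n."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return g, n // g
        r = element_order(a, n)
        if r % 2 == 0:
            y = pow(a, r // 2, n)
            if y != n - 1:
                p = gcd(y - 1, n)
                return p, n // p
    raise ValueError("no factor found (n may be prime)")


if __name__ == "__main__":
    kernel = dlog_kernel()
    print("kernel size:", len(kernel), "recovered k:", recover_k(kernel))
    print("factors of 3233:", factor_via_order(3233))
```

For a = 2 and n = 3233 the order is even but a^(r/2) is -1, so `factor_via_order` moves on to the next base, which is why the loop over several random elements matters.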
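The rational reconstruction problem from the lattice section of the post above, in its smallest form: an added example over the plain integers, not code from the post. It assumes q = 3329 (the ML-KEM modulus, used here only as a convenient prime) and a constructed bound of 40; function names are hypothetical. In this rank-one case the lattice generated by (q, 0) and (a, 1) is two-dimensional, and the extended Euclidean algorithm performs the reduction.

```python
from fractions import Fraction

Q = 3329      # prime modulus (assumption: chosen for familiarity only)
BOUND = 40    # |e|, |s| <= 40, so 2 * 40 * 40 < Q and the answer is unique


def hide_fraction(e, s, q=Q):
    """Return a = e / s mod q, the only value the solver gets to see."""
    return (e * pow(s, -1, q)) % q


def rational_reconstruct(a, q=Q, bound=BOUND):
    """Recover (e, s) with e = a*s mod q, |e| <= bound, 0 < s <= bound.

    Runs the extended Euclidean algorithm on (q, a), keeping the invariant
    r = t * a mod q, and stops at the first remainder within the bound.
    Returns None when no such small pair exists.
    """
    r0, r1 = q, a % q
    t0, t1 = 0, 1
    while r1 > bound:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        t0, t1 = t1, t0 - quot * t1
    if abs(t1) > bound:
        return None
    if t1 < 0:                      # normalise so the denominator is positive
        r1, t1 = -r1, -t1
    return r1, t1


def in_lattice(e, s, a, q=Q):
    """(e, s) lies in the lattice {(x, y) : x = a*y mod q}."""
    return (e - a * s) % q == 0


def best_fraction(decimal_text, max_denominator):
    """Infinite-place analogue: best fraction for a truncated decimal."""
    f = Fraction(decimal_text).limit_denominator(max_denominator)
    return f.numerator, f.denominator


if __name__ == "__main__":
    a = hide_fraction(7, 23)
    print("a =", a, "->", rational_reconstruct(a))
    print("1.666 ->", best_fraction("1.666", 10), "or", best_fraction("1.666", 1000))
```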
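The state-management caveat in the hash-based signature section of the post above, shown on a one-time signature. This is an added example, not code from the post: it uses a Lamport signature over SHA-256 as the simplest one-time scheme (LMS and XMSS use Winternitz-style one-time signatures instead), seeds and messages are constructed, and `StatefulSigner` is a hypothetical in-memory stand-in for a signer whose index would be stored durably.

```python
import hashlib


def H(data):
    return hashlib.sha256(data).digest()


def bits(msg):
    """The 256 digest bits of msg, most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen(seed):
    """Derive a Lamport key pair deterministically from a seed (constructed)."""
    sk = [[H(seed + bytes([b]) + i.to_bytes(2, "big")) for i in range(256)]
          for b in (0, 1)]
    pk = [[H(x) for x in row] for row in sk]
    return sk, pk


def sign(sk, msg):
    """Reveal one secret value per digest bit."""
    return [sk[b][i] for i, b in enumerate(bits(msg))]


def verify(pk, msg, sig):
    return all(H(s) == pk[b][i] for i, (b, s) in enumerate(zip(bits(msg), sig)))


def positions_fully_revealed(messages):
    """Bit positions where signatures on these messages, all made with ONE
    key, disclose both secret values. Empty for a single message."""
    seen = [set() for _ in range(256)]
    for m in messages:
        for i, b in enumerate(bits(m)):
            seen[i].add(b)
    return [i for i, s in enumerate(seen) if len(s) == 2]


class StatefulSigner:
    """Hypothetical signer: one Lamport key per index, each used once."""

    def __init__(self, seed, leaves):
        self.keys = [keygen(seed + i.to_bytes(4, "big")) for i in range(leaves)]
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys are used up")
        index = self.next_index
        # Reserve the index BEFORE producing the signature; a real signer
        # would write it to durable storage at this point.
        self.next_index += 1
        return index, sign(self.keys[index][0], msg)


def rollback_demo():
    """Restoring an old copy of the state makes the signer reuse an index."""
    signer = StatefulSigner(b"constructed-seed", 4)
    first, _ = signer.sign(b"message a")
    snapshot = signer.next_index          # e.g. a VM snapshot or backup
    second, _ = signer.sign(b"message b")
    signer.next_index = snapshot          # state restored from the old copy
    third, _ = signer.sign(b"message c")
    return [first, second, third]


if __name__ == "__main__":
    leaked = positions_fully_revealed([b"message b", b"message c"])
    print("indices used:", rollback_demo())
    print("positions with both secrets exposed after reuse:", len(leaked))
```

The reserve-then-sign order protects against a crash between signing and saving, but not against the rollback shown in `rollback_demo`; that needs a counter the restore cannot rewind.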

After some digging

Dec. 13th, 2025 07:12 pm
james_davis_nicoll: (Default)
[personal profile] james_davis_nicoll
I am not aware of any big name authors who got their start with a work published by Baen Books after 2006. If there are recent analogs of Bujold or Weber, I do not know of them.

(no subject)

Dec. 13th, 2025 11:49 pm
beccaelizabeth: my Watcher tattoo in blue, plus Be in red Buffy style font (Default)
[personal profile] beccaelizabeth
I am not a fan of december.
... three tries at the next sentence later I kind of wind up back at 'the dark bit always sucks and it's kind of unsatisfying when feels are fundamentally about the sky orb'.
This too shall pass.



I have been reading fanfic but already I have read all the ones from this new to me throuple and am going again with the filters off, so that's working about as well as it usually does.

There must be really teensy tiny amounts of canon though, none of these resemble the others except for the ending.


Unrelated to the throuple, I keep thinking up plot bunnies that are just the grand confrontation parts, and then not wanting to think up how the confrontation ends up happening. Like obviously it was all a big misunderstanding and the Star gets to be Epic and Misunderstood and then Everyone Says Sorry!
Which is a grand daydream but not a story I let see the light of day.

Got to have some sort of core disagreement
or
got to write a sportslike.

I mean there's no reason not to posit that magic users do duels on the regular, and being really good at duels could be so satisfying, but, I do not read stories like that, I read stories with big epic demon fights etc.


I do have an idea about The Magic Went Away But We Can Bring It Back. Only it keeps veering about not deciding which particular verse it is in or if I need to remix them all.

Also if magic was real here then I think here would end up looking like Golarion. I think Golarion from Pathfinder is a logical end point of it being impossible to take away people's Weapons of Mass Destruction. People there can get upset and just do a Plague Storm and make it everyone's problem. Magic can get fouled up so thoroughly you end up with Mana Wastes. Crashed sky cities can make for problems thousands of years later. That all seems perfectly logical if magic.

So what's the actual up side?


A lot of stories don't want magic, they want to be *the ones with* magic. Like, as soon as the other guy can do the exact same things, that's Hard mode and distinctly less fun. People spend more time dreaming of fireballs than resist or protect from energy spells.

Also the protection spells fail when it is drama, and then there is waking up in hospital, because stakes.
There are so many more stories with magic injuries than magic healing, that I have seen.

Making there be stakes even when there is magic healing seems pretty simples, since it's all the things that do not involve hospital, which is most days.

But then I end up reading a bunch of stories in a row about how magic user abusive relationships can go that wrong, and I'm stuck between, well that is a lot of no fun, and, well if they used the same abilities on each other that we've seen against the bad guys, that is so very not dark enough yet.

Tricky, making something interesting to read once it can go horror story from a standing start.

Memory spells and tracking spells alone make nightmare fuel.



Okay, I shall go think of something else to do.

Last ponymeet of 2025

Dec. 13th, 2025 11:43 pm
loganberrybunny: Christmassy stuff (Bunny Bauble)
[personal profile] loganberrybunny
Public


316/365: Salvation Army band, Worcester

I was in Worcester today for the last meetup with my friends in the My Little Pony fandom for nearly a month, because of the Christmas break. (Hearth's Warming break, in Equestrian terms!) A very good time was had, I unexpectedly ended up the winner of the 2025 Chase the Ace championship – hence that "surprised" mood setting! – and I had an extremely nice orange and cranberry muffin. Earlier on I'd been wandering through the city centre and the Salvation Army band was playing carols, a long-standing sound of Christmas in Worcester. Of course the SA are problematic, though AIUI nowhere near as bad as their US counterparts have been – but I don't think listening to the carols does any harm, and it certainly cheered up quite a few kids in the vicinity who had been grizzling about the cold!

Recent reading

Dec. 13th, 2025 06:01 pm
troisoiseaux: (reading 8)
[personal profile] troisoiseaux
Read Tied Up in Tinsel by Ngaio Marsh, one of the later installments in her Roderick Alleyn series (published 1972) and set against the backdrop of a country manor being restored by a wealthy eccentric, whose particular eccentricities include hiring a domestic staff consisting entirely of convicted murderers. I enjoyed this one a lot: Alleyn's wife, painter Agatha Troy, is the focal character until he shows up halfway through to figure out whodunnit, and I always love Marsh's Troy-centric novels; the wealthy eccentric was also a really great character. And it is, as the title suggests, seasonally relevant/a Christmas Episode!

Read The Night Guest by Hildur Knútsdóttir (translated from Icelandic by Mary Robinette Kowal), a novella about a woman who is either having a mental health crisis or in the throes of something more supernatural when she finds herself waking up each morning to the increasingly violent aftermath of apparent sleepwalking episodes. Shades of Ottessa Moshfegh's My Year of Rest & Relaxation, but darker/creepier/gorier. Do not read if you are particularly fond of cats. I picked this up after seeing a review from [personal profile] rachelmanija that both piqued my interest and tempered my expectations, and I'm glad I went in forewarned that the plot's ambiguity is never actually resolved and nothing is explained; I didn't mind the Wouldn't that be messed up? Anyways I'm Rod Serling approach, but it would have been annoying to have expected answers that never came.

Have made some progress in the audiobook of Mary Shelley's Frankenstein, and this is hardly a new/unique observation, but it really is wild to read the classics that have become so diffused into general pop culture, because you'll be like yeah, yeah, we get it, it's a famous book and then you'll actually read it and it really is That Good???
full_metal_ox: A gold Chinese Metal Ox zodiac charm. (Default)
[personal profile] full_metal_ox posting in [community profile] fancake
Fandom: Green Hornet (1966 and 2011 versions), Batman (1966), Al Hirt (musician), Bruce Lee
Pairings/Characters: Gen; Britt Reid | Green Hornet, Kato, Bruce Wayne | Batman, Dick Grayson | Robin, cameo by Beatrix Kiddo | The Bride (Kill Bill), Black Beauty is practically a character, right?
Rating: General Audiences
Length: 3:03
Content Notes: Rapid flickering image shifts; earworm hazard.
Creator Links: (Instagram) [instagram.com profile] Dorodigital; (YouTube) [youtube.com profile] Dorodigital
Theme: Amnesty, Crossovers & Fusions, FANCAKE IS FIFTEEN, Fandom Classics, Fanvids, Older Fandoms, Underloved Works

Summary: What started out as an attempt to learn flight of the bumble bee on the trumpet evolved into a fascination with the green hornet theme song. Although the show featured one of my favorite Martial Artist ..Bruce lee..the main attraction for me was the frenetic trumpet solo performed by another hero of mine Mr. Al hirt. This song was also used in the motor cycle scene in kill bill. I was delighted to learn that they were making a movie version in 2011 starring Seth Rogen and Jay Chou..Alas there could be only one Bruce lee as well as one Al hirt. However I decided to perform this cover in tribute to Al and Bruce...Enjoy

Reccer's Notes: Two great tastes that taste great together: against a montage of thrilling stunts and snappy dialogue, trumpeter Ricardo Dowridge multiplies himself into an orchestra to celebrate his musical and martial heroes.

Fanwork Links:



One man’s Green Hornet.mpg, by Ricardo Dowridge: https://www.youtube.com/watch?v=X8UVF7tkdRw

(no subject)

Dec. 13th, 2025 05:57 pm
watersword: Keira Knightley, in Pride and Prejudice (2007), turning her head away from the viewer, the word "elizabeth" written near (Default)
[personal profile] watersword

Hi, there's an active shooter situation on my campus; I'm safe and a couple of miles away. ♥

lizbee: A sketch of myself (Default)
[personal profile] lizbee
I started playing Assassin's Creed: Unity and realised that I know almost nothing about the French Revolution. We did study it in grade 10, but I missed a lot of time due to a never-identified virus -- I was out for most of the American Revolution and all of the French, and mostly passed the class because I knew more about the Chinese Communist Revolution than my teacher. (It's not her fault, she was an art teacher who was roped in to teach history for ... reasons which I'm sure made sense at the time.) 

Anyway, I've decided to fill the gap in my knowledge. I started out by trying to listen to The Rest Is History, a podcast my mum recommended, but the hosts are two English men, and they spend a weird amount of time comparing Marie Antoinette to Meghan Markle, but in a derogatory "maybe we should decapitate the Duchess of Sussex" way that I did not care for. 

Then I read The French Revolution by Christopher Hibbert, which I think is from 1980. It was a solemn, dispassionate accounting of events and personalities, but didn't get into the question of, for example, why the Parisian mob went from zero to heads on pikes in the storming of the Bastille. 

I've requested an inter-library loan for Citizens by Simon Schama, which I've seen recommended a lot, but I would also be eager to read a history that's not ... British? Because the British, for understandable reasons (I guess) weren't really down with the beheading of the monarch and the end of the monarchy (even though they did it first), and I feel like a pro-aristocratic bias has pervaded a lot of what I've encountered. And obviously the Terror was bad, but, like, maybe Robespierre was an asexual smol bean who was a convenient scapegoat! I'm open to the possibility! 

I am open to suggestions, is what I'm saying. 
jesse_the_k: chainmail close up (links)
[personal profile] jesse_the_k

I've observed hockey RPF fandom from an immeasurable distance, and I still got a kick out of this post:

https://marina.dreamwidth.org/1576715.html

[personal profile] marina was in hockey fandom, spent her childhood in Ukraine, knows much about filing serial numbers, and has definite opinions about vodka.

I'm reading reading reading.

Hi!

Posting; Pinch Hit; Betas

Dec. 14th, 2025 11:09 am
yuletidemods: A hippo lounges with laptop in hand, peering at the screen through a pair of pince-nez and smiling. A text bubble with a heart emerges from the screen. The hippo dangles a computer mouse from one toe. By Oro. (Default)
[personal profile] yuletidemods posting in [community profile] yuletide_admin
The DEADLINE is getting closer and closer!


At this time - 9pm UTC on 17 December - your Yuletide assignment must be posted (published, not a draft!) to the Yuletide collection as a complete work.


Before then, we need your help, Yuletide! We have an outstanding pinch hit (#121) for the fandoms:
SMPLive
Roughhouse SMP
Mirai SMP - XYouly
Highcraft (Web Series)

See details here. Please email us at yuletideadmin@gmail.com if you can help, and spread the word if you have friends who might be interested. This pinch hit is due at 9pm UTC on 19 December.

More pinch hits will be advertised at [community profile] yuletide_pinch_hits, especially after 9pm UTC on the 17th.


Additionally, we love beta reader volunteers! You can connect with writers at this post by filling out a Google form, or you can join the Discord and keep an eye out for beta requests advertised by members with the Hippo role.


Good luck to everyone facing down the deadline!



Please either comment logged-in or sign a name. Unsigned anonymous comments will be left screened.

(no subject)

Dec. 13th, 2025 10:43 pm
goodbyebird: Firefly: Zoe, "We live in a spaceship, dear." (FF like something out of science fiction)
[personal profile] goodbyebird
❄️ ❄️ ❄️ ❄️
Rec-cember Day 13


Star Trek (2009 movie)
Lunch and Other Obscenities by [archiveofourown.org profile] Rheanna (9,717 words). Just a delightful exploration of different cultures colliding.
When Starfleet Academy's Housing and Accommodation Officer—whose name, according to the sign next to her door, was Diane Maza—arrived at her office the next morning, Nyota was already there, waiting.

"My roommate's a sex-crazed exhibitionist with a food phobia," Nyota told her. "You have got to reassign me."

Maza didn't react. She regarded Nyota for a moment with a coolly appraising gaze that seemed designed to silently communicate that she hadn't just seen everything, she'd seen everything plus some other shit as well, and therefore any attempt to shock a reaction out of her was doomed at the outset.

American Fancy Drinks

Dec. 13th, 2025 09:03 pm
[syndicated profile] metafilter_feed

Posted by chavenet

The library is located in Cocktail Kingdom's New York City Headquarters and is available for touring and research by appointment only. The extensive library hails from the private collection of Greg Boehm and is composed of more than 3000 books from the 1600's to more modern day cocktail and spirit books, and ephemera. Treasures from the Collection

More exhibits, including The Evolution of Mixed Drinks: A Timeline, Major Figures of Cocktail History, Essential Drinks of the American Bar, The 'Cocktail Canon' Timeline, and The Dawn of Drinks Writing