Post-Quantum Cryptography – Round Two

See also round 1 and round 3.

After a bit more than a year since round one, we are now in the round two of post-quantum cryptography standardization process.

NIST Status Report trimmed original list of 69 algorithms to 26 that will be further studied. Based on the previous experience I would think there will be a third round in a year or so but NIST leaves open a possibility that we’ll immediately get the two finalists (one for public key exchange and one for signing).

My Star Trek key signing favorite (CRYSTALS-DILITHIUM) is actually still in the game and a further analysis is encouraged - probably as close as it gets to a positive review from NIST. It’s key exchange brother CRYSTALS-KYBER might have gone a bit too far with it’s “fishy” security proof but more analysis is needed there.

Star Wars universe is also strong with NewHope key exchange algorithm. Force is indeed strong within this one and I would dare to say it remains a strong favorite - especially due to it’s current use in Chrome.

NTRU Prime is still in there but NIST did notice a bit overly optimistic security level claims that might need to be adjusted in the future. I believe constant-time decryption this algorithm brings is a really interesting thing - especially when it comes to hardware and side-channel attacks.

I noted FALCON for its performance with a small memory footprint and that won it enough points to get into round two. However, difficulty of correct implementation and a huge potential for side-channel attacks might leave it here.

DAGS, which I loved for it’s tweakability of server/client load unfortunately stayed in round one. Likewise, RLCE-KEM noted for its performance was left behind too - largely due to complexity of (correct) implementation.

One algorithm I didn’t note in round one is Three Bears. Not only it has an awesome name and uses Mersenne primes but it also offers excellent performance. Might be a worthy challenger to NewHope.

Next update in 12-18 months. :)

Local Resolve of Proxied SSH Host Names

If you need to use one SSH machine to jump over to other hosts, you know the drill. The easiest way is to simply edit ~/.ssh/config and add ProxyJump definitions:

Host tunnel
  HostName      ^^192.168.0.1^^
  User          ^^myname^^
  IdentityFile  ~/.ssh/^^id_rsa^^

Host 192.168.1.*
  ProxyJump     tunnel

Example file above essentially assumes you have your jump point at 192.168.0.1 and you are using it to get into machines in 192.168.1.0/24 network. To go into 192.168.1.100, you would simply use

ssh user@192.168.1.100

SSH is then going to use it’s config definitions to connect to tunnel machine first (192.168.0.1) and then to make another connection from that machine to the final destination (192.168.1.100). Easy enough.

However, what if we want names to be resolved too?

If you have DNS or those names defined on your jump point, all is ok. However, what if your jump point is not under your control or you are too lazy to keep /etc/hosts up-to-date on both your local machine and the jump one?

Well, you will see the following error message:

ssh user@myremotehost.internal
 ssh: Could not resolve hostname myremotehost.internal: Name or service not know

In that case, you will need ProxyCommand and dig magic in ~/.ssh/config to do local IP resolve.

Host *.^^internal^^
  ProxyCommand           ssh -W "[`dig +short %h`]:%p" tunnel

Example above will locally resolve all IPs for host names ending in .internal before using the resolved IP on the jump host.

Speeding up BITS

If you deal with Microsoft Software Center you know the annoyance it can cause with extremely low download speeds. BITS protocol it uses was designed to be gentle toward your connection and avoid taking up bandwidth from anything else you might also be running.

However, sometime it can get overly cautious and slow down to a ridiculously low level even if you are not doing anything else with your computer. And good luck pulling those patches down if it gets into that mood.

Fortunately, you can tweak registry to give it a bit of a boost. Just go into regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\BITS. There add a DWORD named UseSystemMaximum and set it’s value to 1.

Alternatively you can get pre-prepared registry file import here (but do be very cautious when downloading registry meddling bits of the Internet).

You should see BITS drop their good guy mask and gobble all the bandwidth they can get. That will make your Software Center run much faster and maybe you get to install that darn patch within a year.

Removing Recording Time Limit on LX100

One of the rare things annoying me on my Panasonic LX100 is recording time limit. No matter how big SD you have, there is only 30 minutes you can record in one go. Yes, this is more than enough 99% of the time, but there are scenarios this disables, for example recording my occasional talk.

Well, reading through some DP Review forum threads I noticed discussion about service mode for the purpose of PAL/NTSC mode switcheroo and I wondered whether service mode offers anything else.

Well, to try it out, I followed instructions from the thread. First I kept Right, Display, and AE/AF Lock buttons while turning on the camera. Once camera has been turned on, I released all those buttons and swiched into Playback. Then I held Up and AE/AF Lock buttons while turning off the camera. If done correctly (and it took me a few tries), camera will flash yellow rectangle at you. Welcome to the service mode!

While in service mode, I suddenly got some limits increased:

FormatModeBefore32 GB64 GB
MP44K 100M 30p15m 00s41m 52s ⬆1h 24m ⬆
MP44K 100M 24p15m 00s41m 52s ⬆1h 24m ⬆
MP4FHD 28M 60p20m 20s20m 20s20m 20s
MP4FHD 20M 30p27m 09s27m 09s27m 09s
MP4HD 10M 30p29m 59s29m 29s29m 29s
MP4VGA 4M 30p29m 59s29m 29s29m 29s
AVCHDFHD 28M 60p29m 59s2h 30m ⬆5h 02m ⬆
AVCHDFHD 17M 60i29m 59s4h 08m ⬆8h 17m ⬆
AVCHDFHD 24M 30p29m 59s2h 55m ⬆5h 52m ⬆
AVCHDFHD 24M 24p29m 59s2h 55m ⬆5h 52m ⬆

As you can see, camera can now record MP4 in 4K limited only by card size and all AVCHD modes got a bump in recording length. Strangely, the same improvement is not visible in other MP4 modes as they all either retained their 30 minute or lower limits.

In case you find exclamation mark annoying, you can always exit service mode by setting both shutter speed and aperture to A. Then press Menu and Right key together and turn off the camera. That will present you with a strange menu where pressing Right, Right will end the service mode. Unfortunately that comes at the cost of your settings as that’ll do factory reset.

Me? I’m gonna keep my service mode on.

Fixing Discord Tray on Ubuntu 18.10

On my Ubuntu 18.10 installation, I had a peculiar problem. While Discord did work, it didn’t appear in the tray. Not broken enough to warrant immediate action, but broken enough to annoy me.

A quick search on Internet narrowed the culprit to unset desktop environment variable. Simply setting XDG_CURRENT_DESKTOP environment variable to Unity fixed the issue altogether.

Armed with that knowledge, I first modified the application launcher for both desktop and startup:

sudo sed -i 's^Exec=/usr/share/discord/Discord^Exec=/usr/bin/env XDG_CURRENT_DESKTOP=Unity /usr/share/discord/Discord^' \
    /usr/share/discord/discord.desktop \
    ~/.config/autostart/discord-stable.desktop

To propagate the change, a quick update of desktop database was in order:

sudo update-desktop-database

Followed by termination of the existing Discord instances:

killall Discord ; killall Discord

Once I started Discord again, its icon appeared in its rightful place.