One aspect of cryptography that makes it so fragile is that different constructions have different security properties.
Authenticated encryption schemes are not all equivalent!
You might say “we need authenticated encryption” and choose AES-GCM.
And then later you discover that you want to encrypt more than 2^32 (about 4 billion) messages under one key, which is the NIST limit for randomly generated 96-bit nonces,
or that you need key commitment.
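As an added example (not code from the post), here is what the lack of key commitment in AES-GCM means in practice: a single ciphertext-plus-tag that decrypts successfully under two different keys. The tag is GHASH over the ciphertext plus a mask, and GHASH is linear over GF(2^128), so with two unknown ciphertext blocks you can fix the first and solve for the second. It assumes the `cryptography` package is installed; the keys, nonce and field arithmetic helpers are constructed here for the demonstration.

```python
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ONE = 1 << 127           # the element "1" in GCM's bit-reflected GF(2^128)
R = 0xE1 << 120          # reduction constant from NIST SP 800-38D

# constructed demo keys and nonce (not real material)
DEMO_KEY_1 = bytes(range(16))
DEMO_KEY_2 = bytes(range(16, 32))
DEMO_NONCE = bytes(12)


def gf_mul(x, y):
    """Multiply two GF(2^128) elements held as big-endian ints (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(x):
    """x^(2^128 - 2) == x^-1 in the field; square-and-multiply."""
    result, base, e = ONE, x, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_block(key, block):
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def i2b(x):
    return x.to_bytes(16, "big")


def b2i(b):
    return int.from_bytes(b, "big")


def gcm_params(key, nonce):
    """H = E_K(0^128) and the tag mask E_K(J0), with J0 = nonce || 0^31 || 1 for 96-bit nonces."""
    h = b2i(aes_block(key, bytes(16)))
    mask = b2i(aes_block(key, nonce + b"\x00\x00\x00\x01"))
    return h, mask


def two_key_ciphertext(k1, k2, nonce, c1=None):
    """Return (ciphertext, tag) that AES-GCM accepts under both k1 and k2 (no AAD, two blocks).

    For a two-block ciphertext C1||C2 with no AAD the tag is
        T = C1*H^3 + C2*H^2 + L*H + E_K(J0)
    so equating the tags under (H1, E1) and (H2, E2) gives a linear equation in C2.
    """
    h1, e1 = gcm_params(k1, nonce)
    h2, e2 = gcm_params(k2, nonce)
    c1 = b2i(c1 if c1 is not None else os.urandom(16))
    length_block = b2i((0).to_bytes(8, "big") + (256).to_bytes(8, "big"))  # bitlen(A)=0, bitlen(C)=256
    h1sq, h2sq = gf_mul(h1, h1), gf_mul(h2, h2)
    rhs = (gf_mul(c1, gf_mul(h1sq, h1) ^ gf_mul(h2sq, h2))
           ^ gf_mul(length_block, h1 ^ h2) ^ e1 ^ e2)
    c2 = gf_mul(rhs, gf_inv(h1sq ^ h2sq))
    tag = gf_mul(c1, gf_mul(h1sq, h1)) ^ gf_mul(c2, h1sq) ^ gf_mul(length_block, h1) ^ e1
    return i2b(c1) + i2b(c2), i2b(tag)


def decrypt_under_both(k1, k2, nonce, ct, tag):
    """Both calls succeed; the two plaintexts differ, which a committing AEAD would prevent."""
    return (AESGCM(k1).decrypt(nonce, ct + tag, None),
            AESGCM(k2).decrypt(nonce, ct + tag, None))


if __name__ == "__main__":
    ct, tag = two_key_ciphertext(DEMO_KEY_1, DEMO_KEY_2, DEMO_NONCE)
    p1, p2 = decrypt_under_both(DEMO_KEY_1, DEMO_KEY_2, DEMO_NONCE, ct, tag)
    print("plaintext under key 1:", p1.hex())
    print("plaintext under key 2:", p2.hex())
```

The plaintexts are garbage here, but the same algebra lets an attacker who controls both keys (or can try many) pick meaningful content under one key and junk under the other, which is why any system that lets a receiver try several keys against one ciphertext needs a committing AEAD or an explicit key commitment step.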

one very popular fully encrypted transport protocol over udp
would make traffic analysis of fully encrypted protocols much harder.

there are apparently technical guidelines^{1} that cover turning random bits into uniformly random integers in a range whose size is not a power of two.
unfortunately they lack a bit of nuance.
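As an added example (not from the post or the guideline it refers to), the two standard ways of getting an integer in [0, n) from random bits, side by side: plain `% n` reduction, whose bias can be computed exactly, and rejection sampling, which is exactly uniform. The `get_bits` parameter and the histogram helpers are constructed for the demonstration.

```python
import secrets
from fractions import Fraction


def bits_needed(n):
    """Smallest k with 2**k >= n, so one k-bit draw covers 0..n-1."""
    return (n - 1).bit_length()


def uniform_below(n, get_bits=secrets.randbits):
    """Uniform integer in [0, n) by rejection sampling: draw the minimum number of
    bits and retry whenever the draw lands on or above n. The expected number of
    draws is 2**k / n, which is always below 2. get_bits(k) must return a uniform
    k-bit integer (defaults to the CSPRNG-backed secrets.randbits)."""
    if n <= 0:
        raise ValueError("n must be positive")
    k = bits_needed(n)
    while True:
        x = get_bits(k)
        if x < n:
            return x


def modulo_histogram(n, k):
    """Apply the naive (random k-bit word) % n to every one of the 2**k inputs.
    Unequal counts mean the output is not uniform: residues below 2**k % n are
    hit one extra time."""
    counts = [0] * n
    for raw in range(1 << k):
        counts[raw % n] += 1
    return counts


def modulo_max_bias(n, k):
    """Largest |Pr[output = v] - 1/n| for the naive reduction, as an exact Fraction.
    This is the nuance: for k = bits_needed(n) the bias is large, but with k far above
    log2(n) (say 64 extra bits) it drops below 2**-64 and is negligible in practice."""
    total = 1 << k
    q, r = divmod(total, n)
    if r == 0:
        return Fraction(0)
    return max(Fraction(q + 1, total) - Fraction(1, n),
               Fraction(1, n) - Fraction(q, total))


if __name__ == "__main__":
    print("8-bit word % 6 over all inputs:", modulo_histogram(6, 8))
    print("max bias with 8 bits:", modulo_max_bias(6, 8))
    print("max bias with 72 bits:", float(modulo_max_bias(6, 72)))
    print("rejection sample in [0, 6):", uniform_below(6))
```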

i’ve been wanting a good way to migrate signature keys in converge.
ideally, a migrating key pair such that:

- signatures can be verified using only the signing public key
- the migrating secret cannot be derived from the signing secret key, even if the migrating public key is known

yesterday, twitter rolled out encrypted direct messages.

their help page listed some glaring limitations, so i wanted to take a look inside.

the usual use of the shared secret from a diffie-hellman key exchange is as a symmetric encryption key.
of course, there’s nothing preventing anyone from using it as a secret key for a signing algorithm instead.
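As an added example (not code from the post), two parties run X25519, derive the same Ed25519 seed from the shared secret, and then either of them can sign. It assumes the `cryptography` package; the HKDF info label and the message are constructed. The check at the end is the security caveat a practitioner wants: because the signing key is shared, a signature only proves "one of the two of us" and a third party cannot attribute it to a specific party, which is the deniability property, not non-repudiation.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

INFO = b"example: x25519 shared secret as ed25519 seed"  # constructed domain-separation label


def shared_signing_key(my_x25519_priv, peer_x25519_pub):
    """X25519 -> HKDF-SHA256 -> 32-byte Ed25519 seed. Both sides derive the same key."""
    shared = my_x25519_priv.exchange(peer_x25519_pub)
    seed = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=INFO).derive(shared)
    return Ed25519PrivateKey.from_private_bytes(seed)


def raw_pub(sk):
    return sk.public_key().public_bytes(serialization.Encoding.Raw,
                                        serialization.PublicFormat.Raw)


def verifies(pub, sig, msg):
    try:
        pub.verify(sig, msg)
        return True
    except InvalidSignature:
        return False


def demo(msg=b"constructed message"):
    alice, bob, mallory = (X25519PrivateKey.generate() for _ in range(3))
    a_sk = shared_signing_key(alice, bob.public_key())
    b_sk = shared_signing_key(bob, alice.public_key())
    m_sk = shared_signing_key(mallory, alice.public_key())  # different pairing, different key
    sig = a_sk.sign(msg)
    return {
        # the DH secret is symmetric, so both sides hold the identical signing key
        "same_key": raw_pub(a_sk) == raw_pub(b_sk),
        "bob_verifies_alice": verifies(b_sk.public_key(), sig, msg),
        # Ed25519 is deterministic: Bob produces the byte-identical signature, so
        # nobody can tell which of the two actually signed
        "bob_signature_identical": b_sk.sign(msg) == sig,
        # a key derived from a different pairing does not verify it
        "mallory_key_verifies": verifies(m_sk.public_key(), sig, msg),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```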