anarchist; hacker; once-upon-a-time theoretical physicist. i might be a cryptographer but i'm not your cryptographer. i use 
𝖍𝖆𝖘𝖍 𝖋𝖚𝖓𝖈𝖙𝖎𝖔𝖓𝖘
U tweetove putem weba ili aplikacija drugih proizvođača možete dodati podatke o lokaciji, kao što su grad ili točna lokacija. Povijest lokacija tweetova uvijek možete izbrisati. Saznajte više
of course there's ways around non-constant-time multiply instructions, like the well-documented tricks @BearSSLNews uses (cf. https://www.bearssl.org/ctmul.html or below) but afaik all them rely on tricking *some* form of a hardware multiply instruction into good behaviourpic.twitter.com/wDV8N6nUSU
in my quest to make commodore 64s secure against attackers with quantum computers by implementing supersingular isogeny key encapsulation in 6510 assembly, i obviously need constant-time multiplication, but forget even variable-time IT DOES'T HAVE *ANY* MULTIPLICATION INSTRUCTION
before jumping into the assembly (THERE WAS A JOKE THERE, DID YOU SEE, DID YOU SEE IT) maybe i should first show some C taken from an older version of BoringSSL which multiplies two n-bit numbers into a 2n-bit result in constant-time (albeit relying on hardware multiplication)pic.twitter.com/VwLCU6cDrC
here's a fairly "simple" variable-time 8-bit x 8-bit -> 16-bit multiplication algorithm in 6502/6510 assembly, which indexes over the bits of the b multiplicand and conditionally either doubles or add-then-doubles, taking 146 cycles (best case) to 184 cycles (worst case)pic.twitter.com/Nh3hoONQRF
here's the same routine made constant time by always adding-then-doubling which requires 283 instructions AND TAKES 374 CYCLES JUST TO MULTIPLY TWO BYTESpic.twitter.com/TBV7N5mlUh
the 6510 chips in commodore 64s run at ~1MHz depending on whether it's the PAL or NTSC version, and a field element in this 434-bit prime field takes 56 bytes, so multiplying two field elements takes roughly 20,944 cycles or ~21ms assuming page boundaries aren't crossed
i'm not sure how many field element operations i'm going to need to walk the isogeny graph yet, but i feel pretty confident that this is going to be the slowest post-quantum cryptographic implementation in existence, and quite possibly just straight up slowest crypto in the world
this amusingly means that i will hold the title for implementing both the fastest and slowest elliptic curve related cryptographic implementations in the world 
this is arguably the most absurd tweet i have ever read it's amazing
This tweet in Lehman’s terms would need a full thread on making sense of it all 
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.
