Verify. Accept.
Tim Bouma
trbouma@safebox.dev
npub1q6mc...x7d5
| Independent Self | Pug Lover | Published Author | #SovEng Alum | #Cashu OG | #OpenSats Grantee x 2| #Nosfabrica Prize Winner
A simple acceptance model: Assert. Attest. Recognize.

GitHub
safebox/docs/ACCEPTANCE-MODEL.md at dev-verify · trbouma/safebox
Nostr SafeBox. Contribute to trbouma/safebox development by creating an account on GitHub.
GN


Making great progress on developing a generic verification and web of trust capability for #nostr #safebox
@nosfabrica #hackathon


‘Are you PQC-ready?’
‘Yes. And so is my 32TB publicly accessible legacy database stored in the clear, protected by a 16 character password.’
Very cool!
Human Freedom Index
https://www.cato.org/human-freedom-index/2025

The vibe.


Preach. Thanks @HoloKat
Status of quantum computer development.
Google Docs
BSI_Study_Cryptanalytic_Relevance_of_Quantum_Computing_1766320513.pdf
Questions surround Taiwan’s decentralised military model
Lawrence Chung lawrence.chung@scmp.com
South China Morning Post
Dec 21, 2025
Lawmakers briefed on heightened risk of sudden strike paralysing command and control systems
Taiwan’s military has stepped up training in decentralised command and control, aiming to ensure frontline units can operate independently in the event of a sudden attack from Beijing.
The shift comes as defence and intelligence officials warn lawmakers that mainland China has significantly expanded its ability to pivot from military exercises to actual combat.
This expansion raised the risk that a crisis in the Taiwan Strait could escalate with little warning and overwhelm traditional top-down command structures, according to a briefing provided to legislators on Wednesday.
In a written report to the legislature, the defence ministry said the People’s Liberation Army (PLA) had steadily intensified multi-service and combat-oriented drills, moving away from episodic exercises towards routine, real-world operational training.
That had narrowed Taiwan’s response window and heightened the risk of a sudden strike designed to paralyse command and control systems at the outset of a conflict, the ministry warned.
Under existing plans, if Beijing were to announce large-scale or “composite” military operations around the Taiwan Strait, the island’s armed forces would activate a response centre, raise readiness levels and hold immediate combat-readiness drills to prevent the PLA from “shifting from exercises to war”, it said.
Further, if units were to come under sudden attack, they would be authorised to act without waiting for orders, operating under decentralised guidance, according to the ministry.
Defence Minister Wellington Koo Li-hsiung said the approach was “not about abandoning command but about ensuring mission continuity, when communications are disrupted or decisions must be made faster than centralised systems allow”.
“All training programmes incorporate decentralised command-and-control concepts,” he told lawmakers.
Koo described the approach as mission command – ensuring that every unit clearly understood its assigned task and could act on a commander’s intent when faced with an unexpected attack.
The concept had been practised in this year’s Han Kuang exercises, the island’s largest annual war games, he said.
Pressed by opposition lawmakers on whether such authority presupposed that war would have already broken out, Koo said the scenario “applies only after our forces have come under attack” – a worst-case situation in which “the right of self-defence must be exercised immediately”.
Senior officers argued that decentralisation was increasingly essential, given the PLA’s growing emphasis on speed, saturation and electronic warfare.
Lieutenant General Hsieh Jihsheng, a senior intelligence official at the defence ministry, told lawmakers that PLA “combat-readiness patrols” could rapidly shift from training to drills – or from drills to war – leaving frontline troops no time to wait for instructions from higher command.
“That is why training must give basic units the knowledge and capability to act independently,” he said on Wednesday.
But the concept has ignited a debate among Taiwanese security experts, with critics warning it risks becoming a euphemism for abandonment if not matched by clear rules of engagement, resilient logistics and realistic assessments of battlefield conditions.
Ying-yu Lin, a professor of strategic studies at Tamkang University in New Taipei City, said the execution of a decentralised strategy would hinge “less on slogans” than on “clearly defined rules of engagement”.
“The key questions are when units are required to raise readiness levels and under what conditions frontline troops are authorised to open fire,” Lin said.
“Decentralisation only works if rules of engagement are explicit, pre-authorised and understood in advance, so soldiers act according to clear guidance rather than improvisation.”
Shu Hsiao-huang, a researcher at the government-funded Institute for National Defence and Security Research, said grey-zone operations – which fall below the threshold of open conflict – differed fundamentally from full-scale war.
“Many grey-zone actions carry political intent, whether probing, coercion or attempts to trigger miscalculation,” he said. “Leaders must distinguish between isolated incidents and the prelude to mobilisation for war.”
The most blistering criticism came from Armand Tan, a senior researcher at the Taiwan International Strategic Study Society think tank, who said decentralised command risked masking deeper structural weaknesses.
“Some claim that over-reliance on higher command is a weakness of Taiwan’s ground forces,” Tan said. “I believe decentralised command and control, as currently framed, is a deployment for defeat – a fool’s consensus.”
Tan questioned how far decentralisation was meant to extend, warning that Taiwan risked stripping away the operational “transfer function” of higher command before frontline units were capable of fighting independently.
“In theory, decentralisation can go down to the individual soldier, or up through companies, battalions and brigades,” he said. “But where is the line? What is the basic combat unit?”
In a war scenario, the PLA would first establish air, sea and electromagnetic dominance, severing command chains and external communications – including the Global Positioning System – just as assumed in recent Han Kuang exercises, Tan said.
“An individual soldier would not be facing PLA infantry,” he said. “They would face drones, loitering munitions and ground combat robots. Can a single soldier realistically cope with that?”
Scaling up to company-level operations, Tan questioned how an infantry company under attack by suicide drones and combat robots could request electronic warfare or drone support from other units if command links were severed.
“Similarly, if an electronic warfare company’s equipment were fully jammed, how could it support others – or even request support itself? A battalion commander might nominally have forces, but in wartime he may not be able to direct even one soldier.”
Tan warned that decentralised command without intact coordination could “push combat into civilian areas or force units to surrender, increasing civilian casualties rather than resilience”.
Beijing sees Taiwan as part of China to be reunited by force if necessary. Most countries, including its main international partner the United States, do not recognise Taiwan as an independent state, but Washington is opposed to any attempt to take the self-ruled island by force and is committed to supplying it with weapons.
A Bluffer's Guide to PQC Digital Signatures: (Source: Bill Buchanan)
- In digital signing, a private key is used to sign the hash of a message, and the associated public key will verify it.
- RSA, ECDSA and EdDSA are all broken by Shor's algorithm.
- For digital certificates, RSA is currently the most popular method for public keys and signing.
- NIST-approved signatures are defined in FIPS 186-5 (Digital Signature Standard - DSS).
- NIST has defined that RSA, ECDSA and EdDSA will be deprecated in 2030, and disallowed from 2035.
- NIST have approved two main standards for FIPS 204 (ML-DSA) and FIPS 2025 (SLH-DSA).
- ML-DSA is based on the Dilithium method, and SLH-DSA is based on the SPHINCS+ method.
- SLH-DSA is a stateless hash method, and where there is no need to remember the previously used private keys.
- There are three levels of security of PQC signatures: Level 1 (128-bit equiv security), Level 3 (192-bit equiv security) and Level 5 (256-bit equiv security).
- ML-DSA is a lattice-based method. For 128-bit security, we have ML-DSA-44, for 192-bit, we have ML-DSA-65, and for 256-bit security, we have ML-DSA-87.
- SLH is a hash-based method. For 128-bit security, we have SLH-DSA-SHA2-128f, for 192-bit, we have SLH-DSA-SHA2-192f, and for 256-bit security, we have SLH-DSA-SHA2-256f. We can have SHA-2 or SHAKE as the hashing method (SHAKE is faster).
- With SLH-DSA, we can have a fast version, such as SLH-DSA-SHA2-256f, or a slower version, such as SLH-DSA-SHA2-256s.
- For ML-DSA-44, we have a 1,330-byte public key, a 2,602-byte private key, and a signature size of 2,420 bytes. Reasonable key sizes and reasonable signature size.
- For SLH-DSA-SHA2-128f, we have a 33 public key, a 64-byte private key, and a signature size of 17,088 bytes. Small keys, large signature.
- ML-DSA is generally much faster than SLH-DSA, but SLH-DSA has strong security guarantees.
- ML-DSA and SLH-DSA are now supported in OpenSSL 3.5.
- NIST have also approved FIPS 206 (Falcon) as a standard, and which has smaller key and signature sizes, but is slower than ML-KEM.
- In Round 2 for Additional Signatures, NIST is assessing other methods for future signatures, and include Multivariate Cryptography (MC), and Unbalanced Oil and Vinegar (UOV), MPC-in-the-Head, and Code-based methods.
- The XMSS methods allow for stateful signature replacements, but these often require hardware-based controls and can be slow.
- There are some worries about the long-term security of lattice-based methods, but hash-based ones generally have few worries about their long-term security.
- ML-DSA is generally as fast for key generation and signing as elliptic curve methods, and much faster than RSA.
- With PQC signing, we can have pre-hash sign, and where we take the hash of the message before feeding it into the signature method. This has a lesser performance effect.
See them in action with OpenSSL 3.5 here:
Signature Generation: https://asecuritysite.com/openssl/mldsa_keygen
Certificate Generation:
Digital Certificate (X.509) for ML-DSA and SLH-DSA Keys with OpenSSL 3.6
“The first rule of secret quantum computer club is that you don’t do anything that might let people know you have a secret quantum computer.”


X (formerly Twitter)
Matthew Green (@matthew_d_green) on X
Dear Bitcoin people: quantum computers aren’t coming tomorrow, you’re going to be just fine.
Bella says GN



