This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
-
You Cannot Rotate What You Cannot See: Crypto-Agility and the Cryptographic Bill of Materials
The hard part of post-quantum is not the new algorithms -- it is finding the old ones. A field guide to crypto-agility, discovery, and the CycloneDX CBOM.
-
Correct, Constant-Time, and Still Owned: A Field Guide to Side Channels, Faults, and Key Custody
Correct, constant-time crypto still leaks keys through timing, cache, speculation, and fault channels, and deployed systems break most often at key custody.
-
One Event, Three Assumptions, Five Answers: A Field Guide to the Post-Quantum Toolkit
A field guide to the five NIST post-quantum primitives -- ML-KEM, ML-DSA, SLH-DSA, FN-DSA, HQC: math intuition, exact sizes, failures, and decision rules.
-
The Discrete Log Held; The Proofs Leaked: A Field Guide to Commitments and Sigma Protocols
How the discrete log stayed hard for forty years while the proofs built on it kept breaking: Pedersen commitments, Schnorr, Sigma protocols, and Fiat-Shamir.
-
Nobody Broke Shamir: A Field Guide to Secret Sharing and Threshold Cryptography
Shamir 1979 splits a secret so any t-of-n rebuild it and t-1 learn nothing. The perfect-secrecy core never broke; every failure was in the machinery around it.
-
The Server Helped, and Never Saw: A Field Guide to Oblivious Pseudorandom Functions
How a server applies its secret key to your secret input without ever seeing it: OPRF, VOPRF, and POPRF (RFC 9497), the engine of OPAQUE and Privacy Pass.
-
The Standard Was Boring; That Was the Point: A Field Guide to HPKE (RFC 9180)
The industry standardized encrypt-to-a-public-key four incompatible ways. HPKE (RFC 9180) is the boring, correct fix -- and its non-goals are the whole discipline.
-
Nobody Broke the Discrete Log: A Field Guide to Diffie-Hellman and Forward Secrecy
The discrete log held for fifty years; Logjam, small-subgroup, and invalid-curve attacks broke the deployment instead. A field guide to FFDHE, ECDH, and X25519.
-
The Math Held; The Interface Leaked: A Field Guide to Digital Signatures
ECDLP and RSA held; the nonce, the canonical form, and the verifier broke instead. A field guide to ECDSA, EdDSA, RSA-PSS, determinism, and malleability.
-
The Doorway Into the Group: A Field Guide to Hashing a String Onto an Elliptic Curve (RFC 9380)
Turning a string into an elliptic-curve point is a two-decade problem behind a one-line API. Why H(m)*G and hunt-and-peck both fail, and how RFC 9380 fixes it.
-
The Curve Was Hard; The Gap Was Soft: A Field Guide to Using Elliptic Curves Safely
Textbook ECC is hard; deployed ECC broke anyway. A field guide to P-256, Curve25519, Ristretto255, invalid-curve attacks, cofactors, and constant-time.
-
One Secret Is Not One Key: The Discipline of Key Derivation with HKDF
A raw DH or ML-KEM shared secret is key material, not a key. How HKDF extract-then-expand, key separation, and the TLS 1.3 key schedule get it right.