Twitter disagreements are a daily occurrence, and even when they result in blocking, they're usually not worthy of any follow-up.
"Never argue with stupid people, they will drag you down to their level and then beat you with experience." - Mark Twain
However, Phillip Hallam-Baker is a noteworthy exception for multiple reasons:
- He claims expertise in cryptography, and self-describes as an "expert witness" in his Twitter bio.
- Experts aren't stupid, categorically.
- Despite his expertise, he published misleading claims about X25519 in a discussion on the security levels of symmetric ciphers.
- I'll explain in detail below.
- After he decided to block me on Twitter, he accused me of mansplaining and then doubled down on an off-hand remark he made about the furry fandom that you most often hear from others as a homophobic dog-whistle.
Note: Excluded from the list above was his conduct during our discussion. I understand that sometimes emotions can run high and cloud one's judgment, and will not offer that as criteria for consideration of further analysis.
As someone who opposes misinformation and mansplaining in equal measure, I'm especially offended by this particular accusation. And since the offender claims to be an expert, I feel that retorting to this claim is warranted and necessary.
Also, me writing this might save someone a few precious minutes of their life when deciding whether or not to engage with this particular dude when he's both incorrect and wrong.
If you don't care, feel free to bail out. Nobody's forcing you to read this (I hope).
This gist covers a few different topics:
- The Setting
- Phillip's Misleading Tweet
- My Response to Phillip's Misleading Tweet
- The actual problematic behavior
The first 3 topics are necessary to understand the context of the fourth (which is the focus of this document), so they are included for completeness and transparency. I don't expect anyone to really care about this part, but I want to show I have nothing up my sleeves.
The Twitter thread started with a discussion about the security levels of symmetric ciphers. Specifically AES-128 vs AES-256.
People often ask the question - is 128-bit security enough? Is AES-128 enough for high security applications? In this thread, I’ll do the calculation. I’ll assume that AES should be about 8 times faster than SHA256 in ASIC (this is conservative). 1/n
The thread continued for a bit.
(Note: I wrote this in a nested quoting style to preserve context in Markdown. They're actually tweet replies.)
mik235 wrote:
IIUC AES128 has no security margin (it's already broken down to ~126 bit security?) - so requiring extra rounds seems prudent, unless for some reason you need smaller keys, which is a probably a red flag anyway.
LinedllYehuda wrote:
I don’t agree at all. What are you basing this on? In what sense does it have no security margin?
hallam wrote:
Talk to Audi Shamir. He is the authority on symmetric ciphers. He would like more rounds, AES 256 has more rounds.
Since even X25519 produces a 255 bit result, we always use a KDF and the performance impact is negligible, I see no argument for 128 bits. I only ever use 256.
This is a misleading thing to cite, for a couple of reasons:
-
They were talking about the number of queries needed to guess a secret key for AES (a.k.a. symmetric key security). Phillip chimed in with a remark about asymmetric security.
-
The output size of X25519 being a "255 bit result" carries the risk of misleading newcomers into believing that X25519 targets the 256-bit security level. It doesn't.
Regardless of whether or not Phillip understood this nuance is irrelevant: The wording is misleading, and needed correction before someone was misled.
In the abstract, no. People are wrong on the Internet all the time.
However, when you post misinformation online as an "expert", you're inviting corrections. The only reason I participated at all was to correct a misleading tweet. If you care about things like "motive", then you'll benefit from the transparency. (If you don't, feel free to skip this part](#it-gets-weird).)
Faced with misinformation from a self-styled expert, I replied with the facts.
SoatokDhole wrote:
X25519's security against Pollard's Rho is about 2^126. The result of a computation is a random element of the group, not a uniformly random bit string. Using a KDF is necessary to prevent Cheon's attack.
Comparing asymmetric key sizes to symmetric key sizes is risky.
This was a gentle nudge that the 255-bit figure is misleading.
The discussion continued from there, but I don't want to ruminate on the play-by-play. (It's a little boring; read the linked archives if you're curious.)
Without being prompted, Phillip suddenly starts talking about something unrelated. When I expressed confusion over him feeling the need to share this tangent, he replies:
hallam wrote:
Well you felt the need to share elementary crypto protocol design with the guy who broke SSL 1.0 in ten minutes. So it seemed only fair.
This is a really weird thing to say, in any context:
- What does your street cred have to do with your misleading word choice in a tweet? If Whitfield Diffie wrote that tweet, I would've fucking corrected him (probably even more vigorously, considering the number of students that look up to him).
- Why would anyone care about how many minutes it took you to break SSL 1.0? If someone present chimed in with, "Actually it took 11 minutes and 14 seconds, I timed it because I'm an insufferable pedant," would it matter?
So I responded:
SoatokDhole wrote:
You had responded to a thread about 128-bit vs 256-bit security levels with an misleading remark about the security of X25519.
If you don't want an elementary explanation, try to avoid making such elementary mistakes.
Naturally, he didn't pick up on the intent at all and continued to double down.
Eventually he blocked me and then accused me of mansplaining. (He also misunderstood the purpose of bunnypa.ws--a sticker database for Telegram--as a sex gear store, which betrays false beliefs about the furry fandom that are often used to construct queerphobic rhetoric.)
The term mansplaining has obvious gender connotations, but it's more about power dynamics.
Mansplaining is the word feminists use wheever a man presumes the incompetence of the other person (typically a women or enbie) and then explains, with overconfidence and cluelessnes.
The power dynamic of such things are obvious: Men have systemic power and wield it to belittle non-men.
So it's really, really fucking strange to hear a married (and presumably straight) guy who's far more established in his career accuse a younger LGBTQIA+ person of "mansplaining".
If I were to be generous, I'd assume the intent is congruent to kindergarten insults. "I heard these words used in an argument once, and I'm going to use them again even though I don't know what they mean."
However, the more likely interpretation is that Phillip Hallam-Baker is appropriating feminist theory to publicly assuage his own ego after making an elementary mistake in a tweet and being toxic to someone who called him on it.
Regardless: When a self-proclaimed expert posts an incorrect or misleading statement, pointing this out isn't mansplaining.
I don't know Phillip Hallam-Baker very well. My brief interaction with him online was public and very uncomfortable. It certainly made other LGBTQIA+ folks uncomfortable enough to alert me to his follow-up tweets about me and the furry community, after he and I had already blocked each other and I was perfectly content moving on.
If it's true that Phillip is a cryptography expert, he should think more carefully about the weight his words carry, especially with neophytes. It's very easy to accidentally hurt someone who could have become a paragon of your niche by being a jerk at the wrong time. It's equally easy to confuse someone's understanding with poor word choice, especially on a platform that encourages rapid, rather than carefully considered, communication.
If it's not true that Phillip is a cryptography expert, then he should stop LARPing one on Twitter, in case someone really gets deceived.
Either way, I won't be accepting any apologies (should he even deign to offer one with his massive ego). Do better instead.