March 22, 2026

From vault to volts of laughter

Article URL →HN comments →

A Copy-Paste Bug That Broke PSpice AES-256 Encryption

From “AES-256 fortress” to a 4‑byte padlock — and the crowd is cackling

TLDR: A bug made PSpice’s “AES‑256” lock effectively a 4‑byte key, and a new tool now lets engineers use those models outside PSpice. Commenters are roasting the use of a notorious weak mode, calling the whole thing vendor lock‑in theater, while a few caution about licenses and ethics.

Engineers are howling after a researcher revealed PSpice’s big “secret”: a copy‑paste oops turned its fancy AES‑256 encryption into something you can brute‑force in seconds. Translation: the lock on many vendor parts was more prop than protection, and now a new tool, SpiceCrypt (link), lets folks use their legally obtained models in any simulator, not just Cadence’s.

The comment section lit up. One top quip pointed to the smoking gun—PSpice used ECB (Electronic Codebook), the “don’t ever do this” mode of encryption—calling it the crypto equivalent of “we vibe‑coded our firewall in PHP.” Another crowd favorite? The idea that this was never real security at all. “Just obfuscation,” sneered one commenter, framing it as pure vendor lock‑in dressed up as protection.

Then came the cool‑headed zinger: crypto bugs don’t make noise. Whether it’s a 4‑byte key or a 32‑byte one, the output looks like gibberish either way—so this flaw hid for 12 years. That line had everyone nodding and wincing at the same time.

While most cheered interoperability and open tooling, a few raised eyebrows about licenses and ethics. But the dominant vibe was pure schadenfreude: engineers celebrating a magician’s curtain yanked down, revealing a “vault” with the keys taped to it. The memes wrote themselves: from “AES‑256? More like AES‑4” to “Fort Knox by Ikea.” Drama, laughter, and a whole lot of unlocked circuit models ensued.

Key Points

  • PSpice’s proprietary encryption has six modes; mode 4 uses AES-256 (ECB) with user-supplied key material via CDN_PSPICE_ENCKEYS.
  • A bug passes only a 4-byte short key to the AES engine, zero-padding the rest, making 28 of 32 AES key bytes known.
  • The effective keyspace drops to 2^32; brute-force recovery of the key is feasible in seconds with AES-NI.
  • A fixed plaintext prefix in the first metadata block (“0001.0000 ”) provides a known-plaintext check for key validation.
  • SpiceCrypt, a Python library/CLI, was released to decrypt PSpice-encrypted models and enable use across simulators.

Hottest takes

"ECB is the least secure… like ‘we vibe‑coded our firewall in PHP’" — pseudohadamard
"It was never security, just obfuscation" — userbinator
"Crypto bugs don’t break loudly—this hid for 12 years" — alexchengyuli

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.