# Questions tagged as ['attack']

A cryptographic attack tries to theoretically and/or practically attack the security properties of a cipher and/or algorithm.
Score: 2
Short Nonces in ECDSA signature generation

Recently I noticed that my device generates short-sized Nonces.

Approximately $$2 ^ {243} - 2^{244}$$.

Could it turn out that there will be a small leak of information about the first 3 bits of Nonces?

Accordingly, if Nonces is short, then it must contain null at the beginning. That is, the first 3 bits of Nonces contain null at the beginning.

Hence, for the sake of safety:

When creating an ECDSA signatur ...

Score: 5
Can a series of triangle reflections be used for cryptography?

(I guess no but why is this the case? Any way to make it possible?)

Out of a given equilateral triangle T1 (with its 3 vertices A, B, C lying in a finite field $$\mathbb F_N^D$$) another equilateral triangle T2 can get constructed by mirroring one of the 3 vertices at the edge in between the two other vertices. This will be repeated multiple times.

Given just two random triangles T1 and T2 (and $$\mathbb F_N^ ...$$

Score: 0
Eavesdropping attack on text-book RSA encryption with public nonce

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $$\text{sk}$$ and $$\text{pk}$$ respectively). Bob has an authentic copy of $$\text{pk}$$. The adversary has an authentic copy of $$\text{pk}$$.

Now, Bob wants to send his $$\text{PIN}$$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $$N_0$$ (a number chosen randomly  ...

Score: 1
Can the salt be derived based on the other components of encrypted data?

I'm using python.cryptography's Fernet with PBKDF2 passphrase hashing to encrypt a piece of data (the value) that is stored, encrypted, in a database. The hashed passphrase is not stored in the database, and for that reason neither is the salt. Instead, the salt comes from a password vault in the application's runtime environment, and then modified to make it unique per value.

One question I hav ...

Score: 0
How does knowing the factors of the key help me decrypt?

I recently started learning about cryptography and its Quantum aspect and I came across Shor's Algorithm (which solves the following problem: "Given an integer N, find its prime factors").

I also came across this video called "How Quantum Computers Break Encryption | Shor's Algorithm Explained"

I am still confused about how knowing the factors of the key is going to help me solve the problem.

Score: 0
What are the main attacks that can be done against a ZK Σ-protocol like Schnorr's identification scheme?

I heard about the "Chess Grandmaster Problem", Eavesdropping attacks and Man-in-the-middle.
Can they be applied in any way to a ZK protocol?
I'm not looking for long examples, just what are the main attacks and briefly how they work will do.
Thank you so much!

Score: 2
Kleptography SETUP attack in ECDSA

I'm trying to implement the kleptography SETUP attack on ECDSA with Python. Just a simple script to verify the algorithm. However, I can't get the right output as the paper said. Where is the problem? Can anyone help?

```python
from ecpy.curves import Curve, Point
import hashlib
import gmpy

cv = Curve.get_curve('secp256k1')
G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x48 ...
```

Score: 0
MAC Security - MAC verification queries

In the applied cryptography book by Boneh and Shoup, Chapter 6 on MACs, it is stated that an adversary that is also capable of requesting the challenger for verification queries (in addition to signing queries) is not stronger than an Adversary that can only ask for signing queries. I do not understand why a verification query cannot be emulated by the signing query Adversary by generating the pair (mi, ...

Score: 4
What would be the requirements for a new-age cipher standard?

While nowhere near being broken, AES has known attacks like reading from the substitution table, memory-based attacks, etc.

If we keep getting better at breaking ciphers and we eventually get close to taking AES down, what would (in your opinion) be the requirements for a cipher of an era where even Rijndael isn't safe enough?

• key sizes
• data sizes
• design (stream/Feistel/PSN, or s ...

Score: 0
RSA attack with plain text, cypher text, public key

Starting from the fact that there are different attacks on RSA, based on the starting situation, for example there are different studies on attacks that find the private key having the freedom of an original arbitration text. But I was wondering this, in this situation: you have several plaintext texts and their encryption, you also have the public key (because you use RSA to authenticate) is it possib ...

Score: 0
Chinese remainder theorem in ECDSA for parameters in secp256k1?

It is known that it is possible to apply the Chinese remainder theorem and attack RSA under precise conditions.

https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf

But the question is, can the Chinese remainder theorem in ECDSA be applied to the parameters in secp256k1?

Score: 2

I have been playing around with Hastad's broadcast attack on RSA with linear padding. Using the implementation and the test function from here: https://github.com/0n5/CTF-Crypto/blob/master/RSA/hastads.sage

The test function and the attack work perfectly well with e=3,5,7. However, with e>=11 the attack does not find a solution. I tried playing around with the values of eps and modifying the at ...

Score: 0
Slide Attacks and FPE

What is a slide attack? I am not able to comprehend how they are used for attacks on FPE schemes like FF3.

Score: 0
Can I copy digital signature for malicious purpose?

1. I signed my QR code with my private key so that people can verify it's mine. The QR code has data which is public. I have this QR code on my document. The problem is, can an attacker copy this signature of this QR code on the document, and create a fake document with the same QR code signed by me? I assume signature just a sequence of characters after ...

Score: 0
Crypto Economic Attacks such as Nothing At Stake and Sandwich Attack from Archive Nodes on Polkadot

Could you please advise me if there are threat vectors from archive nodes such as front running attacks, sandwich attacks and nothing at stake attacks, as they are quite powerful in terms of the infrastructure and information architecture? How do we prevent scenarios when they become byzantine and become powerful and practical adversaries?

Score: 0

I'm working on an anonymization project and I got interested in linking attacks. For simplicity I only look at data in table format, such as xlsx or csv data. To anonymise such data the most common technique is generalization. There are others like synthetic data, changing data, deleting data, etc. To evaluate the results one can use definitions like k-anonymity, l-diversity or t-closeness.

So fa ...

Score: 0
How to generate large integer private key for creating CTF challenges?

I am trying to create a RSA CTF challenge, exposing $$n$$, $$e$$, $$c$$, and $$d$$.

I have set $$e=65537$$ and $$n = p * q$$ where $$p$$ and $$q$$ are large primes each with 300 digits.

I have determined $$c=m^e \mod n$$

But I have yet to determine a good way to produce $$d=e^{(-1)} \mod [(p-1)*(q-1)]$$. I tried computing the right as is via code, but

```python
from decimal import Decimal

print(Decimal(e**(-1)) % phi)
```


returns so ...

Score: 1
Impact of partitioning oracle attacks on file encryption?

I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now.

The aim is the recovery of a password pw. Consider that you want to test the membership of two passwords $$S^*_1=\{pw_1,pw_2\}$$. Create two keys $$K_1=\text{PBKDF}(salt,pw_1)$$ and $$K_2=\text{PBKDF}(salt,pw_2)$$ (the salt can be found by sniffing!), now use Dodis et, a ...

Score: 2
Time Complexity of Exhaustive Search Algorithm

I have the sets $$S_1=\{2,10,20,6\}$$ and $$S_2=\{25,26,20\}$$ and I want to find which numbers sum to make 32. This is very easy by inspection; 6 and 26. It seems similar to the Knapsack problem, but I am no expert.

However, say I have 1000 sets, each with 500 elements such that summing one term from each set always gives you a unique value. This is much harder to inspect and solve, especially if the sets f ...

Score: 3
Factorization of polynomial in GF(2^128) used in GCM

It is widely known that using a GCM nonce twice or even more often can be used to disclose the authentication key H. I understand why this is theoretically possible. However, I have no feeling about the computational effort behind obtaining polynomial roots in GF($$2^{128}$$). Is there a straightforward algorithm available or do we need to apply some brute-force methods to factor a given polynomia ...

Score: 1
Why using same nonce (IV) twice voids confidentiality of plain text or even key?

I understand roughly (without details of GF algebra) the scheme of GCS/GMAC:

IV is to be put into Counter-0, so initializing counters.

It is known that using an IV twice can not only reveal the plain text but also the AES-Key itself.

I understand neither the first nor the second:

Q1: Why is confidentiality of the messages lost when using the same IV twice? Does it mean the plaintext can be inferred? Or  ...

Score: 2
What happens if the Edwards curve isn't quadratic twist secure?

On this webpage, Daniel Bernstein offers that the curve must be quadratic twisted secure. This means that if the curve has $$\#E$$ points on $$Z_p$$ where $$\#E=p+1-t$$, then the quadratic twist curve has $$\#E'=p+1+t$$ points. The condition for quadratic twisted secure curves is that the cofactor of a quadratic twist curve is low. For example, the cofactor of a curve is 8 and the cofactor of a quadratic twist c ...

Score: 2
Can you please explain how Manger's attack against RSA OAEP works?

I searched but found nothing except the original paper, and I can't wrap my head around it. Can you help me by giving an overview and then if possible, a short explanation of the algo?

Score: 2
Is generalized birthday attack only suitable for the problem with multiple solutions?

In David Wagner's article A Generalized Birthday Problem, he said and I quote:

Our algorithm works only when one can extend the size of the lists freely, i.e, in the special case where there are sufficiently many solutions to the k-sum problem.

1. Does that mean that the generalized birthday attack only applies for the problems with multiple solutions?
2. Why is it not suitable for the problem with on ...

Score: 1
So is AES-256 more secure or less secure than AES-128 after all?

It seems there are attacks that work more effectively on AES-256 than AES-128, which makes it less secure in some cases. But the bigger key size should add some safety margin on the other hand, for example making it immune to even quantum computers. And I have heard some people say that more rounds make it less secure, and others say that it makes it more secure.

Score: 0
Domain Keys Identified Mail (DKIM)

If a company uses Domain Keys Identified Mail ("sender adds a special signature which includes author name / date signed by RSA Private Key. Receiver verifies the signature by looking up the public key of the sender and ensures that the email's sender name and the date in the regular email header matches the signed name and date in the signature tag") and has an online database with employees public key ...

Score: 1
Crack AES encryption via passphrase dictionary attack?

How easy would it be to crack an AES-256 encrypted file, that is protected by a passphrase?

I understand that trying to brute force an AES-256 encryption key would be on the unfeasible side, even with quantum computing. But what if that encryption key was instead generated from a passphrase? How easy would it then be to break the encryption?

I'm not experienced at all in cryptography, but tried ma ...