# Questions tagged as ['attack']

Recently I noticed that my device generates *short-sized* `Nonces`

.

Approximately $2 ^ {243} - 2^{244}$.

Could it turn out that there will be a small leak of information about the first * 3 bits* of

`Nonces`

?Accordingly, if `Nonces`

is short, then it must contain null at the beginning.
That is, the first * 3 bits* of

`Nonces`

contain null at the beginning.*Hence, for the sake of safety:*

When creating an **ECDSA** signatur ...

(I guess no but why is this the case? Any way to make it possible?)

Out of a given equilateral triangle T1 (with his 3 vertices A,B,C lying in a finite Field $\mathbb F_N^D $) another equilateral triangle T2 can get constructed by mirroring one of the 3 vertices at the edge in between the two other vertices. This will be repeated multiple times.

Given just two random triangle T1 and T2 (and $\mathbb F_N^ ...

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $\text{sk}$ and $\text{pk}$ respectively). Bob has an authentic copy of $\text{pk}$. The adversary has an authentic copy of $\text{pk}$.

Now, Bob wants to send his $\text{PIN}$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $N_0$ (a number chosen randomly ...

I'm using python.cryptography's Fernet with PBKDF2 passphrase hashing to encrypt a piece of data (the value) that is stored, encrypted, in a database. The hashed passphrase is *not* stored in the database, and for that reason neither is the salt. Instead, the salt comes from a password vault in the application's runtime environment, and then modified to make it unique per value.

One question I hav ...

I recently started learning about cryptography and its Quantum aspect and I came across Shor's Algorithm (which solves the following problem: "Given an integer N, find its prime factors").

I also came across this video called "How Quantum Computers Break Encryption | Shor's Algorithm Explained"

I am still confused about how knowing the factors of the key is going to help me solve the problem.

I heard about the "Chess Grandmaster Problem", Eavesdropping attacks and Man-in-the-middle.

Can they be applied in any way to a ZK protocol?

I'm not looking for long examples, just what are the main attacks and briefly how they work will do.

Thank you so much!

I'm trying to implement kleptography SETUP attack of ecdsa with python. Just a simply script to verify the algorithm. However i can't get the right output as the paper said. Where is the problem? Can anyone help?

```
from ecpy.curves import Curve, Point
import hashlib
import gmpy
cv = Curve.get_curve('secp256k1')
G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x48 ...
```

In the applied cryptography book by Boneh and Shoup, Chapter 6 on MACs, it is stated that an adversary that is also capable of requesting the challenger for verification queries (in addition to signing queries) is not stronger than an Adversary that can only ask for signing queries. I do not understand why a verification query cannot be emulated by the signing query Adversary by generating the pair (mi, ...

While nowhere near being broken, AES has known attacks like reading from the substitution table, memory-based attacks, etc.

If we keep getting better at breaking ciphers and we eventually get close to taking AES down, what would (in your opinion) be the requirements for a cipher of an era where even Rijndael isn't safe enough?

I'm talking about:

- key sizes
- data sizes
- design (stream/Feistel/PSN, or s ...

starting from the fact that there are different attacks on RSA, based on the starting situation, for example there are different studies, on attacks that find the private key having the freedom of an original arbitration text. But I was wondering this, in this situation: you have several plaintext texts and their encryption, you also have the public key (because you use RSA to authenticate) is it possib ...

It is known that it is possible to apply the Chinese remainder theorem and attack `RSA`

under precise conditions.

https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf

But the question is, can the Chinese remainder theorem in `ECDSA`

be applied to the parameters in `secp256k1`

?

I have been playing around with Hastad's broadcast attack on RSA with linear padding. Using the implementation and the test function from here: https://github.com/0n5/CTF-Crypto/blob/master/RSA/hastads.sage

The test function and the attack work perfectly well with e=3,5,7. However, with e>=11 the attack does not find a solution. I tried playing around with the values of eps and modifying the at ...

What is a slide attack? I am not able to comprehend how they are used for attacks on FPE schemes like FF3.

I am reading Cryptography. I have multiple questions to ask.

- I signed my QR code with my private key so that people can verify it's mine. QR code has data which is public. I have this QR code on my document. Problem is, can an attacker copy this signature of this QR code on the document, and create a fake document with same QR code signed by me ? I assume signature just a sequence of characters after ...

Could you please advise me if there are threat vectors from archive nodes such as front running attacks, sandwich attacks and nothing at stake attacks as they are quite powerful in terms of the infrastructure and information architecture. How do we prevent scenarios when they become byzantine and become powerful and practical adversaries.

I'm working on a anonymization project and I got interested in linking attacks. For simplicity I only look at data in table format, such as xlxx or csv data. To anonymise such data the most common technique is generalization. There are others like synthetic data, changing data, deleting data, etc.. To evaluate the results one can use definitions like k-anonymity, l-diversity or t-closeness.

So fa ...

I am trying to create a RSA CTF challenge, exposing $n$, $e$, $c$, and $d$.

I have set $e=65537$ and $n = p * q$ where $p$ and $q$ are large primes each with 300 digits.

I have determined $c=m^e \mod n$

But I have yet to determine a good way to produce $d=e^{(-1)} \mod [(p-1)*(q-1)]$. I tried computing the right as is via code, but

```
from decimal import Decimal
print(Decimal(e**(-1)) % phi)
```

returns so ...

I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now.

According to this thread,

The aim is the recovery of a password pw. Consider that you want to test the membership of two passwords S∗1={pw1,pw2}. Create two keys K1=PBKDF(salt,pw1) and K2=PBKDF(salt,pw2) (the salt can be found by sniffing!), now use Dodis et, a ...

I have the sets $S_1=\{2,10,20,6\}$ and $S_2=\{25,26,20\}$ and I want to find which numbers sum to make 32. This is very easy by inspection; 6 and 26. It seems similar to the Knapsack problem, but I am no expert.

However, say I have 1000 sets, each with 500 elements such that summing one term from each set always gives you a unique value. This is much harder to inspect and solve, especially if the sets f ...

It is widely known, that using a GCM nonce twice or even more often can be used to disclose the authentication key H. I understand, why this is theoretically possible. However, I have no feeling about the computational effort behind obtaining polynomial roots in GF($2^{128}$). Is there a straightforward algorithm available or do we need to apply some brute-force methods to factor a given polynomia ...

I understand roughly (without details of GF algebra) the scheme of GCS/GMAC:

IV is to be put into Counter-0, so initializing counters.

It is known, that using a IV twice can not only reveal the plain text but also the AES-Key itself.

I understand neither the first nor the second:

Q1: Why is confidentiality of the messages lost when using the same IV twice? Does it mean the plaintext can be inferred? Or ...

On this webpage, Daniel Bernstein offers that the curve must be quadratic twisted secure. This means that if the curve has $\#E$ points on $Z_p$ where $\#E=p+1-t$, then the quadratic twist curve has $\#E'=p+1+t$ points. The condition for quadratic twisted secure curves is that the cofactor of a quadratic twist curve is low. For example, the cofactor of a curve is 8 and the cofactor of a quadratic twist c ...

I searched but found nothing except the original paper, and I can't wrap my head around it. Can you help me by giving an overview and then if possible, a short explanation of the algo?

In David Wagner's article A Generalized Birthday Problem, he said and I quote:

Our algorithm works only when one can extend the size of the lists freely, i.e, in the special case where

there are sufficiently many solutionsto the k-sum problem.

- Does that means that the generalized birthday attack only applies for the problems with multiple solutions?
- Why is it not suitable for the problem with on ...

It seems there are attacks that work more effectively on AES-256 than AES-128, which makes it less secure in some cases. But the bigger key size should add some safety margin on the other hand, for example making it immune to even quantum computers. And I have heard some people say that more rounds make it less secure, and others say that it makes it more secure.

If a company uses Domain Keys Identified Mail ("sender adds a special signature which includes author name / date signed by RSA Private Key. Receiver verifies the signature by looking up the public key of the sender and ensures that the email's sender name and the date in the regular email header matches the signed name and date in the signature tag") and has an online database with employees public key ...

How easy would it be to crack a AES-256 encrypted file, that is protected by a passphrase?

I understand that the trying to brute force a AES-256 encryption key would be on the unfeasible side, even with quantum computing. But what if that encryption key was instead generated from a passphrase? How easy would it then be to break the encryption?

I'm not experienced at all in cryptography, but tried ma ...