# Questions tagged as ['cryptanalysis']

Analysis of individual security aspects of a cipher or algorithm, not the security of a cipher or algorithm in general (which would lean towards “algorithm-design”).
Score: 0 Breaking vigenere cypher using the one-time pad flaw when used for a second time I got an idea which may be wrong because I may have missed some important factor but for the moment I don't know if I really did. Let BM be the method used to break a reused one-time pad cipher (which is explained here : Taking advantage of one-time pad key reuse? ). I was wondering if we can use the same BM on a vigenere cipher text after determining the key lenght (N for example), and that would be by  ...

Score: 1 how high is the possibility of getting a hash collision in text files? Just for an example, let's say I downloaded "the adventures of tom sawyer" from gutenberg in .txt file format and saved it to my usb thumb drive.

And as you can see, usb drive is not an ideal device for long term data retention. But if I insist on using it, there's possibility any files in my storage would finally be corrupted after long time without powering it up.

So what I will do now is to save  ...

Score: 0 How to find iteration exponent in a cycling attack? In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C1 = C49 , C2 = C149, etc. He will find Cj = C for 1,2,5 or 10

I do not understand how they figured out they will have M = Cj-1 in at most 10 steps? They  ...

Score: 2 How do we find differentials in differential cryptanalysis when we don't the details about the S-boxes I m new to cryptanalysis and trying to understand differential cryptanalysis. I have read the paper by Howard M. Heys. I understood the concept of differentials but I m not able to understand how to calculate the probability of a differential to occur when we don't know any information regarding the S-boxes.

It is given that, we give 2 inputs with a difference of say, x to an S-box and get output ...

Score: 0 recover plain text from cipher text in AES-128 ECB mode I have a scenario where I do not have the key but I have plaintext 1, ciphertext 1, and ciphertext 2. Ciphertext 2 is built using the same key that was used to build ciphertext 1. Is there somehow a way to decrypt ciphertext 2 to get plaintext 2?

Score: 0 cracking a one time pad using key reuse There is a one time pad which works as follows: given message "hello" and key "asdfg", it produces "hwoqu". It only works with the 26 english letters. The output is (h(7) + a(0))%26 = h(7), (e(4) + s(18))%26 = w(22) etc.

So I have two ciphertexts created as above using a single key for both ciphertexts. I'm supposed to be able to crack the plain texts without needing access to the key.

What is the p ...

Score: 3 How to decide if an element is a public key in NTRU encryption scheme? First, I'm using the settings of https://en.wikipedia.org/wiki/NTRUEncrypt, with $$L_f$$ set of polynomials with $$d_f+1$$ coefficients equal to 1, $$d_f$$ equal to $$-1$$ and the remaining $$N-2d_f-1$$ equal to 0; and $$L_g$$ the set of polynomials with $$d_g$$ coefficients equal to 1, $$d_g$$ equal to $$-1$$ and the remaining $$N-2d_g$$ equal to 0. The natural numbers $$d_f$$ and $$d_g$$ are just fixed parameters of the sche ...

Score: 0 Structure of composition of permutations If $$P_1, P_2$$ are finite permutations, what can we say about $$P_3 = P_1 \cdot P_2$$? That is, what properties of the composition of permutations can be inferred from the properties of the permutations which are composed?

Since permutations form a group, for any $$P_2$$ and $$P_3$$, there exists a $$P_1$$ that when composed with $$P_2$$ gives $$P_3$$. So there range of composition spans the entire space of ...

Score: 2 Poly1305 reuse of r Poly1305 uses $$r, r^2, r^3$$ and $$r^4$$. I understand this if $$r$$ is a generator of the finite field. But since $$r$$ can be any random non-zero number, won't its exponents be non-uniform distributed? That is, even if $$r$$ is chosen with uniform random over the field, $$r^4$$ is not uniform over the field. Why isn't this a weakness?

Note that Bernstein's papers* use similar schemes for any finite field, u ...

Score: 0 Understanding non-linearity in Salsa20 over various rings In his design of Salsa20, Bernstein writes to ensure non-linearity he chose

32-bit addition (breaking linearity over $$Z/2$$), 32-bit xor (breaking linearity over $Z/2^32), and constant-distance 32-bit rotation (diffusing changes from high bits to low bits). Can you help me understand this? A linear function is one such that $$f(ax+by) = af(x) + bf(y)$$. It sounds like whether addition and xor are linea ... Score: 2 What are some statisitcal characteristics of a hill cipher? Given a ciphertext, after performing a frequency analysis on it, how would you identify it as a hill cipher? What should i expect to see in the statistics? Score: 6 Introduce a reference for cryptanalysis of WhatsApp software I am studying on cryptanalysis of WhatsApp software. I know this is secure software but I want to present a documentary on this topic as a seminar at the university for applied mathematics students. As you know, WhatsApp is based on the Signal protocol, and for this reason, I first focused on the structure of this protocol. The first document I studied was this master's thesis. The advantage of thi ... Score: 1 Algebraic differential cryptanalysis I have been studying on algebraic methods on cryptanalysis of block ciphers. This is where I am reading from currently I need some help to understand Attack C. Excluding equations from the first r rounds till which the differential characteristic holds, we are just left with the SBox equations and one constraint from the input difference to the $$(r+1)^{th}$$ round S Boxes as a consequence of the r ... Score: 1 Chaos-based AES, is it secure? In the link below, the author uses the aes as a basis for his cipher. In his words: The thesis investigates and explores the behavior of the AES algorithm by replacing two of its original modules, namely the S-Box and the Key Schedule, with two other chaos-based modules. One might ask: will this system at least will inherit the security I the aes? In addition, it is a common theme in chaos-based ... Score: 0 What is the easiest encryption/cipher to brute force? This is just a casual exploration of what could be effectively the worst possible block cipher, but I think it has some educational value on how ciphers work. I've been reading about unicity distance and I am interested in a block cipher that has a decent-sized keyspace (2^8 or more?) that has the smallest unicity distance possible. If the plaintext effectively looks random such that no frequency analysis ... Score: 1 Differential analysis of SPN Reference : Tutorial by HM Heys If we find a differential trail that holds with some non negligible probability for n-1 rounds for a n rounds SPN structure, then we can recover some of the bits of the last round subkey. What happens when we only manage a differential trail that holds with non negligible probability for only few of the rounds R where R < n-1? How do we proceed in that case to make ... Score: 1 Crypt-analysis for finding information hidden in images? I was wondering if anyone is familiar with any historical aspects (as to whether someone was able to) for discovering code using images on the web as a transport method ? As in hiding byte values in pixel data broken up between the component values ? ** Edit** Answer below adds to a good search tree of how hide text but doesn't relate to discovering the ciphertext. Score: 2 A query regarding SHA256 output hash structure vs input entropy? Given an Input string of N bytes where some bytes positions in the string are fixed/immutable (F Bytes) and rest of the bytes positions can contain any value as we want or are configurable/variable (V = N-F Bytes). SHA256(SHA256(N)) = H (256 bits). Now, Given an Input string of N bytes, the values of N, F, V and the positions which can change and which can't: How do we calculate the probability/formula ... Score: 0 (Non)security of algebraically derived EC keys I recently had a situation where I needed to derive a secondary Curve25519 private key from an existing one programmatically. The obvious solution was to use a KDF, but I wondered at the time about deriving the second key via some algebraic operation on the scalar value, which of course would (at least for some transformations) also make the secondary public key derivable from the original public key. M ... Score: 1 Vigenère cipher with switching keys I am looking for possible ways of attacking a modified Vigenère cipher. Let's say we have two keys e.g. 'stackoverflow' and 'Vigenère'. The V cipher starts with one of those keys but switches as soon as it would create a doublet [so the next plaintext letter would decrypt to the same ciphertext letter like (example for ciphertext:) 'LDJAAIWE' or 'FMGGBPV')]. How is it possible to attack this if you ... Score: 1 Is it allowable to put a restriction on the length of the plaintext used in the known-plaintext attack? The definition of the known-plaintext attack: I have a plaintext and I can encrypt it to have its ciphertext, then I use this pair to break the cipher. The question: The only thing I further assume is the length of the used known plaintext, not its content. Is this allowable in the known-plaintext attack? A note: I think if it is not allowable, then the attack should work with whatever pair of plain ... Score: 1 How can I do cryptanalysis on a chaos-based cipher? I have been reading about chaos-based cryptosystems. Every designer claims that his design is a secure system without much cryptographic analysis; however, it turns out that this is a false claim in many cases. I do not know if all these systems are weak or inefficient. I do not have the time to perform cryptanalysis on them all. For the examples of the chaos-based cipher, almost every designer h ... Score: 1 Decryption of an unknown cipher How can I identify the cipher that encrypted the data shown below? I'm very new to this field, so I am not sure. For example: How does one know which cipher is used in the following line? How can one decrypt it? $&Es6a@I+v5;|h_\$)q?2Kq75w=p|%tK+)8K)K}d!b_l

Score: 0 Which contemporary programming language is apt for implementation of algorithms in cryptography? I am a researcher in cryptography. Most of the time I generally do theoretical/Mathematical work only and not doing the implementation part.

I am not able to get the feel about the time complexity of algorithms theoretically. We can get the time complexity of algorithms by doing proper implementation. I want to implement algorithms/schemes to find out the time complexity and other aspects of algo ...

Score: 1 ε-close to t-wise inependence of SPN (AES) According to theorem 3.13, the 6 rounds of AES is 0.472-close to pairwise independence. It is also mentioned t-wise independence used to analyze higher order derivates attacks. it is also mentioned 3-wise indepdent permutations have a potential application in strengthening short encryption keys. My questions are related to the fundamentals of t-wise independence permutations.

Q.1 What does it mean ...

Score: 4 What vulnerabilities does the LFSR filter generator have? As the title suggests, I wonder what kinds of attacks there are in the LFSR filter generator. The most representative attack is the fast correlation attack and inversion attack. I wonder what other attacks are possible.

Score: 2 Does SHA-256 have (128-time + 128-space = 256-overall)-bit collision resistance? First, we consider those hash functions that can actually provide 256-bit pre-image security, and not something like SHAKE128<l=256bits>` where the sponge parameters provides only a security capacity of 128-bit.

We know that cryptanalysis doesn't have just a time dimension - it also has a space dimension, i.e. the amount of working memory needed to execute the cryptanalysis algorithm. So if we expe ...

Score: -1 Does this paper find cryptographic weakness of SHA-256? I found only the abstract and tables of this paper https://dl.acm.org/doi/abs/10.1145/3409501.3409513

From the abstract

In this paper, the researchers proved that the modified SHA256 is viable to length extension, brute-force and dictionary attacks. Randomness tests also showed uniform random distribution of the hashes generated by the modified SHA256 The meaning of each randomness test:

Monobit

Score: 1 CrypTool RSA Features I am attempting to manually encrypt a plaintext message (message = MI) using RSA. When I enter the same plaintext into CrypTool to confirm that my calculations were correct, I receive a different answer: What am I doing incorrect? How can I obtain the same result as CrypTool?

Score: 0 A few questions regarding the 4-Round AES-Distinguisher (by Gilbert and Minier) and DS-MITM I am struggling to understand the DS-MITM attack on AES (Original Paper). Especially the 4-rounds distinguisher by Gilbert and Minier (section 3).

I get the basic idea that we check exactly on which input-bytes and key-bytes the first entry of the AES-State after three rounds $$C_{11}^{(3)}$$ depends. So we have a function $$f: a_{11} \longrightarrow C_{11}^{(3)}$$ (where $$a_{11}$$ is the first plaint ...