Questions tagged as ['cryptanalysis']
I got an idea which may be wrong because I may have missed some important factor, but for the moment I don't know if I really did. Let BM be the method used to break a reused one-time pad cipher (which is explained here: Taking advantage of one-time pad key reuse?). I was wondering if we can use the same BM on a Vigenère cipher text after determining the key length (N for example), and that would be by ...

Just for an example, let's say I downloaded "The Adventures of Tom Sawyer" from Gutenberg in .txt file format and saved it to my USB thumb drive.
And as you can see, a USB drive is not an ideal device for long-term data retention. But if I insist on using it, there's a possibility that any files in my storage would finally be corrupted after a long time without powering it up.
So what I will do now is to save ...

In Simmons and Norris paper they demonstrate the cycling attack with the following example:
$p = 383$, $q = 563$, $s = 49$ and $t = 56957$ (a prime).
The attacker knows the publicly available $r = pq = 215{,}629$, $s = 49$ and an encrypted message $C$. By forming $C_1 = C^{49}$, $C_2 = C_1^{49}$, etc., he will find $C_j = C$ for $j = 1, 2, 5$ or $10$.
I do not understand how they figured out they will have $M = C_{j-1}$ in at most 10 steps? They ...
I'm new to cryptanalysis and trying to understand differential cryptanalysis. I have read the paper by Howard M. Heys. I understood the concept of differentials, but I'm not able to understand how to calculate the probability of a differential occurring when we don't know any information regarding the S-boxes.
It is given that, we give 2 inputs with a difference of say, x to an S-box and get output ...
I have a scenario where I do not have the key but I have plaintext 1, ciphertext 1, and ciphertext 2. Ciphertext 2 is built using the same key that was used to build ciphertext 1. Is there somehow a way to decrypt ciphertext 2 to get plaintext 2?
There is a one-time pad which works as follows: given message "hello" and key "asdfg", it produces "hwoqu". It only works with the 26 English letters. The output is (h(7) + a(0)) % 26 = h(7), (e(4) + s(18)) % 26 = w(22), etc.
So I have two ciphertexts created as above using a single key for both ciphertexts. I'm supposed to be able to crack the plaintexts without needing access to the key.
What is the p ...
First, I'm using the settings of https://en.wikipedia.org/wiki/NTRUEncrypt, with $L_f$ set of polynomials with $d_f+1$ coefficients equal to 1, $d_f$ equal to $-1$ and the remaining $N-2d_f-1$ equal to 0; and $L_g$ the set of polynomials with $d_g$ coefficients equal to 1, $d_g$ equal to $-1$ and the remaining $N-2d_g$ equal to 0. The natural numbers $d_f$ and $d_g$ are just fixed parameters of the sche ...

If $P_1, P_2$ are finite permutations, what can we say about $P_3 = P_1 \cdot P_2$? That is, what properties of the composition of permutations can be inferred from the properties of the permutations which are composed?
Since permutations form a group, for any $P_2$ and $P_3$, there exists a $P_1$ that when composed with $P_2$ gives $P_3$. So the range of composition spans the entire space of ...

Poly1305 uses $r, r^2, r^3$ and $r^4$. I understand this if $r$ is a generator of the finite field. But since $r$ can be any random non-zero number, won't its exponents be non-uniformly distributed? That is, even if $r$ is chosen uniformly at random over the field, $r^4$ is not uniform over the field. Why isn't this a weakness?
Note that Bernstein's papers* use similar schemes for any finite field, u ...

In his design of Salsa20, Bernstein writes that to ensure non-linearity he chose
32-bit addition (breaking linearity over $Z/2$), 32-bit xor (breaking linearity over $Z/2^{32}$), and constant-distance 32-bit rotation (diffusing changes from high bits to low bits).
Can you help me understand this? A linear function is one such that $f(ax+by) = af(x) + bf(y)$. It sounds like whether addition and xor are linea ...

Given a ciphertext, after performing a frequency analysis on it, how would you identify it as a Hill cipher? What should I expect to see in the statistics?
I am studying the cryptanalysis of the WhatsApp software. I know this is secure software, but I want to present a documentary on this topic as a seminar at the university for applied mathematics students.
As you know, WhatsApp is based on the Signal protocol, and for this reason, I first focused on the structure of this protocol. The first document I studied was this master's thesis.
The advantage of thi ...

I have been studying algebraic methods in the cryptanalysis of block ciphers. This is where I am reading from currently.
I need some help to understand Attack C.
Excluding equations from the first $r$ rounds, up to which the differential characteristic holds, we are just left with the S-box equations and one constraint from the input difference to the $(r+1)^{th}$ round S-boxes as a consequence of the r ...
In the link below, the author uses AES as a basis for his cipher. In his words: The thesis investigates and explores the behavior of the AES algorithm by replacing two of its original modules, namely the S-Box and the Key Schedule, with two other chaos-based modules.
One might ask: will this system at least inherit the security of AES? In addition, it is a common theme in chaos-based ...

This is just a casual exploration of what could be effectively the worst possible block cipher, but I think it has some educational value on how ciphers work.
I've been reading about unicity distance and I am interested in a block cipher that has a decent-sized keyspace (2^8 or more?) that has the smallest unicity distance possible. If the plaintext effectively looks random such that no frequency analysis ...
Reference: Tutorial by H. M. Heys
If we find a differential trail that holds with some non-negligible probability for $n-1$ rounds of an $n$-round SPN structure, then we can recover some of the bits of the last round subkey.
What happens when we only manage a differential trail that holds with non-negligible probability for only a few of the rounds, $R$ where $R < n-1$? How do we proceed in that case to make ...
I was wondering if anyone is familiar with any historical aspects (as to whether someone was able to) of discovering code using images on the web as a transport method? As in hiding byte values in pixel data broken up between the component values?
**Edit:** The answer below adds to a good search tree of how to hide text but doesn't relate to discovering the ciphertext.
Given an input string of N bytes where some byte positions in the string are fixed/immutable (F bytes) and the rest of the byte positions can contain any value we want, i.e. are configurable/variable (V = N-F bytes):
SHA256(SHA256(N)) = H (256 bits).
Now, given an input string of N bytes, the values of N, F, V and the positions which can change and which can't:
How do we calculate the probability/formula ...
I recently had a situation where I needed to derive a secondary Curve25519 private key from an existing one programmatically. The obvious solution was to use a KDF, but I wondered at the time about deriving the second key via some algebraic operation on the scalar value, which of course would (at least for some transformations) also make the secondary public key derivable from the original public key. M ...
I am looking for possible ways of attacking a modified Vigenère cipher. Let's say we have two keys, e.g. 'stackoverflow' and 'Vigenère'. The V cipher starts with one of those keys but switches as soon as it would create a doublet [so the next plaintext letter would encrypt to the same ciphertext letter, like (example for ciphertext:) 'LDJAAIWE' or 'FMGGBPV'].
How is it possible to attack this if you ...
The definition of the known-plaintext attack: I have a plaintext and I can encrypt it to have its ciphertext, then I use this pair to break the cipher.
The question: The only thing I further assume is the length of the used known plaintext, not its content. Is this allowable in the known-plaintext attack?
A note: I think if it is not allowable, then the attack should work with whatever pair of plain ...
I have been reading about chaos-based cryptosystems. Every designer claims that his design is a secure system without much cryptographic analysis; however, it turns out that this is a false claim in many cases. I do not know if all these systems are weak or inefficient. I do not have the time to perform cryptanalysis on them all.
For the examples of the chaos-based cipher, almost every designer h ...

How can I identify the cipher that encrypted the data shown below?
I'm very new to this field, so I am not sure.
For example:
How does one know which cipher is used in the following line? How can one decrypt it?
$&Es6a@I+v5;|`h_$)q?2Kq75w=p|%tK+)8K)K}d!b_l
I am a researcher in cryptography. Most of the time I generally do theoretical/mathematical work only and do not do the implementation part.
I am not able to get a feel for the time complexity of algorithms theoretically. We can get the time complexity of algorithms by doing a proper implementation. I want to implement algorithms/schemes to find out the time complexity and other aspects of algo ...
According to Theorem 3.13, the 6 rounds of AES are 0.472-close to pairwise independence. It is also mentioned that t-wise independence is used to analyze higher-order derivative attacks. It is also mentioned that 3-wise independent permutations have a potential application in strengthening short encryption keys. My questions are related to the fundamentals of t-wise independent permutations.
Q.1 What does it mean ...
As the title suggests, I wonder what kinds of attacks there are on the LFSR filter generator. The most representative attacks are the fast correlation attack and the inversion attack. I wonder what other attacks are possible.
First, we consider those hash functions that can actually provide 256-bit pre-image security, and not something like SHAKE128<l=256bits>,
where the sponge parameters provide only a security capacity of 128 bits.
We know that cryptanalysis doesn't have just a time dimension; it also has a space dimension, i.e. the amount of working memory needed to execute the cryptanalysis algorithm. So if we expe ...
I found only the abstract and tables of this paper https://dl.acm.org/doi/abs/10.1145/3409501.3409513
From the abstract
In this paper, the researchers proved that the modified SHA256 is viable to length extension, brute-force and dictionary attacks. Randomness tests also showed uniform random distribution of the hashes generated by the modified SHA256
The meaning of each randomness test:
Monobit

I am attempting to manually encrypt a plaintext message (message = MI) using RSA.
I receive an answer of: 33,264 and 21,164.
When I enter the same plaintext into CrypTool to confirm that my calculations were correct, I receive a different answer:
What am I doing incorrectly? How can I obtain the same result as CrypTool?
I am struggling to understand the DS-MITM attack on AES (Original Paper), especially the 4-round distinguisher by Gilbert and Minier (section 3).
I get the basic idea that we check exactly on which input bytes and key bytes the first entry of the AES state after three rounds, $C_{11}^{(3)}$, depends. So we have a function
$f: a_{11} \longrightarrow C_{11}^{(3)}$
(where $a_{11}$ is the first plaint ...