/r/crypto


Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited to encryption of messages such that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This is a technical subreddit covering the theory and practice of modern and strong cryptography.

Cryptography

... is the art of creating mathematical / information theoretic assurances for who can do what with data, including but not limited to the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This subreddit is intended for links and discussions surrounding the theory and practice of modern and strong cryptography.

Please note that this subreddit is technical, not political! The focus is on the algorithms and the security of the implementations.


Want to join?

Because this subreddit is currently in restricted mode, you will NOT be able to post or comment before your account has been approved. Send us a reason for why you want to join via mod mail, and tell us why you want to discuss cryptography:

https://www.reddit.com/message/compose/?to=/r/crypto


NOTE: This is NOT a cryptocurrency subreddit, see /r/cryptocurrency

RULES

(along with normal reddiquette)

Don't forget to read our RULES PAGE! The rules listed there are also used as this sub's report reasons. The quick version;

  • Assume good faith and be kind. This is a friendly subreddit.
  • Codes, simple ciphers, ARGs, and other such "weak crypto" don't belong here. (Rule of thumb: If a desktop computer can break a code in less than an hour, it's not strong crypto.) You're probably looking for /r/codes.
  • Do not ask people to break your cryptosystem without first sharing the algorithm. Sharing just the output is like...
  • "Crack this cipher" challenges also belong in /r/codes unless they're based on interesting crypto implementation bugs, e.g. weak RSA keys.
  • Familiarize yourself with the following before posting a question about a novel cryptosystem, or else the risk is nobody will take their time to answer:
  • Don't use this sub to cheat on competitions or challenges! You're expected to solve such problems yourself. You may ask for help to understand it, but you should disclose the source.
  • Systems that use crypto are not necessarily relevant here, e.g. Bitcoin. Maybe try /r/cryptocurrency? Political news also very rarely belongs here. See the list of related subs below for alternatives. Remember that this sub is focused on the algorithms, and isn't political.



    Feel free to message the moderators with suggestions for how to improve this subreddit, as well as for requesting adding links in the sidebar.


    297,426 Subscribers


    Adapting Hashcat's mul_mod for Multiplication mod N

    Hello! I am trying to perform some EC arithmetic on the secp256k1 curve.

    Specifically, I am having trouble performing a modular multiplication using Hashcat’s OpenCL implementation mul_mod function.

    The function as written is for performing modular multiplication mod P, but I need to perform modular multiplication mod N. I previously tried to modify the function to use the lib's SECP256K1_N* values, but was not getting the proper result.

    I noticed that the function uses an optimized algorithm from Modular Multiplication using special prime moduli (p.354 or p.9 in that document), and as such uses a “magic number” from the curve (omega: 0x3d1) related to the curve’s P value in the internal calculations.

    Is there a straightforward way to alter this function to perform multiplication mod N? Or is this specific implementation not compatible due to the "special moduli"? If not compatible, can someone help point me in the right direction of an OpenCL-compatible mul_mod secp256k1 implementation?

    3 Comments
    2024/03/18
    12:15 UTC


    Weekly cryptography community and meta thread

    Welcome to /r/crypto's weekly community thread!

    This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

    Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

    So, what's on your mind? Comment below!

    0 Comments
    2024/03/18
    11:00 UTC


    Monthly cryptography wishlist thread

    This is another installment in a series of monthly recurring cryptography wishlist threads.

    The purpose is to let people freely discuss what future developments they like to see in fields related to cryptography, including things like algorithms, cryptanalysis, software and hardware implementations, usable UX, protocols and more.

    So start posting what you'd like to see below!

    0 Comments
    2024/03/18
    11:00 UTC


    Most optimized Fermat Factoring algorithm

    Hello, I am an amateur cryptographer and have seen a few variations on factoring p * q like Fermat's method. I've come up with a variation that has undergone some speed testing. Are there any other simple algorithms before one gets into sieving? Share yours.

    My algorithm adds 1 to the square root of n if it is even and then adds 2 to each loop that the condition (n % a) != 0.

    https://github.com/iagmla/Fermat/blob/main/zfermat.py

    4 Comments
    2024/03/11
    18:58 UTC


    Request for a Cryptography Book containing a Chapter about Padding Oracle

    I am new to this sub but have been looking through past posts. I am looking for a cryptography book which contains a chapter about padding oracles. I looked through books from authors that are often recommended (such as Schneier, Ferguson, Singh, Paar etc.) but they only seem to touch on the topic of padding oracles in one sentence while going into depth on CBC or similar.

    On top of that, could you guys maybe enlighten me: is there a reason why this topic usually isn't considered worthy of its own sub-chapter? Is it a trivial thing or is it just too vague?

    Why padding oracles? I am interested in having some literal content, other than the same explanations on the internet. Don't get me wrong, they are good and helpful, but while learning for my crypto exam I often realized that I want to go the extra mile.

    Regarding the book. I would like for it to be a general book, which also contains knowledge about encryption, authentication, netsec, and IPSEC/DNS(SEC) if possible.

    Thanks in advance!

    Edit: I also asked this question in r/cybersecurity.

    9 Comments
    2024/03/11
    11:23 UTC


    Weekly cryptography community and meta thread

    Welcome to /r/crypto's weekly community thread!

    This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

    Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

    So, what's on your mind? Comment below!

    0 Comments
    2024/03/11
    11:00 UTC


    Constructing authenticated primitives with signatures

    Instead of using AES in CBC with a HMAC (created with a key derived from the agreed symmetric key), is it possible to achieve similar using AES in CBC with digital signatures, like EdDSA?

    If so, is it possible to use ephemeral keys in some way on the signature front and bind them to the underlying cipher text, or do the signing keys need to be verified/authenticated to an identity out of band?

    4 Comments
    2024/03/07
    17:37 UTC


    redactable signed documents

    Does this scheme exist, or can it be constructed?

    motivation: bank releases a signed document about your monthly transactions. you want to show it to someone, but redact certain fields.

    kinda something like this:

    bank has a signing key, the public key of it is PUB

    the bank signs a document m that is a series of submessages m_1 ... m_n. the bank also publishes S signature.

    then i can redact any of the messages, and construct, e.g:

    m_1, redacted(m_2), m_3, ..., and a modified S'

    anyone with S' and PUB can verify the redacted signature against the redacted m.

    it is okay if S' has a totally different format than S.

    it should be clear and verifiable which parts are redacted and which parts are original.

    the parts must still be linked together. so individually signing parts is not enough.

    however, it should not be feasible to figure out any redacted elements, even with brute force. this is important, because m_i can be of a small set, like birth year, or can be guessable, like a suspected recipient bank account number.

    9 Comments
    2024/03/07
    11:26 UTC


    Key and message equivocation

    Lately I've become increasingly interested in the study of cryptography from an information theory point of view. I've come across the concept of key and message equivocation; in particular, I've learned that key equivocation is in general greater than message equivocation, and it all makes sense to me. What I'm having a hard time understanding is why we focus on key equivocation while studying the security of a secrecy system (e.g. unicity distance). Wouldn't it be better to focus on message equivocation since it's smaller? I'm sure there is something I'm not fully understanding and I hope some of you could kindly help me :)

    0 Comments
    2024/03/07
    09:44 UTC


    Weekly cryptography community and meta thread

    Welcome to /r/crypto's weekly community thread!

    This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

    Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

    So, what's on your mind? Comment below!

    2 Comments
    2024/03/04
    11:00 UTC


    25519 clamping - quick question

    Are both `ed25519` and `curve25519` keys required to be clamped?

    I read both are, but isn't it only applicable to curve25519, which is used for ECDH, to avoid small subgroup attacks?

    Both keys are just random 32-byte scalars anyway, right? So I wonder if I can use the same key in both systems where one version is clamped and the other not.

    4 Comments
    2024/03/01
    16:30 UTC


    Is ECDHE (over curve25519) with ChaCha20-Poly1305 considered "semantically secure"?

    Is ECDHE (over curve25519) with ChaCha20-Poly1305 considered "semantically secure"?

    Thank you

    6 Comments
    2024/02/28
    14:27 UTC


    Apple adds PQ primitives to iMessage

    Apple did a nice job IMO adding PQC to iMessage, essentially using Kyber - and it's forward secret.

    They still only sign the key exchange with P-256 (not a PQ scheme), which also isn't a curve I like. They also assume AES-CTR is "quantum secure", which I guess gets reduced to ~127-bit security with Grover's.

    Overall nice to see PQ primitives used at this scale.

    https://security.apple.com/blog/imessage-pq3/

    8 Comments
    2024/02/28
    14:25 UTC


    FHE data encodings

    Hi r/crypto!

    I have a question about data encoding for various FHE schemes.

    I've read the original CKKS paper, and as I understand, with CKKS, we have to use canonical embedding encoding procedures to encode our data into polynomials from Rq, which means that with degree-N polynomials, we can encode at most N/2 numbers.

    I have a couple of questions: Are there other encoding schemes for CKKS with better encoding efficiency? What encoding schemes are used by BGV and/or BFV? What is their efficiency? What other encoding schemes exist, and what schemes use them?

    Thank you!

    0 Comments
    2024/02/27
    19:40 UTC


    Valid use of scrypt for AES256?

    I'm working on a database project with Python and I'm using scrypt to generate two hashes derived from a password with salt.

    One for comparison/authorisation and the second is a key for encrypted data.

    Is this a safe use-case?

    I personally think so due to the fact the only way you'll get the second hash is if you brute-force the first one which would ultimately mean they have your password.

    At the moment I just wanna be safe, thank you for your advice!

    2 Comments
    2024/02/27
    17:47 UTC


    Weekly cryptography community and meta thread

    Welcome to /r/crypto's weekly community thread!

    This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

    Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

    So, what's on your mind? Comment below!

    0 Comments
    2024/02/26
    11:00 UTC


    Classic McEliece: AES_CTR rng

    Looking at the ref implementation for mceliece348864 (and other variants) it looks like the random number generation is done using AES in counter mode. I assume this is an NIST constraint for the PQ standardization project, but I was wondering if there is any reason why it wouldn't make sense to have a variant that uses ChaCha for rng on devices that don't have hardware acceleration (like what's been done with TLS or adiantum on Android).

    2 Comments
    2024/02/25
    16:14 UTC


    Build an End-to-End Encrypted Shazam-like Application Using Fully Homomorphic Encryption (FHE)

    Hey here,
    Jeremy from Zama; for those of you who don't know, we work on both the research and application of FHE for AI and Blockchain.
    We just released a tutorial on how to build an end-to-end encrypted Shazam-like app using FHE and our ML library Concrete ML. This illustrates how FHE could solve our worry of giving access to our phone microphone to benefit from apps we all use, as all data processing is securely encrypted with FHE.

    Thought I'd share it here as it's a cool example that shows FHE is really becoming more and more practical, and that is what we thrive for at Zama :)

    Read the full post here: https://www.zama.ai/post/encrypted-shazam-using-fully-homomorphic-encryption-concrete-ml-tutorial

    0 Comments
    2024/02/21
    09:41 UTC


    CryFS

    Hi, I use CryFS on a daily basis to protect sensitive files like private keys and sensitive configuration files, which are linked to their configuration destination as links for usage, etc.

    Now I want to seal up part of the data and launch it a few years into the future when I will need it again.

    I wonder if there was a case where CryFS was not able to decrypt backed-up files after a few years (15 years) with the same configuration?
    Possible reasons:

    1. hash function changed algorithm
    2. AES dropped Rijndael for a new algorithm, etc.

    Is CryFS considered good at preserving backward compatibility?

    Should I consider using another method?

    4 Comments
    2024/02/19
    21:55 UTC


    Weekly cryptography community and meta thread

    Welcome to /r/crypto's weekly community thread!

    This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

    Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

    So, what's on your mind? Comment below!

    0 Comments
    2024/02/19
    11:00 UTC


    Monthly cryptography wishlist thread

    This is another installment in a series of monthly recurring cryptography wishlist threads.

    The purpose is to let people freely discuss what future developments they like to see in fields related to cryptography, including things like algorithms, cryptanalysis, software and hardware implementations, usable UX, protocols and more.

    So start posting what you'd like to see below!

    6 Comments
    2024/02/18
    11:00 UTC
