Hello, I'm in the process of trying to optimise an applicative network stack by replacing an old school TCP stream of framed datagrams with a QUIC-based connection (between a client and a server). The TCP stream can be considered properly E2E encrypted and both peers are authenticated in the eyes of the other (no MITM possible at this stage). As a matter of simplicity and not changing what's already working, I want to keep the whole auth/encryption phase in the start of the legacy TCP protocol and optimistically upgrade to the QUIC-based one if both peers allow it, instead of immediately starting a TLS. Note that both servers/listeners (TCP and QUIC) are in the same process, so they have shared memory.

If I were transitioning from TCP to a new simple TCP stream (not QUIC), it would probably be sufficient to:

• have the client identify itself in cleartext in the new stream, possibly with a random value that was sent in the old stream by the server, so the server knows which encryption key will be needed
• immediately have both peers start conversing with symmetric encryption, using keys that were sent in the old encrypted stream
• I don't think any DH key exchange is necessary at all
• that's it! Correct me if I'm wrong

But in my case, QUIC is based on TLS, which is higher level than simple stream-ciphered TCP. Though I don't think I actually need any of this certificate chain/trust store stuff. I could simply have both peers generate a random self-signed cert to use them as simple keypairs, and omit every single metadata field (including the SubjectAlternativeName of the domain name). These certs would be sent over the old TCP stream by both peers, and then they would initiate a mutual TLS (mTLS) over the new QUIC connection. At this stage, the QUIC connection is encrypted between the same exact peers as the old TCP stream. Does this sound correct? Am I making wrong assumptions? Is this over-engineered?

A few notes:

• some certificate generation libraries require a domain name, so I could use an invalid TLD (RFC2606) like "myprojectname.invalid". It wouldn't be read anyway, as both peers check certs by strict equality/fingerprint.
• generating certs may be slow, in which case the server could generate a single one in memory, on startup, with a very high expiration date (or none, if possible in x.509), and reuse it every time. Clients would check its validity with strict equality with the one sent over TCP anyway, so the long expiration doesn't weaken security at all. Clients would probably still create one different cert per connection attempt, to make user fingerprinting harder. It shouldn't take more than a few millisecond to generate an EC key and that's acceptable on a client device

Final note: I'm a bit of a newbie in crypto. I think I have a decent understanding of the general concepts, but it's pretty much 100% self-taught – and "self-taught cryptologist" doesn't sound great in a CV or a protocol definition document. I know that it can be easy to overlook MITM or replay attack vectors, and these are what worry me the most. Also none of this is for a very serious project, I won't lose any money or reputation if I'm given bad advice (but please don't 👉👈).

I wrote this blogpost about Groth16 - https://risencrypto.github.io/Groth16/

Posting it here for feedback. If you find any mistakes or if you have any suggestions or something is not clear, please comment.

I really enjoy speaking to all of you here on this subreddit. Are there any other online communities where you all discuss cryptography matters? If so please share them here. I think all of us can benefit from such knowledge.

Hello everyone!

I have been working on a list of books cryptographic engineers have found helpful in the past and have decided to share it here.

Here is a quick table of contents:

Outline

1. Program Cryptography: Introduction
2. Program Cryptography: Background
   1. Start with Python
   2. Learn C Next
   3. Why Learn Python First?
   4. The Best Book to Learn Data Structures & Algorithms
   5. Relevant Data Structures & Algorithms for Cryptography
   6. LeetCode to Build Data Structures & Algorithms
3. Secure Coding Practices
   1. Side-Channel Attacks
   2. Fault-Injection Attacks
4. Books to Learn Math for Cryptography
5. Books to Learn Programming Cryptography
6. A Simple Request

Do you see any books I have missed in the list. If so please let me know! I think all of these sources are helpful for people trying to enter this field.

I was learning about DES, particularly the initial permutation and inverse of IP steps, which were noted to have an unknown motivation. That is it's not known why the look-up table is how it is or why the step even exists. The lecturer noted while a conspiracy, this could be some "math-based" back door baked into the algorithm itself so the NSA can break it. My question is how would something like that work either a general explanation or an example would be greatly appreciated. The answer can be technical or math-heavy if needed.

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

I have seen Reddit posts here cursing RSA before.

Is the usage of RSA decreasing with time as we all expect it too?

We expect post-quantum, timing attack-resistant programs to replace them.

Is there valid reason to believe this is the case based on the data we have. If so what data are you drawing from and how did you draw the conclusion.

If not why not with a similiar analysis.

I've read the article from Unciphered about it, multiple times, and still fail to understand it

It basically says that wallets generated by BitcoinJs front end library from 2011 to 2015 are vulnerable because of the poor randomness generation. Especially those generated between May 4, 2011 to March 2012

But it's really vague on explaining what the actual exploit is. It could be just summarized as: it used Math.random() for randomness before March 2014, and it is a bad function

Let's look at the initial commit from March 4, 2011 : eckey.js is used for generating the private key, while rng.js and prng4.js in the jsbn folder are used for harvesting randomness.

rng.js

If rng_pool is not already initialized, it is filled with random values from Math.random()

while(rng_pptr < rng_psize) {  // extract some randomness from Math.random()
    t = Math.floor(65536 * Math.random());
    rng_pool[rng_pptr++] = t >>> 8;
    rng_pool[rng_pptr++] = t & 255;
  }

Math.random() according to the article has the cycle of 2^60 values before they repeat. The article also mentions that it fails modern benchmark test, but I'm not sure about them

Is Math.random() the whole weakness of the story? What is the weakness actually about?

Later, the time in milliseconds is seeded to the pool

function rng_seed_time() {
  rng_seed_int(new Date().getTime());
}

And later for

SecureRandom.prototype.nextBytes = rng_get_bytes;

we initialize the state, and pass the pool as the key into the RC4 cipher

rng_state = prng_newstate();
rng_state.init(rng_pool);

from prng4.js

prng4.js

which creates a 256 values array

this.S = new Array();

and fills it with the loop

for(i = 0; i < 256; ++i) {
    j = (j + this.S[i] + key[i % key.length]) & 255;
    t = this.S[i];
    this.S[i] = this.S[j];
    this.S[j] = t;
  }

eckey.js

eckey.js uses SecureRandom() and creates our private key

var rng = new SecureRandom();
....
this.priv = ECDSA.getBigRandom(n);

But again, this tells us next to nothing about the actual vulnerability and what attacks might be used. Unciphered's article suggests that if we have GUID or IV (I guess that's a public key?), then we can do the work with just 2^32 to 2^64 values (2^48 most commonly)

Also, not sure about the clicks being added in the entropy pool, apart from:

<body onClick='rng_seed_time();' onKeyPress='rng_seed_time();'> comment.

In what way, other things are added into entropy pool apart from the initial timestamp seed?

Edit July 23, 2024:

Sorry, I forgot that ecdsa.js also has its own context

ecdsa.js

Basically getBigRandom() method is realized in this file with rng = new SecureRandom();

Bitcoin.ECDSA = (function () {
var ecparams = getSECCurveByName("secp256k1");
var rng = new SecureRandom();
....
var ECDSA = {
getBigRandom: function (limit) {
return new BigInteger(limit.bitLength(), rng)
.mod(limit.subtract(BigInteger.ONE))
.add(BigInteger.ONE)
;
},

.

To All Employed Cryptographic Engineers in this subreddit,

I am considering joining cryptographic engineering teams at work.

Since some of you have far more experience developing crypto code at work than I do I wanted to ask:

Writing your own crypto code is discouraged. Why did you get started and how did you build your skills?

Would you do it again?

What are the biggest issues you face as a cryptographic engineer?

Are there any frequent work problems you deal with when working with others?

What is the part of being a crypto developer that you enjoyed the most?

I thank everyone who takes the time to respond!

I was reviewing fault injection tools on the Wiki article for Fault Injection.

Which would you say are the most effective tools to test for fault injection attacks targeting cryptographic code? The ones easy to use, easy to study and learn from, and that at least defend against the practical ( and therefore most realistic ) fault injection exploits. Here is a paper on which Fault Injection Attacks are most practical.

Hello,

My name is Romão Costa.

As part of my master's thesis, I am conducting a research study on the usage and security features of the Signal app, and I am looking for participants to complete a short survey.

If you are a Signal user please click on the link below to answer the survey. It will take approximately 5-10 minutes.

Survey: https://qualtricsxmk7m49cmg9.qualtrics.com/jfe/form/SV_bwrCeOJ9AjTqxWm

Your contribution is important for the research on privacy and security in communication apps and could help improve the user experience and security features of Signal.

Your participation is voluntary and anonymous. Thank you for your time and valuable input!

P.S: When i joined the subreddit this information was passed to the mods and it was authorized beacuse they accepted my invite to join this subreddit

Hello everyone,

I am struggling to research coding techniques for constant-time when programming cryptography. Of course a simple solution is study and read the source code from pre-existing crypto libraries.

Which crypto libraries would you recommend I study and learn from? The ideal crypto libraries are the ones whose source code is:

1. Easy to Understand
2. Constant-Time
3. Lab Tested to Be Secure Against Common Attacks (E.g. FIPS-validated)

The closest library I could think of so far is BearSSL since Thomas Pornin wrote decent documentation on constant-time cryptography and Multi-Precision Arithmetic.

What other such libraries do you recommend?

This is the CRS generated by Groth16 Trusted Setup.

https://preview.redd.it/6j48x6a1redd1.png?width=515&format=png&auto=webp&s=48f10d930771d9ea0147e8ccb5342d551e4942b7

As per the moonmath manual this is a circuit specific Trusted Setup & I agree with the moonmath manual on this. If the number of gates in the circuit changes, then the full CRS changes.

​

If you split this into 2 phases

- Phase 1 - you generate the Powers of Tau for A & B (i.e. Powers of Tau for G1 & G2) & discard Tau as toxic waste

- Phase 2 - you generate the remaining things

However, there is a problem here - using just the Tau powers, you can compute every part of the remaining CRS except one part - the last part which I have marked in Red - the h(tau).t(tau) part.

This cannot be generated without knowing the value of t(tau) & the value of t(tau) changes if the number of gates increases or decreases.

​

So why split into 2 parts - this is what I think is the purpose of splitting into 2 parts.

It's to enable the perpetual powers of Tau ceremony.

https://medium.com/coinmonks/announcing-the-perpetual-powers-of-tau-ceremony-to-benefit-all-zk-snark-projects-c3da86af8377

​

In the above description of the Perpetual Powers of Tau Ceremony, I see the following

> any zk-SNARK project can pick a round from the common phase 1

> any zk-SNARK project can pick any point of the ceremony to begin their circuit-specific second phase.

​

What I think this means is

- Perpetual Rounds means Phase 1 doesn't stop.

- In Round 1 of Phase 1, they generate a CRS for n gates - they generate a tau, compute the powers of tau & store it. They also compute Tn(tau) & store it along with it.

- In Round 2 of Phase 1, they generate a CRS for (n+1) gates - they generate a new tau from the older tau, compute the powers of the new tau & store the powers. They also store the newly computed Tn+1(tau) along with it.

- In Round 3 of Phase 1, they generate a CRS for (n+2) gates - they generate a new tau from the 2nd tau, compute the powers of the new tau & store the powers. They also store the newly computed Tn+2(tau) along with it.

​

And so on & so forth - anything someone has a circuit with a higher number of gates, another round of Phase 1 is done.

​

Now if a zkSNARK with n gates wants to use the Phase 1 output, they use the Round 1 output, if they have n+1 gates, they use the Phase 1 Round 2 output & so on.

And since the output contains T(tau) also along with the powers of tau, the full second phase can be computed for that tau

Can someone who understands this, let me know if what I describe is correct? If it is not, how what is the procedure used which allows Phase 2 to be done without knowing the value of T(tau)? T(tau) is required for generate the CRS which helps compute the commitment of H.T - this is that part of the CRS - (tau^i * t(tau))/delta}_{i=0 to n-2}. T depends on number of gates in the circuit - i.e. T(tau) changes if now of gates in the circuit changes.

In a previous blog post I was told to benchmark my cryptographic code to test if it is constant time.

I was considering ctgrind and other tools from this paper. How accurate are these tools at detecting constant-time flaws in code? Do you recommend I use a combination of tools if so? When I should conduct real lab experiments to test if the code is truly constant-time?

Please let me know.

Thanks!

This is another installment in a series of monthly recurring cryptography wishlist threads.

The purpose is to let people freely discuss what future developments they like to see in fields related to cryptography, including things like algorithms, cryptanalysis, software and hardware implementations, usable UX, protocols and more.

So start posting what you'd like to see below!

Hello Everyone,

I have attempted to write a blog post that guides the reader on how to program multi-precision arithmetic. I have done my best to ensure all the code and explanations are easy to follow even for a complete beginner.

This is the first article where I attempt to present constant-time code. I welcome any feedback on how to improve my code to meet this requirement.

I decided to *not* care about speed here for this article--learning how to write Multi-Precision Arithmetic in constant-time for beginners would be hard enough.

The following is an outline of the topics in the article:

Outline

1. Introduction to Constant-Time Programming Techniques
2. Branch-free Comparison Predicates
   1. Equals Comparison
   2. Not Equal to Comparison
   3. Greater Than Comparison
   4. Greater Than or Equal To Comparison
   5. Less Than Comparison
   6. Less Than or Equal To Comparison
3. Storing Big Numbers as Vectors in C++
4. Comparison Predicates with Big Numbers
5. Addition with Big Numbers
6. Subtraction with Big Numbers
7. Multiplication with Big Numbers
   1. Grade School Multiplication
   2. Karatsuba Multiplication

Happy reading and please let me know what can be improved!

Since the http://terrapin-attack.com on SSH I've noticed some people on SuperUser recommend against chacha20-poly1305 - AFAIK there is no issue with ChaCha and it's still a better choice than AES-CBC/GCM/CTR - does anyone disagree, once running a version of SSH that mitigates Terrapin ChaCha is still a great choice for symmetric cipher?

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

How do coders of hardware implementations (e.g. SystemVerilog) of cryptographic primitives fortify their programs with proper side channel countermeasures? Do they have to deal with the issue of the compiler optimizing away side channel and fault injection countermeasures just as with software?

Hi

I want to write some code to demonstrate a length extension attack on a homemade HMAC construction. Where a signature is constructed as:

digest = hash(key+ message)

and then I want to construct a digest from the output of those two.

I read up on it a little, and figured I could do a really simple small code example in c# (if anyone can help with snippets in other similar languages it would be really cool too :D )

My approach

So I figured that if I have a secret and a message that add up to the sha1 block length of 64 bytes, then the hash of these two would simply be a single block of hashing.

Then I could simply take the signature of this message, and append whatever to it, from which I would get a new hash, which would valid

And so I made this little snippet:

using System.Security.Cryptography;

using System.Text;

// secret and message, together they are 64 bytes

string secret = "secret222222222222222222222222222222222222222222222222222222";

string msg = "data";

// the digest

var digest = StringExtensions.hash(secret+msg);

// forging digest, simply trying to append "appendeddata"

string append = "appendeddata";

// and now trying to forge a new digest:

var forgedPayload = StringExtensions.hash(digest + append);

// and then checking it

var constructed = StringExtensions.hash(secret+msg+append);

public static class StringExtensions

{

public static string hash(this string input)

{

if (input == null) throw new ArgumentNullException(nameof(input));

using (SHA1 sha256 = SHA1.Create())

{

byte[] bytes = Encoding.UTF8.GetBytes(input);

byte[] hashBytes = sha256.ComputeHash(bytes);

StringBuilder hash = new StringBuilder();

foreach (byte b in hashBytes)

{

hash.Append(b.ToString("x2"));

}

return hash.ToString();

}

}

}

However, this does'nt work. The two final hashes are always different.

What have i misunderstood, why are these values not adding up?

Hello, want to share the FAQ and Forum for the encryption application Spot-On at Reddit with you, if you like to join:

https://www.reddit.com/r/Spot_On_Encryption/

Spot-On is an open-source Encrpytion Suite for secure Chat & E-Mail, File Transfer and also Websearch in a F2F distributed URL-Database.

Means: Spot-On is a Messaging and File-Transfer Application. With RSS you can import, read, search and distribute your feeds f2f to your friends over encrypted connections.

Enhanced encryption processes have been invented and improved for implementation in Spot-On: such as McEliece-Messaging (Linux), Cryptographic Calling, Zero-Knowledge-Proofs, AutoCrypt via REPLEO and EPKS, Fiasco Forwarding, POPTASTIC-Messaging over E-Mail-Servers, Chipher-Text conversion tools like Rosetta Crypto Pad, Socialist-Millionaire-Security and many more.

Spot-On utilized the Echo-Protocol for the network, it provids end-to-end encryption (and therefore utilizes not a web-of-trust, which is only point-to-point encryption). Spot-On is in the groupchat and for servers compatible with Smoke Crypto Chat Messenger from F-Droid.org

I am aware compilers can optimize code such that it can destroy the constant-time guarantees written in source code. Why don't cryptographic engineers develop specialized compilers that compile to cryptography safe code so that the output is optimized without destroying these essential security features?

Can anyone point me to pseduocode explaining how to implement barrett reduction across multiple words? I've been trying to find a good resource on this but all the stuff I can find are either single word or not quite clear on how to implement the algorithm(if it even explains the multi word variant). Ideally the pseduocode will contain information on how to generate the integer approximation using only bitshifts.

I will update this post with a list. This includes all cryptography.

When writing Circom code, you write verification logic as a system of rank one constraints using the <== syntax. Sometimes expressing a constraint ‘in reverse’ is simpler, and there you use <— syntax followed by a === to express the relevant constraints explicitly. I’m wondering, ‘how bad are almost-proofs’. How many circuit constraints do you really need to demonstrate you know a hash-preimage for example? Are there any examples of removing one RC1S constraint and falsifying knowledge of a Keccak preimage for example?

From my understanding, in order to have maximally hard discrete logarithm instances, one needs to instantiate it over an adequately large prime modulus p such that p = 2q + 1 where q is a prime number. Doing so allows the creation of subgroups of order 2, q, and 2q.

When a generator that generates the subgroup of order q is used for discrete logarithm, you lose half the possible outputs compared to the subgroup of order 2 but you also prevent leakage regarding the output from what I recall. The converse is true when you use a generator for the 2q order group(more outputs but you leak a bit of information). This means from a cryptographic perspective, both options are effectively similar(either q possible outputs or 2q possible outputs but you can exclude one half of the outputs due to leakage).

I would like to know if there would be any reason to prefer one subgroup over another for uses of finite field discrete logarithms in this scenario.

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

Hello. I have an Android App that stores encrypted data using a key derived from user entered password (PBKDF2). If any user forgets their password, they loose access to all their data. Hence, I am trying to implement a password recovery feature that is hacker resistant, including in cases where the phone may be rooted and the sqlite database is accessible.

Here's my solution. I randomly generate and store an internal password in the app. I then encrypt the user's password using this internal password using AES, and further encrypt the output and the user's email using my RSA public key. I store this RSA encrypted value.

If the user forgets their password, I submit the RSA encrypted value to my website. The website will decrypt the value using my private key and will email the app encrypted user password value to the email address found, as an attachment. On clicking the attachment, the user password is decrypted using the internal password, user is logged in and made to change their password.

Do you foresee any weaknesses with this approach? I guess if the user's phone is compromised, then the person holding the phone can check emails and retrieve the password. So perhaps adding a secret question and answer would help, but some people end up forgetting the answer to that as well.