/r/crypto

Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited to encryption of messages such that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This is a technical subreddit covering the theory and practice of modern and *strong* cryptography.

... is the art of creating mathematical / information theoretic assurances for who can do what with data, including but not limited to the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This subreddit is intended for links and discussions surrounding the theory and practice of modern and *strong* cryptography.

**Please note that this subreddit is technical, not political!** The focus is on the algorithms and the security of the implementations.

Because this subreddit is currently in restricted mode, you will NOT be able to post or comment before your account has been approved. Send us a reason why you want to join via mod mail (link below) and tell us why you want to discuss cryptography:

https://www.reddit.com/message/compose/?to=/r/crypto

(along with normal reddiquette)

Don't forget to read our **RULES PAGE**! The rules listed there are also used as this sub's report reasons. The quick version;

- Assume good faith and be kind. This is a friendly subreddit.
- Codes, simple ciphers, ARGs, and other such "weak crypto" don't belong here. (Rule of thumb: If a desktop computer can break a code in less than an hour, it's not strong crypto.) You're probably looking for /r/codes.
- Do not ask people to break your cryptosystem without first sharing the algorithm. Sharing just the output is like...
- "Crack this cipher" challenges also belong in /r/codes
*unless*they're based on interesting crypto implementation bugs, e.g. weak RSA keys. - Familiarize yourself with the following before posting a question about a novel cryptosystem, or else the risk is nobody will take their time to answer:

Internal:

- Our wiki pages
- Threads on starting in crypto one & two
- Thread of crypto links - older thread
- Our monthly cryptography wishlist threads!
- Our hiring threads

External:

- Cryptology ePrint archive
- Discussion site for ePrint papers
- Libera Chat IRC: #crypto (IRC protocol URL)
- Metzdowd cryptography mailing list
- Randombit cryptography mailing list
- StackExchange cryptography community

**Other subreddits that may be of interest:**

Theory:

Practical:

- /r/netsec - Network Security
- /r/RNG - Randomness generation
- /r/compsec - Local computer security
- /r/websec - Security in the browser
- /r/security - General security subreddit
- /r/privacy - General privacy subreddit
- /r/compsci & /r/ComputerScience - Development and application of algorithms

Educational, hobbyist:

- /r/codes & /r/breakmycode - For cracking basic codes
- /r/gpgpractice - Learn to use GPG here
- /r/primitiveplayground - test your homebrew ciphers here
- /r/stanfordcrypto

Political and in the news:

- /r/privacypatriots/
- /r/NSAleaks - Snowden documents and more
- /r/restorethefourth

Software:

- /r/gpg (fairly empty)
- /r/bitcoin, /r/cryptocurrency - crypto applied to money

Related:

- /r/cryptography
- /r/encryption
- /r/weboftrust (fairly empty)
- /r/capabilities - A type of security model
- /r/Intelligence - Espionage

Memes and low effort submissions:

Feel free to message the moderators with suggestions for how to improve this subreddit, as well as for requesting adding links in the sidebar.


27

https://eprint.iacr.org/2024/555.pdf

Hopefully we can start a thread discussing insights and updates.

7 Comments

2024/04/11

11:40 UTC

11

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

2 Comments

2024/04/08

10:00 UTC

2

My understanding of TPM is there are essentially 3 parties:

- Manufacturer, e.g. ASUS
- The cloud provider, or owner of a host machine which contains a TPM manufactured by ASUS, call her Eve
- The relying party, Bob

The short of what I'm trying to understand is this. Supposing Bob trusts ASUS the manufacturer, and does not trust Eve, can Bob be assured that Eve is running an application he created as is, with nothing else?

So suppose Bob is developing some web application, call it Survey Ape. Bob makes a build for Survey Ape and loads it into a custom linux image so that if he puts that image on his own HDD it will load linux and auto-start Survey Ape. He sends that build to Eve to run on her host machine. I think the TPM can be used to assure Bob that Eve is in fact running untampered ASUS hardware. But can the TPM attestations also be used to assure Bob that Eve did not modify the linux image before loading it into the hard drive, perhaps changing Survey Ape to harvest credentials?

Suggestions for further reading are appreciated.

3 Comments

2024/04/07

18:09 UTC
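Added illustration (an editor's example, not part of the post above or its replies): the mechanism the question is about is a measured boot chain, where each loaded component is hashed and folded into a TPM Platform Configuration Register, and the relying party compares the quoted PCR value with the value he expects. The simulation below uses the TPM 2.0 extend rule for a SHA-256 PCR bank, `PCR' = SHA256(PCR || digest)`, over four constructed placeholder blobs standing in for firmware, bootloader, kernel and the disk image that carries the application; the names `measure_chain`, `relying_party_check` and `tampered_chain` are this example's own, and the blobs are constructed, not real binaries.

```python
import hashlib
import hmac

# Constructed stand-ins for what a measured boot chain would actually hash.
# On real hardware each entry is the digest of the real binary or image.
BOOT_CHAIN = [
    ("firmware",   b"constructed firmware bytes"),
    ("bootloader", b"constructed bootloader bytes"),
    ("kernel",     b"constructed linux kernel bytes"),
    ("app-image",  b"constructed Survey Ape image v1"),
]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend rule for a SHA-256 bank: PCR' = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components) -> bytes:
    """Simulate one PCR: starts at all-zero bytes, extended once per component,
    in load order. Order matters, so swapping components changes the result."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def relying_party_check(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Bob's side: compare the PCR value carried in the (attestation-key-signed)
    quote against the golden value he computed from the image he shipped."""
    return hmac.compare_digest(reported_pcr, golden_pcr)


def tampered_chain(components, name: str, new_blob: bytes):
    """Return a copy of the chain in which one component has been replaced."""
    return [(n, new_blob if n == name else b) for n, b in components]


def demo():
    """Returns (honest host passes, modified image passes, reordered chain passes)."""
    golden = measure_chain(BOOT_CHAIN)                  # Bob computes this offline
    honest = measure_chain(BOOT_CHAIN)                  # Eve boots the image as shipped
    modified = measure_chain(tampered_chain(
        BOOT_CHAIN, "app-image",
        b"constructed Survey Ape image with credential harvester"))
    reordered = measure_chain(list(reversed(BOOT_CHAIN)))
    return (relying_party_check(honest, golden),
            relying_party_check(modified, golden),
            relying_party_check(reordered, golden))


if __name__ == "__main__":
    print(demo())
```

Two caveats the simulation makes visible: the check only covers what is actually measured, so the application image has to be part of the chain (and the golden value has to be recomputed for every legitimate rebuild), and a PCR match says what was loaded at boot, not what the host did afterwards; verifying that the quote really came from a TPM (attestation key certified by the manufacturer) is a separate step not modelled here.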

14

Hello, recently I came across "A Friendly Introduction to Supersingular Isogeny Diffie-Hellman" by David Urbanik (link). His explanation was very digestible for a layman like me and gave a very clear overview of how SIDH works.

I'm currently looking for something similar but for CSIDH. Many papers on CSIDH assume too much mathematical background for me which makes it very difficult for me to understand what's happening. Does anyone know of a high level overview of CSIDH that assumes a similar mathematical background like Urbanik's?

Particularly, from what I understand, CSIDH works by a commutative group action where the group is isogenies acting on some elliptic curve E0. What I'm confused about is:

- How are the isogenies constructed?
- How do isogenies even compose and commute: say I have phi: E0 -> E1 and tau: E0 -> E2, how would (phi . tau) even make sense, let alone be equivalent to (tau . phi), when the domains and codomains don't even match?
- An extension to 2: what even is the group? I can't convince myself isogenies would form a group under composition since composition doesn't make sense.
- Wouldn't algebraic actions like this be susceptible to quantum attacks? Or is it okay for CSIDH specifically because we aren't sending group elements, but rather elements which are being acted on by a group?

3 Comments

2024/04/05

20:50 UTC

9

SW5zZXJ0IEFwcmlsIEZvb2xzJyBqb2tlIGhlcmU=

Edit: Oops! Looks like today's post was lost in a supply chain attack! Sorry about that, we moderators know you were looking forward to the yearly traditional post, we promise we will review our security practices for next year so it doesn't happen again! Fortunately our brief internal review says no user data was lost, so there's nothing for you to worry about.

5 Comments

2024/04/01

20:30 UTC

9

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/04/01

10:00 UTC

4

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/03/25

11:00 UTC

14

I looked at FHE more than 5 years ago and it was not quite there to be useful yet. Microsoft had their SEAL library but nothing outside of that. I think things have changed and it's usable now. How can I get up to date on this topic, papers, blogs, source code, libraries I can read?

2 Comments

2024/03/22

22:01 UTC

46

2 Comments

2024/03/20

14:58 UTC

6

From openssl-project/2024-March/003285

This webinar is designed to take you from an understanding of basic cryptography concepts to writing your first secure application using OpenSSL. It's the perfect starting point for anyone looking to dive into the world of secure application development.

- Date: Mar 28, 2024
- Time: 09:00 AM Pacific Time (US and Canada)
- Location: Online (Zoom)

Check the mailing list for registration link and full info!

0 Comments

2024/03/19

08:33 UTC

7

Hello! I am trying to perform some EC arithmetic on the secp256k1 curve.

Specifically, I am having trouble performing a modular multiplication using Hashcat’s OpenCL implementation mul_mod function.

The function as-written performs modular multiplication `mod P`, but I need to perform modular multiplication `mod N`. I previously tried to modify the function to use the lib's `SECP256K1_N*` values, but was not getting the proper result.

I noticed that the function uses an optimized algorithm from Modular Multiplication using special prime moduli (p.354 or p.9 in that document), and as such uses a "magic number" from the curve (omega: `0x3d1`) related to the curve's P value in the internal calculations.

Is there a straight-forward way to alter this function to perform multiplication `mod N`? Or is this specific implementation not compatible due to the "special moduli"? If not compatible, can someone help point me in the right direction of an OpenCL compatible mul_mod secp256k1 implementation?

3 Comments

2024/03/18

12:15 UTC
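Added illustration (an editor's example, not part of the post above, its replies, or Hashcat's code): the reduction the post describes works because the secp256k1 field prime satisfies `2^256 = 2^32 + 0x3d1 (mod P)`, so a 512-bit product can be folded down with one multiplication by that 33-bit constant. The group order N has no such property (`2^256 - N` is a 129-bit number), which is why substituting the `N` constants into the same routine cannot work. The example shows the special-prime fold for P next to a Montgomery multiplication that works for any odd modulus, including N. The curve constants are the public secp256k1 parameters; the function names are this example's own.

```python
# Public secp256k1 parameters.
P = 2**256 - 2**32 - 977   # field prime, 2^256 - 0x1000003D1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
OMEGA = 0x3D1              # the "magic number": 2^256 == 2^32 + OMEGA (mod P)
R = 2**256                 # word boundary used by both reductions


def special_prime_gap(modulus: int) -> int:
    """Bit length of 2^256 - modulus: 33 for P (the fold constant), 129 for N.
    The special-moduli trick is only cheap when this gap is a small constant."""
    return (R - modulus).bit_length()


def reduce_mod_p(x: int) -> int:
    """Reduce 0 <= x < 2^512 modulo P using only the 2^256 -> 2^32 + OMEGA fold.
    Two folds bring x below 2^256 + 2^66; a couple of subtractions finish."""
    assert 0 <= x < R * R
    for _ in range(2):
        hi, lo = divmod(x, R)
        x = lo + hi * (2**32 + OMEGA)
    while x >= P:
        x -= P
    return x


def mul_mod_p(a: int, b: int) -> int:
    """a*b mod P for 0 <= a, b < P, via the special-prime reduction."""
    return reduce_mod_p(a * b)


# Montgomery multiplication: general for any odd modulus, so it serves for N.
N_PRIME = (-pow(N, -1, R)) % R   # -N^{-1} mod R, computed once


def mont_mul(a: int, b: int) -> int:
    """Return a*b*R^{-1} mod N for 0 <= a, b < N (REDC with a single 256-bit step)."""
    t = a * b
    m = ((t % R) * N_PRIME) % R
    u = (t + m * N) // R            # exact division: t + m*N is a multiple of R
    return u - N if u >= N else u


def to_mont(a: int) -> int:
    return (a * R) % N


def from_mont(a: int) -> int:
    return mont_mul(a, 1)


def mul_mod_n(a: int, b: int) -> int:
    """a*b mod N for 0 <= a, b < N. In a real kernel operands would stay in
    Montgomery form across many operations; converting per call is for clarity."""
    return from_mont(mont_mul(to_mont(a), to_mont(b)))


if __name__ == "__main__":
    print(special_prime_gap(P), special_prime_gap(N))
    print(hex(mul_mod_p(P - 1, P - 2)), hex(mul_mod_n(N - 1, N - 2)))
```

The OpenCL routine in the post is the fixed-width, branch-light version of `reduce_mod_p`; the same structure cannot be retargeted at N by swapping constants, because the fold multiplier for N would be 129 bits wide and the product would not shrink. A Montgomery or Barrett reduction keyed to N is the usual replacement for scalar arithmetic.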

5

Welcome to /r/crypto's weekly community thread!

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/03/18

11:00 UTC

4

This is another installment in a series of monthly recurring cryptography wishlist threads.

The purpose is to let people freely discuss what future developments they like to see in fields related to cryptography, including things like algorithms, cryptanalysis, software and hardware implementations, usable UX, protocols and more.

So start posting what you'd like to see below!

0 Comments

2024/03/18

11:00 UTC

2

I would need to implement ISO/IEC 9796-2 Schema 1 Signing with private keys stored on a HSM. The modulus **MUST** be 1024 bit and the hash algorithm **MUST** be SHA-1. Note, that there is a reference implementation in bouncycastle. I am aware that the length of the modulus and the SHA-1 algorithm are outdated/insecure. Now my question is if there is a cloud based Hardware Security Module provider that offers RSA-1024 with SHA-1 signing. From what I saw this is neither possible with AWS nor Google. Any ideas on how to approach this?

2 Comments

2024/03/12

20:24 UTC

3

Hello, I am an amateur cryptographer and have seen a few variations on factoring p * q like Fermat's method. I've come up with a variation that has undergone some speed testing. Are there any other simple algorithms before one gets into sieving? Share yours.

My algorithm adds 1 to the square root of n if it is even and then adds 2 to each loop that the condition (n % a) != 0.

4 Comments

2024/03/11

18:58 UTC

14

I am new to this sub but have been looking through past posts. I am looking for a cryptography book which contains a chapter about padding oracles. I looked through books from authors that are often recommended (s.a. Schneier, Ferguson, Singh, Paar etc.) but they only seem to edge the topic of padding oracles in one sentence while going into depth into CBC or similar.

On top of that, could you guys maybe enlighten me: is there a reason why this topic is usually not worthy of its own sub-chapter? Is it a trivial thing or is it just too vague?

Why padding oracles? I am interested in having some literal content, other than the same explanations on the internet. Don't get me wrong, they are good and helpful, but while learning for my crypto exam, I often realized that I want to go the extra mile.

Regarding the book. I would like for it to be a general book, which also contains knowledge about encryption, authentication, netsec, and IPSEC/DNS(SEC) if possible.

Thanks in advance!

Edit: I also asked this question in r/cybersecurity.

9 Comments

2024/03/11

11:23 UTC

4

Welcome to /r/crypto's weekly community thread!

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/03/11

11:00 UTC

8

Instead of using AES in CBC with a HMAC (created with a key derived from the agreed symmetric key), is it possible to achieve similar using AES in CBC with digital signatures, like EdDSA?

If so, is it possible to use ephemeral keys in some way on the signature front and bind them to the underlying cipher text, or do the signing keys need to be verified/authenticated to an identity out of band?

4 Comments

2024/03/07

17:37 UTC

10

does this scheme exist, or can it be constructed?

motivation: bank releases a signed document about your monthly transactions. you want to show it to someone, but redact certain fields.

kinda something like this:

bank has a signing key, the public key of it is PUB

the bank signs a document m that is a series of submessages m_1 ... m_n. the bank also publishes S signature.

then i can redact any of the messages, and construct, e.g:

m_1, redacted(m_2), m_3, ..., and a modified S'

anyone with S' and PUB can verify the redacted signature against the redacted m.

it is okay if S' has a totally different format than S.

it should be clear and verifiable which parts are redacted and which parts are original.

the parts must still be linked together. so individually signing parts is not enough.

however, it should not be feasible to figure out any redacted elements, even with brute force. this is important, because m_i can be of a small set, like birth year, or can be guessable, like a suspected recipient bank account number.

9 Comments

2024/03/07

11:26 UTC
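Added illustration (an editor's example, not part of the post above or its replies): one construction that meets the listed requirements is to commit to each field `m_i` with a fresh 256-bit random salt, `leaf_i = H(i || salt_i || m_i)`, sign the hash of all leaves (with the count `n` included) once, and let the holder replace any field by its leaf hash when redacting. The index in each leaf binds position, the single root binds the parts together, and the salt is what makes a redacted small-domain field (birth year, account number) unguessable: without `salt_i` the verifier cannot test candidate values against the published leaf hash. Everything here is this example's own naming. The bank's signature over the root is stood in for by an HMAC under a constructed demo key, only so the example runs on the standard library; in the real scheme that step is an ordinary signature verified with PUB, and nothing else changes.

```python
import hashlib
import hmac
import os

# Constructed demo key standing in for the bank's private signing key.
# Real deployments sign the root with e.g. Ed25519 and verify with PUB.
BANK_DEMO_KEY = b"constructed demo key, not a real signing key"


def sign_root(root: bytes) -> bytes:
    """Stand-in for the bank's signature S over the root (HMAC, see lead-in)."""
    return hmac.new(BANK_DEMO_KEY, root, hashlib.sha256).digest()


def verify_root(root: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_root(root), sig)


def leaf_hash(index: int, salt: bytes, field: bytes) -> bytes:
    """Salted, position-bound commitment to one submessage m_i."""
    return hashlib.sha256(b"leaf" + index.to_bytes(4, "big") + salt + field).digest()


def root_hash(leaves) -> bytes:
    """Binds all leaves and their count together; this is what gets signed."""
    h = hashlib.sha256(b"root" + len(leaves).to_bytes(4, "big"))
    for leaf in leaves:
        h.update(leaf)
    return h.digest()


def bank_sign(fields):
    """Bank side: returns S = (signature over root, all per-field salts)."""
    salts = [os.urandom(32) for _ in fields]
    leaves = [leaf_hash(i, s, f) for i, (s, f) in enumerate(zip(salts, fields))]
    return {"sig": sign_root(root_hash(leaves)), "salts": salts}


def redact(fields, S, hidden):
    """Holder side: hide the fields at indices in `hidden`. Returns (document
    with None in redacted positions, S') where S' opens each kept field with
    its salt and replaces each hidden field by its leaf hash."""
    doc, proof = [], []
    for i, f in enumerate(fields):
        if i in hidden:
            doc.append(None)
            proof.append(("hidden", leaf_hash(i, S["salts"][i], f)))
        else:
            doc.append(f)
            proof.append(("open", S["salts"][i]))
    return doc, {"sig": S["sig"], "fields": proof}


def verify_redacted(doc, S_prime) -> bool:
    """Anyone with S' (and PUB in the real scheme) checks the redacted document.
    Which parts are redacted is explicit and covered by the signature."""
    if len(doc) != len(S_prime["fields"]):
        return False
    leaves = []
    for i, (f, (kind, val)) in enumerate(zip(doc, S_prime["fields"])):
        if kind == "open" and f is not None:
            leaves.append(leaf_hash(i, val, f))
        elif kind == "hidden" and f is None:
            leaves.append(val)
        else:
            return False
    return verify_root(root_hash(leaves), S_prime["sig"])


def demo():
    """Returns (valid redaction, edited open field, swapped open fields, edited hidden leaf)."""
    fields = [b"name=Alice", b"birth_year=1987", b"account=DE00 0000 0000", b"total=123.45"]
    S = bank_sign(fields)
    doc, Sp = redact(fields, S, {1, 2})
    edited = list(doc); edited[3] = b"total=999999.00"
    swapped = list(doc); swapped[0], swapped[3] = swapped[3], swapped[0]
    Sp_swapped = {"sig": Sp["sig"], "fields": list(Sp["fields"])}
    Sp_swapped["fields"][0], Sp_swapped["fields"][3] = Sp["fields"][3], Sp["fields"][0]
    Sp_bad_leaf = {"sig": Sp["sig"], "fields": list(Sp["fields"])}
    Sp_bad_leaf["fields"][1] = ("hidden", bytes(32))
    return (verify_redacted(doc, Sp), verify_redacted(edited, Sp),
            verify_redacted(swapped, Sp_swapped), verify_redacted(doc, Sp_bad_leaf))


if __name__ == "__main__":
    print(demo())
```

S' is indeed a different object from S: it carries the signature plus, per field, either a salt or a leaf hash. The holder cannot "un-redact" a field the bank never signed, and the verifier learns nothing about hidden fields beyond their position and their 256-bit commitments. With many fields, the flat list of leaves can be replaced by a Merkle tree so that S' only needs O(log n) hashes for the hidden parts; the salting and position binding stay the same.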

7

Lately I've become increasingly interested in the study of cryptography from an information theory point of view. I've come across the concept of key and message equivocation, in particular I've learned the key equivocation is in general greater than message equivocation and it all makes sense to me. What I'm having a hard time understanding is why we focus on key equivocation while studying the security of a secrecy system (e.g. unicity distance). Wouldn't it be better to focus on message equivocation since it's smaller? I'm sure there is something I'm not fully understanding and I hope some of you could kindly help me :)

0 Comments

2024/03/07

09:44 UTC