Cryptography and Cybersecurity

Research

• A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms
• The first collision for full SHA-1
• Watermarks in the Sand Impossibility of Strong Watermarking for Generative Models
• NIST National Vulnerability Database (NVD)

Resources 📚

• ✨ Practical Cryptography for Developers
• cryptography (pyca/cryptography) - cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions
• Crypto 101, by Laurens Van Houtven
• The Cryptopals Crypto Challenges
• Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone
  • Table of Contents pdf
  • Chapter 1 - Overview of Cryptography pdf
  • Chapter 2 - Mathematics Background pdf
  • Chapter 3 - Number-Theoretic Reference Problems pdf
  • Chapter 4 - Public-Key Parameters pdf
  • Chapter 5 - Pseudorandom Bits and Sequences pdf
  • Chapter 6 - Stream Ciphers pdf
  • Chapter 7 - Block Ciphers pdf
  • Chapter 8 - Public-Key Encryption pdf
  • Chapter 9 - Hash Functions and Data Integrity pdf
  • Chapter 10 - Identification and Entity Authentication pdf
  • Chapter 11 - Digital Signatures pdf
  • Chapter 12 - Key Establishment Protocols pdf
  • Chapter 13 - Key Management Techniques pdf
  • Chapter 14 - Efficient Implementation pdf
  • Chapter 15 - Patents and Standards pdf
  • Appendix - Bibliography of Papers from Selected Cryptographic Forums pdf
  • References pdf
  • Index pdf
• Cryptography 101: online courses on cryptography and related areas by Alfred Menezes
  • The Mathematics of Lattice-Based Cryptography (SIS, LWE, lattices)
  • Kyber and Dilithium (standardized lattice-based cryptosystems
  • Crypto 101: Building Blocks (fundamental cryptographic primitives
  • Crypto 101: Real-World Deployments (beginning in February 2025)
  • Error-Correcting Codes (linear, Hamming, Golay, cyclic, BCH, Reed-Solomon codes)
• Cryptography 101 Playlists - Lectures by Alfred Menezes on applied cryptography and related areas
• The CTF Primer by Samuel Sabogal Pardo, Jeffery John, Luke Jones
• crackmes.one - a simple place where you can download crackmes to improve your reverse engineering skills
• OpenSSL - The OpenSSL software library is a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. It is developed under the OpenSSL Mission with support from the OpenSSL Foundation and OpenSSL Corporation.
• OpenSSL Cookbook: A short book that covers the most frequently used features and commands (Feisty Duck)
• Short-form Video lectures:
  • Assorted lectures available from channels Jake Danniel and Osiris Salazar (original author not clear)
  • Some lectures by Muhammed Mustaqim are helpful
• Cryptography & Network Security by Neso Academy (Course)
• Lectures series by Cihangir Tezcan
  • Blockchain & Cryptocurrency Technologies from Cihangir Tezcan
  • CSEC 507: Applied Cryptology
  • Network Security

Articles

• Welcome to Minicrypt
• Digital hygiene by Andrej Karpathy
• Turning Google smart speakers into wiretaps for $100k
• How To Crack WEP and WPA Wireless Networks 2008-11-21 (updated: 2013-02-25) by Philip
• backdoor in US medical device calls out to chinese university
• Satoshi Nakamoto - Wikipedia

Concepts

• Kerckhoffs’s principle - Wikipedia: “No security through obscurity”
• Public-key cryptography - Wikipedia
• Diffie–Hellman key exchange - Wikipedia
• Forward secrecy - Wikipedia
• Information-theoretic security - Wikipedia is unconditional security or perfect secrecy and requires a One-time pad - Wikipedia
  • Simply put, what does “perfect secrecy” mean?
• Semantic security - Wikipedia is the practical notion of secrecy assuming a computationally bounded adversary
  • due to Goldwasser and Micali 1982: Probabilistic encryption & how to play mental poker keeping secret all partial information
• RSA (cryptosystem) - Wikipedia (Rivest–Shamir–Adleman)
• Digital Signature Algorithm - Wikipedia
• Federal Information Processing Standards - Wikipedia
• What are the differences between a digital signature, a MAC and a hash? - this post has a fantastic answer containing a table that outlines the differences between digital signatures, message authenticating codes (MACs) and hashing which I’ve kept a note of in: What are the differences between a digital signature, a MAC and a hash?
• Joan Daemen - Wikipedia

Mathematical prerequisites

• Group (mathematics) - Wikipedia
• Abelian group - Wikipedia
• Field (mathematics) - Wikipedia
• Finite field - Wikipedia - Galois field (“like a prime field, but with polynomials”)
• Ring (mathematics) - Wikipedia
• Bijection, injection and surjection - Wikipedia
• One-way function - Wikipedia
• Trapdoor function - Wikipedia
• Elliptic curve - Wikipedia
• Chinese remainder theorem - Wikipedia
• Discrete logarithm - Wikipedia
• Modular exponentiation - Wikipedia - Modular exponentiation is efficient to compute, even for very large integers. On the other hand, computing the modular discrete logarithm – that is, finding the exponent e when given b, c, and m – is believed to be difficult. This one-way function behavior makes modular exponentiation a candidate for use in cryptographic algorithms.
• Euclidean algorithm - Wikipedia
  • Bézout’s identity - Wikipedia - Let a and b be integers with greatest common divisor d. Then there exist integers x and y such that ax + by = d. Moreover, the integers of the form az + bt are exactly the multiples of d.
  • Lamé’s theorem - Wikipedia showed that the version of the Euclidean algorithm using remainders finishes in at most 5d steps for integers a and b where d is the number of digits in the (decimal) representation of b
• Extended Euclidean algorithm - Wikipedia
• Sieve of Eratosthenes - Wikipedia
• Primality test - Wikipedia
• AKS primality test - Wikipedia

See also the general section on Math for more.

Symmetric Cryptography

• FIPS 197 Federal Information Processing Standards Publication Advanced Encryption Standard (AES)
• Lecture 8: AES: The Advanced Encryption Standard from Lecture Notes on “Computer and Network Security” by Avi Kak (February 6, 2025)
• Advanced Encryption Standard - Wikipedia (AES)
  • AES Explained (Advanced Encryption Standard) - Computerphile
  • EXTRA BITS: AES Explained- Computerphile
  • was based on/extended from Square (cipher) - Wikipedia
• Almost All Web Encryption Works Like This (SP Networks) - Computerphile - Substitution-Permutation (SP) networks
• Feistel cipher - Wikipedia
  • Feistel Cipher - Computerphile
  • EXTRA BITS: Feistel Modes of Operation Code - Computerphile
• Block cipher mode of operation - Wikipedia - block cipher modes of operation
  • How to choose an AES encryption mode (CBC ECB CTR OCB CFB)? [closed]
  • Modes of Operation - Computerphile
  • ECB: Electronic Code Book - bad (insecure; see ECB tux / penguin)
  • CBC: Cipher Block Chaining - secure but not parallelisable; adversary can affect subsequent blocks by flipping bits in earlier ones; vulnerable to padding attacks
  • Counter Mode: convert block cipher into stream cipher; nonce (unique to each communication; not private); XOR the cipher stream (for each block) with the message; like key stream cipher but operating block-wise; (by the way: no authentication); don’t need decryption $\to$ just use encryption to obtain “key stream” and XOR this with the ciphertext like for encryption; size of nonce puts hard limit on number of messages possible to send before need to change key
  • GCM: Galois Counter Mode - authenticate the ciphertext (related to the plaintext), the nonce and the length of the message,
    • AES GCM (Advanced Encryption Standard in Galois Counter Mode) - Computerphile
    • EXTRA BITS - AES GCM Maths Bit - Computerphile
    • Understanding AES Encryption Modes AES-GCM, AES-CBC, AES-CTR - has a decent comparison table of AES-GCM vs AES-CBC vs AES-CTR
• Welcome to Minicrypt

Cryptographic Hash Functions

• SHA-1 - Wikipedia
  • message digest (output or “signature”) length: 160-bit
  • block size: 512-bit blocks
  • initialized based on constants (see standard)
  • works on 5 32-bit words
  • 80 rounds
  • Merkle-Damgard (iterate on input until expended)
  • Collision resistance: $2^{6}3$
  • Marc Stevens showed collisions for SHA-1 when attacker can choose IV in 2015 and with large GPU compute (from Google) with SHA-1 IV in 2017 in: The first collision for full SHA-1
• RIPEMD - Wikipedia - Developed by Dobbertin, Bossaelaers, Preneel in 1996 (developed in the open academic community, in contrast to the NSA-designed SHA-1 and SHA-2 hash algorithms)
  • Block size: 512 bits
  • Message digest length (n): 128, 160, 256, 320 bits
  • Number of rounds: 80
  • Туре: Merkle-Damgard
  • Collision resistance: $2^{8}0$ (due to birthday paradox)
  • (RIPEMD-160 is the only remaining 160 bit digest size hash function that has not been broken yet)
  • Bitcoin script allows RIPEMD-160 with the opcode OP_RIPEMD160
  • Bitcoin uses RIPEMD-160 (after using SHA-256) for address generation with the opcode OP-HASH160
• SHA-2 - Wikipedia - uses 256 or 512 bit internal state; uses Merkle–Damgård construction with Davies–Meyer compression function
  • Merkle–Damgård construction - Wikipedia
  • One-way compression function - Wikipedia
• SHA-3 - Wikipedia - Keccak, winner of SHA-3 competition, is designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
  • Block size: 1152, 1088, 832, 576 bits
  • Message digest length (n): 224, 256, 384 or 512 bits
  • Number of rounds: 64 or 80
  • Type: Sponge construction
  • Resources:
    • SHA: Secure Hashing Algorithm - Computerphile
    • EXTRA BITS - SHA1 Problems - Computerphile
    • SHA3 in Cryptocurrency Mining from Cihangir Tezcan
• Desiderata of secure hash functions
  1. Preimage resistance: Given $y=h(x)$ it is computationally infeasible to find $x$ s.t. $h(x)=y$
     • is this equivalent to one-wayness?
     • Brute force attack requires $2^n$ operations
     • Practical Use Case: Password storage: Practically store $has{h}^N(password||salt)$ i.e. concat password and random salt and perform hash several times (to slow attacker brute force attack)
  2. Second Preimage resistance: Given both $y=h(x)$ and $x$ it is computationally infeasible to find $x^{\prime }$ s.t. $h(x^{\prime })=y$
     • Brute force attack requires $2^n$ operations
  3. Collision resistance: Given $h(.)$ the hash function, it should be computationally infeasible to find $(x_1,x_2)$ s.t. $h(x_1)=h(x_2)$
     • Brute force attack requires $2^{n/2}$ operations due to birthday paradox
     • Practical Use Case: Hacker produces software executables $s_1$ and $s_2$ and sends $s_1$ to Microsoft who approve and store $h(s_1)$ on Windows OS to allow $s_1$ to run, but hacker distributes $s_2$ with exploit which is cleared for execution by kernel since $h(s_1)=h(s_2)$
       • Flame malware used such a bug in MD5: Flame malware collision attack explained MSRC Blog Microsoft Security Response Center
     • Why SHA-256 is called 128-bit security because 256/2 = 128 due to the birthday paradox
  • Hashing in Blockchains and Cryptocurrencies by Cihangir Tezcan
• Birthday Paradox: How many people should be in a room before it is more likely than not that two people share a birthday? (i.e. $P(\text{share birthday})>1/2$
  • Birthday problem - Wikipedia
• Merkle–Damgård construction - Wikipedia
  • SHA-1, SHA-2
• Sponge Construction: Sponge function - Wikipedia
  • SHA-3 (Keccak)
• Merkle-Damgard and Sponge Constructions for Hashing - Cihangir Tezcan
• MD4, MD5, RIPEMD, SHA1, SHA2 in Cryptocurrencies - Cihangir Tezcan
• Password Hashing Competition - there wasn’t an established standard to fulfill the needs of modern applications and to best protect against attackers. We started the Password Hashing Competition (PHC) to solve this problem.
  • PHC ran from 2013 to 2015 as an open competition—the same kind of process as NIST’s AES and SHA-3 competitions, and the most effective way to develop a crypto standard. We received 24 candidates, including many excellent designs, and selected one winner, Argon2, an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg.

Message Authentication Codes (MAC) and Hash-based MAC (HMAC)

• MAC and Key Derivation (clipped)
• Length Extension Attacks from Cry.College
• KMAC KECCAK Message Authentication Code

Asymmetric (Public-Private Key) Cryptography

• RSA a simple and easy-to-read implementation « Python recipes « ActiveState Code (link)
• The RSA Encryption Algorithm (2 of 2: Generating the Keys) (and Part 1 of 2: Computing an Example) by Eddie Woo
• How does RSA Cryptography work? on Tom Rocks Maths

Digital Signatures

• Digital Signature Algorithm - Wikipedia
• ElGamal signature scheme - Wikipedia
• Schnorr signature - Wikipedia
• EdDSA - Wikipedia $\leftarrow$ this is what’s used e.g. when you follow GitHub’s guide to create a new SSH key
  • introduced in High-speed high-security signatures
  • based on twisted Edwards curves, which were introduced “Twisted Edwards Curves” in 2008 and are named after Harold M. Edwards
  • are high performance

Elliptic Curve Cryptography

• A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography
• Elliptic Curve Cryptography a gentle introduction (link)
  • HTML5/JavaScript visual tool for computing sums on elliptic curves - built by Andrea Corbellini
• Elliptic-curve cryptography - Wikipedia
• RSA vs ECC which one is better, and why? - Reddit thread, maybe spurious but still interesting
• Elliptic-curve Diffie–Hellman - Wikipedia
• Elliptic Curve Digital Signature Algorithm - Wikipedia

Notes on Motivations for use of Elliptic Curve Cryptography from National Security AgencyCentral Security Service Web Site

The two noteworthy first generation public key algorithms used to secure the Internet today are known as RSA and Diffie-Hellman (DH). The security of the first is based on the difficulty of factoring the product of two large primes. The second is related to a problem known as the discrete logarithm problem for finite groups. Both are based on the use of elementary number theory. Interestingly, the security of the two schemes, though formulated differently, is closely related.

…elliptic curve cryptography has remained at its full strength since it was first presented in 1985…

…The length of a key, in bits, for a conventional encryption algorithm is a common measure of security. To attack an algorithm with a k-bit key it will generally require roughly 2k-1 operations. Hence, to secure a public key system one would generally want to use parameters that require at least 2k-1 operations to attack. The following table gives the key sizes recommended by the National Institute of Standards and Technology to protect keys used in conventional encryption algorithms like the (DES) and (AES) together with the key sizes for RSA, Diffie-Hellman and elliptic curves that are needed to provide equivalent security.

Symmetric Key Size (bits)	RSA and Diffie-Hellman Key Size (bits)	Elliptic Curve Key Size (bits)
80	1024	160
112	2048	224
128	3072	256
192	7680	384
256	15360	521
Table 1: NIST Recommended Key Sizes

To use RSA or Diffie-Hellman to protect 128-bit AES keys one should use 3072-bit parameters: three times the size in use throughout the Internet today. The equivalent key size for elliptic curves is only 256 bits.

One can see that as symmetric key sizes increase the required key sizes for RSA and Diffie-Hellman increase at a much faster rate than the required key sizes for elliptic curve cryptosystems.

Post-Quantum Cryptography

• Prepping for post-quantum a beginner’s guide to lattice cryptography

Blockchains and Cryptocurrencies

• Smart contract - Wikipedia
• Airdrop (cryptocurrency) - Wikipedia
• The great chain of being sure about things The Economist

Bitcoin

• Bitcoin Block Reward Halving Countdown (clipped) - has very useful Stats section including total Bitcoins in circulation, to mine, price per coin (in USD), time to next block halving (reward payout to miners), hash rate, block generation time (and blocks generated per day), Bitcoin inflation per day/annum, total blocks etc.
• bitcoin/bitcoin repo - Bitcoin Core integration/staging tree
• Bitcoin Core is an open source project which maintains and releases Bitcoin client software called “Bitcoin Core”.
  • It is a direct descendant of the original Bitcoin software client released by Satoshi Nakamoto after he published the famous Bitcoin whitepaper.
  • Bitcoin Core consists of both “full-node” software for fully validating the blockchain as well as a bitcoin wallet. The project also currently maintains related software such as the cryptography library libsecp256k1 and others located at GitHub.
• Transaction size calculator from the Bitcoin Operations Technology Group (“Bitcoin Optech”)
• Weight units - Bitcoin Wiki
• Bitcoin Dust & Dusting attack - Wikipedia
  • What is meant by Bitcoin dust? from bitcoin.stackexchange.com
  • Bitcoin Dust Overview, Disadvantages, and Example
  • Understanding Dust Limits Magic Eden Help Center
  • Crypto Dust and Dusting Attacks Explained
• Coinbase transaction is the transaction contained in the newly forged block which contains the reward payment to the miner → acts as an incentive for the miner to broadcast the block a.s.a.p.

Ethereum

• Ethereum - Wikipedia was proposed in a 2013 white paper by Vitalik Buterin - Wikipedia
• In September 2022, Ethereum moved from Proof of Work (PoW) to Proof of Stake (PoS)
  • Prior to September 2022 In its proof of work algorithm ethash, Ethereum uses Keccak but it should be noted that it is slightly different than the standardized version of Keccak, namely SHA-3. A late change in the standardization process of SHA-3 resulted in a different padding than the one used in ethash.
    • Thus, sometimes the used hash algorithms in ethash are referred to as Keccak-256 and Keccak-512, instead of SHA3-256 and SHA3-512.

Mining Puzzles with SHA-3 Competition Algorithms

Some cryptocurrencies use multiple hash functions for their hash puzzles. This complexity is expected to prevent efficient ASIC development:

1. X11: Blake, BMW, Groestl, JH, Keccak, Skein, Luffa, Cubehash, Shavite, Simd, Echo
2. X13: BLAKE, BMW, Groestl, JH, Keccak, Skein, Luffa, Cubehash, Shavite, Simd, Echo, Hamsi and Fugue
3. X15: Blake, BMW, Groestl, JH, Keccak, Skein, Luffa, Cubehash, Shavite, Simd, Echo, Hamsi, Fugue, Shabal, and Whirlpool
4. X16: the same 15 algorithms used in X15 model + SHA512
5. X16r: rotates through 16 different algorithms in random
6. X17: Blake, BMW, Groestl, JH, Keccak, Skein, Luffa, Cubehash, Shavite, Simd, Echo, Hamsi, Fugue, Shabal, Whirlpool, Loselosei, and Dib2

Blockchain & Cryptocurrency Technologies - Cihangir Tezcan

1. Intro to Blockchain and Cryptocurrency Technologies
2. Why You Do NOT Need a Blockchain
3. Hashing in Blockchains and Cryptocurrencies
4. Merkle-Damgard and Sponge Constructions for Hashing
5. MD4, MD5, RIPEMD, SHA1, SHA2 in Cryptocurrencies
6. SHA3 in Cryptocurrency Mining
7. Public Key Cryptography for Blockchains
8. Algebra for Blockchains & Cryptocurrencies
9. Elliptic Curve Cryptography for Blockchains & Cryptocurrencies
10. Discrete Logarithm Problem for Blockchains & Cryptocurrencies
11. Digital Signatures for Blockchains & Cryptocurrencies
12. Elliptic Curve Digital Signature Algorithm for Blockchains & Cryptocurrencies
13. Bitcoin Signature Verification
14. Blockchain Technology Introduction
15. Blocks in Blockchains
16. Consensus Models
17. BITCOIN
18. BITCOIN Blocks
19. BITCOIN Wallets
20. BITCOIN Transactions
21. BITCOIN Pay to Public-key Hash
22. BITCOIN Pay to Script Hash
23. Soft and Hard BITCOIN Forks
24. BITCOIN Mining
25. Multi-Signatures in BITCOIN
26. MuSig: Schnorr Multi-Signatures for BITCOIN
27. How to Find Hidden Messages in Bitcoin Blockchain
28. Alternative COINS
29. ETH Ethereum
30. NFT Non-Fungible Token
31. NFT Non-Fungible Token Security Issues
32. Stellar: Connecting the World’s Financial Infrastructure
33. Ben Kriptocu Gördüm! - Aydaki Adam: İlker Canikligil - Konuk: Cihangir Tezcan - B48

Randomness

• Random number generation (on macOS; from Apple Platform Security)

Attack Types

Clickjacking

Clickjacking or formally UI Redressing: attacker “redresses” the interface seen by the user with an invisible frame that tricks them into doing things they wouldn’t ordinarily do

• Clickjacking Attacks How to Detect and Prevent Ping Identity
• Testing for Clickjacking
• X-Frame-Options - HTTP MDN - The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

SSH

• SSH login without password (link)

Password managers

• Google Password Manager vs. 1Password r1Password
• Password Managers. from Tavis Ormandy (vulnerability researcher at Google)
• Is Google Password Manager Safe in 2024 from the LastPass blog - didn’t get much from this; doesn’t identify clear failures/vulnerabilities of Google Password Manager (GPM); at one point say that if the Google account is compromised, passwords are too, but this is equally true of the LasPass account 🙄; comparison paragraph mentions cross-platform advantage of LastPass. In Google Password Manager vs. 1Password r1Password on Reddit there’s a good point about LP being useful for family / industry setting for a team which needs joint access to passwords (inconvenient in GPM setting if tied to personal account)

Miscellaneous

• Crowdstrike failure in July 2024 write up Tavis Ormandy (vulnerability researcher at Google)
• Extracting Clear-Text Credentials Directly From Chromium’s Memory
  • memory chunk, the password is stored inside a memory section of type Private: Commit. One could think that data stored in such memory pages is not accessible to any other process. Surprisingly, such pages cannot be part of a “shared memory,” but other processes have no problem reading the data in them (via ReadProcessMemory API).
  • Chromium.org stated they will not fix issues related to physical local attacks since “there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you” (here). While this statement is probably true in general (especially if you assume the attacker can get administrator privileges), I believe it should not be so easy to steal sensitive credentials as it is today.
  • Chromium Docs - Chrome Security FAQ - see Threat Model therein

---

👉 See Also

• Privacy - Staying Secure Online