Skip to content

Instantly share code, notes, and snippets.


Taylor Hornby defuse

View GitHub Profile
defuse / example.js
Created May 12, 2018
Insecure code that's visually identical to secure code.
View example.js
let KEY = new Uint8Array(16);
function generate_key() {
let KEY = new Uint8Array(16);
return KEY;
KEY = generate_key();
document.body.innerText = KEY;
defuse /
Last active May 26, 2018
Hash Function

For a 512-bit input x, the 256-bit hash of x, H(x) is defined as follows. Simulate a frictionless table on which disks may slide around and collide with the sides of the table as well as other disks according to Newton's laws (elastic collisions). The simulated box is 32m by 32m subdivided into a 16x16 grid of squares. At the center of each square place a 1m-radius disk with unit mass and 1m/s velocity in a direction that encodes the next two bits of x: 00=up, 01=down, 10=left, 11=right. Simulate this state's evolution for T=1024 seconds. Now generate the output as follows. Starting with an empty output, enumerate all of the disks (in the same order they were generated) and append a 0 to the output if the velocity vector has a positive upwards component or a 1 otherwise. The simulation must be as precise as necessary for the output to be correct.

Is H collision-resistant? Can you break it? If you can't, what's the largest value of T for which you can?

See breaks and patches in the comments below.


This was a comment I posted on (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 232 candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 232 online queries to search through all of my candidate passwords. Here's the attack:

  1. Using my knowledge of the salt, I hash ~216 random preimages until I find one for every possible 2-byte prefix of the hash.
  2. Now I send each of those 216 preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*216 online queries I learn the first 2 bytes of the hash.
  3. Now that I know the first 2 bytes of the hash, I do 232 offline work to hash all of my candidate passwords a
defuse /
Created Mar 20, 2017
Test OpenSSL RSA Random Number Generator
# -- @DefuseSec
echo -n >/tmp/primes.txt
# Generate 1000 primes.
for i in {1..500}; do
# Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
openssl genrsa 192 2>/dev/null | \
openssl rsa -text 2>/dev/null |\
defuse /
Last active Nov 26, 2016
Plain-Language Research Description

Plain-Language Research Description

Computers are machines that do math really fast. We program them to solve calculation problems that are useful to us, like predicting tomorrow's weather or telling you how to avoid all of the construction on your way to work so that you get there fast. You can think of using a computer as giving it some information as an input (a list of construction sites), running the computer, and then getting some information back out (the best route to work). Computers are good at solving a lot of useful calculation problems, but there are other important problems that computers seem really bad at solving.

Quantum computers are a hypothetical kind of computer based on the laws of quantum mechanics. They can solve some of the problems that seem hard for regular computers by using a different kind of information: "quantum information." Quantum information is stored in tiny particles like electrons and photons; you can't write it down on paper. So f

defuse / simulation.rb
Last active Aug 17, 2016
Equihash Block Witholding Simulation
View simulation.rb
#!/usr/bin/env ruby
# This is a simulation of the advantage an attacker can get by following
# a particular selfish mining strategy that works when the sequential PoW
# running time is of the same order as the block target time. The simulation
# assumes instant block propagation, so the advantage this simulation computes
# is *on top of* the advantage gained by doing regular selfish mining.
# The network is made up of Equihash Machines. Equihash Machines are either
# Attacker Machines or Normal Machines. Normal Machines and Attacker Machines

You trust t notaries. Suppose at some point in time,

  • s of them are secure (not compromised),
  • a of them are available.

We can choose m, the maximum number of notaries to query before giving up, and r, the minimum number of required root matches. Select a random m-size subset of the trusted notaries. Then:

  • The probability of an attack happening in this update attempt* is the probability that at r or more compromised notaries are contained in that set.
  • The probability of availability (assuming no attack) is the probability that at least r notaries in that set aren't down.
defuse /
Last active Apr 7, 2016
Are PRFs secure as commitments?

In this document I try to answer the question: Are PRFs secure commitment schemes?

Note: This document is just a sketch of my thoughts. Please interpret the notation and reasoning charitably!

Definition: Strong Computational Hiding

  1. Alice selects a random b in {0, 1}
  2. Adversary sends oracle queries of the form (m0, m1), and gets back Commitr(mb) for a random r.
  3. Adversary outputs a guess b' for b.
View finger.txt
Finger in the Middle Contest
Defender - Tries to send a fingerprint over an insecure channel and wins iff
they (1) detect every attack, or (2) successfully transfer the
Attacker - Tries to modify the fingerprint sent over the channel.
defuse / attack.php
Last active Oct 8, 2020
PoC: Attack Against PHP Crypto
View attack.php
* This code is copied from
* to demonstrate an attack against it. Specifically, we simulate a timing leak
* in the MAC comparison which, in a Mac-then-Encrypt (MtA) design, we show
* breaks confidentiality.
* Slight modifications such as making it not serialize/unserialize and removing