This was a comment I posted on (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 2^32 candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 2^32 online queries to search through all of my candidate passwords. Here's the attack:

  1. Using my knowledge of the salt, I hash ~2^16 random preimages until I find one for every possible 2-byte prefix of the hash.
  2. Now I send each of those 2^16 preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*2^16 online queries I learn the first 2 bytes of the hash.
  3. Now that I know the first 2 bytes of the hash, I do 2^32 offline work to hash all of my candidate passwords a
# -- @DefuseSec
echo -n >/tmp/primes.txt
# Generate 1000 primes.
for i in {1..500}; do
# Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
openssl genrsa 192 2>/dev/null | \
openssl rsa -text 2>/dev/null |\

Plain-Language Research Description

Computers are machines that do math really fast. We program them to solve calculation problems that are useful to us, like predicting tomorrow's weather or telling you how to avoid all of the construction on your way to work so that you get there fast. You can think of using a computer as giving it some information as an input (a list of construction sites), running the computer, and then getting some information back out (the best route to work). Computers are good at solving a lot of useful calculation problems, but there are other important problems that computers seem really bad at solving.

Quantum computers are a hypothetical kind of computer based on the laws of quantum mechanics. They can solve some of the problems that seem hard for regular computers by using a different kind of information: "quantum information." Quantum information is stored in tiny particles like electrons and photons; you can't write it down on paper. So f

simulation.rb
#!/usr/bin/env ruby
# This is a simulation of the advantage an attacker can get by following
# a particular selfish mining strategy that works when the sequential PoW
# running time is of the same order as the block target time. The simulation
# assumes instant block propagation, so the advantage this simulation computes
# is *on top of* the advantage gained by doing regular selfish mining.
# The network is made up of Equihash Machines. Equihash Machines are either
# Attacker Machines or Normal Machines. Normal Machines and Attacker Machines

You trust t notaries. Suppose at some point in time,

  • s of them are secure (not compromised),
  • a of them are available.

We can choose m, the maximum number of notaries to query before giving up, and r, the minimum number of required root matches. Select a random m-size subset of the trusted notaries. Then:

  • The probability of an attack happening in this update attempt* is the probability that r or more compromised notaries are contained in that set.
  • The probability of availability (assuming no attack) is the probability that at least r notaries in that set aren't down.

In this document I try to answer the question: Are PRFs secure commitment schemes?

Note: This document is just a sketch of my thoughts. Please interpret the notation and reasoning charitably!

Definition: Strong Computational Hiding

  1. Alice selects a random b in {0, 1}
  2. Adversary sends oracle queries of the form (m_0, m_1), and gets back Commit_r(m_b) for a random r.
  3. Adversary outputs a guess b' for b.
finger.txt
Finger in the Middle Contest
Defender - Tries to send a fingerprint over an insecure channel and wins iff
they (1) detect every attack, or (2) successfully transfer the
Attacker - Tries to modify the fingerprint sent over the channel.
attack.php
* This code is copied from
* to demonstrate an attack against it. Specifically, we simulate a timing leak
* in the MAC comparison which, in a Mac-then-Encrypt (MtA) design, we show
* breaks confidentiality.
* Slight modifications such as making it not serialize/unserialize and removing
attack.php
* Padding oracle attack against
* By: Taylor Hornby.
* Date: March 14, 2014.
/* Download the two files and place in the same folder. */
infoleak.php
// Broken crypto code from
function validateKeyLength($key, $module)
$keySize = strlen($key);
$keySizeMin = 1;
$keySizeMax = mcrypt_enc_get_key_size($module);
$validKeySizes = mcrypt_enc_get_supported_key_sizes($module);
if ($validKeySizes) {
if (!in_array($keySize, $validKeySizes)) {