defuse

let KEY = new Uint8Array(16);
  
function generate_key() {
    let KEY = new Uint8Array(16);
    window.crypto.getRandomValues(KEY);
    return KEY;
}
  
KEY = generate_key();
document.body.innerText = KEY;

defuse

For a 512-bit input x, the 256-bit hash of x, H(x) is defined as follows. Simulate a frictionless table on which disks may slide around and collide with the sides of the table as well as other disks according to Newton's laws (elastic collisions). The simulated box is 32m by 32m subdivided into a 16x16 grid of squares. At the center of each square place a 1m-radius disk with unit mass and 1m/s velocity in a direction that encodes the next two bits of x: 00=up, 01=down, 10=left, 11=right. Simulate this state's evolution for T=1024 seconds. Now generate the output as follows. Starting with an empty output, enumerate all of the disks (in the same order they were generated) and append a 0 to the output if the velocity vector has a positive upwards component or a 1 otherwise. The simulation must be as precise as necessary for the output to be correct.

Is H collision-resistant? Can you break it? If you can't, what's the largest value of T for which you can?

See breaks and patches in the comments below.

defuse

This was a comment I posted on bcrypt-ruby/bcrypt-ruby#43 (before I realized that issue was 5 years old!) which got deleted so I moved it here.

Let's make the attack concrete to see if it works. I have a dictionary of 2³² candidate passwords I want to try against a user account. I know the user's salt. There is no rate limiting. Ideally, it should take 2³² online queries to search through all of my candidate passwords. Here's the attack:

1. Using my knowledge of the salt, I hash ~2¹⁶ random preimages until I find one for every possible 2-byte prefix of the hash.
2. Now I send each of those 2¹⁶ preimages in turn to the server and observe the side-channel. I may have to repeat this a few times in order to improve the SNR, let's say 100 times. So in 100*2¹⁶ online queries I learn the first 2 bytes of the hash.
3. Now that I know the first 2 bytes of the hash, I do 2³² offline work to hash all of my candidate passwords a

defuse

#!/bin/bash
# primes.sh -- @DefuseSec

echo -n >/tmp/primes.txt

# Generate 1000 primes.
for i in {1..500}; do
    # Use 192-bit keys for speed (could potentially mask RNG bugs that only affect bigger keys)
    openssl genrsa 192 2>/dev/null | \
        openssl rsa -text 2>/dev/null |\

defuse

Plain-Language Research Description

Computers are machines that do math really fast. We program them to solve calculation problems that are useful to us, like predicting tomorrow's weather or telling you how to avoid all of the construction on your way to work so that you get there fast. You can think of using a computer as giving it some information as an input (a list of construction sites), running the computer, and then getting some information back out (the best route to work). Computers are good at solving a lot of useful calculation problems, but there are other important problems that computers seem really bad at solving.

Quantum computers are a hypothetical kind of computer based on the laws of quantum mechanics. They can solve some of the problems that seem hard for regular computers by using a different kind of information: "quantum information." Quantum information is stored in tiny particles like electrons and photons; you can't write it down on paper. So f

defuse

#!/usr/bin/env ruby

# This is a simulation of the advantage an attacker can get by following
# a particular selfish mining strategy that works when the sequential PoW
# running time is of the same order as the block target time. The simulation
# assumes instant block propagation, so the advantage this simulation computes
# is *on top of* the advantage gained by doing regular selfish mining.

# The network is made up of Equihash Machines. Equihash Machines are either
# Attacker Machines or Normal Machines. Normal Machines and Attacker Machines

defuse

You trust t notaries. Suppose at some point in time,

• s of them are secure (not compromised),
• a of them are available.

We can choose m, the maximum number of notaries to query before giving up, and r, the minimum number of required root matches. Select a random m-size subset of the trusted notaries. Then:

• The probability of an attack happening in this update attempt* is the probability that at r or more compromised notaries are contained in that set.
• The probability of availability (assuming no attack) is the probability that at least r notaries in that set aren't down.

defuse

In this document I try to answer the question: Are PRFs secure commitment schemes?

Note: This document is just a sketch of my thoughts. Please interpret the notation and reasoning charitably!

Definition: Strong Computational Hiding

1. Alice selects a random b in {0, 1}
2. Adversary sends oracle queries of the form (m₀, m₁), and gets back Commit_r(m_b) for a random r.
3. Adversary outputs a guess b' for b.

defuse

Finger in the Middle Contest
=================================

Players:

    Defender - Tries to send a fingerprint over an insecure channel and wins iff
               they (1) detect every attack, or (2) successfully transfer the
               fingerprint.

    Attacker - Tries to modify the fingerprint sent over the channel.

defuse

<?php

/*
 * This code is copied from 
 * http://www.warpconduit.net/2013/04/14/highly-secure-data-encryption-decryption-made-easy-with-php-mcrypt-rijndael-256-and-cbc/
 * to demonstrate an attack against it. Specifically, we simulate a timing leak
 * in the MAC comparison which, in a Mac-then-Encrypt (MtA) design, we show
 * breaks confidentiality.
 *
 * Slight modifications such as making it not serialize/unserialize and removing