Link: https://cryptopals.com/

Done: 66/66

• PyCryptodome
• IACR Publications DB
• NIST Projects (US gov. approved standards)

• 1.7: AES / ECB
• 2.9: PKSC #7 - RFC 5652
• 2.10: CBC
• 3.17: CBC padding oracle
  • Vaudenay, Security Flaws Induced by CBC Padding, 2002
• 3.18-20: CTR
• 3.21-24: Mersenne Twister (pseudocode)
  • Makoto Matsumoto's MT page
• 4.28-29: SHA-1 (pseudocode)
  • 4.29: Duong–Rizzo, Flickr's API Signature Forgery Vulnerability, 2009
• 4.30: MD4
  • RFC 1186, 1320, 6150
• 4.31-32: HMAC
  • RFC 2104
• 5.33-35: Diffie–Hellman
  • RFC 3526
• 5.36-38: SRP
  • Tom Wu's SRP page
  • RFC 2945
• 5.39-40: RSA
  • PKSC #1 - RFC 8017
• 6.42: Bleichenbacher's attack (2006)
  • Hal Finney's writeup
• 6.43-45: DSA
  • 6.45: Vaudenay, The Security of DSA and ECDSA, 2003
• 6.46-48: Bleichenbacher's attack (1998)
  • Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, 1998
  • See also: Fujisaki et al., RSA-OAEP Is Secure under the RSA Assumption, 2004
• 7.49-50: CBC-MAC
  • 7.50: Matthew Green's blog post
• 7.51:
  • Duong–Rizzo, The CRIME attack, 2012
• 7.52: Merkle–Damgård
  • Joux, Multicollisions in iterated hash functions, 2004
• 7.53:
  • Kelsey–Schneier, Second Preimages on n-bit Hash Functions for Much Less than 2ⁿ Work, 2004
• 7.54:
  • Kelsey–Kohno, Herding Hash Functions and the Nostradamus Attack, 2006
• 7.55:
  • Wang et al., Cryptanalysis of the Hash Functions MD4 and RIPEMD, 2005
  • Improved by: Sasaki et al., New Message Difference for MD4, 2007
• 7.56: RC4
  • On the Security of RC4 in TLS and WPA: paper, biases
  • See also (attack implemented in aircrack-ng): Klein, Attacks on the RC4 stream cipher, 2006

• os: contains urandom()
• secrets: secure (strongly non predictable and reproducible) alternative to the random module (Mersenne Twister-based pseudo-random number generator, reproducible)
• hashlib: secure hash functions
• hmac: keyed-hashing for authentication
• base64: common binary-to-text encodings

bytes   -> int             int.from_bytes(b, 'big')
int     -> bytes           i.to_bytes(length, 'big')
                           i.to_bytes((i.bit_length()+7)//8, 'big')
bytes   -> hex str         b.hex()
hex str -> bytes           bytes.fromhex(h)

int -> hex repr (0x..)     hex(i)
int -> bin repr (0b..)     bin(i)

• 3.17 (CBC padding oracle): A simple padding oracle leak allows easy decryption.
• 7.51 (CRIME): Analog to timing-leak attacks but taking advantage of compression. Not that surprising in theory, but performs amazingly well in practice.
• 8.62 (ECDSA biased nonces): A minor bias of a few bits in the DSA temporary keys reveals the private key after only capturing a handful of signatures. Unbelievably powerful reduction to an LLL problem.
• 8.64 (GCM short tags): When GCM is used with short truncated MACs, a single captured message + an available auth. oracle spectacularly snowball to revealing the auth. key.

• 4.29 (Merkle–Damgård secret-prefix MAC): On why one should not consider a hash function as an inviolable black box when building a MAC (and use HMAC instead).
• 7.50 (CBC-MAC hashing): On why (conversely) a MAC with a fixed key does not make a proper hash function (it is only true for HMAC by design).
• 8.61 (RSA sig. dup.): On using discrete log techniques to build RSA keys to validate a given signature (or decrypt a given message to a target plaintext).
• 8.63 (GCM repeated nonce): Repeating a GCM nonce once already (almost) reveals the auth. key. Interesting for the maths it involves, not that surprising though.