writeups
wycheproof
Our great sponsors
writeups | wycheproof | |
---|---|---|
8 | 12 | |
122 | 2,587 | |
5.7% | - | |
6.6 | 0.0 | |
21 days ago | about 4 years ago | |
Python | Java | |
- | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
writeups
- Question about ECDSA
-
Reduced Round AES CTR Attacks
See: https://github.com/p4-team/ctf/tree/master/2016-03-12-0ctf/peoples_square and also https://github.com/TFNS/writeups/tree/master/2020-06-05-DefenitCTF/spn (this one is not AES but some toy SPN, but the idea is exactly the same and maybe easier to understand)
-
Supersingular Isogeny Key Exchange in Python
Not exactly purely in Python because with sage and also the goal was breaking SIDH, but: https://github.com/TFNS/writeups/tree/master/2020-04-17-PlaidCTF/sidhe
-
What are some real-world security issues in cryptography?
I'm not even mentioning big stuff like https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/ which interestingly enough is actually a vulnerability very similar to what exists in Java since the dawn of time -> https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/DSA.java#L358 (see: https://github.com/TFNS/writeups/tree/master/2020-10-03-TastelessCTF/petition )
-
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries
The same issue exists in Java JDK for quite a while (see: https://github.com/TFNS/writeups/tree/master/2020-10-03-TastelessCTF/petition ) ;) I suspect there are many more libraries with similar problem.
Seems like the same problem as exists in Java JDK in DSA -> https://github.com/TFNS/writeups/tree/master/2020-10-03-TastelessCTF/petition
-
How did this person manage to extract all the RSA prime numbers in this writeup?
Check my writeup https://github.com/TFNS/writeups/tree/master/2021-10-23-ASIS-quals/madras if you need to understand where this come from.
-
Using compromised algorithms.
See an example: https://github.com/TFNS/writeups/tree/master/2021-03-13-UTCTF/sleeves
wycheproof
- Google's Project Wycheproof
- SHA-3 Buffer Overflow - CVE-2022-37454
-
When To Roll Your Own X
I failed to notice the relevant Wycheproof test vectors because they weren’t listed on the front page (they still aren’t).
-
Automated Tests Are the Safety Net that Saves You
When I wrote the Monocypher cryptographic library, I didn't really know how to write serous tests. With some help, I eventually got something pretty good, with 100% code and path coverage, that test every possible input lengths as well as obscure corner cases I stole from various places (most notably Whycheproof).
- Project Wycheproof
- Psychic Signatures in Java
- What are some real-world security issues in cryptography?
-
How to verify ECC double and add algorithm implementation
"GitHub - google/wycheproof: Project Wycheproof tests crypto libraries against known attacks." https://github.com/google/wycheproof
-
An Illustrated Guide to Elliptic Curve Cryptography Validation
Thankfully, Curve25519 is much easier to implement, with much fewer death traps than short Weierstraß curves. For X25519, just follow DJB’s advice from ECC Hacks https://www.youtube.com/watch?v=vEt-D8xZmgE and make sure your arithmetic is up to snuff (constant time arithmetic is actually the hard part, by default I strongly suggest you steal it from the ref10 implementation).
For EdDSA, just follow the relevant explicit formulas, avoid clever (but dangerous) tricks such as converting to Montgomery form and back, and test with Wycheproof’s Ed25519 test vectors. https://github.com/google/wycheproof/blob/master/testvectors...
-
Is AES 256-bit good enough for files.
Have you tested all your applicable components against the Wycheproof test vectors and passed?
What are some alternatives?
tweetable-polyglot-png - Pack up to 3MB of data into a tweetable PNG polyglot file.
ejbca-ce - EJBCA® – Open-source public key infrastructure (PKI) and certificate authority (CA) software.
squarectf - The "code" for squarectf.com
kyberJCE - Pure Java implementation of the Kyber (version 3) post-quantum IND-CCA2 KEM.
svachal - Automate writeup for vulnerable machines.
cryptofuzz - Fuzzing cryptographic libraries. Magic bug printer go brrrr.
Monocypher - An easy to use, easy to deploy crypto library
HiddenWave - Hide Your Secret Message in any Wave Audio File.
jdk17u - https://wiki.openjdk.org/display/JDKUpdates/JDK+17u
hackingtool - ALL IN ONE Hacking Tool For Hackers
noise_spec - Noise Specification