Cryptography @ Infosec.pub


Questions, answers, discussions, and literature on the theory and practice of cryptography



founded 2 years ago
submitted 1 year ago* (last edited 1 year ago) by TrustedThirdParty to c/crypto

Hello all!

Since the forum hasn't had any listed rules until now, I'm going to import the rules which have worked over at the cryptography forum which I've been moderating on reddit. I'll list the rules here with explanations.

Forum rules

1: Stick to the topic of cryptography

The focus is on modern cryptography (computer security algorithms and protocols and their implementations). We also allow related infosec topics (including phishing, security UX, etc) as well as discussion of notable historical ciphers, but keep in mind that just because cryptography is mentioned in an article it doesn't necessarily mean it's relevant. Analogy: a forum about motors wouldn't let you post about road trips. In this forum, a submitted article should have a substantial security aspect. If you're unsure, ask the mods or ask in a meta thread.

2: Engage in good faith, maintain high quality & accuracy, don't mislead

To keep quality high, first of all, be kind. Behavior which discourages other good faith participants from contributing is not allowed.
Second, modern cryptography implies threat models, public specifications, source code, security proofs, etc. Don't leave out important information. Please cite your sources. Remember that bad advice can be dangerous!

3: Crypto review requests must explain the algorithms

We follow Kerckhoffs' principle and Schneier's Law - posts that ask for security review of custom algorithms or implementations MUST also publish the full algorithm and a description of its use. Otherwise there can be no meaningful security analysis. Sharing just the output is like...

4: Challenges and puzzles must use modern crypto

Simple codes, ciphers, ARGs, and other such "weak crypto" don't belong here. Rule of thumb: If a desktop computer can break a code in less than an hour, or if it can be broken by hand, it's not strong crypto.

5: Don't cheat on challenges or tests!

Don't use this forum to cheat on competitions, challenges or tests! You may ask for help to understand a test question, but you are not allowed to ask others to solve it for you. You must also disclose the source of a problem you're asking for help with.

6: Link directly to original sources (with exceptions)

We prefer original sources of news, source code, academic papers or similar, rather than clickbaity buzzword blogspam. Avoid snake oil and low quality sources.
Do not post link shorteners or links to link farms or similar low quality sites, avoid mirror sites (unless necessary due to e.g. a paywall, like archive.org), and link directly to the original (unless you're posting a more readable expert-written summary).

7: Avoid making duplicate posts

In low volume forums like this, multiple posts on breaking news will easily flood the forum. Please check if news is already posted. Different sources on the same news should be posted as comments in the existing thread (exceptions may only be made for substantial new information or if the prior thread is old - ask the mods if you're unsure).

8: All use of AI / LLM and their prompts MUST be disclosed in your submissions and comments

Instead of entirely banning LLMs, we require transparency. Due to LLMs so often being confidently wrong, we PROHIBIT all undisclosed use of LLMs when posting, regardless of the nature of your post. If used, you MUST share the prompt!
No LLM / AI is exempt!
If you're here to ask a question, a major problem is that the LLM output will carry implied INCORRECT context which you will not recognize, but which we will see, increasing the risk of misunderstanding. We will not be able to give you correct advice if we don't know your thought process!


Hi!

I'm @Natanael@infosec.pub and this account that I'm making this post from is my moderation account, which is now part of the moderators of this cryptography forum. This is the account which I'll be handling removals/bans from, etc.

I've been added as a moderator by @jerry@infosec.pub (server admin)

I also moderate https://reddit.com/r/crypto, and I've been looking for options since the reddit admins decided to make a mess of things with the API and various policies, etc. The community will NOT be forced to migrate so these communities are separate for now, but everybody's encouraged to join here.

If you're a member in both places, feel free to tell us both your handles so we know who you are!


Generate Random Data From Sound Card

- a neat hack for the properly paranoid -

Your computer is likely generating random noise on your sound card. On some systems you can harvest this noise as true random entropy. This entropy can be diffused and whitened for use in cryptography.

https://www.metzdowd.com/pipermail/cryptography/2026-March/039388.html

#Random #Entropy #Cryptography #Crypto #Hardware #Hacks #Sound #Audio #Chaos

@cypherpunk@soc.octade.net @cryptography@soc.octade.net @crypto@infosec.pub @cryptography@fed.dyne.org @cryptography@lemmy.ml


@cypherpunk@soc.octade.net @cryptography@soc.octade.net @crypto@infosec.pub @cryptography@fed.dyne.org

Al Gore Invented the Internet.
Joe Biden invented PGP encryption.
Cypherpunks write code.

Joe Biden gifted humanity with PGP encryption (in a roundabout way). Phil Zimmermann created PGP in response to an anti-privacy bill clause proposed by Senator Joe Biden.

https://www.americanscientist.org/article/cypherpunks-write-code

"In 1990, the FBI launched an over-the-top crackdown on computer hackers, known as Operation Sundevil. This was swiftly followed, in early 1991, by a proposed piece of U.S. Senate legislation that would force electronic communications service providers to hand over people’s personal data. (The key clause, S.266, was pushed by the then chairman of the U.S. Senate Judiciary Committee, Senator Joe Biden.)"

"On learning of Biden’s S.266 clause, Zimmermann feverishly set out to complete the project, almost losing his house in the process. When he finished his software in 1991, he published it all online, free for anyone who wanted to use it. He called it “Pretty Good Privacy,” or PGP for short, and within weeks it had been downloaded and shared by thousands of people around the world. “Before PGP, there was no way for two ordinary people to communicate over long distances without the risk of interception,” said Zimmermann in a later interview. “Not by phone, not by FedEx, not by fax.” It remains the most widely used form of email encryption to this day."

Joe Biden's first panopticon bill:

https://www.congress.gov/bill/102nd-congress/senate-bill/266

"SEC. 2201. COOPERATION OF TELECOMMUNICATIONS PROVIDERS WITH LAW ENFORCEMENT. It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."

As they say in Texas: That dinosaur don't hunt.

#Biden #JoeBiden #PGP #Cypherpunks #Cypherpunk #PhilZimmermann #Privacy #Cybersecurity #Cryptography #GPG #Email #Senate #Law #Government #Panopticon #Hackers #Hacking #Security #Encryption


In this paper, we undertake a structured security analysis of Wi-Fi client isolation and uncover new classes of attacks that bypass this protection. We identify several root causes behind these weaknesses. First, Wi-Fi keys that protect broadcast frames are improperly managed and can be abused to bypass client isolation. Second, isolation is often only enforced at the MAC or IP layer, but not both. Third, weak synchronization of a client's identity across the network stack allows one to bypass Wi-Fi client isolation at the network layer instead, enabling the interception of uplink and downlink traffic of other clients as well as internal backend devices. Every tested router and network was vulnerable to at least one attack. More broadly, the lack of standardization leads to inconsistent, ad hoc, and often incomplete implementations of isolation across vendors.

submitted 3 weeks ago* (last edited 3 weeks ago) by Ondore@lemmy.world to c/crypto

PERFECT PANGRAM HASH : Anagram Hash Function

#DOI https://doi.org/10.5281/zenodo.18448042

A pangram is a sentence or phrase that contains each letter of an alphabet or character set at least once. A perfect pangram is an anagram of the alphabet which contains each letter exactly once.

Pangram hash generates a perfect pangram hash digest consisting of an anagram permutation of a character set. Each character in the output is unique and non-repeating.

#Hashing #Cryptography #Anagrams #Papers #Preprints

@cryptography@soc.octade.net @crypto@infosec.pub @cryptography@fed.dyne.org


I won't spoil the walkthrough of the appalling source code. But it does end like this:

If you’re using X_wallet, you need to move your assets Right. Fucking. Now. to a wallet that isn’t a steaming pile of dogshit.

As always, there's an XKCD to succinctly describe the situation: https://xkcd.com/221


Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some strongly worded criticism of OpenSSL. It comes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). The post goes into a lot of detail about the problems with the OpenSSL code base and testing, which has led the cryptography team to reconsider using the library. "The mistakes we see in OpenSSL's development have become so significant that we believe substantial changes are required — either to OpenSSL, or to our reliance on it." They go further in the conclusion:

First, we will no longer require OpenSSL implementations for new functionality. Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL.

Second, we currently statically link a copy of OpenSSL in our wheels (binary artifacts). We are beginning the process of looking into what would be required to change our wheels to link against one of the OpenSSL forks.

If we are able to successfully switch to one of OpenSSL's forks for our binary wheels, we will begin considering the circumstances under which we would drop support for OpenSSL entirely.

submitted 1 month ago* (last edited 1 month ago) by Natanael to c/crypto

Abstract

We show that a simple eavesdropper listening in on classical communication between potentially entangled quantum parties will eventually be able to impersonate any of the parties. Furthermore, the attack is efficient if one-way puzzles do not exist. As a direct consequence, one-way puzzles are implied by reusable authentication schemes over classical channels with quantum pre-shared secrets that are potentially evolving.

As an additional application, we show that any quantum money scheme that can be verified through only classical queries to any oracle cannot be information-theoretically secure. This significantly generalizes the prior work by Ananth, Hu, and Yuen (ASIACRYPT'23) where they showed the same but only for the specific case of random oracles. Therefore, verifying black-box constructions of quantum money inherently requires coherently evaluating the underlying cryptographic tools, which may be difficult for near-term quantum devices.

MPC in the Wild (mpcinthewild.github.io)
submitted 2 months ago by Natanael to c/crypto