when I was going through the CryptoPals challenges, there were quite a few times where I needed a pointer in the right direction, but all I could find online were coded solutions. this is a curated list of resources that don't give away the solutions, but help you understand what you need to understand to write the solution yourself.
if you're looking for a pointer on a particular challenge and what's below isn't helpful, please file an issue so we can make these more helpful.
contributions welcome!
set 2: block crypto
- challenge 9: implement pkcs#7 padding
- challenge 10: implement cbc mode
- challenge 11: an ecb/cbc detection oracle
- challenge 12: byte-at-a-time ecb decryption (simple)
- challenge 13: ecb cut-and-paste
- challenge 14: byte-at-a-time ecb decryption (harder)
- challenge 15: pkcs#7 padding validation
- challenge 16: cbc bitflipping attacks
set 3: block & stream crypto
- challenge 17: the cbc padding oracle
- challenge 18: implement ctr, the stream cipher mode
- challenge 19: break fixed-nonce ctr mode using substitutions
- challenge 20: break fixed-nonce ctr statistically
- challenge 21: implement the mt19937 mersenne twister rng
- challenge 22: crack an mt19937 seed
- challenge 23: clone an mt19937 rng from its output
- challenge 24: create the mt19937 stream cipher and break it
set 4: stream crypto and randomness
- challenge 25: break "random access read/write" aes ctr
- challenge 26: ctr bitflipping
- challenge 27: recover the key from cbc with iv=key
- challenge 28: implement a sha-1 keyed mac
- challenge 29: break a sha-1 keyed mac using length extension
- challenge 30: break an md4 keyed mac using length extension
- challenge 31: implement and break hmac-sha1 with an artificial timing leak
- challenge 32: break hmac-sha1 with a slightly less artificial timing leak
set 5: diffie-hellman and friends
- challenge 33: implement diffie-hellman
- challenge 34: implement a mitm key-fixing attack on diffie-hellman with parameter injection
- challenge 35: implement dh with negotiated groups, and break with malicious "g" parameters
- challenge 36: implement secure remote password (srp)
- challenge 37: break srp with a zero key
- challenge 38: offline dictionary attack on simplified srp
- challenge 39: implement rsa
- challenge 40: implement an e=3 rsa broadcast attack
set 6: rsa and dsa
- challenge 41: implement unpadded message recovery oracle
- challenge 42: bleichenbacher's e=3 rsa attack
- challenge 43: dsa key recovery from nonce
- challenge 44: dsa nonce recovery from repeated nonce
- challenge 45: dsa parameter tampering
- challenge 46: rsa parity oracle
- challenge 47: bleichenbacher's pkcs 1.5 padding oracle (simple-case)
- challenge 48: bleichenbacher's pkcs 1.5 padding oracle (complete-case)
set 7: hashes
- challenge 49: cbc-mac message forgery
- challenge 50: hashing with cbc-mac
- challenge 51: compression ratio side-channel attacks
- challenge 52: iterated hash function multicollisions
- challenge 53: kelsey and schneier's expandable messages
- challenge 54: kelsey and kohno's nostradamus attack
- challenge 55: md4 collisions
- challenge 56: rc4 single-byte biases
- Letter frequency (Wikipedia)
- Note: Be prepared to revisit this challenge to fine-tune your algorithm as you progress through the other challenges. Your first shot at the algorithm may work for this challenge, but we've found that it usually needs improvement to pass 4, 5, and 6.
- Note: This challenge is really just more testing of your Challenge 3 algorithm to make sure it's shipshape.
- Note: The provided plaintext has a line break after `nimble` and no spaces at the end of lines. It is 74 bytes long, and the last byte of the plaintext is `0x6C` (ASCII letter `l`). Here it is "unrendered": `Burning 'em, if you ain't quick and nimble\nI go crazy when I hear a cymbal`
- Note: The provided hex-encoded ciphertext does not have any line breaks, so when comparing your output to the provided output, strip out any line breaks and spaces. Spaces and line breaks are not part of the Base64 or hex character sets, so those characters ought to be removed before processing (for example with the regex `/\s/g`). Likewise for other encodings that do not use those characters.
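The whitespace caveat above is easy to get wrong in a way that only shows up as a confusing decode error, so here is a small normaliser, added as an example for this list (not code from the CryptoPals site or from any solution). It strips every `\s` character before handing the text to a strict decoder, and it also shows what the strict decoders do with the raw, wrapped input. The sample hex and Base64 strings are constructed for the example.

```python
import base64
import binascii
import re

# Same idea as the JavaScript /\s/g: every whitespace character, all occurrences.
WHITESPACE = re.compile(r"\s")


def strip_whitespace(text: str) -> str:
    """Remove spaces, tabs and line breaks; none of them belong to hex or Base64."""
    return WHITESPACE.sub("", text)


def decode_hex(text: str) -> bytes:
    """Normalise, then decode strictly: unhexlify rejects stray whitespace."""
    return binascii.unhexlify(strip_whitespace(text))


def decode_base64(text: str) -> bytes:
    """Normalise, then decode strictly: validate=True rejects non-alphabet characters."""
    return base64.b64decode(strip_whitespace(text), validate=True)


def strict_decoder_rejects_raw(text: str, kind: str) -> bool:
    """True when the strict decoder refuses the un-normalised text (the failure the note warns about)."""
    try:
        if kind == "hex":
            binascii.unhexlify(text)
        else:
            base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return True
    return False


# Constructed sample: "Hello, world" as hex and as Base64, wrapped the way a
# copied challenge file or a terminal paste often is (line breaks, indentation).
WRAPPED_HEX = "48656c6c6f2c\n20776f726c64\n"
WRAPPED_B64 = "SGVsbG8s\n  IHdvcmxk\n"

if __name__ == "__main__":
    print(decode_hex(WRAPPED_HEX))        # b'Hello, world'
    print(decode_base64(WRAPPED_B64))     # b'Hello, world'
    print(strict_decoder_rejects_raw(WRAPPED_HEX, "hex"))  # True
```

Note that Python's `base64.b64decode` silently discards non-alphabet characters unless you pass `validate=True`; that default hides the problem rather than fixing it, which is why the example always normalises first and then decodes strictly.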
- Hamming Distance (Wikipedia)
- Note: Step 4 of the process allows for a lot of experimentation, so if you aren't getting results, play around with that step. Also try breaking something you encrypted yourself with your Challenge 5 code for testing.
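The note suggests testing the keysize-guessing step against something you encrypted yourself. This is an added example of such a test harness (not code from the CryptoPals site or from any published solution): a bit-level Hamming distance, a repeating-key XOR used only to make test ciphertext, and a keysize score that averages the normalised distance over every pair of adjacent blocks rather than only the first pair. The plaintext and the key below are constructed for the example.

```python
from itertools import cycle
from typing import List, Tuple


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Challenge 5 style encryption, used here only to produce test ciphertext."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keysize_score(ciphertext: bytes, keysize: int) -> float:
    """Average Hamming distance per byte between every pair of adjacent keysize-long blocks.

    Averaging over all full adjacent block pairs is one of the 'experiments'
    the note refers to; the first pair alone is a noisy estimate.
    """
    blocks = [ciphertext[i:i + keysize]
              for i in range(0, len(ciphertext) - keysize + 1, keysize)]
    pairs = list(zip(blocks, blocks[1:]))
    if not pairs:
        raise ValueError("ciphertext too short for this keysize")
    return sum(hamming_distance(x, y) for x, y in pairs) / (keysize * len(pairs))


def rank_keysizes(ciphertext: bytes, low: int = 2, high: int = 20) -> List[Tuple[int, float]]:
    """Candidate keysizes sorted best (lowest score) first."""
    scored = [(k, keysize_score(ciphertext, k)) for k in range(low, high + 1)]
    return sorted(scored, key=lambda kv: kv[1])


# Constructed test material: ordinary English, long enough to average over many blocks,
# and a five-byte key chosen so that its bytes differ from each other in several bits.
SAMPLE_PLAINTEXT = (
    b"the quick brown fox jumps over the lazy dog while the slow grey cat watches "
    b"from the garden wall and waits for the evening to bring cooler air and a little "
    b"rain; the river keeps moving under the old stone bridge, carrying leaves and the "
    b"occasional paper boat that some child let go upstream, and nobody on the bank "
    b"seems to mind very much, because the afternoon is long and the tea is still warm "
    b"and there is nothing pressing to do before the lamps come on."
)
SAMPLE_KEY = bytes([0x5A, 0xA3, 0x17, 0xC8, 0x3E])


def best_keysize_for_sample() -> int:
    """Encrypt the sample with the sample key and report the best-scoring keysize."""
    ciphertext = repeating_key_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return rank_keysizes(ciphertext)[0][0]


if __name__ == "__main__":
    ct = repeating_key_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    for k, score in rank_keysizes(ct)[:5]:
        print(f"keysize {k:2d}: {score:.3f} bits/byte")
```

Expect the true key length and its multiples (5, 10, 15, 20) to sit at the top of the ranking: for those sizes the key cancels out of the XOR of adjacent blocks and only the low-weight difference between English bytes remains, while for every other size the differing key bytes add extra set bits. When you break a real ciphertext, remember that the best score may be a multiple of the actual keysize.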
- Advanced Encryption Standard (Wikipedia)
- ECB Mode (Wikipedia)
- Note: The challenge is not asking you to implement AES from scratch. Find your language's implementation (or a reputable module for your language) and use that.
- CBC Mode (Wikipedia)
- Initialization Vector (Wikipedia)
- Note: The provided ciphertext is Base64 encoded, so treat it as such before attempting to decrypt it.
- Note: Besides some useful setup to familiarize yourself with AES in these two modes, this challenge is pretty much a repeat of Challenge 8.
- Note: I think it's helpful to think of this challenge in a server/client type scenario. Part 1 is "creating a function", which is kind of like designing an API which takes arbitrary input from a client, appends an unknown string, encrypts it using a consistent but unknown key, and returns the ciphertext to the client. Part 2 is designing a malicious client that can determine the unknown string with carefully crafted inputs sent to the "server".
- Note: Similar to Challenge 12, I think it's helpful to think of this challenge in a server/client type scenario. See above note for more intuition.
- Note: The "random count of random bytes" should be consistent across multiple encryptions.
- PKCS#5 and PKCS#7 (Wikipedia)
- RFC 5652
- Note: Plaintext that is already evenly divisible by the block size does get padded. Read the RFC carefully.
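To check your own padding code against the rule in the note, here is an added reference implementation of the RFC 5652 section 6.3 behaviour (not code from the CryptoPals site or from any published solution). `pkcs7_pad` always appends between 1 and `block_size` bytes, so block-aligned input gains a whole extra block, and `pkcs7_unpad` accepts only padding that `pkcs7_pad` could have produced; every test value below is constructed for the example.

```python
def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Append k bytes of value k, where 1 <= k <= block_size (RFC 5652, section 6.3).

    Input that already fills the last block still gets a full block of padding;
    without that, the receiver could not tell padding from real trailing data.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255")
    k = block_size - (len(data) % block_size)
    return data + bytes([k]) * k


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip padding, rejecting anything that pkcs7_pad could not have produced."""
    if not data or len(data) % block_size:
        raise ValueError("invalid padding: length is not a multiple of the block size")
    k = data[-1]
    if not 1 <= k <= block_size:
        raise ValueError("invalid padding: pad byte value out of range")
    if data[-k:] != bytes([k]) * k:
        raise ValueError("invalid padding: pad bytes do not all equal the pad length")
    return data[:-k]


def is_valid_pkcs7(data: bytes, block_size: int = 16) -> bool:
    """Boolean form of the check, convenient for table-driven tests."""
    try:
        pkcs7_unpad(data, block_size)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in (b"", b"abc", b"A" * 15, b"A" * 16):
        padded = pkcs7_pad(sample)
        print(len(sample), "->", len(padded), padded[-1])
```

The aligned case is the one the note is about: sixteen bytes of input become thirty-two, with the second block entirely `0x10`. Note also that `pkcs7_unpad` checks every pad byte, not just the last one; a validator that only reads the final byte accepts malformed input that a careful one must refuse.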
MIT