
The Matasano Crypto Challenges - sweis
http://cryptopals.com/
======
fasteo
Out of context, but I couldn't resist.

"Matasano" is one of my favorite words in Spanish, not for its meaning, but
for how it sounds. Anyway, here is the meaning:

mata=kill

sano=healthy

So, literally it means to "kill the healthy" and it is used to refer to
doctors, usually in colloquial, rather than pejorative, terms.

Sorry for the interlude.

~~~
tptacek
[https://news.ycombinator.com/item?id=4684599#up_4684845](https://news.ycombinator.com/item?id=4684599#up_4684845)

~~~
fasteo
Thinking about this, Matasano turns out to be a rather good name for your
company. After all, your services are about trying to "kill the healthy"
system, so to speak.

~~~
tptacek
That's how we rationalized it. :)

------
csdrane
Also by Matasano, and tons of fun:
[https://microcorruption.com](https://microcorruption.com)

In-browser reverse engineering game.

~~~
tptacek
Thank you! That was Hans, me, Daniel, Andy, and (especially) Nicholas the
intern. The followup we're planning to it is going to be pretty intense.

~~~
aparadja
Oh dear.

I already wrote an emulator for the MSP430 from scratch just to try out an
approach for the current challenge's final level.

And now you tell me the _next one_ is going to be pretty intense.

------
Vivtek
Incredibly good news! I emailed earlier this year and got no response, and I
was afraid the whole thing had gone away. It's like Christmas in August!

~~~
weavie
I think they were massively overwhelmed with the response to the challenges.
They were handling all the responses manually. It's great to see that they
have made things more scalable and just put them up for everyone.

It gives me a lot of faith in humanity when people share their knowledge and
expertise so altruistically. Really looking forward to going through these.

Thanks guys.

------
andrewparker
A good complement to this set of challenges is Dan Boneh's Crypto class on
Coursera. The coursera class is more theory-driven, whereas these challenges
are more practical... they mix well.
[https://www.coursera.org/course/crypto](https://www.coursera.org/course/crypto)

~~~
bradleyjg
I just finished Crypto I and immediately signed up for Crypto II. Very well done
online class.

------
cpach
Great that the challenges are up!

Feel free to join #cryptopals on Freenode :)

------
showdead
Glad to see that this was not dropped! I did notice that
matasano.com/articles/crypto-challenges/ has been returning a 404 for the past
month or two.

Will there be a way to automatically submit / advance, for those of us that
would like to do them without encountering spoilers?

------
Rangi42
I'm stuck on set 1 challenge 4, detecting single-character XOR. I know how the
cipher works, having solved challenge 3, but when I brute-forced all 327 hex
strings in their challenge data with each of the 256 possible one-byte keys,
none of them deciphered to anything like English. I suspect a typo in their
data, since one line --
1c3df1135321a8e9241a5607f8305d571aa546001e3254555a11511924 -- actually has 58
hex digits, not 60. Has anyone else run into this problem?

Edit: Of course I would solve this right after a post saying I can't. I was
only looking at the (string, key) pairs which deciphered to all-printable
plain text, but forgot that \r, \n, and \t count as printable ASCII
characters.
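A scoring-based detector for challenge 4, added here as an illustration (it is not code from cryptopals or from the commenter, and the function names are mine): it ranks the 256 candidates of every line by English letter frequency rather than by printability alone, and treats \t, \r and \n as printable, the detail the comment above points out. The sample lines are constructed, not the challenge data.

```python
import random
import string

# Approximate relative frequencies of letters (and space) in English text;
# only their ordering matters for ranking candidate plaintexts.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074, " ": 13.0,
}
# string.printable already contains \t, \n and \r (plus \x0b and \x0c), which
# is the detail that is easy to forget when filtering on "printable".
PRINTABLE = set(string.printable.encode())

def english_score(buf: bytes) -> float:
    """Higher is more English-like; any non-printable byte disqualifies the candidate."""
    if any(b not in PRINTABLE for b in buf):
        return float("-inf")
    return sum(ENGLISH_FREQ.get(chr(b).lower(), 0.0) for b in buf)

def single_byte_xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)

def best_key(ciphertext: bytes):
    """Brute-force all 256 keys; return (score, key, plaintext) of the best candidate."""
    scored = ((english_score(single_byte_xor(ciphertext, k)), k) for k in range(256))
    score, key = max(scored)
    return score, key, single_byte_xor(ciphertext, key)

def detect_single_byte_xor(hex_lines):
    """Challenge 4: score every line's best key, return (score, line_no, key, plaintext)."""
    best = None
    for line_no, line in enumerate(hex_lines):
        score, key, plaintext = best_key(bytes.fromhex(line.strip()))
        if best is None or score > best[0]:
            best = (score, line_no, key, plaintext)
    return best

# Constructed sample input (not the challenge file): nine lines of seeded random
# bytes plus one English line XORed with the key byte 0x35, placed at index 4.
_SECRET = b"Now that the party is jumping\n"
_rng = random.Random(1)
SAMPLE_LINES = [bytes(_rng.randrange(256) for _ in _SECRET).hex() for _ in range(9)]
SAMPLE_LINES.insert(4, single_byte_xor(_SECRET, 0x35).hex())
```

Calling `detect_single_byte_xor(SAMPLE_LINES)` returns line 4 with key 0x35; the random lines never decode to all-printable bytes under any key and so score -inf.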

------
candeira
What textbook would be recommended for someone wanting not only to accept the
challenge, but also to get some theory under their belt at the same time?

~~~
cryptbe
If you want to learn the math, check out
[http://www.amazon.com/Introduction-Mathematical-Cryptography...](http://www.amazon.com/Introduction-Mathematical-Cryptography-Undergraduate-Mathematics/dp/0387779930).

~~~
tptacek
I like this book a lot, but you won't need any of this math until set 8. I
spent a lot of term learning things like lattice basis reduction algorithms (I
used Strang's linear algebra book and MIT lectures) only to discover that
there really isn't a whole lot that requires you to break out linear algebra
in day-to-day cryptography.

In particular: virtually all of block cipher crypto and message authentication
relies on straightforward math. (It would be different if our challenges
covered poly MACs, but we don't have good examples of common flaws in poly MAC
implementations).

~~~
pbsd
Nonce reuse? It usually gets you at least forgeries, and in GCM's case it even
gets you key recovery.

I agree that the published sets of challenges don't really need much theory.

~~~
tptacek
Are you referring to Joux here? Is the math for that really complicated? (I
haven't tried to implement it.)

 _Later: I just read Ferguson, with the linear algebra._

~~~
pbsd
Yeah. Joux's attack is conceptually simple. You have 2 tags T_0, T_1, obtained
with distinct messages and the same IV. This means T_0 = S_0 ^ X and T_1 = S_1
^ X, where X is the same value for both. So you have T_0 ^ T_1 = S_0 ^ S_1.
S_0 and S_1 are the polynomial evaluation of the ciphertext at H, the
authentication key (which is also the same).

Now, via a simple polynomial evaluation property, you have f(x) + g(x) = (f +
g)(x). We know f and g --- those are the two ciphertexts being authenticated
here, interpreted as polynomials --- and we know that the polynomial f + g -
S_0 - S_1 must be 0 at H. From there it's a matter of finding the roots of
this polynomial, one of which is H, and this is the mathematically complicated
part of the attack. Though you can treat root-finding as a black-box, the
keywords here are Berlekamp or Cantor-Zassenhaus.

(Hopefully I didn't get this too wrong, I'm handwaving here)
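An added illustration of the property described above (not code from cryptopals or from the commenters; all function names are mine): GHASH implemented with GCM's GF(2^128) arithmetic, two tags computed under one (key, nonce) pair, and the check that H is a root of the polynomial an observer can write down from T_0 ^ T_1 and the two ciphertexts. Root finding is deliberately left out; the demo constants are the public all-zero-key GCM test vector values (H and E_K(J0)), used only so the run is deterministic, and the two ciphertexts are assumed equal in length so their length blocks cancel.

```python
R = 0xE1 << 120  # GCM's reduction constant: x^128 + x^7 + x^2 + x + 1, bit-reflected

def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def poly_eval(coeffs, h: int) -> int:
    """Horner form of GHASH: coeffs[0]*h^n ^ ... ^ coeffs[n-1]*h."""
    y = 0
    for c in coeffs:
        y = gf_mul(y ^ c, h)
    return y

def ghash_blocks(ciphertext: bytes):
    """Split C into 128-bit coefficients and append GCM's length block (no AAD)."""
    padded = ciphertext + b"\0" * (-len(ciphertext) % 16)
    blocks = [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]
    return blocks + [len(ciphertext) * 8]

def gcm_tag(h: int, mask: int, ciphertext: bytes) -> int:
    """T = GHASH_H(C) XOR E_K(J0); `mask` stands for E_K(J0), fixed by (key, nonce)."""
    return poly_eval(ghash_blocks(ciphertext), h) ^ mask

def forbidden_polynomial(c0: bytes, c1: bytes, t0: int, t1: int):
    """What an observer of two same-nonce tags can write down: the coefficients
    of f + g (XOR of the two ciphertext polynomials; the equal length blocks
    cancel) with T0 ^ T1 as the constant term. H is a root of this polynomial."""
    assert len(c0) == len(c1), "demo assumes equal-length ciphertexts"
    coeffs = [a ^ b for a, b in zip(ghash_blocks(c0), ghash_blocks(c1))]
    return coeffs, t0 ^ t1

def is_root(coeffs, const: int, h: int) -> bool:
    """True when poly(h) ^ const == 0, i.e. h is a root of the polynomial."""
    return poly_eval(coeffs, h) ^ const == 0

# Demo constants: H = AES_0(0) and E_K(J0) from the GCM spec's all-zero-key test
# vector (public values, not secrets), plus two constructed 32-byte ciphertexts.
H_DEMO = 0x66e94bd4ef8a2c3b884cfa59ca342b2e
MASK_DEMO = 0x58e2fccefa7e3061367f1d57a4e7455a
C0_DEMO = bytes(range(32))
C1_DEMO = bytes(range(100, 132))
```

With `t0, t1 = gcm_tag(H_DEMO, MASK_DEMO, C0_DEMO), gcm_tag(H_DEMO, MASK_DEMO, C1_DEMO)`, `is_root(*forbidden_polynomial(C0_DEMO, C1_DEMO, t0, t1), H_DEMO)` is True: the nonce mask X cancels in T_0 ^ T_1 and only a polynomial in H remains, which is why a unique nonce per key is not optional in GCM.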

~~~
tptacek
Can you imagine how much more insufferable I'm going to be once I have worked
examples of these attacks? ;)

------
Osmium
I only did the first two, which I hear are pretty trivial in comparison to the
later ones, but I still had a great time and learned a hell of a lot in the
process. Definitely highly recommended even if it's just for fun or out of
idle curiosity, and no prior knowledge required. Looking forward to reading
some 'proper' solutions now...

------
wtbob
I'll probably always regret not getting further into these than I did (life
intruded, and then the psychic debt of being late disincentivised me from
returning to them). One of these days I really do intend to finish 'em.

Thanks for crafting them, and thanks for posing them. Hopefully you guys got
some great new hires out of it!

------
yuhong
On
[http://cryptopals.com/sets/4/challenges/31](http://cryptopals.com/sets/4/challenges/31),
I'd just make it return the offset of the first byte that doesn't match to
simulate the information that a timing leak would reveal.

~~~
Coincoin
Oh, I made it return the whole thing since the timing attack would have leaked
it anyway.
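The comparison the two comments above are modelling, as an added example (not cryptopals code; function names are mine): the early-exit compare whose work grows with the matched prefix, the simulated oracle that reports the first mismatch offset, and the constant-time form that a server should use instead. The MAC value is constructed.

```python
import hmac

def early_exit_compare(expected: bytes, supplied: bytes):
    """Byte-by-byte compare that stops at the first mismatch, as the challenge-31
    server does. Returns (equal, bytes_examined); the second value stands in for
    the elapsed time the real server leaks, since it grows with the matched prefix."""
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return len(expected) == len(supplied), examined

def leaked_mismatch_offset(expected: bytes, supplied: bytes):
    """The simulation described above: the offset of the first byte that doesn't
    match, or None when the whole MAC matches."""
    equal, examined = early_exit_compare(expected, supplied)
    return None if equal else examined - 1

def constant_time_compare(expected: bytes, supplied: bytes) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where the
    inputs differ, so an observer learns only the final verdict."""
    return hmac.compare_digest(expected, supplied)

# Constructed demo MAC (not a real HMAC output).
EXPECTED_MAC = bytes.fromhex("a1b2c3d4e5f60718")
```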

------
sweis
These are great challenges for learning crypto. They've provided solutions in
10 different languages.

~~~
sgdread
It was a really nice adventure to complete all the 6 sets. Learned lots of
useful stuff. My great thanks to tptacek and the team who prepared such a nice
hands-on crypto class. P.S. 7th set is insane (in a good way).

~~~
tptacek
The 8th set ends in an elliptic curve attack that (a) is useful in the real
world and (b) only one person I know has been able to implement. It is
amazing.

------
lelf
Will it be some more than implement & compare with the provided solution?

~~~
mostafah
More comprehensive test data would be awesome.

------
elwell
Would like to see real-world-ish _Clojure_ crypto concerns.

~~~
tptacek
You mean solutions in Clojure? We got 'em. Or do you mean "crypto issues
specific to Clojure"? What would those be?

~~~
elwell
> You mean solutions in Clojure? We got 'em.

Great, I'm interested.

> Or do you mean "crypto issues specific to Clojure"? What would those be?

Ah, I see now that these challenges are more of the _language-agnostic_ type,
rather than a demo of platform quirks. I suppose that negates my previous
comment. Thanks for posting the challenges!

------
fierycatnet
Something isn't right.

Not Found

[http://cryptopals.com/sets/1/challenges/1/ruby](http://cryptopals.com/sets/1/challenges/1/ruby)

~~~
tptacek
The solutions aren't up yet, so you have a very little bit of time in which to
solve them before they're spoiled for you.

Ruby should go up Wednesday. Tomorrow I know Python and C++ go up, and
hopefully Haskell.

~~~
peteretep
Random meditation: I worked through a lot of the early exercises in Haskell,
and partly to learn Haskell. I did a lot of things a "silly" way - didn't use
the Vector libraries at all, for example. I learned a lot from doing that, and
I wonder if a shiny set of Haskell examples using half of Hackage would
provide the same learning experience.

Also: do you have a set of Perl examples? If not, I'd be happy to put them
together.

------
jonahx
Once solutions are up, will there be a way to test your answer against the
solution without actually viewing the solution, as there is on Project Euler?

~~~
nialo
I would expect probably not, but my experience with these is that it's
generally pretty obvious when one has a correct solution.

(except for the one problem in set 5 where they computed the hash of the ascii
string representing the solution and I computed the hash of the actual number)

------
aye
Thanks for bringing this back! I've been wanting to study crypto, and I
usually enjoy @tptacek's comments on this site.

~~~
elwell
This is cool, but it's one of those things I sign up for and then I never
'have time'; the emails fade away in the deep abyss of my gmail account.

~~~
elwell
... just realized they are posting the challenges on the site this year,
rather than via email.

------
mostlybadfly
Got through the first 4 of set 1. That was the emailed challenges from a
while ago, though. I'll check this out now.

------
hobs
Easter egg spooked me: "I'm killing your brain like a poisonous mushroom"

~~~
georgemcbay
That's a line from the song "Ice, Ice, Baby" by Vanilla Ice. So it is no
wonder it spooked you.

I did a couple of the matasano challenges in the past and there were a lot of
music lyrics strewn all over the place.

------
wnevets
I still haven't finished the first email

------
goodvibes
All cryptography is broken before implementation, so it really only looks like
a compression mechanism for now.

------
juanuys
404 on
[http://cryptopals.com/sets/1/challenges/1/python](http://cryptopals.com/sets/1/challenges/1/python)

~~~
kelnos
If you actually read the big red warning on the main page, it notes that many
pages are incomplete and some stuff isn't up yet.

