Cryptonite-MIT/cryptobible

                        _        _     _ _     _       
                       | |      | |   (_) |   | |      
   ___ _ __ _   _ _ __ | |_ ___ | |__  _| |__ | | ___  
  / __| '__| | | | '_ \| __/ _ \| '_ \| | '_ \| |/ _ \ 
 | (__| |  | |_| | |_) | || (_) | |_) | | |_) | |  __/ 
  \___|_|   \__, | .__/ \__\___/|_.__/|_|_.__/|_|\___| 
             __/ | |                                   
            |___/|_|                                   


Attacks Implemented

  • AES

  • RSA

    • Common-modulus - same $m, n$, different $e, d$
    • Hastad's broadcast - same message, small $e$
    • Coppersmith's small $e$
    • Wiener's - small $d$
    • Extended Wiener's
    • Boneh-Durfee - upgrade to Wiener's
    • Cherkaoui-Semmouni - primes sharing most of MSBs
    • Non-coprime public exponent - $e$ and $\varphi(N)$ not coprime
    • Padding & Oracle attacks

      • Bleichenbacher - chosen ciphertext, padding
      • Marvin's - upgrade to Bleichenbacher
      • Bleichenbacher signature forgery - flawed PKCS v1.5, low public exponent
      • LSB Oracle - chosen ciphertext, padding
      • Manger's - flawed PKCS v2.1
      • Multiplicative property - decryption oracle, chosen ciphertext
    • Chinese Remainder Theorem (CRT), Fault & Partial-Key attacks

      • CTF Fault - fault injection, RSA-CRT
      • d fault - bit flip, signature attack
      • Known CRT Exponents - Recover $p$ or $q$ from $d_p$ and $d_q$
      • Partial Known CRT Exponents - upgrade to Known CRT Exponents, partial $d_p$ and $d_q$
      • Nitaj's CRT-RSA - Recover $p$ and $q$ for small $d_p$ or $d_q$
      • Partial key exposure - partial $d$
    • Message & Forgery attacks

      • Franklin-Reiter Related Message - related $m$'s
      • Coppersmith's partial known message (stereotyped message attack)
      • Desmedt-Odlyzko - selective forgery
    • Side-channel attacks

      • Timing - time taken to decrypt
      • Power
      • Branch Prediction Analysis (BPA)
      • Electromagnetic (EM)
    • Non-attacks

      • Known private exponent - $p$ and $q$ from $d$
      • Attacks on phi - $\varphi(N)$ from primes
  • ECC

  • ECDH

    • Small Order
    • Smooth Order
    • Almost Smooth Order, Small Private Key
    • Non-Verification - point not on curve
    • Singular Curve
    • Supersingular Curve
    • Anomalous Curve
  • ECDSA

    • No Message Hashing
    • Reused $k$
    • Insecure $k$ generation
    • Invalid generator
  • Prime Factoring

    • Shared Primes - Multiple moduli with same prime factors
    • Fermat factorisation
    • Pollard's p-1
    • Williams' p+1
    • Elliptic Curve Method
    • Cyclotomic Polynomials
    • Close Primes
    • Implicit - primes sharing few MSBs or LSBs
    • Multiple Small Primes
    • Base Conversion
    • Ghafar-Ariffin-Asbullah
    • ROCA - primes generated by primorial
    • Shor's (classical)
    • Twin Primes
  • RNG

  • Lattices (Post-Quantum)

  • MLDSA

    • Fault injection
  • MLDSA: Dilithium

    • Fault injection
    • Side-Channel: Power (ML/DL)
  • MLDSA: Kyber

    • Side-Channel: Power
    • Low-Density Parity-Check - side-channel
    • Roulette: fault-injection
    • Error-Tolerant Key Recovery: belief-propagation, lattice-reduction

About

Repository logging cryptographic attacks and algorithms (custom Python package in development).
