Dmytrii Korolov. Cheat sheet.

IV - init vector Per-block formulas (enc side, 128-bit blocks, IV = C0)

ECB : Ci = E_k(Pi)
Kerckhoffs' Principle: Security must rely only on secrecy CBC : Ci = E_k(Pi ⊕ Ci-1); decrypt Pi = D_k(Ci) ⊕ Ci-1
of the key, not on hiding the algorithm. CFB : Ci = Pi ⊕ E_k(Ci-1); decrypt Pi = Ci ⊕ E_k(Ci-1)
OFB : Si = E_k(Si-1) , Ci = Pi ⊕ Si (S0 = IV) ; same for
Types of Attacks decrypt
1. Passive: Cipher‑text‑only attack – attacker sees only CTR : Ci = Pi ⊕ E_k( Nonce ∥ ctr_i ) ;
ciphertexts; tries to recover plaintext or key. parallelizable
Known‑plaintext attack – attacker knows some (P,C) GCM : same as CTR for Ci , plus tag = GHASH(H, A, C)
pairs; tries to deduce key or decrypt more ciphertext. (H = E_k(0^128))
2. Active. Chosen‑plaintext attack – attacker can ask the
system to encrypt messages of their choice.
Chosen‑ciphertext attack – attacker can decrypt chosen Mode IV / Pa Aut Parallel Key points
ciphertexts (except the target) to learn the key. Adaptive nonce d h ENC
chosen attack – each query depends on earlier oracle
ECB — Yes No Yes Pattern leak
replies. Replay attack – re‑sending valid data to trick the
system (e.g. duplicate payment). Man‑in‑the‑Middle attack CBC Rand Yes No No Padding-oracle risk
– intercept and possibly alter communication. om
3. Other named attacks. Brute‑force – test every key until CFB IV No No No Self-sync stream
one works. Dictionary – try likely passwords/keys.
Collision – find two inputs with the same hash. Pre‑image OFB IV No No Yes Precomputed
keystream
– given a hash, find a matching input. Length‑extension –
add data to MD hash without the key. Padding‑oracle – CTR Count No No Yes Bit-flip malleable
padding error leaks bytes (CBC, PKCS#1 v1.5). er
Fault‑injection – physical glitch (voltage/laser) leaks key. GCM Nonce No Yes Yes AEAD, GHASH tag,
unique nonce
Bit‑stream Encryption:
Vernam cipher: C = P ⊕ K, P = C ⊕ K. OTP (One‑Time
Pad): K truly random, |K| = |P|, used once, secret ⇒ perfect Hash Functions and MAC:
secrecy. Password storage: always hash with KDF – Merkle‑Damgård: H0 = IV; Hi = f(Hi‑1, Mi)
PBKDF2-HMAC-SHA-256 (≥100k), scrypt, or Argon2id – (length‑extension exists). Birthday attack: about 2^(n/2)
and store salt. attempts for n‑bit hash.
HMAC fixes length‑extension: HMAC(K,M) = H((K′⊕opad)
Shamir Secret Sharing: || H((K′⊕ipad) || M)).
Polynomial of degree t‑1; any t of n shares reconstruct the Compression function (Davies‑Meyer): f(h,m) = E_m(h)
secret s = f(0). ⊕ h.
Sponge hashes (KECCAK/SHA‑3, SHAKE): state b = r +
Symmetric Ciphers:​ c; absorb, permute, squeeze.
DES round details: Rᵢ+1 = Lᵢ ⊕ F(Rᵢ, Kᵢ), Lᵢ+1 = Rᵢ. Merkle tree hashing for large files; Sakura adds domain
F-function = Expansion E-box (32→48) ⊕ round-key → 8 separation.
S-boxes → P-permutation. MACs: CBC‑MAC (fixed length), CMAC (variable),
Known weak & semi-weak keys; 56-bit brute-forced (EFF, Poly1305.
1998).
AES round = SubBytes → ShiftRows → MixColumns → CBC‑MAC example:
AddRoundKey. T = E_K( Mn ⊕ E_K( … ( M2 ⊕ E_K(M1) ) … ) ).
Key/rounds: 128 bit/10, 192 bit/12, 256 bit/14. Fixed‑length only.
MixColumns = matrix × state in GF(2⁸); hardware accel via
AES-NI. Number‑theory Toolkit:
Key schedule expands Nk 32-bit words into Nb·(Nr+1) Euclid gcd(a,b) = gcd(b, a mod b)
round keys. Bézout: ax + by = gcd(a,b)
DES – 56‑bit key (plus 8 parity), 16 Feistel rounds, F = Euler φ(N): count of units mod N; if gcd(a,N)=1 then
Expand ⊕ S‑box → Permute. a^{φ(N)} ≡ 1 (mod N)
3DES – E_k3 D_k2 E_k1, 3×56‑bit keys ⇒ 112‑bit effective Lagrange: |H| divides |G| for finite groups
security. Fermat: a^{p‑1} ≡ 1 (mod p)​
AES – 128/192/256‑bit keys, 128‑bit block, 10/12/14 General CRT — If x ≡ a1 (mod m1), x ≡ a2 (mod m2), … , x
SP‑network rounds. Practical security levels: ≡ ak (mod mk) and the moduli m1…mk are pair-wise
128-bit ≈ AES-128 / RSA-3072 / EC-256 coprime, there is exactly one solution
192-bit ≈ AES-192 / RSA-7680 / EC-384 x modulo M = m1·m2·…·mk. Reconstruct by:
256-bit ≈ AES-256 / RSA-15360 / EC-512​ Pre-compute Mi = M / mi and ti = Mi⁻¹ mod mi (modular
inverse).
Block‑cipher modes: Then x = Σ ai · Mi · ti (sum over i = 1..k) mod M.
 Miller–Rabin: n‑1 = d·2^s primality witness test
Quadratic residue test: a^{(p‑1)/2} = ±1 (mod p)
Discrete logarithm: g^x ≡ h (mod p) is hard

Asymmetric Encryption: ​
RSA setup: 1) choose primes p, q 2) N = pq, φ = (p‑1)(q‑1)
3) choose e with gcd(e,φ)=1 4) d ≡ e^{‑1} (mod φ)
Encrypt c = m^e mod N; Decrypt m = c^d mod N​
RSA CRT speed-up
Instead of m = c^d mod N in one big step:
mp = c^(d mod (p-1)) mod p
mq = c^(d mod (q-1)) mod q
x = (mq − mp) · (p⁻¹ mod q) mod q
m = mp + x · p mod N
≈4× faster decryption/signing, but a single fault in mp or mq
reveals p or q

Useful properties: signature s = m^d ; verify v = s^e ;

multiplicative homomorphism.
Main RSA attacks: short d (Wiener), small e broadcast,
same N diff e, Bleichenbacher, fault‑CRT.
Blind signature: m′ = m·r^e mod N, signer signs m′, user
unblinds s′·r^{‑1}.

Diffie‑Hellman key exchange:

Alice: g^a ; Bob: g^b ⇒ shared g^{ab} ; sign transcript to
stop MITM; safe prime p = 2q + 1 removes small‑subgroup.

ElGamal encryption:
Public (p,g,y=g^x). Cipher (c1=g^k, c2=m·y^k). Decrypt
m = c2 / c1^x.

AEAD and Randomness (extra):

AEAD = encryption plus integrity (GCM,
ChaCha20‑Poly1305, SIV). Nonce reuse breaks security.
Fortuna RNG: 32 entropy pools feed AES‑CTR;
/dev/urandom is non‑blocking interface. GCM tag =
GHASH(H, A, C) ; reusing the same nonce gives identical
counter stream → tag forgery + plaintext recovery.

TLS 1.3 and Signal Double Ratchet (extra):

TLS 1.3: ClientHello → ServerHello+EE → Finished;
records use AEAD, nonce = seq#.​
Record layout: Nonce = seq#(64 bit) ∥ IV(32 bit) ; AEAD
covers type ∥ version ∥ length ∥ plaintext.
Signal: X3DH initial key plus Double Ratchet for forward &
post‑compromise secrecy.

Quick Explanations: CRT in one sentence:

If you know the remainders of x modulo several
pair-wise-coprime numbers, the Chinese Remainder
Theorem guarantees one unique x (mod the product of
those numbers) and lets you reconstruct it with a short
modular-arithmetic formula.

RSA-CRT in one sentence: RSA decryption (or signing)

runs four times faster by first decrypting modulo p and q,
then recombining those two half-size results with CRT—but
a single hardware fault in one half can reveal p or q unless
the implementation verifies the final plaintext.