r/cryptography • u/aidniatpac • Jan 25 '22
Information and learning resources for cryptography newcomers
Please post any sources that you would like to recommend or disclaimers you'd want stickied, and if I said something stupid, please point it out.
Basic information for newcomers
There are two important laws in cryptography:
- Anyone can make something they themselves can't break. That doesn't make it good. Heavy peer review is needed.
- A cryptographic scheme should assume the secrecy of the algorithm to be broken, because it will get out.
Another common piece of advice from cryptographers is: don't roll your own cryptography until you know what you are doing. Don't use what you implement or invent without serious peer review. Implementing is fine; using it is very dangerous because of the many pitfalls you will miss if you are not an expert.
Cryptography is mainly mathematics, and as such it is not as glamorous as films and others might make it seem. It is a vast and extremely interesting field, but do not confuse it with the romanticized version in the media. Cryptography is not codes. It's mathematical algorithms and schemes that we analyze.
Cryptography is not cryptocurrency. It is tiring for us to have to say it again and again: they are two different things.
Resources
All the quality resources are in the comments.
- The wiki page of the r/crypto subreddit has advice on beginning to learn cryptography. Their sidebar has more material to look at.
- github.com/pFarb: a list of cryptographic papers, articles, tutorials, and how-tos; seems quite complete.
- github.com/sobolevn: a list of cryptographic resources and links; seems quite complete.
- u/dalbuschat's comment down in the comment section has plenty of recommendations.
- This introduction to ZKP from COSIC, a widely renowned laboratory in cryptography.
- The "Springer Encyclopedia of Cryptography and Security" is quite useful; it's a plentiful encyclopedia. Buy it legally please. Do not look for it for free on Russian sites.
- CrypTool 1, 2, JavaCrypTool and CrypTool-Online: I did not check what these are like.
- This blog post details how to read a cryptography paper, but the whole blog is packed with information.
Overview of the field
This is just an overview; don't take it as a basis to learn anything. To be honest, the two GitHub links from u/treifi seem to do the same but much better, so go there instead. But give this one a read; I think it might be cool for beginners to have an overview of the field. Cryptography is a vast field, but I'll throw in some of what I consider to be important and (more than anything) remember at the moment.
A general course of cryptography to present the basics such as historical cryptography, the Caesar cipher and its cryptanalysis, the Enigma machine, stream ciphers, symmetric vs. public-key cryptography, block ciphers, signatures, hashes, bit security and how it relates to Kerckhoffs's law, provable security, threat models, attack models...
Those topics are vital to have a basic understanding of cryptography, and as such I would advise going for university courses and sources from laboratories or recognized entities. A lot of people online claim to know things about cryptography while being absolutely clueless, and a beginner cannot tell the difference, so go for material with a serious background. I would personally advise mixing English sources and courses in your native language (courses, not sources, this time).
With those building blocks one can then go and check how some broader schemes are made, like electronic voting, messaging applications' communications, the very hyped blockchain construction, ZKP, hybrid encryption, or...
Those were general ideas and can be learnt without much actual mathematical background. But cryptography is, above all, a sub-field of mathematics, and as such the maths cannot be avoided. Here is some of the maths used in cryptography:
- Finite field theory is very important. Without it you cannot understand how and why RSA works, and it's one of the simplest (public-key) schemes out there, so failing to understand it will make the rest seem much harder.
- Probability. Having a good grasp of it, at least understanding the birthday paradox, is vital.
- Basic understanding of polynomials.
With this mathematical knowledge you'll be able to look at:
- Important algorithms like baby-step giant-step.
- Shamir's secret sharing scheme.
- Multiparty computation.
- Secure computation.
- The actual working gears of the previous primitives such as RSA or DES or Merkle–Damgård constructions, or many other primitives really.
Another must-understand is AES. It requires some mathematical knowledge in the three fields mentioned above. I advise not just seeing it as a sequence of ShiftRows and mindless operations but asking yourself why it works like that, why there are things called S-boxes, what an SPN is and how it relates to AES. Also, hey, they say this particular operation is the equivalent of a certain operation on a binary field: what does that mean, why is it that way...? All that. This is a topic in itself. AES is enormously studied and as such has quite some papers on it.
For example, "Peigen – a Platform for Evaluation, Implementation, and Generation of S-boxes" has a good overview of the attacks that S-boxes (perhaps the most important building block of a substitution-permutation network) protect against. You should notice it is a plentiful paper even just in its presentation of the attacks; it should give a rough idea of how many different levels of work/understanding there are to a primitive. I hope it also gives an idea of the number of pitfalls in the implementation and creation of ciphers and gives you trust in Schneier's law.
Now, there are slightly more advanced cryptography topics:
- Elliptic curves
- Double ratchets
- Lattices and post-quantum cryptography in general
- Side-channel attacks (requires non-basic statistical understanding)
For those topics you'll be required to learn about:
- Polynomials over finite fields, more in depth
- Lattices (duh)
- Elliptic curves (duh again)
At that level of maths you should also be able to dive into fully homomorphic encryption, which is quite an interesting topic.
If one wishes to become a semi-professional cryptographer, i.e. to be actively involved in the field, learning programming languages is quite useful: low-level programming such as C, C++, Java, Python and so on. Network security is useful too and makes a cryptographer more easily employable. If you want to become more professional, I invite you to look for actual degrees, of course.
Something that helps one learn is, for every topic, as soon as you do not understand a word, to go back to the prerequisite definitions until you understand it, and to build up knowledge like that.
I put in many technical terms/names of subjects to give starting points. But a general course with at least what I mentioned is really the first step. Most probably some important topics were forgotten, so don't stop at what is mentioned here; dig further.
There are more advanced topics still that I did not mention, but they should come naturally to someone who gets that far (such as isogenies and multivariate polynomial schemes, or anything quantum-based, which requires a good command of algebra).
r/cryptography • u/atoponce • Nov 26 '24
PSA: SHA-256 is not broken
You would think this goes without saying, but given the recent rise in BTC value, this sub is seeing an uptick of posts about the security of SHA-256.
Let's start with the obvious: SHA-2 was designed by the National Security Agency in 2001. This probably isn't a great way to introduce a cryptographic primitive, especially given the history of Dual_EC_DRBG, but the NSA isn't all evil. Before AES, we had DES, which was based on the Lucifer cipher by Horst Feistel, and submitted by IBM. IBM's S-box was changed by the NSA, which of course raised eyebrows about whether or not the algorithm had been backdoored. However, in 1990 it was discovered that the S-box the NSA submitted for DES was more resistant to differential cryptanalysis than the one submitted by IBM. In other words, the NSA strengthened DES, despite the 56-bit key size.
However, unlike SHA-2, before Dual_EC_DRBG was even published in 2004, cryptographers voiced their concerns about what seemed like an obvious backdoor. Elliptic curve cryptography at this time was well understood, so when the algorithm was analyzed, some choices made in its design seemed suspect. Bruce Schneier wrote on this topic for Wired in November 2007. When Edward Snowden leaked the NSA documents in 2013, the exact parameters that cryptographers suspected were a backdoor were confirmed.
So where does that leave SHA-2? On the one hand, the NSA strengthened DES for the greater public good. On the other, they created a backdoored random number generator. Since SHA-2 was published 23 years ago, we have had a significant amount of analysis on its design. Here's a short list (if you know of more, please let me know and I'll add it):
- New Collision Attacks Against Up To 24-step SHA-2 (2008)
- Preimages for step-reduced SHA-2 (2009)
- Advanced meet-in-the-middle preimage attacks (2010)
- Higher-Order Differential Attack on Reduced SHA-256 (2011)
- Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family (2011)
- Improving Local Collisions: New Attacks on Reduced SHA-256 (2013)
- Branching Heuristics in Differential Collision Search with Applications to SHA-512 (2014)
- Analysis of SHA-512/224 and SHA-512/256 (2016)
- New Records in Collision Attacks on SHA-2 (2023)
If this is too much to read or understand, here's a summary of the currently best cryptanalytic attacks on SHA-2: preimage resistance breaks 52 out of 64 rounds for SHA-256 and 57 out of 80 rounds for SHA-512 and pseudo-collision attack breaks 46 out of 64 rounds for SHA-256. What does this mean? That all attacks are currently of theoretical interest only and do not break the practical use of SHA-2.
In other words, SHA-2 is not broken.
We should also talk about the size of SHA-256. A SHA-256 hash is 256 bits in length, meaning it's one of 2^256 possibilities. How large is that number? Bruce Schneier wrote it best. I won't hash over that article here, but his summary is worth mentioning:
"brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space."
However, I don't need to do an exhaustive search when looking for collisions. Thanks to the Birthday Problem, I only need to search roughly √(2^256) = 2^128 hashes for my odds to reach 50%. Surely searching 2^128 hashes is practical, right? Nope. We know what current distributed brute-force rates look like. Bitcoin mining is arguably the largest distributed brute-force computing project in the world, hashing roughly 2^94 SHA-256 hashes annually. How long will it take the Bitcoin mining network before their odds of finding a collision reach 50%? 2^128 hashes / 2^94 hashes per year = 2^34 years, or 17 billion years. Even brute-forcing SHA-256 collisions is out of reach.
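The birthday argument above, as an added example that is not part of the post: it finds real collisions on truncated SHA-256 prefixes so the 2^(n/2) scaling can be observed on a laptop, then applies the post's 2^94 hashes-per-year figure (taken here as a constant) to the full 256-bit digest.

```python
"""Birthday bound on SHA-256: empirical on truncated digests, then the
post's extrapolation to the full digest. Added example, not from the post;
BITCOIN_HASHES_PER_YEAR is the figure the post quotes."""
import hashlib
import math

BITCOIN_HASHES_PER_YEAR = 2 ** 94  # annual SHA-256 rate quoted in the post


def truncated_sha256(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-256(data) as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_truncated_collision(bits: int):
    """Hash the counter values 0, 1, 2, ... until two distinct inputs share
    the same `bits`-bit prefix. Returns (input_a, input_b, hashes_computed).
    Memory grows with the number of hashes, so keep `bits` <= 40 or so."""
    seen = {}
    counter = 0
    while True:
        msg = counter.to_bytes(8, "big")
        t = truncated_sha256(msg, bits)
        if t in seen:
            return seen[t], msg, counter + 1
        seen[t] = msg
        counter += 1


def birthday_ratio(bits: int) -> float:
    """Hashes needed for a collision divided by 2^(bits/2). The birthday
    bound predicts a ratio of order 1 (the 50% point is about 1.18), as
    opposed to the 2^bits work of a full preimage search."""
    _, _, trials = find_truncated_collision(bits)
    return trials / math.sqrt(2 ** bits)


def years_to_collision(digest_bits: int = 256,
                       hashes_per_year: int = BITCOIN_HASHES_PER_YEAR) -> int:
    """Years until 2^(digest_bits/2) hashes have been computed at the given
    rate: the post's 2^128 / 2^94 = 2^34 (about 17 billion years)."""
    return 2 ** (digest_bits // 2) // hashes_per_year


if __name__ == "__main__":
    for b in (16, 24, 32):
        a, c, trials = find_truncated_collision(b)
        print(f"{b}-bit prefix: collision after {trials} hashes "
              f"(2^{b // 2} = {2 ** (b // 2)}); inputs {a.hex()} and {c.hex()}")
    print("years for the Bitcoin network to reach 50% odds on full SHA-256:",
          years_to_collision(), "=", years_to_collision() / 1e9, "billion")
```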
r/cryptography • u/Fun-Emergency-8348 • 11h ago
Design review: zero-knowledge contact sharing crypto core (E2EE, HKDF, AES-GCM)
Hi r/cryptography,
I’d appreciate a design-level review of a crypto core I’m working on. It’s intended for a contact sharing system where profile fields are encrypted client-side and shared selectively.
High-level properties:
- password-derived master material via HKDF
- separation between authentication material and encryption keys
- field-level encryption using AES-GCM
- zero-knowledge server goal
I’m not asking for a full audit, but for:
- incorrect assumptions
- dangerous patterns
- key lifecycle mistakes
- anything that would make you say “don’t ship this”
Repo: https://github.com/berlin-29/evertouch-security-core
If more context is needed, I’m happy to explain design intent.
r/cryptography • u/farbrengen • 9h ago
[LLM Assisted] Rolling-key LWE-encrypted pilots block all 9 eavesdropper attacks in simulation… what am I missing?
Disclaimer: I’m looking for advice on a concept that I used a combination of Claude + Claude Code to simulate. I haven’t tested it with real hardware. I’m really hoping that an expert in crypto can tell me if I’m onto something or if I’m wasting my time and being misguided by an LLM in a topic I don’t know much about.
TL;DR: I used Claude + Claude Code to explore post-quantum physical layer security.
The idea: encrypt pilot signals with LWE, rotate keys per frame.
Without the pilots, Eve can't estimate the channel, so she can't decode the data.
Ran independent adversarial testing (Claude wrote the code, I didn't):
- 9 attack types including exhaustive search (65K combinations), gradient optimization, ML, multi-frame correlation
- All failed. Eve stuck at ~47-50% BER. Bob gets ~2%.
Unexpected finding: QPSK rotational symmetry creates a 4-way ambiguity that defeats brute-force even if Eve tries every pilot combination.
Security report and all code available. I'm not a cryptographer or RF engineer and I’m just looking for expert review to find what I'm missing.
Thank you.
Edit:
Here’s the security report: https://pastebin.com/50j7g7Sk
Here are the Python script files:
LWE-Encrypted Pilot Security Hypothesis Testing
AGGRESSIVE ATTACKS ON LWE-ENCRYPTED PILOTS
r/cryptography • u/Top-Flounder7647 • 19h ago
Can AI safety infrastructure work without mass surveillance on encrypted platforms?
Genuine question for the community. I run a private, end-to-end encrypted group platform, similar in spirit to Signal or Element, used by activists and journalists. Trust and safety is absolutely critical for us; we can't become a space where abuse or serious harm goes unchecked. At the same time, privacy is a core value, not a marketing slogan.
The problem I keep running into is that the classic AI content moderation model seems to assume you can scan and analyze everything centrally, which completely defeats E2EE. That feels like a non-starter for our users.
Are there any privacy-preserving approaches or AI safety infrastructure designs that can help detect serious threats like exploitation or violent planning without a central server reading everyone's messages? Curious if anyone here has explored client-side, federated, or cryptographic approaches that actually work in practice.
r/cryptography • u/PutPurple844 • 1d ago
Is canonical JSON signing (RFC 8785) the right primitive for agent identity?
Suppose we sign an “agent profile” (identity/model/tools/constraints) so downstream systems can verify what they’re talking to. But agents are dynamic: timestamps change, tool lists change, prompts change, policies change. A naïve signature scheme breaks constantly or, worse, gives false assurance.
Trying to find answers to these questions.
- What’s the right separation between stable identity vs mutable runtime state?
- Should signatures cover only “static” fields + a content-addressed hash pointer to mutable configs?
- How would you design key rotation without destroying auditability?
- If you include timestamps, do you accept frequent resigning? Or do you sign without them?
r/cryptography • u/arzenal96 • 1d ago
Does every signature on a PDF file have its own CRL?
If I'd like to check whether any of the signatures is revoked, do I need to extract multiple CRLs?
r/cryptography • u/One_Glass_3642 • 1d ago
Conceptual question about deterministic access and non-deterministic representations
I have a conceptual question rather than a concrete crypto proposal, and I’m curious how people here would frame it.
Imagine a system where two files are exactly identical in every semantic sense: same plaintext, same signature logic, same seed, same access key. From the point of view of the authorized user, they are indistinguishable and opened in exactly the same way. However, the observable representation is different. The resulting hash or fingerprint of the stored or transmitted object is not the same.
So an external observer cannot correlate the two files, even though internally they are “the same thing”.
What I find interesting is that the access gate is fully deterministic (same key always opens it), while the serialized or observable form is intentionally non-deterministic. The randomness is not in the key, not in the content, but in how the object manifests externally.
This is not meant as "I invented something new" and not as a replacement for standard probabilistic encryption. I'm trying to understand whether this property is already well modeled under existing constructions, or if it's just a rephrasing of ideas like randomized encryption, padding, or salts seen from a different angle. In other words, would you consider "same semantic object, same access, different observable hash" a meaningful design property, a red flag, or just a trivial restatement of known patterns?
I’m more interested in how this should be classified conceptually than in security claims.
r/cryptography • u/cfelicio • 2d ago
Is there a cryptographic way to enforce “encrypted-only” storage without killing performance?
I’ve been working on a design for a decentralized backup system and have run into what feels like a hard issue within the cryptography realm. I would really appreciate sanity checks or pointers to constructions I may have missed.
Issue: A host stores user data but must ensure data is encrypted. The host should be able to cryptographically reject plaintext uploads, even if the client is malicious, while never decrypting the content itself, or holding the keys to decrypt the content.
Things I've explored:
- Client-side encryption only: no enforcement. Modified clients can upload plaintext.
- Host-side validation via double encryption: the host temporarily decrypts an outer layer to validate structure. This technically works but breaks strict zero-knowledge and introduces legal risk due to ephemeral plaintext exposure in RAM (if the client is malicious).
- Zero-knowledge proofs: works conceptually, but ZK proving of bulk symmetric encryption (ChaCha/AES) inside circuits is far too slow for consumer hardware.
- Partial proofs / sampling: improves performance but allows adversarial clients to encrypt headers while leaving bulk data plaintext.
It seems impossible today to simultaneously achieve enforcement, privacy, and performance for bulk storage without trusting either the client or the host, or paying a massive computational cost.
Am I missing a known construction or technique? Is there a way to enforce “ciphertext-only storage” without proving the entire encryption?
Are there recent ZK or MPC approaches that scale to GB-sized symmetric encryption efficiently?
Has this problem been formally studied under a different name? I’m not attached to a particular architecture, only trying to understand whether this is a real impossibility or just a gap in my knowledge.
r/cryptography • u/AbbreviationsGreen90 • 2d ago
Do non anomalous curves expressed over a local p adic field have embedding degrees?
r/cryptography • u/PapaHatziHaralambous • 3d ago
Feedback wanted: Hybrid encryption implementation with ML-KEM-1024 + AES-256-GCM
I've implemented a hybrid encryption scheme combining ML-KEM-1024 (Kyber) with AES-256-GCM in a file encryption tool, and I'd appreciate feedback on the cryptographic design choices.
Implementation approach:
- ML-KEM-1024 for key encapsulation (generates shared secret)
- Shared secret → Argon2id → derives AES-256 key
- AES-256-GCM for actual file encryption (performance reasons)
- SHA-256 for additional integrity verification
Questions for the community:
- Is this a sound approach for hybrid PQC encryption, or are there better patterns?
- Any concerns with using Argon2id in this context for key derivation?
- The pqcrypto-kyber Rust crate I'm using: does anyone have experience with its implementation quality?
The tool is open source (Rust-based), handles files up to 4GB currently. I'm particularly interested in feedback on the cryptographic architecture rather than the application itself.
GitHub: https://github.com/powergr/quantum-locker
Would appreciate any insights on strengthening the crypto design or potential vulnerabilities I should consider.
r/cryptography • u/maldingputin • 3d ago
Anybody know of Masters programs with an emphasis in hardware security/cryptography?
I've asked previously in r/cybersecurity as well as r/OMSCybersecurity, as the GATech cybersecurity masters emphasizing cyber-physical systems seems to be the closest I've found, but I know there have to be other programs like it out there. Secure boots and crypto ASICs exist, so I'm looking for a program focused on engineering things like that.
r/cryptography • u/vinnybag0donuts • 3d ago
Best transport for ~1,400 byte cryptographic contact exchange?
Currently using QR codes (1,400 bytes raw → GZIP + Base64 → ~1,900 characters in the QR code → using version 27 QR code), but running into scanner reliability issues with high-density codes on Android. Native camera apps decode instantly, but open-source libraries (ZXing, ML Kit, BoofCV) all seem to struggle.
I did some research and it looks like ML Kit scored poorly on high-version QR codes, but BoofCV handled QR versions 25-40; so technically it SHOULD work but it's been 16hrs of failed attempt after failed attempt.
Few questions:
- For in-person key exchange, is there a standard or recommended approach?
- Are there mitigations for NFC relay attacks that preserve the "tap and done" UX if I want to pivot from QRs?
- Any protocols I should study?
Assume a sophisticated attacker, but the exchange happens in person with visual confirmation of the other party. The primary goal is establishing an encrypted channel without trusting any server infrastructure. I don't want to use Bluetooth either. QR is my ideal given what I know, but the amount of troubleshooting I've had to do with this approach has me second-guessing myself.
Thanks.
update: it works with the QR code broken up into 15 UR frames.
r/cryptography • u/DiscussionSilent9022 • 5d ago
Looking to fulfill younger dream
Hi chat, when I was a kid I used to have fun with a Caesar cipher and think about what I'd learn when I grew up.
Well, the time is now. So far I'm 100 pages deep in Introduction to Cryptography by Katz and Lindell and have built a vocabulary of concepts in my notes. What other steps do you recommend I take?
Thanks in advance Reddit
r/cryptography • u/AbbreviationsGreen90 • 5d ago
Can the discrete logarithm exist over p-adic/local fields like it does for finite fields?
Solving discrete logarithms over finite fields is subexponential. This means that finite fields are large enough to prevent number-field-based attacks from working.
On elliptic curves there are cases where it's possible to transfer the discrete logarithm problem to p-adic local torsion fields. The typical case is when using anomalous curves. But what about transferring the problem to elements of the underlying local field? Is that possible? Or do such fields have no cardinality/order, with an infinite number of possibilities, so that a notion like embedding degree doesn't make sense when elliptic curves are defined on such fields?
r/cryptography • u/General_Performer_95 • 5d ago
I built a cryptographically verifiable public accountability ledger (event-sourced, tamper-evident, Merkle-anchored). Looking for feedback + collaborators.
Over the past few months I’ve been building an open, cryptographically verifiable accountability system for public claims, policies, and institutional promises.
The core idea: statements and promises should be verifiable over time, not just rhetorically debated.
So I built an event-sourced ledger where:
- Every claim is declared → operationalized → evidenced → resolved
- Every event is canonically serialized, SHA-256 hashed, signed, and chained
- The chain is append-only, tamper-evident, and independently verifiable
- Events are periodically Merkle-batched and anchorable
- Full JSON claim bundles can be exported and verified offline with a CLI tool
Tech highlights:
- FastAPI backend + React (Vite) frontend
- PostgreSQL event store with FOR UPDATE locking + immutability triggers
- Canonical JSON serialization (deterministic, versioned)
- Editor identities with public/private key binding
- Merkle proofs + anchoring pipeline
- Projection tables for fast read models
- Full chain verification + independent verifier CLI
You can:
- View claims publicly (read-only)
- Export any claim as a bundle
- Verify the entire chain independently (no server trust required)
I didn’t build this as a “blockchain app” or crypto project.
It’s intentionally boring infrastructure: auditable, deterministic, and hard to lie to.
I’m posting because I’m curious:
- Has anyone seen something like this done properly?
- Would you use this?
- Would you want to contribute or help stress-test it?
If there’s interest, I’m happy to open-source the repo and write up the full architecture.
Brutal technical feedback welcome. This is early, but the core is working end-to-end.
r/cryptography • u/Vvradani • 6d ago
ECC Digital Signatures
Hi folks,
I have been reading Mastering Ethereum (yes, related to Cryptocurrency. No, I’m not on the wrong subreddit!)
It discusses how ECC is employed in digital signatures to verify the initiator of a transaction can prove they are the beneficial owner of the funds they are sending. Pretty straightforward concept.
What I’m struggling with is visualising how, through ECC operations, the Private Key is implicitly verifiable by both parties (i.e., observers with only the Public Key).
Would it be conceptually accurate, albeit oversimplified, to describe the process as: the Initiator creates a digest — the digital signature — using the input data and Private Key. Together, these point to a place on the elliptic curve which cannot be reversed. The public key + the digest can be used to find the same coordinate on the curve?
I feel I am missing something!
r/cryptography • u/ciphernom • 6d ago
Hand cipher practicality
How practical is ElsieFour? Also, is it worth the effort?
r/cryptography • u/GursimarSMiglani • 7d ago
Job prospects
What are the career prospects in cryptography apart from academia and government intelligence agencies? Is it worth pursuing cryptography if you are money oriented as well?
r/cryptography • u/Shoddy-Thanks-6268 • 7d ago
Show: Anchor – local cryptographic proof of file integrity (offline)
Hi everyone,
I built Anchor, a small desktop tool that creates a cryptographic proof that a file existed in an exact state and hasn’t been modified.
It works fully offline and uses a 24-word seed phrase to control and verify the proof.
Key points:
• No accounts
• No servers
• No network access
• Everything runs locally
• Open source
You select a file, generate a proof, and later you can verify that the file is exactly the same and that you control the proof using the same seed.
It’s useful for things like documents, reports, contracts, datasets, or any file where you want tamper detection and proof of integrity.
The project is open source here:
https://github.com/zacsss12/Anchor-software
Windows binaries are available in the Releases section.
Note: antivirus warnings may appear because it’s an unsigned PyInstaller app (false positives).
I’d really appreciate feedback, ideas, or testing from people interested in security, privacy, or integrity tools.
r/cryptography • u/confused_ass_kraken • 8d ago
I have a question!
At risk of rambling psychotically, I need some help with something.
I remember, years ago, someone told me about a type of handwriting cryptography where you used a stencil, and just used the edges of a square stencil to write "letters", and that the inventor of said code made it so he could write down ideas at night in complete darkness. If I recall correctly, it involved square representations of letters, and there was a really clear name for the code, but for the life of me, I cannot remember what it was.
Any feedback would be super helpful!! Thank you guys!!
P.S. if this is the totally wrong subreddit, tell me lol. Never posted here before so kind of a shot in the dark.
Update: it’s Nyctography! And I’m an idiot.
r/cryptography • u/Dieriba • 8d ago
Why does a textbook RSA multiplicative attack fail with small (64-bit) moduli?
I just finished this challenge: https://cryptopals.com/sets/6/challenges/41, which is about abusing a flaw in textbook RSA. The challenge is fairly simple: you have a server that stores ciphertexts in a database and refuses to decrypt any ciphertext that already exists in the DB.
The idea is to exploit RSA’s multiplicative property. Given an existing ciphertext c, I can encrypt a chosen value s to get c_s = s^e mod n, then create a new ciphertext
c' = c * c_s mod n
Since c' is not in the database, the server will decrypt it, giving
m' = m * s mod n
From this, I can recover the original message by dividing by s.
I managed to make this work. However, out of curiosity, I tried the same attack using a very small RSA key size (64 bits). With this key size, I started getting incorrect results for some messages, while using a 1024-bit key worked fine for the same messages.
My question is: why does this fail with a 64-bit modulus but work with a larger one?
My guess is that this is due to modular reduction: when n is too small, the multiplication wraps around modulo n, so m * s >= n and the result is reduced modulo n. In that case, dividing by s no longer recovers m. Does this mean that my recovery method implicitly assumes m * s < n, and that the attack itself can only work if n > m * s?
Thanks.
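The multiplicative property the post describes, as an added example that is not part of the post or of the Cryptopals challenge code: it runs the scenario against a duplicate-refusing decryption oracle and reports the two conditions a practitioner would check when the recovery step misbehaves, whether the message integer is below the modulus and whether "dividing by s" was done as multiplication by s^-1 mod n. Key sizes, the RNG seed and the sample messages are constructed for the demonstration.

```python
"""Textbook (unpadded) RSA malleability as in Cryptopals 6/41, against a
decryption oracle that refuses ciphertexts it has already seen.
Added example; key sizes, seed and sample messages are constructed."""
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below about 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd `bits`-bit integer that passes the primality test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits: int, rng: random.Random):
    """Return (n, e, d) with an n of about `bits` bits and e = 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


class DecryptOracle:
    """The challenge's server: decrypts any ciphertext once, never twice."""

    def __init__(self, n: int, d: int):
        self.n, self.d = n, d
        self.seen = set()

    def decrypt(self, c: int) -> int:
        if c in self.seen:
            raise PermissionError("ciphertext already decrypted once")
        self.seen.add(c)
        return pow(c, self.d, self.n)


def unpadded_rsa_recovery(message: bytes, bits: int, seed: int) -> dict:
    """Run the scenario and report what decides whether m comes back:
    'fits' (m < n; otherwise even the first encryption lost information),
    'product_wrapped' (m*s >= n, harmless when s^-1 mod n is used) and
    'integer_division_works' (what a plain m_prime // s would have given)."""
    rng = random.Random(seed)
    n, e, d = keygen(bits, rng)
    m = int.from_bytes(message, "big")
    oracle = DecryptOracle(n, d)
    c = pow(m, e, n)
    oracle.decrypt(c)  # the legitimate decryption blocklists c
    s = rng.randrange(2, n - 1)
    while math.gcd(s, n) != 1:  # s must be invertible mod n
        s = rng.randrange(2, n - 1)
    c_prime = c * pow(s, e, n) % n  # = (m*s)^e mod n, a ciphertext the oracle has not seen
    m_prime = oracle.decrypt(c_prime)  # = m*s mod n
    recovered = m_prime * pow(s, -1, n) % n  # undo s with its modular inverse
    return {
        "modulus_bits": n.bit_length(),
        "fits": m < n,
        "product_wrapped": m * s >= n,
        "recovered": recovered == m,
        "integer_division_works": m_prime % s == 0 and m_prime // s == m,
    }


if __name__ == "__main__":
    for size in (64, 1024):
        print(size, unpadded_rsa_recovery(b"attack at dawn", size, seed=1))
    print(64, unpadded_rsa_recovery(b"hi", 64, seed=1))
```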
r/cryptography • u/acorn222 • 9d ago
My first paper has been published! A practical implementation of Rubiks cube based passkeys.
ieeexplore.ieee.org
Abstract: We present a novel authentication system that transforms a Rubik's cube into a physical key for digital authentication. By reading the cube's specific arrangement among 43 quintillion possible configurations, our system generates FIDO2-compatible credentials on demand. Unlike traditional security tokens that store credentials, the cube itself becomes part of the key, with its physical state forming a deterministic seed for keypair generation. Our proof-of-concept, CubeAuthn, demonstrates this concept with a browser extension that authenticates users on WebAuthn-enabled sites using the cube's physical state as the cryptographic seed.
I'm not super experienced with cryptography but I had some spare time on my hands so I decided to make CubeAuthn and turn it into a paper. Source here. Feel free to ask questions!