11 — Cryptographic Attacks
Complete taxonomy: mathematical cryptanalysis, side-channel, protocol attacks, implementation attacks, physical attacks, quantum attacks. For each: principle, tools, mitigation.
1. Adversary models (recap)
Covered in 02-fundamentals.md §4. Summary:
| Model | The adversary can |
|---|---|
| COA | See ciphertexts |
| KPA | See (P, C) pairs |
| CPA | Request encryption of chosen P |
| CCA1 | Request decryption before the challenge |
| CCA2 | Request decryption adaptively |
| Side-channel | Measure timepowerEM/cache during execution |
| Fault | Inject errors |
| Physical | Direct access to the hardware |
| Multi-target | Attack many keys simultaneously |
2. Mathematical cryptanalysis
Frequency analysis
Al-Kindi (~850). Letters of natural text have a non-uniform distribution. Breaks any monoalphabetic substitution.
Index of Coincidence
William Friedman (1922). Measures how "natural" a distribution is. Detects key length in polyalphabetics (Vigenère).
Kasiski examination
Friedrich Kasiski (1863). Repetitions of plaintext-with-same-keystream produce repetitions in the ciphertext at a distance that is a multiple of the key length.
Linear cryptanalysis
Mitsuru Matsui (1993). Linear approximations of S-boxes. Breaks DES with \(2^{43}\) known plaintexts.
Differential cryptanalysis
Eli Biham + Adi Shamir (published 1990; the NSA already knew it in 1974). Analyzes differences (\(\Delta P, \Delta C\)). DES was designed to resist it (S-box choice).
Algebraic cryptanalysis
Polynomial systems over \(\mathbb{F}_2\) (XL, Gröbner basis). Broke Rainbow (multivariate signature 2022).
Meet-in-the-middle
Diffie-Hellman 1977. Breaks double encryption: instead of \(2^{2k}\) combined keys, \(2^k\) stored attempts + \(2^k\) lookups = \(2^{k+1}\).
Application: 2DES has security ~\(2^{57}\) (not \(2^{112}\)). That is why 3DES uses EDE with 3 different keys (not 2).
Birthday attack
In an \(n\)-bit hash, a collision is expected after ~\(2^{n/2}\) attempts (birthday paradox).
Application: SHA-256 gives 128 bits of collision resistance. SHA-1 broken in 2017 with ~\(2^{63}\) work.
Index calculus / Pollard's rho
Algorithms for DLP in \(\mathbb{Z}_p^*\). Reduce it to subexponential. That is why DH needs a large \(|p|\) (3072+ bits).
Number Field Sieve (NFS)
Subexponential algorithm for IFP and DLP. That is why RSA-2048 is borderline.
Special NFS vs General NFS: SNFS works on primes with special structure. Famous case: Logjam (2015) — DH with precomputed 1024-bit primes breakable with SNFS by the NSA.
Coppersmith's method
Don Coppersmith (1996). Find small roots of polynomials mod \(N\). Breaks RSA when:
- Small message with low exponent + partially known padding.
- Keys with partially leaked bits (boneh-durfee, partial key exposure).
- ROCA: Infineon RSA keys have a structure that Coppersmith attacks in hours.
Lattice reduction (LLL, BKZ)
Lenstra-Lenstra-Lovász (1982). Reduces a lattice basis. Basis of:
- Coppersmith.
- Breaking weak NTRU implementations.
- LWE attacks (PQC analysis).
- Knapsack cryptosystems (broken in the 1980s).
3. Side-channel attacks
Timing attacks
Paul Kocher (1996). Measuring operation time reveals key bits.
Vulnerable:
- Square-and-multiply in RSA (branching on the bit).
- Poorly implemented Montgomery ladder.
- AES with table lookups (cache timing — Bernstein 2005, Tromer-Osvik-Shamir 2005).
- Non-constant-time HMAC compare (timing leak on the number of equal bytes).
Mitigation: constant-time impl. Bernstein evangelist. AES-NI, SHA Extensions, ChaCha/Poly1305 ARX-native.
Power analysis
Paul Kocher, Joshua Jaffe, Benjamin Jun (1998).
- SPA (Simple Power Analysis): visual inspection of the trace.
- DPA (Differential Power Analysis): statistics over many traces.
- CPA (Correlation Power Analysis): Pearson correlation between a model and the trace.
Devastating against smartcards / embedded. Mitigation: masking (split the secret into shares), hiding (constant-power circuits).
Electromagnetic (EM)
TEMPEST (NSA, 1960s+). EM emissions from equipment leak data. Modern: extraction of an RSA key from a laptop with a nearby smartphone (Genkin et al. 2014).
Acoustic
Genkin-Shamir-Tromer 2013: extract an RSA private key from a computer by measuring the sound of capacitors via a microphone.
Cache attacks
- Prime+Probe: the attacker fills the cache; the victim executes; the attacker measures re-access latency → reveals which lines the victim used.
- Flush+Reload: shared memory + clflush. Devastating in the cloud (cross-VM).
- Evict+Reload, Prime+Abort.
Applications: extract AES T-table keys, RSA window, ECDSA nonce bits.
Branch prediction attacks
- Spectre v1 (Bounds Check Bypass): trains the branch predictor, speculation leaks via the cache.
- Spectre v2 (Branch Target Injection): the attacker controls the branch target.
Speculative execution attacks
- Meltdown (2018) — rogue data cache load. Reads the kernel from userspace via OOO. Intel-specific (AMD safe).
- Foreshadow / L1TF (2018) — terminal fault, leak from the L1 including SGX.
- MDS / RIDL / ZombieLoad / Fallout (2019) — leak via microarchitectural buffers (LFB, store buffer, fill buffer).
- PortSmash (2018) — SMT port contention.
- PACMAN (2022) — Apple M1 pointer auth bypass.
- Hertzbleed (2022) — frequency scaling leak.
- Downfall (2023) — Gather instruction Intel.
- Inception / SRSO (2023) — AMD Zen.
Microarchitectural mitigations (Linux/kernel)
mitigations=auto # default
kpti # Kernel page table isolation
retpoline # software call/ret indirection
ibrs # Indirect Branch Restricted Speculation
ssbd # Speculative Store Bypass Disable
mds=full # MDS mitigation
tsx_async_abort # TAACost: 5–30% performance depending on workload.
Frequency / voltage attacks
- Plundervolt (2019): underclock the CPU dynamically; cause SGX computation to fault and leak.
- VoltJockey — variants.
- PlatypusPRD — RAPL power telemetry leak.
4. Fault attacks
Bellcore attack (1997)
Boneh-DeMillo-Lipton. An error in CRT-RSA during decryption reveals \(p, q\) via \(\gcd(N, m - m')\).
Mitigation: verify after sign (compute \(E(D(m)) = m\)).
DFA (Differential Fault Analysis)
Biham-Shamir 1997. An error in the last round of DES/AES reveals the key.
Rowhammer
Kim et al. (2014). Repeatedly accessing DRAM rows rapidly flips bits in adjacent rows. Bypasses memory isolation.
Variants:
- Drammer (2016): Android root via Rowhammer.
- Throwhammer: over the network.
- NetHammer.
- Hammulator, TRRespass — bypass mitigations.
- RAMBleed (2019) — read instead of write.
- SMASH (2022) — JavaScript.
- Half-Double (2021) — Google.
DDR4 is less vulnerable than DDR3; DDR5 with tighter timing.
Glitching attacks
- Voltage glitching: drop Vcc briefly — skips instructions.
- Clock glitching: fast pulse — skip cycles.
- EM glitching: directed electromagnetic pulse — flip a bit.
- Laser fault injection: laboratory.
Devastating on smartcards / embedded. Commercial: ChipWhisperer.
5. TLS/SSL protocol attacks
BEAST (2011)
Browser Exploit Against SSLTLS. Duong-Rizzo. CBC IV chaining in SSL 3.0TLS 1.0: the attacker predicts the next IV, chooses plaintext to reveal bytes.
Mitigated: TLS 1.1+ uses an explicit IV. Browser patch: 1/n-1 split.
CRIME (2012)
Compression Ratio Info-leak Made Easy. The attacker injects chosen plaintext into an HTTPS request together with a cookie; compression (DEFLATE) reveals size info from the match.
Mitigated: disable TLS compression.
BREACH (2013)
CRIME variant — exploits HTTP-level gzip compression in the response. Harder to mitigate.
Lucky 13 (2013)
AlFardan-Paterson. Timing in MAC-then-encrypt CBC (TLS pre-1.2): the verify time reveals padding.
Mitigated: AEAD (GCM/Poly1305), Encrypt-then-MAC (RFC 7366), constant-time MAC.
POODLE (2014)
Padding Oracle On Downgraded Legacy Encryption. Möller-Duong-Kotowicz. Forces a downgrade to SSL 3.0; exploits deterministic non-MACed padding.
Mitigated: disable SSL 3.0. TLSFALLBACKSCSV (RFC 7507) signals on downgrade.
Heartbleed (2014, CVE-2014-0160)
An implementation bug in OpenSSL's Heartbeat extension. Buffer over-read: the client requests 64KB of server memory specifying a large length but a small payload; the server returns 64KB of heap residue.
Leaks:
- Private keys (RSA exponent recovery from the key schedule).
- Session cookies, passwords, recent plaintext.
Estimated: 17% of web servers affected. Reset every TLS cert in the world after the patch.
FREAK (2015)
Factoring RSA Export Keys. Beurdouche et al. State machine bug in OpenSSLAppleMicrosoft TLS stacks: the server accepts a 512-bit RSA "export grade" key even without negotiation. 512-bit RSA breakable in ~7 hours via NFS.
Logjam (2015)
Adrian et al. State machine bug + DH parameter sharing. Servers use the same DH-1024 primes. The NSA (estimated) precomputes NFS for 1024-bit common groups → breaks session keys retroactively.
Mitigated: DH 2048+ or ECDH. RFC 7919 named groups.
DROWN (2016)
Decrypting RSA with Obsolete and Weakened eNcryption. Aviram et al. Cross-protocol attack. A server with SSLv2 enabled (even on another port) shares the RSA key → SSLv2 Bleichenbacher vulnerability → decrypts the TLS handshake.
Mitigated: kill SSLv2 globally.
Sweet32 (2016)
Bhargavan-Leurent. Birthday bound on 64-bit block ciphers (3DES, Blowfish). ~32 GB of CBC/CTR traffic with the same key: block collision reveals the XOR of plaintexts.
Mitigated: AES (128-bit blocks); rekey after volume.
ROBOT (2017)
Return Of Bleichenbacher's Oracle Threat. Böck-Somorovsky-Young. Servers (Cisco, F5, Citrix, Erlang) still vulnerable to the Bleichenbacher 1998 PKCS#1 v1.5 padding oracle, 19 years later. Decrypts RSA-key-transport handshakes or forges signatures.
Mitigated: TLS 1.3 (no RSA key transport), PSS for signing, constant-time padding check.
Raccoon (2020)
Merget-Brinkmann-Aviram. DH timing leak in TLS 1.2: the server unpads the DH shared secret before hashing → timing reveals leading zeros → solving the discrete log easier.
Triple Handshake (2014)
Bhargavan et al. Cross-protocol cross-version. The TLS Renegotiation extension fix didn't fully cover it.
TLS-PSK + Pre-Shared Key issues
CVE-2022-0778 — OpenSSL bug in BNmodsqrt (infinite loop). More of an impl bug than a crypto-break.
6. SSH protocol attacks
CBC Plaintext Recovery (Albrecht et al. 2009)
OpenSSH CBC mode with chained IV: the attacker recovers 14 bits of plaintext per gigabyte of traffic.
Mitigated: AEAD (chacha20-poly1305, AES-GCM); CBC disabled by default.
Terrapin (2023, CVE-2023-48795)
Bäumer-Brinkmann-Schwenk. Truncation attack on SSH BPP (Binary Packet Protocol). A MITM injects messages into the handshake before KEX; cuts extension negotiation; downgrades to weaker ciphers or strips features.
Mitigated: strict KEX (OpenSSH 9.6+, libssh 0.10.6+).
Bleichenbacher's e-Print SSH 1998
SSH-1 non-padded RSA: the Bleichenbacher 1998 variant is applicable.
7. Attacks against hashes
MD5 broken — collisions
Marc Stevens 2007–2008: chosen-prefix collisions in seconds. Forges X.509 certificates (rogue CA, 2008). Flame malware (2012) uses an MD5 collision to forge Microsoft Windows Update signing — state actor.
SHA-1 broken — SHAttered (2017)
Stevens-Bursztein-Karpman-Albertini-Markov. Chosen-prefix collision cost ~110 GPU-years. Demo: two PDFs with the same SHA-1.
SHA-1 Shambles (2020)
Leurent-Peyrin. ~US$45k cloud. Forges arbitrary GPG/X.509 identity.
Length extension
An attacker with \(H(\text{secret} \\\| m)\) and \(|\text{secret}|\) can compute \(H(\text{secret} \\\| m \\\| pad \\\| m')\). Affects MD5, SHA-1, SHA-2 (not SHA-3, BLAKE2, ChaCha).
Mitigation: use HMAC or a hash with structural defense (SHA-3 sponge).
Hash flooding (DoS)
An internal hashmap with a deterministic hash → the adversary forces collisions → degrades to O(\(n^2\)) lookup.
Mitigated: SipHash keyed (random key per process).
8. RSA attacks
Bleichenbacher (1998)
Padding oracle in RSA PKCS#1 v1.5. The server leaks "padding valid" vs "invalid" → adaptive CCA recovers the plaintext in ~\(10^6\) queries.
Revived in ROBOT (2017), variants to this day.
Bleichenbacher signature forgery (2006)
In lax implementations of PKCS#1 v1.5 signature verification, the attacker forges a signature without the private key.
Coppersmith / Hastad
Small messages, low exponent (\(e = 3\)): if the same message is encrypted to several public keys, CRT + Coppersmith recovers the plaintext.
Wiener's attack
Small \(d\) (private exponent): continued fraction expansion of \(e/N\) reveals \(d\) if \(d < N^{1/4}/3\).
Boneh-Durfee (1999)
Small \(d < N^{0.292}\) — improvement on Wiener.
Partial key exposure
Bleeding bits of \(d\) via side channel + Coppersmith → reconstructs it.
ROCA (2017, CVE-2017-15361)
Nemec-Sys-Svenda-Klinec-Matyas. Infineon chip RSA keygen: \(p, q\) have the structure \(a + (65537^c \mod \text{primorial})\) for small \(c\). Coppersmith attacks in hours (1024-bit) or days (2048-bit).
Affected: smartcards (Estonia eID, Slovakia eID, Spain), TPMs (Yubikey, Microsoft), millions of keys. Massive rotation campaign.
Mining your Ps and Qs (2012)
Heninger-Durumeric-Wustrow-Halderman. Scan the internet: 0.5% of TLS, SSH keys have shared primes (entropy starvation on embedded boot). \(\gcd(N_1, N_2) = p\) → breaks both.
9. ECC attacks
Invalid curve attacks
The server accepts a point not-on-the-curve → ECDH in a weak subgroup. Mitigation: validate that the point belongs to the curve.
Twist attacks
A curve with an insecure twist: the attacker sends a point on the twist; ECDH operations leak the key.
Mitigation: a curve with twist-security (Curve25519 has it; P-* are not twist-secure but have cofactor 1, which mitigates in other ways).
Small subgroup confinement
Cofactor not 1: some points have small order; forces the result into a small subgroup → trivial enumeration.
Nonce reuse / leakage in ECDSA
Like Bitcoin Android 2013, Sony PS3 2010: \(k\) repeated → solve a linear system → private key.
Mitigated: RFC 6979 deterministic, or EdDSA (built-in deterministic).
Lattice attacks on ECDSA
Even with a "quasi-random" \(k\): a few high-bits leaked across many signatures → Bleichenbacher lattice attack → key.
Demonstrated against SGX (Galauschka et al.), Yubikey FIDO (Roche-Lomné 2021 - Minerva attack).
10. Attacks against key generation
DualECDRBG (2007–2014)
NIST SP 800-90A RNG with an NSA backdoor suspected by Shumow-Ferguson 2007; confirmed via the Snowden documents (2013); removed in 2014.
Affected:
- RSA BSAFE — default in some products. RSA was paid US$10M from the NSA (confirmed post-Snowden).
- Juniper ScreenOS NetScreen firewalls (2008–2013).
- Fortinet, McAfee in some versions.
Debian OpenSSL RNG bug (2008, CVE-2008-0166)
A maintainer commented out the line adding entropy (by accident). Result: \(\sim 32k\) unique SSHSSL keys across all of DebianUbuntu 2006–2008.
Heninger's "Mining your Ps and Qs" (2012)
(see §8) — entropy starvation at boot causes shared primes.
ROCA (2017)
(see §8) — Infineon library bug in prime generation.
Bytom (2018)
Curve confusion: the programmer swapped points between curves. Bug in wallet code.
Wintermute (2022, US$160M lost)
The vanity-address wallet tool profanity (ECCKey grinding) had an entropy weakness: a 32-bit seed, so the attacker brute-forces 2^32 → recovers the private key by grinding the same curve.
11. Physical attacks
Cold boot
Halderman et al. (2008). DRAM retains its contents for seconds after power; chilled with a can of compressed air, minutes.
Boot from USB with a minimal payload (does not overwrite critical RAM) and dump via another USB or the network. Offline analysis with aeskeyfind, rsakeyfind, Volatility.
DMA attacks (PCILeech)
An FPGA-based PCIe card: direct reading of RAM bypassing the kernel. Inserted in a free slot. PCILeech tool (Ulf Frisk).
Mitigation: IOMMU enforce + iommu=strict.
Thunderbolt / USB4
Same DMA principle via Thunderbolt adapters. Inception tool (legacy). Modern: Thunderclap (USB-C laptops).
Mitigation: disable Thunderbolt on a server; trust levels on modern laptops.
JTAG / debug ports
Hardware debug interfaces. In production they must be disabled (fuse blow); many boards still expose them.
Bus analyzer / DIMM transplant
State-actor lab: an interposer between the DIMM and the slot reads all DDR traffic. DDR4 with data scrambling is difficult; DDR3 is trivial.
Mitigation: AMD SME / Intel TME (encrypted RAM).
Hardware implants
NSA TAO catalog (Snowden): COTTONMOUTH (USB connector), HOWLERMONKEY (rf), GOPHERSET, MONKEYCALENDAR. Modified hardware implants.
Detection: difficult; requires X-ray, mass spectrometry, or boot-chain anomaly detection.
12. Implementation attacks
Buffer overflows (Heartbleed)
CVE-2014-0160. Memcpy size from the attacker without bounds check.
Use-after-free / double-free
GnuTLS bugs, OpenSSL bugs.
Integer overflow
Bitcoin overflow CVE-2010-5139.
Padding oracle (Vaudenay 2002)
Eric Vaudenay generic attack on CBC-MAC. Vary the ciphertext, observe the error: "padding invalid" vs "MAC invalid". Recovers the plaintext.
Applications: ASP.NET (2010), TLS Lucky 13, POODLE.
MAC truncation / forgery
Old protocols truncated the MAC; the attacker forces a collision in the tag space.
Replay attacks
The same ciphertext re-sent: TLS 1.3 0-RTT vulnerable; sessions without a nonce vulnerable.
Downgrade attacks
Cross-protocol (DROWN), version (POODLE), cipher (FREAK), feature (Terrapin).
Algorithm confusion
JWT: alg: none accepted by careless libs → unsigned tokens pass. CVE-2015-9235 (jwt-simple Node), multiple libs.
Path traversal in kid
JWT kid header used as a filename → ../../etc/passwd.
Timing on string compare
Passwords / MACs / API keys compared with strcmp/== → first differing byte, returns. The attacker measures time, byte-by-byte recovery.
Mitigation: constant-time compare (crypto.timingSafeEqual, subtle.ConstantTimeCompare, CRYPTO_memcmp).
13. Quantum attacks
Shor (1994)
Polynomial-time quantum algorithm for IFP, DLP. Breaks:
- RSA (any size).
- DH (any group).
- ECDSA, ECDH (any curve).
Grover (1996)
Quadratic speedup search. Reduces:
- AES-128 → 64-bit effective security.
- SHA-256 preimage → 128-bit.
- SHA-256 collision → ~85-bit (BHT, Brassard-Høyer-Tapp).
Hardware status (2026)
There is no quantum computer with enough logical qubits for Shor RSA-2048. An estimated ~20M physical qubits with error correction. Possibly 2030–2040.
HNDL (Harvest Now Decrypt Later)
Collect encrypted TLS/VPN today, store it until a quantum computer is available. That is why PQC migration is now.
14. Attacks against blockchain
51% attack
Majority mining → rewrites recent blocks. Bitcoin never; ETH Classic 2019, Bitcoin Gold 2018.
Selfish mining
Eyal-Sirer 2014. Hide a block while continuing to mine — wastes other miners' work, profits even with <50%.
Eclipse attack
Isolate a node, feed it only adversary blocks. Heilman et al. 2015.
Replay across forks
Hard fork without chain ID protection (Bitcoin Cash early days) → tx replayed on both.
Smart contract attacks
Not crypto per se:
- Reentrancy (The DAO 2016, US$60M).
- Integer overflow (BeautyChain).
- Front-running / MEV (sandwich attacks, arbitrage).
- Flash loan attacks (bZx, Harvest, Cream).
- Bridge hacks (Ronin, Wormhole, Nomad — US$ billions).
15. Attacks against randomness
Predictable PRNG seeds
- Netscape 1995: seeded from time + PID; only ~\(10^4\) possibilities.
- Bitcoin wallets with
Math.random(). - VMs cloned with the same entropy state.
Reuse of nonce
ECDSA, GCM, ChaCha20-Poly1305 — nonce reuse = catastrophic.
Weak entropy on boot
Embedded devices, IoT, just-booted VMs.
TRNG manipulation
Voltage/temp affects ring oscillators. Some implementations vulnerable.
Backdoored DRBGs
DualECDRBG (NIST/NSA). Possibly others.
16. Attacks against CAs and PKI
Comodo (2011)
Reseller compromise, fraudulent certs for Google, Microsoft, Yahoo, Skype, Mozilla. Affected Iranian users.
DigiNotar (2011)
An entire CA hacked (Iranian state actor). 500+ fraudulent certs including *.google.com. CA distrusted globally — DigiNotar went bankrupt.
TURKTRUST (2013)
The CA issued an intermediate cert to a company that used it to MITM its own traffic.
Symantec (2017)
Historically misissued certs discovered. Google/Mozilla distrusted Symantec roots; sold to DigiCert.
Let's Encrypt CAA bug (2020)
15M certs misissued (CAA check timing). Revoked.
Mitigation: Certificate Transparency
RFC 6962. CT logs append-only public. Browsers require SCTs. Fast detection of mis-issuance.
17. Table of memorable attacks by category
| Category | Notable attacks |
|---|---|
| Cipher cryptanalysis | Linear/Diff DES, AES related-key (theoretical), RC4 biases, DES Deep Crack |
| Hash | MD5 chosen-prefix, SHA-1 SHAttered/Shambles |
| RSA | Bleichenbacher 98/ROBOT 17, Coppersmith, ROCA, Mining Ps&Qs |
| ECC | Sony PS3, Bitcoin Android, Minerva (Yubikey FIDO) |
| Side-channel | SpectreMeltdownMDS/Foreshadow family, Plundervolt, Hertzbleed |
| Protocol | BEAST, CRIME, BREACH, Lucky 13, POODLE, FREAK, Logjam, DROWN, Sweet32, Heartbleed, Terrapin |
| Impl | OpenSSL Heartbleed, Debian RNG, DualECDRBG |
| Physical | Cold boot, PCILeech, Rowhammer, EM, acoustic |
| PKI | DigiNotar, Comodo, TURKTRUST, Symantec |
| Crypto-currency | Sony PS3 wallet, Bitcoin Android wallets, Wintermute |
| Quantum | Shor (theoretical pending hardware), SIKE killed 2022 |
18. Tools / labs / CTF
- OWASP, PortSwigger Crypto Academy.
- Cryptopals (cryptopals.com) — a famous set of exercises for learning attacks.
- CryptoHack — gamified.
- PicoCTF, HackTheBox, Tryhackme — crypto categories.
- Black Hat / DEF CON / RWC talks.
- ChipWhisperer (NewAE) — physical SCA lab.
19. Hardening recommendations 2026
For implementers:
- Use TLS 1.3 only; never legacy.
- Use AEAD; never CBC without MAC.
- Constant-time everything that touches a secret.
- Randomness via the OS API; never a custom PRNG.
- RFC 6979 for ECDSA or move to Ed25519/EdDSA.
- IOMMU enforce.
- Memory encryption (SME/TME) enabled in BIOS.
- PQC hybrid on any long-retention traffic.
- Microcode updates applied quickly after disclosures.
- SMT disabled on side-channel-sensitive workloads.
20. Cross-reference
- Attacked algorithms:
04-symmetric.md,05-asymmetric.md,06-hash-and-mac.md. - Attacked protocols:
07-protocols.md. - Confidential computing as a defense:
09-confidential-computing.md. - Contextualized incidents:
13-incidents.md. - People (Kocher, Bleichenbacher, Coppersmith, Wang, Stevens, Marc...):
12-people.md.