Latest Crypto-related questions

In PKCS#11, can I set a custom base point for a secp256r1 ECDSA signature? (asked by sander)

According to FIPS 186-4 § D.1.1.5, Choice of Base Points, I should be able to create ECDSA signatures with custom base points on P-256 (secp256r1).

Does standard PKCS#11 support this feature?

This is how far I got building example code, based on org.xipki:ipkcs11wrapper:1.0.4 and SoftHSM 2.6.1:

import org.xipki.pkcs11.wrapper.*
import org.xipki.pkcs11.wrapper.PKCS11Constants.*
import org.xipki.pkcs11.w ...

Introducing differential privacy in two different ways (asked by batman)

I would like to investigate whether it is possible to introduce Differential Privacy (DP) to a model via both adding Laplacian noise to the training data and then training with DP-SGD updates. Is it a valid way to introduce DP?

In other words, if we separately applied Laplacian noise to the data the system would be assigned with (ε1,0)-DP per epoch and if we trained with DP-SGD it would be assigned  ...

Best practices on implementing a password manager (asked by anthonychwong)

I'm a dev new to security and cryptography.

I'm writing a password manager and Time-based OTP combo in dart/flutter to use on multiple devices and platforms, for fun and to use personally for real. I have done some reading over Google, stackoverflow.com and crypto.stackexchange.com, came up with the following skeleton, and am here to ask for some further security advice, for encryption, implementation and ...

How to use NIST SP 800-22 to check the randomness of 128-bit output in AES? (asked by Cat Dragon)

I am trying NIST SP 800-22 to test the randomness of 128-bit output in AES, but I always get an igamc: UNDERFLOW or Segmentation fault (core dumped) error.

My data file has a 128-bit output format, for example as follows:

01101100010001011111011101010011011000000101111001111100010010111011111001010011101101000000111011011100011011101101100011011001
00000000101100000010110001100100101101000010010010110101 ...

Fiat-Shamir with interactions (asked by pintor)

Suppose we have a standard $\Sigma$-protocol for proving the knowledge of a witness $x$ for the statement $y$. It has an honest-verifier ZK and special soundness. Now we do an unusual modification to get an interactive $\Sigma'$-protocol in ROM:

  1. The prover $\mathcal{P}$ computes $a$ exactly as in the $\Sigma$-protocol and sends it to the verifier $\mathcal{V}$.
  2. The verifier $\mathcal{V}$ replies with ...

How can we explain STARK with less math? (asked by manu muraleedharan)

I am trying to understand STARK with not much math. I understand SNARK like this: Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

From the helpful article: https://z.cash/technology/zksnarks/

We have a computation with many steps that can prove something. We take that and create an arithmetic circuit (in simple words, an algebraic equation). Then we have R1CS which is going to valid ...

Where is the cryptography library that supports group signatures? (asked by American Corn)

Finding a cryptography library to implement various application features is not difficult nowadays, thanks to options like NaCl, Google Tink, PyCA, and OpenSSL. However, I've been struggling to find a library that supports group signatures, which is causing confusion. Would anyone be able to provide an explanation or recommend a library that supports this feature? Thanks so much for helping.

Ring LWE distribution definitions (asked by cryptolearner)

This may be a stupid question but I've been stuck on parsing these definitions for a while.

I am reading the paper "On Ideal Lattices and Learning with Errors Over Rings" by Lyubashevsky, Peikert, and Regev. I am trying to understand the error distributions they are proposing. In section 3, they define a set $\mathbb T = K_{\mathbb R}/R^V$ where $K$ is any number field and $K_{\mathbb R}$ is $K \oti ...

Interesting and fun facts about cryptology (asked by NB_1907)

We are planning to organize a workshop with the participation of academicians, engineers and graduate students working in the field of cryptology. On the first day, we are planning a fun competition for the participants as an ice-breaking event. Our goal is to organize a quiz on fun, little-known facts about cryptology via the online app. Interesting general culture questions will be more acceptable ins ...

The second moment and fourth moment of $\mathcal{P}(V)$? (asked by zbo)

Background: I am reading the paper "Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures" (here is the link). And I got stuck in understanding the computation of the moment.

Question statement: In section 4.3 of the paper, it defines: For any $V=[\mathbf{v}_1,\cdots,\mathbf{v}_n] \in GL_n(\mathbb{R})$ and any integer $k \ge 1$, the $k$-th moment of $\mathcal{P}(V)$ over a vector $\mathbf{w}  ...

Compression algorithm with multiple valid same-sized outputs (asked by Tensor)

Is there a lossless compression algorithm that has hashing-like properties where there are multiple solutions to it?

As in, for example, when a 1000-bit data sequence is compressed into a 500-bit data sequence, there are multiple possible 500-bit data sequences that can be generated as outputs. Each of these 500-bit data sequences, once decompressed, would output the original 1000-bit data sequ ...

Where can I find 2 of the steps/proofs described in Dan Boneh's video on PLONK in the PLONK Paper? The 2 don't seem to match

This is Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=vxyoPM2m7Yg

I went through the video multiple times & also tried to go through the original PLONK paper - https://eprint.iacr.org/2019/953.pdf

Boneh's explanation of PLONK involves the steps

1) Boneh considers the trace of the equation as the inputs (public & private) & the gates. Let's say there are 3 gates & 3 input ...

Decrypting full ciphertext of (AES CTR/GCM) based on partial knowledge of the cleartext (asked by Tito)

I have found myself in a position where I need to encrypt multiple objects (vCards) with AES Counter mode or Galois/Counter Mode using the same key. Now here is the problem: the structure of the vCard always starts with predefined values, i.e. here is an example from Wikipedia

 BEGIN:VCARD
 VERSION:4.0
 FN:Simon Perreault
 N:Perreault;Simon;;;ing. jr,M.Sc.
 BDAY:--0203
 GENDER:M
 EMAIL;TYPE=work:sim ...

Why do we need the random number in the Pinocchio protocol compared with GGPR? (asked by Wang Linger)

I find it hard to fully grasp the whole Pinocchio protocol.

I understand that the $\alpha$ s are for restricting the prover to compute only the corresponding set-up values.

But it's not clear to me how to pick up $\gamma$ for the consistent (same) witness check.

From what I can tell, this protocol cleverly embedded different $r_v, r_w, r_y$ values into the generators $g_v, g_w, g_y$. An insightful improvement on

Does information about known input and output for SHA3-256 help to find a KECCAK-256 input for the same output? (asked by Ilya)

I received two distinct outcomes from a single input using SHA3-256 and KECCAK-256:

input -->   sha3-256 --> output1

input --> keccak-256 --> output2

I want to find input2, which will give me output1 after the Keccak-256 hash:

input2 --> keccak-256 -> output1

Is it somewhat possible? I read somewhere that SHA3-256 and Keccak-256 differ only in the padding rule. Is it possible that k ...

Shortest encryption with URL-friendly character set (asked by mnj)

I need a way to encode a set of information such that the result is as short as possible, with the requirement that it be usable as part of a URL string.

I don't really care that much about security; the encryption is applied mostly so that the plain text is not visible right away. At the same time, just encoding (like base64) is not enough; there needs to be at least minimal security, meani ...

Is it possible to wrap an RSA private key using an EC key pair? (asked by 3ric-T)

In the PKCS#11 documentation, § 2.1.23 describes how to wrap and unwrap a target asymmetric key of any length and type using an RSA key; the mechanism is called CKM_RSA_AES_KEY_WRAP. This mechanism could easily be implemented by hand in case it is not available in the HSM.

The counterpart exists for EC: CKM_EC_AES_KEY_WRAP can wrap and unwrap an asymmetric target key of any length and type using an EC key. Unfortunately, th ...

Securely sign a URL using a 50-character-long key (asked by Norcino)

I need to sign a URL to make sure the URL cannot be tampered with or forged. The client has limited capabilities and I cannot use a key which is more than 50 characters long.

Generally I use RSA to generate the signature, with keys of the proper size, so I am not sure what technique to use to keep the signature safe enough. The key shared with the client will have a validity of 1 year.

Any suggestion?

Confusing notation in signature scheme (asked by Rabindra Moirangthem)

In the paper Efficient and Secure Pairing-Free Certificateless Aggregate Signature Scheme for Healthcare Wireless Medical Sensor Networks, in the signature generation part (page 5), there is an equation $Y_{2i} = [(y_2x_i + h_{2i}d_i) \bmod q]P_{Pub} = (u_i, v_i)$. How is a group element assigned to two integers? $u_i$ is used as an integer in the following steps while $v_i$ is never used again.

Wrap-unwrap of private key using EC master key (asked by 3ric-T)

I want to wrap a private key out of an HSM, using an external EC key pair (master key) and then verify that I can recover it.
The wrapping occurs as follows:

  1. Generate a secret AES key in the HSM, using the public part of the EC master key, the private part of the internal key pair and the derivation mechanism CKM_ECDH1_DERIVE. The derivation parameters for this mechanism are: derivation function CKD ...

Why does Shamir secret sharing appear to need ordered shares? (asked by Nacho Libre)

The implementation of Shamir secret sharing in this code only generates the original image if the shares are provided in consecutive order (e.g. [2,3,4]) and won't work in any other share order (e.g. [2,4,6] or [4,1,3]). However, Shamir secret reconstruction does not require the shares to be in any order, so why does this fail?

import numpy as np
from scipy.interpolate import lagrange as lag
impor ...

Padding Oracle Attack - Decrypting First Block with Static IV (asked by VitoCorleone)

I'm trying to understand the exploitability of the padding oracle attack, which enables someone to decrypt and encrypt the contents without knowing the encryption key.

Can encrypted data with the first block be decrypted by the app that relies on a static IV without knowing the IV?

I want to understand the padding oracle attack's exploitability, especially to decrypt the first block of data using st ...

Hiding sum of vectors. Hardness based on CVP (asked by Cristian Baeza)

This is the problem:

Let $\mathcal{L}$ be a lattice and $v_1,v_2,\ldots,v_n\notin\mathcal{L}$. Given the values $a_1,\ldots,a_n$ such that

$$a_1=\lfloor v_1\rceil+v_2+\ldots+v_n$$
$$a_2=v_1+\lfloor v_2\rceil+\ldots+v_n$$
$$\vdots$$
$$a_n=v_1+v_2+\ldots+\lfloor v_n\rceil$$

where $\lfloor\cdot\rceil$ means projection to $\mathcal{L}$. Retrieve $\Sigma:=\sum_{i=1}^{n}v_i$.

Paraphrasing, say Alice lets Bob kno ...

Does anyone know how I would authenticate the data my algorithm generates? (asked by John Shelburne)

I have a pytorch model that generates bond trade pairs that have a high probability of reverting to the mean in a 30 day time period.

I want to sell the signals, but I do not want them to be redistributed. Is there a way to encrypt my data signals, if I put them on a marketplace like Amazon Data Exchange or Snowflake?

Is hashing salt possible even with the password with salt appended to the end? (asked by Bus)

Should you hash the salt on its own? Is that possible?

For example, with the password with salt appended at the end, hash(pass || salt), and hash(salt) in a password file?

Scalar Multiplication using NAF method (asked by Cisco Saeed)

I am learning about elliptic curve scalar multiplication and I am on NAF, and I am trying to figure out the concept.

What I understand is that if I have K=27, using NAF the binary looks like this: 100-10-1, and then the scalar multiplication process is like this: 2(2(2(2(2P))-P))-P, which is 5 DBL and 2 ADD.

My question is: if I want to scalar-multiply by K=27, are the steps like this:

1- 2P (0 bit)

2- 4P (0 bit)

3- 8 ...

Safety of reusing the same seed to derive secp256k1 keys and AES-256-GCM (asked by snsdgm)

The use case here is to deterministically generate a multi-use wallet from a single 12-word BIP39 mnemonic. Currently a standard process for deriving secp256k1 keypairs is implemented, e.g., using a derivation path like m/44'/60'/0'/0/x for an arbitrary x (0, 1...) to derive keypairs, which include a 32 byte/256 bit private key. The use case came up where it would be convenient to also deterministi ...

EC group order primality test

(Sorry for a newbie question) In ECC the intent is to create a group of a prime order (or prime multiplied by a relatively small cofactor).

I know there's an algorithm for ECC to count the number of elements. My question is: how is it known that the group order is indeed prime? AFAIK there are no known deterministic algorithms to test the primality of a number in polynomial time.

There are examples of ...

Theoretical hash collisions vs random number collisions (asked by Garret Wilson)

I have a theoretical question about the probability of collisions of hashes versus random numbers. I'm not interested in the exact probabilities. The exact hash function is not relevant (we can assume it is perfectly uniform, cryptographically strong, etc.). The implementation of the random number generator is also not relevant (we can assume it is a perfectly random generator).

  1. If I have some poo ...

Can an AI really generate random numbers? (asked by swannty)

I asked an AI the following question:

Can you provide me with random numbers of 30 digits in length?

And then the AI generated these numbers for me.

563958422461839604397274590248
743298571529845197630149526734
962345019834590239458293827563
841259630492576302945836184025
129458392650293745092837563945
938475029835820943759284396284
284657492870476502834795836192
937453090283964506295830295830 ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.