Latest Crypto related questions

Score: 1
Mangudai
Does game-theoretical fairness work when the goal of one party is randomness

When we take the coin flip in Blum's algorithm in "Coin flipping by telephone: a protocol for solving impossible problems", where Alice and Bob both want ownership over the same car, then one party (the adversary / Alice) can abort the protocol. Provided there does exist a powerful third party (e.g. the law), the protocol can be extended to give the car to Bob in case Alice aborts. This makes the algori ...

Score: 3
ceaaj
How does JOSE/JWE make use of ECDH when encrypting/decrypting messages?

Disclaimer: I first posted this question on security.stackexchange some minutes ago but deleted it, this is probably a better place for it.

My goal is to use JWE with hybrid encryption (ECDH+AES) for exchanging sensitive data with another party. However, the example code I can find for various Java libraries doesn't match my understanding of how ECDH or asymmetric encryption with EC works in gener ...

Score: 0
Rami
Question about asymmetric key wrapping using (limited) AES-GCM

Assuming that I have an RSA key of length 4k bit which I'm interested in wrapping using AES-GCM, and I have a (limited) AES-GCM cipher which can only encrypt a limited input size (say 256-bit/512-bit input) per invocation. Is there a way/are there conditions to fulfill when splitting this 4k bit key into smaller keys to fit my (limited) AES-GCM and yet get the same security as when using an unlimited AES-GCM (encryp ...

Score: 1
firesilver
Is there a good website to circulate RFCs

I'm drafting an RFC for a low-computation crypto algorithm, intended for low-power Bluetooth communication, likely without a connection, using advertisements only.

It's going to include raw C code examples so it should be quite portable.

Is there a good site to post my RFC to, where it will be more visible than, say, my dumb website where nobody goes?

Much the same way Medium circulates writing. I'm not ve ...

Score: 1
MFL
AES-GCM for sensitive database field - good solution?

I have been researching the best encryption to use in a .NET application for managing a sensitive database field (column). This encryption is on top of e.g. AWS at-rest encryption applied to the whole of the database and is aimed at frustrating use of the sensitive data by anyone other than the application (which knows the encryption key). Defence in-depth!

It seems to me from lots of reading tha ...

Score: 1
Jake Nelson
ED25519, RSA, Post Quantum Encryption confirmation

I am working on a chat feature to use both post quantum cryptography along with RSA, and want to confirm my thoughts.

As these algorithms haven't been fully battle tested, I have decided to use a combination of both PQE and usual public/secret key cryptography.

I decided upon the best algorithms to use for security.

  • Signing: ED25519
  • PQE KEM: McEliece
  • NON-PQE KEM: RSA 4096

We are currently using ...

Score: 5
Chan Tai Man
How to recover ring settings for the slow and the middle rotors on the Enigma Checking Machine?

Summary: The operation of the Enigma Bombe is well documented. I managed to use it and a candidate checking machine to recover the plugboard pairs and the ring setting for the fast rotor. I struggle to recover the ring settings for the slow and the middle rotors.

Question: Where can I find out more technical details on the Checking Machine?

Dirk Rijmenants (2022) Enigma Cipher Machine Simulator operation ...

Score: 5
John dow
Securely derive multiple EC keys from master EC key and prove it

Alice has a master EC key pair: $a$ - private key, $A$ - corresponding public key

Bob generates 2 random integers $r_1$ and $r_2$ and wants Alice to derive 2 new key pairs:

$a_1$ = $a$ + $r_1$ and $a_2$ = $a$ + $r_2$ and corresponding public keys $A_1$ and $A_2$

Questions:

  1. Is it possible for Alice to prove that she derived $A_1$ and $A_2$ from $a+r_1$ and $a+r_2$ using Schnorr proof?
  2. Is it secure for Alice ...
Score: 2
Lorenzo
Implementing a Merkle tree using a 128 bit hash function?

I need to implement a Merkle tree using a 128 bit hash function. In general, any hash function that guarantees pre-image, second pre-image and collision resistance should be fine to implement a Merkle tree. Is that correct? Probably, it is not even necessary to have pre-image resistance as long as the other two properties are available. Indeed, if you use the Merkle tree for data integrity, you want it t ...

Score: 2
SeekingAnswers
When using AES-256 in combination with HMAC-SHA, should we use SHA-256 or SHA-512?

When using AES-256 (cipher mode CBC and padding mode PKCS7) in combination with HMAC-SHA for authenticated encryption (assuming alternatives like TLS and AES-GCM cannot be used), should we use SHA-256 or SHA-512? This answer seems to indicate SHA-512. Is this interpretation correct? I've seen an implementation using SHA-256 and cannot figure out why.

Edit: Since it does not seem to be entirely clear: I'm  ...

Score: 2
Kira
Mutual authorization using a pre-shared key

I'd like for two machines on a network to be able to prove to each other that they both have knowledge of a pre-shared secret, without revealing the secret to each other. Let's assume that all traffic over the connection between the parties, A and B, is encrypted.

Here are the steps I'm currently imagining:

1. A->B: nonce_A, hash(nonce_A || secret_key)

  • B checks that they can produce the same hash u ...
Score: 0
mnaei
How do different encryption schemes scale as a relation between their security parameter and computational requirement?

For example, is it harder to break one 256 bit encryption than two 255 bit encryptions for RSA and AES?

For example, I understand that 256 bit RSA can be cracked in one minute according to this article [1]. So would two independent 255 bit RSA messages take thirty seconds each, and four 254 bit messages take 15 seconds each, etc., or would two 255 bit messages take 1 minute total on average?

[1] htt ...

Score: 0
atcheckmate
Is TLS 1.2 padding required when the message is a multiple of the block length?

When I want to encrypt a 16 byte long message with AES-128-CBC in TLS 1.2, do I need to add a 16 byte block of padding, or can I just encrypt the message without padding?

Score: 2
Is the permutation check range in the PLONK paper incorrect?

From the PLONK paper.

On pages 19 & 20, the paper describes the prescribed permutation check in PLONK.


---------------------------------------------

My question is about Step 3 in the protocol, which I have marked in red.

I am interpreting $1 \le j < i$ as $j =1$ to $j = i-1$

So the $\prod$ equation becomes $Z(\mathbf{g}^i) = \prod_{j=1}^{j=i-1} f'(\mathbf{g}^j)/g'(\mathbf{g}^j)$

I think th ...

Score: 1
LUN
Difference between "key_share" extension and "server_key_exchange" message in TLS 1.3

Could anyone explain to me the difference between the "key_share" extension and the "server_key_exchange" message in TLS 1.3? If I understood right, these "packets" of data are used to send key material to generate premaster keys. But what's the difference? In which case must a server use one or the other?

Score: 2
P_Gate
Authenticated Key Exchange of Kyber.AKE

I have some questions about the setting of the one-way authenticated key exchange of Kyber.AKE as defined in section 5 of the paper.

  1. How does $P_2$ authenticate itself to $P_1$? It is not obvious to me in the paper how it is ensured that $P_1$ really communicates with $P_2$. So how does $P_1$ know that it can actually trust $P_2$? I would have expected something like a certificate authority here.

     ...
Score: 5
user109190
How to prevent power analysis on software level?

When attacking RSA with Square&Multiply, one can figure out the secret key by looking at the exponentiation algorithm itself. To prevent this in software, we could use dummy multiplications after each square.

Yet, there are attacks like correlation power analysis on AES, which is vulnerable to it by definition. How can such attacks be prevented on a software level, without using any noise mas ...

Score: 1
Ayumi80s
Solve congruence equations like N = p*q, c1 = (2*p + 3*q)**e1 mod N, c2 = (5*p + 7*q)**e2 mod N

Here is a CTF crypto challenge like this (its write-up is public on https://ctftime.org/writeup/15438): $$N = p \cdot q\\ c_1 = (2p + 3q)^{e_{1}} \bmod N\\ c_2 = (5p + 7q)^{e_{2}} \bmod N$$ After I transform these: $$(c^{e_2}_1)\equiv (2p)^{e_1e_2}+(3q)^{e_1e_2}\pmod{N}\\ (c^{e_1}_2)\equiv (5p)^{e_1e_2}+(7q)^{e_1e_2}\pmod{N}$$ After multiplying by $5^{e_1e_2}, 2^{e_1e_2}$ to cancel $p$ from the two equations, I can solve this proble ...

Score: 1
Richard Thiessen
Ensure deniability of an interactive zero knowledge proof

Suppose that Peggy (prover) and Victor (verifier) are running some zero knowledge proof protocol that does not rely on hidden verifier secrets. The verifier generates randomly chosen challenge values only. Such protocols can be Fiat-Shamir transformed into NIZKPs (non-interactive ZKPs).

There is significant work on NIZKPs. Using them as-is in contexts where deniability is necessary would be nice, but as- ...

Score: 1
ccc
Constructing OR gate with OT

I am constructing a two-party OR gate and trying to do this with oblivious transfer. Yet I am very new to oblivious transfer, wishing to know whether the following construction makes sense.

Goal: Alice inputs a random bit $a$, Bob inputs a random bit $b$, and Bob outputs the logical OR bit $a\oplus b$.

Construction via 1-out-of-2 OT: Alice inputs $m_0 = a, m_1 = 1$, Bob inputs $c = b$, and finally B ...

Score: 1
Join the party P.A.R.T.Y.
Hash functions reversal

How do we know that hash functions cannot be reversed? An example is often given of two primes and their product, but any composite number that is the product of two primes has, by definition, exactly 2 natural factors. In the case of hash functions, things are different.

Have there been attempts to reverse hash functions, and if so, how many have been successful? Are there any theoretical works  ...

Score: 2
RobinLinus
Given two unrelated generators $G_1$ and $G_2$, and a third with $H = G_1 + G_2$. Is it hard to compute $xG_1$ from $xH$?

Given some group in which both discrete logarithms and the computational Diffie-Hellman problem are hard, and furthermore two random, unrelated group generators $G_1, G_2$ and a third generator defined by $H = G_1 + G_2$: can you compute $xG_1$ if you know only $G_1$, $G_2$, and $xH$?

My guess: I would assume it's hard, because otherwise it would be easy to compute $xG$ knowing only $xH$ for any two unr ...

Score: 2
Quora93
Plain text attacks without decryption logic

The CEO of the organization XYZ decides to hold a vote to decide whether employees should be allowed to work from home (WFH) either one, two or three days a week.

All 4 employees of XYZ (excluding the CEO), need to vote either “WFH one”, “WFH two” or “WFH three”. To ensure privacy, the CEO asks employees to send their votes by emailing them to the CEO. Furthermore, the CEO tells them  ...

Score: 2
Dimitri Koshelev
Provably secure cryptography in blockchains

Do you know a blockchain that does not use any cryptographic primitives standardized by the USA or other countries? It is strange to me that the security of many cryptocurrencies is based on ciphers, hash functions, elliptic curves, etc. from American standards.

It is normal when a cryptographic product contains standardized primitives of a certain country to be sold in this country. However, cryp ...

Score: 1
Question about the PLONK permutation check

From the PLONK paper.

On pages 19 & 20, the paper describes the prescribed permutation check in PLONK.


In the last step of the proof, these are the checks

a) $L_1(a)(Z(a) - 1) = 0$
b) $Z(a)f'(a) = g'(a)Z(a \cdot g)$

In (a), I think checking $Z(a) - 1 = 0$ & doing the (b) check as written is enough. What purpose does multiplying this by the first Lagrange Polynomial ($L_1(a)$) serve?

Can  ...

Score: 2
Lee Seungwoo
What is the space in which the exponents of the ElGamal encryption scheme live?

It is a bit of a stupid question, but I am so confused. Please examine my explanation. What is the space in which the exponents of the generator $g$ of a cyclic group $G$ of prime order $p$ live?

I think it is $\mathbb{Z}_p$ since $|G|=p$, so that $G=\{g^0, g^1, \ldots, g^{p-1}\}$. Thus the space in which the exponents live is $\mathbb{Z}_p$, which is a field.

But here is where I am confused. By Fermat's little theorem, $\f ...

Score: 2
Michael
NaCl - should I keep track of expired nonces

I store the ciphertext and the nonce in a SQL database.

If I decrypt the ciphertext, change it and encrypt it again, I generate a new nonce, so that I do not encrypt two different plaintexts with the same nonce. After encrypting the updated plaintext I store the ciphertext and the new nonce back in the database.

My question is: Should I keep track of the expired nonces so that no other plaintext is ev ...

Score: -6
Luke Bright
Is Schnorr's algorithm really subject to quantum-computer attacks?

I was wondering whether quantum computers really break Schnorr's signature scheme. Shor's algorithm works via the quantum Fourier transform, which reveals the cycle time and thus phi. However, with a multiplicative group mod $q$, a prime, everyone knows the cycle time, but that isn't the problem (unlike RSA). The problem is in finding a specific value.

Unlike in RSA, where you must FACTOR a number,  ...

Score: 0
Michael
Is it safe to store an AES-KW encrypted key in a database?

Use Case:

Web application accessed in a browser. Registered users can store personal notes in the application; these notes are stored in a SQL database on an online server. The user can store unencrypted notes and encrypted notes. For unencrypted notes the process is trivial: just store the notes in the database. For encrypted notes the storage gets complicated (for me).

Frameworks:

Score: 0
StavrosN
Password Manager desktop app

I have built a small password manager desktop app using Python. This app falls under the master-password model. The app connects to two databases stored locally. The first database stores the user's username for my app and the hashed (sha256+salt) master password; it also stores an email for password recovery purposes. The second database stores the username, password and optionally email for the app the user wa ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.