Latest Crypto-related questions

Score: 1
ZhuJerry
Can some cryptographic conclusions in the prime field be applied to the Galois field?

Such as the integer factorization problem and the discrete logarithm problem. Assuming a large polynomial is obtained by multiplying two generated polynomials, is it NP-hard to decompose it into these two generated polynomials? And assuming that A is the generator of the Galois field and B is a random number, is it NP-hard to find an x that makes $A^x=B$ hold?

Score: 1
sunmu
Gradient Leakage Attacks in Federated Learning

May I ask if I use top-K to compress the gradient, can the attacker recover the original information of the data from the compressed gradient?

Score: 6
RobinLinus
What's wrong with this simple reduction of discrete logarithms to the Diffie-Hellman problem?

This recent paper shows that discrete logarithms are solvable if you have an oracle for the Diffie–Hellman problem. However, to me, it seems there is a much simpler reduction and I wonder where I am wrong:

Core idea: A DH oracle allows us to exploit the multiplicative structure of a curve's scalar field, whereas normally, we can work only on its additive structure.

You can use a DH oracle to compute ...

Score: 3
Different-March-5530
Is it correct to concatenate HKDF expand stages?

I want to derive session keys for many clients from a Master Key. Suppose I derive a key for the client $n$ in the following way:

master_key = HKDF-extract(salt, IKM)

key_client_n = HKDF-expand(master_key, info_client_n, L)

Then, I generate session keys for the client $n$:

key_client_n_session_0 = HKDF-expand(key_client_n, 0, L)

key_client_n_session_1 = HKDF-expand(key_client_n, 1, L)

Is that safe? Is ...

Score: 1
kartti
Can I use a password hash to encrypt the private key of a bigger block size?

I have private keys that are close to 2kb in size. Now I want to password-encrypt them in the following manner.

  1. Generate the private key of an asymmetric encryption algorithm (public key can be derived from private key later) with a random number (I'm using a system PRNG).
  2. Generate a random salt of length 48 bytes (also from system PRNG)
  3. Hash the salt with argon2 and a secret password (arbitrary length, bu ...

Score: 3
Domino
Is it possible to sign in to a website using two different passwords using an MD5 hash collision?

I wanna do an experiment. I wanna see if it's possible to sign in to an outdated website that still uses MD5 to store passwords (there are surprisingly still a lot) with two different passwords.

For example "Password123" must have another string that produces the same hash value. I've found a few examples online of two strings that produce the same MD5 hash value, but all of them would exceed the ...

Score: 1
Greg Navis
Secure two-factor authentication app for iOS

I'm working on an open source iOS-native (both UX- and implementation-wise) 2FA app. Two of the primary goals for the project are ensuring security and simple backups. Addressing these two areas is the last blocker before the release.

I'd like to ask you for your opinion and advice regarding the scheme I devised for the app. I'm not a cryptographer, and the amount of key wrapping in the scheme makes me fe ...

Score: 0
Pi-Turn
Multiplicative Inverse in Point Addition/Point Multiplication

Walking through the textbook content, I understand that we need to compute the slope between 2 points before we can compute the new point as the result of addition.

The multiplicative inverse is part of the operation in the process of finding the slope, where we know the Extended Euclidean Algorithm is one of the best methods to be used.

However, in order to realize the Extended Euclidean Algorithm in hardware RTL, we need to ...

Score: 3
pengu1n
Enigma rotor settings and the notch

According to https://www.reddit.com/r/cryptography/comments/v0sw2r/enigma_ring_settings_question/

While the rotor is in the machine, the ring+notch+rotor all rotate in sync. While the rotor is pulled out, the ring+notch can be detached and rotated to a different offset compared to some canonical orientation of the inside rotor wiring.

This makes sense.

The online Enigma encoder at https://www.101c ...

Score: 3
Walker
Data type transformation in Rust library

I am using some ark libraries, such as ark_ff and ark_bls12_381, to implement some cryptographic algorithms. In these algorithms, random oracles are needed, which take some group elements in G1, G2, Gt on the BLS curve and output a scalar number (ark_bls12_381::Fr). How do I do these steps? To be specific, I need to hash group elements and get a 'u8' array, and then generate an Fr from the byte array. I need ...

Score: 1
Flan1335
Does triple ChaCha20 have 256-bit post-quantum security?

Experts suggested 3DES when AES wasn't developed yet; because of the meet-in-the-middle attack, they suggested triple DES. Grover's algorithm, a quantum algorithm, weakens symmetric encryption; how about triple ChaCha20? Does triple ChaCha20 have 256-bit security against quantum computers?

Score: 2
ming alex
Replacing the Hash function with messages in the BLS signature scheme, the security degenerates from EUF to SUF?

I have been thinking about this question: if I directly replace the hash function with the message in the BLS signature, does the security of BLS degenerate from existential unforgeability (EUF) to selective unforgeability (SUF) under the known message attack (KMA)?

The modified BLS signature scheme is defined as below. $\cdot BilinearGen\to pp:=(G_1,G_2,G_T,e,p,g_1,g_2)$ where the pairing type i ...

Score: 2
sunmu
Key management problem in federated learning based on homomorphic encryption

In federated learning using homomorphic encryption, all participants in most schemes share the same pair of keys, which can easily cause key leaks and lead to data privacy leaks.

After research, I found that someone proposed to use a multi-key homomorphic encryption algorithm to solve the above problems. But I wonder why no one has added a key management scheme, such as secret sharing, to the exi ...

Score: 1
Different-March-5530
Is there a multi-key HMAC scheme?

I wonder if there is any scheme or algorithm to generate HMACs that verify with multiple keys.

Suppose I have the secret keys K1, K2 and K3 and I have a message M1. Is the following possible?

  • Generate an HMAC1 with M1 that can be verified with K1 and K2 but not with K3

  • Generate an HMAC2 with M1 that can be verified with K2 and K3 but no longer with K1

  • Generate an HMAC3 with M1 that can be ver ...

Score: 1
Joseph Johnston
Tensor and power bases for SIS?

What is there to say about using a power basis or a tensor basis or some combination of them for the RSIS problem in lattice cryptography? Restricting to dimension 3 for illustration, usually the basis is $(1,x,y)$ for uniform $x,y\in R$. I'm instead wondering about power basis $(1,x,x^2)$, and tensor basis $(1,x,x^2)\bigotimes(1,y,y^2)$. More generally, I'm wondering about higher powers and higher  ...

Score: 1
Flan1335
How long per operation does it take to crack Kyber1024 compared to AES256 on quantum computers?

How long do quantum computers take per operation when searching for the key of Kyber? Grover's algorithm weakens 256-bit AES to 128-bit security; quantum computers take at most 2^128 operations to find an AES key, but each operation must take some time; as mentioned in https://www.ambit.inc/pdf/KyberDrive.pdf : Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum securit ...

Score: 3
NB_1907
On the Adaptive Security of MPC Protocols

In adversarial context of MPC, the corruption behavior refers to the assumptions about the corrupted parties’ deviation level from the protocol specification. Three main types of corruption behaviors are: semi-honest, malicious, and covert.

In practice, dealing with semi-honest corruption behavior is considered more feasible while malicious and covert corruption behavior are more challenging be ...

Score: 0
Rakmo
Question is regarding Kyber implementation in RTL (encode12 algorithm)

Hi everyone, I am trying to implement the basic skeleton of the PQC Kyber algorithm. Until now I have obtained t=As+e and s after performing point-wise multiplication (frequency to time domain). Now I am stuck at the encode12 algorithm, which is required to obtain pk (12xnxk/8+32 bytes) and the secret key (12xnxk/8 bytes). Can you please help me out with this?

So basically we have designed Kyber768 variant  ...

Score: 3
P_Gate
CRYSTALS-Kyber - Decryption and Decoding

I have a question about the decryption in Kyber [1]. I will first give important statements of the paper and then ask my actual question with an example.

In the paper it is stated:

... decrypt to a 1 if $v-s^Tu$ is closer to $\lceil \frac{q}{2} \rfloor$ than to 0, and decrypt to a 0 otherwise.

On the other hand, when decrypting, it is stated in Algorithm 3:

return $Compress_q(v-s^Tu,1)$

And note th ...

Score: 2
CuriousCrypto
Does having more than one HMAC provide more information to the attacker?

Suppose $N$ many messages have been sent from $A$ to $B$ in this format:

  • $\operatorname{HMAC}(K, C(i)) \mathbin\| C(i)$.

Where

  • $C(i)$ is some cipher-text encrypted with some secure algorithm using some key
  • $K(i) \ne K$ for any $i$ in range $[0, N-1]$.

There is no implication whether $K(i) = K(j)$ for any $i \ne j$.

Thus, it is just "some" encryption algorithm but encryption key used to encrypt  ...

Score: 10
Raoul722
Why Ed25519 encodes y-coordinates rather than x-coordinates

As stated in RFC8032 and FIPS 186-5, Ed25519 signatures use the following encoding method:

A curve point (x,y), with coordinates in the range 0 <= x,y < p, is coded as follows. First, encode the y-coordinate as a little-endian string of 32 octets. The most significant bit of the final octet is always zero. To form the encoding of the point, copy the least significant bit of the x-coordi ...

Score: 2
Osmin
Essence of bootstrapping

Let me start by saying that I have a mathematical background, and have very little experience with cryptography. I only know the very basics.

With that said, I recently read about Homomorphic Encryption (HE), and thought that it was a very interesting concept. What one really cares about, though, is Fully Homomorphic Encryption (FHE), which allows you to (essentially) perform an unlimited amount of ...

Score: 1
crypt
Collision Resistance in Random Bit Generator

Consider the following simple RBG, where the SHA-256 of random noise (more than 200 bytes with 4 bits of entropy per byte) is computed to produce 256 output bits:

$\text{output} = \operatorname{SHA-256}(\text{randomNoise})$

Is the security strength of collision resistance or pre-image resistance applicable to it, i.e. does it provide 128- or 256-bit security?

According to NIST SP 800-90A section 10.1

The maximum security s ...

Score: 1
DannyNiu
Secure ciphersuite from security-wise sub-optimal unkeyed permutation?

Hypothetically,

  1. IF we were to create a SSL/TLS or QUIC ciphersuite from a single (unkeyed) permutation operating in sponge mode to provide hashing and duplex mode to provide AEAD cipher,

  2. AND IF the permutation is wide enough, and the capacity in both modes is large enough,

  3. THEN, to what extent can capacity make up for mathematical weakness in the permutation? AND by how much?

The inspiration w ...

Score: 1
jh_sh
How to authenticate multiple IoT devices having unique certificates (ECDSA)?

I'm relatively new to the field of security.

I'm working on an IoT system with WiFi-connected nodes (Bio-sensing devices) communicating with a server for centralized monitoring.

I need to authenticate each device when connecting to the server. So, each device has a unique certificate with a signature (ECDSA).

However, I'm unsure how the server selects which certificate to present for each device.

Score: 0
Unequaled Density
Outside of use in microchips and FPGAs does SHA-3 have a lookup table?

Is SHA-3 normally used with a LUT or hash table?

Score: 1
UnpluggedTrio
Implications of generating public keys for incremental private keys?

Let us consider a hypothetical situation.

What would be the implications if there is a method by which one can calculate the public keys for incremental private keys, with the help of only the public key?

For instance, one is given a public key only. (that public key has the private key as 1001) and he is asked to calculate the public key of the next private key or the 10th one or any incremental pr ...

Score: 3
Ma Joad
Error-correcting as part of an encryption scheme?

If we do not encrypt a message, we can use a checksum to check data integrity. For authenticated encryption, we no longer need the checksum because we use the authentication tag to verify data integrity.

The above is about error-checking. Now, for error correcting (like Hamming code), is there an encryption scheme that

  1. Can check for integrity,
  2. Can correct one or two bit flips of the ciphered text, and

Score: 0
BenjaminC
Is it possible to have a local p2p connection with encryption and a remote p2p connection with encryption within the same application?

On the wiki page of Rustdesk, it states "the connection is unecrypted, please do not send us issue about this." for local direct IP.

BUT, Rustdesk is intended as "Virtual / remote desktop infrastructure for everyone!" (so not localdesktop).

While Rustdesk claims Rustdesk is encrypted between client and server, which seems to be a more complicated task to have completed, BUT they cannot do local p2p conne ...

Score: 2
Mark S
Is there a family of cryptographic hash functions that can be realized with a smallish depth quantum circuit?

Certain number-theoretic cryptographic hash functions, such as $x^2\bmod N$, are known to be broken by a quantum computer. For example, one could use Shor's algorithm to factor $N$ into its product of two primes $(p_1,p_2)$, and use these primes to find collisions at-will. It's also been a long-open problem to find a hash that satisfies a version of Simon's promise; if such a hash could be found, th ...
