# Latest crypto-related questions

Score: 2
Self-decryption paradox in identity-based encryption

In the paper Dual system encryption: realizing fully secure IBE and HIBE under simple assumption (free PDF), the authors said "there is an apparent paradox in this strategy since it seems that the reduction algorithm could simply answer the challenge ciphertext". In the paper An efficient IBE scheme with tight security reduction in the random oracle model, the authors said "Nevertheless, a private k ...

Score: 3
KYBER.CPAPKE: IND-CCA Security of Lyubashevsky, Peikert, Regev (LPR) Encryption

The NIST Kyber KEM spec defines an encryption scheme, KYBER.CPAPKE, that's a variant of the so-called Lyubashevsky, Peikert, Regev ("LPR") encryption scheme [1]. While LPR encryption is typically defined over subrings of cyclotomic number fields, KYBER.CPAPKE is instantiated over an $$R_q$$-module where the base commutative ring is $$R_q := \mathbb{Z}_q[X]/ \langle \Phi_{512}(X)\rangle$$ and $$q = 3329$$

Score: 7
Noisy Quantum Gates Spoil Shor's Factorization Attack

Update:

In Lipton and Regan's blog, Scott Aaronson and Craig Gidney have commented that the results are not unexpected and also not a deal-breaker, in that dealing with this type of noise is already part of the way QC is implemented, including the use of physical measures as well as error correction for making quantum computing work.

Original Question:

An interesting recent paper by Jin-Yi Cai is sug ...

Score: 2
ECDSA simpler formula?

In ECDSA, if Alice wants to send a message to Bob, she computes $$s=k^{-1}(z+rd_A)$$.

I was thinking that the formula could simply be $$s=k^{-1}zrd_A$$ and the algorithm would work just as well, and the verification would be simpler, because the recipient would just have to calculate $$X=s^{-1}zrQ_A$$ instead of a sum $$X=s^{-1}zG+s^{-1}rQ_A$$.

Is there something I'm missing?
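
As an added worked example (not part of the question above), the Python code below implements ECDSA over secp256k1 with the standard equation $$s = k^{-1}(z + r d_A)$$ and the proposed multiplicative variant $$s = k^{-1} z r d_A$$, then shows what the variant's verification equation $$X = s^{-1} z r Q_A$$ actually checks: only that $$X$$ is a scalar multiple of $$Q_A$$ with a scalar the verifier can compute from public values. Anyone can therefore pick $$R = t Q_A$$, set $$r = x(R) \bmod n$$ and $$s = z r t^{-1} \bmod n$$, and the forged pair passes without $$d_A$$. The sum in the standard equation is what ties $$z$$ to the base point $$G$$ rather than to $$Q_A$$ and prevents this cancellation. The curve constants are the public secp256k1 parameters; the message is constructed for the demonstration.

```python
# Added example (not from the original post): standard ECDSA next to the proposed
# multiplicative variant, plus a forgery against the variant that never uses d_A.
import hashlib
import secrets

# Public secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(a, m):
    return pow(a, -1, m)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(msg):
    """z = H(m) reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def sign_standard(d, msg):
    z = h(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = inv(k, N) * (z + r * d) % N          # s = k^-1 (z + r d_A)
        if r and s:
            return r, s

def verify_standard(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    X = add(mul(w * h(msg) % N, G), mul(w * r % N, Q))   # X = s^-1 z G + s^-1 r Q_A
    return X is not None and X[0] % N == r

def sign_multiplicative(d, msg):
    """The variant proposed in the question: s = k^-1 * z * r * d_A."""
    z = h(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = inv(k, N) * z * r * d % N
        if r and s:
            return r, s

def verify_multiplicative(Q, msg, sig):
    """The simplified check from the question: X = s^-1 * z * r * Q_A."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    X = mul(inv(s, N) * h(msg) * r % N, Q)
    return X is not None and X[0] % N == r

def forge_multiplicative(Q, msg):
    """No private key: choose R = t*Q_A, then pick s so that s^-1 z r Q_A = t Q_A = R."""
    z = h(msg)
    while True:
        t = secrets.randbelow(N - 1) + 1
        r = mul(t, Q)[0] % N
        if r:
            return r, z * r * inv(t, N) % N

def demo():
    d, Q = keygen()
    msg = b"pay 1000 to mallory"      # constructed message
    ok_std = verify_standard(Q, msg, sign_standard(d, msg))
    ok_mul = verify_multiplicative(Q, msg, sign_multiplicative(d, msg))
    forged = forge_multiplicative(Q, msg)
    # Genuine signatures verify under both schemes; the forgery passes only the variant.
    return ok_std, ok_mul, verify_multiplicative(Q, msg, forged), verify_standard(Q, msg, forged)

if __name__ == "__main__":
    print(demo())
```

The forgery works because in the variant both the nonce and the private key cancel out of the verifier's scalar, leaving the verifier to test a relation between $$R$$ and $$Q_A$$ that the attacker chose. Standard ECDSA verification adds a term on $$G$$ that the attacker cannot move onto $$Q_A$$ without knowing $$d_A$$.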

Score: 1
Is it a bad idea to swap modes/encryption primitives?

I was wondering if changing modes or primitives could affect security. For example, let's say you have encrypted data with AES-128 with CBC mode and you want to change it to AES-128 GCM, or to ASCON. What I mean by that is that you decrypt the messages then encrypt them again with the new scheme. Does that affect security in any way?

From what I've read, sometimes it affects security: if you go f ...

Score: 0
AES Ciphertext as key to another AES operation

I've this requirement to 'derive' a session key from an AES key that is stored inside an HSM. I don't want to mention which HSM, since what I intend to do is to make the system HSM-neutral.

The initial idea is to use any existing KDF algorithm, but since the AES key is in hardware, the KDF is only possible if the HSM supports it. But again, I don't want to tie it down to a particular HSM.

Therefore the id ...

Score: 1
Is it undesirable for authentication to require decrypting a ciphertext?

A couple years ago, I devised some primitives for block ciphers and block cipher modes of operation; I was partly inspired by CAESAR. What these designs all had in common is that the encryption/decryption process would produce a bit string $$T_i$$ for each block and all of these bit strings would be combined together to make the authentication tag $$T$$.

Today I remembered some of the reasons why encrypt-the ...

Score: 0
Well-known public key with non-interactive deniable encryption

Alice wants to send Bob a message. Both have well known public/private EC keys (PA, b, PB, b). Both have well known public keys tied to an identity.

Alice computes a shared secret with Bob (PBa), and uses the x coordinate to tweak her private key, creating a new public/private keypair (PAx, ax).

Alice computes a shared secret between ax and PB, and encrypts a message for Bob this way (using ECIES, ...

Score: 1
Which Rust library is recommended if I would like to implement PLONK?

I think it should have APIs for polynomials, FFT and bilinear mapping if KZG commitment scheme is used.

Score: 1
Does CCA security imply perfect secrecy?

Can any encryption scheme that is CCA (Chosen Ciphertext Attack) secure be considered to achieve perfect secrecy?

Score: 0
About learning with error rings with only constant coefficient

I am new to RLWE and would like to ask whether what I am thinking makes sense.
Suppose I have a message e.g.: x=5
And I have a lattice based encryption scheme, e.g.: BGV
Could I encrypt x with BGV by treating x as a ring element (polynomial) with constant coefficient = 5 and all other coefficients = 0?
Thanks

Score: 0
PKC (non-Diffie-Hellman) from Graph Isomorphism

A Diffie-Hellman-style approach is proposed in https://mathoverflow.net/questions/408757/diffie-hellman-cryptography-based-on-graph-isomorphism but is broken easily.

Two graphs are isomorphic iff their adjacency matrices can be permuted to each other. GI has only quasipolynomial algorithms.

I wonder if there is a toy scheme (I know GI is not known to be average case secure) to illustrate with PK and SK ...

Score: -2
What is the critical importance of SHA and other hash families?

Assume integer factoring and discrete log are classically safe and LWE, McEliece etc. are quantum safe. This question is only about SHA and hash families in general, and why we need them if we have PKC primitives.

1. What role does SHA256 or other hash families play? Why are they needed when we have LWE, McEliece etc?

2. What happens if only SHA2 family including SHA256 is broken? Will we still have online finance ...

Score: 0
Does quantum-sourced randomness allow a potential random oracle instantiation?

My question is essentially the same as this one.

The random oracle is a black box that does two things.

1. Maintain a lookup table for any query that has already been asked.
2. For all new queries, toss a bunch of coins to obtain a sufficiently long uniformly random bitstring.

As far as I can tell, 1. sounds straightforward. For 2., why not use randomness from a quantum measurement outcome to achieve the coi ...

Score: 0
Verification in Bulletproof commitment scheme

I am reviewing the ZKP course presented by UC Berkeley (https://zk-learning.org/). On page 44 of lecture 6, attached below (https://zk-learning.org/assets/lecture6.pdf), the instructor explains the poly-commitment based on the Bulletproofs scheme.

I am a little confused about why the verifier computes com', g', and v' when it just checks $$v = v_L + v_R u^{d/2}$$. Does the verifier need com' and ...

Score: 0
Utility Guarantee of Small Data Base Mechanism in Differential Privacy

I am reading Section 4.1 (An offline algorithm: SmallDB) of The Algorithmic Foundations of Differential Privacy by Dwork and Roth. I am stuck at the proof of Proposition 4.4, which is about the utility guarantee of the small database mechanism (Algorithm 4 in page 70).

Proposition 4.4. Let $$\mathcal{Q}$$ be any class of linear queries. Let $$y$$ be the database output by SmallDB($$x,\mathcal{Q},\epsilon,\ ...$$

Score: 0
Ephemeral anonymous identities that can be slashed once forever with a single nullifier

Consider a ZKP anonymous credential scheme where each tuple of (x, identity_secret, merkle_root) corresponds to a unique nullifier computed as Hash(x|identity_secret). The prover can use this tuple repeatedly along with proving other statements.

x is designated on a per-session/app basis. And for a specific triple, a user can be blacklisted with the nullifier, and can not generate any new proofs w ...

Score: 0
How can I force the openssl "s_client" utility to generate predefined random bytes in its ClientHello?

I'm testing my server application (TLS 1.3) using the s_client program from the openssl library and I need to force s_client to generate my "random" values in its ClientHello. Could you tell me how I can do it using command line options? Where should I point it at the random sequence to be generated?

Score: 1
Are modes like CBC, OFB, CFB subject to chosen plaintext attacks?

I haven't found much info on the internet about the weakness of modes to chosen plaintext attacks, but from what I understand of them, there seem to be some trivial attacks, so I'm a bit confused. For example, let's encrypt 2 blocks of plaintext with value 0 with CBC:

$$C_0 = E_k(P_0 \oplus IV) = E_k(IV)$$

$$C_1 = E_k(P_1 \oplus C_0) = E_k(E_k(IV))$$

But then we have a double encryption of IV, which should be subject to a Meet-in-the-Middle ...
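
As an added example (not from the question above), the Python code below sets up the chosen-plaintext attack that CBC does admit in practice: when the IV of the next message is predictable (here the TLS 1.0 habit of reusing the previous ciphertext's last block as the next IV), an attacker who can submit chosen plaintexts tests one guess for an earlier secret block per query, because the XOR with the known IV can be cancelled out. With a fresh unpredictable IV per message this cancellation cannot be arranged, which is the condition under which CBC is proven CPA-secure. The block cipher is a toy 4-round Feistel network keyed with HMAC-SHA256 so the example runs without third-party libraries (any PRP works the same way); the secret and the candidate list are constructed.

```python
# Added example (not from the original post): chosen-plaintext attack on CBC with a
# predictable (chained) IV. Toy PRP stands in for AES so the code is self-contained.
import hashlib
import hmac
import os
import secrets

BLOCK = 16

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_prp_encrypt(key, block):
    """Toy 16-byte block cipher: 4-round Feistel network with HMAC-SHA256 round functions.
    Assumed to behave as a PRP for the purpose of the demonstration; not for real use."""
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, bytes(a ^ b for a, b in zip(L, _round(key, i, R)))
    return L + R

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, pt):
    """Plain CBC: C_i = E_k(P_i xor C_{i-1}), C_{-1} = IV. Input must be block-aligned."""
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_prp_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class ChainedIvOracle:
    """Encryption oracle whose IV for the next message is the last ciphertext block of the
    previous one. The attacker sees every ciphertext, so `next_iv` is known in advance."""
    def __init__(self, key, first_iv):
        self.key, self.next_iv = key, first_iv

    def encrypt(self, pt):
        ct = cbc_encrypt(self.key, self.next_iv, pt)
        self.next_iv = ct[-BLOCK:]
        return ct

def recover_block(oracle, target_ct_block, iv_used_for_target, candidates):
    """For each guess, submit P' = guess xor iv_used_for_target xor next_iv. CBC computes
    E_k(P' xor next_iv) = E_k(guess xor iv_used_for_target), which equals the target
    ciphertext block exactly when the guess equals the secret block."""
    for guess in candidates:
        probe = xor(xor(guess, iv_used_for_target), oracle.next_iv)
        if oracle.encrypt(probe)[:BLOCK] == target_ct_block:
            return guess
    return None

def demo():
    key = secrets.token_bytes(32)
    oracle = ChainedIvOracle(key, os.urandom(BLOCK))
    secret = b"PIN=4931;user=ab"                       # constructed 16-byte secret
    iv_used = oracle.next_iv                            # observed as previous ciphertext
    target = oracle.encrypt(secret)[:BLOCK]             # victim encrypts the secret
    candidates = [b"PIN=%04d;user=ab" % i for i in range(10000)]
    return recover_block(oracle, target, iv_used, candidates) == secret

if __name__ == "__main__":
    print("secret recovered:", demo())
```

The attack needs nothing about the block cipher itself, only that the attacker knows the IV before choosing the plaintext; that is why the CPA security proof for CBC requires the IV to be unpredictable, not merely unique.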

Score: 0
Is $0/1$ error ok in LWE?

Can the error in LWE or ringLWE schemes be from $$\{0,1\}$$? If not why and what is the best attack in this case?

Score: 0
AES S-Box design goal

The first layer of each AES round is the Byte Substitution layer. It is the only nonlinear element of AES. What would happen if this layer were not in the path? Would the lack of it create a problem for the design goals?

Score: 2
Good entropy from entropy test (90B) but still fail NIST800-22

I designed my TRNG with an FPGA. My TRNG has good entropy performance, with a value of 0.99x over several test runs. But for NIST 800-22, over several runs, sometimes my sequence passes all the tests and sometimes it fails one or two tests (my sequence length is 100,000,000 with 100 runs for each test). I checked the failed sequence results; mostly my sequence failed at Nono ...

Score: 1
Challenges like RSA factoring challenge

The RSA factoring challenge is a famous one and is still not completely solved.

Are there similar challenges for

1. Discrete log over $$\mathbb Z_p^*$$?
2. Discrete log over Elliptic curves?
3. LWE?
4. LPN?

Score: 1
How do big Galois groups yield better security in NTRU Prime?

I'm still kinda new to Galois theory so I apologize if this question is very obvious to some people.

Basically I'm reading this paper by the NTRU Prime team and in section 2.5 it's explaining how cyclotomic fields should be replaced with prime degree fields with "big Galois group", namely because how structures within cyclotomic fields (e.g. subfields and automorphism) can potentially lead to an a ...

Score: 0
Academic papers on the pros and cons of password-based systems versus digital-signature challenge-response systems

I don't really know what should be the correct title for this and the community can correct it after reading.

I was the author of PKDSA (Searchable on github).

I had the idea to do it because I feel that shifting from password-based schemes to challenge-and-response with digital signatures as much as possible might be good in the long run.

I would like to ask for help from the community in providing un ...

Score: 0
Is it safe to reuse the public key in NTRUEncrypt?

Looking at https://github.com/tbuktu/libntru/blob/master/src/ntru.h, there are some functions that deal with having multiple public keys with the same private key. I don't believe I need such functionality but it makes me suspect that it might be required. Basically, I want to know if it is OK to reuse the same keypair in NTRUEncrypt for a number of different key exchange operations.

Score: 1
Getting the wrong RSA private exponent (d) for this particular test vector from NIST CAVP

In 186-2rsatestvectors.zip/SigVerRSA.rsp

n = bb5784794f27bfab90a19bcc20bb10ac3d1d432d90651dace6235e34560abd733a0c3b693ea3802707c0e22e81603a6e2b82812a0027ece2d974a5a5190df89d636f7ab200849065fe412fe85e41aceb0d68b10cdd07e42ea16184c974f58c10c560aa444f64b41e932ab25355648b510b1feedca780cfb68f11ac9fc98ab15b

p = bda227ead8dc178121176abe07d036b3615a14e2badf195deba2082bf086c5eef4d40dc3ae3b57827359e90564fe4b ...

Score: 1
State recovery algorithm for Xorshift128 given modular outputs

I am researching the Xorshift128 PRNG. I am particularly interested in recovering the state given a set of outputs that have the remainder taken with different values.

A common way to take an unsigned 32-bit output from Xorshift128 and produce a value in the range $$0 \le n < 50$$ is to take the remainder of the output modulo 50.

Say I have been given 25 consecutive outputs which have modulos in the ra ...

Score: 1
Rabin-Miller Primality Test - Elaboration needed

In short, my question is:

What exactly do people mean when they say that "The more you apply the Rabin-Miller test to a number, the more certain you can be that the number you're testing is prime."?

To clarify what I'm asking, let's look at an example I was working through:

Testing if N = 78007 is prime or not (spoiler, it is).

Rabin-Miller procedure:

1. Find $$N - 1 = 2^K \cdot M$$

In this case, 78007 - 1 = 2 ...
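
As an added worked example (not part of the question), the Python below implements the Rabin-Miller test exactly as the procedure above starts it (write $$N - 1 = 2^K \cdot M$$ with $$M$$ odd, then examine $$a^M, a^{2M}, \dots, a^{2^{K-1} M} \bmod N$$ for one base $$a$$) and makes the "more rounds, more certainty" statement concrete. A composite $$N$$ can survive a given base $$a$$ (such an $$a$$ is a strong liar), but Rabin's theorem bounds the strong liars to at most a quarter of the bases for odd composite $$N > 9$$, so each additional independent random base divides the chance of being fooled by at least 4. The code confirms 78007 against trial division, and shows 2047 = 23 · 89 surviving base 2 but not base 3, and 3215031751 = 151 · 751 · 28351 surviving bases 2, 3, 5 and 7 but not 11. The liar bound and these two composites are standard facts about the test, not taken from the post.

```python
# Added example (not from the original post): Rabin-Miller with an explicit witness/liar view.

def decompose(n):
    """Step 1 of the procedure: write n - 1 = 2^k * m with m odd."""
    k, m = 0, n - 1
    while m % 2 == 0:
        k += 1
        m //= 2
    return k, m

def is_witness(a, n):
    """True if base a proves odd n > 2 composite. False if a is a 'strong liar' for n
    (or n is prime): a^m is +-1 mod n, or repeated squaring hits -1 before a^(n-1)."""
    k, m = decompose(n)
    x = pow(a, m, n)
    if x in (1, n - 1):
        return False
    for _ in range(k - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True

def is_probable_prime(n, bases):
    """Rabin-Miller with the given bases: 'probably prime' iff no base is a witness."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return not any(is_witness(a % n, n) for a in bases if a % n not in (0, 1))

def strong_liar_count(n):
    """Number of bases 1 <= a < n that fail to expose n. For odd composite n > 9 this is
    at most (n - 1) / 4, which is where the 'each round quarters the error' comes from."""
    return sum(1 for a in range(1, n) if not is_witness(a, n))

def is_prime_trial(n):
    """Deterministic reference by trial division, for cross-checking small inputs."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def report(n, bases):
    """Which of the given bases are witnesses for n, next to the ground truth."""
    return {a: is_witness(a, n) for a in bases}, is_prime_trial(n)

if __name__ == "__main__":
    print("78007 =", decompose(78007), report(78007, [2, 3, 5, 7, 11]))
    print("2047 =", report(2047, [2, 3]), "strong liars:", strong_liar_count(2047))
    print("3215031751 =", report(3215031751, [2, 3, 5, 7, 11]))
```

Running a single base therefore answers "is there a quick proof that N is composite?", not "is N prime?"; only the accumulation of independent bases that all fail to find such a proof drives the residual error down, and the 1/4 bound per base is what lets one state that error as a number.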

Score: 0
DES encryption Key from a passphrase

I have been given a DES encryption assignment. I was given the ciphertext, the plaintext and the "passphrase". The passphrase consists of a 4-byte hex string. I have studied several different tutorials on YouTube about the workings of DES but I still can't seem to be able to figure out the key. I have tried to add nulls between each character to create a 64-bit key and I have reversed the characte ...
