Latest crypto-related questions

Score: 4
Jeffrey
Secure channel: Is there an assumption in an MPC protocol that the communication between different parties is secure?

Should we consider that, in an MPC protocol, the confidential messages communicated between two parties can be eavesdropped on by adversaries? If so, should we build a secure channel for that?

Score: 1
MayDen
Stuck on a cryptanalytical research project

This is not a technical question, but rather it seeks advice on what to do if cryptanalytical research goes wrong.

I've discovered a new attack that works great in theory, but in practice, it fails.

I don't know why. Haven't figured it out yet. Tried really hard. I work on this thing alone. Not sure if I could do this alone right now.

All the arithmetic of the attack works great with normal numbers, bu ...

Score: 2
Fiono
Pedersen commitments equivalence

Is there a zero-knowledge proof that proves that two Pedersen commitments commit the same value?

Score: 0
darkflamehxy
Is it secure to do subfield vector oblivious linear evaluation (VOLE) over a ring $\mathbb{Z}_{2^k}$?

In the paper "Efficient Pseudorandom Correlation Generators: Silent OT Extension and More" (https://doi.org/10.1007/978-3-030-26954-8), Boyle et al. proposed subfield VOLE.

For standard vector oblivious linear evaluation correlation one has, $\vec{v}+\vec{w}=\vec{u}*x$ ($v_i, w_i, u_i, x \in \mathbb{F}_p$).

And for subfield VOLE correlation, $x \in \mathbb{F}_q$ ($q = p^r$), $v_i, w_i \in \mathbb{F ...

Score: 1
alpominth
Is it safe or reasonable to use the key parameter in a cryptographic hash function as a counter?

Not all cryptographic hash functions have a counter parameter to make messages different for each counter value. But many accept a key parameter.

Is it reasonable to use the key parameter as a counter?

Is it safe?

Score: 1
alpominth
Does an increase of message size increase the number of guesses to find a collision?

If I hash a 256-bit message and generate an output digest of the same size with a cryptographic hash function, then the number of guesses to find a collision is expected to be $2^{128}$.

Does increasing the message size also increase the expected number of guesses to find a collision?

If yes, can the hash function internal state have any size or does it always have the same size, regardless of the input? ...

Score: 1
alpominth
How to estimate the collision resistance of a hash function if a secondary key is used (keyed hash function)?

According to the HighwayHash documentation, finding a collision is expected to take $m \over 2$ guesses, where $m$ is the message.

By contrast, 'strong' hashes such as SipHash or HighwayHash require infeasible attacker effort to find a hash collision (an expected $2^{32}$ guesses of $m$ per the birthday paradox) or recover the seed ($2^{63}$ requests). These security claims assume the seed is secret. I ...

Score: 2
A tensor-based Diffie-Hellman exchange

Below is a description of a "cube" Diffie-Hellman, based on commuting matrix actions on tensor products. Some questions:

  1. References for something similar?
  2. Obvious flaws, is this a terrible idea?
  3. Any other comments?

Definitions

Let $S$ be a finite ring, $n$, $k$, positive integers, and $R=M_k(S)^n$ the $n$-fold product of $k\times k$ matrices over $S$. Let $M$ be the $R$-module $(S^k)^{\otimes n ...

Score: 2
Lee Seungwoo
Why does a 'rounding constant' exist in Round5? (NIST PQC Round 2 algorithm)

I am reading the Round5 paper.

This public-key encryption scheme is based on Ring-LWR, but I found it is a little different from a typical LWR-based PKE scheme.

In the key generation algorithm of Round5 (Algorithm 1, Line 3 in the paper), they compute

$$ b= \left< \Bigl \lfloor \frac{p}{q}\left(\left< as \right>_{\Phi_{n+1}(x)} +h_1\right) \Bigr\rceil \right>_p$$

where $\left< \cdo ...

Score: 1
Beru
RSA: decipher c when everything except N is known

Is it possible to solve this:

If you have the following information about an RSA-encrypted plaintext $m$:

$e = 65537$
$d$, $c$ some very large numbers
$p$ and $q$ are both random 128-bit long prime numbers
$m$ is a string built from 16 random characters drawn from both ASCII letters and digits

If $N$ would be known $m \equiv c^d \mod N$ could be computed, however I have no clue how I would get either $m$ ...

Score: 1
Jakub Rogacz
Textbook RSA security for fully random message

I am asking this since I can't find a definite answer.

Is it secure if I use textbook RSA provided all my data is 2048 bits (or any N <= 2048 for a 2048-bit key) and it is random (using SecureRandom in Java, for example)?

Or should I figure out the maximal key length under a padding scheme and use padding anyway?

Score: 1
NIZK Proof of Knowledge of a Standard RSA Signature on a message (without signer participation)

I'm looking for a protocol in which a Prover transforms an RSA signature $\sigma$ on a message $m$ that verifies under a public key $vk$ into a NIZK proof of knowledge, $\pi$, of that signature. A verifier should then be able to verify that the prover saw a signature for that message and that the signature would have verified under the public key, $vk$.

The protocol has three parties: a signer, a p ...

Score: 0
bd55
RSA: Is there a way to compute phi(n) or N itself if we only know e, d and a ciphertext?

I am trying to solve a problem where the private key exponent d, the ciphertext c, and the public key exponent e (65537) are known. How can I calculate φ(n) or n itself?

An extended version of the problem would be: if we can get many d and ciphers for the same plaintext, where e is always 65537, is there a way to decrypt the cipher?

Score: 1
n-l-i
How to combine the keys in the Triple Diffie-Hellman (3DH) key exchange?

I was reading up on the Triple Diffie-Hellman (3-DH) key exchange and noticed that the Wikipedia description [1] is different from the original protocol definition [2] and the modified definition [3] they reference.

Two users have two key pairs each; $a, A$ and $x, X$ for one user and $b, B$ and $y, Y$ for the other. $H$ is a key derivation function. Is there any difference between the follow ...

Score: 3
What is the modern terminology for a digital signature scheme with a shadow?

In Guillou and Quisquater's 1988 paper "A 'Paradoxical' Indentity-Based Signature Scheme Resulting from Zero-Knowledge", they say that an RSA identity has a shadow and go on to state that this property is being standardized:

Let us mention that ISO is standardizing a “digital signature scheme with shadow” (see ISO-DP 9796) in the Working Group JTC1/SC20/WG2 (public-key techniques).

The Guillou-Quis ...

Score: 0
rerouille
Difference between Decryption-failure and Plaintext-checking oracles

I am reading this paper, which in the introduction describes two main types of key recovery SCAs:

  • Reaction-type SCAs, which use a decryption failure oracle
  • Message-recovery-type SCAs, which use a plaintext-checking oracle

I don't understand the difference between these two oracles. In this presentation, the authors categorize three different oracles, including these two.

My understanding is th ...

Score: 2
Mr. McNiki
Why is $d = e^{-1} \mod \phi(N) \equiv e^{\phi(N)-1} \mod \phi(N)$ and not commonly used in RSA key generation?

On some lecture slides on RSA encryption, the formula for calculating the private key is given as $d = e^{-1} \equiv e^{\phi(N)-1} \mod \phi(N)$. The second equation is justified by the fact that $\gcd(e,\phi(N))=1$.

My questions:

1. How does the second equality come about? I know that Euler's Theorem shows that $a^{\phi(b)} \equiv 1 \mod b$ for coprime $a,b$. So why don't we need to write

Score: 2
securityauditor
Recommended puzzles?

I am beginning my journey into Cryptography, having studied a theory-heavy master's degree module, and I have also read The Code Book by Simon Singh, among many other online resources.

What puzzle books would the community recommend, just so I can get into the mindset of code-breaking? I noticed that certain newspapers have puzzles that are just like the Playfair Cipher. This is something that sh ...

Score: 3
samuel-lucas6
CX vs padding fix for AEAD key commitment

The padding fix by Albertini et al. for AEAD key commitment (pp. 3292 and 3301-3302) involves prepending a block or two of zeros to the plaintext before encrypting. After decryption, these bytes are checked to be zero to verify that the same key was used for decryption.

The Counter-then-Xor (CX) construction by Bellare and Hoang (pp. 25-26) involves encrypting a nonce padded with zeros concatenate ...

Score: 1
secret-token
How can knowledge of a secret be compared among untrusted entities?

Let's say entity A sends a secret "token" to anybody that they trust.
The token itself is the proof; it's sent equally to everybody and it has to be, or needs to be, derived from application-specific data.

Entities B, C and D get the same token and want to publish a timestamped event for proof, but they don't trust anybody, so each of them separately salts and hashes the secret and publishes it to the outer world. ...

Score: 2
Pedro
Clarification on the intractability of the Elliptic Curve Discrete Logarithm Problem

I'm currently going through the book "Guide to Elliptic Curve Cryptography" by Darrel Hankerson, Scott Vanstone, and Alfred Menezes. In the book, the authors state that

[…] there is no mathematical proof that the ECDLP is intractable. That is, no one has proven that there does not exist an efficient algorithm for solving the ECDLP. Indeed, such a proof would be extremely surprising. For example, the n ...

Score: 7
nitchan
Why is Threefish not widely used?

I haven't seen Threefish widely used. For example, I've seen Twofish used in file encryption software, even though it was not standardized, but I've never seen Threefish. Are there security issues?

Score: 1
n-l-i
Can HKDF be used in place of a cryptographic hash function?

For context, I'm making a non-production grade reference implementation of the balloon hash function using the Web Crypto API. In order to make it less susceptible to certain attacks on common memory hard KDFs, the number of memory blocks should be reduced, meaning their size should increase. I am however restricted in the choice of cryptographic functions to the functions defined in the SubtleCrypto inte ...

Score: 2
foo
Confusion+Diffusion comparison table? (e.g. with Avalanche Criterion / SAC)

I'm looking for a general comparison of encryption algorithms in regard to Confusion and Diffusion (as defined by Claude Shannon), and if possible, specifically for their SAC and BIC quality.

For example, XOR stream ciphers have no (0, zero, zilch) diffusion: you flip 1 bit in the ciphertext, and you know which single bit in the plaintext after decryption will be flipped.

Most ciphers, especially blo ...

Score: 1
Rafael Werlang
Is a single 256-bit hash table in which the digests are from mixed cryptographic hashing algorithms still considered collision resistant?

Consider a single hash table containing digests from about 10 different 256-bit cryptographic hash functions, like SHA256, SHA3, Keccak256, BLAKE2, BLAKE3, etc.

Is such a table still considered collision resistant?

I am inclined to think so, but I might be missing something.

Score: 3
infinite-blank-
Quickest way to find MD5 collision

I'm trying to find an MD5 hash collision between 2 numbers such that one is prime and the other is composite (at most 1024-bit). I'm using fastcoll with random prefixes for each iteration.

For this I wrote this script:

import subprocess
from Crypto.Util.number import bytes_to_long, isPrime
import string
import random

won = False

N = 10

while not won:
    # Run the fastcoll executable to generate ...

Score: 0
SN-Grotesque
How does the public key cryptography algorithm generate a public key based on the private key?

Because of the needs of the project, I want to develop a simple public key cryptography algorithm, but I have doubts when generating the key pair.

I have learned about the key generation process of RSA. It is to prepare two coprime numbers (p, q), multiply them to obtain N, and then calculate L (that is, L=lcm (p-1, q-1)), calculate the public key (pk is a number larger than 1 and smaller than L,  ...

Score: 2
crypt
Paper based OTP and MAC

Consider the following paper-based OTP:

  1. Plaintext has 11 possible symbols, 0-10.
  2. $C_i = M_i + K_i \bmod 11$.
  3. $K_i$ comes from pre-shared key material which is never reused.

How can data integrity / a MAC be introduced into it such that it can be calculated using pen and paper?

Score: 0
Bean Guy
Why is the notion of equivalent divisors important in pairing definitions?

Following the book Pairings for Beginners, the Tate pairing computation requirements are:

  1. Let $P$ be a point in the $r$-torsion subgroup of $E(\mathbb{F}_q)$.
  2. Let $f$ be a function whose divisor is $(f) = f(P) - r(\mathbb{O})$.
  3. Let $Q$ be a point of $E(\mathbb{F}_{q^k})$.
  4. Let $D_Q$ be a degree zero divisor that is equivalent to $(Q) - (\mathbb{O})$, with disjoint support to the one of $(f)$.

The  ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.