Latest Crypto related questions

I received two distinct outcomes from a single input using SHA3-256 and KECCAK-256:

input -->   sha3-256 --> output1

input --> keccak-256 --> output2

I want to find input2, which will give me output1 after Keccak-256 hash :

input2 --> keccak-256 -> output1

Is it somewhat possible? I read somewhere that SHA3-256 and keccak-256 have only difference in padding rule. Is it possible that k ...

I need a way to encode a set of information in a way that the result would be as short as possible with a requirement of it being usable as part of URL string.

I don't really care that much about security, the encryption is applied mostly for the plain text to not be visible right away. At the same time, just encoding (like base64) is not enough, there needs to be at least minimal security, meani ...

In PKCS#11 documentation § 2.1.23 is described how to wrap and unwrap a target asymmetric key of any length and type using an RSA key, called CKM_RSA_AES_KEY_WRAP. This mechanism could be easily implemented by hand in case it is not available in HSM.

The counterpart exists for EC, CKM_EC_AES_KEY_WRAP can wrap and unwrap an asymmetric target key of any length and type using an EC key. Unfortunately, th ...

I need to sign a URL to make sure the URL cannot be tampered or forged. The client has limited capabilities and I cannot use a key which is more than 50 characters long.

Generally I use RSA to generate the signature, with keys of the proper size. So I am not sure what technique to use to keep the signature safe enough. The key shared with the client will have a validation of 1 year.

Any suggestion?

In the paper Efficient and Secure Pairing-Free Certificateless Aggregate Signature Scheme for Healthcare Wireless Medical Sensor Networks, on the signature generation part (Page 5), there is an equation $Y_{2i} = [(y_2x_i + h_{2i}d_i)modq]P_{Pub} = (u_i, v_i)$. How is a group element assigned to two integers? $u_i$ is used as an integer in the following steps while $v_i$ is never used again.

I want to wrap a private key out of a HSM, using an external EC key pair (master key) and then verify that I can recover it.
The wrapping occurs as follows:

1. Generate a secret AES key in the HSM, using the public part of the EC master key, the private part of the internal key pair and the derivation mechanism CKM_ECDH1_DERIVE. The derivation parameters for this mechanism are: derivation function CKD ...

The implementation of Shamir secret sharing in this code, only generates the original image if the shares are provided in consecutive order (ex: [2,3,4]) and won't work in any other share order (ex: [2,4,6] or [4,1,3]). However, Shamir secret reconstruction does not require the shares to be in any order, then why does this fail?

import numpy as np
from scipy.interpolate import lagrange as lag
impor ...

I'm trying to understand the exploitability of the padding oracle attack, which enables someone to decrypt and encrypt the contents without knowing the encryption key.

Can encrypted data with the first block, be decrypted by the app that relies on a static IV without knowing the IV?

I want to understand the padding oracle attack's exploitability, especially to decrypt the first block of data using st ...

This is the problem

Let $\mathcal{L}$ be a lattice and $v_1,v_2,\ldots,v_n\notin\mathcal{L}$. Given the values $a_1,\ldots,a_n$ such that

$$a_1=\lfloor v_1\rceil+v_2+\ldots+v_n$$ $$a_2=v_1+\lfloor v_2\rceil+\ldots+v_n$$ $$\vdots$$ $$a_n=v_1+v_2+\ldots+\lfloor v_n\rceil$$

where $\lfloor\cdot\rceil$ means projection to $\mathcal{L}$. Retreive $\Sigma:=\sum_{i=1}^{n}v_i$.

Paraphrasing, say Alice lets Bob kno ...

I have a pytorch model that generates bond trade pairs that have a high probability of reverting to the mean in a 30 day time period.

I want to sell the signals, but I do not want them to be redistributed. Is there a way to encrypt my data signals, if I put them on a marketplace like Amazon Data Exchange or Snowflake?

Should you hash the salt on its own ? Is that possible?

for example being password with salt appended at the end hash(pass || salt) and hash(salt) in a password file?

I am learning about Elliptic curve scalar multiplications and I am on NAF, and I am trying to figure out the concept.

What I understand is if I have K=27 with using NAF the binary looks like this 100-10-1 then the scalar multiplication process like this: 2(2(2(2(2P))-P))-P which is 5DBL and 2ADD.

My questions is if want to scalar K=27 it means the steps like this:

1- 2P (0 bit)

2- 4P (0 bit)

3- 8 ...

The use case here is to deterministically generate a multi-use wallet from a single 12-word BIP39 mnemonic. Currently a standard process for deriving secp256k1 keypairs is implemented, e.g., using a derivation path like m/44'/60'/0'/0/x for an arbitrary x (0, 1...) to derive keypairs, which include a 32 byte/256 bit private key. The use case came up where it would be convenient to also deterministi ...

(Sorry for a newbie question) In ECC the intent is to create a group of a prime order (or prime multiplied by a relatively small cofactor).

I know there's an algorithm for ECC to count the number of elements. My question is: how is it known that the group order is indeed prime? AFAIK there're no known deterministic algorithms to test the primality of a number in polynomial time.

There're examples of ...

I have a theoretical question about the probability of collisions of hashes versus random numbers. I'm not interested in the exact probabilities. The exact hash function is not relevant (we can assume it is perfectly uniform, cryptographically strong, etc.). The implementation of the random number generator is also not relevant (we can assume it is a perfectly random generator).

1. If I have some poo ...

I asked an AI the following question:

Can you provide me with random numbers of 30 digits in length?

And then the AI has generated these numbers for me.

563958422461839604397274590248
743298571529845197630149526734
962345019834590239458293827563
841259630492576302945836184025
129458392650293745092837563945
938475029835820943759284396284
284657492870476502834795836192
937453090283964506295830295830 ...

For a KEM mechanism like RSA, Kyber, etc. is there it usually worth doing key trapping/key encapsulation both directions in a key exchange? By this I mean: Alice wraps a symmetric key and sends it to Bob. Bob wraps a different symmetric key and sends it to Alice. They both then run the concatenation of these two keys in a KDF to produce their shared key.

What are the pros and cons of such an mech ...

Our device comes with a device certificate which was signed with our private registration authority (CA). The private key (type ECC) was generated on the device itself - to be more specific directly on the on-board TPM. The public key is included inside the device certificate.

Now we have a use-case where we want to encrypt some sensitive file to be used on the device and wondered how we could do ...

Ciphertext : UCOWgokwyaqgkqguowgykkg

Alice said Adobe was attacked this year, find the sum of digits of that year. (Alice - a) Bob said i would want to know the month as well, i'm curious. (Bob - b)

Hint : Modular arithmetics, monoalphabetic substituions. can anyone give any hints on which substitution this is ..I am thinking it to be affine but it is not working

my try : i searched that adobe was atta ...

What would be the method of choice to compute the private key from the public key on a baby analog of secp256k1, say with $p$ and $n$ 144-bit?

What would be the pros and cons of Pollard's rho and Pollard's kangaroo ?

How can the special properties of a Koblitz curve be put to use?

When trying to implement ElGamal Public Key Encryption using Hyperelliptic Curves, one needs to map the message that will be encrypted to a valid Divisor (in my case in the Mumford representation, which is the most common).

I have not found any specific methods similar to Koblitz encodings in ECC. Are there any methods out there that can be presented in a more algorithmic way so that they can be  ...

I implemented below algorithm in hardware and it works fine with first point addition.

However, when I continue to perform back-to-back addition, I got the wrong result. The part that I'm not sure here is,

1. The original calculated X3 and Y3 are still in Jacobian coordinate and I do not want to convert them back to affine coordinate due to expensive cost for doing multiplicative inverse for Z-1.

    ...

I understand the only multilinear maps used in cryptography are bilinear maps, and higher arity multilinear maps are not "known." Why does the composition of bilinear maps not yield usable higher-arity maps? I thought the primary feature of multilinear maps in cryptography is simply their multilinearity along with non-degeneracy and efficient computability, so despite restricting to a very small class of ...

I have a program in Python to do the ECDH with the NIST P-256 curve. The program is seemingly working, ie I get the same private key pair at the end. But I want to make sure it's not a coincidence in my code, and that my double-and-add algorithm is working correctly.

TLDR: Is there a strong curve that gives all the details like the NIST P-256 curve and also a tested 2 integers that give a specific p ...

sbverify needs a certificate to verify digital signatures. I wonder why it's needed, since the signer certificate is already included in the digital signature itself ?

I am learning Elliptic Curve cryptography, I have been working on an example from a book:

I don't fully understand the line where the slope is calculated, specifically how 2^(-1) * 9= 13 mod 17? I saw a post here that says to get the inverse with the Extended Euclidean algorithm.

I just don't see what 2^(-1) is the inverse for. What I understand from the EEA is that for gcd(n, a) = (sn + ta) = 1 mod  ...

If we know the value of G*n, the value of n, and the value of p in Zp, is there a way to find out G?

I tried the code below on sage but the value was different from the original G.

# we know nG = (x, y)
Gx = inverse_mod(n, p)*nG[0] % p
Gy = inverse_mod(n, p)*nG[1] % p
G = (Gx, Gy)

I am currently studying the Double Ratchet Algorithm from Signal (link to the documentation). I stepped over a security issue which I was not able to find that it was mentioned anywhere.

I assume that an attacker is able to delay messages at the public channel. Let's say Alice and Bob are having a conversation via double-ratchet encrypted messages.

At double ratchet, if an attacker has compromised a me ...

This question is about adding new data with different proportions to a dataset with equal proportions for each type of data, and determining at what point the added data can be distinguished.

For example, in a hospital with doctors, nurses, cleaners, and security personnel, with proportions of [0.5, 0.2, 0.2, 0.1], there is a table of 1000 encrypted doctors, 1000 encrypted nurses, 1000 encrypted  ...

Is there a known feasible method for determining an unknown public key from a Diffie Helman shared secret and the other public/private key pair?

This would be rarely useful, but I am curious if the DH operation is 'invertible' given the derived secret and private/public key of one party.

So if the shared secret (which is known to the attacker) was directly used to encrypt data, and the local key pai ...