Latest Crypto related questions

Score: 0
user7113370
Generating Complex Passwords from (Non-)Memorable Phrases - Need Advice

I've been thinking about creating strong and unique passwords for my online accounts, but I also want them to be memorable. I've come across the idea of using a memorable passphrase as the basis for complex password generation. Specifically, I'm considering hashing the passphrase to generate the complex password, using a hash function like SHA-256 or bcrypt to convert the passphrase into a fixed-lengt ...

Score: 1
scr4tchy
Obsidian.md's "end-to-end" encryption & privacy

Obsidian.md claims

End-to-end encryption means that the data is encrypted from the moment it leaves your device, and can only be decrypted using your encryption key once it's back on one of your devices.

We can't read your data. Neither can any potential eavesdroppers, such as your internet service provider.

In the rare case of a complete server breach, your data remains encrypted—no one can de ...

Score: 0
Justice Almanzar
Why are my Curve25519 points so different than standard?

I'm trying to implement X25519 for a little game I'm working on. I knew nothing about this stuff a week ago, so it's been a bit of a learning curve (that was really funny).

Most of the resources I found online were easy to follow, so I have a seemingly working implementation. While looking around I saw that apparently you only need to send the x-coord over as a public value, and this kinda made sen ...

Score: 1
user109993
How can the validity of signatures in layer-2 transactions be proven in zk-rollup?

I have many questions about the details of using zk-SNARK technology in zk-rollup:

  1. How can the validity of signatures in layer-2 transactions be proven in zk-rollup?
  2. In zk-rollup, is a single large zero-knowledge proof circuit used to prove the validity of signatures for a batch of transactions, or is it separately proving the validity of each signature and then aggregating these proofs?
  3. Are there an ...

Score: 1
Nathan
Constantly changing encryption for transferring data

I had an idea for safely transmitting sensitive data online, and I wanted an expert opinion.

Would it be safe to encrypt data (for simplicity at this point just use plain text) with a ruleset (an array with specific instructions on how each letter should be encrypted by any means).

Of course, you can guess the ruleset. So my idea is that you keep on changing this ruleset.

The server controlling the dat ...

Score: 0
Aviril Smith
Determining the order of operations in elliptic curve cryptography: Point doubling vs point addition for obtaining x and y values of a public key

I have a question regarding the operations performed on an elliptic curve, specifically related to point doubling and point addition. I am trying to understand whether it is possible to determine the order in which these calculations were performed in order to obtain the x and y values of a public key.

To provide some context, in elliptic curve cryptography, point doubling refers to the operation ...

Score: 0
warren
Does TLS1.3 support DHE_EXPORT cipher suite?

I just wanted to know for sure that TLS 1.3 does not support DHE_EXPORT cipher suites.

Score: 1
Maarten Bodewes
Why does ECIES use "Key Encapsulation"? Does it?

In yet another twist in the terminology around key establishment, I found out that ECIES is often denoted as key encapsulation followed by data encapsulation. I'm wondering how the term "key encapsulation" can be applied to ECIES.

ECIES consists of the following:

  1. key agreement using ECDH, giving the master secret;
  2. key derivation using a KBKDF which results in the symmetric data key being estab ...

Score: 1
warren
In TLS 1.2 and TLS 1.3, does the EC curve used to generate the ephemeral keys need to be the same on both client and server sides?

In TLS 1.2 and TLS 1.3, does the EC curve used to generate the ephemeral keys at the client side need to be the same as that on the server side?

For example, can I use secp521r1 at the client side and secp256r1 at the server side, and vice versa?

I am asking this question, since in TLS 1.2 you can use finite state DHE ciphers to generate the ephemeral keys on the client side and DHE_Exp ...

Score: 0
warren
In TLS 1.3 and TLS 1.2 does the EC curve used in ECDHE need to be the same as the one used for ephemeral key generation?

In TLS 1.2 and TLS 1.3, does the EC curve used in the ECDHE calculation of the premaster secret need to be the same curve as that used to generate the ephemeral keys at the client and server sides?

For example, can I use secp521r1 for ECDHE calculations and secp256r1 for ephemeral key generation?

Score: 1
js wang
[About how parameters affect whether LWE and SIS are computationally or perfectly secure]

Hello, I am new to lattice cryptography. I am reading the paper More Efficient Commitments from Structured Lattice Assumptions.
They define bound B on page 3.

Then in figure 1 on page 9.

Can someone kindly explain why increasing/decreasing the bound will change LWE/SIS from computationally hard to statistically hard? (It seems to me it makes sense that changing the bound will affect the hardness, b ...

Score: 1
Jack Lloyd
What are the implications of BLS signature verification without checking the elements are in the prime subgroup?

Consider a BLS signature verification using BLS12-381 where signatures are in $G_1$ and public keys are in $G_2$. Verification is performed by checking that

$e(sig, G2) = e(H(m), pk)$

or equivalently (by taking advantage of the bilinearity property to avoid one of the final exponentiations) that

$e(sig, -G2) * e(H(m), pk)$ is the $G_t$ identity element.

If an implementation fails to check that $s ...

Score: 2
Starscream512
How to generate n unique numbers from the output of a hash function?

What would be an easy way to use the hexadecimal output of a hash function (like md5) to generate n unique numbers from, say, 0 to 15? Of course I could generate n numbers by using each digit of the digest, but I need those numbers to be unique.

Score: 1
Melwyn
is it possible to calculate the difference between 2 public keys of secp256k1

I am inquiring about the feasibility of calculating the point difference between two distinct secp256k1 elliptic curve points. Given the nature of secp256k1, which is widely used in cryptographic applications such as blockchain technology, I am interested in understanding the process and potential challenges involved in determining the point difference between these specific curve points.

Could y ...

Score: 1
accountnujen
What is the probability of decrypting AES-128-ECB if some of the information is available?

There is a JSON array like this:

[
  {
    "date": "28.08.23 10:52",
    "type": "text",
    "data": "card number including expiration date and CVC"
  },
  {
    "date": "29.08.23 10:52",
    "type": "text",
    "data": "bank password in the form admin:password"
  },
  {
    "date": "30.08.23 10:52",
    "type": "text",
    "data": "coordinates where I buried the corpse."
  }
]

This array is then subj ...

Score: 1
How do we represent a Gate involving a constant to the left or right of the operator in PLONK?

Let's say I have the following equation to be arithmetised in PLONK

$x^3 + x + 5 = 35$ and the witness is $x = 3$

$3 * 3 = 9$

$9 * 3 = 27$

$27 + 3 = 30$

$30 + 5 = 35$

Now the 4th gate can be expressed as

  1. $Q_l\cdot 30 + Q_r\cdot 5 + Q_m(30\cdot 5) + Q_c + Q_o\cdot(35)$

with $Q_l = 1, Q_r = 1, Q_m = 0, Q_c = 0, Q_o = -1$

Or as

  1. $Q_l\cdot 30 + Q_r\cdot ? + Q_m(30\cdot ?) + Q_c + Q_o\cdot(35)$

with

Score: 1
ijaz khalid
How have the authors performed uniform random sampling for the secret values s1 and s2 in Dilithium?

I am currently trying to understand and implement the design of the post-quantum signature algorithm Dilithium. I have read the document several times, and they have just used uniform random sampling for s1 and s2 and have not provided any algorithm regarding its calculation. Viewing the reference code doesn't help, because I am still unable to understand why they have:

  1. used 205 for multipl ...

Score: -1
Vickey Kumar
pair wise independent hash function

Let $H$ be a pairwise independent hash function family with key space $K$, input space $\{0, 1\}^\ell$ and output space $\{0, 1\}^\ell$. Use $H$ to construct an encryption scheme with message space $\{0, 1\}^\ell$ such that the scheme satisfies $O(2^{-\ell})$-perfect two-time security. (Note: your encryption scheme must be stateless.) You must provide a detailed proof of security, including appropriate hybrid experiments. 1-3

 ...

Score: 0
anticommutative
Multiplicative inverse protocol for MPC that outputs 0 when input is 0

Setting: Shamir secret-sharing over the field $GF(p)$, $p$ a prime.

For $a\in GF(p)$, I would like a protocol that takes a sharing $[a]$ as input, and outputs: $[a^{-1}]$ if $a\neq 0$, and $[0]$ if $a=0$.

I cannot think of an easy way to modify the well-known protocol that computes $a^{-1}$ using a multiplicative mask, and cannot think of another approach.

Any ideas are welcome!

Score: 0
Luka Gecko
When trying to break a PBKDF2 SHA512 hash, how fast is an RTX 4090 or similar GPU with the given parameters

I'm writing a paper for uni about password security, specifically about cracking passwords in the context of a password manager. I've coded a password encryption scheme which uses PBKDF2(SHA512) to hash a master password into a key that AES256 uses to encrypt a password database or vault.

I'm trying to estimate the time to crack a password with this encryption scheme via a brute force attack gues ...

Score: 3
eitan
How does the 0/n split prevent the BEAST attack against TLS?

I read that to mitigate the BEAST attack, OpenSSL tried to inject an empty TLS record before each real TLS record, and by doing that there is no opportunity to execute an attack, but I don't understand why. What is the difference from normal TLS? The attacker can still XOR the block he wants to guess with the last block to disable the IV effect.

Score: 2
mini minions
How to convert a Modular addition to conjunctive normal form (CNF)?

If I have three integers $x,y,z\in \mathbb{F}_{2^n}$,

How do I convert the modulo addition operation into conjunctive normal form (CNF)? $$ (x+y)\pmod{2^n-1}=z $$

Score: 2
js wang
Question about the description from ring SIS to SIS in the survey paper: A Decade of Lattice Cryptography

I am currently reading "A Decade of Lattice Cryptography". On page 30, section 4.3.2, it describes left multiplication by any fixed ring element $a$.

It mentions something about a circulant matrix whose first column is the coefficient vector $a$. I am confused why multiplying by a circulant matrix will yield a SIS instance? Can someone kindly explain it?
Thanks a lot

Score: 2
Justice Almanzar
How secure is this modified RSA (SRA / Mental Poker) algorithm?

I'm making a peer-to-peer game client using an already existing protocol where messages are broadcast to all people on the network, and messages are already proven to be from a given user. One of the games I want to add is UNO, and I found this paper from the same authors as RSA that describes an algorithm that perfectly suits my needs:

  • Will allow a shared state of a shuffled deck without any of th ...

Score: 1
O. Nawwar
Interpretation of NIST suite test results with asterisks

I have a question on how to interpret test results of the NIST test suite. First, when the asterisk mark appears on the report, what does it mean? I thought it means the random sequence fails the test. However, some p-values are more than 0.01 and it appears

Second, some tests have a p-value lower than 0.01. However, the asterisk mark did not appear. Why is that (like the RUN test in the report below)?

Score: 0
Jeff
UUID / Format 8-4-4-16

What is the name of the UUID scheme that prints the UUID using 8-4-4-16 instead of the more common 8-4-4-4-12?

Score: -2
user229302
Which Canadian exchanges support NEO?

I have NEO in my NEON wallet and want to know how I can sell this and cash it out as a person living in Canada. I had no luck finding a Canadian exchange that supports NEO.

Score: 0
user167622
Lower bound on additive error when releasing vector of values differentially privately

I have a vector of $n$ elements where each entry is a non-negative integer. Neighboring vectors differ in one element where the absolute value difference between the elements that differ is $1$. I want to release the entire vector differentially privately. We can do this easily using the Laplace mechanism with sensitivity $1$, which results in the expected maximum noise added to any value to be $ ...

Score: 1
drydrydesert
Disjunctive ZK Proof of knowledge of discrete log

I want to construct a non-interactive ZK proof that, in a set of pairs of group elements (where the DDH assumption holds):

$(g_1, Y_1), (g_2, Y_2), ..., (g_n, Y_n)$

the prover knows at least one private key $x_i$ such that $g_i^{x_i} = Y_i$. The proof should also not reveal $i$.

The protocol would be based on $\Sigma$-protocols and the Fiat-Shamir protocol. The steps are:

(Assume WLOG that i = 1, i. ...

Score: 1
user4242
Post-quantum EU-CMA security from OWF-only

In the paper "Universal One-Way Hash Functions and their Cryptographic Applications", the following is proven: "If 1-1 one-way functions exist, then the one-way based signature scheme described above is secure." This is for a signature scheme defined in the paper, where by secure they mean "existentially unforgeable under an adaptive chosen plaintext attack"; if I understand correctly this is EU-CMA.

Now SPH ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.