Latest Crypto related questions

Score: 0
Flan1335
Do multiple keys mitigate Grover's algorithm?

Grover's algorithm, a quantum algorithm, weakens AES and ChaCha20. Is it possible to use multiple symmetric keys to encrypt a message multiple times to achieve 256-bit security against quantum computers?

Score: 0
yijie
SPKI Public Key to Compressed Public Key

I currently have a DER-encoded X.509 ECC secp256k1 public key, also known as a SubjectPublicKeyInfo (SPKI), from AWS KMS. How do I convert it to a 66-character hexadecimal compressed public key string?
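
The conversion the question asks for, as an added example (not code from the post or from AWS): parse the DER SubjectPublicKeyInfo by hand, check the curve OID and that the point really lies on secp256k1 (a KMS key is trusted, but a key received from elsewhere should never be compressed before that check), then emit the 33-byte SEC1 form whose hex is 66 characters. The sample SPKI is constructed by wrapping the curve's generator point in the standard 23-byte secp256k1 header, so it is not a real KMS key. Only secp256k1 is handled; other curves need their own OID and field constants.

```python
# secp256k1 field prime and curve equation y^2 = x^3 + 7 (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7
# DER-encoded OIDs in the AlgorithmIdentifier {id-ecPublicKey, secp256k1}.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
OID_SECP256K1 = bytes.fromhex("2b8104000a")           # 1.3.132.0.10


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos).
    Short and one-byte long length forms only: every EC SPKI is < 256 bytes."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x81:
        length, pos = buf[pos], pos + 1
    elif length >= 0x80:
        raise ValueError("unsupported DER length form")
    return tag, buf[pos:pos + length], pos + length


def spki_to_point(der):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    Returns the affine point (x, y) after OID and on-curve checks."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag1, oid, p2 = _tlv(alg, 0)
    tag2, curve, _ = _tlv(alg, p2)
    if (tag1, oid) != (0x06, OID_EC_PUBLIC_KEY) or (tag2, curve) != (0x06, OID_SECP256K1):
        raise ValueError("not an id-ecPublicKey / secp256k1 key")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:          # BIT STRING, zero unused bits
        raise ValueError("bad BIT STRING")
    point = bits[1:]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected uncompressed SEC1 point 0x04 || x || y")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    if (y * y - (x ** 3 + B)) % P != 0:       # reject invalid-curve points
        raise ValueError("point is not on secp256k1")
    return x, y


def compress(x, y):
    """SEC1 compressed form: 0x02 for even y, 0x03 for odd y, then x (32 bytes)."""
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def decompress(comp):
    """Inverse: y = sqrt(x^3 + 7) via the (p+1)/4 exponent, valid since p = 3 mod 4."""
    if len(comp) != 33 or comp[0] not in (2, 3):
        raise ValueError("not a compressed point")
    x = int.from_bytes(comp[1:], "big")
    rhs = (x ** 3 + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    if (y % 2 == 1) != (comp[0] == 3):
        y = P - y
    return x, y


def spki_to_compressed_hex(der):
    return compress(*spki_to_point(der)).hex()   # 33 bytes -> 66 hex characters


# Constructed sample: secp256k1 SPKI header followed by the generator point G.
SAMPLE_SPKI = bytes.fromhex(
    "3056301006072a8648ce3d020106052b8104000a034200"
    "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")

if __name__ == "__main__":
    hexkey = spki_to_compressed_hex(SAMPLE_SPKI)
    print(hexkey, len(hexkey))
    assert decompress(bytes.fromhex(hexkey)) == spki_to_point(SAMPLE_SPKI)
```

With a library available, the same result is `serialization.load_der_public_key(der).public_bytes(Encoding.X962, PublicFormat.CompressedPoint).hex()` from `cryptography`; the hand parser above is useful where that dependency is unwanted or where you want the on-curve check to be explicit.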

Score: 3
Panos
Proof of Lemma 1 in the paper "Provably Secure Partially Blind Signatures" by Masayuki Abe and Tatsuaki Okamoto

I'm troubled by a system of equations presented in the paper "Provably Secure Partially Blind Signatures" by Masayuki Abe and Tatsuaki Okamoto.

Proof part 1

proof part 2

In Lemma 1 the authors define $t_2=w_j-c_i$; however, $c_i$, following the signature protocol, creates a feedback loop, as $t_2$ is defined and used as input to a secure hash function. Signature protocol

Why is it true that the equations always have a solution?

Score: 1
itabline
How to compute the absolute value of a float number using only addition and multiplication (or using an AND-XOR circuit)?

Hi, I am trying to calculate the abs of a float number $x$; however, I want to apply this operation when $x$ is under fully homomorphic encryption (typically the CKKS scheme). So I came up with the idea that if we can use only addition and multiplication (some constant values like $2^k$ could be involved) to get abs, then we can just encrypt the whole operation and thus get an abs for encrypted data.

Note ...
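
Two ways to get $|x|$ from additions and multiplications alone, as an added example (not code from the post, and not a CKKS library): a Newton iteration for $1/\sqrt{x^2}$ and a truncated Chebyshev series. A small `Arith` class stands in for a ciphertext slot, permits only `+`, `-` and `*`, and counts multiplicative depth, which is what a leveled scheme such as CKKS actually charges for. Both methods assume the input has been scaled into $[-1, 1]$; the depth counts are the example's own conservative accounting (every multiplication, including by a constant, counted as one level).

```python
import math


class Arith:
    """Plaintext stand-in for a CKKS ciphertext slot: only +, -, * are defined
    (with each other or with plaintext constants) and multiplicative depth is
    tracked. Every multiplication, including by a constant, is counted as one
    level, so the depth reported is an upper bound on a real evaluation."""

    def __init__(self, value, depth=0):
        self.value, self.depth = float(value), depth

    @staticmethod
    def _lift(v):
        return v if isinstance(v, Arith) else Arith(v)

    def __add__(self, o):
        o = self._lift(o)
        return Arith(self.value + o.value, max(self.depth, o.depth))

    __radd__ = __add__

    def __neg__(self):                      # negation costs no level
        return Arith(-self.value, self.depth)

    def __sub__(self, o):
        return self + (-self._lift(o))

    def __rsub__(self, o):
        return self._lift(o) - self

    def __mul__(self, o):
        o = self._lift(o)
        return Arith(self.value * o.value, max(self.depth, o.depth) + 1)

    __rmul__ = __mul__


def abs_newton(x, iters=24):
    """|x| = x^2 * (1/sqrt(x^2)); 1/sqrt(a) from Newton's y <- y*(3 - a*y^2)/2.
    Needs |x| <= 1 so that a = x^2 is in [0, 1] and y0 = 1 lies inside the
    convergence region y0 < sqrt(3/a). Convergence is quadratic once close,
    but only a factor 1.5 per step while a*y^2 is tiny, so inputs very near 0
    are under-estimated (the error there is still below |x|)."""
    a = Arith(x) * Arith(x)
    y = Arith(1.0)
    for _ in range(iters):
        y = y * ((3.0 - a * (y * y)) * 0.5)
    return a * y


def abs_chebyshev(x, terms=8):
    """Truncated Chebyshev series on [-1, 1]:
    |x| = 2/pi - (4/pi) * sum_{k>=1} (-1)^k T_{2k}(x) / (4k^2 - 1),
    with T_n from the recurrence T_{n+1} = 2x T_n - T_{n-1} (only +, -, *).
    The error is bounded by the coefficient tail (2/pi)/(2*terms+1), attained
    at the kink x = 0; the depth is about 2*terms + 1 levels."""
    xv = Arith(x)
    t_prev, t_cur = Arith(1.0), xv            # T_0, T_1
    result = Arith(2.0 / math.pi)
    for n in range(2, 2 * terms + 1):
        t_prev, t_cur = t_cur, (2.0 * xv) * t_cur - t_prev   # T_n
        if n % 2 == 0:
            k = n // 2
            result = result - t_cur * ((4.0 / math.pi) * (-1) ** k / (4 * k * k - 1))
    return result


def max_error(fn, step=0.001):
    """Largest |fn(x) - |x|| over a grid on [-1, 1] plus a few values near 0."""
    grid = [i * step for i in range(-1000, 1001)] + [1e-4, -1e-5, 1e-7]
    return max(abs(fn(v).value - abs(v)) for v in grid)


if __name__ == "__main__":
    for name, fn in (("newton", abs_newton), ("chebyshev", abs_chebyshev)):
        print(name, "max error", max_error(fn), "depth", fn(0.3).depth)
```

The trade-off the depth counter exposes is the practical one: the Newton route is accurate to about $10^{-3}$ everywhere but burns roughly four levels per iteration, far more than a typical CKKS parameter set offers, while a degree-16 polynomial costs about 17 levels and is off by up to $0.04$ near zero. Production CKKS code therefore uses low-degree minimax or composite polynomial approximations of the sign function and accepts the error around the kink.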

Score: 1
Panos
Abe and Okamoto definition of partially blind signature scheme

I'm trying to understand the definition of a partially blind scheme that is described with Game A presented in

Abe and Okamoto paper

Game A part 1

Game A prt 2

  1. In line 5, is $msg_0$ correct, or should it be replaced by $(info_0,msg_b,sig_b)$? Similarly for $U_1$. I'm confused, since if $msg_0$ is always on the private tape of $U_0$ then S can always guess b correctly by checking whether $sig_b$ verifies $msg_0$.

I'm missing the p ...

Score: 3
How do the lengths of the Gram-Schmidt orthogonal basis of a lattice basis change after LLL reduction?

Assuming there is a lattice basis $B=\{b_1,...,b_n\}$, we use $B^*=\{b_1^*,...,b_n^*\}$ to denote the Gram-Schmidt orthogonal basis, where $b_i^*=\pi_i(b_i)$ and $\pi_i(b_i)$ denotes the projection of $b_i$ on the orthogonal complement of the space $span(b_1,...,b_{i-1})$. We use $\|b_i^*\|$ to denote the Euclidean norm of $b_i^*$. I want to know how $\min_{1\leq i \leq n}{\|b_i^*\|}$ changes after  ...

Score: 1
tonythestark
Non-probabilistic algorithm: given secret key $d$ we can factorize $n$ assuming $e$ is small

I read in an introduction to a paper that if $e$ is small enough and we were given secret key $d$ in RSA, then there is an efficient deterministic algorithm to factorize $n$. I've searched about that and I've found the probabilistic one: Algorithm to factorize $N$ given $N$, $e$, $d$

I guess, the fact that $e$ is small must play some role here. But I was able to come up with something. Do you kno ...
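
The deterministic algorithm the post is after, as an added example (not from the post or the paper it mentions): since $d < \varphi(n)$, $ed - 1 = k\varphi(n)$ with $1 \le k < e$, so a small $e$ leaves only a few candidates for $k$; for each candidate $\varphi$, $p + q = n - \varphi + 1$ and $pq = n$ give a quadratic whose integer root is a factor. This assumes $d$ was computed modulo $\varphi(n)$ rather than $\lambda(n)$. The toy modulus below is constructed and far too small for real use.

```python
import math


def factor_from_d(n, e, d):
    """Deterministic factoring of n = p*q from (e, d): e*d - 1 = k*phi(n) with
    1 <= k < e (because d < phi), so try every k. For a candidate phi,
    s = p + q = n - phi + 1 and (p - q)^2 = s^2 - 4n must be a perfect square.
    Cost is O(e) candidates: trivial for e = 3, 17 or 65537."""
    ed1 = e * d - 1
    for k in range(1, e):
        if ed1 % k:
            continue
        phi = ed1 // k
        s = n - phi + 1                     # would be p + q
        disc = s * s - 4 * n                # would be (p - q)^2
        if disc < 0:
            continue
        root = math.isqrt(disc)
        if root * root != disc:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if q > 1 and p * q == n:
            return p, q
    return None


# Constructed toy instance (both factors are known primes; e as used in practice).
DEMO_P = 1000000007
DEMO_Q = 998244353
DEMO_N = DEMO_P * DEMO_Q
DEMO_PHI = (DEMO_P - 1) * (DEMO_Q - 1)
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, DEMO_PHI)

if __name__ == "__main__":
    print(factor_from_d(DEMO_N, DEMO_E, DEMO_D))   # (1000000007, 998244353)
```

For a large $e$ (say a random 2048-bit exponent) the loop over $k$ is hopeless, which is exactly why the general case falls back to the probabilistic method based on finding a non-trivial square root of 1 from $ed - 1$.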

Score: 3
sbluff
UOWHF vs CRHF / Relevance of UOWHF

What's the difference between UOWHF and CRHF and why are UOWHF useful?

As far as I understand, Universal One-Way Hash Functions are an alternative to CRHF. While for CRHF it is hard, given randomly chosen hash function parameters, to find any collision of the hash function; for UOWHF it's hard to find a collision where one preimage is chosen independently of the hash function parameters.

How does th ...

Score: 5
3nondatur
What is the significance of the results of the NIST PQC competition?

I hope this is not off-topic.

Since NIST has rather recently announced the winners of its PQC competition I was wondering how significant this development is. Does that mean that CRYSTALS-Kyber will become the new standard for general encryption?

Score: 0
jillatik
Super-increasing knapsack encryption programme

I'm creating a super-increasing knapsack encryption scheme. I'm supposed to ask the user to key in the size of the super-increasing knapsack. My question is: is there a minimum number of elements that the user needs to key in?

Based on my research, because ASCII uses 7-bit encoding, I need to have at least 8 elements. I would like to understand why this is, or whether it is correct at all.

Thank you.
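
A complete Merkle-Hellman style knapsack, as an added example (not the poster's programme): the number of elements is the number of bits one ciphertext block carries, so with 8 elements a block encrypts exactly one byte, with 7 elements one 7-bit ASCII character, and with fewer the message is simply split into smaller bit groups. The element count is a block size, not a minimum. The sequence, modulus and multiplier are generated here; the scheme itself is broken (Shamir, 1984) and is shown for the programming exercise only.

```python
import math
import secrets


def superincreasing(n, bits=8):
    """Private knapsack: each element exceeds the sum of all earlier ones,
    so subset sums on it are decoded greedily from the largest element."""
    seq, total = [], 0
    for _ in range(n):
        e = total + 1 + secrets.randbelow(1 << bits)
        seq.append(e)
        total += e
    return seq


def keygen(n):
    w = superincreasing(n)
    q = sum(w) + 1 + secrets.randbelow(1 << 16)      # modulus > sum of the sequence
    while True:
        r = 2 + secrets.randbelow(q - 2)
        if math.gcd(r, q) == 1:                       # multiplier must be invertible mod q
            break
    public = [(r * wi) % q for wi in w]               # the "hard" knapsack given to senders
    return public, (w, q, r)


def encrypt_block(public, bits):
    """bits: list of 0/1 with one entry per knapsack element; ciphertext is a subset sum."""
    if len(bits) != len(public):
        raise ValueError("block must contain exactly one bit per knapsack element")
    return sum(b * p for b, p in zip(bits, public))


def decrypt_block(private, c):
    w, q, r = private
    s = (c * pow(r, -1, q)) % q                        # undo the multiplier -> easy knapsack
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):                # greedy from the largest element
        if w[i] <= s:
            bits[i], s = 1, s - w[i]
    if s != 0:
        raise ValueError("invalid ciphertext")
    return bits


def encrypt(public, msg):
    """Split the message into 8-bit groups, regroup into len(public)-bit blocks,
    zero-padding the final block (trailing NUL bytes are therefore lost)."""
    n = len(public)
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    bits += [0] * (-len(bits) % n)
    return [encrypt_block(public, bits[i:i + n]) for i in range(0, len(bits), n)]


def decrypt(private, blocks):
    bits = [b for c in blocks for b in decrypt_block(private, c)]
    out = bytearray(int("".join(map(str, bits[i:i + 8])), 2)
                    for i in range(0, len(bits) - len(bits) % 8, 8))
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    pub, priv = keygen(8)             # 8 elements: one block per byte
    ct = encrypt(pub, b"knapsack")
    print(ct, decrypt(priv, ct))      # eight subset sums, then b'knapsack'
```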

Score: 0
Ujjwal Maheshwari
Digital Signature Algorithm (DSA) without hashing the message?

I am learning about various digital signatures and came across DSA. In DSA, the $s$ part of the signature has a hash of the message $H(m)$. I was wondering, why can't we just use the message $m$ instead of using the hash? I understand that performance might be a part of it since the hash will ensure a certain fixed length. But any other security issues?
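
A concrete security issue with dropping the hash, shown as an added example (not from the post): against DSA applied to the raw integer $m$, anyone holding only the public key can produce a valid $(m, r, s)$ triple by choosing $a, b$ and setting $r = (g^a y^b \bmod p) \bmod q$, $s = r b^{-1}$, $m = a s \bmod q$; verification then computes $u_1 = a$, $u_2 = b$ and reproduces $r$. With hashing, the forged $m$ would have to be the SHA-256 digest of some message, and the forger cannot find a preimage. The group parameters are generated at toy sizes here (a 64-bit $q$ and 128-bit $p$, constructed by search), so do not reuse them.

```python
import hashlib
import secrets


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: deterministic below about 3.3e24 and
    overwhelmingly reliable at the toy sizes used in this example."""
    if n < 2:
        return False
    for f in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % f == 0:
            return n == f
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params(qbits=64, pbits=128):
    """Constructed DSA group (p, q, g): prime q, prime p = 2*m*q + 1, g of order q.
    Real DSA uses (2048, 256)-bit parameters."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        m = secrets.randbits(pbits - qbits - 1) | (1 << (pbits - qbits - 2))
        p = 2 * m * q + 1
        if is_probable_prime(p):
            break
    for h in range(2, 100):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")   # probability about 1/q per candidate


def keygen(params):
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def hash_to_int(params, msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % params[1]


def sign_int(params, x, m):
    """DSA on an integer m in [0, q). With hashing, m = H(msg) mod q; without it,
    m is the message itself (which then also has to be shorter than q)."""
    p, q, g = params
    while True:
        k = 1 + secrets.randbelow(q - 1)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (m + x * r) % q
        if r and s:
            return r, s


def verify_int(params, y, m, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(g, m * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r


def forge_without_hash(params, y):
    """Existential forgery against hash-less DSA using only the public key y."""
    p, q, g = params
    while True:
        a, b = 1 + secrets.randbelow(q - 1), 1 + secrets.randbelow(q - 1)
        r = pow(g, a, p) * pow(y, b, p) % p % q
        if r == 0:
            continue
        s = r * pow(b, -1, q) % q      # so that u2 = r/s = b
        m = a * s % q                  # so that u1 = m/s = a
        return m, (r, s)


if __name__ == "__main__":
    params = toy_params()
    x, y = keygen(params)
    fm, fsig = forge_without_hash(params, y)
    print("forgery verifies on raw integer:", verify_int(params, y, fm, fsig))
```

The forger does not get to pick $m$, so this is existential rather than selective forgery, but for any protocol that signs raw numbers (amounts, identifiers, nonces) that is already fatal. The hash also removes the $m < q$ length restriction and fixes the input size, which is the performance point the question mentions.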

Score: 1
vimwitch
Checksum algorithm using system of multivariate polynomials

I'm working on a protocol that uses zero-knowledge proofs. I'm looking at systems of polynomial equations as cheap solutions for checksumming data. Note, I'm not looking for trapdoor functionality here; I don't care if an adversary can determine the pre-image from the output.

In a zk proof I can compute $m$ multivariate quadratic equations (in $\mathbb{F}_p$ where $p \approx 2^{254}$) with $n$ variable ...

Score: 1
vimwitch
Data fingerprint using multiple multilinear polynomials

Related to this question. I'm trying to find a way to use this fingerprint system without a second pre-image attack.

Assume I have a set of elements $V = [v_0, v_1, v_2]$ in $\mathbb{F}_p$. Assume the elements of $V$ are randomly distributed over the field.

I have two random values in the field, $R_0$ and $R_1$, both non-zero.

I consider the fingerprint to be two points in the field defined by:

$P_0(V)  ...

Score: 1
nitchan
What kind of symmetric key ciphers are secure thanks to the intrinsic cryptographic method instead of making the key length very long and secure?

For example, Threefish has a key length of 1024 bits and a very large number of rounds (80), but I have not heard much about Threefish-1024 being particularly secure. So what symmetric key ciphers are there that are secure not because of their large number of rounds or long key length, but because of their intrinsic cryptographic operations? And why is that symmetric key cipher secure?

translator user ...

Score: 0
SN-Grotesque
How does AES-CBC encryption achieve non-repeating blocks of ciphertext?

I am very interested in encryption algorithms, especially the AES encryption algorithm in symmetric encryption. To this end, I have studied a lot of theoretical knowledge about the AES encryption algorithm and the code samples I could obtain.

I wrote a 512-bit encryption algorithm after referring to AES-CBC-256 mode in detail.

I named this mode SZQ-CBC-512, but the output result is almost the same as that of  ...
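
The mechanism behind non-repeating CBC blocks, as an added example (not the poster's SZQ-CBC-512 code): $C_i = E_k(P_i \oplus C_{i-1})$ with $C_0 = IV$, so two equal plaintext blocks are XORed with different previous ciphertext blocks before encryption. The block cipher here is a constructed 4-round Feistel network with an HMAC-SHA256 round function, standing in for AES only so that the example runs without third-party libraries; the mode logic is identical with AES. The example also shows the two ways the property is lost: ECB, and CBC with a reused IV.

```python
import hmac
import hashlib
import secrets

BLOCK = 16


def _round_fn(key, rnd, half):
    """Keyed round function: HMAC-SHA256 under key||round, truncated to a half block."""
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block, rounds=4):
    """Constructed 128-bit block cipher (4-round Feistel); AES stand-in only."""
    l, r = block[:8], block[8:]
    for i in range(rounds):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round_fn(key, i, r)))
    return r + l


def block_decrypt(key, block, rounds=4):
    r, l = block[:8], block[8:]
    for i in reversed(range(rounds)):
        l, r = bytes(a ^ b for a, b in zip(r, _round_fn(key, i, l))), l
    return l + r


def pad(msg):                                   # PKCS#7
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(msg):
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, msg):
    """Each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks."""
    p = pad(msg)
    return b"".join(block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key, msg, iv=None):
    """C_i = E_k(P_i xor C_{i-1}), C_0 = IV. The IV must be fresh and unpredictable
    per message; it is transmitted in the clear as the first block."""
    iv = iv if iv is not None else secrets.token_bytes(BLOCK)
    p = pad(msg)
    out, prev = [iv], iv
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, _xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), prev) for prev, c in zip(blocks, blocks[1:]))
    return unpad(plain)


def distinct_blocks(ct, skip_iv=False):
    """(number of distinct ciphertext blocks, total blocks)."""
    start = BLOCK if skip_iv else 0
    blocks = [ct[i:i + BLOCK] for i in range(start, len(ct), BLOCK)]
    return len(set(blocks)), len(blocks)


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    msg = b"A" * (4 * BLOCK)                      # four identical plaintext blocks
    print("ECB distinct/total:", distinct_blocks(ecb_encrypt(key, msg)))          # (2, 5)
    print("CBC distinct/total:", distinct_blocks(cbc_encrypt(key, msg), True))    # (5, 5)
```

Non-repetition is a confidentiality property, not integrity: CBC is unauthenticated, and a receiver that reports `bad padding` differently from other failures exposes a padding oracle. New designs should use an AEAD mode such as AES-GCM rather than a home-grown CBC variant.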

Score: 2
Steven
Is there any standard extension of the Merkle-Damgård transform that handles arbitrary-length inputs?

I have seen multiple sources claim that the Merkle-Damgård transform is able to build a collision-resistant Hash-function $H$ for arbitrary-length inputs from a compression function $h : \{0,1\}^n \to \{0,1\}^\ell$ (with constant-length inputs). See, e.g., [1].

However, the construction relies on suitably padding the input $x$ to $H$ in order to:

  • Ensure that the length of the string $x_{\text{pad}}$
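
The padding step the post is discussing, as an added example (not from the post or [1]): a Merkle-Damgård iteration over a fixed-input-length compression function $h$, here SHA-256 applied to the chaining value and one 8-byte block as a constructed stand-in. The strengthened padding (a 1 bit, zeros, then the 64-bit message length) is what makes the collision-resistance proof go through, and it is also why "arbitrary length" really means "any length below $2^{64}$ bits". A zero-only padding is included to show the collision it permits.

```python
import hashlib

BLOCK = 8       # message block size in bytes (toy)
STATE = 32      # chaining value size in bytes


def h(chain, block):
    """Fixed-input-length compression function: SHA-256 over chain||block
    (a constructed stand-in for the abstract h in the question)."""
    assert len(chain) == STATE and len(block) == BLOCK
    return hashlib.sha256(chain + block).digest()


def pad_strengthened(msg):
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length in the
    last 64 bits, so the padded message is a whole number of blocks and two
    messages of different lengths never pad to the same block sequence."""
    bitlen = 8 * len(msg)
    if bitlen >= 1 << 64:
        raise ValueError("message too long for a 64-bit length field")
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    return padded + bitlen.to_bytes(8, "big")


def pad_zero_only(msg):
    """Naive padding: zero-fill to a block boundary. msg and msg||0x00 collide."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def md_hash(msg, pad=pad_strengthened, iv=b"\x00" * STATE):
    padded = pad(msg)
    chain = iv
    for i in range(0, len(padded), BLOCK):
        chain = h(chain, padded[i:i + BLOCK])
    return chain


if __name__ == "__main__":
    print(md_hash(b"ab") == md_hash(b"ab\x00"))                                # False
    print(md_hash(b"ab", pad_zero_only) == md_hash(b"ab\x00", pad_zero_only))  # True
```

Note that the length field does not close the other well-known gap of plain Merkle-Damgård: knowing $H(m)$ and $|m|$ lets anyone compute $H(m \| pad \| m')$ without $m$, which is why MAC constructions use HMAC rather than $H(k \| m)$.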

Score: 1
Tsiao Wang
Do there exist cryptographic algorithms where the secret key holder can distinguish the ciphertext corresponding to it without decrypting?

I am looking for some cryptographic algorithms suit to the below usage scenario.

$A$ has a set of data, e.g., $\{x_1,x_2,...,x_n\}$. $A$ publishes those data in ciphertext (maybe they are encrypted by different public keys, I do not know).

Then participants $\{P_1,P_2,...,P_m\}$ come to pick the data belonging to them from the ciphertext list, but without decrypting all the encrypted data. "belonging to the ...

Score: 1
haoyu
How "unorthogonal" can an LLL-reduced basis be?

I have been recently studying LLL reduction. I get from the size condition and the Lovász condition that the basis is guaranteed to be somewhat orthogonal. But I couldn't figure out how orthogonal the LLL-reduced basis has to be in a geometric or intuitive sense. For example,

  1. How small can the angle be between two LLL-reduced basis vectors?
  2. How long can the "diagonal" of the fundamental parallelepiped of t ...
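
The following derivation is added here (it is not part of either post) and answers both this question and the earlier one about how $\min_i\|b_i^*\|$ behaves after LLL reduction, using the notation of that post. Let $\delta\in(1/4,1]$ be the LLL parameter ($\delta=3/4$ in the original algorithm) and $\mu_{i,j}=\langle b_i,b_j^*\rangle/\|b_j^*\|^2$. An LLL-reduced basis satisfies size reduction $|\mu_{i,j}|\le 1/2$ for $j<i$ and the Lovász condition

$$\delta\,\|b_i^*\|^2 \le \|\pi_i(b_{i+1})\|^2 = \|b_{i+1}^*\|^2 + \mu_{i+1,i}^2\,\|b_i^*\|^2 .$$

Inserting $|\mu_{i+1,i}|\le 1/2$ gives the geometric decay bound on consecutive Gram-Schmidt norms,

$$\|b_{i+1}^*\|^2 \ge \big(\delta-\tfrac14\big)\,\|b_i^*\|^2 ,$$

and by induction, using $b_1^*=b_1$,

$$\|b_i^*\|^2 \ge \big(\delta-\tfrac14\big)^{\,i-1}\|b_1\|^2, \qquad
\min_{1\le i\le n}\|b_i^*\| \ge \big(\delta-\tfrac14\big)^{(n-1)/2}\,\|b_1\| .$$

So after reduction the Gram-Schmidt norms can decrease, but at most geometrically along the basis; before reduction no such bound holds. Since every nonzero lattice vector $v=\sum_j a_j b_j$ with largest index $k$ having $a_k\ne 0$ satisfies $\|v\|\ge |a_k|\,\|b_k^*\|\ge \min_i\|b_i^*\|$, this also yields the familiar approximation guarantee

$$\|b_1\| \le \big(\delta-\tfrac14\big)^{-(n-1)/2}\,\lambda_1(L) = 2^{(n-1)/2}\lambda_1(L)\quad\text{for }\delta=3/4 .$$

For the orthogonality question, write $b_i=b_i^*+\sum_{j<i}\mu_{i,j}b_j^*$ and use $\|b_j^*\|^2\le(\delta-\tfrac14)^{-(i-j)}\|b_i^*\|^2$ from the bound above:

$$\|b_i\|^2 = \|b_i^*\|^2 + \sum_{j<i}\mu_{i,j}^2\|b_j^*\|^2
\le \|b_i^*\|^2\Big(1+\tfrac14\sum_{m=1}^{i-1}\big(\delta-\tfrac14\big)^{-m}\Big)
= \frac{2^{\,i-1}+1}{2}\,\|b_i^*\|^2 \quad(\delta=3/4).$$

The ratio $\|b_i^*\|/\|b_i\|$ is the sine of the angle $\theta_i$ between $b_i$ and $\mathrm{span}(b_1,\dots,b_{i-1})$, so $\sin\theta_i\ge\sqrt{2/(2^{\,i-1}+1)}$. For $i=2$ this gives $\theta_2\ge 60^\circ$ (exactly what $|\mu_{2,1}|\le 1/2$ says), but the guarantee weakens exponentially with the index: an LLL-reduced basis is "somewhat orthogonal" only in this exponentially loose sense, which is why stronger reductions (BKZ) are needed when the orthogonality defect matters.
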

Score: 1
librehash
Discrepancy in secp256k1 signature generation

I'll get straight to the point here.

There are two different programs I'm looking at. They both use secp256k1 to deterministically sign data (RFC6979) & provide the results online in-browser. However, both programs produce different DER-encoded signatures and I'm honestly baffled at this point as to why.

Program #1:

Program #2: ...

Score: 0
NB_1907
Disk encryption and Advanced Format

As far as I understand, the biggest problem of requesting authentication in disk encryption is that the plaintext and ciphertext do not have the same size (because of the tag). The XTS mode is already designed with this issue in mind (length preserving). However, as far as I know, it is not possible to preserve the size with authentication. Is it possible to solve this problem with disk type? Advan ...

Score: 1
nitchan
What is the most secure hybrid cipher suite (library) possible today?

What combination of public-key cryptography (DH) and symmetric-key cryptography is currently available that is (subjectively) as secure as possible compared to other ciphers (AES, Curve448) when security is prioritized over efficiency?

translator user

Score: 1
Ironic
ECDSA secp256k1 curve: the same r value is used for two different addresses

Edited: changing the notation according request by fgrieu.

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

properties of secp256k1:

p = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141   # order of curve

It is according to: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces- link here: ...
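
The recovery the post is attempting, as an added example (not the poster's transactions or the linked write-up): two keys $d_A, d_B$ each sign twice, key A and key B sharing nonce $k_1$ (hence the same $r_1$) on the first pair and sharing $k_2$ (same $r_2$) on the second. Each signature gives the linear relation $s\,k = h + r\,d \pmod n$, so four signatures give four equations in the four unknowns $k_1, k_2, d_A, d_B$; eliminating the nonces leaves a $2\times 2$ system in the private keys. The curve arithmetic is textbook affine secp256k1 (no side-channel hardening), and the keys, nonces and messages are constructed for the demonstration.

```python
import hashlib

# secp256k1 domain parameters (public constants); N is the group order that the
# post labels p.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, k, msg):
    """Textbook ECDSA with the caller supplying k: r = (kG).x mod n, s = k^-1 (h + r d)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_int(msg) + r * d) % N
    return r, s


def recover_two_keys(sig_a1, sig_b1, sig_a2, sig_b2):
    """Each argument is (r, s, msg). sig_a1/sig_b1 are by keys A/B with the same
    nonce (same r1); sig_a2/sig_b2 are by keys A/B with another shared nonce (r2).
    From s*k = h + r*d, eliminating k1 and k2 leaves
        s2*dA - s1*dB = (s1*h2 - s2*h1)/r1 = c1
        s4*dA - s3*dB = (s3*h4 - s4*h3)/r2 = c2
    which Cramer's rule solves."""
    (r1, s1, m1), (_, s2, m2), (r2, s3, m3), (_, s4, m4) = sig_a1, sig_b1, sig_a2, sig_b2
    h1, h2, h3, h4 = map(hash_int, (m1, m2, m3, m4))
    c1 = (s1 * h2 - s2 * h1) * pow(r1, -1, N) % N
    c2 = (s3 * h4 - s4 * h3) * pow(r2, -1, N) % N
    det = (s1 * s4 - s2 * s3) % N
    if det == 0:
        raise ValueError("degenerate system")
    inv_det = pow(det, -1, N)
    d_a = (s1 * c2 - s3 * c1) * inv_det % N
    d_b = (s2 * c2 - s4 * c1) * inv_det % N
    return d_a, d_b


# Constructed demo keys and nonces (not real keys).
D_A = hash_int(b"demo key A")
D_B = hash_int(b"demo key B")
K1 = hash_int(b"reused nonce 1")
K2 = hash_int(b"reused nonce 2")


def demo():
    sigs = (sign(D_A, K1, b"tx1") + (b"tx1",),
            sign(D_B, K1, b"tx2") + (b"tx2",),
            sign(D_A, K2, b"tx3") + (b"tx3",),
            sign(D_B, K2, b"tx4") + (b"tx4",))
    assert sigs[0][0] == sigs[1][0] and sigs[2][0] == sigs[3][0]   # shared r per nonce
    return recover_two_keys(*sigs)


if __name__ == "__main__":
    print(demo() == (D_A, D_B))   # True
```

A practical check before running the algebra: the two signatures that supposedly share a nonce must have identical $r$ values, and the two pairs must come from the same two public keys; if either assumption is wrong the system still "solves" but returns garbage, so always confirm $d_A G$ and $d_B G$ against the public keys afterwards.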

Score: 2
Maarten Bodewes
Iteration count for (enhanced) Miller-Rabin

In FIPS 186-5 (Digital Signature Standard, or DSS) there is a Table B.1 which specifies the minimum number of rounds of Miller-Rabin testing for 1024-, 1536- and 2048-bit keys used for digital signatures. That's already an update to FIPS 186-4, which specified these numbers up to 1536 bits. However, there doesn't seem to be a table for any values over 2048-bit keys.

Table B.1. Minimum number of rounds ...

Score: 1
objecttothis
How do I properly generate a PKCS#12 keystore?

I have an application that needs to communicate with the bank for online transactions. I am using OpenSSL on Windows 11. I generated a private key using:

openssl genrsa -out rsa_key.pem 2048

Then a Certificate Signing Request using:

openssl req -new -key rsa_key.pem -out csr.pem -subj "[REDACTED]"

I sent the CSR to the bank and received back a signed certificate (signed_cert.pem) and the bank  ...

Score: 2
Carlos
ECDSA-SHA256 HTTP signature string construction

I must verify an HTTP signature to guarantee the origin and integrity of webhook data:

This is their x509 PKIX encoded signing key's public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

I am following this specification to construct the signing string: https: ...

Score: 1
Proliferate309
Real-world instantiation of a NIZK protocol from Fiat-Shamir

So I understand how one can use Fiat-Shamir to turn an HVZK sigma protocol into a non-interactive zk protocol in the random oracle model. My problem, though, is that I don't understand why this is useful.

If I wanted to use a NIZK in something and I choose a protocol based on Fiat-Shamir, this would mean I have to choose a hash function which surely invalidates the zk proof in the ROM. So do I know anyth ...

Score: 7
crypt
How to generate random numbers within a range (0, n) from random bits?

What is a good method to generate random numbers between 0 and n from random bits?

For example, I have one million random bits generated according to the NIST SP 800-90 publications. Now I need to generate random numbers between 0 and 100 (inclusive) using these random bits. A few possible methods I could think of are:

Read 7 bits, convert these to a number (0 to 127), store the number if it's <= 100,  ...
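
The first method the post lists (read $k$ bits, keep the value if it is $\le n$, otherwise discard and read again) is rejection sampling, and it is the one that gives an exactly uniform result; taking a $k$-bit value modulo $n+1$ instead introduces a bias that this added example also quantifies. The code is not from the post; the bit stream is a constructed deterministic SHA-256 counter-mode generator standing in for the SP 800-90 output, so the demonstration runs offline.

```python
import hashlib


def bit_source(seed=b"constructed demo seed", nbits=1_000_000):
    """Constructed deterministic bit stream (SHA-256 in counter mode) standing
    in for DRBG output; yields one bit (0/1) at a time, nbits in total."""
    counter, produced = 0, 0
    while produced < nbits:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
        for byte in block:
            for i in range(7, -1, -1):
                if produced == nbits:
                    return
                yield (byte >> i) & 1
                produced += 1


class CountingBits:
    """Wraps a bit iterator and counts how many bits were consumed."""

    def __init__(self, it):
        self.it, self.used = it, 0

    def __iter__(self):
        return self

    def __next__(self):
        self.used += 1
        return next(self.it)


def uniform_int(bits, n):
    """Unbiased integer in [0, n] by rejection sampling: read the smallest k
    with 2^k >= n+1, giving v in [0, 2^k); accept v <= n, otherwise retry.
    Expected tries are 2^k/(n+1) < 2, so the expected cost is < 2k bits."""
    k = n.bit_length()
    while True:
        v = 0
        for _ in range(k):
            v = (v << 1) | next(bits)
        if v <= n:
            return v


def sample(n, count, bits=None):
    bits = bits if bits is not None else bit_source()
    return [uniform_int(bits, n) for _ in range(count)]


def modulo_bias(k, n):
    """Exact (max, min) probability of a residue when a k-bit value is reduced
    mod (n+1). For k = 7, n = 100 the residues 0..26 occur twice as often as
    27..100 because 128 = 101 + 27."""
    m = n + 1
    counts = [0] * m
    for v in range(1 << k):
        counts[v % m] += 1
    return max(counts) / (1 << k), min(counts) / (1 << k)


if __name__ == "__main__":
    src = CountingBits(bit_source())
    vals = sample(100, 10000, src)
    print("bits per sample:", src.used / len(vals))        # about 8.87 = 7 * 128/101
    print("modulo bias (max, min):", modulo_bias(7, 100))  # (0.015625, 0.0078125)
```

The rejection loop's running time is data dependent (a geometric number of tries), which is harmless for the use case in the question but matters when the sampled value is a secret and the attacker can time the operation; constant-time alternatives exist but cost extra bits.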

Score: 28
n-l-i
Is there a hash function that's more expensive for an attacker than for the server?

Say a server wants to hash a password $p$. It would use a secure hash function $H$ and a unique salt $s$ to hash the password as $H(p,s)$. If one has access to the salt, each password candidate requires one run of the hash function to be ruled out; the same amount of time it would take for the server to verify a password candidate.

If, on the other hand, the password was hashed as $H'(p,s+r)$, wh ...

Score: 2
Conceal time-based GUIDs with an affine cipher?

I'd like to create a custom type of sortable GUID by concatenating an 8-byte nanosecond timestamp, 6 random bytes, a 1-byte node number, and a 1-byte counter. But, such a precise timestamp can be used to enact very effective side-channel attacks if it can be related to the execution time of other cryptographic operations being done on the same system. It'd be ideal to conceal them in some invertible way ...

Score: 3
Ember
How to calculate the probability of cracking a password from its entropy?

I am working on a project for my maths assessment where I research the effect of complexity and length on a given password. Currently, I am working on calculating the probability of guessing a password on the first try. I assumed that I had to start from entropy and go from there but I am kind of stuck on which formula to use in order to find the probability.

I considered 1 / (2^entropy) but I am not su ...
