Latest Crypto related questions

Score: 1
macknight
How to determine the homomorphic encryption CKKS scheme's parameter bounds for correctness and 128-bit security?

How to determine the homomorphic encryption CKKS scheme's parameter bounds for correctness and 128-bit security using some specific floating-point numbers and specific computation metrics like summation or variance?

Any formal proof and theoretical process to decide the parameters like polynomial degree and so on?

Score: 2
Jonathan Wilson
Recommended way to generate a key and IV for CFB mode?

I need to generate a key and IV that will be used to encrypt multiple things over a period of time with AES in CFB mode. The decision to use AES in CFB mode is not mine to change, and the key will only ever be stored in a secure way or transmitted out-of-band (i.e., not over any network where it could be intercepted).

What's the best tool for generating such a key and IV on Windows in a way that en ...

Score: 0
MJay
How can two secure elements safely authenticate each other without a third party?

Assume there are multiple secure elements, and also multiple men-in-the-middle or pieces of malware. How can any two secure elements authenticate each other without a third party and without hard-coding something in all elements, since a hard-coded code is vulnerable and can be attacked by brute force?

Score: 5
Hendi
Reverse engineering hardware crypto processor for modular multiplication

I'm currently working with an undocumented crypto offload processor that is capable of accelerating modular multiplication in some fashion. I need to figure out what operation it is implementing exactly in order to emulate it in software.

The hardware has four big integer inputs:

  • Multiplicand $a$
  • Multiplier $b$
  • Modulus $p$
  • Unknown value, let's call it $q$

The output is a single big integer $r$ of the s ...

Score: 1
alpominth
Are the null bytes produced by a True Random Number Generator a security issue when using it as a source of entropy for keys in One-time pad?

I can see that True Random Number Generators can produce some null bytes; after some megabytes of data, even 2 consecutive null bytes are produced:

$ timeout 0.5 /usr/sbin/haveged -n 0 -f - | xxd -p | grep "^0000"
haveged: command socket is listening at fd 3
Writing unlimited bytes to stdout
000010aa8070250869b3727f3f30cf87ae9554207180928e3e638bb58efe
0000677b49156973346bd9d9e358ca920755a519230a0e2 ...

Score: 1
Kolja
Proving addition of secret values in a small field

Suppose that a prover holds two secret values $x,y\in\mathbb{F}$ and both the prover and verifier have $z\in\mathbb{F}$. The prover wishes to prove that $z=x+y$ without revealing $x,y$ to the verifier.
We can further assume that the verifier has access to some oracle which confirms whether commitments $X,Y$ to $x,y$ are honestly generated.

One way of doing it is the following: The prover sends $X  ...

Score: 1
oCriptoPanquer
Good references to breakable limits: $2^{60}$

Recently, I read here on Crypto SE that $2^{60}$ doesn't provide enough resistance to current adversaries. Could someone please provide me with good references related to that threshold, or any updated versions of it, say, $2^{70}$ or $2^{80}$?

I made an effort to find the exact discussion, but, unfortunately, I was unable to locate it.

Score: 2
glurks
How is the $\chi$ step of the Keccak permutation invertible?

I would like to understand how Keccak's permutation function is reversible. The difficulty I have is with the $\chi$ step, which uses the AND operator, which is not invertible. All the other sub-operations use XOR and rotations, which can be reversed.

Score: 1
Martin Benes
How to process a message to be embedded using steganography?

Let's say we embed a text using steganography by modifying an existing cover object. What steps would need to be done on the message?

I can think of

  • source coding (compression)
  • channel coding (adding redundancy)
  • encryption

Am I forgetting anything? What methods would you use for each step? And how does the efficiency of the steps differ when I change the message size?

Score: 0
Melab
Parallelizable MAC/hash value stored securely

Assume the following:

  • $E: \{0, 1\}^k \times \{0, 1\}^b \rightarrow \{0, 1\}^b$ is a block cipher with a $k$-bit key size and a $b$-bit block size.
  • $T$ is a $b$-bit authentication tag that is guaranteed to be untampered with (e.g., by being calculated and stored by a trusted system).
  • $X_i$ represents the $i$th of a string of data blocks that $T$ is calculated against.
  • $X_i \in \{0, 1\}^b$.
  • $K_1$ and

Score: 3
fadedbee
Does ECDH on secp256k1 produce a defined shared secret for two key pairs, or is it implementation defined?

Rust and NodeJS implementations of ECDH on secp256k1 produce different shared secrets when using identical keypairs:

NodeJS:

sk1 <Buffer 71 17 9b 99 1d 76 93 de 81 3a ea a5 bf a2 41 a2 ac 9e 05 35 86 7e bf 8f 6b 1b 08 84 47 2e f4 a7>
pk1 02de4cba976ab77795c46c1c3b95afc077b17afe1bca02d28963a3bcdd9c082168
sk2 <Buffer 1e 11 4f 23 7e 3c 59 ba 2b 92 ae df 21 3f 11 27 c9 16 9c 03 97 52 49 5c 1f fb 64  ...

Score: 1
Lev Knoblock
Misuse Attacks on Lattice Crypto

I've been reading "Misuse Attacks on Post-Quantum Cryptosystems" (https://eprint.iacr.org/2019/525). In what scenarios are the attacks described in the paper applicable? Is it specifically if a key is reused to generate more than one encapsulated key? Or is it more general? Does it apply to all 'unfailing' reconciliation mechanisms?

Score: 0
Sumana bagchi
Partition/Range wise privacy

Consider two data streams $a_1,\cdots, a_n \in [a_{min}, a_{max}]$ and $b_1,\cdots, b_n \in [b_{min}, b_{max}]$, such that $[a_{min}, a_{max}]$ and $[b_{min}, b_{max}]$ do not overlap.

A differentially private mechanism (Laplacian with privacy budget $\epsilon$) with zero mean and scale parameter $\beta$ is applied to these streams with different ranges to generate the DP-induced output streams $a^{\pri ...

Score: 2
Paul Yu
PLONK: Rationale Behind Specific Polynomial Evaluations in Round 4

In round 4, the protocol evaluates $a(\zeta)$, $b(\zeta)$, $c(\zeta)$, $S_{\sigma 1}(\zeta)$, $S_{\sigma 2}(\zeta)$. I know the linearisation trick in round 5 implies the identity of the other terms. Can we evaluate other terms, e.g. $S_{\sigma 1}(\zeta)$, $S_{\sigma 3}(\zeta)$, instead? Is there any consideration behind the terms selected in the paper?

ref:

  1. PLONK paper: https://eprint.iacr.org/2019/953.pdf
  2. https://hackmd.io/@aztec-network/ByiUK_Plt

Score: 0
Shark44
AES CBC - Find IV (CTF)

I am currently trying to solve a training challenge based on AES with CBC. This is the info I'm given:

KEY = "yn9RB3Lr43xJK2██".encode()
IV  = "████████████████".encode()
msg = "AES with CBC is very unbreakable".encode()

Those spaces are unknown characters, and I also have the output:

c5████████████████████████■...

Score: 3
Riemann
Does the Windows RNG have security problems?

The Windows RNG infrastructure is specified in this article. On page 4, it states that the PRNG called AES_CTR_DRBG is used (with 256-bit security strength).

According to Wikipedia, this PRNG has security problems when used with certain parameters.

Specifically:

When AES is used as the underlying block cipher and more than 128 bits are taken from this pseudorandom number generator, then the resultin ...

Score: 0
alygg
R1CS and zkSNARK

So recently I've been exploring the zk-SNARK algorithm, and I have a maybe stupid question. For example, let's take $x^2+x+1$ and make an algebraic circuit from it:

  1. $y=x*x$
  2. $sum=x+1$
  3. $out=sum+y$

(First question: are finite fields needed here?)

Now we need to construct an R1CS for each gate. Our variables plus one: $\{1, x, y, sum, out\}$

So we have:

  1. $A_1 = [0, 1, 0, 0, 0]$, $B_1 = [0, 1, 0, 0, 0]$, and

Score: 0
Flame
Can I skip ahead with a quadratic congruential generator?

I have a congruential generator where $$ r_{n+1} = r_n^2 - c \pmod{p} $$ With known $r_0$, $c$ and $p$, can I get $r_n$ without having to compute all the previous values?

Score: 0
alpominth
May I use the same One-time pad key two times if I encrypt it with a block cipher using two different block cipher keys?

Let's suppose I have two 2GiB files and I want to encrypt them using One-time pad (Vernam cipher), but I don't want to store two big keys.

May I use only one key for the two files if I encrypt the One-time pad key two times with a block cipher, with two different keys for the block cipher? I mean, take the One-time pad key, encrypt it with a block cipher and XOR file 1, and repeat with file 2 but usi ...

Score: 0
crypto_lover
tan(x) as a hash function

print(tan(int.from_bytes(open("plain.txt", "rb").read().strip(), "big")).n(1024))

It's Sage code. How difficult or easy is it to recover the plaintext from the output of this code? I don't think a hash collision or second-preimage attack will be useful unless we know the length of the plaintext.

Is there any possible way to recover the plaintext efficiently or is there no other way?

Score: 3
András Korn
How certain is it that a shorter password can't match the salted hash of a long one?

We (collectively) salt passwords, then hash them; maybe even run them through something like PBKDF2 first (depending on how the password will be used).

The end result is that we have a string $p$ and map it to a fixed-length string $p'$ using a surjective transformation with the property that it is difficult to find any particular $p$ that maps to a given $p'$.

The fact that there are $\aleph_0$ pos ...

Score: 0
Goel77
How can I impersonate Bob without creating a new session?

Good morning,

I've been struggling with this protocol for the last few days and I'm out of ideas now. The goal is to impersonate Bob by just modifying or dropping packets. The attacker (me) is a proxy that sits between the clients and the servers, so any messages are first sent to me and I relay them to the servers.

I have thought about setting up two sessions and do a Reflection but then the sess ...

Score: 0
gabe_torres
Using plaintext + ciphertext combination as substitute for authentication/signature in elliptic curve cryptography

I'm working on a system where I need to sign some data using an ECC private key and share the data and signature over a BLE ADV packet. Since an ADV packet is limited in space, I can't use a full ECDSA signature as the output is too large. As far as I understand, you can't readily truncate an ECDSA signature as you can with AES.

As an alternative, I am considering simply encrypting the data I nee ...

Score: 0
How much of SHA3's internal state can be reached?

After reading that about "37% of the 256-bit outputs" of SHA-256 are unreachable when fed only 256-bit inputs [1] I'm curious & confused. The formula from the proof here considers a fixed "h-bit" input & output. How does this translate to the maximum number of internal states that are reachable within SHA3?

Does this mean ~37% of the internal states of SHA3 are unreachable after each of it ...

Score: 1
bjpo027
Substitution Cipher

For the Substitution Cipher, for functions such as $$f(x) = x^k \pmod{26}$$ or $$f(x) = x^k + k \pmod{26}$$ (functions that consist of $x^k$), why do the values $k=5$ or $k=7$ or $k > 10$ give a one-to-one mapping? I know 5 and 7 are relatively prime to 26; however, what about 3 or 9? Also, why does it map when $k > 10$?

Score: 0
Amo
RFC: Approach to CSPRNG

I've been experimenting in Python with different approaches to cryptographically secure pseudo-random number generators, comparing them using the NIST test suite implemented by https://github.com/InsaneMonster/NistRng/tree/master. My requirements are:

  • must be cryptographically secure, so its output is suitable as encryption key
  • only a relatively low number of outputs need to be produced (possibly ...

Score: 1
user2284570
Is it possible to get the negative point with −x in that version of the Pedersen hash over the BabyJubJub curve?

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P = (x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form or −P=(−x,y) in the twisted Edwards form like the case here with BabyJubJub.

But in ...

Score: 0
Hristo Todorov
Threshold signature computing

I have two questions:

  1. Can someone point me to some solution providing multi-party {t,n}-threshold ECDSA?
  2. I imagine that such a scheme works first by creating an ECDSA private key then sharding it to n subkeys, t of which subkeys are required to generate the initial ECDSA private key. Am I right?

I would appreciate any feedback on this topic as I am trying to wrap my head around such systems.

Score: 0
PLONK: Reducing the number of Field Elements Trick

From the PLONK paper.

Page 18

We describe an optimization by Mary Maller to reduce the number of $F$-elements in the proof from $M$. We begin with an illustrating example. Suppose $V$ wishes to check the identity $h_1(X) \cdot h_2(X) - h_3(X) \equiv 0$. The compilation described above would have $P$ send the values of $h_1$, $h_2$, $h_3$ at a random $x \in F$; and $V$ would check if $h_1(x)h_2(x) - h_3(x) = 0$.

Score: 0
opag
Why does TFHE/Concrete only support <8-bit numbers?

It seems to have something to do with their bootstrapping technique, which is built on blind rotations, but I fail to see why fewer than $8$ bits are used.

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.