Latest Crypto related questions

Score: 1
Plain Text and Cipher Text terminology when double encrypting?

Say I have some message like "Hello World" that I want to encrypt. I get that "Hello World" is the Plain Text and the output from the encryption is called the Cipher Text.

But let's say I want to encrypt the data again, so I feed the Cipher Text from the first round back into the encryption algorithm and get the new Cipher Text out.

Effectively I have:

PlainText1 -> EncryptRun1 -> CipherText1

...

Score: 2
PLONK Product Check Proof. Why is the 2nd condition required?

I am going through Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=LbpPCN-f_XA&t=952s

At around 19 minutes, he gets to the Prod Check Gadget.

Background:

$\omega \in \mathbb F_p$ is the primitive $k$th root of unity (i.e. $\omega^{k} = 1$)

$\Omega = \{1, \omega, \omega^{2}, ..., \omega^{k-1}\}$

Let $t(1) = f(1)$ and $t(\omega^s) = \prod_{i=0}^s f(\omega^i)$ for $s = 1, ..., k-1$. ...

Score: 3
What kind of hashing is GF multiplication in GCM cipher mode and GMAC?

In GCM, GMAC, the additional associated data (AAD) (as well as outputs of subsequent blocks) is multiplied by a polynomial H in GF(2^128). This appears to be doing some secure hashing.

Is that what's happening, and if so, is this a general hashing method that's used elsewhere?

Score: 3
Solving subset sum via the LLL algorithm

I wrote code that solves the subset sum problem via the LLL algorithm, as given in chapter three of the Handbook of Applied Cryptography https://cacr.uwaterloo.ca/hac/

I ran the code on ten random sets, each with positive integers from one to $2^n$, each with a random subset adding up to a target integer. The code found the solution ten out of ten times when $n=10$.

However when I ran the code on ten ...

Score: 4
Why pairing domains are subgroups of the r-torsion group?

In pairing based cryptography (PBC) we restrict the pairing domains to be subgroups of the $r$-torsion group $E[r]$. This raises two questions for me:

  1. Why do we restrict them to subgroups of $E[r]$? Couldn't we use, for instance, the whole group of points $E$? Or a mixture between various torsion groups? (As long as they are sufficiently large to ensure security)
  2. If so, what happens if I evaluate ...

Score: 1
Secure permutation of $E(\mathbb{F}_q)$ as a set for an elliptic curve $E$ over a finite field $\mathbb{F}_q$

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. For simplicity, let the group $E(\mathbb{F}_q)$ be of prime order.

Assume that I know how to construct an efficiently computable permutation of $E(\mathbb{F}_q)$ as a set, that is, just a bijective map $\phi: E(\mathbb{F}_q) \to E(\mathbb{F}_q)$ rather than a group homomorphism. Moreover, $\phi$ satisfies the property that for every non ...

Score: 1
Is it appropriate to prohibit an adversary from querying a specific input in an algorithm in some situation?

There are two algorithms in my framework, $E_1(\cdot)$ and $E_2(\cdot)$.

In particular, executing $E_1(\cdot)$ on a specific input $x$ (i.e., $E_1(x)$) is equivalent to executing $E_2(y)$ for some input $y$.

Suppose the security model of this framework allows an adversary $\mathcal{A}$ to query $E_1(\cdot)$ with any input, and restricts $\mathcal{A}$ from querying the $E_2(\cdot)$ algorithm.

Can I prev ...

Score: 2
Salts are stored with the hash - so for a single user it's no security advantage?

A hacker goes into a database and downloads a bunch of hashes and salts of users with knowledge of the hashing method. Say this is one entry that got downloaded:

cbc0a790b2f28fc72ca43eb749028b9f:21022011 (hash:salt)

Without the salt, the hacker simply computes 100M common passwords and their hashes and finds matches. With the salt, the hacker simply computes 100M common passwords + 21022011 and their ...

Score: 1
Could this be a cipher or not?

I am trying to solve a puzzle, and I think I have to solve a cipher. But I'm not actually sure what I have to do ... Example:

The diu uff i dve. lleive pi he bl hle f he mi Nw ie d hiie d eve me Biie ide hi i. Ti Bii imli Vili Buei G Bii Ti imli, Gee li bei ipped el be ie EL lvd ie Nvz d ell u h u. lle Re Ve Bl ize W ee m) ull Sp. 5% hii fi d ld ve deh he eul f Bii iible ue f ll vilble ee. hii Th ...

Score: 1
Using Self-Generated Random Bits Instead of the Initialization Vector (IV)

I think my understanding of initialization vectors (IV) might be lacking, but as I understand it, an IV is used to add randomness to an encrypted message so that the message is difficult for an attacker to crack. The randomness part I can see the importance of.

The part I can’t get my head around is why use the IV. For example, say I add 16 random bits to the start of my message and encrypt  ...

Score: 2
Is PAKE more secure than WPA2?

As I understand it, in WPA2, the shared key (for encryption) is derived from the password, plus nonces and identities used in the initial 4-way exchange. An attacker who was able to sniff the initial exchange could perform an offline dictionary attack on the AP password.

I've also learned about PAKE protocols that also derive cryptographic keys from a shared, low-entropy password, but are resista ...

Score: 1
Rule 30 based block cipher

So I went ahead and wrote this little program. What it does is take a password as a seed and generate a (pseudo-random) bit pattern using rule 30 from cellular automata. It then XORs our input file with the same-length pattern. In theory this should be secure, given that I would start padding the plaintext and only use a password once?

import sys

def rule30(a, b, c):
    return (a ^ (b | c)) & ...

Score: 2
Reduction from Distinguisher to Indistinguishability

Content and Informal Problem

Suppose a protocol $\pi$ performs an arbitrary task between two users A and B. I only know that $\pi$ relies on an IND-CPA symmetric encryption scheme $\mathcal{E} = $(KeyGen, Enc, Dec). In detail, A holds a key $k$ and in $\pi$ computes encryptions of $n$ messages $m_1, \dots, m_n$, providing to B the ciphertexts $\psi_1, \dots, \psi_n$.

To prove the security of $\pi$, I compute a ...

Score: 5
Why is forward secrecy needed at X3DH?

In the official documentation of the X3DH Algorithm (link), an analysis of forward secrecy is made. Forward secrecy would be a useful property if we repeated the protocol multiple times. But in the Signal Protocol it is always used only once, to initialize the Double Ratchet Algorithm (which then on its own provides forward / backward secrecy and so on). So why do we care about the security f ...

Score: 0
Does the article "Factoring integers with sublinear resources on a superconducting quantum processor" affect ECC?

"Factoring integers with sublinear resources on a superconducting quantum processor" seems to indicate the end is getting closer for RSA - much faster than anticipated earlier:

We proceed by estimating the quantum resources required to factor RSA-2048. We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain syst ...

Score: 0
ECDH security vs. type of elliptic curve

While using ECDH key exchange, we can choose to use different kinds of elliptic curves, e.g. P224, P256 or P384 etc. (btw, I am using Go).

My question is, what are the criteria for choosing between the different kinds of elliptic curves? Is it related to the desired security level? If yes, what is the "rule of thumb" to choose between the curves?

Score: 5
Encrypting a symmetric key which requires 2 keys to decrypt?

Let's say a device has 2 private keys and service has the 2 corresponding public keys. Is there an efficient way to encrypt a symmetric key from the service side utilizing the 2 public keys, such that on the client, it requires both private keys in order to decrypt?

I.e., if I only have private key 1, I am unable to decrypt the encrypted symmetric key.

I believe one way could be double encrypting it?  ...

Score: 1
How to design a Zero-Knowledge Proof of a message in a certain range?

Given a message $m$, how can I prove that $m$ lies between 0 and 31 without revealing the message using a Sigma protocol?

The message is encrypted as:

$$c = a^{\beta} \cdot g^m ,$$

where:

  • $a$ is the public key of the receiver,
  • $\beta$ is the secret key of the sender, and
  • $g$ is a generator of a cyclic group $G$ of prime order $q$.

I know I need to use "OR" composition and the Diffie-Hellman (DH) tri ...

Score: 2
Is there a version of LWEEncrypt in which probability of decryption error is zero?

Is there a modification to the LWE public key crypto-system which makes the decryption process totally deterministic and does not affect security?

Score: 1
Constant-time decompression on an elliptic curve

Let $E\!: y^2 = f(x)$ be an elliptic curve over a finite field $\mathbb{F}_{q}$ of odd characteristic. Consider an $\mathbb{F}_{q}$-point $P = (x,y)$ on $E$. Suppose that we only have the $x$-coordinate (with one auxiliary bit) and we want to recover $P$, that is, the value $y = \sqrt{f(x)}$.

Assume that the field $\mathbb{F}_{q}$ is highly $2$-adic, i.e., $q-1 = 2^\nu m$ for the large $2$-adicity

Score: 0
If I encrypt two plaintexts with different keys, XOR the ciphertexts and send to an adversary, what can he/she do with what I sent?

Let's suppose I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting ciphertexts and send this XORed block to an adversary. Remembering that the adversary will not have access to resulting ciphertexts, only the XOR of them.

What could he/she do with the XORed block? Can he/she find the keys I used, or even the plaintext of one of the ciphertexts in ...

Score: 1
Role of IV in Perl's Crypt::Rijndael

Sorry in advance if I'm asking a stupid question:

I thought the role of "IV" in encryption is to avoid having identical ciphertext for identical plaintext. So one could use some random IV.

Writing some Perl code I'm confused, however. Consider this test code:

use Crypt::Rijndael;
my $cipher = Crypt::Rijndael->new('x' x 16, Crypt::Rijndael::MODE_CBC());
$cipher->set_iv('IV' x 8);
my $data = 'ol ...

Score: 3
Cost of attacking textbook RSA signature of $b$-bit hash of the message

A signature system applies textbook RSA to a $b$-bit hash of the message. What's the cost (preferably, as CPU time on common hardware) of existential forgery assuming known signature of $r$ random messages? How much is that reduced if public exponent is very small ($e\le7$)?

We assume

  • Safe RSA public key $(n,e)$ and matching secret private key $(n,d)$ with $n$ of $\ell$ bits and $2048\le\ell\le8192$

Score: 4
Where does signing/decrypting take place on a YubiKey 5 for PGP private key?

I have found a similar question for PIV (and not PGP)

I assume PIV and OpenPGP would work in similar ways. I also assume that the GPG private key never leaves the YubiKey.

If these assumptions are correct then:

  • at encryption: a symmetric key is generated and encrypted on the sending computer using the GPG public key, then the message is encrypted on the sending computer using the symmetric key
  • at decryption: the ...

Score: 5
Do we need the quantum random oracle model (QROM)?

I am currently studying the proof of the Dilithium signature in the quantum random oracle model (QROM). I am curious to hear if anyone has any thoughts on the importance of having proofs in the QROM, or if proofs in the standard random oracle model should be sufficient.

I have been exploring the topic briefly with some mates and considered it along the lines that the ROM has stood the test of time ...

Score: 0
Use Shamir's Secret Sharing Scheme to split a key between a client, a server and multiple 3rd parties

I'm trying to design an encryption system for a new mobile app and am thinking of using Shamir's Secret Sharing Scheme in a way which I have not seen before. Does this seem possible or does it violate some mathematical concept I'm not understanding in SSS?

I want to split a key generated on the user's mobile device where:

  • n parts are necessary to rebuild it
  • n-1 parts are stored on the user's mobile devic ...

Score: 1
How to give a hybrid proof that IND CPA secure implies multiple query IND CPA secure and vice versa?

For a public-key encryption scheme (Gen,Enc,Dec), the textbook definition of IND-CPA security is the following:

  1. The challenger runs (pk,sk)←Gen and sends pk to the adversary.
  2. The adversary performs some computation, chooses $(m_0, m_1)$ and sends them to the challenger.
  3. The challenger runs $ct \leftarrow_{\$} Enc(pk, m_b)$, $b \leftarrow_{\$} \{0,1\}$, and sends $ct$ to the adversary.
  4. The adversary performs some computation a ...

Score: 0
Is a pseudorandom function (PRF) also a one-way function (OWF)? If yes, how can we prove that a PRF $f_k$ is a OWF? If no, what is the closest work?

Let $f_k$ be a PRF. We claim that $f_k$ is a OWF. Proof: suppose $f_k$ is not a OWF; then there exists a $PPT$ algorithm $A$ that can invert $f_k$ with non-negligible advantage. Even if we know the input $x$ for a given $f_k(x)$ with non-negligible advantage, how can we claim that we can distinguish $f_k(x)$ from random with non-negligible advantage? Here, the key $k$ is still secret.

Score: 0
Looking for the proof of the prod check gadget referred to by Boneh in his PLONK video

I am going through Dan Boneh's video tutorial on PLONK Polynomial IOPs - https://www.youtube.com/watch?v=vxyoPM2m7Yg

He describes 3 types of proof gadgets he will use.

He gives a proof of the Zero Test which I understood. However, he doesn't cover the proof for the Sum Check & Product Check in his video.

Prod Check

Prove that $\prod_{a \in H} f(a) = c$

He says that he has the Product Check covered in ...

Score: 4
What is the impact of leaving a salt used in HKDF open to attacker control?

RFC 5869 for HKDF says "an application needs to make sure that salt values are not chosen or manipulated by an attacker" [1]. Soatok also discusses some nuances in choosing salts for HKDF [2]. This question also discusses a situation where it led to a vulnerability [3].

While these sources all indicate that salts should not be left to attacker control, I would like to know exactly what is put at risk by doin ...
