Latest Crypto related questions

Score: 0
Unequaled Density avatar
Outside of use in microchips and FPGAs does SHA-3 have a lookup table?
mg flag

Is SHA-3 normally used with a LUT or hash table?

Score: 1
UnpluggedTrio avatar
Implications of generating public keys for incremental private keys?
ug flag

Let us consider a hypothetical situation.

What would be the implications if there is a method by which one can calculate the public keys for incremental private keys, with the help of only the public key?

For instance, one is given a public key only. (that public key has the private key as 1001) and he is asked to calculate the public key of the next private key or the 10th one or any incremental pr ...

Score: 3
Ma Joad avatar
Error-correcting as part of an encryption scheme?
hu flag

If we do not encrypt a message, we can use a checksum to check data integrity. For authenticated encryption, we no longer need the checksum because we use the authentication tag to verify data integrity.

The above is about error-checking. Now, for error correcting (like Hamming code), is there an encryption scheme that

  1. Can check for integrity,
  2. Can correct one or two bit flips of the ciphered text, and
Score: 0
BenjaminC avatar
Is that possible for local p2p connection with encryption and remote p2p connection with encryption within the same application?
tv flag

on the wiki page of Rustdesk, it states "the connection is unecrypted, please do not send us issue about this." for local direct IP.

BUT, Rustdesk is intended "Virtual / remote desktop infrastructure for everyone! ", (so not localdesktop)

While Rustdesk claims Rustdesk is encrypted between client and server, which seems to be a more complicated task has completed, BUT they can not do local p2p conne ...

Score: 2
Mark S avatar
Is there a family of cryptographic hash functions that can be realized with a smallish depth quantum circuit?
bo flag

Certain number-theoretic cryptographic hash functions, such as $x^2\bmod N$, are known to be broken by a quantum computer. For example, one could use Shor's algorithm to factor $N$ into its product of two primes $(p_1,p_2)$, and use these primes to find collisions at-will. It's also been a long-open problem to find a hash that satisfies a version of Simon's promise; if such a hash could be found, th ...

Score: 5
Dani Vilardell avatar
Is there a way to calculate a hash with two people so that no one knows the pre-image but if they get together they do?
pw flag

I'm trying to find a way to have multi party hash computation, more specifically for SHA256. I want for two people to be able to compute a hash so that none of them knows the pre-image but when they get together they can reconstruct the pre-image.

Is there any known way to do it in general or any hack that can be used in the SHA25 specific case?

Score: 2
j123b567 avatar
Exploit 3DES-CBC with known checksum of plaintext and repeated IV
ca flag

I came across the following enterprise encryption scheme. I laughed when I first saw it, but I'm not a specialist and I'd like to know how bad it really is.

  • 3DES-CBC
  • k1=k2=k3 for 3DES
  • IV for CBC is repeated every 256 messages. Every communication party has a different set of 256 IVs but they are all predictable and similar in many places. IV has a fixed part unique for each communication party and an 8 ...
Score: 2
CryptoLover avatar
How to choose the value of state width of Plonk with lookup?
ph flag

I noticed that it seems the original Plonk paper introduced that there were two extensions with state width = 3 or 4 (as described in I recently reviewed some code and they set the state width = 5 and set the verification key as follows.

uint256 constant STATE_WIDTH = 5;

    struct VerificationKey {
        uint128 dom ...
Score: 2
leonero avatar
Lagrange interpolation in the exponent
ng flag

I am going over the paper and on page 5, it says the following:

Suppose I have a t-out-of-n threshold sharing scheme for the secret $\sigma=H(m)^\alpha$. The first $t-1$ shares are defined as $\sigma_i = H(m)^{\alpha_i}$, where $\alpha_i$ are sampled randomly in the field.

Then, for $i \in \{ t, t+1, \dots, n \}$, we defined the s ...

Score: 3
Doğukan Karakaya avatar
What is the result of not connecting the 1st register to the xor gate in LFSR?
sv flag

I designed 8 bit lfsr in vhdl. According to mathematical theory, I xor processed the outputs of registers 1, 4, 5, 6 and 8 and connected them to the input of register 1. theory says that if I give the inputs the polynomial "10111000", I get the repetition of (2^8)-1.

I tried some more. And I tried the circuit without connecting the output of the 1st register to the xor gate. interestingly I got t ...

Score: 1
Nicholas Cousar avatar
Manually deriving asymmetric key pairs with Openssl
cw flag

In Openssl, is there a way to systematically generate a private key such that every time you perform this key derivation, you produce the same private key?

It seems like every openssl command that generates private keys does so randomly. So, if you lose your private key file for whatever reason, there's no practical method of recovering it. I know you can control some parameters of RSA key generatio ...

Score: 1
Iain Ballard avatar
What is the name of this kind of cipher? (algorithm and description provided)
gb flag

I have a cipher algorithm that doesn't seem to be one of the "well known" ones I could find. I expect someone has already come up with this and I just don't know the name. Hoping one of you can point me in the right direction.

I don't think this falls foul of Should we allow questions about amateur ciphers? - but happy to be corrected.


Difficulty in recovering the original document from a com ...

Score: 1
js wang avatar
Looking for efficient implementations for Pedersen commitment
cn flag

Hi I am currently developing a research project, but it seems that my implementation of Pedersen commitment is not efficient.
I wonder if there are any efficient implementation of Pedersen commitment in c++?
Or if using things like ECC would boost the efficiency(seems number of bits could be smaller), or does anyone try the NTL(number theory library)?

EDIT: What I am using now is based on the mpz_p ...

Score: 2
Pithikos avatar
Storing length of encrypted data
bt flag

I need to encrypt some user's data. However to make it more apparent to the user what data is stored in each key, I was thinking to also store the length of the actual data along the cipher.


user_1_secrets = [
    "key": "mysecret"
    "encrypted_data": b"abf4c2",
    "length": "10",
    "key": "myothersecret"
    "encrypted_data": b"g3d532",
    "length": "24",

Is this safe from ...

Score: 1
user108810 avatar
DES in cipher feedback mode CFB
sl flag

We use DES in cipher feedback mode (CFB) to encrypt a plaintext $m = m_1\mathbin\|m_2\mathbin\|\ldots\mathbin\|m_{100}$ into a ciphertext $c_1\mathbin\|c_2\mathbin\|\ldots\mathbin\|c_{100}$, where each $m_i$ is 8-bit long. The ciphertext is sent to Bob. If $c_{15}$ and $c_{25}$ are missing and $c_8$ and $c_{88}$ are received as $c_8'$ and $c_{88}'$ wrongly, what $m_i$s can B compute correctly from the r ...

Score: 2
Mathpdegeek497 avatar
How to find linear complexity of non binary prime fields using berlekamp_massey algorithm in Sagemath?
cn flag

I am having a prime field of large size (assume it of the type GF(2**18)) and I need to find linear complexity of a sequence (of some specified length) defined on this field. I am using the inbuilt berlekamp_massey function to get the linear complexity (the degree of minimal polynomial) of the sequence. Current Work:

from sage.matrix.berlekamp_massey import berlekamp_massey
F = GF(2**18)

#Function ...
Score: 1
alpominth avatar
How changing a single byte/word in a substitution box affects the inverse result?
il flag

Let's suppose I have a 8-bit substitution box composed of 256-bytes and invert it.

Does changing one byte in the substitution box will make the inverse result completely different than if I didn't change it?

Or will only the changed byte be different in the inverse S-box?

Score: 2
Walker avatar
Can we pad witness of bulletproof and dory to be exponential size?
cy flag

Bulletproof and dory reduce the witness size by a half during each interaction, until the witness is compressed to be only one element. But what about the witness is not precisely exponential size? Can we still use the two schemes by padding the witness?

Score: 2
heller avatar
How to determine if a bilinear map satisfies XDLIN?
tm flag

Let $\{(q, G_1, G_2, G_T, e: G_1 \times G_2\to G_T)_s\}$ be a family of bilinear groups parameterized by the security parameter $s$. We use $g_1$ (resp. $g_2$) to denote the generator of $G_1$ (resp. $G_2$).

The XDLIN problem is to guess bit $B$ ($B = 0$ or 1), given

$$P_B:= \{g_1^a, g_1^b, g_1^{ac}, g_1^{bd}, g_2^a, g_2^b, g_2^{ac}, g_2^{bd}, Y_B\},$$

where $Y_0 = g_x^{c+d}$, $Y_1 = g_x^r$ ($x =  ...

Score: 1
LWE KEMs and message coding
in flag

In many proposed lattice PKE schemes, the plaintext is encoded or modulated in a simple fashion, e.g. using Kyber-ish notation:

  • key gen: $pk=(A, t=As+e)$, $\quad sk=s\quad$ ($A$ random, $s$, $e$ small random)
  • encrypt: $u=A^tr+e_1$, $\quad v=\langle r,t\rangle +e_2+\tilde{m}\quad$ ($m$ message, $r$, $e_1$, $e_2$ small random)
  • decrypt: $v-\langle s,u\rangle=(\langle r,e\rangle+e_2-\langle s,e_1\rang ...
Score: 2
Cat Dragon avatar
How to calculate Correlation, Difference propagation probability and Algebraic complexity a particular S-box?
it flag

I'm learning about AES. According to the book The Design of Rijndael refers to the design criteria S-box $S_{RD}$ as follows:

Design criteria for $S_{RD}$. We have applied the following design criteria for $S_{RD}$, appearing in order of importance:

  1. Non-linearity.

    a) Correlation. The maximum input-output correlation amplitude must be as small as possible.

    b) Difference propagation probability. The ...

Score: 1
Given the existence of provably-hard-to-solve problems, why do we routinely rely on conjectured-to-be-hard problems for encryption?
br flag

Let $(X, Y, Z)$ be a set of binary strings of length $n$. Let random $X$ be the private key for encoding (or decoding) message random $Y$ as $Z$. Let the encryption algorithm $m$ be a matching function, i.e., for $m(X, Y) = Z$, if $x_i = y_i$, $z_i = 1$, otherwise $z_i = 0$. Now, $m$ is clearly not a one-way function: given output $Z$, it is trivial to define some string pair such that $m(X, Y) = Z$

Score: 1
pXN avatar
Triple DES 1 key to simulate 3 keys
lc flag

I saw a statement that the probability of finding a key $k'$ to simulate 3 keys $k_1$, $k_2$, $k_3$ is neglectable: $\mathrm{Enc}(k_3,\mathrm{Enc}(k_2,\mathrm{Enc}(k_1,x))) = \mathrm{Enc}(k′,x)$

When not considering MITM attack, the probability of brute forcing triple DES is $1/2^{168}$. According to the statement, does that mean the probability of finding $k'$ is also $1/2^{168}$ so it is negli ...

Score: 3
Ryan B. avatar
Are there "light" versions of cryptographic hash functions?
vn flag

After tinkering with cryptographic hash functions, I started wondering if they do have counterpart functions that would imitate their cryptographic properties but with a lower level of strength in terms of their time/space complexity.

For instance, if I were to test certain collision algorithms in a simplified version of SHA1, which let's call SHA1-light, and it took X minutes to generate a colli ...

Score: 3
Ma Joad avatar
Example situation where an authentication tag can prevent an attack?
hu flag

In Authenticated Encryption, we use an authentication tag to make sure the message is not tampered. The authentication tag can prevent any random bytes sent by the attacker being decrypted by the receiver.

The question is: what sorts of attack (other than sending lots of meaningless random bytes) is the authentication going to prevent? If all the attacker does is to send random bytes, is it possible ...

Score: 3
vimwitch avatar
Analyzing the security of hash approaches
vc flag

Say that I have a random oracle function $H$. This function outputs a value in $\mathbb{F}_{p}$ where $p \approx 2^{256}$. $H$ can accept either one or two inputs (outputting a single value in both cases).

I can hash two elements $x$ and $y$ using either

case 1: $H(x, y)$

case 2: $H(x) + H(y)$ (using modular addition)

How does the security of these approaches differ?

In case 1 there must be collision ...

Score: 5
alainalain avatar
Does any proof exist for the optimal number of primes in a RSA key?
cy flag

My guess is:

  1. Known attack algorithms only work on 2 primes factorization, they don't work on 3+ RSA primes.
  2. More than 3 primes is cpu waste time, better is to increase key length. So 3 primes will be the optimal number.

Example of my program (open source) generating a 30k bits RSA key.:

  • Enter rsa NUMBER of primes: 3
  • Enter rsa (3 primes) key length in bits (0 = defaut = 4096): 30000
  • RSA (N primes) ...
Score: 3
PanosDgs avatar
Compute key size in Hyperelliptic Curve Cryptography
cc flag

I am trying to implement a basic Diffie-Hellman key exchange using ECC and HECC of genus 2 and 3 and compare them. However, I am a bit confused about the concept of key size in HECC.

In ECC, from my understanding so far and considering I am new to the field, the private key size is basically the bit size of the prime that is used to define the prime finite field, where the elliptic curve is defin ...

Score: 1
Jp_ avatar
ZKP vs disposable addresses
sz flag

In other words, what does ZKP brings on top of the practice of not reusing addresses?

From my research, ZCash is currently a state of the art example of ZKP application, but what extra benefits does it bring to the scenario where let's say a bitcoin holder created new addresses for each tx it was receiving and not reusing when spending it? Also assuming everyone in the network does the same.

How thi ...

Score: 4
Shivendra Mishra avatar
very smooth hash (VSH) Stepwise examples
kr flag

Can someone please point me to or give me stepwise example of VSH hash function. I couldn't find an example or a reference implementation. I tried to go through original publication but it seems way too cryptic to me.

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.