Latest Crypto related questions

I have two files ctext0 and ctext1 that are byte files and they are encoded using the same one time pad, so I tried to write a pygame program to allow me to use crib-dragging to figure out some words like so:

import pygame
import sys
import os

file_size1 = os.path.getsize('ctext0')
file_size2 = os.path.getsize('ctext1')

pygame.init()

# Load the byte files
with open('ctext0', 'rb') as f0:
    cte ...

I recently looked into the subject of public key cryptography (especially with X.509 certificates). I am the administrator of a web server using HTTPS which uses 2 levels of certificates (in addition to the end-user certificate for the website). Here is the schema :

The black line is intentional to keep the anonymous. But it corresponds to my end-user certificate.

By looking carefully into the "CA ...

I have a program implementing a function $f$, and want to find a pair of functions $e$ and $h$ such that $h \circ e = f$, but $e^{-1}$ cannot be recovered from $h$.

In other words, given some $e$-encrypted data, $h$ decrypts it and applies $f$. Knowing $h$ doesn't allow me to get back the unencrypted data, but rather only the result of $f$ applied to the unencrypted data.

I have following simple function

uint128_t crypto_aes_prf( ECB_Mode< AES >::Encryption& e, int message)
{
    // Encrypt the input using AES
    unsigned char messageBytes[16]= {0};
    unsigned char ciphertext[16] = {0};
    std::memcpy(messageBytes, &message, sizeof(message));

    e.ProcessData(ciphertext,  messageBytes, sizeof(messageBytes));

    uint128_t result = 0;
    for (si ...

Let's say I want to perform addition on "small" numbers (if it matters, let's say integers between 1-10K) without decrypting the numbers -- i.e. I have E(A) (the encryption of A in a crypto system under a given key) and E(B) and I want to compute E(A+B) without decrypting A or B.

The state of the art would be to use a homomorphic encryption (like in the Pallier Cryptosystem for addition). However, these ...

Given a certificate .p12 I want to extract the public key, the private key and Modulus and Exponent both from the public key and from the private key.

I am using PHP and OpenSSL functions

As I understand it, the Module and Exponent of the public key must be different from the Module and Exponent of the private key.

            // Obtenemos el certificado .p12
            if (!$pfx = file_get_conte ...

It is DTLS 1.2 version question of this question.

I know from 4.1.2.4. of RFC 5246 (DTLS 1.2) AEAD Ciphers can be used in DTLS 1.2 exactly the same with TLS 1.2.

In TLS 1.2

AAD = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length

It makes sense since it is (implicit) sequence number + header of TLSCiphertext. However at DTLS 1.2 new header field epoch is added. Shouldn't I ...

In a similar anonymous PKE based on D-H key exchange, in a many-to-one (one-to-many) case, is there any way to implement authentication without revealing the identity of the sender (receiver)? Could you recommend some papers?

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P = (x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form.

As a result, if software chooses to truncate a hash to its first half, and if the attac ...

By full alternatives I mean things that can do everything RSA can, namely establish secure security without privately sharing information prior. Something which AES can't do.

In other words, I'm looking for quantum-resistant asymmetric encryption.

I am trying to understand which operations are computable by an $\texttt{NC}^1$ circuit. However, I am struggling to understand whether there is such a circuit for multiplying a matrix with a vector or if the circuit will necessarily be in $\texttt{NC}^2$.

I am trying to understand the NIST-submissions for post-quantum cryptography a bit better, and I noticed that the submissions from the CRYSTALS-family in particular is based on Module-LWE. I understand that "normal" LWE has huge parameters, and that they went for Ring-LWE in Ideal Lattices over Rings because of the more compact representation, as n samples require O(n) instead of O(n^2). Though I fail t ...

TLS 1.3 specify two pre-shared key exchange modes, which are psk_ke and psk_dhe_ke. The former is a non-ephemeral key exchange where the master secret is basically derived from the pre-shared key, the client random and the server random; whereas the latter is ephemeral and derives master secret from those same data plus the (EC)DH result. Ephemeral key exchange gives forward secrecy, so it's unarguabl ...

The python code example on Wikipedia uses the 12th Mersenne Prime ($2 ^ {127} - 1$) as the modulus. I'd like to share a 32 byte secret. Is it safe to simply change the modulus to p = $2 ^ {256} + 297$?

Considering that quantum computers (in theory) can break\reverse some of one-way-hashes a lot faster than conventional-computers. Is it technically feasible in any theoritical (but realistic) senarion, to store data "compressed" as in the form of an one-way-hash and reverse\restore\"decompress" it with the help of a quantum system on demand? And if so, could that make it an ideal way of storing data in t ...

I'm working on a Distributed Key Generation protocol. The idea is similar to this.

TLDR: Aggregated Shamir Secret Sharing, each participant acts as a dealer & distributed the secret shares of its secret polynomial to the rest of the participants. Finally, the actual secret can be constructed by aggregating the secret shares of all the participants. I understand how this DKG works & have im ...

Let $F = GF(2^n)$ and $P(x) = x^e, P : F \rightarrow F$ be a monomial of degree $e$. How to write each bit of the output of $P$ as a function of input bits? In other words, how to write it as a system of polynomials over $GF(2)$? One way is to use computer algebra systems such as sage and work as follow:

sage: p = 2
sage: n = 4
sage: F.<a> = GF(p^n)
sage: R = PolynomialRing(F, n, names='c')
s ...

Let $r(b, t)$ denote the bitstring $b$ rotated to the left by $t$ bits: for example, $r(00110101, 5) = 10100110.$

Consider the following game. Player A picks two (different) $n$-bit strings $(T_1, T_2)$ and four arbitrary numbers $(a, b, c, d)$ less than $n$. Then Player A computes $$B_1 = r(T_1, a) \oplus r(T_2, b)$$ and $$B_2 = r(T_1, c) \oplus r(T_2, d),$$ then reveals $B_1$ and $B_2$ to Player B (we  ...

Suppose my server receives a message, the public key, and the signature. The message contains a time stamp.

Is there a way to get the time stamp from the signature to match it with the message time stamp. Or some other way to ensure the message was signed at the time that it says it was signed?

I am using ECDSA P-384 but open to some other algo if needed too.

I'm researching to see if there is an algorithm that encrypts different inputs with different keys to produce the same output.

So let's say I have 2 messages.

var message1 = "My password is: Doggies!1"
var message2 =  "My password is shdhe93-4" 

And two keys.

var key1 = "DummyKey"
var key2 = "RealKey"

I would like to be able to encryption it like so

var encryptedText = encrypt([message1, message2] ...

I have a decentralized coin system that I am trying to develop.

Each coin can be split up into 1,000,000 units.

I've been looking for a quantum-safe and practical (efficient) algorithm to send fractions of a coin between peers, so that other than the two peers that participate in the transaction, nobody could tell the amount of the transaction (i.e. a third party could not tell if it was 0.1, 0.4, 0.55 ...

Consider the following definition. Let $p(n) > n$ be a polynomial, and $G_n: \{0, 1\}^n \rightarrow \{0, 1\}^{p(n)}$ a PRG. Moreover, given $x \leftarrow \{0, 1\}^n$, we say $S$ is a length $n-1$ contiguous substring of $G(x)$ if $S = s_0\cdots s_{n-2}$ with $s_i \in \{0, 1\}$ is a contiguous substring of $G(x)$.

Then we say a PRG $G$ is "$n-1$ subsequence secure" if for all PPT adversaries $\mathca ...

I am using ECDSA P-384 for signing and verifying messages. The messages are basically stringified JSON. After receiving, the recipient verifies the signature using the public key.

Should the public key be included inside the message (aka the JSON which gets stringified)? Or should I send the public key separately along with the stringified JSON and the signature?

Does it make any difference?

The reason ...

I am trying to prove to myself that an identification scheme derived from a digital signature in a challenge/response manner is secure, based on the security of the digital signature scheme. I've found an informal proof in these lecture notes, but I'm struggling to formalize it with a reduction.

Let $\Sigma = (GEN, SIGN, VERIFY)$ be a digital signature scheme, and $\mathcal{ID}^{\Sigma} = (IDGEN, P,  ...

If Bob takes a plaintext and encrypts it with their own public key and hands it to Eve who in turn encrypts it with her public key, we now have a cipher text that requires both Bob and Eve to decrypt it, to get the original plaintext. However once Eve has encrypted it, is there anything Bob can do to confirm that the cipher text successfully decrypts with Bob's private key? My concern is that Eve swaps  ...

I would like to encrypt big files using an authenticated cipher. I am convinced to use approach where file is divided into smaller manageable chunks that fit easily in memory (e.g. 1-10MB size) which are encrypted, authenticated separately. Unfortunately such approach is prone to "reordering" attack at least.

I am looking for some theory behind the streamed protocols that apply best practices in  ...

I am trying to do some calculations with the Paillier Homomorphic encryption scheme. Specifically, given three plain text integers, x1, x2,and x3. I want to first encrypt them, getting their corresponding ciphertexts, say c1, c2 and c3. I want to find the results of (x1+x2+x3)/3 by utilizing c1, c2, c3 and the homomorphic property of Paillier.

I found a post here, which was answered quite a long time a ...

In the document Trapdoors for Lattices, section 5.4 Gaussian Sampling, they introduce the parameter $\sqrt{\Sigma_{\bf G}}$, which is related to the lattice $\Lambda^\perp(\bf G)$. They use it as a bound for the smoothing parameter of this lattice, therefore $\sqrt{\Sigma_{\bf G}}\in\mathbb{R}$. But later on, they do some calculation as if it were a matrx when they write $s_1(\sqrt{\Sigma_{\bf G}} ...

This is from this video - https://www.youtube.com/watch?v=9VuZvdxFZQo

Bob has a list of length $10^6$. Bob wants to convince Alice that every number in the list is between 1 & 10. Alice needs to verify it with just 2 queries & 99% certainty.

This is the protocol given by Ben

• $f$ is polynomial created by interpolating all $10^6$ numbers in the list.

• $g$ is any polynomial of degree $10^7 - 10^6$ ...

In go/src/crypto/internal/nistec/p256_asm_arm64.s Line 448 / 473 / 498 / 524, We can see the code mul Ord with hlp1 but NOT hlp0. According Montgomery Multiplication, shouldn't we mul Ord with hlp0?

    // First reduction step
    MUL acc0, hlp1, hlp0

    MUL const0, hlp1, t0
    ADDS    t0, acc0, acc0
    UMULH   const0, hlp0, t1

    MUL const1, hlp0, t0
    ADCS    t0, acc1, acc1
    UMULH   c ...