Latest Crypto related questions

I am working on a proof for a secure aggregation protocol in which the server aggregates values from several clients. A challenge in the proof is that the server may lie about which clients have dropped out, requiring the simulator to equivocate the encrypted values it has sent to end up with the correct output on the server side. However, in my protocol the simulator is not able to equivocate its input ...

I am considering using a hybrid approach by combining ECIES (Elliptic Curve Integrated Encryption Scheme) with Kyber KEX (Kyber Key Exchange) for secure communication. Instead of using the traditional Curve25519 key exchange in ECIES, I want to replace it with Kyber KEX, which is post-quantum secure. This way, I would use Kyber KEX for key exchange and ECIES for data encryption. I believe this approach  ...

A $m$-dimentional full-rank integer lattice $\Lambda\in\mathbb{Z}^{m}$ can be defined as the set of all integer linear combinations of $m$ linearly independent over $\mathbb{R}$ basis vectors $\textbf{B}=\{\vec{b}_{1},\ldots,\vec{b}_{m}\}\subset\mathbb{Z}^{m}$: $$\lambda=\mathcal{L}(\textbf{B})=\left\{\textbf{B}\vec{c}=\sum_{i=0}^{i=m} c_{i}\vec{b}_{i}:\vec{c}\in\mathbb{Z}^{m}\right\}$$

Now, we wa ...

My lecture notes state that of the AES operating modes ECB, CBC, CTR, CCM (CTR+CBC MAC) and GCM, only CCM and GCM provide authenticity. In CCM, as I understand it, the authenticity lies in the MAC, i.e. the symmetric key.

AES-GCM calculates the authentication tag (AT) using, among other things, the additional authenticated data (AAD) and the symmetric key. According to the specification, the AAD  ...

From the PLONK paper.

Page 29, Round 3

Why multiply z(x) and z(Xw) in the quotient polynomial? (why does internal wiring have to multiply input permutation) Why the second term have to "shift by w"?

My observation is:

1. These 2 lines seem they have to cancel each other out.
2. z(x) is permutation polynomial and only about input. a(x), b(x), c(x) are about internal wiring.

I want to perform a modular reduction using Solinas prime value as q = 2^383-2^33+1. How can I efficiently compute it taking advantage of q being Solinas prime?

Diffie-Hellman key exchange is sometimes informally said to be hard under the discrete logarithm assumption in the chosen group. But if I am reading literature correctly, it actually uses a stronger assumption on the group and that's the assumption of Decisional Diffie-Hellman. Is there a key exchange whose SK-security is based solely on the hardness of discrete logarithm problem? Are there any other se ...

I am testing my TLS 1.3 server (it does not use openssl library) using openssl s_client utility. I have found out that s_client can not decrypt encrypted extensions of the server. So I need to know parameters of decryption used by s_client.

Could you tell me:

1. How can I force s_client to output (if it is possible) keying material.
2. In which procedures/modules s_client generates keying material - IV, maste ...

I wanna generate a list of numbers based on a unique string. They shouldn't be predicatble and every time to generate they are the same.

Could someone help me pleeease :)?

If we know the RSA encryption of messages m, m+1, m+2 when c=3, how can we compute m in polynomial time?

A HRNG that is NIST 800-90 compliant must use a DRBG in some way regardless of whether it adheres to a RBG1, RBG2 RBG3(XOR), or RBG3(RS) construction. This violates the requirement that the OTP is truly random (since there is a DRBG involved). Therefore, it is true that a NIST 800-90 compliant device cannot be used to generate a OTP since a computationally unbound adversary could break the OTP.

Is  ...

• U= 115792089237316195423570985008687907852598652813156864395638497411212089444244

• a = 20412485227

• E1 = EllipticCurve(GF(p), [0,1]) with order U

• E11 = EllipticCurve(GF(p), [0,1]) with order a

Formula from Coords on E1 to Coords on E11 is

Q11 = (U/a) * (x,y) (x,y) on E1

But, what is the reverse formula from Coords on E11 to Coords on E1

Q1 = ?? * (x,y) (x,y) on E11

I do not know why the intermediate value (for example, W5, W6) should be encrypted??

I think the encryption (random value) only needs in the input process (e.g. w1, w2, w3, w4).

I have pairs of files A and B both of arbitrary size and contents (for any pair of files, A could be significantly larger than B or vice versa). I want to be able to 'encrypt' A in such a way that I can distribute it openly, but so that only people already in possession of the entirety of B can access any part of A regardless of the contents or size of either file (disregarding things like compression ...

I am trying to test my server program which implements TLS 1.3 connection - it should establish TLS 1.3 connection.
My server uses a self-signed certificate, created in openssl.
I am using Firefox v.112 as the client to connect and getting an error - "SSL_ERROR_RX_MALFORMED_HELLO_RETRY_REQUEST". How can I know the specific reason and details of this error ?

NIST 800-90C defines 3 classes of random bit generation (RBG) constructions: RBG1, RBG2 and RBG3. All constructions must include a DRBG from NIST SP 800-90A. The particular construction in question is RBG3, which is "designed to provide output with a security strength equal to the requested length of its output by producing outputs that have full entropy" and is based on a physical entropy source. This  ...

I'm trying to extract a private key from a .PFX file to a .PEM file format. I was able to do it using Aes128Cbc in either .NET or OpenSSL:

.NET:

PbeParameters pbeParams = new PbeParameters(PbeEncryptionAlgorithm.Aes128Cbc, HashAlgorithmName.SHA256, 1);
byte[] privateKey = rsaPrivateKey.ExportEncryptedPkcs8PrivateKey("pass123", pbeParams);

Console.WriteLine("Generating PEM file...\n");
StringWrit ...

I am investigating a PRNG which fails some of NIST tests (FFT, ApproximateEntropy and Serial). If such a generator is used in cryptography for any purpose, what consequences can it has? How this vulnerability affects its safety? What is possible attack?

I want to discuss implications.

My problem is about this paper Efficient k-out-of-n oblivious transfer scheme with the ideal communication cost https://www.sciencedirect.com/science/article/pii/S0304397517309143

I don't know what is the "efficient algorithm" in section 3, paragraph 2, the second sentence of this paper.

Could you give me some explanation or related knowledge about this?

If I have TRNG data as input (A1,A2,B1,B2,C1,C2) - can I xor it to provide more TRNG data A,B,C,D,E,F,G,H ?

A1 = TRNG1
A2 = TRNG2
B1 = TRNG3
B2 = TRNG4
C1 = TRNG5
C2 = TRNG6

A = A1 ⊕ A2
B = B1 ⊕ B2
C = C1 ⊕ C2
D = A2 ⊕ B1
E = B2 ⊕ C1
F = A1 ⊕ B2
G = A2 ⊕ C1
H = B1 ⊕ C2

EDIT:

⊕ is XOR operation, TRNG is true randomness generated from non computational source

I think I understand how asymmetric cryptography works. However I don't really understand why some exchanges use the signature generated by hashing the payload with the private key.

From my understanding, if a public/private key pair is generated for ciphering, the payload is encrypted with the private key by the sender and it's decrypted with the public key by the receiver to ensure the authenti ...

Consider a function $G:\{0,1\}^*\to\{0,1\}^*$ with output size double it's input size, that is $\forall x\in\{0,1\}^n,\ |G(x)|=\ell(n)=2n$. Assume $G$ is a PRG in the sense of Jonathan Katz and Yehuda Lindell's Introduction to Modern Cryptography (3^rd edition); that is meeting the Pseudorandomness criteria:

For any PPT Algorithm $D$, there is a negligible function $\mathsf{negl}$ such that $$\big ...

This question was originally posted in https://ethereum.stackexchange.com/questions/151471/ethereum-signature-as-xml . I post it here aswell because I rarely get any response there.

I am seeking to express an EIP 191 0x45 message signature according to the XML Signature Syntax.

I assume this curve is the correct one: https://en.bitcoin.it/wiki/Secp256k1

For a signature over sha256("foo") signed by

I know how to prove the correct decryption of a (ElGamal) ciphertext.

The above protocol is from the paper: Bootle J, Cerulli A, Chaidos P, et al. Short accountable ring signatures based on DDH[C]//European Symposium on Research in Computer Security. Cham: Springer International Publishing, 2015: 243-265.

But,how to prove the correct decryption of several (ElGamal) ciphertexts in a batch? Performing the  ...

Consider a secure PRG $G:\{0,1\}^\lambda \to \{0,1\}^n$ and a one-way permutation $f:\{0,1\}^{n-\lambda} \to \{0,1\}^{n-\lambda}$. I'm wondering if the following construction $G': \{0,1\}^\lambda \to \{0,1\}^{2n-\lambda}$ is a valid stretch of the PRG output:

1. Apply $G$ to the input $x \in \{0,1\}^\lambda$ to obtain $y \in \{0,1\}^n$.
2. Apply $G$ to the first $\lambda$ bits of $y$ to obtain $z \in \{0 ...

If I run cat my.key, I get:

-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAu+UkIRXNZrdcnuCLsBsz/HiBcYNoAAAhYi2hISKBxkqX165U...

but if I run openssl rsa -in my.key, I get a different content as:

-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC75SQhFc1mt1ye...

why the contents are different, shouldn't they be the same?

I am looking for examples post-quantum secure trapdoor functions. Ideally, the inversion knowing the trapdoor should be "simple" in the sense that it can be computed by a circuit in NC^1.

I am trying to wrap my head around Homomorphic encryption, specifically the HEAAN/CKKS scheme. I am reading through the publication, but I am getting stuck on page 11, namely the KeyGen and Enc functions.

My issue in understanding comes from the generation of the public key: $$ p.k.\leftarrow (b,a) $$ $$ b \leftarrow-as+e(modq_L) $$ $$ q_l = p^l\cdot q_0 $$ where $l$ denotes the multiplicative level ...

Does there exist a semi-prime integer $n$ (e.g., an RSA modulus) such that the order of every element in the multiplicative group modulo $n$ is equal to the order of the full group modulo $n$? If so, would such an integer be more resistant to factorization by Shor’s factorization algorithm (the quantum version) than a semi-prime integer that does not have this property?

What I am thinking here is ...

Ideally, Hashids -: https://pypi.org/project/hashID/ are considered insecure and it is recommended that we should not use them for any sensitive functions. Though, is a HashId considered secure if we pass a very secure random salt to it? Or will it still be vulnerable? Can someone still guess / reverse engineer the original value?