Latest Crypto related questions

Score: 0
How can I decrypt an RC4 encrypted text when knowing the first 8 characters of the plain text secret?

I'm having difficulty decrypting a secret message as part of a CTF, and I was wondering how I could decrypt an encrypted text that has been encrypted with pycrypto RC4 when the first 8 characters of the plain text secret are known. Here is the secret that is in the code:

secret = b'Sff3az11oTAChXcnaCvx2i/P7pZWLMPWX7xV0zxFY2XYRhqbik8bS6kQOymHYi3j0ZoP4NFLTtJHR8iXFtljDcDpoFeEnZU0KqQNYPR+ovQ9eQ2iNE ...
Score: 2
FooBar avatar
ed25519 attacks

I am trying to understand the invalid curve attack and the small subgroup attack. The lower 3 bits of an ed25519 private key are cleared so that it is a multiple of 8.

So an attacker is unable to gain any information using a public key of a smaller subgroup or on an invalid curve.

Does this mean a check that a public key is on the curve before an ECDH is unnecessary?

Th

Score: 1
Is it possible to prove possession of AES-128 key?

My question is kind of related to this topic: Can we prove possession of an AES-256 key without showing it?

But I couldn't figure out how to apply it to my problem.

Description:
Let's say I have a hardware chip, and I want to prove it has not been copied. The chip can store an AES-128 key and can do some encryption with it; it can, for example, output a ciphertext and the corresponding plaintext. This key cannot be ...

Score: 1
Luqus avatar
Security of PKCS7 padding

I just designed my own padding function and came up with a potential problem that could harm the security of encryption. After I fixed that flaw, I found out that the standard PKCS7 padding should also be vulnerable to a known-plaintext attack. Please correct me if I am wrong at any point.

PKCS7 is filling each padded byte with the number of total bytes padded. Every time, at least one byte of pa ...

Score: 1
Mathdropout avatar
Proof of knowledge of constant discrete log in the bilinear setting

Consider a pairing $\mathbb{e}: \mathbb{G}_1\times \mathbb{G}_2\longrightarrow \mathbb{G}_T$ with generators $g_1$, $g_2$ for $\mathbb{G}_1$, $\mathbb{G}_2$ respectively. The groups $\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$ are of some prime order $p$.

For a trapdoor $s$, let $[g_1,g_1^s,\cdots,g_1^{s^N}], [g_2,g_2^s,\cdots,g_2^{s^N}]$ be the common reference string (although for some Snarks and ...

Score: 4
Is there a good rundown anywhere on the NIST vs CNRS patent disputes on lattice cryptography?

As I understand it from web conference hearsay, the Kyber and Saber entries to the NIST post quantum cryptography competition have been subject to a patent claim from the CNRS. The creators of the schemes wanted their cryptosystems to be public domain and opposed the legal claims based on mathematical grounds, which was apparently ignored by the lawyers.

Does anyone know what the exact extent of ...

Score: 1
zkSnarks: Ensuring that a variable has a single value across all the operations it is used in

I am reading this explanation of zkSnarks written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

In section 4.5, the pdf explains how to represent the following operations

$a \times b = r_1$
$r_1 \times c = r_2$

as $l(x)r(x) - o(x)$ where $l(x)$ is the left operand polynomial, $r(x)$ is the right operand polynomial & $o(x)$ is the output polynomial.

Here if you see that

Score: 0
Prithvish avatar
How to encrypt affine cipher in block?

Assuming the alphabet of capital letters, if an affine linear cipher $v\to Av+b \bmod 26$ with block length $3$ maps plaintext ENCRYPTAGAIN to ciphertext BLOCKCIPHERS, what are $A$ and $v$?

I referred to a paper, where it is given like this: *As an example, suppose we want to take our block-length to be 4. This means that we divide our message into blocks of 4 letters and encrypt each block separately ...

Score: 0
hiren_garai avatar
Extracting key bit for a stream cipher

My question is a little bit general. A stream cipher uses a $5$-bit key $(k_0, k_1, k_2, k_3, k_4)$, $k_i \in \{0,1\}$ for $i = 0,1,2,3,4,5$. Now the design contains $3$ generators $G_1, G_2, G_3$ which generate sequences of $0$'s and $1$'s, viz. $\{z^{G_1}_i\}$, $\{z^{G_2}_i\}$ and $\{z^{G_3}_i\}$ respectively. The final output is the keystream $z_i = z^{G_1}_i z^{G_2}_i \oplus z^{G_2}_iz^{G_3}_i \ ...

Score: 1
Do I need a salt when deriving new keys with HKDF if master key is strong? Is a global salt ok?

Let's say I have a master key and want to use it to derive new keys to use for encryption, using HKDF. I'm a bit confused regarding the use of salt though. I have seen other posts about it here but I still don't fully understand when/if I should use it.

Scenario: A creates a MasterKey and shares it with B, C, D. A derives different keys for B, C, and D and encrypts some data (for each of them). N ...

Score: -1
What is the time and space complexity of the AES S-boxes?

What are the time and space complexity of the AES S-boxes? Could someone please explain how these are determined?

Score: 0
DantheMan avatar
Securely estimate share ratio without a centralized tracker in peer-to-peer with HyperLogLog?

Let's say you had a distributed storage system like bittorrent or ipfs and you wanted to track the upload/download (or response/request) ratios of the peers. However, you don't want to use a centralized tracker and want to keep everything peer to peer. Can you estimate the u/d ratio securely in a distributed way without overwhelming the system?

One thought I had was to modify HyperLogLog (HLL) with a combi ...

Score: 1
Dominic van der Zypen avatar
Is $\mathbb{Z}_2[x]$-irreducibility in ${\bf P}$?

A fast alternative to conventional multiplication is the carry-less product. It works exactly in the same way as the multiplication on the countable set of binary polynomials $\mathbb{Z}_2[x]$. We can identify any non-negative integer with a binary polynomial using the integer's binary representation (e.g. $13_{10} = 1101_2$ is identified with $x^3 + x^2 + 1 \in \mathbb{Z}_2[x]$).

In 2004, the seminal p ...

Score: 1
zkSnarks: Why does the target polynomial $t(s)$ need to be kept a secret if it's known to both prover & verifier?

I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

The example used here is that there is a polynomial of degree 3 which the verifier knows has roots 1 & 2.

  • The whole polynomial is $p(x)$

  • The target polynomial $t(x) = (x-1)(x-2)$.

  • The 3rd root comes from $h(x)$, i.e. if 3rd root is 3, then $h(x) = (x-3)$.

  • And $p(x) = h ...

Score: 0
Hunger Learn avatar
How could this scheme work?

When we use a secret sharing scheme we usually want to reconstruct the polynomial function $p(x)\in\mathbb{Z}_q[X]$ with the Lagrange interpolation method and then compute $s=p(0)=a_0$. However, the secret $s$ is just a number, and usually what we have as a secret could represent private information that is a whole statement. For example, let's suppose that player $i$ knows a secret that every othe ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.