Latest Crypto related questions

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

A quantum attacker obtains the first 32 bytes of each signature. However, the rest of each signature, the messages, the private key and the public key remain conceal ...

RSA mathematics: https://youtu.be/4zahvcJ9glg

I understand how RSA works mathematically.

Can someone explain RSA-OAEP in plain english?

Is it secure to concatenate numbers from an RNG with numbers from a PRNG? I was thinking to throw a dice and use four outcomes to use as real random numbers, one outcome to change to the next permutation, and one outcome to add a pseudo-random number:

I generate a pseudo-random shuffled array from all permutations of the eyes:

shuffle([[1, 2, 3, 4, 5, 6], [1, 2, 3, 4, 6, 5], ...])

I choose the first ...

I'm a newbie that is studying about JWT using RS256 algorithm for signing and verification. I have drawn a diagram that represents my understanding of how RS256 works.

Basically, below is what I have by far:

1. header and payload after being trimmed are both base64url encoded
2. base64url encoded header and payload are hashed using SHA256
3. 2 resulting hashes from above will be joined by a dot "." to p ...

1. The general question is: Why are ABE schemes usually/sometimes proven in the selective-set of attributes model of security? Or even co-selective (both attributes and policy function)? Is it just because of difficulties in security proofs, i.e., reductions?
2. More precisely, what are the limitations of the simulator in answering the adversary's secret key queries? Like generating secret keys by the simula ...

In order to sign message m, m must be mapped to a point in G.1

However, Point can be multiplied. Why can't I simply do $mG$?

Example:

• $pk = [sk]G_1$
• $m = hash(message)$
• Signing: $s = m [sk] G_2$
• Verify: $e(G_1, s) == e(pk, m G_2)$

Oh, if it is possible to convert G1 to G2, it seems possible to multiply the public key by m. then,

• Signing: $k = random, r = kG_2, s = [sk] (m + k)$
• Verify: $e(G_1, sG_2) = ...

In RSA® Adaptive Authentication for eCommerce specification, the below flows are described.

Payload -> Sign (JWS) -> Encrypt (JWE) | Decrypt -> Verify -> Payload

Payload -> Encrypt (JWE) -> Sign (JWS) | Verify -> Encrypt -> Payload

As per my understanding end result is same. Authenticity, Data Integrity and Confidentiality are achieved in both the flows.

Am I missing something?

I was going to encrypt with AES, But I noticed ECB mode is not safe for CPA. So I thought about preventing CPA by padding input text to a multiple of 16 bytes.

First, perform custom padding system: pad input text and secret text for 16bytes "each" like this, so input text will be a multiple of 16 bytes.

For example pad for 8 bytes, pad text is part of "12345678" in ASCII:

AAAAA   -> AAAAA123
A       ...

I am trying to find discrete log over $GF(P)$ using Cado-NFS (https://gitlab.inria.fr/cado-nfs/cado-nfs/-/blob/master/README.dlp). It works well for random primes. But if I take primes that are divisor of numbers of the form $2^n-1$ for some positive integer $n$, it gives error. I use this in terminal:

./cado-nfs.py -dlp -ell factor of P-1 target=a P

I am getting error as follows:

Traceback (mo ...

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

Let's analyze four threat models involving a quantum attacker:

1. They obtain the first 32 bytes of each signature. However, the rest of each signature, the messages, the p ...

I have this message "Hello from another world"

1. Can you explain how to encrypt it with CBC step by step?

2. Are the message characters H, E, L, L, O .. converted to binary first, then every 8 bits or 16 bits XORed with IV and passed to the encryption function to be encrypted with a secret key?

Consider a scenario where a company wants to release a microdata of their employees total annual compensation for the following year to an analyst in a recruiting firm in order to provide an indication of relative employee importance so that the recruiting firm could suggest similar candidates for hiring to the company. An employee's total offered compensation for year X is made up of 3 components:

Shannon's theorem for perfect secrecy states that $$\forall x \in M, y \in C:\quad P[x|y]=P[x] $$ I know we need $|M|\leq |C| \leq |K|$. If $|Μ|=|C|=|K|$ all keys should have equal probs.
If $|Μ|<|Κ|$ is it still necessary? I think not because : $$P[x|c_i]=P[x|c_j] \implies \sum_{k_i: E_{k_i}(m_i)=c_i}P[K=k_i]=\sum_{k_i:E_{k_i}(m_i)=c_i}P[k=k_j]$$ The difference is that when $|Μ|=|C|=|K|$  ...

I'm not into cryptography, but I read a bit about it. I wonder:

AFAIK all encryption (decryption) and hashing routines are built using some very primitive functions (let's name them "atoms" for now) with specific properties.

As the set of atoms is probably rather small, a suitable algorithm consists of "combining" such "atoms" to (let's name them) "molecules" in a way that produces "suitable" molecu ...

Let the modified NTRU be $h=f/g$ such that $f$ is not necessarily a short polynomial, is the NTRU problem still hard in this case?

Intuitively I think not because assuming the bit string $x_1,x_2 \sim \{0,1\}^{n/2}$, $x_1 \wedge x_2$ is not uniformly random so if $g$ were still a one-way function then the fact that the definition of one way function requires the input string $x$ to be uniformly random seems unneeded.

But I'm not sure how to construct the $f$ required. I tried the usual $f(x) = 0^{n/2}||f(x_{[1:n/2]})$ but got st ...

I created a CSR using ES256(ecdsa). I want to verify it. How do I verify a CSR using ES256?

-----BEGIN CERTIFICATE REQUEST-----
MIIBCzCBsAIBADAfMQ0wCwYDVQQDDAR0ZXN0MQ4wDAYDVQQEDAVvdGhlcjBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABAJA4hRnXwSydejyKYgB349JX/MKueTl6qei
Ge7s6Leny05ze4oQWaLS7qsQfJGt/8RPCoymGypU12iakhIUfE+gLzAtBgkqhkiG
9w0BCQ4xIDAeMA0GBGgAAAAMBWF0dHIwMA0GBGgAAQAMBWF0dHIyMBMGByqGSM49
AgEGCCqGSM49 ...

Following up on my previous post, I thought I might get a more concrete answer if I gave a more concrete question.

I require 128-bit security so I choose a 3072-bit RSA modulus ($\ell_n=3072$). Specifically I choose $n=pq=(2p'+1)(2q'+1)$ that is a product of safe primes $p$ and $q$.

Now, I want to choose $\ell_\Lambda$ such that finding DL with $\ell_\Lambda$-bit exponents is hard in $QR_n$, for an ad ...

Have a look at the Twitter conversation below in the screenshots.

1. @theveveshow asks if @trader1sz has sent ETH to the girl in question? @trader1sz responds that the girl in question has indeed sent him ETH. @theveveshow asks for proof.
2. @trader1sz asks if @theveveshow can prove @trader1sz is not his father?

How can we prove the above statements with zero-knowledge proof?

Let the following game be given:

G^IND-CCA':

1. Prepare a key k <- KeyGen(1^Kappa)
2. Choose a hidden bit h <- {0, 1} uniformly random
3. Prepare a decryption oracle O_Dec. Given a cipher text c, it returns the decryption m
4. Prepare a one-time oracle O_Test. When called with m_0, m_1, it will return the encryption of m_h. Call it c*
5. Call the attacker with input 1^Kappa, O_Dec, O_Test and await a guess ...

Does higher encryption mean that my password could be shorter? If the time to decrypt is longer, then the chance to bruteforce gets lower too, right?

I've created a KeePass database, and at the creation you get to choose the decryption time (to 100 ms to 5 seconds). I was wondering if this implies a more secure way to use a short password, since the time to decrypt trying with each password would ...

I am getting started with Homomorphic Encryption libraries. I am trying to port a codebase written in Python to Haskell. I see that there is a re-encryption operation happening in one part of the code. Something like this:

  def re_encrypt(self, values):
    n = values.shape[1]
    values = values.flatten()
    ret = []
    for i in range(n):
      pt = self.pri_key.decrypt(values[i])
      ret.app ...

refer to this paper Khabbazian Paper I am trying to use double point compression in scalar for example double-and-add with k=27 which need to reduce the multiplications process for example scalar double-and-add algo consumes 4 doubling and 3 addition for P1(3,10) based on this example example

I am thinking to take two points P1(3,10) P2(7,12) and compress to get P3(x1,x2,y1+y2) P3(3,7,22)which will be ...

I am doing research about Non-interactive Secure Multi-party Computation and encounter a dilemma that I am not quite sure if it is possible and wonder if there are better thoughts that could help.

Situation:

There are $n$ parties ($i \in [n]$) and a dealer. The dealer has a number $U$ and weights $w_i (i \in [n])$ and parties have their inputs $x_i$. Now the parties would like to calculate $U - \su ...

I have an idea but I don't know if it will work. For the appropriate $p$ it is easy to find $n$ linearly independent $x_i$. Then we compute the inner product between the $x_i$. I think the information is enough to recover the $\boldsymbol{v_1},...,\boldsymbol{v_n}$, because, by matrix it can be written as $\boldsymbol{X}=\boldsymbol{T}*\boldsymbol{V}$, where $\boldsymbol{T}\in \{-1,1\}^{n \times  ...

I am a developer trying to follow best practice guidance as established by the IETF for my applications. I was researching standards for ECDSA key generation for some work that I have to do in the blockchain industry.

I am tasked with creating a unique, less complex zero-knowledge based scheme.

RFC Draft Indicating Deterministic ECDSA + EDDSA Signatures Were Still Insecure Without Supplemental Acti ...

I have been working through a book on cryptography and have recently come across elliptic curves. This particular question has me stumped and the book isn't much help, unfortunately. I was wondering if someone was able to talk me through the process a little better. The question is:

Alice and bob use

• the prime p=83,
• an elliptic curve E: y^2 = x^3 + 5x + c (mod 83),
• and point P=(3,11) on E.

Alice chose ...

Encrypting text with a computer has problems: we need to worry about hardware backdoors in processors, motherboards, and extension cards, software backdoors in OS, vulnerabilities in software, and viruses.

Computers are so complex that no single person knows every detail of how they work. It makes it impossible to examine every single part of hardware and software, so we can only hope that the co ...

I am using AES-GCM-256 to encrypt data in a database, and am using a single key that I salt with a unique random value for each user to encrypt their information. I am using the same IV for all of this.

Is this secure so long as I change the key each time?

I have a very important string it's of around 20-40 words. I want to encrypt this string and store it online . Which encryption algorithm will be useful for me.