Latest Crypto related questions

Assuming there is a lattice basis $B=\{b_1,...,b_n\}$, we use $B^*=\{b_1^*,...,b_n^*\}$ to denote the Gram-Schmidt orthogonal basis, where $b_i^*=\pi_i(b_i)$ and $\pi_i(b_i)$ denotes the projection of $b_i$ on the orthogonal complement of the space $span(b_1,...,b_{i-1})$. We use $\|b_i^*\|$ to denote the Euclidean norm of $b_i^*$. I want to know how $\min_{1\leq i \leq n}{\|b_i^*\|}$ changes after  ...

I read in an introduction to a paper that if $e$ is small enough and we were given secret key $d$ in RSA, then there is an efficient deterministic algorithm to factorize $n$. I've searched about that and I've found the probabilistic one: Algorithm to factorize $N$ given $N$, $e$, $d$

I guess, the fact that $e$ is small must play some role here. But I was able to come up with something. Do you kno ...

What's the difference between UOWHF and CRHF and why are UOWHF useful?

As far as I understand, Universal One-Way Hash Functions are an alternative to CRHF. While for CRHF it is hard, given randomly chosen hash function parameters, to find any collision of the hash function; for UOWHF it's hard to find a collision where one preimage is chosen independently of the hash function parameters.

How does th ...

I hope this is not offtopic.

Since NIST has rather recently announced the winners of its PQC competition I was wondering how significant this development is. Does that mean that CRYSTALS-Kyber will become the new standard for general encryption?

Im creating a super increasing knapsack encryption scheme. Im supposed to ask the user to key in the size of the super-increasing knapsack. My question is - is there a minimum number of elements that the user need to key in?

Based on my research, because ASCII is using 7bit encoding, I need to have at least 8 elements. I would like to understand why this is? or is it correct at all?

Thank you.

I am learning about various digital signatures and came across DSA. In DSA, the $s$ part of the signature has a hash of the message $H(m)$. I was wondering, why can't we just use the message $m$ instead of using the hash? I understand that performance might be a part of it since the hash will ensure a certain fixed length. But any other security issues?

I'm working on a protocol that uses zero-knowledge proofs. I'm looking at systems of polynomial equations as cheap solutions for checksumming data. Note, I'm not looking for trapdoor functionality here; I don't care if an adversary can determine the pre-image from the output.

In a zk proof I can compute $m$ multivariate quadratic equations (in $\mathbb{F}_p$ where $p \approx 2^{254}$) with $n$ variable ...

Related to this question. I'm trying to find a way to use this fingerprint system without a second pre-image attack.

Assume I have a set of elements $V = [v_0, v_1, v_2]$ in $\mathbb{F}_p$. Assume the elements of $V$ are randomly distributed over the field.

I have two random values in the field, $R_0$ and $R_1$, both non-zero.

I consider the fingerprint to be two points in the field defined by:

$P_0(V)  ...

For example, Threefish has a key length of 1024 and a very long number of rounds (80). but, I have not heard much about Threefish-1024 being particularly secure, so what symmetric key ciphers are there that are secure not because of their large number of rounds or long key length, but because of their intrinsic cryptographic operations? And why is that symmetric key cipher secure?

translator user ...

I am very interested in encryption algorithms, especially AES encryption algorithm in symmetric encryption. To this end, I have studied a lot of theoretical knowledge about AES encryption algorithm and the code samples I can obtain.

I wrote a 512-bit encryption algorithm after referring to AES-CBC-256 mode in detail.

I named this mode SZQ-CBC-512, but the output result is almost the same as that of  ...

I have seen multiple sources claim that the Merkle-Damgård transform is able to build a collision-resistant Hash-function $H$ for arbitrary-length inputs from a compression function $h : \{0,1\}^n \to \{0,1\}^\ell$ (with constant-length inputs). See, e.g., [1].

However, the construction relies on suitably padding the input $x$ to $H$ in order to:

• Ensure that the length of the string $x_{\text{pad}}$

I am looking for some cryptographic algorithms suit to the below usage scenario.

$A$ has a set of data, e.g., $\{x_1,x_2,...,x_n\}$. $A$ publish those data in ciphertext (maybe that they are encrypted by different public key, I do not know).

Then participants $\{P_1,P_2,...,P_m\}$ come to pick the data belonging to them from ciphertext list, but without decrypting all the encrypted data. "belonging to the ...

I have been recently studying LLL-reduction. I get from the size condition and Lovasz condition that the basis are guaranteed to be somewhat orthogonal. But I couldn't figure out how orthogonal the LLL-reduced basis has to be in the geometric or intuitionistic sense. For example,

1. How small can an angle be between two LLL-reduced basis?
2. How long can the "diagonal" of the fundamental parallelepiped of t ...

I'll get straight to the point here.

There are two different programs I'm looking at. They both use secp256k1 to deterministically sign data (RFC6979) & provide the results online in-browser. However, both programs produce different DER-encoded signatures and I'm honestly baffled at this point as to why.

Program #1: https://paulmillr.com/noble/

Program #2: https://asecuritysite.com/encryption/sigs2 ...

As far as I understand, the biggest problem of requesting authentication in disk encryption is that the plaintext and ciphertext are not having the same size -because of tag-. The XTS mode is already designed with this issue in mind (length preserved). However, as far as I know, it is not possible to preserve the size with authentication. Is it possible to solve this problem with disk type? Advan ...

What combination of public key cryptography (DH) and symmetric key cryptography is currently available that is (subjectively) as secure as possible over other ciphers (AES,curve448) when security is prioritized over efficiency?

translator user

Edited: changing the notation according request by fgrieu.

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

properties of secp256k1:

p = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141   # order of curve

It is according to: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces- link here: https://billatnapier.medium.com/ecdsa ...

In FIPS 186-5 (Digital Signature Standard or DSS) there is a Table B.1 which specifies the minimum number of rounds of Miller-Rabin testing for 1024, 1536 and 2048 bit keys, used for digital signatures. That's already an update to FIPS 186-4 which specified these numbers up to 1536 bits. However there doesn't seem to be a table for any other values over 2048 bit keys.

Table B.1. Minimum number of rounds ...

I have an application that needs to communicate with the bank for online transactions. I am using OpenSSL 3.0.8.7 in Windows 11. I generated a private key using:

openssl genrsa -out rsa_key.pem 2048

Then a Certifate Signing Request using:

openssl req -new -key rsa_key.pem -out csr.pem -subj "[REDACTED]"

I sent the CSR to the bank and received back a signed certificate (signed_cert.pem) and the bank  ...

I must verify an HTTP signature to guarantee the origin and integrity of a webhook data: https://www.blockcypher.com/dev/bitcoin/#webhook-signing

This is their x509 PKIX encoded signing key's public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

I am following this specification to construct the signing string: https: ...

So I understand how one can use Fiat-Shamir to turn a HVZK sigma protocol into a non-interactive zk protocol in the random oracle model. My problem though is I don't understand why is this useful.

If I wanted to use a NIZK in something and I choose a protocol based on Fiat-Shamir, this would mean I have to choose a hash function which surely invalidates the zk proof in the ROM. So do I know anyth ...

What is a good method to generate random numbers between 0 and n from random bits?

For example, I have a one million random bits generated according to NIST SP 800 90 publications. Now I need to generate random numbers between 0 and 100 (inclusive) using these random bits. Few possible methods i could think of are

Read 7 bits, convert these to a number (0 to 127), store the number if its <= 100,  ...

Say a server wants to hash a password $p$. It would use a secure hash function $H$ and a unique salt $s$ to hash the password as $H(p,s)$. If one has access to the salt, each password candidate requires one run of the hash function to be ruled out; the same amount of time it would take for the server to verify a password candidate.

If, on the other hand, the password was hashed as $H'(p,s+r)$, wh ...

I'd like to create a custom type of sortable GUID by concatenating an 8-byte nanosecond timestamp, 6 random bytes, a 1-byte node number, and a 1-byte counter. But, such a precise timestamp can be used to enact very effective side-channel attacks if it can be related to the execution time of other cryptographic operations being done on the same system. It'd be ideal to conceal them in some invertible way ...

I am working on a project for my maths assessment where I research the effect of complexity and length on a given password. Currently, I am working on calculating the probability of guessing a password on the first try. I assumed that I had to start from entropy and go from there but I am kind of stuck on which formula to use in order to find the probability.

I considered 1 / (2^entropy) but I am not su ...

I'm implementing 128-bit AES-GCM (but only the encryption/AES-CTR aspect).

When I set the Secret Key, Plaintext and IV to Test Case 2, page 27 of the GCM spec (see below) I get the wrong value for the output of the cipher block (before we XOR).

https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf

Inputs:

K       00000000000000000000000000000000
P       000000000000 ...

With PHP, I'm trying to setup a HTTP signature verification for webhook requests coming from BlockCypher: https://www.blockcypher.com/dev/bitcoin/?php#webhook-signing

This is their public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

This is an HTTP request that I've collected using RequestCatcher:

POST / HTTP/1.1
Host: 2 ...

I'm following ZK MOOC: https://zk-learning.org/

After some previous readings about these topics, I was believing to have understood that, stated that non-interactivity isn't attainable in standard/plain model, there were to alternatives B-plans:

• Fiat-Shamir heuristic for public coin IPs requiring the acceptance of ROM (Random Oracle Model)
• or CRS (Common Reference/Random String) assuming a trusted setup ...

I am currently studying OFB mode, and one of the vulnerability mentioned for it is that if two different messages have a block at the same position in the ciphertext, and have same plaintext, the attacker can figure out the encryption function output for that particular block. This was brought up to highlight the danger of reusing IV, so this is assuming that same IV and key are used.

I understan ...

Below is part of AES GCM diagram. However, it only shows the behavior of the IV/counter.

The GCM specification examples state both an IV and a Secret Key as two inputs.

Can someone please explain where both are used?

Is the 96 bit IV expanded to 128 bits, incremented (most-significant byte?) and used to create the AES Key Expansion?

And the Secret Key is passed (with the Key Expansion) to E_k for encry ...