Latest Crypto related questions

TL;DR: Why is there a static-static diffie hellman in the Noise_IK handshake?

Hi, I am currently trying to understand the WireGuard VPN protocol. As you may know, it uses the Noise_IK handshake from the Noise Protocol Framework.

This handshake uses two ephemeral-static diffie hellman operations (es and se) to authenticate the initiator and the responder. Then why is there a static-static (ss) diff ...

Consider a system in which DES is used to encrypt messages in which the first three plaintext Bytes are known by the attacker. How many encrypted messages is it necessary to intercept in order to be reasonably sure of identifying the key used for encryption?

I thought about this, but I am not sure:

The probability that plaintext starts with the 3 known bytes is favorable cases/total cases so:

$64$

In the preliminaries section of a paper$^\color{magenta}{\star}$ on lattice-based cryptography, the matrix norm $\| \cdot \|_{2}$ is used. Why do we define such norm? What's the purpose of defining such a norm? Is it common in matrix mathematics?

$\color{magenta}{\star}$ Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, Dhinakaran Vinayagam ...

Pretty new to ECC Pairings. I am trying to understand KZG Commitments from multiple sources. I found this blog beginner friendly and easier to understand. However, I'm stuck at ECC Pairings and having difficulty in order to completely understand it.

The blog mentioned:

• Input: 2 points ($P$ and $Q$) on 2 subgroups of the same curve ($\mathbb{G}_1$ and $\mathbb{G}_2$).
  • $\mathbb{G}_1$ is a subgroup of  ...

This might be a stupid question, so bear with me. I was wondering if LLM embeddings can be used to anonymize input text. I couldn't find any information online that says that embeddings can be 1:1 decoded back to the original text.

An example: A user wants to check some metadata about a query with an external API, but doesn't want the exact text input to be sent to the API (it might contain perso ...

I have a large file (> 200 Gb), that I encrypted a while ago with AES-256-CBC. The file itself is a tar which I ran through openssl. I've forgotten the exact password, but have a general idea of what it is.

Brute force is the easiest way to crack this from what I've seen (given the circumstances that I have a general theory of what the passwords might be), but the hitch I've run into is the time i ...

I have a compressed WIF private key starting with K but when ever i try to import it gives a different address. What could the issue be. The address generated is correct for the private key as i do have the screenshot as well when it was generated back in 2018 using a well known python script. Everytime i try to convert the Compressed WIF i keep getting a new address but not the old one

An Elgamal-like bit commitment scheme:
Let $\langle g \rangle$ be a group of order $n$, where $n$ is a large prime.
Let $h\in_{R}\langle g \rangle\setminus\{1\}$ denotes a random group element such that $\log_{g} h$ is not know to any party, neither the sender nor the receiver.
$commit(u,x):=(g^{u},h^{u+x})$, where $u\in_{R}\mathbb{Z}_{n}$ and $x$ is the value we want to commit to it.

Elgamal-like bit co ...

I've used OpenSSL to generate an RSA-PSS keypair.

-----BEGIN PRIVATE KEY-----
MIIBUgIBADALBgkqhkiG9w0BAQoEggE+MIIBOgIBAAJBAKjJmhflBebbRJt0JNWe
elk9w32jGxvZrvxO7kdpvNFWCgXIXSU0zC26R2Rca1w81sY4MpKfKl0baIK06Dbp
F6cCAwEAAQJANfamrocJeQKXj7/1WtrdMRT/IHb6XtAdEwvFQM28kYyUU4QuIxGO
cJ90rX99FdhOouUtbeYVXfnR7+I4NL6C+QIhAN6GukudUZqsor+AH/fuVg1Z4cUo
8slDhv5hoHJq1HizAiEAwi1yKT4YeBWc7vxwBwQ5i2DtrhfOxOs1+Mzij7xu1z0 ...

Normally, when computing an EC threshold DKG, I have all parties reveal a commitment to the public key, and only reveal their own public key after verifying the commitments. Otherwise it's trivial to produce a public key that gives one member control. In a 2 party, for example, one can just wait for the other's public key, compute the inverse, and then publish that.

But can you make it noninte ...

In this paper, they shortly introduced how to uniformly sample points from the n-sphere.

The points of n-sphere consist with normal variables. My question is ..

1. If I samlpe coefficients of ring using normal distribution, what is differences between sphere sample and normal sample of ring?

2. How normal variables make uniform distribution in sphere? Can I formally prove it?

3. If Q2 is possible, is it ...

I am reviewing the ZKP course, represented by the university of Berkley (https://zk-learning.org/). In pages 41 and 42 of lecture 6 that is attached below (https://zk-learning.org/assets/lecture6.pdf), the instructor explains the Poly-commitment based on Bulletproofs scheme. He uses an example for a polynomial with degree 3 and then define $f'_0 = rf_0 + f_2$ and $f'_1= rf_1 + f_3$. I think that if

In this question we are dealing with "$q$-ary" lattices. I will give the definition available to me and I'm interested in proving the lemma. As a reference see the PDF on page 2 from Peikert's lectures.

Definition. Let $\mathbb{Z}_q := \{ 0, 1, \dots, q-1\}$. We define $ \Lambda^{\perp}(\mathbf{A}) := \left\{ \mathbf{z} \in \mathbb{Z^m} : \mathbf{Az = 0} \right\} $, where $\mathbf{A} \in \mathbb{Z}_q^{n \ ...

I'm doing vulnerability research and looking at a device that is using some u-boot RSA encryption that they've modified. I've extracted the 4096-bit public key from the flash, it has an exponent of 65537. They simplified the padding to use a hardcoded 480-byte array that's labeled as "PKCS 1.5 paddings as described in the RSA PKCS#1 v2.1 standard"

[ 0x00, 0x01, (458 * 0xFF), 0x00, 0x30, 0x31, 0x30 ...

I'm trying to understand how its represented a ciphertext of CKKS in memory, or the data structure.

Here is what I understand, correct me if I'm wrong. I also add some questions.

1. To start with, given a polynomial degree N and and a coefficient modulus, say {60, 40, 40, 60}. This means that the encoding in the CRT representation there will be 4 polynomials with two of them with coefficients of 60bits and ...

My goal is to enhance by bringing some changes to these techniques and schemes so that any improvements can be brought to them. So I tried to find some of the tools and came up with these:

Secret Sharing Protocol:

Cryptool: Cryptool is an open-source software suite that includes various cryptographic tools and modules. It provides a platform for designing, simulating, and analyzing secret sharing proto ...

In this picture we have a use of a hash function for message authentication.

M is plaintext message. H is hash function. E is encryption block with K symmetric key. || is concatenation of plaintext M with the output of E.

Is it true that this is vulnerable to bit flipping attack? I'm not sure how though.

This is what they said to me:

You do the bit flipping on the encrypted hash in such a way th ...

I have been wondering if sending audio fragments over a phone call would be considered a form of cryptology.

Let's say that you own two mobile phones and say that one of your phones is on the Verizon network and the other is on the AT&T network. You have a friend who also owns two mobile phones. Say that one of his phones is on the T-Mobile network and the other is on the U.S. Cellular networ ...

I am looking for references for the most basic secret sharing and MPC arithmetic algorithms for generic rings or prime fields.

Problem:

Suppose there are $m$ parties $P_1, \ldots, P_m$ which wish to do arithmetic over a ring.

They hold some secret shared values $[x], [y]$ and they wish to compute $[x+y]$ and $[xy]$.

What are the basic algorithms for solving these problems?
What are the basic se ...

I'm learning OQS OpenSSL and I'd like to create a certificate with dilithium in C, using liboqs and OQS OpenSSL. This is my code (based on https://stackoverflow.com/questions/256405/programmatically-create-x509-certificate-using-openssl and a lite bit of chagpt):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/obj_m ...

Let E be an elliptic curve of prime order n. If we assume that Alice and Bob both know a scalar value z, is there a known zero-knowledge protocol (ideally a Sigma protocol) that allows Bob to convince Alice that he knows some point R such that zR satisfies some equation?

The context of this is as follows. I've recently been looking at ZKAttest, which allows a prover to display knowledge of an authenti ...

I encountered a question while reading an article. My understanding is that fully homomorphic encryption supports ciphertext addition and multiplication. Why does the basic protocol given in this article include ciphertext subtracted by plaintext?

Let's start with what got me wondering about this issue: It's a curious construction, that while most digital signature schemes come from public-key encryption (Impagliazzo's cryptomania), there are constructions like SPHINCS that construct secure signature out of a hash function (Impagliazzo's minicrypt).

Now there exists a SNARK construction without trusted setup ala Hyrax. Has there been any w ...

I'm working on solving a encryption task, and I'm a bit stuck. I want to clarify that I'm only seeking hints and not direct answers since I want to solve it myself. The goal is to solve it on my own; otherwise, it wouldn't make sense. Therefore, I'm just looking for hints to help me progress from where I'm stuck or any comments suggesting that I might be missing an aspect or something.

The task s ...

So originally a puzzle was given out to a community i'm a part of and what was given was this.

. .. . ... . . . . . . . ... . .. . . . . . .. . ... . . . . . .... . .. . . . . . .. .. .. . . . . . .. . . . . .. ..... . . . . . .. .. ..... . . . . . .. . . . . . . . .... . . . . . . . . . . . . . .... . . . . . .. . . . . . . . ... .. .... . . . . . ....

https://apeiron.iulm.it/retrieve/handle/108 ...

This is a rather simple question, but answers are nowhere to be found. Are there any variants of Poly-n hashing algorithms which provide bigger outputs (like 32 instead of 16 bytes)? Or, is there any research which discusses the variability of the constant $2^{130}-5$, why this number is special or whether there are other good alternatives? I understand that it would be better if it was a prime nu ...

Let's say there's Alice and Bob.

1. Let Alice and Bob agree on a message $M_1$, a tag $T_1$, and a function $HMAC$.
2. Alice proves to Bob that she knows a key $K$ such that $T_1 = HMAC(M_1, K)$ without revealing what $K$ is, using a zero knowledge proof.
3. Alice sends Bob some cryptographic object $MysteryBox$.
4. Alice dies.
5. When Bob puts $M_2$ and $T_2$, which Alice doesn't know, into $MysteryBox$ she left, he c ...

There is a random scalar seed $s$ which we may call a master secret.

There are 2 public strings or scalars: $m1, m2$ and 2 corresponding EC keypairs: $a, A=a*G$ and $b, B=b*G$

$a$ and $b$ are somehow securely derived from $(s, m1)$ and $(s, m2)$ respectfully.

It might be $a = HKDF(s, m1)$ or $a = s + m1$, or some hash, it does not matter right now.

I need to prove 2 things without disclosing $s$ or

In the NIST 800-56A rev3 "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography" in section 6.1.1.2 "(Cofactor) Full Unified Model, C(2e, 2s, ECC CDH) Scheme" the shared secret is calculated as follows:

Party U Calculates:

1. $Z_s = d_{s,U} Q_{s,V}$
2. $Z_e = d_{e,U} Q_{e,V}$
3. $Z = Z_s || Z_e$

Party V Calculates:

1. $Z_s = d_{s,V} Q_{s,U}$
2. $Z_e = d_{e,V} Q_{e,U}$
3. $Z = Z_ ...

This is a followup to my recent question Discrete Logarithm Challenges and Records.

I am interested in confirming my understandings from the answer to that question, stated below:

1. For a discrete logarithm problem in a generic group of size $N$ with no special algebraic structure, the best known attack is the Pollard's rho method. If memory complexity were not an issue (it is!) then Baby Step Giant Step ...