Latest Crypto related questions

Score: 0
xin yao
Finding the key if HMAC output and input are known

Assume we have a message M, a key K, and MAC = HMAC-SHA256(M, K).

I wonder if an attacker can figure out the key K if the attacker knows the message M and the MAC.

Score: 3
fgrieu
Bilinear pairing for compact BLS signature

What family of bilinear pairing is recommendable for BLS signature when the overriding criteria is compactness of the signature, as desirable for something to be keyed-in from printout, or embedded in a small QR-code?

Is there something giving signature size lower than ≈384 bit for 128-bit conjectured security, as in this draft RFC, which is no more compact than a more conservative and faster s ...

Score: 2
empty_stack
Importance of non-degeneracy property of bilinear map for cryptography

I'm currently looking into pairing-based cryptography and I stumbled upon the definition of the properties bilinearity, computability and non-degeneracy.

Now I have a problem with understanding the non-degeneracy and how it is important to the security of elliptic curve cryptography. I have not found a paper that goes into detail about it, only from a mathematical standpoint which is a little to  ...

Score: 1
Anlo
Remembering user credentials by double-hashing

I'm developing a desktop application where the users will login with username and password, which is then verified against a database. After the initial login, the current user should be automatically logged in each time the application is started (until the user logs out or 1 month has passed).

I could encrypt and store the last successful username and password on the computer, but the decryptio ...

Score: 0
trieulieuf9
How can I decode the salt of this argon2i password hash?

I have this password hash: $argon2i$v=19$m=128,t=2411,p=2$hmJvvpH3BZlvb2V1vLm/yf3zANU4qNpKuw5TBnGzo2I$<censored>.

I know the password, and I want to verify whether this password produces the same hash as the one above, using an online argon2 hashing site: https://antelle.net/argon2-browser/

My problem is I don't know how to convert the salt into the right format for hashing.

Score: 0
Nathan Aw
Mitigating side-channel attacks: which is better? Masked cryptography or differential power analysis-resistant cryptography?

As part of mitigating side-channel attacks, which is the most efficient? Masked cryptography or differential power analysis-resistant cryptography? Or are they both similar?

Score: 1
user212942
Please review proxy re-signature on Elliptic Curve

I want to implement proxy re-signature on elliptic curve.

I've been thinking about ideas like the one below, but are there any problems?

Key generation:

  • $a$ = Alice's secret key
  • $aG$ = Alice's public key
  • $b$ = Bob's secret key
  • $bG$ = Bob's secret key
  • $rk_{ab} = aP \cdot b^{-1} = a/bG$

First sign:

  • $Pm$ is the hashed point
  • $k$ = random
  • $r = ka^{-1}$
  • $z = e(G, G)$
  • $s = z^k Pm$

Resign:

  • $r' = rk_{ab} * r ...
Score: 2
Anna Johnston
WRT Shor-resistant crypto: which is more likely

In NIST’s ‘competition’ to obtain new public key crypto which resists Shor’s algorithm (aka ‘post quantum cryptography’), two algorithms to make it into the third and fourth rounds have been catastrophically broken (Rainbow over a weekend on a laptop and SIDH/SIKE in an hour on a single core), while others have been shown to have less security than required by NIST (https://zenodo.org/record/ ...

Score: 2
Cisco Saeed
Can one affine point on an elliptic curve have two Jacobian coordinates?

I have these outputs on the curve in Jacobian coordinates: I doubled (3,10,1) to get (17,21,20), then I added all the points to get these results:

     1     3    10     1
     2    17    21    20
     3    11    13     7
     4    20    21    14
     5     2     6     6
     6     9     1     8
     7    14    18     8
     8     6    13     2
     9     0    20    11
    10     3    ...
Score: 2
velis
Does partial public key pre-sharing and partial public key exchange improve security vs one-sided public key sharing

I have a small ARM M0 SoC and a smartphone as actors. The encryption keys used are elliptic-curve keys.

My current security is implemented such that:

  1. the SoC has 128 bit hashes of phone public keys (vs 512 bit - due to storage space constraints)
  2. the phone has the SoC's public key
  3. the phone sends its own public key during negotiation
  4. step 3 establishes grounds for ECDH on both sides. From here encrypted co ...
Score: 1
NB_1907
Authenticated Encryption with Length Expansion for Storage Devices

Recently, I've been working on disk encryption. I started with the AES-XTS mode which is the standard for this purpose and tried to understand the concept of disk encryption in general.

I know that AES-XTS is preferable from many aspects for disk encryption as long as authentication is not requested. You don't need to store additional data for an authentication tag or IV and it is more resistant ag ...

Score: 1
user997112
What is Inverse equivalent (decrypt) in the AES specification examples?

Referring to the AES specification:

https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf

Printed pages 35-37...

The first detailed walkthrough is encryption, the second is decryption.... I don't understand what is the third, "equivalent inverse cipher (decrypt)"?

How can there be two decryption techniques?

Score: 2
Ss1996
AES key encryption on one time pad

I need to use the following scenario: There are 2 keys: AES-key and OTP-key (one-time pad). I encrypt the AES-key (as if it were plaintext) with an OTP key. Then I send the encrypted AES-key to another person who has the same OTP-key on which the AES-key was encrypted. This person decrypts the AES-key. Is it safe for him to use this AES-key to encrypt plaintext on it in CBC mode? And the second question ...

Score: 1
Abol_Fa
Can proofs be generated from Merkle Patricia Tries in the same way as Merkle trees?

I'm kind of confused about this. I have read that nodes in Merkle Patricia tries are key-value pairs; can someone provide a proof of membership for a piece of data in a Merkle Patricia Trie just as they would with a Merkle tree? That is, providing the hashes of some nodes and allowing the other party to calculate the rest?

Score: 0
Cerina
Does Index calculus work on secp256k1?

Does Index calculus work on secp256k1?

I did a search but couldn't find answers. Can I use Index calculus to find the private key of the elliptic curve secp256k1?

Score: 3
vinod
The successive minima of a lattice

I am new to lattice theory. I hope (and will be grateful) that someone could explain to me Claim 7 in Regev's course (this claim appears on page 6 of this file: https://cims.nyu.edu/~regev/teaching/lattices_fall_2004/ln/introduction.pdf), which states that: The successive minima of a lattice are achieved, i.e., for every $1 \le i \le n$, there exists a vector $v_i \in \Lambda$ with $\|v_i\| = \lambda_i(\Lambda)$.

Thank you,

 ...
Score: 3
Dontmilkme
Arithmetic Circuit to Square Arithmetic Program (SAP)

I'm trying to figure out how to convert a circuit into a Square Arithmetic Program (SAP). This is to eventually use it for zk-SNARKs such as Groth16. I do however understand how to convert arithmetic circuits into Quadratic Arithmetic Programs (QAP). As an example if we have the following circuit $c_1 \cdot c_2 = c_3$. Here we would define the following three polynomials: $L_1 = R_2 = O_3 = x$ (where  ...

Score: 2
user212942
Elliptic Curve digital signature algorithm without "hashing to point"?

Through "Why do we need to convert hashes to points on an elliptic curve?", I found out why Hashing to Point is necessary.

However, can the algorithm below sign and verify without Hashing to Point?

  • $a$ is secret key
  • $H$ is scalar hash function

Sign:

  • $k = random (mod\ r)$
  • $r = kG_2$
  • $s = a (H(m||r) + k)$ : if you don't know $k$, you won't know $a$. Also, both $m$ and $r$ are hashed to prevent tampering.

Verify:

Score: 6
Mathijs
How can 4 users generate a provable fair random number?

The past few weeks I have been trying to solve a difficult problem. I have asked some cryptography experts but unfortunately they had no clue on how to solve the problem.

The situation is as follows, an online casino wants to host an online bet, each bet can have a variable amount of players. For this example we will use four players. Each player wants to be sure that the outcome of the bet is ra ...

Score: 1
xsw2_2wsx
Understanding symmetric encryption security in relation to password-based key derivation

Here are some assumptions on which the question is based. If anything is wrong with this, please point this out straight away:

Let's say I have a file I want to encrypt with AES256 symmetric encryption. This requires a 256-bit key. It would be very hard to remember, though. In its original form it probably contains characters with no ASCII representation, and base64-encoded it would be over 32 charac ...

Score: 1
ostrich
Can a quantum attacker prove that incomplete ECDSA signatures were produced with the same key?

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

A quantum attacker obtains the first 32 bytes of each signature. However, the rest of each signature, the messages, the private key and the public key remain conceal ...

Score: -2
arjunballa
Can someone please explain RSA-OAEP in plain English mathematically?

RSA mathematics: https://youtu.be/4zahvcJ9glg

I understand how RSA works mathematically.

Can someone explain RSA-OAEP in plain English?

Score: 1
Florat
Concatenating RNG with PRNG

Is it secure to concatenate numbers from an RNG with numbers from a PRNG? I was thinking of throwing a die and using four outcomes as real random numbers, one outcome to change to the next permutation, and one outcome to add a pseudo-random number:

I generate a pseudo-random shuffled array from all permutations of the eyes:

shuffle([[1, 2, 3, 4, 5, 6], [1, 2, 3, 4, 6, 5], ...])

I choose the first ...

Score: 2
William Le
Is this how RS256 works in JWT?

I'm a newbie studying JWT with the RS256 algorithm for signing and verification. I have drawn a diagram that represents my understanding of how RS256 works.


Basically, below is what I have by far:

  1. header and payload after being trimmed are both base64url encoded
  2. base64url encoded header and payload are hashed using SHA256
  3. 2 resulting hashes from above will be joined by a dot "." to p ...
Score: 3
user1035648
Why do we need "selective security" for ABE?

  1. The general question is: Why are ABE schemes usually/sometimes proven in the selective-set of attributes model of security? Or even co-selective (both attributes and policy function)? Is it just because of difficulties in security proofs, i.e., reductions?
  2. More precisely, what are the limitations of the simulator in answering the adversary's secret key queries? Like generating secret keys by the simula ...
Score: 2
user212942
Why do we need to convert hashes to points on an elliptic curve?

In order to sign a message $m$, $m$ must be mapped to a point in $G_1$.

However, a point can be multiplied. Why can't I simply do $mG$?

Example:

  • $pk = [sk]G_1$
  • $m = hash(message)$
  • Signing: $s = m [sk] G_2$
  • Verify: $e(G_1, s) == e(pk, m G_2)$

Oh, if it is possible to convert $G_1$ to $G_2$, it seems possible to multiply the public key by $m$. Then:

  • Signing: $k = random, r = kG_2, s = [sk] (m + k)$
  • Verify: $e(G_1, sG_2) = ...
Score: 0
arjunballa
What is difference between Payload -> Sign (JWE) -> Encrypt (JWE) vs Payload -> Encrypt (JWE)-> Sign (JWE)?

In RSA® Adaptive Authentication for eCommerce specification, the below flows are described.

Payload -> Sign (JWS) -> Encrypt (JWE) | Decrypt -> Verify -> Payload

Payload -> Encrypt (JWE) -> Sign (JWS) | Verify -> Encrypt -> Payload

As per my understanding, the end result is the same: authenticity, data integrity and confidentiality are achieved in both flows.

Am I missing something?

Score: 2
kakacar
Protecting against CPA for AES128/ECB by using padding

I was going to encrypt with AES, but I noticed ECB mode is not safe against CPA. So I thought about preventing CPA by padding the input text to a multiple of 16 bytes.

First, perform a custom padding scheme: pad the input text and the secret text to 16 bytes "each" like this, so the input text will be a multiple of 16 bytes.

For example pad for 8 bytes, pad text is part of "12345678" in ASCII:

AAAAA   -> AAAAA123
A       ...
Score: 2
Sanu
Discrete log problem over special primes

I am trying to find discrete logs over $GF(P)$ using Cado-NFS (https://gitlab.inria.fr/cado-nfs/cado-nfs/-/blob/master/README.dlp). It works well for random primes. But if I take primes that are divisors of numbers of the form $2^n-1$ for some positive integer $n$, it gives an error. I use this in the terminal:

./cado-nfs.py -dlp -ell factor of P-1 target=a P

I am getting the following error:

Traceback (mo ...
Score: 3
ostrich
Given multiple incomplete ECDSA signatures, what can a quantum attacker learn in the following scenarios?

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

Let's analyze four threat models involving a quantum attacker:

  1. They obtain the first 32 bytes of each signature. However, the rest of each signature, the messages, the p ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.