Latest Crypto related questions

Score: 1
mactep Cheng
Is Lemma 4.5 in the PlonK paper correctly described?

In Lemma 4.5 of PlonK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge, they claim that we can construct a polynomial protocol $P^*$ with an $S$-ranged polynomial protocol $P$. However, in my opinion, I think it constructed $P$ using $P^*$ in the proof.

Specifically, in the last step of the construction, the verifier queries the identity of a polynomial (not in a ran ...

Score: 1
Benjamin V
Proving set membership using Plonky2

I'm not sure if this is a good place to ask, but I have some issues with using plonky2 to make a proof.

In particular, I want to prove that a private element is part of a set (i.e. $x \in X$), and that this same element is the primitive of a hash function (i.e. $\operatorname{SHA}256(x) = h$). The set $X$ and the hash $h$ are public, but I need to keep the value $x$ private.

It was fine to prove ...

Score: 1
Miral
Secure encryption in the presence of a keyservice

Imagine this scenario:

  • On a particular PC is a service that provides cryptographic functions -- in particular AES-CBC and ECC (ECIES/ECDSA).
  • The service provides access to a single key stored in an HSM -- the key itself is never visible to any software on the PC (including the service itself).
  • Copying the service software to another PC will not provide access to the same key, since the HSM doesn't foll ...

Score: 4
Andrew Rukin
ECDSA (ecrecover) - How an attacker can construct a hash and signature that look valid

I found information that it is possible to construct a hash and signature that look valid if the hash is not computed within the contract itself (we are talking about ECDSA/ecrecover here).

So, the task is to construct a hash + v, r, s that would resolve to a particular address using ecrecover(). I have access to several signed hashes.

Can anybody provide an additional clue how it would be possi ...

Score: 2
Claims about universally composable oblivious transfer, which ones are correct?

There are two papers that propose oblivious transfer protocols, both claiming to be universally composable (UC). The first protocol is more complex, and I am convinced that it is indeed UC. The second protocol is simple, but reminds me of the so-called "simplest OT protocol" of Chou and Orlandi, which is well-known to be not UC. Is the second paper making a mistake in claiming their protocol is UC?

 ...
Score: 1
blanNL
What are the computational limitations of ZkProofs using ZoKrates?

I'm trying to create a zk-proof of a neural network in https://github.com/berendjan/zk-neural-network using ZoKrates and PyTorch. The steps to reproduce are in the README.md

However, when computing the witness I run into errors

time ./run.sh 
Compiling network.zok

Compiled code written to 'out'
Number of constraints: 12697691
Performing setup...
Verification key written to 'verification.key'
Proving key  ...

Score: 2
GH HONG
Worst-case to average-case reduction in non-cyclotomic Ring-LWE

I understand that we need a power-of-2 cyclotomic ring to show that solving decision RLWE is as hard as solving search RLWE.

Is there any chance to prove it without 'cyclotomic' property?

For example, in NTRU Prime, using $\mathbb{Z}[x]/(x^p-x-1)$, can we show a worst-case reduction from LWE?

Score: 2
Anh Nguyễn Tuấn
Decrypt Merkle-Hellman Knapsack Cryptosystem without public key

I am reading the Lightweight Introduction to Lattices, and Challenge 8 is a problem that I struggle with quite a bit. Basically, the problem gives us an encrypted version of a message using the Merkle-Hellman Knapsack Cryptosystem. Each letter, before being encrypted, is converted into ASCII bytes (e.g. c: 01100011). Each number $c_i$ in the encrypted message $C$ has the value: $$ c_i = \sum_{j=1}^{8} m ...
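
For readers who want to see the mechanics behind the sum in the question, here is the honest Merkle-Hellman scheme with exactly that per-letter 8-bit encoding: keygen from a superincreasing sequence, encryption as a subset sum over the public key, and decryption by undoing the multiplier and running the greedy subset-sum on the private sequence. This is an added example, not code from the question or from the book it cites; the sequence, modulus and multiplier are constructed toy values, and the lattice attack the challenge is about is not part of it.

```python
"""Merkle-Hellman knapsack: key generation, encryption and private-key
decryption with one ASCII letter = 8 knapsack bits (constructed example)."""

# Private key: superincreasing w (each term exceeds the sum of all earlier
# terms), a modulus q > sum(w), and a multiplier r coprime to q.
W = [2, 3, 7, 14, 30, 57, 120, 251]   # constructed, superincreasing, sum = 484
Q = 491                                # constructed prime > 484
R = 73                                 # constructed, gcd(R, Q) = 1
R_INV = pow(R, -1, Q)

# Public key: b_j = r * w_j mod q, which is no longer superincreasing.
B = [R * w % Q for w in W]


def letter_to_bits(ch):
    """One ASCII letter -> bits m_1..m_8, most significant bit first."""
    return [(ord(ch) >> (7 - j)) & 1 for j in range(8)]


def encrypt(message):
    """c_i = sum_j m_j * b_j for each letter, the sum written in the question."""
    return [sum(m * b for m, b in zip(letter_to_bits(ch), B)) for ch in message]


def decrypt_with_private_key(ciphertext):
    """Undo the multiplier, then solve the superincreasing knapsack greedily."""
    out = []
    for c in ciphertext:
        # s = r^-1 * c mod q equals sum_j m_j * w_j exactly, because that sum
        # is at most sum(W) = 484 < q.
        s = R_INV * c % Q
        bits = [0] * 8
        for j in range(7, -1, -1):        # largest private term first
            if W[j] <= s:
                bits[j] = 1
                s -= W[j]
        if s != 0:
            raise ValueError("not a valid ciphertext for this private key")
        out.append(chr(int("".join(map(str, bits)), 2)))
    return "".join(out)


if __name__ == "__main__":
    ct = encrypt("crypto")
    print(ct)
    print(decrypt_with_private_key(ct))
```

The greedy step only works because the private sequence is superincreasing; the public sequence B is what an attacker sees, and recovering the bits from B alone is the (lattice) problem the challenge poses.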

Score: 1
Lorenzo
Secure multiparty computation protocols for stable matching?

Are you aware of papers proposing secure multiparty computation protocols for stable matching problems such as Stable Roommates and Stable Marriage problems?

Specifically, I would like the ranking of each party to be kept private and either reveal the whole output to everybody (all the pairings) or just reveal each pairing to the involved parties.

Score: 1
sudoExclaimationExclaimation
JavaScript SubtleCrypto - Is there a way to convert the ECDSA keys into a more "portable" format and preferably shorter?

I asked this question on StackOverflow but it seems like it's more appropriate for this Crypto community.

I am using the browser built in SubtleCrypto library in javascript to generate public and private keys as such:

let keyPair = await crypto.subtle.generateKey(
    {
        name: "ECDSA",
        namedCurve: "P-521",
    },
    true,
    ['sign', 'verify']
)
console.log(keyPair)
let exportedPu ...

Score: 0
Kanchan Bisht
How can we construct a ZKPoK which hides both $x$ and the witness $W_x$ in dynamic accumulators?

Consider a verification equation $ e(\Delta,\tilde{G}) = e(W_x,x\tilde{G}+pk_{acc})$ from a pairing based accumulator which uses the value $x$ and the corresponding witness $W_x$ to verify that a value $x$ is accumulated in the accumulator $\Delta$.

For an anonymous credential system with multi-show unlinkability, we often need to present a ZKPoK $\pi_v$ showing that $x$ is accumulated in $\Delta$ without  ...

Score: 5
constantine
The rigorous proof in the commitment based on CRHF

I'm reading the lecture notes of Yevgeniy Dodis. Lecture 14, section 2.3.2, gives a commitment construction based on a CRHF, but the proof of hiding is high-level. I want to know the rigorous proof of why, even subject to $u(x)=m$, the distribution of $u$ still looks almost uniform to the adversary, independent of $m$.

Thanks for any help, hint or reference.


What's more, if we change the ...

Score: 2
Enthusiast
Why are points at infinity relevant in twisted Edwards elliptic curves?

I've been navigating through many of StackExchange's history questions about point at infinity, and there's something that still doesn't "click" for me.

Let me share my understanding (and its logic), and maybe it will become apparent where I fail.

Let's say I have an elliptic curve equation, particularly a Twisted Edwards Curve equation. The first thing to note, contrary to 90% of texts on the internet, the  ...

Score: 7
Alfe
Providing tokens for anonymous survey

I want to conduct an anonymous Internet survey (e.g. “What’s your favorite fruit?” with a multiple choice answer) among a given set of people. Double answers by the same participant are not allowed.

I’m looking for a method to conduct this survey using only e-mail and a web page (and maybe trusted software) in a way so that the participants can be sure it is anonymous and that the conduc ...

Score: 3
user10433098
How does TLS 1.3 restrict the Diffie-Hellman parameters to ones that are known to be secure?

In previous versions of TLS, the choice of the Diffie-Hellman parameters was up to the participants. This resulted in some implementations choosing incorrectly, resulting in vulnerable implementations being deployed. How does TLS 1.3 take this choice away?

How are the $X = g^x \bmod p$ and $Y = g^y \bmod p$ values determined when creating a pre-master key in TLS 1.3?

Score: 1
user109261
Feldman Verifiable secret sharing verify

I recently started to learn about Shamir secret sharing and Feldman's VSS scheme. I know the concepts, but I can't figure out how it works, mostly because many of the moduli are $p$ and some of them are $q$. I can't find a good sample that helps me understand it better.

here's the example I am working with:

assume that I want to work with $q = 59$ and my prime for Shamir secret sharing, an ...
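
The two moduli are the usual stumbling block, so here is a complete Feldman VSS round with them kept strictly apart: the polynomial, the shares and the Lagrange reconstruction live in $\mathbb{Z}_q$, while the commitments $g^{a_j}$ and the share check live in the order-$q$ subgroup of $\mathbb{Z}_p^*$. This is an added example, not code from the question: $q = 59$ is the question's value, $p = 709$ is a constructed prime with $q \mid p-1$ ($708 = 12 \cdot 59$), and the secret and coefficients are constructed.

```python
"""Feldman VSS with q = 59 (from the question) and a constructed p = 709.
Shares and polynomial arithmetic are mod Q; commitments are mod P."""

P = 709   # constructed prime; commitments g^a live in Z_P^*
Q = 59    # from the question; shares and coefficients live in Z_Q
assert (P - 1) % Q == 0   # needed so that Z_P^* has a subgroup of order Q


def subgroup_generator():
    """An element of Z_P^* of order exactly Q: h^((P-1)/Q) for the first h
    where that power is not 1."""
    for h in range(2, P):
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g
    raise ValueError("no generator found")


G = subgroup_generator()


def deal(coeffs, n):
    """coeffs[0] is the secret; f(x) = sum_j coeffs[j] x^j over Z_Q.
    Returns the n shares (i, f(i)) and the commitments C_j = g^coeffs[j] mod P."""
    shares = [(i, sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q)
              for i in range(1, n + 1)]
    commitments = [pow(a, 1, Q) and pow(G, a, P) or 1 for a in coeffs]
    return shares, commitments


def verify_share(i, s_i, commitments):
    """Feldman check in Z_P^*: g^{s_i} == prod_j C_j^{i^j}.
    The exponent i^j may be reduced mod Q because every C_j has order Q."""
    lhs = pow(G, s_i, P)
    rhs = 1
    for j, c_j in enumerate(commitments):
        rhs = rhs * pow(c_j, pow(i, j, Q), P) % P
    return lhs == rhs


def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_Q from any t shares."""
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    shares, commits = deal([42, 7, 13], n=5)      # secret 42, threshold 3
    print(shares)
    print([verify_share(i, s, commits) for i, s in shares])
    print(reconstruct(shares[:3]))
```

The commitment list uses `pow(G, a, P)` for every coefficient including a zero one (where it is simply 1); the `and/or` form just makes that explicit. Note which numbers never touch $p$: the shares, the Lagrange coefficients and the secret itself. A share that has been computed mod $p$ instead of mod $q$ fails `verify_share`, which is exactly what the commitments are there to catch.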

Score: 0
Hern
Digital signature with challenge and response with PQC

Can the ECDSA signing and verification process replace a password-hash-based login system?

The title of this question won't be exactly right.

This is a question that I asked a long time ago. I would like to ask whether the same application or underlying mechanism is still applicable, or still considered secure, when using standardized PQC algorithms that have gone through a lot of cryptanalysis.

In suc ...

Score: 1
R. Jalaei Salahi
Bit based division property

Bit-based division property is a great method of integral attack on block ciphers, which was invented by Y. Todo. According to the paper Bit-Based Division Property and Application to Simon Family (in proceedings of FSE 2016), how does the set $[11110000]$ propagate to the sets below?

$[11110000]\rightarrow [11110000]; [11000010]; [01110010];$
$[01100001] \rightarrow [01100001]; [01000011];$
$[10110 ...

Score: 2
kerf
Regev's proof of quantumly approximating $\sum_{x \in L}\sqrt{{\rho_{r}(x)}}|x\rangle$

In Regev's paper (the right link now), in Lemma 3.12, can someone explain to me how we get from Eq. (15) to the next one?

(1) We can only have a superposition of finitely many states, so how can we manage to store $x \bmod \mathcal{P}(L)$? Isn't this set uncountably large?

(2) Afterwards we measure that register and get a $y \in \mathcal{P}(L)$. Also, after the measurement we obtain $$\sum_{x \in L+y}^{}{\rho_{ ...

Score: 2
John dow
Deterministic EC key derivation with anonymity and proofs

Following up on this question

There are 4 parties:

  • Alice, who needs to prove possession of some statement $m$, unique to her, say a street address, which is basically a string of some predefined format, to
  • Bob, who consumes the proof.
  • an Oracle, who "helps" Alice prove $m$ by performing some external checks and signing a tuple of ("Alice", $m$, timestamp)
  • A good Samaritan Sam, who wants to help Alice p ...

Score: 1
Tooba
Threshold Paillier encryption key generation time

I have used the threshold version of Paillier encryption without a trusted dealer in an application. I have tested the key generation phase with different security key sizes such as 80, 512, 1024, and 2048 bits.

With each security size, the key generation time is different and unpredictable due to the randomness involved in it. Let's say, with 80 bits, sometimes it takes 20 seconds and sometimes  ...

Score: 1
dddr rddd
Is it possible to generate a random hash that is a preimage of the current hash?

In one online crash game website (casino betting game), every game has a hash that is made public after the plane crashes and the crash coefficient is supposed to be random. The coefficient can be retrieved using the game hash (so if you know the game hash you know the crash coefficient).

But what I find unclear is that the hash of the current game is nothing other than the hash of the hash of the ...

Score: 5
Enthusiast
Leaking key when adding small order point

I was (trying to) read the following paper: https://eprint.iacr.org/2015/673.pdf

Page 2 says:

A related attack is to replace a point P with P + T, where T lies in a small subgroup. If the user multiplies by a scalar s, they will get sP + sT instead of sP, where the difference sT gives away the low-order bits of s. Therefore, it isn’t always enough to reject points in the small subgroup.

I don't full ...
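
The quoted paragraph can be run end to end on a toy curve. Below is an added example, not code from the question or the paper: the textbook curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ has 28 points, so it has a prime-order subgroup of order 7 and a small subgroup of order 4 with a point $T$. The attacker sends $aG + T$ (which is not itself in the small subgroup, so a "reject small-subgroup points" check passes), the victim multiplies by its secret $s$ and returns a key-confirmation value, and the attacker brute-forces the 4 possibilities for $sT$ to learn $s \bmod 4$, i.e. the two low-order bits. The keys and the confirmation value are constructed for the illustration; the last function shows the check that actually stops it (membership in the prime-order subgroup).

```python
"""Small-subgroup (P + T) attack on a toy curve, and the subgroup check that
prevents it. Curve: y^2 = x^3 + x + 1 over F_23 (28 points, cofactor 4)."""
import hashlib

P_MOD, A, B = 23, 1, 1
INF = None                         # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine group law with INF as identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                     # p2 == -p1 (covers doubling a 2-torsion point)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication for k >= 0."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


POINTS = [INF] + [(x, y) for x in range(P_MOD) for y in range(P_MOD)
                  if on_curve((x, y))]
N_TOTAL = len(POINTS)                 # 28 for this curve
N_PRIME = 7                           # order of the intended subgroup
COFACTOR = N_TOTAL // N_PRIME         # 4
assert COFACTOR * N_PRIME == N_TOTAL

# T: a point of order exactly 4 (7R with 14R != INF); G: a point of order 7.
T = next(mul(N_PRIME, r) for r in POINTS
         if mul(N_PRIME, r) is not INF and mul(2 * N_PRIME, r) is not INF)
G = next(mul(COFACTOR, r) for r in POINTS if mul(COFACTOR, r) is not INF)


def confirm(pt):
    """Key-confirmation value derived from the shared point (a stand-in for a
    real KDF + MAC; anything the attacker can compare against will do)."""
    return hashlib.sha256(repr(pt).encode()).hexdigest()


def victim_respond(secret, peer_point):
    """Victim multiplies whatever point it received by its secret scalar."""
    return confirm(mul(secret, peer_point))


def attacker_recover_low_bits(a, victim_pub, tag):
    """Attacker sent aG + T, so the victim computed s(aG + T) = a(sG) + sT.
    a(sG) = a * victim_pub is known; sT takes only COFACTOR values."""
    known = mul(a, victim_pub)
    for j in range(COFACTOR):
        if confirm(add(known, mul(j, T))) == tag:
            return j                   # == s mod COFACTOR
    return None


def accept_peer_point(pt):
    """The fix: require membership in the prime-order subgroup (n*P == INF),
    not merely 'P is not in the small subgroup'."""
    return pt is not INF and on_curve(pt) and mul(N_PRIME, pt) is INF


def run_attack(secret, a):
    """Returns (what the attacker recovered, s mod COFACTOR) for comparison."""
    victim_pub = mul(secret, G)
    malicious = add(mul(a, G), T)      # passes a naive small-subgroup rejection
    tag = victim_respond(secret, malicious)
    return attacker_recover_low_bits(a, victim_pub, tag), secret % COFACTOR


if __name__ == "__main__":
    print(run_attack(19, 3), accept_peer_point(add(mul(3, G), T)))
```

With cofactor 8 on Curve25519 the same trick leaks $s \bmod 8$, which is why X25519 clamps the low three bits of the scalar to zero rather than relying on callers to validate points.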

Score: 2
user1936752
Can a 3-coloring for a graph be represented as a circuit?

I was looking at a layman explanation for zero-knowledge proofs in zk-SNARKs here.

The idea there is that if one knows a solution (3) to a question (find a value of x satisfying x^3 + x + 5 = 0), then one can prove this using a circuit to represent the computation and its intermediate variables. Further details on how to do the zero knowledge proof are not important for this question.

Is this a gen ...
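
Graph 3-colouring does translate into the same kind of circuit: a list of rank-1 constraints of the form left × right = out over a prime field, which is the shape circuit-based zk-SNARK front ends compile to. The added example below (not code from the question or from the linked explainer) builds those constraints for a small graph, has the prover fill in the helper wires a circuit needs (the inverse of each edge's colour difference is what encodes "not equal"), and checks witnesses. The field size, the 4-vertex graph and the colourings are constructed toy values.

```python
"""3-colouring as rank-1 constraints (left * right == out) over a prime field,
with a witness builder and a satisfiability checker. Constructed example."""

FIELD = 101   # constructed small prime; any prime field works the same way


def three_colouring_constraints(edges, n_vertices):
    """Each constraint is (left, right, out); each side is a linear form
    {variable: coefficient}. Variables: 'one' (constant 1), 'c_v' (colour of
    vertex v), 't_v' (helper = c_v*(c_v-1)), 'inv_u_v' (inverse of c_u - c_v)."""
    cs = []
    for v in range(n_vertices):
        # c_v in {0, 1, 2}:   c_v * (c_v - 1) = t_v   and   t_v * (c_v - 2) = 0
        cs.append(({f"c_{v}": 1}, {f"c_{v}": 1, "one": -1}, {f"t_{v}": 1}))
        cs.append(({f"t_{v}": 1}, {f"c_{v}": 1, "one": -2}, {}))
    for u, v in edges:
        # c_u != c_v  <=>  c_u - c_v is invertible:  (c_u - c_v) * inv_u_v = 1
        cs.append(({f"c_{u}": 1, f"c_{v}": -1}, {f"inv_{u}_{v}": 1}, {"one": 1}))
    return cs


def witness(colouring, edges):
    """Prover side: colours plus the helper wires. Returns None when the
    colouring is invalid, because no inverse exists for a zero difference."""
    w = {"one": 1}
    for v, c in enumerate(colouring):
        w[f"c_{v}"] = c % FIELD
        w[f"t_{v}"] = c * (c - 1) % FIELD
    for u, v in edges:
        d = (colouring[u] - colouring[v]) % FIELD
        if d == 0:
            return None
        w[f"inv_{u}_{v}"] = pow(d, -1, FIELD)
    return w


def evaluate(linear_form, w):
    return sum(coeff * w.get(var, 0) for var, coeff in linear_form.items()) % FIELD


def satisfied(constraints, w):
    """Verifier side: every constraint must hold on the assignment."""
    return all(evaluate(l, w) * evaluate(r, w) % FIELD == evaluate(o, w)
               for l, r, o in constraints)


if __name__ == "__main__":
    edges = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]   # constructed graph
    cs = three_colouring_constraints(edges, 4)
    print(len(cs), satisfied(cs, witness([0, 1, 2, 1], edges)))
```

The checker rejects both kinds of cheating a prover might try: a "colour" outside {0, 1, 2} fails the cubic constraint, and an equal-coloured edge fails the inverse constraint no matter what value is supplied for `inv_u_v`, since 0 times anything is never 1.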

Score: 1
randmin
Inconsistent SHA256 checksums

I encounter an odd issue when I calculate SHA256 checksums in Javascript. I use the following code:

const hashBuffer = await window.crypto.subtle.digest("SHA-256", arrayBuffer)
const hashArray = Array.from(new Uint8Array(hashBuffer));
const hashHex = hashArray
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");

Afterwards I transfer the data to a server that calculates the checksum for  ...

Score: 1
The Thin Whistler
How many $S$-Boxes of length $3$ are there over $\mathbb{F}_{2}$?

Is there a simple way of counting the number of $S$-boxes of length $\ell$ over $\mathbb{F}_{2}$? By $S$-box I mean an $S$-box satisfying the avalanche condition.

I mean, it is quite easy to see that for $\ell=2$ the answer is $0$, but I want to know if there is a general formula, specifically for $\ell=3$.

Score: 5
ehanoc
RFCs & IANA specs about Ed25519 inaccurate?

While designing a crypto system based on existing standards and specifications, I find myself questioning some of the accuracy of the current RFC 8037 and IANA specs around Edwards curves, Curve25519 and Ed25519 notation.

In RFC 8037, they say that the public key in its compressed form (32 bytes) should be represented by X. But in Edwards curves, unlike Montgomery (Curve25519), shouldn't it be Y with a sign bit for ...

Score: 3
tesoke
Division of two Elliptic curve points in KZG polynomial commitment scheme!

I have some issues understanding the verify round of the KZG polynomial commitment scheme. The following diagram is associated with the scheme. I appreciate any help.

To verify, the verifier should compute the pairings $e(g^{f(\tau)-f(u)}, g)$ and $e(g^{\tau-u}, g^{q(\tau)})$.

However, to compute these pairings, the verifier should compute $g^{f(\tau)-f(u)}$ and $g^{\tau-u}$ first. So, we see that $g^ ...

Score: 1
CreativeDesign
Issue with AWS Encryption SDK for JavaScript in Browser: 'Buffer is not defined'

I'm trying to implement AWS Encryption SDK for JavaScript in a browser environment within a React application. When I attempt to construct an instance of the encryption client using buildClient function with CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT policy:

const { encrypt } = buildClient(CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT);

I am met with an error message:

ERROR
Buffer is not ...

Score: 1
sadcat_1
How does changing one of AES encryption stages affect its security?

With regard to AES encryption on blocks, the next diagram shows how a change in one cell of the block (every cell is a byte) creates a change in the encryption of ALL cells (diagram not reproduced).

Now I have the next question, from a network security course: say we change the "Mix Columns" stage to be "Rotate Clockwise", which works as follows (diagram not reproduced):

Is the new AES now more vulnerable to chosen-plaintext attacks? So far, I ...
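
The effect of the swap can be measured directly: MixColumns is the only AES step that lets one byte influence other bytes, so replacing it with any byte permutation (a clockwise rotation of the state included) leaves each ciphertext byte a function of exactly one plaintext byte, however many rounds are run. The added example below (not code from the question or the course it mentions) builds the AES S-box from its definition, implements SubBytes, ShiftRows and both column steps, and counts how many output bytes change when one input byte is flipped. The round key is a constructed constant, since differences pass straight through the key addition, and "Rotate Clockwise" is taken to be a 90-degree turn of the 4x4 state (an assumption; any byte permutation gives the same count).

```python
"""Byte diffusion of the AES round with MixColumns versus with MixColumns
replaced by a byte permutation ("rotate clockwise"). Constructed example."""


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r


def _build_sbox():
    """S-box from its definition: multiplicative inverse, then the affine map."""
    inverse = {0: 0}
    for a in range(1, 256):
        inverse[a] = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    box = []
    for a in range(256):
        x = inverse[a]
        s = x
        for _ in range(4):                       # s = x ^ rotl(x,1..4)
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()

# State: 16 bytes in AES column-major order, byte (row r, column c) at r + 4c.


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Real AES: each output byte depends on all four bytes of its column."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
                gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)]
    return out


def rotate_clockwise(s):
    """Assumed 'Rotate Clockwise': new[r][c] = old[3 - c][r], a pure permutation."""
    return [s[(3 - c) + 4 * r] for c in range(4) for r in range(4)]


ROUND_KEY = bytes(range(16))   # constructed constant; differences ignore it


def encrypt_rounds(block, rounds, column_step):
    s = list(block)
    for _ in range(rounds):
        s = [b ^ k for b, k in zip(column_step(shift_rows(sub_bytes(s))), ROUND_KEY)]
    return s


def active_bytes(rounds, column_step, block=bytes(16), pos=0):
    """How many output bytes differ when input byte `pos` is flipped."""
    other = bytearray(block)
    other[pos] ^= 0x01
    a = encrypt_rounds(block, rounds, column_step)
    b = encrypt_rounds(bytes(other), rounds, column_step)
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for r in (1, 2, 10):
        print(r, active_bytes(r, mix_columns), active_bytes(r, rotate_clockwise))
```

With MixColumns a single-byte difference reaches a full column after one round and the whole state after two; with the rotation it stays one byte forever, so the modified cipher is a set of 16 independent byte-wide substitutions, which a chosen-plaintext attacker tabulates byte by byte.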

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.