Latest Crypto related questions

I must verify an HTTP signature to guarantee the origin and integrity of a webhook data: https://www.blockcypher.com/dev/bitcoin/#webhook-signing

This is their x509 PKIX encoded signing key's public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

I am following this specification to construct the signing string: https: ...

So I understand how one can use Fiat-Shamir to turn a HVZK sigma protocol into a non-interactive zk protocol in the random oracle model. My problem though is I don't understand why is this useful.

If I wanted to use a NIZK in something and I choose a protocol based on Fiat-Shamir, this would mean I have to choose a hash function which surely invalidates the zk proof in the ROM. So do I know anyth ...

What is a good method to generate random numbers between 0 and n from random bits?

For example, I have a one million random bits generated according to NIST SP 800 90 publications. Now I need to generate random numbers between 0 and 100 (inclusive) using these random bits. Few possible methods i could think of are

Read 7 bits, convert these to a number (0 to 127), store the number if its <= 100,  ...

Say a server wants to hash a password $p$. It would use a secure hash function $H$ and a unique salt $s$ to hash the password as $H(p,s)$. If one has access to the salt, each password candidate requires one run of the hash function to be ruled out; the same amount of time it would take for the server to verify a password candidate.

If, on the other hand, the password was hashed as $H'(p,s+r)$, wh ...

I'd like to create a custom type of sortable GUID by concatenating an 8-byte nanosecond timestamp, 6 random bytes, a 1-byte node number, and a 1-byte counter. But, such a precise timestamp can be used to enact very effective side-channel attacks if it can be related to the execution time of other cryptographic operations being done on the same system. It'd be ideal to conceal them in some invertible way ...

I am working on a project for my maths assessment where I research the effect of complexity and length on a given password. Currently, I am working on calculating the probability of guessing a password on the first try. I assumed that I had to start from entropy and go from there but I am kind of stuck on which formula to use in order to find the probability.

I considered 1 / (2^entropy) but I am not su ...

I'm implementing 128-bit AES-GCM (but only the encryption/AES-CTR aspect).

When I set the Secret Key, Plaintext and IV to Test Case 2, page 27 of the GCM spec (see below) I get the wrong value for the output of the cipher block (before we XOR).

https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf

Inputs:

K       00000000000000000000000000000000
P       000000000000 ...

With PHP, I'm trying to setup a HTTP signature verification for webhook requests coming from BlockCypher: https://www.blockcypher.com/dev/bitcoin/?php#webhook-signing

This is their public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

This is an HTTP request that I've collected using RequestCatcher:

POST / HTTP/1.1
Host: 2 ...

I'm following ZK MOOC: https://zk-learning.org/

After some previous readings about these topics, I was believing to have understood that, stated that non-interactivity isn't attainable in standard/plain model, there were to alternatives B-plans:

• Fiat-Shamir heuristic for public coin IPs requiring the acceptance of ROM (Random Oracle Model)
• or CRS (Common Reference/Random String) assuming a trusted setup ...

I am currently studying OFB mode, and one of the vulnerability mentioned for it is that if two different messages have a block at the same position in the ciphertext, and have same plaintext, the attacker can figure out the encryption function output for that particular block. This was brought up to highlight the danger of reusing IV, so this is assuming that same IV and key are used.

I understan ...

Below is part of AES GCM diagram. However, it only shows the behavior of the IV/counter.

The GCM specification examples state both an IV and a Secret Key as two inputs.

Can someone please explain where both are used?

Is the 96 bit IV expanded to 128 bits, incremented (most-significant byte?) and used to create the AES Key Expansion?

And the Secret Key is passed (with the Key Expansion) to E_k for encry ...

Assume we have message M, key K, and MAC = hmac-256SHA(M, K).

I wonder if an attacker can figure out the Key K if the attacker knows the Message M and MAC

What family of bilinear pairing is recommendable for BLS signature when the overriding criteria is compactness of the signature, as desirable for something to be keyed-in from printout, or embedded in a small QR-code?

Is there something giving signature size lower than ≈384 bit for 128-bit conjectured security, as in this draft RFC, which is no more compact than a more conservative and faster s ...

I'm currently looking into pairing-based cryptography and I stumbled upon the definition of the properties bilinearity, computability and non-degeneracy.

Now I have a problem with understanding the non-degeneracy and how it is important to the security of elliptic curve cryptography. I have not found a paper that goes into detail about it, only from a mathematical standpoint which is a little to  ...

I'm developing a desktop application where the users will login with username and password, which is then verified against a database. After the initial login, the current user should be automatically logged in each time the application is started (until the user logs out or 1 month has passed).

I could encrypt and store the last successful username and password on the computer, but the decryptio ...

I have this password hash: $argon2i$v=19$m=128,t=2411,p=2$hmJvvpH3BZlvb2V1vLm/yf3zANU4qNpKuw5TBnGzo2I$<censored>.

I know the password, and I want to verify if this password will produce the same hash the the above. Using an online argon2 hashing site: https://antelle.net/argon2-browser/

My problem is I don't know how to convert the salt into the right format for hashing.

As part of mitigating side-channel attacks, which is the most efficient? Masked cryptography or differential power analysis-resistant cryptography? Or are they both similar?

I want to implement proxy re-signature on elliptic curve.

I've been thinking about ideas like the one below, but are there any problems?

Key Generate:

• $a = $ alice's secret key
• $aG$ = alice's public key
• $b = $ bob's secret key
• $bG = $bob's secret key
• $rk_{ab} = aP * b^{-1} = a/bG$

First Sign:

• $Pm$ is hashed point
• $k = $ random
• $r = ka^{-1}$
• $z = e(G, G)$
• $s = z^kPm$

Resign:

• $r' = rk_{ab} * r ...

In NIST’s ‘competition’ to obtain new public key crypto which resists Shor’s algorithm (aka ‘post quantum cryptography’), two algorithms to make it into the third and fourth rounds have been catastrophically broken (Rainbow over a weekend on a laptop and SIDH/SIKE in an hour on a single core), while others have been shown to have less security than required by NIST (https://zenodo.org/record/ ...

I have theses output on curve for jacobian coordinates which I made doubling for (3,10,1) to get (17,21,20) then I made addition for all points to get this results:

     1     3    10     1
     2    17    21    20
     3    11    13     7
     4    20    21    14
     5     2     6     6
     6     9     1     8
     7    14    18     8
     8     6    13     2
     9     0    20    11
    10     3    ...

I have a small ARM M0 SoC and a smartphone as actors. Encryption keys used are Elliptic curve.

My current security is implemented such that:

1. the SoC has 128 bit hashes of phone public keys (vs 512 bit - due to storage space constraints)
2. the phone has the SoC's public key
3. the phone sends its own public key during negotiation
4. step 3 establishes grounds for ECDH on both sides. From here encrypted co ...

Recently, I've been working on disk encryption. I started with the AES-XTS mode which is the standard for this purpose and tried to understand the concept of disk encryption in general.

I know that AES-XTS is preferable from many aspects for disk encryption as long as authentication is not requested. You don't need to store additional data for an authentication tag or IV and it is more resistant ag ...

Referring to the AES specification:

https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf

Printed pages 35-37...

The first detailed walkthrough is encryption, the second is decryption.... I don't understand what is the third, "equivalent inverse cipher (decrypt)"?

How can there be two decryption techniques?

I need to use the following scenario: There are 2 keys: AES-key and OTP-key (one-time pad). I encrypt the AES-key (as if it were plaintext) with an OTP key. Then I send the encrypted AES-key to another person who has the same OTP-key on which the AES-key was encrypted. This person decrypts the AES-key. Is it safe for him to use this AES-key to encrypt plaintext on it in CBC mode? And the second question ...

I'm kind of confused about this, I have read that nodes in Merkle Patricia tries are key-value pairs, can someone provide a proof of membership for a data in a Merkle Patricia Trie just as he would with a Merkle tree? That is, providing hash of some nodes and allowing the other party to calculate the rest?

Does Index calculus work on secp256k1?

I did a search but couldn't find answers, Can I use Index calculus to find private key of the elliptic curve secp256k1?

I am new to lattice theory. I hope(will be grateful) that one could explain to me this claim 7 in REGEV course(this claim appears in this file page 6 : https://cims.nyu.edu/~regev/teaching/lattices_fall_2004/ln/introduction.pdf) which states that : The successive minima of a lattice are achieved i.e., for every 1 ≤ i ≤ n, there exists a vector vi ∈ Λ with ‖v_{i}‖ = λi(Λ).

Thank you,

I'm trying to figure out how to convert a circuit into a Square Arithmetic Program (SAP). This is to eventually use it for zk-SNARKs such as Groth16. I do however understand how to convert arithmetic circuits into Quadratic Arithmetic Programs (QAP). As an example if we have the following circuit $c_1 \cdot c_2 = c_3$. Here we would define the following three polynomials: $L_1 = R_2 = O_3 = x$ (where  ...

Through " Why do we need to convert hashes to points on an elliptic curve? ", I found out why Hashing to Point is necessary.

However, using the algorithm below can sign and verify without Hasing to Point?

• $a$ is secret key
• $H$ is scalar hash function

Sign:

• $k = random (mod\ r)$
• $r = kG_2$
• $s = a (H(m||r) + k)$ : If don't know k, won't know a. Also hashing both m and r to prevent tamper.

Verify:

The past few weeks I have been trying to solve a difficult problem. I have asked some cryptography experts but unfortunately they had no clue on how to solve the problem.

The situation is as follows, an online casino wants to host an online bet, each bet can have a variable amount of players. For this example we will use four players. Each player wants to be sure that the outcome of the bet is ra ...