# Latest Crypto related questions

Score: 1
Proof that exchanged variable was not modified with MITM

If I understand correctly, the core of a man-in-the-middle attack is being able to replace an exchanged variable (public key) with another.

Hence, to detect a MITM one needs to check that the exchanged public key is truly the same for both A and B, and to defend against MITM one needs to be able to exchange a variable without it being modified.

I'd imagine it should be possible to detect a change in varia ...

Score: 0
SHA-256 doesn't follow a uniform distribution?

I have been playing with SHA-2-256 in Julia and I noticed that the hashes produced don't appear to follow a uniform distribution. My understanding of secure hashing algorithms is that they should approximate a uniform distribution well, so they are not predictable.

Here is the Julia code I'm using:

```julia
using BitIntegers, Distributions, HypothesisTests, Random, SHA

function sha256_rounds()
    rounds::Arr ...
```

Score: 1
What if the other user generates the Session Key rather than the KDC for Key Establishment

I'm studying Key Establishment Using a Key Distribution Center. From my understanding, the KDC contains all the users' private keys. For example, if Alice wants to talk with Bob, Alice sends a request to the KDC using Request(IDAlice,IDBob), and the KDC generates a random session key and encrypts the session key with Alice's key and Bob's key. Alice receives the encryptwithAliceKey(SessionKey),encryptwithBo ...

Score: 0
QKD: measuring a qubit with the wrong basis

I'm trying to finish the research work for my master's thesis about BB84 QKD (and QBC), and a basic problem of quantum mechanics is blocking me.

I'm trying to do a probability calculation of the action of measuring a qubit in the wrong basis. In the literature, I've always found the statement:

When Bob chooses the wrong basis for measuring a qubit, the result will be completely random.

But what exactly d ...

Score: 2
Difference between fuzzy vault and fuzzy commitment?

https://dl.acm.org/doi/10.1145/2905055.2905118

Quoting the above paper's abstract, "Biometric cryptosystem can apply fuzzy vault, fuzzy commitment, helper data and secure sketch, whereas, cancelable biometrics uses distorting transforms, Bio-Hashing, and Bio-Encoding techniques."

It differentiates between a fuzzy vault and a fuzzy commitment scheme. How are the two different? Where does fuzzy ext ...

Score: 2
What is the global resource expense (financial, energy, computing power & time) due to the need for cryptography?

Classic disclaimer: there may be a better place to ask this question, if so comment and I will be happy to move it.

An example I'm looking for is related to recent scrutiny over energy consumption of bitcoin, such as here although there is no math in this example.

An example similar in nature is the math behind the question, "how long would it take to crack 128 AES"? -- Example 1 -- Example 2- from this  ...

Score: 2
Designated verifier signature from Diffie–Hellman and a MAC

Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the M ...

Score: 1
Where to store salt for PBKDF2 and initialization vector for AES via WebCrypto

I would like to build secure notes via javascript and webcrypto.

I have found the possibility to generate a strong key via PBKDF2 and encrypt data via AES.

Here is a sample of how to generate a key via PBKDF2 in WebCrypto, where a salt is required:

```javascript
function getKey(keyMaterial, salt) {
  return window.crypto.subtle.deriveKey(
    {
      "name": "PBKDF2",
      salt: salt,
      "iterations": 10 ...
```

Score: 1
How secure is it to use a 128-bit random seed to derive a 256-bit key for seeding key-pair generation?

We are developing an open-source peer-to-peer app, Mapeo, designed for users with low technical experience (and no email or phone) to collect data in offline environments. We are generating their identity on the device for each project as a public-private keypair using libsodium crypto_sign_keypair.

To support identity recovery in the case of device loss or switching to a new device, we want to use  ...

Score: 1
Is it okay to avoid a plaintext IV in AES?

### The scenario

Using AES 256 with CBC mode. (Authentication is done separately. Ignored here.)

### The goal (explained more later)

To avoid sending an unencrypted IV.

But since this is being done using .NET whose function forces us to use an IV, we can't just prepend 16 random bytes and then toss away the first 16 bytes after decryption.

### The plan

Prepend 16 random bytes ("IV1"), and besides that use 16 b ...

Score: 0
Teaching AI a cryptogram and asking it to solve a similar cryptogram on its own

Say that one cipher and another are known to hold some form of correlation. Would it be possible to teach an AI one language through the training of a model and allow it to make predictions on another?

If so, how? Has this been done before?

Score: 1
Convert secp256k1 private key to sr25519 private key

Is it possible to convert a secp256k1 private key to a valid sr25519 key?

Score: 0
Key exchange with a property as certificate

I am searching for a key exchange protocol that makes use of certificates. I already came across protocols like Authenticated Diffie-Hellman key exchange, but this protocol uses public/private key pairs that are discussed beforehand. To solve this, they have a CA which can sign the authenticity of the public key.

However, the protocol I am looking for would only be able to send a signed certificate  ...

Score: 5
Is qTesla Secure?

qTesla is a signature scheme and a submission to the NIST post-quantum standardization process, which made it to the second round. It is based on the hardness of RLWE. The NIST round 2 status report says that it didn't make it to round 3 because:

the performance of the remaining parameter sets of qTESLA is not strong enough to remain competitive. In particular, the public key sizes of q-TESLA-p-I  ...

Score: 5
What is the definition of function index

I'm reading through Indistinguishability Obfuscation from Well-Founded Assumptions and in Definition 3.1 describing sPRG, it mentions "samples a function index I." Can someone explain what a function index is in this context?

Score: 4
Is there any result which states that if the output of these two functions is XOR'd, the XOR'd output is pseudorandom

Let $$\mathbb{G}$$ be a group of prime order $$p$$ with generator $$g$$. Suppose that I randomly pick $$r_1,z_1 \leftarrow \mathbb{Z}_p$$ and $$r_2, z_2 \leftarrow \mathbb{Z}_p$$ and $$c \leftarrow \mathbb{G}$$. Let $$\alpha = g^{r_1z_1}g^{c}$$ and $$\beta = g^{r_2z_2}g^c$$. By the semantic security of El-Gamal encryption, both $$\alpha$$ and $$\beta$$ are indistinguishable from random numbers ... Suppose that $$\alpha$$

Score: 1
Is it safe to use the same password for both VeraCrypt volume and Windows Login?

I encrypted my entire volume with Veracrypt which prompts on start up and asks for a password, great.

Now, after every startup is finished, or every time I leave the computer unattended (after a quick Windows key+L), there is only the Windows password to protect my computer. So is it safe to use the same password for both VeraCrypt and Windows, considering how full of glitches and backdoors Windows is?

Thanks

Score: 1
conflicting definitions for dP / dQ and exponent1 / exponent2 in PKCS 1?

In Section 2 dP and dQ are defined thusly:

```
dP             p's CRT exponent, a positive integer such that
               e * dP == 1 (mod (p-1))

dQ             q's CRT exponent, a positive integer such that
               e * dQ == 1 (mod (q-1))
```

In Appendix A.1.2 we have this:

```
o  exponent1 is d mod (p - 1).
o  exponent2 is d mod (q - 1).
```

I believe exponent1 = dP a ...

Score: 4
Groth16 simulate zero-knowledge proof for invalid statement

The zero-knowledge property of the Groth16 (https://eprint.iacr.org/2016/260, page 8) non-interactive zero-knowledge argument is based on the existence of a simulator $$\text{Sim}$$ generating "fake" proofs for valid statements $$(\phi, w) \in R$$ without knowledge of the witness $$w$$ for statement $$\phi$$.

My question is whether for Groth16 there also exists a simulator $$\text{Sim}'$$ to generate "fake" ...

Score: 4
A question about performing quantum computations on uniform superpositions

Let us consider the following situation. Let $$U_f$$ be a gate computing $$f$$ mapping $$\{0,1\}^n$$ to $$\{0,1\}^n$$. That is, $$U_f\left\vert x,0^n\right\rangle=\left\vert x,f(x)\right\rangle$$. Let $$\left\vert\phi\right\rangle$$ be the uniform superposition on $$\{0,1\}^n$$. By performing $$U_f$$ on $$\left\vert\phi\right\rangle\left\vert0^n\right\rangle$$, we have $$\left\vert\phi'\right\rangle=\sum_{x\in\{0,1\}^n ...$$

Score: 0
Security of ElGamal signature scheme with generator of small order

For $$p$$ a 1024-bit prime, we have a 1021-bit element $$g \in \mathbb{Z}_p^*$$, where the order of $$g$$ is much smaller than the order of $$\mathbb{Z}_p^*$$. How does this small-order $$g$$ affect the security of the signature?

Score: -1
How expensive is it to migrate from AES-128 to AES-256

How feasible would it be to migrate from AES-128 to AES-256?

Score: 0
Eavesdropping attack on text-book RSA encryption with public nonce

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $$\text{sk}$$ and $$\text{pk}$$ respectively). Bob has an authentic copy of $$\text{pk}$$. The adversary has an authentic copy of $$\text{pk}$$.

Now, Bob wants to send his $$\text{PIN}$$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $$N_0$$ (a number chosen randomly  ...

Score: 0
Two Elliptic Curve Points having the Same X coordinate

Suppose in an elliptic curve (say the curve equation is $$y^2 = x^3 -17$$) with prime order $$q$$, we have $$(x,y_1) = nP$$, where $$P$$ is a generator and $$n<\lceil{q/2}\rceil$$. Can we claim that there does not exist $$n' < \lceil{q/2}\rceil$$ such that $$(x,y_2)=n'P$$ is a valid curve point where $$y_2 \neq y_1$$?

Score: 2
What is the difference between the [1]forking lemma(David Pointcheval) and the [2]general forking lemma(Mihir Bellare)?

My course teacher mentioned that the two forking lemmas have different prerequisites for use. The former article (Security Arguments for Digital Signatures and Blind Signature) is more limited, but I did not find it in the second article I read, and the article did not describe the difference between the two in detail (for example, the article mentioned that article 1 is not applicable to multi-s ...

Score: 3
Construction of S-Box in PRESENT

I'm currently working on a hardware implementation (in Verilog) of PRESENT-80 for research purposes. Because our goal is to strengthen the security of PRESENT-80 with masking and error detection, I need to understand how the S-Box is designed.

In PRESENT: An Ultra-Lightweight Block Cipher the 4x4 S-Box is simply stated as a lookup table:

```
x    0 1 2 3 4 5 6 7 8 9 A B C D E F
S[x] C 5 6 B 9 0 A
```

Score: 1
Is $H:\mathbb{Z} \rightarrow \mathbb{Z}_{p}^{*}$ and $a \mapsto g^a\bmod p$ with $p$ prime (strongly) collision-free?

Let $$H:\mathbb{Z} \rightarrow \mathbb{Z}_{p}^{*}$$ and $$a \mapsto g^a\bmod p$$ for $$g \in \mathbb{Z}_{p}^{*}$$ where $$p$$ is prime. Is this function (strongly) collision-free, meaning we cannot practically find $$x_1$$, $$x_2$$ such that $$H(x_1)=H(x_2)$$?

I argue no, with the following reasoning: Let $$A$$ be an algorithm which generates $$x_1 \neq x_2$$ such that $$H(x_1)=H(x_2)$$ and define $$A: \mathbb{N} \rightarro ...$$

Score: 3
Prove that $x$ is the sum of digitally signed numbers without revealing the summands

Imagine this:

- Charlie chooses two integers $$x_1$$ and $$x_2$$ and signs each of these integers with the same private key.
- Charlie sends the following to Alice:
  - $$x_1$$ and $$x_2$$,
  - the two signatures, and
  - his public key.
- Alice computes $$x = x_1 + x_2$$ and sends the following to Bob:
  - $$x$$ and
  - Charlie's public key.

Can Alice prove to Bob (without involving Charlie) that $$x$$ is the sum of two numbers ...

Score: 1
Provable security: impossible reduction when messages are encrypted/semantic security with function depending on the output of adversary

I have a problem with a protocol for which I can prove the security if the messages sent by the adversary are sent in the clear, but I can't prove the security anymore if the messages sent by the adversary are encrypted... and this is a bit strange, since I expect the protocol to also be secure in that second case.

More precisely, I'm considering a protocol for which a server Bob receives a message $$k$$ from ...
