Latest Crypto related questions

What are some ways to produce a pre-determined sequence of a large number of dice rolls (on the order of 100-1000 times) using biased dice or a biased human roller given the constraints that multiple dice (more than 2) have to be projected in one go from a height of at least 1 meter onto a transparent (acrylic/glass) platform? I'm looking for potential security concerns for a proposed method to gene ...

I'm developing a custom Authentication Socialite ADFS Provider using OpenID Connect: Authentication Flow.

Since I have a TLS connection between the client App and the Authentication server that issues the token, what is the point of verifying the access token signature? From my perspective, the connection is already authenticated with integrity.

The keys I would use to verify the signature are ex ...

The sequence number should be a 64 bit number in every TLS record, but the record header layer is only 5 bytes long and I am looking at a Wireshark pcap, where the TLS record only includes the header and encrypted application data. There is no sequence number.

Section 2 of RFC 8446 says about the phase "Key Exchange": … Everything after this phase is encrypted.

The "Certificate" message is sent after "Key exchange" as the scheme in that section shows. So it seems to be encrypted.

I am confused that I haven't found a mention of certificate encrypting in the "Certificate" section 4.4.2.

Could you explain to me - Should the certificate be encrypted and (if i ...

What is meant by "supported groups" in the section 4.2.7. "Supported Groups" of RFC 8446:
/* Finite Field Groups (DHE) */
ffdhe2048(0x0100), ffdhe3072(0x0101), etc:

Is the digits - 2048, 3072 (and groups) etc - are simply numbers of bits of the parameter p (module) in DF algorythm or something else ?

I try to understand a oracle Padding Oracle Attack example. I try to solve this question but I didn't figure out the answer.

A 7-byte message is padded per PKCS#5 and encrypted using the CBC mode of operation. The resulting ciphertext is
0x07 06 05 04 03 02 01 01, 0x08 09 0A 0B 0C 0D 0E 0F

Assume an Attacker modified that to
0x07 06 05 04 03 02 00 02, 0x08 09 0A 0B 0C 0D 0E 0F
and observed that the ci ...

In this image, It describes the basic idea of an iterative hash function. I am confused as to why the i value is set to be m+t+1 as default. Specifically, where does the 1 come from as m+t is just the arbitrary output size + t the message chunk size but the 1 im confused about

While exploring secp256k1, I came across what seems like the official definition at https://www.secg.org/, specifically in https://www.secg.org/sec2-v2.pdf. In terms of authorship, the document only contains references to the Standards for Efficient Cryptography group and Certicom (acquired by Blackberry). However, many resources I come across mention "NIST curves" in the context of secp256k1.

I've  ...

From the PLONK paper.

Page 29, Round 3

The paper doesn't explain the need or the use of the quotient challenge $\alpha$.

I understand why each of the polynomials is multiplied by $\frac {1}{Z_H}$ but don't understand why the second is also multiplied by $\alpha$ & the last by $\alpha^2$ - what purpose does the quotient challenge serve & why are different powers used? I can't find this discussed  ...

I have stuck in two problems when understanding the noise management of BFV scheme, and I don't have any idea about the two problem, help me please.

Problem 1:
In the Lemma 3 , the paper demonstrates that the norm of the noise after multiplying two ciphertexts $ct_0$ and $ct_1$ is $\left \|v_{mul}\right\|$=$E\cdot\delta_R\cdot(\delta_R+1.25)+E_{Relin}$, and I think the norm of $v_{mul}$ should be t ...

I am new at cryptography and start to learn some terms. I just saw an question in the book and didn't got a clue about this question. Could someone can explain me the answer of this question? Because all of the questions seems to be fine for me.

Assuming the block length is 8 bytes (L = 8) Which of the following is/are are valid coded messages?

1. 0x01 FF 52 18 04 04 04 04
2. 0x01 FF 04 04 04 04 04 04 ...

I am working on manual decryption of application data in TLS 1.3 by going through example in RFC8448. I successfully derived and expanded key and IV, but the IV in examples is only 12 bytes long instead of 16, which is required for AES-128-GCM.

Passkeys have this complicated QR code + Bluetooth dance to enroll a new device which seems like it ought to be securely creating a key on the device in a TPM.

However the messaging around "sync" seems to suggest that while that is happening, the device key is only used to encrypt a software key which is encrypted and synced to (Google, Amazon, Microsoft's) servers.

It seems like it would be more sec ...

In a previous question, I asked how to implement arbitrary s-box in side-channel-free fashion. The code I posted in the question loops over all 256 values of a byte to avoid timing channel, and I want to change it to loop over the values of a word.

Before getting carried away and lost, I'm considering lazy-initializing the s-box table. Specifically:

1. write byte-for-byte (i.e. 8-bit) sbox table.
2. on the fi ...

From this blog post: https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627

if P = G * p, Q = G * q and R = G * r, you can check whether or not p * q = r, having just P, Q and R as inputs.

How?

It's easy to see p * Q = q * P = R. But I don't see the leap to proving p * q = r.

I am working on MPCs (multi party computation) in crypto, and now I am developing a implementation of GG 18.

In sign phase, algorithm needs MtA (Multiplicative to Additive) and uses a Paillier key pair for this.

Paillier uses modulus $N$ ($N=p_1 * p_2$†, prime numbers drawn at key generation). But we need to consider the order $q$ of the elliptic curve. spec256k1 for example, so the algorithm has ...

I am working with lossy ID-schemes and their security in the QROM. Following the article of Kiltz et al. , I am at a loss of the number 8 appearing in most reductions throughout the article. I know it comes from the Generic Search Problem for Bounded Probabilites, however how?

The Lemma from the article as wee as the game for a quantum adversary is:

With the following proof in the appendix:

Any and al ...

I'm trying to understand some cryptographic properties of the s-box so I can have my own code. Example of balanced properties I read in this document that they say

A boolean function S : $ GF(2^n) $ $ \to $ $ GF(2) $ is called balanced if the output set contains equal number of ones and zeros in the corresponding truth table.

Example 2.2.3 We provide a comparison of balanced and unbalanced functions. Co ...

The PLONK paper uses the term preprocessed polynomial a lot of times.

• For e.g. page 14

The protocol definition includes a set of preprocessed polynomials $g1, . . . , g_l \in F<d[X]$

• Page 20

Preprocessed polynomials: The polynomial $S_{ID} \in F<n[X]$ defined by $S_{ID}(\mathbf g^i) = i$ for each $i \in [n]$ and $S_\sigma \in F<n[X]$ defined by $S\sigma (\mathbf g^i) = \sigma(i)$ f ...

When we take the coin flip in Blum's algorithm in "Coin flipping by telephone a protocol for solving impossible problems", where Alice and Bob both want ownership over the same car, then one party (the adversary / Alice) can abort the protocol. Provided there does exist a powerful third party (e.g. the law), the protocol can be extended, to give the car to Bob in case Alice aborts. This makes the algori ...

Disclaimer: I first posted this question on security.stackexchange some minutes ago but deleted it, this is probably a better place for it.

My goal is to use JWE with hybrid encryption (ECDH+AES) for exchanging sensitive data with another party. However, the example code I can find for various Java libraries doesn't match my understanding of how ECDH or asymmetric encryption with EC works in gener ...

assuming that I have an RSA key of length 4k bit which I'm interested to wrap using AES-GCM, and I have a (limited) AES-GCM cipher which can only encrypt limited input in size (say 256-bit/512-bit input) per invocation. Is there a way/conditions to fulfill when splitting this 4k bit key into smaller keys to fit my (limited) AES-GCM and yet get the same security as when using an unlimited AES-GCM (encryp ...

I'm drafing an RFC for a low computation crypto algorithm, intended for low power bluetooth communication. Likely without a connection using advertisements only.

It's going to include raw C code examples so it should be quite portable.

Is there a good site to post my RFC to, where it will be more visible than say, my dumb website where nobody goes.

Much the same way medium circulates writing. Im not ve ...

I have been researching the best encryption to use in a .NET application for managing a sensitive database field (column). This encryption is on top of e.g. AWS at-rest encryption applied to the whole of the database and is aimed at frustrating use of the sensitive data by anyone other than the application (which knows the encryption key). Defence in-depth!

It seems to me from lots of reading tha ...

I am working on a chat feature to use both post quantum cryptography along with RSA, and want to confirm my thoughts.

As these algorithms haven't been fully battle tested, I have decided to use a combination of both PQE and usual public, secret key cryptography

I decided upon the best algorithms to use for security.

• Signing: ED25519
• PQE KEM: McEliece
• NON-PQE KEM: RSA 4096

We are currently using ...

Summary: The operation of the Enigma Bombe is well documented. I manage to use it and a candidate checking machine to recover the plugboard pairs and the ring setting for the fast rotor. I struggle to recover ring settings for the slow and the middle rotors.

Question: Where can I find out more technical details on the Checking Machine?

Dirk Rijmenants (2022) Enigma Cipher Machine Simulator operation ...

Alice has master EC key pair: $a$ - private key, $A$ - corresponding public key

Bob generates 2 random integers $r_1$ and $r_2$ and wants Alice to derive 2 new key pairs:

$a_1$ = $a$ + $r_1$ and $a_2$ = $a$ + $r_2$ and corresponding public keys $A_1$ and $A_2$

Questions:

1. Is it possible for Alice to prove that she derived $A_1$ and $A_2$ from $a+r_1$ and $a+r_2$ using Schnorr proof?
2. Is it secure for Alice ...

I need to implement a Merkle tree using a 128 bit hash function. In general, any hash function that guarantees pre-image, second pre-image and collission resistance should be fine to implement a Markle tree. Is it correct? Probably, it is not even necessary to have pre-image resistance as long as the other two properties are available. Indeed, if you use the Merkle tree for data integrity, you want it t ...

When using AES-256 (cipher mode CBC and padding mode PKCS7) in combination with HMAC-SHA for authenticated encryption (assuming alternatives like TLS and AES-GCM cannot be used), should we use SHA-256 or SHA-512? This answer seems to indicate SHA512. Is this interpretation correct? I've seen an implementation using SHA256 and cannot figure out, why.

Edit: Since it does not seem to be entirely clear: I'm  ...

I'd like for two machines on a network to be able to prove to each other that they both have knowledge of a pre-shared secret, without revealing the secret to each other. Let's assume that all traffic over the connection between the parties, A and B, is encrypted.

Here are the steps I'm currently imagining:

1. A->B: nonce_A, hash(nonce_A || secret_key)

• B checks that they can produce the same hash u ...