Latest Crypto-related questions

Score: 2
A A
Where can I find a clear diagram of the SPECK algorithm?

Where can I find a clear algorithm diagram of the SPECK algorithm? I want to follow the steps to write ARM assembly code.

Score: 1
INDUKURI MANI VARMA 21911012
How exactly is bilinear pairing multiplication in the exponent of $g$ used in the zk-SNARK polynomial verification step?

I am reading this explanation of zkSnark written by Maksym Petkus - https://arxiv.org/pdf/1906.07221.pdf

On page 24, the zk-SNARK of a polynomial is explained. In the setup phase, the proving and verification keys are created by a trusted setup. I understood how the proof is created using the proving key.

However, if we see the verification key $= \{ g^{\alpha}, g^{t(s)} \}$, I didn't get how it is used in verification  ...

Score: 2
GeorgeT
Is a Pedersen commitment still secure when $r$ is either 0 or 1?

Specifically, if we know that $r$ takes values from the set $\{0,1\}$ and $c = g^r \cdot h^m$, does the hiding property still hold? I think I already managed to prove that the binding property holds due to the difficulty of the Dlog problem, and my intuition says that the hiding property is compromised. But I can't seem to figure out a successful probabilistic hiding attack method that runs in polynomial time.

 ...
Score: 0
Houtee
Data structures for linking blockchain accounts

I want to use a data structure like a Merkle tree in a hypothetical blockchain that, if needed, can quickly check whether a wallet/account has received directly or indirectly from a specific list of wallets/accounts in the past. And in an ideal case, how much of the current balance of this wallet has been received from the list. Considering that this data structure needs to be optimized in size and computing ...

Score: 0
chargerbottle
Prove a response was received from a particular Tor hidden service

Consider a Tor hidden service. I want to retrieve the main page of such website in such a way that I can later prove to a skeptical third party that the website with this certificate (identified by the public key in the address) provided me with this exact HTML page.

Is this possible assuming the website does not install additional software and is just a normal website on the Darknet?

I know this canno ...

Score: 2
Choice of nonce for reproducible encryption

In my application I have an SQLite database that stores labels for images, like this:

IMAGE ID  LABEL
1         foo
1         bar
2         bar
3         foo

The LABEL column is indexed as it is important that I can efficiently find all images with a certain label.

At rest I would like to encrypt those labels so that no one can learn the actual labels. Unfortunately encrypting the whole database seems difficult ...

Score: 1
Wesley Jones
Predicting compromised OpenSSL 3.0 DRBG

The OpenSSL 3.0 rand function's DRBG uses the getrandom() system call to get 48 bytes of secure entropy from the kernel. It also uses other information like the system uptime, available RAM, and other factors public in user space. So if the getrandom() function is compromised by an adversary using a rootkit, how would that affect OpenSSL DRBG in a practical attack? 48 bytes of entropy would be lost.

 ...
Score: 2
RobinLinus
Can you find a secure curve defined over the scalar field of secp256k1?

Is it possible to find a secure curve whose base field is the scalar field of secp256k1?

In general, can you find a secure curve defined over the scalar field of any secure curve? (For example, a secure curve defined over the scalar field of ed25519?)

Edit: Using the same parameters as secp256k1 (in short Weierstrass form), $a = 0$ and $b = 7$, yields a curve of prime order in the scalar field

Score: 0
user109119
Order of Lagrange interpolation in reconstruction of secret key

Does the order of Lagrange interpolation have any role in reconstructing the secret key in Shamir's secret sharing?

Score: 2
Lorenzo
Homomorphic encryption with both algorithm and data encrypted?

Is it theoretically possible to use homomorphic encryption to run an encrypted algorithm over encrypted data? If this is not possible, is it at least possible to run an encrypted algorithm over plain data (beyond a plain algorithm over encrypted data)? Ideally, can you cite papers where I can read about it?

Score: 3
Novice Question: Rivest Shamir Wagner 96 Time Lock Puzzles

I'm using the Rivest Shamir Wagner Time Lock Puzzle setup in an application, leveraging Pietrzak's algorithm for generating the proof. My question has to do with selecting a proper starting point. In this paper the authors talk about verifying that the starting point is a modular square root. They discuss the choice of groups on page 9 and they provide a proof I don't understand in Appendix 1 on p51.  ...

Score: 1
Angelo
DES attack with known partial plaintext

Consider a system where DES is used to encrypt HTTP GET requests. The first three bytes correspond to the character sequence "GET". How many encrypted messages is it necessary to intercept to be sure to guess the key used for encryption?

Score: 1
sander
In PKCS#11, can I set a custom base point for a secp256r1 ECDSA signature?

According to FIPS 186-4 § D.1.1.5, "Choice of Base Points", I should be able to create ECDSA signatures with custom base points on P-256 (secp256r1).

Does standard PKCS#11 support this feature?

This is how far I got building example code, based on org.xipki:ipkcs11wrapper:1.0.4 and SoftHSM 2.6.1:

import org.xipki.pkcs11.wrapper.*
import org.xipki.pkcs11.wrapper.PKCS11Constants.*
import org.xipki.pkcs11.w ...
Score: 1
batman
Introducing differential privacy in two different ways

I would like to investigate whether it is possible to introduce Differential Privacy (DP) to a model via both adding Laplacian noise to the training data and then training with DP-SGD updates. Is it a valid way to introduce DP?

In other words, if we separately applied Laplacian noise to the data, the system would be assigned $(\varepsilon_1, 0)$-DP per epoch, and if we trained with DP-SGD it would be assigned  ...

Score: 2
anthonychwong
Best practices on implementing a password manager

I'm a dev new to security and cryptography.

I'm writing a password manager and time-based OTP combo in Dart/Flutter to use on multiple devices and platforms, for fun and to use personally for real. I have done some reading on Google, stackoverflow.com and crypto.stackexchange.com, came up with the following skeleton, and am here to ask for some further security advice on encryption, implementation and ...

Score: 0
Cat Dragon
How to use NIST SP 800-22 to check randomness of 128-bit output in AES?

I am trying NIST SP 800-22 to test the randomness of 128-bit output in AES, but I always get an igamc: UNDERFLOW or Segmentation fault (core dumped) error.

My data file has a 128-bit output format, for example as follows:

01101100010001011111011101010011011000000101111001111100010010111011111001010011101101000000111011011100011011101101100011011001
00000000101100000010110001100100101101000010010010110101 ...
Score: 2
pintor
Fiat-Shamir with interactions

Suppose we have a standard $\Sigma$-protocol for proving knowledge of a witness $x$ for the statement $y$. It has honest-verifier ZK and special soundness. Now we make an unusual modification to get an interactive $\Sigma'$-protocol in the ROM:

  1. The prover $\mathcal{P}$ computes $a$ exactly as in the $\Sigma$-protocol and sends it to the verifier $\mathcal{V}$.
  2. The verifier $\mathcal{V}$ replies with ...
Score: 1
manu muraleedharan
How can we explain STARK with less math?

I am trying to understand STARK with not much math. I understand SNARK like this: Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

From the helpful article: https://z.cash/technology/zksnarks/

We have a computation with many steps that can prove something. We take that and create an arithmetic circuit (in simple words, an algebraic equation). Then we have R1CS, which is going to valid ...

Score: 0
American Corn
Where is a cryptography library that supports group signatures?

Finding a cryptography library to implement various application features is not difficult nowadays, thanks to options like NaCl, Google Tink, PyCA, and OpenSSL. However, I've been struggling to find a library that supports group signatures, which is causing confusion. Would anyone be able to provide an explanation or recommend a library that supports this feature? Thanks so much for helping.

Score: 1
cryptolearner
Ring LWE distribution definitions

This may be a stupid question but I've been stuck on parsing these definitions for a while.

I am reading the paper "On Ideal Lattices and Learning with Errors Over Rings" by Lyubashevsky, Peikert, and Regev. I am trying to understand the error distributions they are proposing. In section 3, they define a set $\mathbb T = K_{\mathbb R}/R^V$ where $K$ is any number field and $K_{\mathbb R}$ is $K \oti ...

Score: 2
NB_1907
Interesting and fun facts about cryptology

We are planning to organize a workshop with the participation of academicians, engineers and graduate students working in the field of cryptology. On the first day, we are planning a fun competition for the participants as an ice-breaking event. Our goal is to organize a quiz on fun, little-known facts about cryptology via the online app. Interesting general culture questions will be more acceptable ins ...

Score: 2
zbo
The second moment and fourth moment of $\mathcal{P}(V)$?

Background: I am reading the paper "Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures" (here is the link). And I got stuck in understanding the computation of the moment.

Question statement: In section 4.3 of the paper, it is defined: For any $V=[\mathbf{v}_1,\cdots,\mathbf{v}_n] \in GL_n(\mathbb{R})$ and any integer $k \ge 1$, the $k$-th moment of $\mathcal{P}(V)$ over a vector $\mathbf{w}  ...

Score: 1
Tensor
Compression algorithm with multiple valid same-sized outputs

Is there a lossless compression algorithm that has hashing-like properties where there are multiple solutions to it?

For example, when a 1000-bit data sequence is compressed into a 500-bit data sequence, there are multiple possible 500-bit data sequences that can be generated as outputs. Each of these 500-bit data sequences, once decompressed, would output the original 1000-bit data sequ ...

Score: 1
Where can I find 2 of the steps/proofs described in Dan Boneh's video on PLONK in the PLONK Paper? The 2 don't seem to match

This is Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=vxyoPM2m7Yg

I went through the video multiple times & also tried to go through the original PLONK paper - https://eprint.iacr.org/2019/953.pdf

Boneh's explanation of PLONK involves the steps

1) Boneh considers the trace of the equation as the inputs (public & private) & the gates. Let's say there are 3 gates & 3 input ...

Score: 1
Tito
Decrypting full ciphertext of (AES CTR/GCM) based on partial knowledge of the cleartext

I have found myself in a position where I need to encrypt multiple objects (vCards) with AES Counter mode or Galois/Counter Mode using the same key. Now here is the problem: the structure of the vCard always starts with predefined values, i.e. here is an example from Wikipedia

 BEGIN:VCARD
 VERSION:4.0
 FN:Simon Perreault
 N:Perreault;Simon;;;ing. jr,M.Sc.
 BDAY:--0203
 GENDER:M
 EMAIL;TYPE=work:sim ...
Score: 1
Wang Linger
Why do we need the random number in the Pinocchio protocol compared with GGPR

I find it hard to fully grasp the whole Pinocchio protocol.

I understand that the $\alpha$s are for restricting the prover to compute only the corresponding set-up values.

But it's not clear to me how to pick up $\gamma$ for the consistent (same) witness check.

From what I can tell, this protocol cleverly embeds different $r_v, r_w, r_y$s into the generators $g_v, g_w, g_y$. An insightful improvement on

Score: 1
Ilya
Does information about known input & output for SHA3-256 help to find a KECCAK-256 input for the same output?

I received two distinct outcomes from a single input using SHA3-256 and KECCAK-256:

input -->   sha3-256 --> output1

input --> keccak-256 --> output2

I want to find input2, which will give me output1 after Keccak-256 hash :

input2 --> keccak-256 -> output1

Is it somewhat possible? I read somewhere that SHA3-256 and Keccak-256 differ only in the padding rule. Is it possible that k ...

Score: 0
mnj
Shortest encryption with URL-friendly character set

I need a way to encode a set of information so that the result is as short as possible, with the requirement that it be usable as part of a URL string.

I don't really care that much about security; the encryption is applied mostly so that the plain text is not visible right away. At the same time, just encoding (like base64) is not enough; there needs to be at least minimal security, meani ...

Score: 3
3ric-T
Is it possible to wrap an RSA private key using an EC key pair?

PKCS#11 documentation § 2.1.23 describes how to wrap and unwrap a target asymmetric key of any length and type using an RSA key, called CKM_RSA_AES_KEY_WRAP. This mechanism could be easily implemented by hand in case it is not available in the HSM.

The counterpart exists for EC, CKM_EC_AES_KEY_WRAP can wrap and unwrap an asymmetric target key of any length and type using an EC key. Unfortunately, th ...

Score: 0
Norcino
Securely sign a URL using a 50-character-long key

I need to sign a URL to make sure the URL cannot be tampered with or forged. The client has limited capabilities and I cannot use a key which is more than 50 characters long.

Generally I use RSA to generate the signature, with keys of the proper size. So I am not sure what technique to use to keep the signature safe enough. The key shared with the client will have a validity of 1 year.

Any suggestion?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.