Latest Crypto related questions

Score: 1
Tanjin Alam
Best Practices for Writing Prover and Verifier Circuits for Zero-Knowledge Proof Implementation

Considering that I am writing a circuit that will take age as input and return true or false.

For this ZKP system, I guess I don't need a separate prover circuit and verifier circuit.

Consider that I am writing a circuit that will take age as input and generate a proof. Now I will write another circuit for a verifier that will take the proof as input and verify whether it is true or false.

I am seeking ...

Score: 3
Fishy Sticks
Does the plaintext modulus have to be prime in BGV?

I'm thinking about storing packed integers $(x_1,x_2,...,x_k)$ into a single ciphertext slot using the Chinese Remainder Theorem (CRT). However, in order for the CRT to work, the plaintext modulus would have to be a product of prime values (the same prime values used in the CRT). So I ask, does the plaintext modulus have to be prime in BGV?
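
Added example (editor's, not part of the question) of the CRT packing described above, in plain Python integer arithmetic with no BGV encryption involved: the plaintext modulus $t$ is the product of pairwise-coprime factors, each slot holds a residue modulo one factor, and addition and multiplication of the packed integers modulo $t$ act independently on every slot. The moduli 5, 7, 11 and the slot values are constructed sample inputs; with a prime plaintext modulus there is only one such slot.

```python
from functools import reduce
from math import gcd


def product(moduli):
    return reduce(lambda a, b: a * b, moduli, 1)


def is_valid_modulus_set(moduli) -> bool:
    """CRT needs pairwise-coprime factors; a single prime modulus gives one slot."""
    return len(moduli) > 0 and all(
        gcd(moduli[i], moduli[j]) == 1
        for i in range(len(moduli)) for j in range(i + 1, len(moduli)))


def crt_pack(values, moduli):
    """Return (x, t) with t = prod(moduli) and x == values[i] (mod moduli[i]) for all i."""
    if len(values) != len(moduli) or not is_valid_modulus_set(moduli):
        raise ValueError("need one value per modulus and pairwise-coprime moduli")
    t = product(moduli)
    x = 0
    for v, m in zip(values, moduli):
        n_i = t // m
        # pow(n_i, -1, m) is the inverse of t/m_i modulo m_i (Python 3.8+)
        x += (v % m) * n_i * pow(n_i, -1, m)
    return x % t, t


def crt_unpack(x, moduli):
    """Recover the slot values: reduce the packed integer modulo each factor."""
    return [x % m for m in moduli]


def slotwise_add(x, y, moduli):
    """Adding packed integers mod t adds every slot mod its own factor."""
    return crt_unpack((x + y) % product(moduli), moduli)


def slotwise_mul(x, y, moduli):
    """Multiplying packed integers mod t multiplies every slot mod its own factor."""
    return crt_unpack((x * y) % product(moduli), moduli)


if __name__ == "__main__":
    moduli = [5, 7, 11]                      # constructed: t = 385
    xa, t = crt_pack([4, 6, 10], moduli)
    xb, _ = crt_pack([3, 5, 9], moduli)
    print("t =", t, "packed:", xa, xb)
    print("slotwise sum :", slotwise_add(xa, xb, moduli))
    print("slotwise prod:", slotwise_mul(xa, xb, moduli))
    print("valid factors {6, 9}?", is_valid_modulus_set([6, 9]))
```

The slot arithmetic is exactly the reason the plaintext modulus has to factor into coprime pieces: with $t$ prime there is nothing to split it over.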

Score: 3
Vincent
Prove DSA signature scheme is EUF-CMA secure

I want to prove that the DSA signature scheme is EUF-CMA secure in the random oracle model, if the discrete logarithm problem is hard. I know it can be proved by the following two parts:

  1. The discrete logarithm problem is hard $\Rightarrow$ the DSA identification scheme is UI-PA secure
  2. The DSA identification scheme is UI-PA secure + $H,F$ are random oracles $\Rightarrow$ the DSA signature scheme is EUF-CMA secure

Score: 2
opag
Security of RLWE encryptions of secret keys

Under which conditions is it secure to publish an encryption of the secret key $s$ under itself in terms of an $RLWE_s(s)$ ciphertext? Because for some schemes this is (repeatedly) used in bootstrapping or key switching, it seems to be secure (or at least it is assumed to be so).

On the other hand, if multiple encryptions $RLWE_{s_i}(s_k)$ are published it seems to be critical that there is no ``cy ...

Score: 2
G Pavithra
To prove equality/inequality of plaintexts of 2 ciphertexts encrypted under different encryption schemes

We have 2 ciphertexts, one encrypted using Paillier and another encrypted under the ElGamal encryption scheme. Is there a way to design a ZK proof to prove equality of the underlying plaintexts of these 2 ciphertexts?

Score: 2
Chunchi Liu
Is pairing-based crypto post-quantum secure?

Bilinear Pairings are widely used in many new schemes like Group Signature and Aggregate Signature. The problem is whether it is post-quantum secure. In other words, does Bilinear Diffie-Hellman intractability assumption stand against a quantum computer?

With a quantum computer, Shor's Algorithm solves Prime Factorization and Discrete Log problem in polynomial time, which nullifies the security of p ...

Score: 5
Maximum entropy of a hash function?

Let $H(h,k)$ be the expected entropy of some random oracle $X:\left\{0,1\right\}^h \to \left\{0,1\right\}^k$, where $h$ does not necessarily equal $k$.

  1. Then, is it true that $\lim\limits_{h\to\infty}H(h,k) = k$ ? (for constant $k$)
  2. If so, is the above still true if $h = 2k$? In other words, does $\lim\limits_{h\to\infty} h - H(2h,h) = 0$ ? (for common hash functions like SHA-256/512, the input block siz ...

Score: 5
Why is domain separation required?

I understand that domain separation in hashing is important, but I'd like to understand more clearly why and what are the risks involved.

  • What is the theoretical justification for requiring domain separation?
  • What are examples of schemes/protocols that can be broken if domain separation is not used?
  • How can one evaluate whether the lack of domain separation is an issue or not? (e.g. Ed25519 does not us ...
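
Added example (editor's, not from the question) of the most elementary risk behind the question: when a context label and the data are hashed by plain concatenation, the boundary between them is lost, so a hash computed under one label equals a hash computed under another label on different data. The labels and messages are constructed; the corrected encoding length-prefixes every field, in the spirit of TupleHash (NIST SP 800-185), so the tuple is recoverable from the bytes that were hashed.

```python
import hashlib


def naive_hash(label: bytes, data: bytes) -> bytes:
    """No domain separation: the label is simply prepended to the data."""
    return hashlib.sha256(label + data).digest()


def encode_fields(*fields: bytes) -> bytes:
    """Unambiguous encoding: each field carries a 4-byte big-endian length prefix."""
    out = b""
    for f in fields:
        if len(f) >= 1 << 32:
            raise ValueError("field too long")
        out += len(f).to_bytes(4, "big") + f
    return out


def decode_fields(buf: bytes) -> list:
    """Inverse of encode_fields; fails on malformed input, so no two tuples share an encoding."""
    fields, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(buf[i:i + 4], "big")
        i += 4
        if i + n > len(buf):
            raise ValueError("truncated field")
        fields.append(buf[i:i + n])
        i += n
    return fields


def separated_hash(label: bytes, data: bytes) -> bytes:
    """Domain-separated hash: the label is a distinct, length-delimited field."""
    return hashlib.sha256(encode_fields(label, data)).digest()


def cross_label_collision(label_a: bytes, label_b: bytes, data_a: bytes):
    """Return data_b with label_a||data_a == label_b||data_b, i.e. an input on which
    naive_hash gives the same value under both labels, or None if the labels are
    not prefix-related (plain concatenation is only ambiguous when one label
    extends the other)."""
    if label_b.startswith(label_a):
        suffix = label_b[len(label_a):]
        if data_a.startswith(suffix):
            return data_a[len(suffix):]
        return None
    if label_a.startswith(label_b):
        return label_a[len(label_b):] + data_a
    return None


if __name__ == "__main__":
    # Constructed sample: a hash meant for the "sign" context reused in the "signature" context.
    data_b = cross_label_collision(b"sign", b"signature", b"ature:pay 100")
    print("naive hashes equal:    ", naive_hash(b"sign", b"ature:pay 100") == naive_hash(b"signature", data_b))
    print("separated hashes equal:", separated_hash(b"sign", b"ature:pay 100") == separated_hash(b"signature", data_b))
```

Fixed-width tags avoid the prefix problem for the label alone; length-prefixing every field also covers the general case of several variable-length inputs.
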

Score: 3
P_Gate
Questions on difference distribution in Kyber

I have two elementary questions related to the special distribution $|x'-x \text{ mod}^{\pm} \, q| \leq B_q := \left\lceil \frac{q}{2^{d+1}} \right\rfloor$ in Kyber. The first question is about the paper and the second question is about a section in the specification. I am asking this as one question because I think it fits well thematically.

  1. In the paper on page 4 it says:

  • Unfortunately, there  ...

Score: 0
sunmu
recovering the original secret of secret sharing

What is the specific process of recovering the original secret in secret sharing? Do the parties holding secret shares communicate with each other and exchange their shares, so that once a number of shares greater than or equal to the threshold has been collected the secret is recovered, or does a third party collect the secret shares to restore the secret? How is it generally done in the current s ...
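
Added example (editor's, not from the post) of the arithmetic of reconstruction in Shamir's scheme, which is the same whoever runs it, whether the share holders pool their shares among themselves or a combiner collects them: Lagrange interpolation at $x=0$ over any $t$ distinct shares returns the secret, while $t-1$ shares interpolate to an unrelated value. The prime field, the sample secret and the seeded generator used for the worked example are constructed; real use should draw the polynomial coefficients from `secrets`, which is the default here.

```python
import random
import secrets

P = 2**127 - 1   # constructed choice of prime field; every share is an element of GF(P)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, n, t, rand_below=secrets.randbelow):
    """Dealer side: a random degree-(t-1) polynomial with constant term = secret,
    evaluated at x = 1..n. Any t of the n shares reconstruct the secret."""
    if not (1 <= t <= n < P):
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [rand_below(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Combiner side: Lagrange interpolation of the collected shares at x = 0.
    Whoever holds t shares (a third party or the parties themselves) can run this."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P          # product of (0 - x_j)
                den = den * (xi - xj) % P      # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def example_shares(seed=7, secret=123456789, n=5, t=3):
    """Worked example with a seeded generator so the run is reproducible (constructed
    inputs; not how keys should be generated in practice)."""
    rng = random.Random(seed)
    return split(secret, n, t, rng.randrange)


if __name__ == "__main__":
    shares = example_shares()
    print("any 3 of 5 shares:", reconstruct(shares[:3]), reconstruct(shares[2:]))
    print("only 2 shares    :", reconstruct(shares[:2]))   # unrelated to the secret
```

Note that `reconstruct` needs the share indices as well as the values; a share is the pair $(x_i, y_i)$, not $y_i$ alone.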

Score: 1
Jiawei Wu
How to build a secure multiparty computation protocol using oblivious transfer as a blackbox?

The following statement seems to be a consensus in the cryptography community.

Oblivious transfer is a complete primitive for secure multiparty computation (SMC).

But I cannot find any explicit construction. What I want is a general method to construct SMC from OT with as few assumptions as possible, especially without the computational assumption so that it applies to information-theoretical security.

 ...

Score: 1
Rory
Proving the minimal entropy of Dilithium-QROM?

I am working with the security of CRYSTALS-Dilithium signatures in the QROM. I am working with Kiltz et al.'s approach through lossy ID-schemes and looking at the proof of minimal entropy for the $DFS[ID, H, PRF]$-derived Dilithium-QROM signature. Unfortunately, I am not able to see how the proof of the lemma flows, nor understand what is being done and why it is "ok" to make the claims that are made... ...

Score: 4
fgrieu
PRF collision search for input smaller than output

Assume a given pseudo-random function $H:\{0,1\}^a\mapsto\{0,1\}^b$ with $b\in[104,256]$ and $b/2<a<b$. We want to exhibit a collision if there is one, which has probability $>63\%$.

We are ready to perform $2^{b/2+1}$ evaluations of $H$ or slightly more, distributed among several search units. But we don't have $2^{b/2}b$ bits of memory, especially accessible by each search unit. How can we pra ...
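
Added example (editor's, not from the question) of the memory-free approach for a single search unit: iterate the function and locate a collision with Floyd's cycle finding, which needs $O(1)$ storage instead of a table of $2^{b/2}$ outputs. Because $a<b$, a $b$-bit output has to be reduced to an $a$-bit input before it can be fed back in, so the pair Floyd's walk returns is a collision of the reduced map and only with probability about $2^{-(b-a)}$ a collision of $H$ itself; the code filters for that. The toy $H$ is SHA-256 truncated to $b$ bits, a constructed stand-in for the PRF with $a=20$, $b=24$ in the test, and the multi-unit distinguished-point version (van Oorschot and Wiener) is not implemented here.

```python
import hashlib
import random


def make_pair(a, b):
    """Toy stand-in for the PRF: H maps an a-bit integer to a b-bit integer (SHA-256
    truncated to b bits). f reduces H's output to a bits (keeps the top a bits) so
    that the function can be iterated; this reduction is forced by a < b."""
    assert 0 < a < b <= 256

    def H(x):
        digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") >> (256 - b)

    def f(x):
        return H(x) >> (b - a)

    return H, f


def rho_collision(f, x0):
    """Floyd's cycle finding on x0, f(x0), f(f(x0)), ... using O(1) memory.
    Returns (u, v) with u != v and f(u) == f(v), or None when x0 already lies on
    the cycle (no tail, so the walk exposes no collision)."""
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    if hare == x0:
        return None
    # Walk tortoise from x0 and hare from the meeting point: they coincide at the
    # cycle entry, and their predecessors are two distinct preimages of it.
    tortoise = x0
    while tortoise != hare:
        prev_t, prev_h = tortoise, hare
        tortoise, hare = f(tortoise), f(hare)
    return prev_t, prev_h


def find_collision(a, b, seed=0, max_tries=1000):
    """Repeat rho walks from random starts until a collision of the reduced map f
    is also a collision of H. Returns (u, v, pseudo), where pseudo counts the
    discarded reduced-only collisions, or None if max_tries is exhausted."""
    H, f = make_pair(a, b)
    rng = random.Random(seed)
    pseudo = 0
    for _ in range(max_tries):
        pair = rho_collision(f, rng.randrange(1 << a))
        if pair is None:
            continue
        u, v = pair
        if H(u) == H(v):
            return u, v, pseudo
        pseudo += 1   # only the top a bits of H matched: not a collision of H
    return None


if __name__ == "__main__":
    a, b = 20, 24
    u, v, pseudo = find_collision(a, b, seed=1)
    H, _ = make_pair(a, b)
    print(f"H({u:#x}) == H({v:#x}) == {H(u):#x}; reduced-only collisions discarded: {pseudo}")
```

Each walk costs on the order of $2^{a/2}$ evaluations, so the filtering multiplies the work by roughly $2^{b-a}$; that is the price of having no table, and the reason the input width matters as much as the output width in the question's setting.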

Score: 2
Bean Guy
How do exactly twists interact with pairing and non-pairing computations?

Say that $\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T$ are cyclic groups of prime order $r$ over which the pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is defined. It is well known that $\mathbb{G}_1 \subseteq E(\mathbb{F}_p)$ and $\mathbb{G}_2 \subseteq E(\mathbb{F}_{p^k})$ where $p$ is a prime number and $k$ is the embedding degree of the elliptic curve $E(\mathbb{F}_{p^k})$. It is also kn ...

Score: 3
alpominth
What is the post-quantum security of encryptions schemes based on transpositions?

I know that if using Grover's algorithm to break a cipher, one would need to perform (2^[key space])^0.5 queries (the square root of the number of all possible keys).

A simple transposition cipher COULD have its security of (transpositions)! (the factorial of the number of transpositions), but how would it be in a post-quantum scenario?

Will the classical security of encryption schemes based on transpositi ...

Score: 1
Anantashayana Hegde
Can we reduce the size of the XMSS signature?

As XMSS is post-quantum, we can use it to secure a blockchain. One of the main disadvantages of XMSS is its signature size. If we can reduce the size of the signature, then we can use XMSS in the blockchain. An XMSS signature contains the signature on the message + the index of the OTS + the authentication path. If we can store the OTS index and authentication path off-chain, such as in a wallet, wouldn't it significantly reduce the  ...

Score: 1
Eugenio Kuri Student
What are the most important parameters when it comes to lattice based cryptography security?

When utilizing the closest vector problem for decrypting data, does lattice size matter? For example, is a 1000x1000 grid necessarily safer than a 100x100 grid? And if so, why would this affect the computations of quantum computers? Also, is there a "safest way" of choosing a lattice point that guarantees higher success?

Score: 1
Hasbo
Are Veracrypt, XTS and flash memory attacks feasible?

Some time ago I had a question here about WinRAR security and probably the most common recommendation I came across was to use Veracrypt.

Veracrypt uses XTS, but according to others, XTS encryption is unnecessarily complicated and does not provide such protection to be considered secure enough. (see Thomas Ptacek; Erin Ptacek (2014-04-30). "You Don't Want XTS", or Evaluation of Some Blockcipher Modes of  ...

Score: 4
Eugenio Kuri Student
In what way, does adding dimensions to lattice based cryptography decrease vulnerability to quantum computers? and why?

In RSA encryption, the larger the size of the prime numbers utilized for the creation of the public key, the more computational power is required in order to "Brute force" decryption.

  • Does a similar concept apply when considering lattice-based encryption?
  • Naturally, I would assume so, but how much more safe would a 3d lattice be, rather than a 2D lattice?
  • Would it be exponential? and if so why?
  •  ...

Score: 1
ZhuJerry
Can some cryptographic conclusions in the prime field be applied to the Galois field?

Such as the integer factorization problem and the discrete logarithm problem. Assuming a large polynomial is obtained by multiplying two generated polynomials, is it NP-hard to decompose it into these two generated polynomials? And assuming that A is a generator of the Galois field and B is a random number, is it NP-hard to find an x such that $A^x=B$ holds?

Score: 1
sunmu
Gradient Leakage Attacks in Federated Learning

May I ask if I use top-K to compress the gradient, can the attacker recover the original information of the data from the compressed gradient?

Score: 6
RobinLinus
What's wrong with this simple reduction of discrete logarithms to the Diffie-Hellman problem?

This recent paper shows that discrete logarithms are solvable if you have an oracle for the Diffie–Hellman problem. However, to me, it seems there is a much simpler reduction and I wonder where I am wrong:

Core idea: A DH oracle allows us to exploit the multiplicative structure of a curve's scalar field, whereas normally, we can work only on its additive structure.

You can use a DH oracle to compute ...

Score: 3
Different-March-5530
Is it correct to concatenate HKDF expand stages?

I want to derive session keys for many clients from a Master Key. Suppose I derive a key for the client $n$ in the following way:

master_key = HKDF-extract(salt, IKM)

key_client_n = HKDF-expand(master_key, info_client_n, L)

Then, I generate session keys for the client $n$:

key_client_n_session_0 = HKDF-expand(key_client_n, 0, L)

key_client_n_session_1 = HKDF-expand(key_client_n, 1, L)

Is that safe? Is ...
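
Added example (editor's, not from the question) of the two-level derivation written out with RFC 5869 HKDF over SHA-256, checked against RFC 5869's test case 1, with the client and session identifiers encoded as labelled fixed-width `info` fields so that indices such as 1 and 10 cannot be confused; the salt and IKM in the usage section are constructed. Using a full-hash-length HKDF-Expand output as the PRK of a further Expand is the pattern the TLS 1.3 key schedule relies on.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: L may not exceed 255 * HashLen")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def rfc5869_test_case_1_ok() -> bool:
    """Known-answer check with the vector from RFC 5869, appendix A.1."""
    prk = hkdf_extract(bytes.fromhex("000102030405060708090a0b0c"), bytes.fromhex("0b" * 22))
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def client_key(master_key: bytes, client_id: int) -> bytes:
    """Stage 1: per-client key. A labelled 4-byte id keeps info values distinct and
    parseable; the output is HashLen bytes so it can serve as a PRK below."""
    return hkdf_expand(master_key, b"client:" + client_id.to_bytes(4, "big"), HASH_LEN)


def session_key(client_key_bytes: bytes, session_index: int, length: int = HASH_LEN) -> bytes:
    """Stage 2: per-session key expanded from the per-client key."""
    return hkdf_expand(client_key_bytes, b"session:" + session_index.to_bytes(4, "big"), length)


def derive_session_keys(salt: bytes, ikm: bytes, client_ids, sessions_per_client: int) -> dict:
    """The chain from the question: extract once, expand per client, expand per session."""
    master = hkdf_extract(salt, ikm)
    keys = {}
    for cid in client_ids:
        ck = client_key(master, cid)
        for s in range(sessions_per_client):
            keys[(cid, s)] = session_key(ck, s)
    return keys


if __name__ == "__main__":
    print("RFC 5869 vector ok:", rfc5869_test_case_1_ok())
    # Constructed inputs for illustration only.
    for (cid, s), k in derive_session_keys(b"constructed-salt", b"constructed-ikm", [1, 10], 2).items():
        print(f"client {cid} session {s}: {k.hex()}")
```

The point of the fixed-width encoding is that `info` for client 1, session 10 and client 11, session 0 can never be the same byte string; with bare decimal digits concatenated, they could be.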

Score: 1
kartti
Can I use a password hash to encrypt the private key of a bigger block size?

I have private keys that are close to 2 KB in size. Now I want to password-encrypt them in the following manner.

  1. Generate the private key of an asymmetric encryption algorithm (public key can be derived from private key later) with a random number (I'm using a system PRNG).
  2. Generate a random salt of length 48 bytes (also from system PRNG)
  3. Hash the salt with argon2 and a secret password (arbitrary length, bu ...

Score: 3
Domino
Is it possible to sign in to a website using two different passwords using an MD5 hash collision?

I wanna do an experiment. I wanna see if it's possible to sign in to an outdated website that still uses MD5 to store passwords (there are surprisingly still a lot) with two different passwords.

For example "Password123" must have another string that produces the same hash value. I've found a few examples online of two strings that produce the same MD5 hash value, but all of them would exceed the ...

Score: 1
Greg Navis
Secure two-factor authentication app for iOS

I'm working on an open source iOS-native (both UX- and implementation-wise) 2FA app. Two of the primary goals for the project are ensuring security and simple backups. Addressing these two areas is the last blocker before the release.

I'd like to ask you for your opinion and advice regarding the scheme I devised for the app. I'm not a cryptographer, and the amount of key wrapping in the scheme makes me fe ...

Score: 0
Pi-Turn
Multiplicative Inverse in Point Addition/Point Multiplication

Walking through the textbook content, I understand that we need to compute the slope between 2 points before we can compute the new point as the result of addition.

A multiplicative inverse is part of the operation in the process of finding the slope, where we know the Extended Euclidean Algorithm is one of the best methods to use.

However, in order to realize the Extended Euclidean Algorithm in hardware RTL, we need to  ...
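
Added example (editor's, not from the question) of the slope computation in software, as a reference for what the RTL has to reproduce: an iterative extended Euclidean algorithm yields the modular inverse, affine point addition and doubling use it to divide, and the vertical-line case, where the denominator would be zero, returns the point at infinity instead of calling the inverse. The curve $y^2 = x^3 + 2x + 2$ over GF(17) with base point $(5,1)$ is a constructed toy whose group has order 19; the hardware side is not addressed.

```python
def ext_gcd(a, b):
    """Iterative extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def inv_mod(x, p):
    """Multiplicative inverse of x modulo p via the extended Euclidean algorithm."""
    g, u, _ = ext_gcd(x % p, p)
    if g != 1:
        raise ZeroDivisionError("no inverse: gcd(x, p) != 1")
    return u % p


# Constructed toy curve y^2 = x^3 + A*x + B over GF(P_MOD); its group has prime order 19.
P_MOD, A, B = 17, 2, 2
INF = None   # point at infinity (group identity)


def ec_add(P1, P2):
    """Affine addition/doubling. The slope needs a division, hence inv_mod."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P): vertical line, denominator would be 0
    if P1 == P2:
        s = (3 * x1 * x1 + A) * inv_mod(2 * y1, P_MOD) % P_MOD      # tangent slope
    else:
        s = (y2 - y1) * inv_mod(x2 - x1, P_MOD) % P_MOD             # chord slope
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, Pt):
    """Double-and-add scalar multiplication built on ec_add."""
    result, addend = INF, Pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


if __name__ == "__main__":
    G = (5, 1)
    for k in range(1, 20):
        print(f"{k:2d}G =", ec_mul(k, G))   # 19G is the point at infinity
```

Every `inv_mod` call here is one extended-Euclid run per addition; constant-time or inversion-free (projective) formulas are the usual next step in hardware, but the arithmetic above is the baseline they must match.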

Score: 3
pengu1n
Enigma rotor settings and the notch

According to https://www.reddit.com/r/cryptography/comments/v0sw2r/enigma_ring_settings_question/

While the rotor is in the machine, the ring+notch+rotor all rotate in sync. While the rotor is pulled out, the ring+notch can be detached and rotated to a different offset compared to some canonical orientation of the inside rotor wiring.

This makes sense.

The online Enigma encoder at https://www.101c ...

Score: 3
Walker
Data type transformation in Rust library

I am using some ark libraries, such as ark_ff and ark_bls12_381, to implement some cryptographic algorithms. In these algorithms, random oracles are needed, which take some group elements in G1, G2, Gt on the BLS curve and output a scalar (ark_bls12_381::Fr). How do I do these steps? To be specific, I need to hash group elements and get a u8 array, and then generate an Fr from the byte array. I need  ...

Score: 1
Flan1335
Does triple ChaCha20 have 256-bit post-quantum security?

Experts suggested 3DES when AES hadn't been developed yet; because of the meet-in-the-middle attack, they suggested triple DES. Grover's algorithm, a quantum algorithm, weakens symmetric encryption; how about triple ChaCha20? Does triple ChaCha20 have 256-bit security against quantum computers?
