Latest Crypto related questions

Score: 1
alpominth avatar
How changing a single byte/word in a substitution box affects the inverse result?
il flag

Let's suppose I have a 8-bit substitution box composed of 256-bytes and invert it.

Does changing one byte in the substitution box will make the inverse result completely different than if I didn't change it?

Or will only the changed byte be different in the inverse S-box?

Score: 2
Walker avatar
Can we pad witness of bulletproof and dory to be exponential size?
cy flag

Bulletproof and dory reduce the witness size by a half during each interaction, until the witness is compressed to be only one element. But what about the witness is not precisely exponential size? Can we still use the two schemes by padding the witness?

Score: 2
heller avatar
How to determine if a bilinear map satisfies XDLIN?
tm flag

Let $\{(q, G_1, G_2, G_T, e: G_1 \times G_2\to G_T)_s\}$ be a family of bilinear groups parameterized by the security parameter $s$. We use $g_1$ (resp. $g_2$) to denote the generator of $G_1$ (resp. $G_2$).

The XDLIN problem is to guess bit $B$ ($B = 0$ or 1), given

$$P_B:= \{g_1^a, g_1^b, g_1^{ac}, g_1^{bd}, g_2^a, g_2^b, g_2^{ac}, g_2^{bd}, Y_B\},$$

where $Y_0 = g_x^{c+d}$, $Y_1 = g_x^r$ ($x =  ...

Score: 1
LWE KEMs and message coding
in flag

In many proposed lattice PKE schemes, the plaintext is encoded or modulated in a simple fashion, e.g. using Kyber-ish notation:

  • key gen: $pk=(A, t=As+e)$, $\quad sk=s\quad$ ($A$ random, $s$, $e$ small random)
  • encrypt: $u=A^tr+e_1$, $\quad v=\langle r,t\rangle +e_2+\tilde{m}\quad$ ($m$ message, $r$, $e_1$, $e_2$ small random)
  • decrypt: $v-\langle s,u\rangle=(\langle r,e\rangle+e_2-\langle s,e_1\rang ...
Score: 2
Cat Dragon avatar
How to calculate Correlation, Difference propagation probability and Algebraic complexity a particular S-box?
it flag

I'm learning about AES. According to the book The Design of Rijndael refers to the design criteria S-box $S_{RD}$ as follows:

Design criteria for $S_{RD}$. We have applied the following design criteria for $S_{RD}$, appearing in order of importance:

  1. Non-linearity.

    a) Correlation. The maximum input-output correlation amplitude must be as small as possible.

    b) Difference propagation probability. The ...

Score: 1
Given the existence of provably-hard-to-solve problems, why do we routinely rely on conjectured-to-be-hard problems for encryption?
br flag

Let $(X, Y, Z)$ be a set of binary strings of length $n$. Let random $X$ be the private key for encoding (or decoding) message random $Y$ as $Z$. Let the encryption algorithm $m$ be a matching function, i.e., for $m(X, Y) = Z$, if $x_i = y_i$, $z_i = 1$, otherwise $z_i = 0$. Now, $m$ is clearly not a one-way function: given output $Z$, it is trivial to define some string pair such that $m(X, Y) = Z$

Score: 1
pXN avatar
Triple DES 1 key to simulate 3 keys
lc flag
pXN

I saw a statement that the probability of finding a key $k'$ to simulate 3 keys $k_1$, $k_2$, $k_3$ is neglectable: $\mathrm{Enc}(k_3,\mathrm{Enc}(k_2,\mathrm{Enc}(k_1,x))) = \mathrm{Enc}(k′,x)$

When not considering MITM attack, the probability of brute forcing triple DES is $1/2^{168}$. According to the statement, does that mean the probability of finding $k'$ is also $1/2^{168}$ so it is negli ...

Score: 3
Ryan B. avatar
Are there "light" versions of cryptographic hash functions?
vn flag

After tinkering with cryptographic hash functions, I started wondering if they do have counterpart functions that would imitate their cryptographic properties but with a lower level of strength in terms of their time/space complexity.

For instance, if I were to test certain collision algorithms in a simplified version of SHA1, which let's call SHA1-light, and it took X minutes to generate a colli ...

Score: 3
Ma Joad avatar
Example situation where an authentication tag can prevent an attack?
hu flag

In Authenticated Encryption, we use an authentication tag to make sure the message is not tampered. The authentication tag can prevent any random bytes sent by the attacker being decrypted by the receiver.

The question is: what sorts of attack (other than sending lots of meaningless random bytes) is the authentication going to prevent? If all the attacker does is to send random bytes, is it possible ...

Score: 3
vimwitch avatar
Analyzing the security of hash approaches
vc flag

Say that I have a random oracle function $H$. This function outputs a value in $\mathbb{F}_{p}$ where $p \approx 2^{256}$. $H$ can accept either one or two inputs (outputting a single value in both cases).

I can hash two elements $x$ and $y$ using either

case 1: $H(x, y)$

case 2: $H(x) + H(y)$ (using modular addition)

How does the security of these approaches differ?

In case 1 there must be collision ...

Score: 5
alainalain avatar
Does any proof exist for the optimal number of primes in a RSA key?
cy flag

My guess is:

  1. Known attack algorithms only work on 2 primes factorization, they don't work on 3+ RSA primes.
  2. More than 3 primes is cpu waste time, better is to increase key length. So 3 primes will be the optimal number.

Example of my program (open source) generating a 30k bits RSA key.:

  • Enter rsa NUMBER of primes: 3
  • Enter rsa (3 primes) key length in bits (0 = defaut = 4096): 30000
  • RSA (N primes) ...
Score: 3
PanosDgs avatar
Compute key size in Hyperelliptic Curve Cryptography
cc flag

I am trying to implement a basic Diffie-Hellman key exchange using ECC and HECC of genus 2 and 3 and compare them. However, I am a bit confused about the concept of key size in HECC.

In ECC, from my understanding so far and considering I am new to the field, the private key size is basically the bit size of the prime that is used to define the prime finite field, where the elliptic curve is defin ...

Score: 1
Jp_ avatar
ZKP vs disposable addresses
sz flag
Jp_

In other words, what does ZKP brings on top of the practice of not reusing addresses?

From my research, ZCash is currently a state of the art example of ZKP application, but what extra benefits does it bring to the scenario where let's say a bitcoin holder created new addresses for each tx it was receiving and not reusing when spending it? Also assuming everyone in the network does the same.

How thi ...

Score: 4
Shivendra Mishra avatar
very smooth hash (VSH) Stepwise examples
kr flag

Can someone please point me to or give me stepwise example of VSH hash function. I couldn't find an example or a reference implementation. I tried to go through original publication but it seems way too cryptic to me.

Score: 3
Manu Bhat avatar
Can using an unknown, non uniform random salt increase difficulty for password attacks?
dz flag

I remember reading a previous stack exchange post (unfortunately was unable to find the link, if someone knows the link that would be great!) about a method to make password checking time for the server be on average less than that for an attacker. Essentially, when the password is first created a random number between, for example, 1 and 100 is added to the salt and plain-text password. This result is  ...

Score: 13
Keen avatar
What can make an implementation of a large integer library unsafe for cryptography
vn flag

Unfortunately, I don't have any references, but I remember people mentioning that some large integer libraries can be unsafe to use for writing cryptographic algorithms such as the RSA.

That made me curious if anyone knows of any examples of vulnerabilities that would be introduced by an unsuitable implementation of a large integer library.

To me, it is somewhat difficult to imagine how that would w ...

Score: 2
vimwitch avatar
Merkle tree alternating hash and polynomial
vc flag

binary tree

I want to get feedback on the security of a modified merkle tree data structure. Using the image above as a reference assume I have a random oracle function $H$. Assume $H$ outputs a value in $\mathbb{F}_p$, and all math is happening in this field too.

The standard approach to calculate $D$ is

$B = H(A, C)$

$F = H(E, G)$

$D = H(B, F)$

The approach I'm considering alternates between hash function and p ...

Score: 2
纪老猴子 avatar
What's the degree of a circuit in homomorphic encryption?
lt flag

In the paper of BGV, I find an interesting sentence as below:

One may view our new scheme as a very powerful SWHE scheme in which this dependence on degree has been replaced with a similar dependence on depth. (Recall the degree of a circuit may be exponential in its depth.)"

The author says that BGV scheme relys on the depth of circuit and previous scheme relys on the degree of circuit, and says t ...

Score: 2
Nigel avatar
Can you make an OCB type AEAD using a stream cipher?
hr flag

This is a hypothetical question. Is it possible to use a stream cipher instead of a block cipher for an OCB type single pass AEAD?

The xor of the plaintext blocks for the authentication tag can't work because a change in the ciphertext doesn't change the plaintext enough so maybe the answer is no.

Score: 0
Khalid avatar
Binary vs Prime field-Elliptic Curve Cryptography
au flag

Binary extension and prime field-based elliptic curves are used in Elliptic curve cryptography (ECC). From the performance point of view, ECC using Binary field are faster and easy to compute on hardware platforms than the prime field. However, ECC using prime field is in use extensively and many standards and many new elliptic curves are in place. Why is that? Does ECC over the prime field more secure  ...

Score: 3
P_Gate avatar
Proof on the bound of Compression and Decompression in CRYSTALS-Kyber
mq flag

I am dealing with the bounding of compression and decompression functions in CRYSTALS-Kyber, see the lemma in this post or the original reference KYBER, section 2.2 topic "Compression and Decompression".

I have not yet found a formal proof of the assertion and have tried to construct my own proof at this point.

As for the proof itself, I must note that I would like a correction. There are one or two ...

Score: 3
How do I construct a recursive polynomial as required in PLONK?
et flag

I am going through Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=LbpPCN-f_XA&t=952s

At around 19 minutes, he gets to the Prod Check Gadget.

Background:

$\omega \in F_p$ is the primitive $k$th root of unity (i.e. $\omega^{k} = 1$)

$\Omega = \{1, \omega, \omega^{2}, ..., \omega^{k-1}\}$

Then he sets $t \in {F_p}^{(\le k)}[X]$ to be the degree-$k$ polynomial such that

$t(1) = f(1)$

Score: 2
Lee Seungwoo avatar
Attacks on Ring-LWE exploiting structure of ideal lattice?
ke flag

Currently every LWE-based cryptographic schemes analyze their security using lattice estimators and lattice estimators analyze the security of standard LWE even though the actual scheme is based on Ring-LWE or Module-LWE. As far as I know, there is no specific attack algorithm on Ring(or Module)-LWE exploiting the ring structure(or, structure of ideal lattice rather than standard lattice) exists.

Score: 2
Bob avatar
What's the fastest way to generate matrix vector Beaver triplets?
cn flag
Bob

$\vec{u_0} + \vec{u_1} = (M_0 + M_1)\cdot (\vec{v_0} + \vec{v_1})$

$P_i$ gets $(\vec{u_i}, M_i, \vec{v_i})$ where $M_i$ is a matrix , $\vec{u_i},\vec{v_i}$ are vectors, with all entries uniformly distributed over $\mathbb{Z}_{2^k}$

Score: 3
Cheng Zhang avatar
Why Pr[C = 1∣M = a] = 1 ≠ 0 = Pr[C = 1∣M = b]?
gi flag

The statement is false. We show this by providing a counter-example.

Define

  • M = {a, b},
  • K = {k1, k2},
  • C = {0, 1}.

Let Enc(k, a) = 0 and Enc(k, b) = 1 for k = k1, k2.

Dec algorithm will return an on input ciphertext 0 and b on input ciphertext 1. Clearly, the scheme is correct.

Pr[C = 1∣M = a] = 1 ≠ 0 = Pr[C = 1∣M = b],
thus showing that the scheme is not perfectly secret.

Why Pr[C = 1∣M = ...

Score: 5
Maloo avatar
How to reveal/prove some personal information later
tr flag

I want to put some personal info like name and email in e.g. some program that I release to the public but I don't want anybody be able to retrieve those personal info and only when I want they can verify that.

The first and simplest way is to hash my personal info and put the hash in the project, like:

sha265('[email protected]')

But that is not very secure because of brute-force and guessing at ...

Score: 2
Homomorphic encryption and program obfuscation
in flag

[Say I want to outsource the computation of $y=f(x)$ without revealing information about $x$, $y$, or $f$. I thought I'd have to combine homomorphic encryption with some obfuscation $\mathcal{O}$, passing along encrypted data $\mathsf{enc}(x)$ and obfuscated program $\mathcal{O}(f)$ to be homomorphically evaluated $\mathsf{eval}(\mathsf{enc}(x),\mathcal{O}(f))$.

However, the following comment from ...

Score: 2
JBaczuk avatar
How to create TLS 1.3 Key Derivation test cases
mx flag

I'm trying to create some test cases for a TLS library for the Key Derivation outlined in RFC 8446 7.1.

I tried to get this information from openssl using the following:

# Generate a ECDH private key

# generate the key to pem format
openssl genpkey -algorithm X25519 -out x25519.pem

# Connect using the private key and log the traffic secrets and display handshake messages
openssl s_client -connect go ...
Score: 3
pintor avatar
Security of modular exponentiation for non-uniform inputs
ng flag

Suppose we have a function $F = f_{s}(x)$ with a key $s \gets \mathbb{Z}_q$ that on input $x$ outputs modular exponentiation $x^s$, where $\mathbb{G}$ is a cyclic group of order $q$ where DDH is hard. If $x$ is selected uniformly at random from $\mathbb{G}$, then modular exponentiation $F$ behaves like a weak PRF (Naor et. al "Distributed Pseudo-Random Functions and KDCs").

However, what happens whe ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.