Latest Crypto related questions

Score: 1
Kevin Perez
Communication through shared seed in RNG

Given that there are two parties, and a process has been conducted by which both parties are knowledgeable of a shared value p, how could two parties communicate with each other over a public channel using the value p as a seed for a random number generator?

Score: 3
Uwe Kohl
Why does FIDO2/WebAuthn really need to generate a separate key-pair for each site?

I understand that FIDO2/WebAuthn generates a separate key-pair for each web-site (domain), and only allows a specific key-pair to be used for authentication on the same web-site (domain) who originally generated/registered that key-pair with the browser/authenticator. Also, I'm aware that this is done in order to prevent Man-in-the-Middle and "Phishing" attacks.

This specification defines an API enabling ...
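Added example, not from the question or from the WebAuthn specification: the two server-side checks that make the per-site scoping bite. The authenticator hashes the RP ID it was given into the first 32 bytes of the authenticator data, and the browser only lets a page ask for an RP ID that is its own host or a parent domain of it, so a look-alike origin can never obtain an assertion whose rpIdHash matches the real site. The sample authenticator data and clientDataJSON below are constructed; the signature check over authData || SHA-256(clientDataJSON) and the challenge comparison are left out, and the public-suffix rule that real browsers also apply is not modelled.

```python
import hashlib
import json
import struct
from urllib.parse import urlsplit

# Layout of WebAuthn authenticator data (first 37 bytes, extensions ignored here):
#   rpIdHash  (32 bytes)  SHA-256 of the RP ID the authenticator scoped the credential to
#   flags     (1 byte)    bit 0 = user present, bit 2 = user verified
#   signCount (4 bytes)   big-endian signature counter

def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed sample of what an authenticator emits for a given RP ID."""
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """The browser only lets a page request an RP ID equal to its host or a parent domain.
    Assumption: public-suffix rules (which also forbid rp_id="co.uk") are not modelled."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def verify_assertion_scope(auth_data: bytes, client_data_json: bytes,
                           expected_rp_id: str, expected_origin: str) -> bool:
    """Server-side scope checks from the assertion verification procedure.
    The signature over authData || SHA-256(clientDataJSON) is checked elsewhere."""
    if len(auth_data) < 37:
        return False
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False
    if client.get("origin") != expected_origin:          # phishing origin rejected here
        return False
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode("ascii")).digest():
        return False                                      # key scoped to a different RP ID
    return bool(auth_data[32] & 0x01)                     # user presence required

def client_data(origin: str) -> bytes:
    """Constructed clientDataJSON as the browser would build it for `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": "constructed-challenge",
                       "origin": origin}).encode()

def scope_demo() -> dict:
    rp_id, origin = "example.com", "https://login.example.com"
    legit = verify_assertion_scope(make_auth_data(rp_id), client_data(origin), rp_id, origin)
    # A look-alike site can only obtain an assertion scoped to its own RP ID, and its
    # clientDataJSON carries its own origin; both checks fail at the real server.
    evil_origin, evil_rp_id = "https://example.com.evil.net", "example.com.evil.net"
    phish = verify_assertion_scope(make_auth_data(evil_rp_id), client_data(evil_origin),
                                   rp_id, origin)
    return {"legit": legit, "phish": phish,
            "evil_may_request_real_rp_id": origin_matches_rp_id(evil_origin, rp_id)}
```

The rpIdHash check is what ties a credential to one site: even if a phished user touches the authenticator, the resulting assertion is scoped to the attacker's RP ID and is rejected by the real server, which is why a shared key-pair across sites would not give the same guarantee.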

Score: 1
PLONK Prod Check Proof - why does it have to be proven up to the last element of the set? It should be enough to prove it up to the last but one element

I am going through Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=LbpPCN-f_XA&t=952s

At around 19 minutes, he gets to the Prod Check Gadget.

Background:

$\omega \in \mathbb F_p$ is the primitive $k$th root of unity (i.e. $\omega^{k} = 1$)

$\Omega = \{1, \omega, \omega^{2}, ..., \omega^{k-1}\}$

Let $t(1) = f(1)$ and $t(\omega^s) = \prod_{i=0}^s f(\omega^i)$ for $s = 1, ..., k-1$. ...

Score: 10
nialv7
Prove that what's running inside a black box is code that has been released publicly

Suppose someone has a black box, which is running some program. This box has some internal states, and we can observe the outputs it produces. Now someone comes along and claims to have released the source code of the program running on that black box. Is there a way to verify that claim, without also requiring the disclosure of its internal state? (A practical example of this could be, say, Twitter's recomm ...

Score: 9
Maksym Shcherban
Does this RSA decryption scheme make sense?

A custom file format has a header encrypted with a 2048-bit RSA public key. I need to decrypt it using a 2048-bit RSA private key. The header has 48 bytes, and according to the scheme I got for the task, after decryption I should get 48 bytes of "plaintext" payload.

However, this scheme does not make any sense to me. It is my understanding that if we encrypt something using a 2048-bit RSA key,  ...

Score: 2
gagiuntoli
Chaum-Pedersen protocol adapted to elliptic curves

Is it possible to adapt the Chaum-Pedersen protocol for using elliptic curves by simply replacing the exponentiation with scalar products?

For example, if g is a point in the curve, then g^k is the scalar multiplication k*g as defined for elliptic curves. Would that still work?

I took the diagram from here.

Update: In the verification process, there is this: g^s * y1^c, which would be like a product of ...
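Added example, not from the question or its linked diagram: the Chaum-Pedersen equality-of-discrete-logs proof with every exponentiation replaced by scalar multiplication, so that the verifier's g^s * y1^c becomes s*G + c*Y1. The curve is secp256k1 (public constants); the second base H is derived here as a hash-chosen multiple of G, which is an assumption for the demo, and the challenge is made non-interactive with Fiat-Shamir. Point arithmetic is affine and not constant time, fine for seeing the algebra, not for a real prover.

```python
import hashlib
import secrets

# secp256k1 parameters (standard public constants); any prime-order group works.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def challenge(*points):
    """Fiat-Shamir challenge over all public values of the transcript."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

# Second base H. Assumption for the demo: a hash-chosen multiple of G. In a deployment
# H comes from hashing to the curve so that nobody knows log_G(H).
H = ec_mul(int.from_bytes(hashlib.sha256(b"chaum-pedersen second base").digest(), "big") % N, G)

def cp_prove(x):
    """Prove log_G(Y1) = log_H(Y2) = x without revealing x."""
    y1, y2 = ec_mul(x, G), ec_mul(x, H)
    r = secrets.randbelow(N - 1) + 1          # fresh per proof: reusing r across proofs leaks x
    a1, a2 = ec_mul(r, G), ec_mul(r, H)
    c = challenge(G, H, y1, y2, a1, a2)
    s = (r + c * x) % N
    return (y1, y2), (a1, a2, s)

def cp_verify(y1, y2, proof):
    """s*G == A1 + c*Y1 and s*H == A2 + c*Y2, the additive form of g^s = a1 * y1^c."""
    a1, a2, s = proof
    if not 0 < s < N:
        return False
    c = challenge(G, H, y1, y2, a1, a2)
    return (ec_mul(s, G) == ec_add(a1, ec_mul(c, y1))
            and ec_mul(s, H) == ec_add(a2, ec_mul(c, y2)))
```

Both verifier equations must hold for the same s and c; a prover who knows the discrete log of only one of Y1, Y2 can satisfy one equation but not the other, which is the point of the protocol.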

Score: 1
millie
Plain Text and Cipher Text terminology when double encrypting?

Say I have some message like "Hello World" that I want to encrypt, I get that Hello World is the Plain Text and the output from the encryption is called Cipher Text.

But, let's say I want to encrypt the data again, so I feed in the cipher Text from first round back into the encryption algorithm and then get the new cipher text out.

Effectively I have:

PlainText1 -> EncryptRun1 -> CipherText1

 ...

Score: 2
PLONK Product Check Proof. Why is the 2nd condition required?

I am going through Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=LbpPCN-f_XA&t=952s

At around 19 minutes, he gets to the Prod Check Gadget.

Background:

$\omega \in \mathbb F_p$ is the primitive $k$th root of unity (i.e. $\omega^{k} = 1$)

$\Omega = \{1, \omega, \omega^{2}, ..., \omega^{k-1}\}$

Let $t(1) = f(1)$ and $t(\omega^s) = \prod_{i=0}^s f(\omega^i)$ for $s = 1, ..., k-1$. ...
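Added example, not from the video or from either PLONK question above, serving both of them (this one and the earlier one about checking up to the last element): a toy instance of the product-check gadget over F_17 with k = 8 and omega = 2. It assumes the gadget checks (1) t(omega^{k-1}) = 1 and (2) t(omega * x) = t(x) * f(omega * x) for every x in Omega, and builds a dishonest t that passes (1) and the recurrence at omega^0 .. omega^{k-2} for an f whose product is not 1. The wrap-around point x = omega^{k-1}, where omega * x = 1, is what forces t(1) = f(1) and catches it.

```python
# Toy field and domain (constructed): p = 17, k = 8, omega = 2 has order 8 in F_17.
P, K, OMEGA = 17, 8, 2

def w(i: int) -> int:
    """omega^i as a field element."""
    return pow(OMEGA, i, P)

def make_f(values):
    """f as a table over Omega: values[i] = f(omega^i)."""
    assert len(values) == K
    return {w(i): v % P for i, v in enumerate(values)}

def honest_t(f):
    """t(omega^s) = prod_{i<=s} f(omega^i), the running product an honest prover commits to."""
    t, acc = {}, 1
    for i in range(K):
        acc = acc * f[w(i)] % P
        t[w(i)] = acc
    return t

def prod_check(f, t, domain) -> bool:
    """(1) t(omega^{k-1}) = 1 and (2) t(omega*x) = t(x) * f(omega*x) for every x in `domain`."""
    cond1 = t[w(K - 1)] == 1
    cond2 = all(t[x * OMEGA % P] == t[x] * f[x * OMEGA % P] % P for x in domain)
    return cond1 and cond2

def cheating_t(f):
    """Built backwards from t(omega^{k-1}) = 1: satisfies (1) and the recurrence at
    omega^0 .. omega^{k-2} for ANY f. Only the wrap-around point x = omega^{k-1},
    where omega*x = 1, ties t(1) to f(1) and exposes a product that is not 1."""
    t = {w(K - 1): 1}
    for s in range(K - 1, 0, -1):
        t[w(s - 1)] = t[w(s)] * pow(f[w(s)], -1, P) % P
    return t

FULL = [w(i) for i in range(K)]          # all of Omega, including omega^{k-1}
ALL_BUT_LAST = FULL[:-1]                 # what "up to the last but one element" would check
F_GOOD = make_f([3, 5, 7, 2, 4, 6, 8, 4])   # product is 1 mod 17
F_BAD = make_f([3, 5, 7, 2, 4, 6, 8, 5])    # product is 14 mod 17
```

Without condition (2) the prover could commit to any t with t(omega^{k-1}) = 1; without the check at the last element, condition (2) never constrains t(1), so the recurrence can start from an arbitrary value and still end at 1.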

Score: 3
zzazzles
What kind of hashing is GF multiplication in GCM cipher mode and GMAC?

In GCM, GMAC, the additional associated data (AAD) (as well as outputs of subsequent blocks) is multiplied by a polynomial H in GF(2^128). This appears to be doing some secure hashing.

Is that what's happening, and if so, is this a general hashing method that's used elsewhere?

Score: 3
Craig Feinstein
Solving subset sum via the LLL algorithm

I wrote code that solves the subset sum problem via the LLL algorithm, as given in chapter three of the Handbook of Applied Cryptography https://cacr.uwaterloo.ca/hac/

I ran the code on ten random sets, each with positive integers from one to $2^n$, each with a random subset adding up to a target integer. The code found the solution ten out of ten times when $n=10$.

However when I ran the code on ten ...

Score: 4
Bean Guy
Why pairing domains are subgroups of the r-torsion group?

In pairing based cryptography (PBC) we restrict the pairing domains to be subgroups of the $r$-torsion group $E[r]$. This raises two questions for me:

  1. Why do we restrict them to subgroups of $E[r]$? Couldn't we use, for instance, the whole group of points $E$? Or a mixture between various torsion groups? (As long as they are sufficiently large to ensure security)
  2. If so, what happens if I evaluate  ...

Score: 1
Dimitri Koshelev
Secure permutation of $E(\mathbb{F}_q)$ as a set for an elliptic curve $E$ over a finite field $\mathbb{F}_q$

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. For simplicity, let the group $E(\mathbb{F}_q)$ be of prime order.

Assume that I know how to construct an efficiently computable permutation of $E(\mathbb{F}_q)$ as a set, that is, just a bijective map $\phi: E(\mathbb{F}_q) \to E(\mathbb{F}_q)$ rather than a group homomorphism. Moreover, $\phi$ satisfies the property that for every non ...

Score: 1
Zi-Yuan Liu
Is it appropriate to prohibit an adversary from querying a specific input in an algorithm in some situation?

There are two algorithms in my framework, $E_1(\cdot)$ and $E_2(\cdot)$.

In particular, executing $E_1(\cdot)$ on a specific input $x$ (i.e., $E_1(x)$) is equivalent to executing $E_2(y)$ for some input $y$.

Suppose the security model of this framework allows an adversary $\mathcal{A}$ to query $E_1(\cdot)$ with any input, and prevents $\mathcal{A}$ from querying the $E_2(\cdot)$ algorithm.

Can I prev ...

Score: 2
Mysterious Shadow
Salts are stored with the hash - so for a single user it's no security advantage?

A hacker goes into a database and downloads a bunch of hashes and salts of users with knowledge of the hashing method. Say this is one entry that got downloaded:

cbc0a790b2f28fc72ca43eb749028b9f:21022011 (hash:salt)

Without the salt, the hacker simply computes 100M common passwords and their hashes and find matches. With the salt, the hacker simply computes 100M common passwords + 21022011 and their ...
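Added example, not from the question: the attacker's cost counted for a leaked table with and without per-user salts. The user list, salts and dictionary are constructed; MD5 is used only because the question's 32-hex-character hash suggests it, not because it is an acceptable password hash. For one target the salted cost is indeed one dictionary pass, the same as unsalted; what changes is that the unsalted table is built once and reused against every user, while the salted attack pays a full pass per user and cannot see that two users share a password.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: name -> (password, per-user salt).
DICTIONARY = ["password", "123456", "letmein", "qwerty"]
USERS = {
    "alice": ("123456", "21022011"),
    "bob":   ("qwerty", "a9f3c1e0"),
    "carol": ("123456", "7b2d0c44"),
    "dave":  ("correct horse battery staple", "e1e1e1e1"),
}

def h(password: str, salt: str = "") -> str:
    """hash(password || salt), matching the question's hash:salt layout."""
    return hashlib.md5((password + salt).encode()).hexdigest()

def crack_unsalted(db: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """One table of |dictionary| hashes serves every user, and equal passwords share a hash."""
    table = {h(c): c for c in dictionary}
    found = {u: table[digest] for u, digest in db.items() if digest in table}
    return found, len(dictionary)

def crack_salted(db: Dict[str, Tuple[str, str]], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Each user costs a fresh pass over the dictionary; nothing carries over between users."""
    found, ops = {}, 0
    for u, (digest, salt) in db.items():
        for c in dictionary:
            ops += 1
            if h(c, salt) == digest:
                found[u] = c
                break
    return found, ops

def compare() -> Tuple[int, int]:
    """Hash operations needed to attack the whole leaked table, unsalted vs salted."""
    unsalted_db = {u: h(pw) for u, (pw, _) in USERS.items()}
    salted_db = {u: (h(pw, salt), salt) for u, (pw, salt) in USERS.items()}
    f1, ops_unsalted = crack_unsalted(unsalted_db, DICTIONARY)
    f2, ops_salted = crack_salted(salted_db, DICTIONARY)
    assert f1 == f2 == {"alice": "123456", "bob": "qwerty", "carol": "123456"}
    return ops_unsalted, ops_salted
```

If every user shared the same salt the precomputed-table attack would return unchanged, which is why salts must be per user and random. The per-guess cost itself is set by the hash function, and that is the job of a slow, salted KDF such as scrypt or Argon2 rather than of the salt.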

Score: 1
reticus
Could this be a cipher or not?

I am trying to solve a puzzle, and I think I have to solve a cipher. But I'm not actually sure what I have to do ... Example:

The diu uff i dve. lleive pi he bl hle f he mi Nw ie d hiie d eve me Biie ide hi i. Ti Bii imli Vili Buei G Bii Ti imli, Gee li bei ipped el be ie EL lvd ie Nvz d ell u h u. lle Re Ve Bl ize W ee m) ull Sp. 5% hii fi d ld ve deh he eul f Bii iible ue f ll vilble ee. hii Th ...

Score: 1
Jarron
Using Self-Generated Random Bits Instead of the Initialization Vector (IV)

I think my understanding of the initialization vector (IV) might be lacking, but as I understand it, an IV is used to add randomness to an encrypted message so that the message is difficult for an attacker to crack. The randomness part I can see the importance of.

The part I can’t get my head around is why use the IV. For example, say I add 16 random bits to the start of my message and encrypt  ...
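Added example, not from the question: what the "random block in front of the message" trick actually does in two modes. The block cipher is a constructed 16-byte keyed Feistel permutation built from SHA-256 so the example runs without extra libraries; it stands in for AES and is not secure. In CBC a random first block under a fixed IV is equivalent to encrypting the message under a random IV equal to the first ciphertext block, so the trick works there. In CTR (or any stream mode) the prefix changes nothing about the keystream, and two messages under the same nonce leak their XOR. Messages are assumed to be multiples of 16 bytes.

```python
import hashlib
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel permutation with a SHA-256 round function.
    A stand-in for AES so the example is self-contained; NOT a secure cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    assert len(msg) % BLOCK == 0          # assumption: caller pads
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = toy_block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """nonce is 12 bytes; keystream block i = E(nonce || i)."""
    out = []
    for i in range(0, len(msg), BLOCK):
        ks = toy_block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out.append(xor(msg[i:i + BLOCK], ks))
    return b"".join(out)

FIXED_IV = bytes(BLOCK)
FIXED_NONCE = bytes(12)

def cbc_prefix_equals_random_iv(key: bytes, msg: bytes) -> bool:
    """CBC, fixed IV, random first block: the rest is CBC under IV = first ciphertext block."""
    prefix = os.urandom(BLOCK)
    ct = cbc_encrypt(key, FIXED_IV, prefix + msg)
    return ct[BLOCK:] == cbc_encrypt(key, ct[:BLOCK], msg)

def ctr_prefix_leaks(key: bytes, m1: bytes, m2: bytes) -> bool:
    """CTR, fixed nonce, random prefixes: XOR of the ciphertext tails is m1 XOR m2."""
    c1 = ctr_encrypt(key, FIXED_NONCE, os.urandom(BLOCK) + m1)
    c2 = ctr_encrypt(key, FIXED_NONCE, os.urandom(BLOCK) + m2)
    return xor(c1[BLOCK:], c2[BLOCK:]) == xor(m1, m2)
```

Two practical caveats follow from the CBC case: the prefix must be a full unpredictable block (16 random bits give only 65536 values and start repeating after a few hundred messages), and it buys nothing that a random IV does not, while costing an extra block and a non-standard construction that other implementations will not interoperate with.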

Score: 2
zzazzles
Is PAKE more secure than WPA2?

As I understand it, in WPA2, the shared key (for encryption) is derived from the password, plus nonces and identities used in the initial 4-way exchange. An attacker who was able to sniff the initial exchange could perform an offline dictionary attack on the AP password.

I've also learned about PAKE protocols that also derive cryptographic keys from a shared, low-entropy password, but are resista ...

Score: 1
WhatIsName
Rule 30 based block cipher

So I went ahead and wrote this little program. What it does is it takes a password for a seed and generates a (pseudo-random) bit-pattern using rule 30 from cellular automata. It then XORs our input file with the same-length pattern. In theory this should be secure, given I would start padding the plaintext and only use a password once?

import sys

def rule30(a, b, c):
    return (a ^ (b | c)) & ...

Score: 2
gamarcad
Reduction from Distinguisher to Indistinguishability

Content and Informal Problem

Suppose a protocol $\pi$ doing an arbitrary task between two users A and B. I only know that $\pi$ relies on an IND-CPA symmetric encryption scheme $\mathcal{E} = $(KeyGen, Enc, Dec). In detail, A holds a key $k$ and in $\pi$ computes encryptions of $n$ messages $m_1, \dots, m_n$, providing to B the ciphertexts $\psi_1, \dots, \psi_n$.

To prove the security of $\pi$, I compute a ...

Score: 5
p_1092131280
Why is forward secrecy needed at X3DH?

In the official documentation of the X3DH Algorithm (link) an analysis is made about forward secrecy. Forward secrecy would be a useful property if we repeated the protocol multiple times. But in the Signal Protocol it is always used only once, to initialize the Double Ratchet Algorithm (which then on its own leads to forward / backward secrecy and so on). So why do we care about the security f ...

Score: 0
Ole Tange
Does the article "Factoring integers with sublinear resources on a superconducting quantum processor" affect ECC?

"Factoring integers with sublinear resources on a superconducting quantum processor" seems to indicate the end is getting closer for RSA - much faster than anticipated earlier:

We proceed by estimating the quantum resources required to factor RSA-2048. We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain syst ...

Score: 0
xrfang
ECDH security vs. type of elliptic curve

While using ECDH key exchange, we can choose to use different kinds of elliptic curves, e.g. P224, P256 or P384 etc. (btw, I am using go).

My question is, what are the criteria to choose between different kinds of elliptic curves? Is it related to the desired security level? If yes, what is the "rule of thumb" to choose between the curves?

Score: 5
Bakudo81
Encrypting a symmetric key which requires 2 keys to decrypt?

Let's say a device has 2 private keys and service has the 2 corresponding public keys. Is there an efficient way to encrypt a symmetric key from the service side utilizing the 2 public keys, such that on the client, it requires both private keys in order to decrypt?

I.e if I only have private key 1, I am unable to decrypt the encrypted symmetric key.

I believe one way could be double encrypting it?  ...

Score: 1
Daniel Chan
How to design a Zero-Knowledge Proof of a message in a certain range?

Given a message $m$, how can I prove that $m$ lies between 0 and 31 without revealing the message using a Sigma protocol?

The message is encrypted as:

$$c = a^{\beta} \cdot g^m ,$$

where:

  • $a$ is the public key of the receiver,
  • $\beta$ is the secret key of the sender, and
  • $g$ is a generator of a cyclic group $G$ of prime order $q$.

I know I need to use "OR" composition and the Diffie-Hellman (DH) tri ...

Score: 2
Ali Haktan German
Is there a version of LWEEncrypt in which probability of decryption error is zero?

Is there a modification to the LWE public-key cryptosystem which makes the decryption process totally deterministic and does not affect security?

Score: 1
Dimitri Koshelev
Constant-time decompression on an elliptic curve

Let $E\!: y^2 = f(x)$ be an elliptic curve over a finite field $\mathbb{F}_{q}$ of odd characteristic. Consider an $\mathbb{F}_{q}$-point $P = (x,y)$ on $E$. Suppose that we only have the $x$-coordinate (with one auxiliary bit) and we want to recover $P$, that is, the value $y = \sqrt{f(x)}$.

Assume that the field $\mathbb{F}_{q}$ is highly $2$-adic, i.e., $q-1 = 2^\nu m$ for the large $2$-adicity

Score: 0
alpominth
If I encrypt two plaintexts with different keys, XOR the ciphertexts and send to an adversary, what can he/she do with what I sent?

Let's suppose I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting ciphertexts and send this XORed block to an adversary. Remembering that the adversary will not have access to resulting ciphertexts, only the XOR of them.

What could he/she do with the XORed block? Can he/she find the keys I used, or even the plaintext of one of the ciphertexts in ...

Score: 1
U. Windl
Role of IV in Perl's Crypt::Rijndael

Sorry in advance if I'm asking a stupid question:

I thought the role of "IV" in encryption is to avoid having identical ciphertext for identical plaintext. So one could use some random IV.

Writing some Perl code I'm confused, however. Consider this test code:

use Crypt::Rijndael;
my $cipher = Crypt::Rijndael->new('x' x 16, Crypt::Rijndael::MODE_CBC());
$cipher->set_iv('IV' x 8);
my $data = 'ol ...

Score: 3
fgrieu
Cost of attacking textbook RSA signature of $b$-bit hash of the message

A signature system applies textbook RSA to a $b$-bit hash of the message. What's the cost (preferably, as CPU time on common hardware) of existential forgery assuming known signature of $r$ random messages? How much is that reduced if public exponent is very small ($e\le7$)?

We assume

  • Safe RSA public key $(n,e)$ and matching secret private key $(n,d)$ with $n$ of $\ell$ bits and $2048\le\ell\le8192$

Score: 4
AlexVal
Where does signing/decrypting take place on a YubiKey 5 for PGP private key?

I have found similar question for PIV (and not PGP)

I assume PIV and OpenPGP would work in similar ways. I also assume that the GPG private key never leaves the Yubikey.

If these assumptions are correct then:

  • at encryption: a symmetric key is generated and encrypted on the sending computer using the GPG public key, then message is encrypted on the sending computer using symmetric key
  • at decryption: the  ...
