Latest Crypto related questions

Score: 5
Rory avatar
Do we need the quantum random oracle model (QROM)?
mp flag

I am currently studying the proof of the Dilithium signature in the quantum random oracle model (QROM). I am curious to hear if anyone have any thoughts on the importance of having proofs in the QROM or if proofs in the standard random oracle model should be sufficient?

Have been exploring the topic briefly with some mates and considered it along the lines that the ROM has stood the test-of-times ...

Score: 0
glesage avatar
Use Shamir's Secret Sharing Scheme to split a key between a client, a server and multiple 3rd parties
us flag

I'm trying to design an encryption system for a new mobile app and am thinking of using Shamir's Secret Sharing Scheme in a way which I have not seen before. Does this seem possible or does it violate some mathematical concept I'm not understanding in SSS?

I want to split a key generated on the user's mobile device where:

  • n parts are necessary to rebuild it
  • n-1 parts are stored on the user's mobile devic ...
Score: 1
user108520 avatar
How to give a hybrid proof that IND CPA secure implies multiple query IND CPA secure and vice versa?
eh flag

For a public-key encryption scheme (Gen,Enc,Dec), the textbook definition of IND-CPA security is the following:

  1. The challenger runs (pk,sk)←Gen and sends pk to the adversary.
  2. The adversary performs some computation, chooses (m0​,m1​) and sends them to the challenger.
  3. The challenger runs ct←$Enc(pk,mb​) , b←${0,1}, and sends ct to the adversary.
  4. The adversary performs some computation a ...
Score: 0
DP2040 avatar
Is a pseudorandom function (PRF) also a one-way function (OWF)? If yes, how can we proof that a PRF $f_k$ is a OWF? If no, what is the closest work?
cg flag

Let $f_k$ be a PRF. We claim that $f_k$ is a OWF. PROOF let $f_k$ is not a OWF, there exists a $PPT$ algorithm $A$ that can invert $f_k$ with non-negligible advantage. Even if we know the input $x$ for given $f_k(x)$ with a non-negligible advantage, how can we claim that we can distinguish $f_k(x)$ from random with non-negligible advantage? Here, a key $k$ is still secret.

Score: 0
Looking for the proof of the prod check gadget referred to by Boneh in his PLONK video
et flag

I am going through Dan Boneh's video tutorial on PLONK Polynomial IOPs - https://www.youtube.com/watch?v=vxyoPM2m7Yg

He describes 3 type of proof gadgets he will use Proof Gadgets

He gives a proof of the Zero Test which I understood. However, he doesn't cover the proof for the Sum Check & Product Check in his video.

Prod Check

Prove that $\prod_{a \in H} f(a) = c$

He says that has Product Check covered in ...

Score: 4
notatypewriter avatar
What is the impact of leaving a salt used in HKDF open to attacker control?
lu flag

RFC 5869 for HKDF says "an application needs to make sure that salt values are not chosen or manipulated by an attacker".1 Soatok also discusses some nuances in choosing salts for HKDF.2 This question also discusses a situation where it led to a vulnerability.3

While these sources all indicate that salts should not be left to attacker control, I would like to know exactly what is put at risk by doin ...

Score: 3
Prashant Agrawal avatar
Variant of CCA security for Paillier with blinded decryption oracle
ad flag

Consider a variant of the Paillier encryption scheme where the message space is restricted to $\mathbb{Z}_q$ such that the RSA modulus $N$ of the Paillier cryptosystem satisfies $N > q + q^2$. I am interested in the following variant of the CCA security game where the decryption oracle answers with not a complete decryption of the requested ciphertext but with an integer blinding of it:

  • $\mathcal{C}: ...
Score: 1
Wan avatar
Is every pseudorandom generator a one-way function, even if the output length has no extra restrictions?
se flag
Wan

Intuitively, if we can invert a PRG, then we can easily distinguish it with random distribution by checking g(inverse(y)) = y. So every PRG is a OWF?

Unlike the problem "Is every pseudorandom generator a one way function?", i can prove that if the output length is large enough (for example |g(x)| >= 2|x|) then the PRG must be a OWF, but it seems that such a restriction is not necessary.

Score: 1
How to compute a ciphertext length from a cryptographic scheme?
va flag

I am trying to understand how this ciphertext length is calculated from a signcryption scheme to analyze the communication cost. I understand, we consider the key length and the message length to calculate the ciphertext length. But don't understand at what step and what parameters we actually consider. For example, in the given paper "A secure and lightweight certificateless hybrid signcryption s ...

Score: 3
darkFunction avatar
If a trusted entity is required to attest to a user's data accuracy, what is the value-add of ZKP's?
um flag

I think I understand the value of using ZKP's for proving things about data in isolated systems, like for privacy and computation roll-ups in blockchains L2's.

But I hear a lot about real-world use-cases, a classic example is proving your age is above a certain number, or proving your income to a mortgage lender, without revealing exact figures. While this sounds fantastic, in both these scenario ...

Score: 4
user108492 avatar
Reducing exact SVP to exact SIVP
gf flag

In "Efficient reductions among lattice problems" by Micciancio (2007) it is said, that

SVP reduces to SIVP in their exact versions.

I did not found anything about this fact, is a reduction that trivial? Does the same hold for their approximation versions?

Score: 0
Aviril Smith avatar
Finding block mode and key length from encrypted data
au flag

I have an AES encrypted data and the key, but I am not able to tell the block cipher mode [ECB|CBC|CTR] used in encryption or know the key length.

Below is the encrypted data output in java.

{"encrypt_data":"GorwlI4cdifSjaKM0Uu4v24DewQqsaN3VTkZMmtDZkttVdoUEV23mBYlYhbcB/oN","encrypt_aes_key":"VRkSYqtGUBr4Zzt7ET8kMw2dvrQkOBH2cGWYwKhNRUU5fCVP+UhZSDKDpQSwx5aHQNIGApRq9INRzLTlB9uJjUXgbl0yEL0Ztyk5OpBU4pIk1imRF ...

Score: 2
shockedeel avatar
FHE Relinearization
gu flag

I don't understand why relinearization is so significant. I understand the equations in the paper (in this post I'll be using notation from BV but I would it applies to BGV+BFV) but if anything it seems like it would be less efficient. We go from: $$h_0+\sum_ih_ix_i+\sum_{i,j}h_{i,j}x_ix_j$$ to utilizing t and getting: $$h_0+\sum_ih_i(b_i-\langle a_i,t\rangle) + \sum_{i,j}h_{i,j}(b_{i,j}-\langle a_{i, ...

Score: 3
Dor avatar
Fast and secure pseudo random generator with Linux tools
za flag
Dor

The conventional and simple wisdom is to combine head with /dev/urandom to create the amount of pseudo-random data that is needed. But that is slow.

I found a faster method - cryptsetup FAQ suggests to use its mechanism.
See 2.19 at:
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

But the issue with this method is that root privileges are required for the mapping by cryptsetup ...

Score: 3
Abced Decba avatar
Definition of soundness for interactive proof systems
gq flag

I am reading the Wikipedia page for Interactive proof systems and am having trouble understand the notation in the definition of soundness, many of which is left unspecified.

Given a formal language of strings $L$, a verifier $\mathcal{V}$ for this language satisfies the soundness property if for every prover $(\tilde{\mathcal{P}})$ and every $y \notin \mathcal{L}$,

$$ \operatorname{Pr}[(\bot,(\t ...

Score: 3
riccardo avatar
zerocoin ZKSoK Pedersen commitment process
bq flag

I am studying the zerocoin paper‡. More precisely I am stuck at page 6, on the Spend function (in paragraph "B. Our construction"). I am not understanding how the ZKSoK is computed. Let's consider the Pedersen commitment as $$C\gets g^Sh^r\bmod p$$

I've found a lot of examples online but they all refer to a case where the "secret" is $ω$: $x=g^ω$ And $x$ is public. I understand the steps in  ...

Score: 3
Tarick Welling avatar
Why was A doubled in size
nl flag

Why was the dimension of A doubled in kyber?

LWE encryption uses a public matrix A of dimension K but kyber uses a double matrix A resulting in $A ^{ k * k * n }$

When deriving the results of the definition of gen, enc en dec this results in:

$$ RA_0 S + RA_1 S + RE + E_3 + \frac{q}{2}m - RA_0 S + RA_1 S + ES \\ $$

Which reduces into: $$ RE + E_3 + \frac{q}{2}m - ES $$

Which is equivalent to the

Score: 0
Jeffrey avatar
Security assumption: Where is an assumption from (who provides and formalizes it)?
bo flag

Is there a list of all the (most) assumptions (such as RSA and DDH assumptions) used in cryptography and the corresponding properties?

Score: 2
siba36 avatar
What are the RCons for mini-AES if you want to encrypt more than 2 rounds?
us flag

I'm implementing impossible differential cryptanalysis on mini-AES using Raphael phan's paper.

I've coded mini-AES using Raphael phan's first paper on the structure of mini-AES, where he only mentions 2-round mini-AES.

But in the impossible differential paper we're attacking 5-round mini-AES so I need to extend the key generation algorithm and to do this I need $5\;rcon$ but the paper only mention ...

Score: 0
alpominth avatar
Hashing a seed full of entropy with a cryptographic hash function and emiting a key with the same size as input: can a collision attack occurs?
il flag

I read this in the documentation of HighwayHash:

By contrast, 'strong' hashes such as SipHash or HighwayHash require infeasible attacker effort to find a hash collision (an expected 2^32 guesses of m per the birthday paradox) or recover the seed (2^63 requests). These security claims assume the seed is secret. It is reasonable to suppose s is initially unknown to attackers, e.g. generated on start ...

Score: 1
Champ885 avatar
What does it mean when they say IKEv1 does not support asymmetric authentication?
hn flag

I read somewhere that ike1 does not support asymmetric authentication. Does that mean that it does nit support PKI authentication (digital certs)?

Thanks Champ

Score: 3
Craig Feinstein avatar
One way function candidate based on the Collatz function
ru flag

I am relatively new to cryptography and am curious what cryptographers would say about what I think is a beautiful one-way hash function described in a paper I found here https://arxiv.org/abs/1801.05079

To summarize the hash function, the Collatz function $f: \mathbb N \rightarrow \mathbb N$, is defined as $f(n)=(3n+1)/2$ when $n$ is odd and $f(n)=n/2$ when $n$ is even.

Let $n$ be composed of 512 bits.  ...

Score: 1
ShAr avatar
What is the difference between those two KZG Polynomial Commitment Schemes?
cn flag

In short what are the differences (pros & cons) between multiplying by powers of Tau (from this lecture https://youtu.be/tAdLHQVW) from this lecture https://youtu.be/tAdLHQVWlUY

and raising to powers of Tau (from this lecture https://youtu.be/xuGQYEvytxk) from this lecture https://youtu.be/xuGQYEvytxk

I know pairing is used by the verifier in both, and that they deferred the pairing details to the next lecture to get a better understanding of the idea first, but I don't understand wh ...

Score: 1
securityauditor avatar
How does the plausible deniability used by TrueCrypt work mathematically?
sa flag

I have been unable to find any mathematical explanations on how TrueCrypt's plausible deniability encryption works, when using TC containers.

Would someone be able to provide a mathematical walkthrough of how it works?

Other encryption systems implementing things in a similar way is outside the scope of my question. Also, whilst I have some experience in the theoretical side of cryptography, the sim ...

Score: 1
DivideByZero avatar
Hash Flooding a Randomized Modular Hash Table
ar flag

Assume we have a hash table using the function h(x) = x mod 32. h(x) = x mod 33. Also assume it dynamically resizes by doubling the amount of buckets and rehashing. If I was able to provide inputs for the hash table it would be really easy to flood with colliding entries to slow lookups to O(n).

However, say we were to xor each input with a random pepper before hashing. If the input is ever longer t ...

Score: 0
baro77 avatar
assumption needed to work in Generic Group Model
gd flag

KZG poly-commitment & QAP linear PCP can be proved sound under Knowledge of Exponent assumption or Generic Group Model (I take it for granted from lecture 6 and 9 of ZK-MOOC https://zk-learning.org/), and it seems to me GGM is the preferred one because it permits less trusted setup parameters.

If I have understood correctly, GGM core is about considering opaque the group elements encoding/labelling, r ...

Score: 5
Isopod avatar
Cryptographically obfuscating IP addresses while preserving locality
fm flag

In an online community, you sometimes have to ban certain IP addresses or even entire IP ranges due to abuse. You may hire moderators to help you with this, but you might not trust them enough to show them everybody’s plain IP address.

The question is: Is there a scheme to encrypt or hash IP addresses in a way that preserves prefixes, i.e. such that you can still do range bans, but cannot easily reco ...

Score: 0
MacGyver avatar
Checking encoded strings for a hash collision in Python
in flag

There is a common term used in cryptography called a hash collision. If I am reading the definition correctly on Wikipedia, this can occur if two different data values give rise to the same hash value.

Duplicate hash, different input:

text1 encoded = hash1 
text2 encoded = hash1

The first code block is a binary value with a hash obtained from the digest() function, which I found on a website. The sect ...

Score: 3
Rory avatar
CRYSTALS-Dilithium - How do the supporting algorithms work?
mp flag

I am studying the Dilithium signature from Ducas et al's CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme.

enter image description here

Wanting to understand how the supporting algorithms work together, I am trying to work out and visualize an example by hand. If I understand correctly we have the HighBits and LowBits algorithms calling the Decompose algorithm. For instance, how the $ HighBits $ algorithm is called ...

Score: 0
user108451 avatar
RSA decryption given C (Cipher Text), e, and d
mx flag

I am given C, e, and d to decode an RSA ciphertext (or would it be SRA given this information?), and I am thoroughly confused. I have tried working backward to n by reversing modulo operators and then brute forcing scalars, but nothing is working, is this even possible? Many thanks in advance.

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.