Latest Crypto related questions

Score: 3
How big of a threat are *diffusion model* based AIs to cryptographic systems?

The diffusion model, which is used by products like Midjourney and Dall-E, trains AI systems to de-noise (remove added randomness) from data to infer what the original de-noised data is. That would seem to have direct applications to cryptanalysis. As such, I wonder what views security folks have on the following:

  1. Is it feasible that such systems, which are trained on the input-output tuples of sp ...

Score: 1
Sir Muffington
The state of Shamir's Secret Sharing in 2023

Shamir's Secret Sharing GPL implementation called ssss got removed from Tails OS years back.

  • Is Shamir's secret sharing still secure nowadays? Why was it removed from Tails OS?
  • Is it true that the technical limit is a maximum of 128 characters?

Score: 1
Sir Muffington
Why don't basically all "clusters" and similar distributed systems use Shamir's secret sharing method?

When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters, Shamir's Secret Sharing would be an ideal solution, I think:

  • The secret is never in one spot
  • The secret can be encrypted "on top"
  • You can place the parts of the secrets on multiple servers with good redundancy
  • No one server has all the credentials and you need the network connection

Score: 1
tend0pain
How are elliptic curves designed for encryption purposes?

Why can't we use any random elliptic curve? What are the properties that need to be satisfied?

Score: 0
884d88baaa
Practical feasibility of proving a plaintext hash relationship with a zk-SNARK

I am interested in the practicality of using generic SNARK techniques to prove the following relation.

Let E and E' be two ElGamal ciphertexts. They have the form E = (E1, E2) = (g^r, M*PK^r) and E' = (E1', E2') = (g^r', M'*PK^r').

There is also a hash function H.

All of these are public: E, E', PK, H.

I want to prove that M' = H(M). I do not hold the secret key associated with the public key PK, but I ...

Score: 2
fadedbee
Does using only one sign of secp256k1 public keys weaken security?

As far as I understand, compressed public keys of secp256k1 can represent points either above or below the X axis, depending on whether they begin 0x02 or 0x03.

Am I correct in thinking that if you know a secret key for a public key beginning 0x02 you can trivially find the secret key for the identical public key, but beginning 0x03?

If so, is there any security loss in using only keys beginning 0x0 ...

Score: 1
Jim Haddocc
Non-Gaussian distribution in continuous learning with errors

The CLWE problem (and related) talks about the hardness of finding the secret key $\vec{s}$, given polynomially many samples $(\vec{a},t)$, where $\vec{a}$ is sampled from the normal distribution, and $t=\gamma \vec{a}\cdot\vec{s}+e \pmod{1}$, where $e$ is also sampled from the normal distribution.

Is the distribution of $\vec{a}$ key to the hardness of CLWE? For example, what if I chose $\vec{a}$ ...

Score: 0
B.W.
How to get the equation from three given points (with doubling) on a twisted Edwards curve over a finite field?

I am given three points $P$, $Q$, $R$ on a Twisted Edwards Curve over the prime finite field $\mathbb{Z}_p$: $$ ax^2 + by^2 = dx^2y^2 + 1 $$ I know that point $Q$ is the doubling of point $P$ and $R$ is the doubling of $Q$. But I don't know the curve's coefficients $a$, $b$, $d$ or $p$.

How can I recover the coefficients of the curve and $p$ from these three points ...

Score: 0
Turbo
Higher least significant bits with larger multiple of 2 order

If the order of the cyclic group in which the discrete logarithm is done is $2q$, where $q$ is a prime such that $2q+1$ is a prime, then using square root identification we can get the lsb.

How about if the order is $2^rq$ where $r\in\mathbb Z_{\geq1}$, can we extract the least significant $r$ bits in polynomial time? If so, then what is the procedure?

Score: -1
Gaurav Mall
What's the best encryption algorithm for storing files on a server?

I'm making a cloud-based service. So, basically, my users will be able to upload files (any type of files) and they will be uploaded to a server. I am aware that I have two options:

  • Upload the files first and let the back-end handle the encryption
  • Encrypt the files first and upload them to the back-end

I want to use the second one. I think the first one is the more standard and better method. But  ...

Score: 1
vfenux
Integer factorization $n = pq$ with additional knowledge of $\lfloor \sqrt{p} \rfloor \oplus \lfloor \sqrt{q}\rfloor$

We know that we can factor the integer $n = pq$ when we know $p\oplus q$, where $\oplus$ means xor. If we know $\lfloor \sqrt{p} \rfloor \oplus \lfloor \sqrt{q}\rfloor$, can we factor $n$?

Score: 0
Ahamed Fayaz.
Encrypted Alert 21 - Error code 214

I am working on TLS 1.2 with cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. After sending the application data, the server throws an error message: Encryption alert (21).

I have listed the parameters shared by the server below.

Decryption key: ab98fbfabe869b008697b9f62b8f59ee7a3165db6a0fdc37e2bac41d73995889
nonce: f53672195e441268b2fedf5d       (hex)
adata: 00000000000000011503030002     (hex)
cipher text: 7a6d     ...

Score: 0
Sprax
How to break a Random Substitution Cipher that changes key every 16 characters?

A Monoalphabetic Random Substitution Cipher is pretty hard to crack compared to a Caesar Cipher, especially through brute force, but using frequency analysis, provided there is enough cipher text, it is easy.

But what if the key for the substitution changes, let's say every 16 characters? Then there wouldn't be enough cipher text for frequency analysis. So what should be done to crack such a cipher?

Steps of encryption

Score: 1
LilLee
Finding Inverse Modulo

I'm working on a challenge like this:

def weird_func(FLAG):
    # a, b and n are constants of the challenge that are not given
    enc_flag = [(a + b*i) % n for i in FLAG]
    return bytes(enc_flag).hex()

Although I know the FLAG prefix which is flag{, without knowing a,b and n, I find it hard to calculate the whole FLAG. Only enc_flag is given in hex. I tried to brute-force but it seems like n is too large, or maybe I'm wrong. Can anyone help me step-by-step wit ...

Score: 1
Kote Isaev
Newbie question about AES-GCM and IV

Imagine a channel where the initial secret for deriving the actual key is established with ECDH.

First, that shared secret is used to derive a temporary key with some default parameters (salt, iterations) embedded into the software.

Then this channel is used to exchange random parameters specific to each direction (Alice sends to Bob parameters Bob must use to derive the key Bob must use to encry ...

Score: 1
Where & how is the 2nd group used in the KZG Commitment Scheme in case the 2 groups are not the same?

This is about the KZG Polynomial Commitment Scheme

In Section 2, it's written

We use the notation $e : \mathbb G \times \mathbb G \mapsto \mathbb G_T$ to denote a symmetric (type 1) bilinear pairing. The choice of type 1 pairings was made to simplify presentation; however, our constructions can easily be modified to work with pairings of types 2 and 3 as well.

The above uses only one Elliptic Curve Gr ...

Score: 2
Melab
Does RFC 6979 unconditionally prevent nonce-reuse attacks?

Is RFC 6979 guaranteed to prevent the reuse of nonces for different signed hashes?

Score: 1
Echo
How strong should my password manager's master password be?

I use an offline password manager. I want to use a future-proof, very strong master password, and I'm going to choose one of these options from the EFF's large wordlist: a randomly chosen 8-word passphrase (104 bits), or a 10-word one (128 bits), or I can even use a 12-word generated passphrase... Which one should I choose?

For password-based key derivation I'm using 5 seconds delay using Argon2id with  ...

Score: 1
Cristie
Alternative definition of secret sharing using entropy

I am reading the paper "Secret-Sharing schemes: A survey" by Amos Beimel. Here there are two definitions of secret sharing. The first one states: A distribution scheme $\langle \Pi,\mu \rangle$ with domain of secrets $S$ is a secret-sharing scheme realizing an access structure $\mathscr{A}$ if the following holds:

  • Correctness: the secret $s$ can be reconstructed by any authorized set of parties. T ...

Score: 0
Turbo
On a problem assuming a Diffie-Hellman oracle

If we have a Diffie-Hellman oracle then given $g^x$ and $g^y$ we can construct $g^{xy}$.

Can we construct $g^{x^{-1}}$ given $g^x$?

Score: 0
Imanity
RSA with p and q being generated by a pow expression of a weak random seed

n, e and the modulus of RSA are given, and n is very large. p and q are primes generated by pow(7, random_seed, modulus), and the seeds that p and q used are very close. How can I get p and q, or is there any other way to decrypt this RSA?

Score: 0
Sir Muffington
How to get the rest of the 10 bytes (from a total 32-byte plaintext) of plaintext from a 48-byte ciphertext using AES-128 when knowing 22 B of plaintext?

I have a challenge in which I need to decrypt 32(?) bytes of plaintext, which by encryption resulted in 48 (this for sure) bytes of data.

It's a black box challenge, but I managed to figure out the above and below.

According to this https://security.stackexchange.com/questions/207633/decrypting-aes-128-cbc-leads-to-first-block-being-correct-the-rest-corrupt?rq=1 my IV is wrong, even though I extract ...

Score: 0
shaiko
Key expansion in AES CTR mode

While working with AES-256 in CBC mode, I learned that it requires key expansion: forward (for encryption) and reverse (for decryption). Does AES CTR mode also require such a step? Or can the 256-bit key be used as is?

Score: 0
vince.h
Transferring PIR to Symmetric PIR

Common PIR schemes only protect the client's privacy, not the server's, while Symmetric PIR (SPIR) can do both.

In many papers, it is mentioned that we can use the Naor and Pinkas method (https://dl.acm.org/doi/pdf/10.1145/301250.301312) to turn a PIR scheme into an SPIR one; however, when implementing this, I found this method is only useful for one query:

In Protocol 2.1, A uses oblivious transfer to pick l  ...

Score: 0
Monem Ahmed
Finding out a corrupted S-box value in a DES implementation?

I am using DES encryption when writing a file in an embedded device. When I decrypt the file, I get a partially corrupted file. Kind of randomly, some 8-byte blocks are corrupted and some are not. When I regenerate the file, it shows the same corruption. But if I reset the device, the file is okay.

My DES encryption function resides in RAM. I am suspecting that somehow the DES encryption function get ...

Score: 2
O. Nawwar
NIST random number tests report

I am using the NIST test suite to test random binary numbers. When I tried it for data.pi, the generated report has some items that cannot be interpreted, for example the coefficients named C0~C10. I am using 20 bit streams. My question is: how do these coefficients relate to the 20 streams, and what do they represent?

Score: 2
O. Nawwar
NIST random number generators ASCII input file format problem

I have temporal data from an experiment and, by setting a threshold, I convert them to zeros and ones. I saved these binary bits to a txt file (a normal txt file from MATLAB) with each line having 32 bits (the total number of bits is a little over 20 million).

When running the NIST test suite, I use ./assess 500000 with 40 bit streams. It keeps giving me an error of igamc: underflow. I also tried ./assess 1000000 with 20  ...

Score: 0
Sir Muffington
Some questions about AES-128 key wrapping using RFC 3394

It's that time of the year - I'm trying to learn how AES-128-CBC encryption works. My key is (since it's AES-128) 16 bytes, and my IV is 16 bytes as well. My implementation of key wrapping apparently does not help me much to comprehend the concepts behind it, and neither does reading the RFC. Hence I turn to this great community for answers.

I found out the following:

  • If I encrypt (using the methods and ...

Score: 0
Safe implicit value validation: $H_k(k \oplus m) \sim H_k(m)$?

$H_k$ is a cryptographic hash function that's keyed using a section of key material $k$ (for whatever definition of "keyed" that's appropriate for the given hash function $H$).

  1. Are the following two methods roughly equivalent ways of authenticating that the section of key material $k$ is associated with the section of message material $m$?

$$H_k(k \oplus m) \tag{a}$$ $$H_k(m) \tag{b}$$

  2. Is there anythin ...

Score: 1
Kelvin Li
How to uncover keys from using double encryption schemes such as Hill and Vernam Cipher

I have a quick question. How would you decrypt an encryption scheme involving both the Hill and Vernam Cipher? The order of encryption is Hill Cipher, then Vernam Cipher. The problem is that only the final cipher text and the original plain text are intercepted. Without the cipher text derived from the Hill Cipher, I can't think of any way to decrypt it, or did I miss something crucial here?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.