# Latest Crypto related questions

Score: 1
Is the speed of hash functions a disadvantage when storing hashed passwords in a database?

I know one of the advantages of hash functions is that they are fast. However, I read somewhere (I don't know where exactly) that the speed is a disadvantage for password hashes when storing them in databases, but why is this so ? Would someone explain to me if being fast is a disadvantage for password hashing and why is this so ? (If possible could you also write some links to websites/papers describi ...

Score: 0
Is there a strictly Additive Dynamic Universal Cryptographic Accumulator?

Started reading up on Cryptographic Accumulators recently to incorporate them in a project. Using this survey to understand what features the accumulator needs to offer it seems I am looking for a Dynamic Universal Strong Accumulator that only supports addition. This paper lists reference [23] as having the above characteristics in Table 1, but reading the paper it turns out those accumulators also su ...

Score: 6
Small error in security proof on the paper On the Multi-User Security of Short Schnorr Signatures with Preprocessing

I think I found a small error in the security proof Link end of page 37. It states that

$$\sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q +1)q/2+2}{p - (3q +2)^2 /4}$$.

But shouldn't it be

$$\sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q+1)q/2+2q}{p - (3q +2)^2 /4}$$ ?

I think that the proof still works, since we want to show that you need $$\mathcal{O}(\sqrt{q})$$ queries to succe ...

Score: 3
Time Complexity Of Solving DLog When g and P are known

This (https://en.m.wikipedia.org/wiki/Discrete_logarithm) Wikipedia article confuses me. If you have the equation a = g^n (mod P), and g, P and a are all known, then how does a brute force solving for n algorithm run in exponential time, as this article states. Shouldn't it be linear, or am I reading this article wrong?

Score: 2
How to convert plaintext to element of cyclic group in Cramer-Shoup cryptosystem

I am trying to implement a cramer-shoup cryptosystem but I don't understand how to work with the plaintext I want to encrypt.

From what I understand, the plaintext needs to be converted to an element of the cyclic group G, which was generated with the key. I've checked multiple resources, from the wiki to several papers, and none of them seem to take the time to explain how to convert a plaintext ...

Score: 0
Issues generating keys/cyclic group for Cramer-Shoup Cryptosystem with OpenSSL

I'm trying to implement a Cramer Shoup cryptography system in C but I've run into problems with generating the keys.

From what I have found on the wiki and in other papers, to generate keys for Cramer Shoup you must generate a cyclic group G of order q with generators g1 and g2, then take 5 values between 0 and (q-1) and with that you can easily generate the keys.

I initially tried doing this manual ...

Score: 0
Can two parties with a common secret jointy issue a commitment?

Let's say parties A and B have a common secret $$k$$. Is there a protocol where both the parties jointly release a commitment to $$k$$ so that later on, neither A or B can deny what the common secret was?

Edit: Specifically, I am interested in the scenario where one of the parties can be malicious and we need to prove to a third party C that a commitment $$\Phi$$ is actually that of the common secret $$k$$

Score: 4
Unable to understand notation regarding Shannon's theorem

the following equation is used to prove the Shannon's theorem by showing the existence of two messages $$m_0, m_1$$ if $$|K| < |M|$$ but I'm unable to visualize/understand the probabilities. Especially the $$Pr$$ over $$K$$ thing doesn't get into my head. Anyone able to explain it?

• $$\mathcal{K}$$ is the keyspace
• $$\text{Pr}$$ means probability
• $$m_0$$ and $$m_1$$ are messages from the message space $$M$$
• $$c$$ i ...
Score: 28
Why is FIPS 140-2 compliance controversial?

I was reading the comments of an article about a proposed new implementation of /dev/random in Linux today, and someone remarked that it must be bothersome to go through 43 revisions and still not have your patch landed. A few comments down the line and someone seemingly implies that this new implementation would be FIPS 140-2 compliant, and that this is controversial with "a developer of one famous V ...

Score: 5
ZKP: Prove that >18 while hiding age

I am relatively new to cryptography, but I've been programming for a while. Here's a story that sets well the problem I'm trying to solve:

Alice has a digital passport that's signed with her government's private key. Each property is signed separately, and it would still be verifiable that, for example, her first name is "Alice", without saying that her last name is "Smith".

From here, knowing that  ...

Score: 0
What Is The Maximum Value For N In Discrete Logarithm Problems?

I have some code, which can crack a discrete logarithm problem in ~ O(0.5n) time. However, this only works if, in the following, N is less than P:

G^N (mod P). To be clear, my program can figure out the value of N based on G and P as long as N is in between 1 and P (inclusive and exclusive respectively).

This would be helpful for cracking something like Diffie-Hellman, but I have one question: In mo ...

Score: 1
The relationship between root hermite factor and bit-security?

The root hermite factor corresponding to an bit-security level, such as 1.0045 corresponding to 128-bit security. What is the root hermite factor corresponding to 100-bit, 160-bit, 180-bit security?

root hermite factor: 1.0045 ? ? ? bit-security : 128 100 160 180

Score: 1
how high is the possibility of getting a hash collision in text files?

Just for an example, let's say I downloaded "the adventures of tom sawyer" from gutenberg in .txt file format and saved it to my usb thumb drive.

And as you can see, usb drive is not an ideal device for long term data retention. But if I insist on using it, there's possibility any files in my storage would finally be corrupted after long time without powering it up.

So what I will do now is to save  ...

Score: 3
Are PRNGs Key Derivation Functions?

PRNG is a mechanism to produce randomness from an initial random seed, so basically a way to derive more secrets from one secret.

Looking at the Wikipedia entry for KDF you find

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a main key, a password, or a passphrase.

Which sounds to me like what PRNGS a ...

Score: 0
How is this step being calculated and why is that getting the factors is able to determine private key or universal forgery?

In class I, why (4) implies $$g\equiv 1 \mod q$$

Also even though I get $$p$$ and $$q$$ it still can't get $$ord_n(g)$$ without trying out different possibilities or is there a way to do all forgery?

Score: 0
Modes of operation for public key encryption

Why do we not define modes of operation for public-key encryption just like how they are defined for block ciphers?

Score: 1
Is it safe to store the hash of a plain text?

When encrypting data, I want to verify that the correct key was entered without hashing it. Is it safe to decrypt the ciphertext and compare the hash of it with the stored one or can the plaintext (which could be very long) be read from the hash?

Score: 0
PRG implies OWF Proof

I got the idea of this proof, that since PRG expands from n to 2n, it cannot project to all {0,1}^{2n}, only to a neglible part which we can abuse to make a good distinguisher just by telling if A succeeds finding a preimage in X. A random string from U2n has very likely no preimage in X. Thus we can distinguish U2n from G(Un). But I think I do not understand the construction f well. What's the pur ...

Score: 1
Secure protocols with the dynamic programming solution concept?

Suppose that we have the usual problem of secure communication, where each of the $$I$$ agents have a private signal $$s_1,s_2,\dots,I$$ and they wish to compute any function $$f(s_1,s_1,...,s_I)=(x_1,x_2,...,x_I)$$ in such a way that no party learns more than their input $$s_i$$ and output $$x_i$$.

Although I have seen many cryptographic protocols designed to be secure and in order to solve the problem th ...

Score: 0
How to find iteration exponent in a cycling attack?

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C1 = C49 , C2 = C149, etc. He will find Cj = C for 1,2,5 or 10

I do not understand how they figured out they will have M = Cj-1 in at most 10 steps? They  ...

Score: 3
What are Practical Primitives based on Lattices, LWE and FHE?

Lattice-based cryptography is being used for several primitives and applications.

I know there are newer works for PIR, PSI, ORAM that have seen tremendous improvements due to FHE. In some cases, FHE is the only tool that can be used for practical constructions of these primitives.

My question is which other such primitives have seen improvements (in performance or security)?

Score: 1
THe operation proof part of paper "Why and How zhSNARK works"

I'm reading the paper "Why and How zk-SNARK works" to learn zkSNARK, and I suffered some problem in section 4.4, when prove the ability of single operation.

In this section, it tries to come up with a protocol to verify that the prover have the ability of doing multiplication. It gives two number $$b$$ and $$c$$ and tries to verify the result of multiplication. The prover construct to polynomials $$l(x)$$

Score: 0
How to estimate the parameter of a lattice signature scheme with lossy reduction?

The parameter of a lattice signature scheme DAZ19 with tight reduction can be choosed to make the underlying hardness problem intractable. How to estimate the parameter of a lattice signature scheme ESLL19 with lossy reduction? is there any relation between the reduction and parameter?

Score: 1
Does SSL connection provide integrity?

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

Score: 1
Key Switching Error in CKKS

I believe I am misunderstanding something about the bounds derived for the key switching error in CKKS. I will refer to the initial paper, but similar bounds have been derived in all variants I have looked into.

My particular point of confusion is with $$B_{\mathsf{mult}}(\ell)$$ (on page 12, as part of lemma 3), which is defined to be $$P^{-1}q_\ell B_{\mathsf{ks}}$$, where $$B_{\mathsf{ks}} = O(N\sigma)$$

Score: 0
Does the number of bits in the block nonce influence the security of the blockchain?

I know that Bitcoin uses a 32bit nonce that miners iterate over trying to hit the target number of prefixed 0's in the hash. If they run through all 2^32 combinations they then change something else in the block (either the 32bit extraNonce field, or by adding and removing transactions, changing the timestamp of the block slightly etc.)

I am implementing my own cryptocurrency from scratch and my  ...

Score: 2
How strong if I combine two hash functions, such as MD5(SHA256(input))?

If I try to do MD5(SHA256(input)), what is the strength of this so-called double hashing approach?

Is it as strong as SHA256, or as strong as MD5, or as strong as SHA256 + MD5?

This is not a homework question btw, I am asking because of a real issue in my project. By right, I only need to do SHA256(input) on the input, and store it in a column in one MySQL table. But my practical concern is: SHA256 is o ...

Score: 3
parameter estimating in lattice signature scheme

when reading [BDLOP18], I run the lwe-estimator with the recommended parameters in Table 2 , but the result of hermite factor is 1.007, this result is bigger than the recommended hermite factor 1.0035

Score: 1
In AES-256, what exactly forms the extension field $GF(2^8)$?

My question is a little difficult to describe, so let me first start with an analogy

In an elliptic curve over a finite field, there are 2 groups - the first group is a finite field over which the elliptic curve is defined. The 2nd group is the group which is formed by all the points of the elliptic curve. These are the 2 different groups.

My actual question:

In AES256 we use a polynomial to represen ...

Score: 2
*-LWE equivalent of Diffie-Hellman $g^{x^2}$ vulnerability

In Is Diffie-Hellman less secure when A and B select the same random number? , the possibility of Diffie-Hellman key exchange producing identical peer keys and the vulnerability of it against passive attackes was brought up, again - as a duplicate.

But is there a equivalent in *-LWE family of lattice-based key exchanges? My question being, without considering CCA-hardening such as Fujisaki-Okamoto t ...

### The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.