Latest Crypto related questions

The diffusion model, which is used by products like Midjourney and Dall-E, trains AI systems to de-noise (remove added randomness) from data to infer what the original de-noised data is. That would seem to have direct applications to cryptanalysis. As such, I wonder what views security folks have on the following:

1. Is it feasible that such systems, which are trained on the input-output tuples of sp ...

Shamir's Secret Sharing GPL implementation called ssss got removed from Tails OS years back.

• Is Shamir's secret sharing still secure nowadays? Why was it removed from Tails OS?
• Is it true that the technical limit is a maximum of 128 characters?

When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters Shamir's Secret Sharing would be an ideal solution I think:

• The secret is never in one spot
• The secret can be encrypted "on top"
• You can place the parts of the secrets on multiple servers with good redundancy
• No one server has all the credentials and you need the network connection

Why can't we use any random elliptic curve? What are the properties that need to be satisfied?

I am interested in the practicality of using generic SNARK techniques to prove the following relation.

Let E and E' be two ElGamal ciphertexts. They have the form E = (E1, E2) = (g^r, M*PK^r) and E' = (E1', E2') = (g^r', M'*PK^r').

There is also a hash function H.

All of these are public: E, E', PK, H.

I want to prove that M' = H(M). I do not hold the secret key associated with the public key PK, but I ...

As far as I understand, compressed public keys of secp256k1 can represent points either above or below the X axis, depending on whether they begin 0x02 or 0x03.

Am I correct in thinking that if you know a secret key for a public key beginning 0x02 you can trivially find the secret key for the identical public key, but beginning 0x03?

If so, is there any security loss in using only keys beginning 0x0 ...

The CLWE problem (and related) talks about the hardness of finding the secret key $\vec{s}$, given polynomially many samples $(\vec{a},t)$, where $\vec{a}$ is sampled from the normal distribution, and $t=\gamma \vec{a}\cdot\vec{s}+e \pmod{1}$, where $e$ is also sampled from the normal distribution.

Is the distribution of $\vec{a}$ key to the hardness of CLWE? For example, what if I chose $\vec{a}$ ...

I have given three points $ P $, $ Q $, $ R $ on Twisted Edwards Curve over prime finite field $ \mathbb{Z}_p $. $$ ax^2 + by^2 = dx^2y^2 + 1 $$ I know about given points that point $ Q $ is doubling of point $ P $ and $ R $ is doubling of $ Q $. But I don't know the coefficient of curve's formula $ a $, $ b $, $ d $ and $ p $

How can I recover the coefficient of curve and $ p $ from these three points ...

If order of the cyclic group on which discrete logarithm is done is $2q$ where $q$ is a prime such that $2q+1$ is a prime, then using square root identification we can get the lsb.

How about if the order is $2^rq$ where $r\in\mathbb Z_{\geq1}$, can we extract the least significant $r$ bits in polynomial time? If so, then what is the procedure?

I'm making a cloud-based service. So, basically, my users will be able to upload files (any type of files) and they will be uploaded to a server. I am aware that I have two options:

• Upload the files first and let the back-end handle the encryption
• Encrypt the files first and upload then to the back-end

I want to use the second one. I think the first one is the more standard and better method. But  ...

We know that we can factor integer $n = pq$ when we know that $p\oplus q$, where $\oplus$ means xor. If we know $\lfloor \sqrt{p} \rfloor \oplus \lfloor \sqrt{q}\rfloor$, can we factor $n$?

I am working on TLS 1.2 Cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, After send the application data server throws an error message Encryption alert (21).

I have mentioned the parameter shard by the server given below.

Decryption key: ab98fbfabe869b008697b9f62b8f59ee7a3165db6a0fdc37e2bac41d73995889
nonce: f53672195e441268b2fedf5d       (hex)
adata: 00000000000000011503030002     (hex)
cipher text: 7a6d     ...

Monoalphabhatic Random Subsitution Cipher is pretty hard to crack compared to Ceasar Cipher especially through brute force but using frequency analysis, provided enough cipher text is easy.

But what if key for the subsitution changes lets say every 16 characters. Then there wouldn't be enough cipher text for frequency analysis. So what should be done to crack such cipher?

Steps of encryption

I'm working on a challenge like this:

def weird_func(FLAG)
    enc_flag = [(a + b*i) % n for i in FLAG]
    return bytes(enc_flag).hex()

Although I know the FLAG prefix which is flag{, without knowing a,b and n, I find it hard to calculate the whole FLAG. Only enc_flag is given in hex. I tried to brute-force but it seems like n is too large, or maybe I'm wrong. Can anyone help me step-by-step wit ...

Imagine a channel where the initial secret for deriving of the actual key is established with ECDH.

First, that shared secret is used to derive a temporary key with some default parameters (salt, iterations) embedded into the software.

Then this channel is used to exchange random parameters specific to each direction (Alice sends to Bob parameters Bob must use to derive the key Bob must use to encry ...

This is about the KZG Polynomial Commitment Scheme

In Section 2, it's written

We use the notation $e : \mathbb G \times \mathbb G \mapsto \mathbb G_T$ to denote a symmetric (type 1) bilinear pairing.The choice of type 1 pairings was made to simplify presentation, however, our constructions can easily be modified to work with pairings of types 2 and 3 as well.

The above uses only one Elliptic Curve Gr ...

Is RFC 6979 guaranteed to prevent the reuse of nonces for different signed hashes?

I use an offline password manager, I want to use a future proof very strong master password and I'm going to choose one of these options from the EFF's large wordlist, a randomly chosen 8 word passphrase (104 bits), or a 10 word (128 bits) or I can even use a 12 word generated passphrase... Which one should I choose?

For password-based key derivation I'm using 5 seconds delay using Argon2id with  ...

I ame reading the paper "Secret-Sharing schemes: A survey" by Amos Beimel. Here there are two definitions of secret sharing. The first one states:\ A distribution scheme $\langle \Pi,\mu \rangle$ with domain of secrets $S$ is a secret-sharing scheme realizing an access structure $\mathscr{A}$ if the following holds:

• Correctness: the secret $s$ can be reconstructed by any authorized set of parties. T ...

If we have a Diffie-Hellman oracle then given $g^x$ and $g^y$ we can construct $g^{xy}$.

Can we construct $g^{x^{-1}}$ given $g^x$?

n, e and modulus of RSA are given and n is very large. p and q are primes generated by pow(7, random_seed, modulus), and the seed that p and q used is very close. How can I get p and q, or is there any other way to decrypt this RSA?

I have a challenge in which I need to decrypt 32(?) bytes of plaintext, which by encryption resulted in 48 (this for sure) bytes of data.

It's a black box challenge, but managed to figure out the above and below.

According to this https://security.stackexchange.com/questions/207633/decrypting-aes-128-cbc-leads-to-first-block-being-correct-the-rest-corrupt?rq=1 my IV is wrong, even though I extract ...

While working with AES 256 in CBC mode, I learned that it requires Key Expansion - forward (for encryption) and reverse (for decryption). Does AES CTR mode also requires such a step ? Or can the 256 bit key be used as is ?

Common PIR schemes only protect the client's privacy, not the server's, while Symmetric PIR(SPIR) can do both.

In many papers, it is mentioned that we can use the Naor and Pinkas method (https://dl.acm.org/doi/pdf/10.1145/301250.301312) to turn a PIR scheme into SPIR one, however when implementing this, I found this method is only useful for one query:

In Protocol 2.1, A use oblivious transfer to pick l  ...

I am using DES encryption when writing a file in an embedded device. When I decrypt the file. I get a partially corrupted file. Kind of randomly some 8-byte blocks are corrupted. Some are not. When I regenerate the file, It shows the same corruption. But If I reset the device, the file is okay.

My DES encryption function resides in RAM. I am suspecting that somehow the DES encryption function get ...

I am using the NIST test suite to test random binary numbers. when I tried it for data.pi, the generated report has some items that can not be interpreted. for example, the coeffecients named C0~C10. I am using 20 bit streams. My question is how do these coefficients relate to the 20 streams? and what do they represent

I have temporal data from experiment and by setting a threshold, I convert them to zeros and ones. I saved these binary bits to txt file (normal txt file from MATLAB) with each line has 32 bits (total number of bits is a little over 20 million).

When running the NIST test suite, I use ./assess 500000 with 40 bit streams. It keeps give me an error of igamc: underflow. Also tried ./assess 1000000 with 20  ...

It's that time of the year - I'm trying to learn how AES-128-CBC encryption works. My key is (since it's AES-128) is 16 bytes, my IV is 16 bytes as well. My implementation of key wrapping does apparently does not help me much to comprehend the concepts behind and neither does reading the RFC. Hence I turn for answers to this great community.

I found out the following:

• If I encrypt (using the methods and ...

$H_k$ is a cryptographic hash function that's keyed using a section of key material $k$ (for whatever definition of "keyed" that's appropriate for the given hash function $H$).

1. Are the following two methods roughly equivalent ways of authenticating that the section of key material $k$ is associated with the section of message material $m$?

$$H_k(k \oplus m) \tag{a}$$ $$H_k(m) \tag{b}$$

2. Is there anythin ...

I have a quick question. How would you decrypt an encryption scheme, involving both Hill and Vernam Cipher. The order of encryption is Hill Cipher then Vernam Cipher. Problem is that only final cipher text and the original plain text is intercepted. Without the cipher text derived from the Hill Cipher, I can't think of any idea of decrypt it or did I miss something crucial here.