Latest Crypto related questions

Score: 1
Walker avatar
Which Rust library is recommended if I would like to implement PLONK?
cy flag

I think it should have APIs for polynomials, FFT and bilinear mapping if KZG commitment scheme is used.

Score: 1
Judge Rhadamanthus avatar
Does CCA security imply perfect secrecy?
sc flag

Can any encryption scheme that is CCA (Chosen Ciphertext Attack) secure be considered to achieve perfect secrecy?

Score: 0
js wang avatar
About learning with error rings with only constant coefficient
cn flag

I am new to RLWE, would like to ask whether what I am thinking make sense
Suppose I have a message e.g.: x=5
And I have a lattice based encryption scheme, e.g.: BGV
could I encrypt x with BGV by treating x as a polynomial ring with constant coefficient=5, and other coefficient =0?

Score: 0
Turbo avatar
PKC (non Diffie-Hellman) from Graph Isomorphism
ru flag

A Diffie Hellman style approach is proposed in but is broken easily.

Two graphs are isomorphic iff there adjacency matrices can be permuted to each other. GI has only quasipolynomial algorithms.

I wonder if there is a toy scheme (I know GI is not known to be average case secure) to illustrate with PK and SK ...

Score: -2
Turbo avatar
What is the critical importance of SHA and other hash families?
ru flag

Assume integer factoring, discrete log are classical safe and LWE, McEliece etc are quantum safe. This question is only about SHA and hash families in general on why we need them if we have pkc primitives.

  1. What role does SHA256 or other hash families play? Why are they needed when we have LWE, McEliece etc?

  2. What happens if only SHA2 family including SHA256 is broken? Will we still have online finance ...

Score: 0
user1936752 avatar
Does quantum-sourced randomness allow a potential random oracle instantiation?
fr flag

My question is essentially the same as this one.

The random oracle is a black box that does two things.

  1. Maintain a lookup table for any query that has already been asked.
  2. For all new queries, toss a bunch of coins to obtain a sufficiently long uniformly random bitstring.

As far as I can tell, 1. sounds straightforward. For 2., why not use randomness from a quantum measurement outcome to achieve the coi ...

Score: 0
tesoke avatar
Verification in Bulletproof commitment scheme
hu flag

I am reviewing the ZKP course, represented by the university of Berkley ( In pages 44 of lecture 6 that is attached below (, the instructor explains the Poly-commitment based on Bulletproofs scheme.

I am a little confused that why the verifier compute com', g', and v' when it just checks v=v_L+v_R u^(d/2). Does the verifer need com' and ...

Score: 0
KRWTS avatar
Utility Guarantee of Small Data Base Mechanism in Differential Privacy
vi flag

I am reading Section 4.1 (An offline algorithm: SmallDB) of The Algorithmic Foundations of Differential Privacy by Dwork and Roth. I am stuck at the proof of Proposition 4.4, which is about the utility guarantee of the small database mechanism (Algorithm 4 in page 70).

Proposition 4.4. Let $\mathcal{Q}$ be any class of linear queries. Let $y$ be the database output by SmallDB($x,\mathcal{Q},\epsilon,\ ...

Score: 0
morro avatar
Ephemeral anonymous identities that can be slashed once forever with a single nullifier
au flag

Consider a ZKP anonymous credential scheme where each tuple of (x, identity_secret, merkle_root) corresponds to a unique nullifier computed as Hash(x|identity_secret). The prover can use this tuple repeatedly along with proving other statements.

x is designated on a per-session/app basis. And for a specific triple, a user can be blacklisted with the nullifier, and can not generate any new proofs w ...

Score: 0
LUN avatar
How I can force the openssl "s_client" utility to generate predefined random bytes in it's ClientHello?
kw flag

I'm testing my server application (TLS 1.3) using s_client program from the openssl library and I need to force the s_client generating my "random" values in it's ClientHello. Could you tell me, how can I do it using command line options - where I should point my random sequence to be generated ?

Score: 1
WINTERSDORFF Raphael avatar
Are modes like CBC, OFB, CFB subject to chosen plaintext attacks?
nr flag

I haven't found much info on the internet about the weakness of modes to chosen plaintext attacks, but from what I understand of them, there seem to be some trivial attacks, so I'm a bit confused. For example, let's encrypt 2 blocks of plaintext with value 0 with CBC:



But then we have a double encryption of IV, which should be subject to a Meet in the Middle  ...

Score: 0
Turbo avatar
Is $0/1$ error ok in LWE?
ru flag

Can the error in LWE or ringLWE schemes be from $\{0,1\}$? If not why and what is the best attack in this case?

Score: 0
Mohammadsadeq Borjiyan avatar
AES S-Box design goal
at flag

First layer of each AES round is the Byte Substitution layer. It is the only nonlinear element of AES. What would happen if this layer was not in the path? And the lack of it would create a problem in the design goals?

Score: 2
Ngo Chú avatar
Good entropy from entropy test (90B) but still fail NIST800-22
sa flag

I designed my TRNG with FPGA. My TRNG has a good entropy performance with a value of 0.99x over several test times. But for the NIST800-22, during several run times, sometimes my sequence passes all the tests, and sometimes it fails one or two tests. (my sequence length is 100.000.000 with the number of run-time for each test is 100). I check the failed sequence result, mostly my sequence failed at Nono ...

Score: 1
Turbo avatar
Challenges like RSA factoring challenge
ru flag

RSA factoring challenge is a famous one and is still not completely solved.

Are there similar challenges for

  1. Discrete log over $\mathbb Z_p^*$?
  2. Discrete log over Elliptic curves?
  3. LWE?
  4. LPN?
Score: 1
faust avatar
How does big Galois groups yield better security in NTRU Prime?
tc flag

I'm still kinda new to Galois theory so I apologize if this question is very obvious to some people.

Basically I'm reading this paper by the NTRU Prime team and in section 2.5 it's explaining how cyclotomic fields should be replaced with prime degree fields with "big Galois group", namely because how structures within cyclotomic fields (e.g. subfields and automorphism) can potentially lead to an a ...

Score: 0
Hern avatar
Academic papers for the pros and cons of password based system and digital signature with challenge and response system
is flag

I don't really know what should be the correct title for this and the community can correct it after reading.

I was the author of PKDSA (Searchable on github).

I have the idea to do it because I feel like shifting from a password based scheme to challenge and respond with digital signature as much as possible might be good in the long run.

I would like to ask for help from the community in providing un ...

Score: 0
bhuff36 avatar
is it safe to reuse the public key in NTRUEncrypt?
sz flag

Looking at, there are some functions that deal with having multiple public keys with the same private key. I don't believe I need such functionality but it makes me suspect that it might be required. Basically, I want to know if it is OK to reuse the same keypair in NTRUEncrypt for a number of different key exchange operations.

Score: 1
d186 avatar
getting wrong rsa private exponent (d) for this particular test vector from nist cavp
sj flag


n = bb5784794f27bfab90a19bcc20bb10ac3d1d432d90651dace6235e34560abd733a0c3b693ea3802707c0e22e81603a6e2b82812a0027ece2d974a5a5190df89d636f7ab200849065fe412fe85e41aceb0d68b10cdd07e42ea16184c974f58c10c560aa444f64b41e932ab25355648b510b1feedca780cfb68f11ac9fc98ab15b

p = bda227ead8dc178121176abe07d036b3615a14e2badf195deba2082bf086c5eef4d40dc3ae3b57827359e90564fe4b ...
Score: 1
joemelsha avatar
State recovery algorithm for Xorshift128 given modular outputs
cn flag

I am researching the Xorshift128 PRNG. I am particularly interested in recovering the state given a set of outputs that have the remainder taken with different values.

A common way to take a unsigned 32-bit output from Xorshift128 and produce a value that ranges from 0<=n<50 is to take the remainder of the output and 50.

Say I have been given 25 consecutive outputs which have modulos in the ra ...

Score: 1
Kevin Stefanov avatar
Rabin-Miller Primality Test - Elaboration needed
pa flag

In short, my question is:

What exactly do people mean when they say that "The more you apply the Rabin-Miller test to a number, the more certain you can be that the number you're testing is prime."?

To clarify what I'm asking, let's look at an example I was working through:

Testing if N = 78007 is prime or not (spoiler, it is).

Rabin-Miller procedure:

  1. Find N - 1 = 2K * M

In this case, 78007 - 1 = 2 ...

Score: 0
RikiD avatar
DES encryption Key from a passphrase
bv flag

I have been given a DES encryption assignment. I was given the Cipher text, the Plain text and the "passphrase". The passphrase consist of a 4 byte hex string. I have studied several different tutorials on you-tube about the workings of DES but I still can't seem to be able to figure out the key. I have tried to add nulls between each character to create a 64 bit key and I have reversed the characte ...

Score: 10
Paul Uszak avatar
Are one time pads still used, perhaps for military or diplomatic purposes?
cn flag

The ME-600 key generator was developed in the early 1990s for generating truly random one time key streams. That's not exactly World War 1 or 2. I don't know how long it was used, or whether it still is.

Now with quantum computing on the horizon, people are looking at post-quantum cryptography. We also don't yet know the cryptographic dangers of artificial intelligence. (See "Silicon Valley" comedy

Score: 1
kodlu avatar
Impact of New Secret Sharing Paper with $O(n)$ additions for recovery
sa flag

I hope this question is not too speculative.

Applebaum, Nir and Pinkas have a new paper which has an $n-$party secret sharing scheme with:

  • reconstruction complexity of $O(n)$ additions
  • constant share size
  • sharing complexity of $O(n)$ additions
  • is a blackbox secret sharing scheme

The shamir scheme has complexity $n \log |F|$ where $F$ is the domain of the private key which is the exponent of some group ...

Score: 0
How can I have a message signed by other shares of a private key without revealing it?
nl flag

I am looking for guidance on implementing a protocol where a BLS private key is split into 2 out of 3 shares using Shamir's Secret Sharing, and signatures must be obtained without revealing the original message to the other parties.

Here's my current approach:

Alice has a BLS private key. She splits this private key into 3 shares, $s_a$, $s_b$, and $s_c$, using Shamir's Secret Sharing. Alice then send ...

Score: 0
Z123 avatar
Why is the Montgomery ladder algorithm safe against timing side-channel attacks?
kz flag

I'm trying to understand the security of the Montgomery ladder algorithm in the context of timing side-channel attacks. I'm looking at the algorithm from wikipedia

While I know that the algorithm ensures a constant number of operations in each branch of the if statement, I'm unsure about its overall safety. The Montgomery ladder iterates over all bits of a secret scalar, which makes me question i ...

Score: 1
Gregory Khvatsky avatar
Are RSA-KEM key exchange material cyphertexts indistinguishable from random noise?
ng flag

First of all, I know that I should not be using RSA in 2023, and that I'm better off with Elligator2 + ECIES for a variety of reasons.

However, I am thinking about whether RSA-KEM can be used for PURB-like constructions with long lived public keys. For it to be viable, the RSA ciphertexts should not be distinguishable from random noise. I think that it can be formulated like this: given 2 sets of ...

Score: 0
user1035648 avatar
Can homomorphic property of a commitment scheme be harmful?
pt flag

Homomorphic properties turn out to be very useful, e.g., for achieving secure multiparty computation.
As a concrete example, homomorphic commitments can be used as a building block for secure election schemes: very roughly, during the voting stage, voters put their votes into homomorphic commitments, and during the tallying stage, the votes are counted in a verifiable manner by taking the product o ...

Score: 0
Juan avatar
Are asymmetric encryption and decryption same function?
tl flag

In asymmetric key encryption, we have 2 functions, encrypt(m,k) and decrypt(m,k), and 2 keys, public_key and private_key.

And it must hold true that decrypt(encrypt(msg, public_key), private_key)) = msg.

Question 1: Are the encrypt(m,k) and decrypt(m,k) functions different, or are they the same function?

Question 2: Must it also hold true that encrypt(decrypt(msg, private_key), public_key)) = msg?

Score: 1
user1035648 avatar
Hiding and binding property of Goldwasser-Micali like bit commitment scheme
pt flag

Let $N=pq$ be an RSA modulus, that is, $p$ and $q$ are large, distinct primes.
Let $J_{N}=\{y\in\mathbb{Z}^{*}_{N}:(\frac{y}{N})_{J}=1\}$ denote the set of all integers in $\mathbb{Z}^{*}_{N}$ with Jacobi symbol $1$.
The Quadratic Residuosity (QR) problem is to decide whether a given $y\in J_{N}$ is a quadratic residue modulo $N$ or not, that is, whether $y\in QR_{N}$, where $QR_{N}=\{y\in\mathbb{Z}^{* ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.