Latest Crypto-related questions

Score: 2
Marco
Hardness of LWE with Uniform Secrets and Error Distributions

I have seen various papers discussing the security of the Learning with Errors problem with very small uniform secrets and errors but I have not found any papers on the general LWE problem with uniform secrets and errors within (-b,b) range where b < the LWE modulus q but not so small as to be binary or ternary. Is there a costing for the LWE problem for bounded secrets and errors when they are chos ...

Score: 1
nuhhtyy
Recovering the curve-point R from a signature ECDSA

When recovering the public key from ECDSA signature (r, s), the first step is recovering the point R.

You do this by plugging (r + xn) into the curve equation, where n is the order of the basepoint and x is some integer.

My question is: how do you find this x value, say for secp256k1 but also in the general case?

I have a vague notion that this may be related to the cofactor of the curve (usually working w ...

Score: 1
rerouille
Issue with understanding Side Channel Attacks

I am currently working on Side Channel Attacks (SCA) on Kyber and Dilithium. I have found myself quite confused with side channels, because so much is mentioned all the time.

For instance, I don't understand when to use distinguishers, when to use tools like the t-test, when you need to work with key guesses, etc... In the articles I am reading, they sometimes describe the attacks, which I unders ...

Score: 2
IRise
Why are zero sharings used to mask a secret value so that the masked value appears to be a random value?

Some interpretations say "By masking a secret value with a uniformly random zero sharing, the masked value appears to be a random value drawn from a uniform distribution. This randomness helps protect the privacy of the original secret value, as it becomes indistinguishable from other random values. Using zero sharings to mask secret values helps maintain both privacy and correctness in MPC protocols".  ...

Score: 0
Anders Rabo Thorbeck
How to verify that a JWT was in fact generated by the claimed issuer (iss)?

JSON Web Tokens (JWTs) (RFC, introduction) are digitally signed using a secret key (which can be symmetric, but for distributed use cases will typically be asymmetric). The signature forms the third and final part of the JWT, and can be verified from the JWT recipient side using the same secret key (for symmetric signing), or the private key's corresponding public key (for asymmetric signing). This  ...

Score: 0
silent-cartographer
Security implications of leaking d, e, and a ciphertext in an RSA calculation?

I'm learning about RSA, and one of the textbooks I'm studying from talks about the security implications of various parts of an RSA key pair being leaked. It talks about what happens when an attacker knows only n and e, only n and d, etc.

One of the combinations it did not cover was one that I was thinking about: what happens when an attacker knows only d, e, and tries to decrypt a given ciphertext  ...

Score: 2
oddy
Can BGV scheme work with congruent values

Since all evaluation in BGV scheme is on polynomials it seems that it does not really matter if the coefficients of the polynomials are within $q$ range or not. All must be okay for the congruent values.

I have the following questions:

  1. If there are no specific optimizations (e.g. RNS) for BGV, can we work in modulo $Kq$, where $K$ is some arbitrary number? Let us ignore encryption/decryption and focus  ...

Score: 1
alpominth
In CTR block cipher mode of operation, can I reuse the nonce with another key for encrypting another plaintext if using different counters?

Let's suppose I encrypt a plaintext with one key and a nonce in CTR block cipher mode of operation.

Can I reuse the nonce with another key in another plaintext if I start the block counting with different counters than those used in the first plaintext? I mean (for example), encrypt the first plaintext stopping at the counter 999 and start in the next plaintext with the same key and nonce with co ...

Score: 2
Lee Seungwoo
In Learning with errors, what is the relation between the size (or standard deviation) of errors and security?

I want to understand how the hardness of Learning With Errors problem varies as size of the error term changes.

For example, assuming that the other parameters are the same,

  1. LWE with errors sampled from centered binomial distribution of $\{-1, 0, 1\}$
  2. LWE with errors sampled from centered binomial distribution of $\{-2, -1, 0, 1, 2\}$

Which is the more difficult problem, in terms of complexity?

 ...

Score: 0
nitchan
What happened to Rainbow signatures in the NIST standardization process?

The rainbow signature was not seen in round 4 of the NIST PQC standardization process. Was Rainbow not shortlisted?

Score: 1
Sir Muffington
Which cryptographic attack here is feasible on RSA?

I'm new to cryptography, so please don't bash me.

I'm trying to learn to recover an RSA private key. As you can see from my profile I'm a cybersecurity professional, who is only now trying to learn some cryptography.

Let's assume we have 5 messages and public keys derived from the same string message. It is short (the string content and keys), 1024-bit public key and a public exponent of either 5 o ...

Score: 2
user2373145
Deriving secret keys vs generating and encrypting them

Suppose one has a password manager, based on symmetric cryptography, that requires a master passphrase to be unlocked. Argon2 is used for deriving a secret key from the master passphrase.

I need several secret keys to encrypt different components, so I'm faced with a choice:

  1. Output more material using Argon2. For example, if I need four secret keys, tell Argon2 to output $4 \cdot 32 \cdot 8 = 1024$

Score: 2
Siyanew
Crack RSA with $e$ and $d$?

Is it possible to decipher a ciphertext in RSA with small primes (two 128-bit factors) when we only have the ciphertext $c$, the private exponent $d$ and the public exponent $e=65537$? I tried hard on this question but I couldn't find $N$.

First, I wrote code to find the factors of $ed-1$, looked them up on factordb and tried to find $p$ and $q$, but it didn't help at all.

from itertools import chai ...

Score: 0
J. Doe
Is there a block cipher (mode) with a non-symmetric variable which, if it is altered, always produces a different cipher?

The BC should look like this $$BC(m,k,n) = (c,n')$$ $$BC^{-1}(c,k,n') = (m,n)$$ with the additional variable $n$ not symmetric, so in almost all cases: $$n \not= n'$$

$m$... plaintext
$c$... encrypted value of $m$
$k$... key

$n$ would have the same block size as $m,c$
Given now fixed $m,k$, assume we calculate the BC for every possible $n$. Doing this we should also get that many different

Score: 0
Hern
Is my domain separation in stream cipher and MAC accepted?

I would like to implement domain separation in encryption/decryption along with MAC.

The encryption algorithms consist of XChaCha20, XSalsa20 and SM4 (from China), and the MAC algorithms consist of HMAC-SHA512 and Poly1305.

Some proposed the following for domain separation in encryption and decryption.

  1. Have 2 variables, EKey and MKey.
  2. Create 2 new variables, NewEKey and NewMKey.
  3. NewEKey = Blake2B(EKey,MKey) [Key ...

Score: 4
Jeffrey
Secure channel: Is there an assumption in an MPC protocol that the communication between different parties is secure?

Should we consider that in an MPC protocol, the confidential messages communicated between two parties can be eavesdropped on by adversaries? If so, should we build a secure channel for that?

Score: 1
MayDen
Stuck on a cryptanalytical research project

This is not a technical question, but rather it seeks advice on what to do if cryptanalytical research goes wrong.

I've discovered a new attack that works great in theory, but in practice, it fails.

I don't know why. Haven't figured it out yet. Tried really hard. I work on this thing alone. Not sure if I could do this alone right now.

All the arithmetic of the attack works great with normal numbers, bu ...

Score: 2
Fiono
Pedersen commitments equivalence

Is there a zero-knowledge proof that proves that two Pedersen commitments commit the same value?

Score: 0
darkflamehxy
Is it secure to do subfield vector oblivious linear evaluation (VOLE) over a Ring $\mathbb{Z}_{2^k}$?

In the paper "Efficient Pseudorandom Correlation Generators: Silent OT Extension and More" (https://doi.org/10.1007/978-3-030-26954-8), Boyle et al. proposed subfield VOLE.

For standard vector oblivious linear evaluation correlation one has, $\vec{v}+\vec{w}=\vec{u}*x$ ($v_i, w_i, u_i, x \in \mathbb{F}_p$).

And for subfield VOLE correlation, $x \in \mathbb{F}_q$ ($q = p^r$), $v_i, w_i \in \mathbb{F ...

Score: 1
alpominth
Is it safe or reasonable to use the key parameter in a cryptographic hash function as a counter?

Not all cryptographic hash functions have a counter parameter for making messages different for each counter value. But many accept a key parameter.

Is it reasonable to use the key parameter as a counter?

Is it safe?

Score: 1
alpominth
Does an increase of message size increase the number of guesses to find a collision?

If I hash a 256-bit message and generate an output digest of the same size with a cryptographic hash function then the number of guesses to find a collision is expected to be 2^128.

Does increasing the message size also increase the expected number of guesses to find a collision?

If yes, can the hash function internal state have any size or does it always have the same size, regardless of the input? ...

Score: 1
alpominth
How to estimate the collision resistance of a hash function if a secondary key is used (keyed hash function)?

According to the documentation of HighwayHash, finding a collision is expected to take $m \over 2$ guesses, where $m$ is the message.

By contrast, 'strong' hashes such as SipHash or HighwayHash require infeasible attacker effort to find a hash collision (an expected $2^{32}$ guesses of $m$ per the birthday paradox) or recover the seed ($2^{63}$ requests). These security claims assume the seed is secret. I ...

Score: 2
A tensor-based Diffie-Hellman exchange

Below is a description of a "cube" Diffie-Hellman, based on commuting matrix actions on tensor products. Some questions:

  1. References for something similar?
  2. Obvious flaws, is this a terrible idea?
  3. Any other comments?

Definitions

Let $S$ be a finite ring, $n$, $k$, positive integers, and $R=M_k(S)^n$ the $n$-fold product of $k\times k$ matrices over $S$. Let $M$ be the $R$-module $(S^k)^{\otimes n ...

Score: 2
Lee Seungwoo
Why does a 'rounding constant' exist in Round5? (NIST PQC Round 2 algorithm)

I am reading the Round5 paper.

This public key encryption scheme is based on Ring-LWR, but I found it is a little bit different from a typical LWR-based PKE scheme.

In the key generation algorithm of Round5 (Algorithm 1, Line 3 in the paper), they compute

$$ b= \left< \Bigl \lfloor \frac{p}{q}\left(\left< as \right>_{\Phi_{n+1}(x)} +h_1\right) \Bigr\rceil \right>_p$$

where $\left< \cdo ...

Score: 1
Beru
RSA: decipher c when everything except N is known

Is it possible to solve this:

If you have the following information about an RSA encrypted plaintext $m$:

$e = 65537$
$d$, $c$ some very large numbers
$p$ and $q$ are both random 128-bit long prime numbers
$m$ is a string built with 16 random characters of both ASCII letters and digits

If $N$ were known, $m \equiv c^d \mod N$ could be computed; however, I have no clue how I would get either $m$ ...

Score: 1
Jakub Rogacz
Textbook RSA security for fully random message

I am asking this since I can't find a definite answer.

Is it secure if I use textbook RSA, provided all my data is 2048 bits (or any N <= 2048 for a 2048-bit key) and it is random (using SecureRandom in Java, for example)?

Or should I figure out the maximal key length under a padding scheme and use padding anyway?

Score: 1
NIZK Proof of Knowledge of a Standard RSA Signature on a message (without signer participation)

I'm looking for a protocol in which a Prover transforms an RSA signature $\sigma$ on a message $m$ that verifies under a public key $vk$ into a NIZK proof of knowledge $\pi$ of that signature. A verifier should then be able to verify that the prover saw a signature for that message and that the signature would have verified under the public key $vk$.

The protocol has three parties: a signer, a p ...

Score: 0
bd55
RSA: Is there a way to compute phi(n) or N itself if we only know e, d and a ciphertext?

I am trying to solve a problem where the private key exponent d, the ciphertext c, and the public key exponent e (65537) are known. How can I calculate φ(n) or n itself?

An extended version of the problem would be: if we can get many d and ciphers for the same plaintext, where e is always 65537, is there a way to decrypt the cipher?

Score: 1
n-l-i
How to combine the keys in the Triple Diffie-Hellman (3DH) key exchange?

I was reading up on the Triple Diffie-Hellman (3-DH) key exchange and noticed that the Wikipedia description [1] is different from the original protocol definition [2] and the modified definition [3] they reference.

Two users have two key pairs each; $a, A$ and $x, X$ for one user and $b, B$ and $y, Y$ for the other. $H$ is a key derivation function. Is there any difference between the follow ...

Score: 3
What is the modern terminology for a digital signature scheme with a shadow?

In Guillou and Quisquater's 1988 paper "A 'Paradoxical' Identity-Based Signature Scheme Resulting from Zero-Knowledge", they say that an RSA identity has a shadow and go on to state that this property is being standardized:

Let us mention that ISO is standardizing a “digital signature scheme with shadow” (see ISO-DP 9796) in the Working Group JTC1/SC20/WG2 (public-key techniques).

The Guillou-Quis ...
