Latest Crypto related questions

I implemented the Pohlig-Hellman algorithm for the general case following Wikipedia but it only seem to work for prime powers (which is what the limited case is meant to solve).

My implementation follows wikipedia exactly: https://gist.github.com/nickponline/2ef6f3456ed6c423239a334c98728324

Some examples where it fails to find a solution are:

39^x = 49 (mod 74) x = 28
19^x = 423 (mod 478) x = 275
71^x ...

I want to compute the multiplicative inverse of 0x2 over $GF(2^{233})$ in hardware.

To do so, I compute $a^{-1} = (a^{2^{m-1}-1})^{2}$. Here's the result of that computation: 0x10000000000000000000000000000000000000002000000000000000000 (where the left-most 1 is bit index 233, not 232).

I verify that I get 1 by multiplying it with the initial number using a binary Karatsuba multiplier.

I'm also able t ...

I want to prove that for every pseudorandom function $F: \{0, 1\}^n \times \{0, 1\}^n \rightarrow \{0, 1\}^n$ and for every polynomial $p$ such that $p(n) > 1$ for every $n$ it is possible to construct, starting from $F$, a pseudorandom generator $G$ having expansion factor equal to $l(n) = p(n) \cdot n$.

I fixed a PRF $F$ and came up with two constructions for $G$ (where || denotes the concatenatio ...

We know that SHA-1 is susceptible to collision attacks, but what about pre-image attacks such as poisoning torrents?

1. I ask because some vendors of HSM try to avoid the export of wrapped secret key from HSM to insecure storage – storage that does not belong to these vendor’s HSM infrastructure.

   For example, Thales prefer to backup keys to another Thales HSM – most of their documentation is about cloning between their devices. But Thales has an option when they send traffic via public networks: Backup HSM Insta ...

I'm reading headlines on the tune of "…bring zero-knowledge encryption to file storage". Googling "zero-knowledge encryption" returns statements like "cloud storage or backup providers know nothing (i.e. have “zero-knowledge”) about the data you store on their servers".

Is there some academic definition of "zero-knowledge encryption" and how is it different from just encryption?

If the Substitution box is 1 to 1 (a specific value can only ever be a specific box value), and the contents of Rijndael S-box is public, how does this offer any additional security?

With AES the frequency of a letter isn't a concern so what other reason is there for this substitution? An explanation fitting for a novice would be very much appreciated!

Additionally, why is Rijndael S-box a multiplic ...

I've been reading for Pohlig-Hellman Algorithm on Elliptic Curve.

My question is, why the simultaneous congruence gives the answer we want, could somebody please provide a proof of it?

i.e., why

\begin{align*} x \equiv x_i \mod p_i^{e_i}, \forall i\in \{1,2,...,n\} \end{align*}

Reference: https://risencrypto.github.io/PohligHellman/

I have seen a few papers on (contributive) group key exchange where users create Keys and broadcast them so they can all contribute to the secret key. In order to protect against active attackers, several schemes use signature primitives.

They generate some sort of hashed session id, sign it with the message (via some method that I did not fully understand) and broadcast the outcome...

What I fail t ...

I know restricting access of a file, is a important measure of security.

If we read the Payment Card Industry's Data Security Standard (aka PCI-DSS), we can see a requirement where control access must be applied to mitigate any risk of a sensitive encrypted data be leaked from the system.

Other important requirement define minimum data to be kept encrypted, again mitigating possible leak.

I would l ...

I'm trying to implement the 1st round attack on RC4 stream cipher according to Attacks on the RC4 stream cipher. For now I am interested in section 4.2 Attack on other key bytes. It works really fine for all the bytes of the random key of length 8, except the 2nd byte. The needed value t is always the second frequent one, whereas the most frequent is 2, which corresponds to the second byte of stream  ...

I'm protecting communication between some microservices using public/private key encryption, where the sending container has a public key and the receiving container has a private key. This both verifies the sender (only sender has the public key via a credential manager), and protects the data in case it may be buffered, e.g. in a Redis.

But for transient communication, I'm wondering if signing  ...

I have been reading about Zero Knowledge Proof (ZKP) protocols for a while now. Among the applications I have seen the most is authentication (https://ethereum.org/en/zero-knowledge-proofs/#authentication). But in practice it is not used; why?

I have also been looking for why these protocols are not used in authentication systems or why they are not used by identity providers (such as Google accoun ...

Is there any PKE scheme that is IND-CPA secure (in a standard model, not RO) under a search problem?

If an attacker has a database of 1,000 users' hashed passwords which are hashed with SHA-256 with a 128-bit salt and all of these users used 10,000 common passwords. How many hashes will the hacker need to do to recover all passwords?

I was thinking it would just be 1,000*10,000 = 10,000,000 hashes but I am not sure how the salt affects the computation in recovering hashes.

I have some doubts regarding AES weakness and AES cryptanalysis. While it is relatively simple to find Cryptanalysis info on previous ciphers, I get confused about understanding various types of Cryptanalysis attacks on AES.

So far, for example, I've found that AES's weakness could be in its algebraic structure. Anyone knows good references where I can find more precise info on AES cryptanalysis ...

The title is a mouthful, allow me to explain my situation.

• I have a SaaS with many users.
• When new users join the platform, I want to create a cryptographic keypair for them (Ed25519).
• But I don't want to have any knowledge about their private key.
• This means the keypair must be generated and stored by a third-party service.

So I'm looking for a service, which has an API endpoint that works as such: ...

I am a Bitcoin enthusiast, but I have never been formally trained in the study of computer science and cryptography.

Recently, I tried a new way to encrypt my private key: I wrote it down on a paper, and used my camera to take a photo of that paper sheet. Then, I encrypted the photo from pgp4win.

Then I noticed that the size of the photo is significantly smaller after encryption.

Can any expert in cryp ...

I can generate a key of any security in bits with any hash function from random source with enough entropy by using the following scheme:

$$H(00||S) || H(01||S) || H(02||S) || H(03||S) || \cdots$$

/\ H is the hash, S the seed and 00, 01, 02 the counters.

BLAKE2X hashes are computed as follows:

$$\operatorname{B2}(0,64,H_0)\mathbin\|\operatorname{B2}(1,64,H_0)\mathbin\|\ldots\mathbin\|\operatorname{B2 ...

I have 3 Pailler encryption p1=E(x1;r1),p2=E(x2;r2);p3=E(x3;r3) such that x1*x2(mod n)=x3. P(Prover) knows (x1,r1);(x2,r2);(x3,r3).

Can I design a ZKP(interactive & non-interactive) for P to convince V(verifier) that values hidden by p1,p2,p3 satisfy x1*x2(mod n)=x3.

Are there examples (in code, or a blog post / writeup) of using Noise and Signal together?

Here is a link to Noise.

For example, using the Double Ratchet per each message to achieve forward secrecy, but leveraging Noise as a foundation for its patterns of initial key exchange. Both Noise and Signal are well-studied and well-known, and so building upon these might be preferred over attempting to c ...

I was looking at the archives for the British national cipher challenge, and a modified version of an ADFGVX cipher came up twice (2003 2011), with block transposition instead of columnar transposition. The question I has is what is this referring to? I tried finding information about block transposition, but there appears to be many different versions of it as per wikipedia. The cipher challenge is ...

I understand that it is easy to compute eth root in Z(P)* but what about with Z(N)? I know that it requires the factorization of N but what does that actually mean? What is an example of calculating the eth root in the set Z(N) (the set of all elements coprime to N)

In this journal paper related to physically unclonable function (PUF) [1], the authors used NIST 800-22 test to check if the bitstreams generated by their PUFs are random, which is described as follows:

NIST tests are performed using 60 sequences of 128 bits each such that 7680 bits (i.e., digitized keys) collected from 30 different PUFs are tested. The chi-squared (χ2) distribution is used to com ...

Can a file encrypted with a hashing algorithm (like SHA-256) be equally secure as a symmetrical algorithm (like AES)?

This is how it could be done using a password (this is the most simple example, please don't suggest optimizations, it's just the concept):

• Generate random looking binary data of the same length as the file contents, using hash(password+counter+seed).
• XOR the file contents with the dat ...

In BLAKE2X paper it is said:

BLAKE2X adds a constant overhead of $\lceil\ell/64\rceil$ (resp. $\lceil\ell/32\rceil$ compression function calls compared to the underlying 64-bit (resp. 32-bit) BLAKE2 hash. For example, to compute a 1056-bit (132-byte) hash as required in Ed521 signatures, BLAKE2X adds† $\lceil132/64\rceil=3$ extra compression function calls compared to BLAKE2b. Note that $\oper ...

I'm trying to understand the implication of the Binder Keys in in a TLS 1.3 resumed handshake. The TLS 1.3 RFC provides an additional RFC with example traces to validate all the math in a TLS 1.3 handshake. I'm using this example trace to try to re-create the binder keys to understand what went into them.

One of the example traces is a Resumed 0-RTT Handshake trace (section 4 in the linked RFC). This is  ...

If I encrypt a 1MiB file with AES-CBC (or any other cipher) and XOR a 128KiB of (truly) unpredictable random data repeating until the end of file, will I have a security of 1048576-bits (128KiB*8)?

This question is a little weird, but I would like to know if this scheme has a security flaw (maybe known-plaintext attacks).

Let's suppose I want to encrypt a 10GiB file but I don't want to use a One Time Pad, just a 1MiB key taken from /dev/random (in Linux).

I know that the key should not be repeated, but is it possible to do a form of pseudo-OTP by using the same key across the entire plaintext?

I thought in a scheme: Hash each 64-byte piece of the key with a hash function (with output size of the same size of the 64-b ...

There seem to be two ways to RSA-encrypt using .Net:

EncryptValue (which doesn't seem to pad the plaintext).

and

Encrypt (which does).

I was wondering, since what I'm encrypting is a cryptographically secure (cough...) AES key, do I need it to be padded by an official padding scheme? Assuming, of course, that the length of the data (the AES key) is exactly the right length, or padded by something simple e ...