Latest Crypto related questions

Score: 0
SarkoxedaF
Finding small roots of a univariate polynomial modulo N. Don Coppersmith

I'm currently trying to understand Coppersmith's method of finding small integer roots of polynomials modulo some integer. I am reading the original paper Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities by Don Coppersmith. Specifically, in section 6 he claims: [screenshot not reproduced]

I really can't get the part where he says that we can compute the $c_g$ values. We are given the reduced l ...

Score: 0
jakarta2000
Finding a generator of an elliptic curve effectively with huge numbers

In cryptography I am facing the issue of finding a generator of some elliptic curve, given only the curve over a given field and the number of elements that the curve has.

The numbers used are enormous, so I am struggling to implement any of the scenarios offered here on Stack Exchange for finding a generator of an elliptic curve. If anyone can help I would be thankful.

Score: 1
mmazz
FHE modular reduction in specific range

I'm trying to implement a naive version of CKKS in Python. It was going great until I started implementing the modulus.

For this kind of scheme, the modulus $q$ is in the range $(-q/2, q/2]$. How does this work?

In the CKKS paper (I think BGV and others do the same) they use something like this (a toy example): $c = m \pmod q$, where $c$ and $m$ are polynomials, so the coefficients of $m$ are taken mod $q$. So $c$ and $m$ are congr ...

Score: 0
Using TEA to build a hash function

Background:

TEA uses a 128-bit master key $K_{0\ldots3}$. All odd rounds use $K_0$, $K_1$ as the round subkey, and all even rounds use $K_2$, $K_3$. One cycle of TEA applied to the block $A_i$, $B_i$ is: $A_{i+1} \leftarrow A_i + F_i(B_i, K_0, K_1) \hspace{0.5em};\hspace{0.5em} B_{i+1} \leftarrow B_i + F_i(A_i, K_2, K_3)$, where the round function $F$ is: $F_i(b,k,k') = (\text{ShiftLeft}(b,4) + k) \oplu ...
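As an added example (written for this page, not part of the question above), the following Python implements the standard 32-cycle TEA with $\delta = \text{0x9E3779B9}$ and a Davies-Meyer compression function on top of it, then shows the one property anyone building a hash from TEA has to know about: flipping the top bit of both $K_0$ and $K_1$ (or of both $K_2$ and $K_3$) leaves every round unchanged, because the two flipped bits cancel inside the XOR of $(b \ll 4) + k$ and $(b \gg 5) + k'$. Each key therefore has equivalent keys, and in Davies-Meyer, where the message block is used as the key, two different message blocks give the same chaining value. The key words, plaintext and IV below are constructed for the demonstration.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def tea_encrypt(block, key, rounds=32):
    """Standard TEA. block = (v0, v1) 32-bit words, key = (k0, k1, k2, k3).
    Odd half-rounds use k0, k1; even half-rounds use k2, k3, as in the question."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt(block, key, rounds=32):
    """Inverse of tea_encrypt: undo the half-rounds in reverse order."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def equivalent_key(key):
    """Flip bit 31 of k0 and of k1. Adding 2^31 to each of the two terms that
    are XORed together flips bit 31 in both, so the XOR is unchanged and the
    cipher computes exactly the same function under the new key."""
    k0, k1, k2, k3 = key
    return (k0 ^ 0x80000000, k1 ^ 0x80000000, k2, k3)


def davies_meyer(blocks, iv=(0x01234567, 0x89ABCDEF)):
    """Davies-Meyer with TEA: each 128-bit message block is the cipher key, the
    64-bit chaining value is the plaintext, H_i = E_{M_i}(H_{i-1}) xor H_{i-1}.
    (The IV is an arbitrary constant chosen for this example.)"""
    h = iv
    for m in blocks:
        c = tea_encrypt(h, m)
        h = (c[0] ^ h[0], c[1] ^ h[1])
    return h


if __name__ == "__main__":
    # Constructed demonstration values.
    key = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
    key2 = equivalent_key(key)
    pt = (0xDEADBEEF, 0xCAFEBABE)
    print("same ciphertext under two distinct keys:", tea_encrypt(pt, key) == tea_encrypt(pt, key2))
    print("Davies-Meyer collision on two distinct message blocks:",
          davies_meyer([key]) == davies_meyer([key2]))
```

The practical consequence: used as-is in a Davies-Meyer (or any block-cipher-based) compression function, TEA gives collisions for free; that is the reason its effective key space is $2^{126}$ rather than $2^{128}$, and why XTEA changed the key schedule.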

Score: 0
Abol_Fa
What type of certificate is this?

I have been reading papers about authentication in VANETs, and some of them mention a certificate that a trusted authority generates for a vehicle, which has the following form: $${C_{V_i}}=S_{TA}+H(PID_{V_i}|PID_{TA}|P_{TA}|P_{V_I})*x_i$$
Here $S_{TA}$ is a secret that belongs to Trusted Authority.
$H()$ is a hash function.
$PID_{V_i}$ is the pseudo-identity of vehicle $V_i$.
$PID_{TA}$ is the pseudo-ide ...

Score: 1
fartwhif
Signature operation of RSASSA-PKCS1-v1_5 requires private key. Superficial limitation, or are public parameters mathematically incapable of it?

In the case of RSASSA-PKCS1-v1_5, is it simply that the cryptographic libraries and APIs are designed to only sign if determined superficially that it has a private key, or is the public key mathematically incapable of signing? Or perhaps in asking this way there is some major wrong assumption I'm making about keypairs and how they can be used?

Score: 1
sir assistant
How to add unused public signals in circom

In my use case, I want to attach a public key to a proof generated by a circom circuit. If my circuit is as follows:

template Example() {
  signal input secret;
  signal input hash;
  signal input salt;

  signal output verified;

  // Hash the secret and the salt, compare it to hash and assign it to the verified output
  // Omitted for brevity
}

component main {public [hash]} = Example();

If I just ...

Score: 1
Matias Heikkilä
Why is FHE nontrivial?

If I understand correctly (please let me know if any of the following is wrong), a fully homomorphic encryption scheme $\mathcal{E}$ is such that for any messages $x, y$, $$ \mathcal{E}(x + y) = \mathcal{E}(x) + \mathcal{E}(y) \\ \mathcal{E}(x y) = \mathcal{E}(x) \, \mathcal{E}(y), $$ i.e $\mathcal{E}$ is a ring homomorphism. Since the function $\mathcal{E}$ has to be invertible (hence injective), we hav ...

Score: 3
Kristi
Is WPA2 collision-proof?

I was experimenting with hashcat and aircrack to test WiFi security. The WiFi AP is a WPA2 encrypted network. The tool I used to capture is bettercap, which captured multiple WPA2 handshakes. The problem is that from those multiple handshakes I get two valid passwords for the same AP.

The question is: did I find a WPA2 hash collision, or am I getting something wrong?!

Hashes are converted by hashcat t ...

Score: 1
jammy
Blom's key distribution

Having a difficult time wrapping my head around Blom's key distribution. I found an online resource to understand it but still couldn't get it. I am attaching the screenshots from the book where the author first mentions the algorithm and then solves an example. A better explanation of how the values in the example are taken and derived would help.

[Screenshot: Algorithm]

[Screenshot: Example]

How are the different $g$ values and $ ...

Score: 1
krkhan
How are RSA and Elliptic Curve keys generated deterministically?

Going through the TPM tutorial: https://google.github.io/tpm-js/#pg_keys

Primary keys are derived from the primary seeds using a deterministic key derivation function (KDF).

The output of the KDF would be some pseudo-random bytes. For RSA, the bytes might not be a prime number. For elliptic curves, the bytes would likely not be a coordinate on the curve. Even ignoring that the output is coming from a KDF, I'm unclear on how a "seed" can be used to generate RSA and EC keys deterministically.
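As an added example (written for this page; it is not the TPM's code and not the tutorial's), the following Python shows the mechanism the question is asking about. For RSA the KDF bytes are only a prime *candidate*: they are tested, and if they fail, the next candidate is derived under an incremented counter, so the search is deterministic. For an elliptic curve the KDF bytes are not a coordinate at all but the private scalar $d$; it is accepted only if $1 \le d < n$, and the public point is computed as $Q = d \cdot G$, which by construction lies on the curve. The counter-mode HMAC-SHA256 KDF, the labels, the 512-bit modulus, the fixed Miller-Rabin bases and the affine P-256 arithmetic are simplifying assumptions of this example; TPM 2.0 uses its own KDFa and candidate sieving, but the principle is the same: one seed plus one fixed derivation path always reproduces the same key.

```python
import hashlib
import hmac
import math


def kdf(seed: bytes, label: bytes, nbytes: int) -> bytes:
    """Counter-mode KDF over HMAC-SHA256 (this example's choice, not TPM's KDFa).
    Same (seed, label) -> same bytes; distinct labels give independent streams."""
    out, counter = b"", 1
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big") + label, hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic verdict, negligible error."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_rsa_prime(seed: bytes, label: bytes, bits: int, e: int) -> int:
    """KDF output is a candidate: force top bit (full width) and low bit (odd),
    require primality and gcd(e, p-1) = 1, else re-derive under the next counter."""
    attempt = 0
    while True:
        raw = kdf(seed, label + attempt.to_bytes(4, "big"), bits // 8)
        cand = int.from_bytes(raw, "big") | (1 << (bits - 1)) | 1
        if is_probable_prime(cand) and math.gcd(e, cand - 1) == 1:
            return cand
        attempt += 1


def derive_rsa_key(seed: bytes, bits: int = 512, e: int = 65537):
    """Deterministic RSA keypair (n, e, d); labels are this example's own."""
    p = derive_rsa_prime(seed, b"RSA-p", bits // 2, e)
    q = derive_rsa_prime(seed, b"RSA-q", bits // 2, e)
    if p == q:
        raise ValueError("degenerate seed: p == q")
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


# NIST P-256 domain parameters.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(P1, P2):
    """Affine point addition on P-256; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return x3, (lam * (x1 - x3) - y1) % P256_P


def ec_mul(k: int, P):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def on_curve(Q) -> bool:
    x, y = Q
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def derive_ec_key(seed: bytes):
    """Deterministic P-256 keypair: KDF bytes are the scalar candidate; anything
    outside [1, n-1] is rejected and the next counter value is tried."""
    attempt = 0
    while True:
        d = int.from_bytes(kdf(seed, b"ECC-P256" + attempt.to_bytes(4, "big"), 32), "big")
        if 1 <= d < P256_N:
            return d, ec_mul(d, P256_G)
        attempt += 1
```

Deriving twice from the same seed returns identical RSA and EC keys; a different seed (or a different label, which is how one seed can back several keys) gives unrelated ones. Because the public point is computed from the scalar rather than read from the KDF, it always satisfies the curve equation.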

Score: 0
Gloria Jiya
Password space: number of possible password combinations

How do I calculate the password space of a randomized linked hybrid password of 9 images and 10 numbers (0-9)? The user is allowed to select 4.

Images = 9; PIN = 0-9; password selections allowed: 4; every image is linked to a number.

Images are randomized at each selection.

Score: 2
Donnie
Generic attack on HMAC-SHA256

Is there any generic attack on HMAC-SHA256?

I am currently reading up on attacks on HMAC-SHA-256. However, most of the papers I've found are about side-channel attacks such as differential power analysis.

Score: 0
Caio Nogueira
Constructing a PRG from a pseudorandom function

I have recently understood how we can construct a pseudorandom function from a PRG. However, I would like to prove the reverse - how can I construct a PRG from a PRF?

Score: 0
Difference between sigma protocol, Schnorr protocol, Pedersen commitment

Could you explain the difference between a sigma protocol and the Schnorr protocol, with examples? What is the advantage of using a commit-and-prove zero-knowledge proof over a general zero-knowledge proof?

Score: 1
CryptoGuru
Hashes to passwords with PBKDF2

If an attacker wants to hack the passwords of $2^{10}$ users, all of these users generate a password from a space of $2^{50}$ passwords, and each password is hashed with PBKDF2 with $2^{10}$ iterations.

How many hashes would an attacker need to do to get all passwords in the worst case?

I was thinking it would be $2^{10} \cdot 2^{50} \cdot 2^{10} = 2^{70}$ since with PBKDF2 each password will ...

Score: 0
user46060
ARX ciphers: MSBs do not have influence in modular addition?

Could you please help me? I am reading the paper "Improved Differential Fault Attack on LEA by Algebraic Representation of Modular Addition". I would like to know why it is claimed that the MSBs of A and B lack information, in the phrase "the lower 31 bits of A and B can be determined, excluding MSBs that lack" (page 4, before section B).

Score: 1
crypt
Modification of CFB Mode of Operation?

To encrypt plaintext $(P_1, P_2, P_3, \ldots, P_n)$, Ciphertext Feedback Mode (CFB) works as follows: $$ C_0 = IV \\ C_i = E_K (C_{i-1}) \oplus P_i $$

Let's define a modified version of CFB mode as follows: $$ C_0 = IV \\ SK_i = KMAC(K, C_{i-1})\\ C_i = E_{SK_i} (C_{i-1}) \oplus P_i $$

The modified CFB mode encrypts each block using a new key $(SK)$ and it has a processing overhead.

What security adv ...

Score: 4
CryptoGuru
Password hashing and salting with SHA-256 on $2^{64}$ password space

If a password is randomly chosen from a space of $2^{64}$ passwords and is stored as a SHA-256 hash with a 128-bit salt, how many hashes does an attacker need to perform to recover the password in the worst case?

Would it just be $2^{256}$ hashes because SHA-256 provides $256$ bits of security in a pre-image attack?

Score: 2
user77340
What is the advantage of ECDSA over Schnorr signature?

As we know, the Schnorr signature enjoys the linearity property, which does not exist in ECDSA. It seems the Schnorr signature is more efficient and can bring more features than ECDSA. What is the advantage of ECDSA over the Schnorr signature? Will ECDSA gradually be replaced by the Schnorr signature (especially now that Schnorr signatures can be used in Bitcoin)?

Score: 4
Ievgeni
Multiplication of two LFSRs

Let $a_n$ and $b_n$ be two sequences generated by two LFSRs with connection polynomials $P$ and $Q$. How to show that the sequence $(a_n \cdot b_n)$ can be generated by an LFSR with connection polynomial of degree upper bounded by $\deg(P)\cdot \deg(Q)$?
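A worked example added here (not part of the question) that makes the bound concrete: two LFSRs over $\mathbb{F}_2$ with primitive connection polynomials $P(x) = 1 + x + x^3$ and $Q(x) = 1 + x + x^4$, their termwise product, and the Berlekamp-Massey algorithm to measure the linear complexity of the product, i.e. the degree of the shortest LFSR that generates it. For these two polynomials the result is $12 = 3 \cdot 4$, so the bound is met with equality; in general it is only an upper bound (the polynomials, initial states and sequence length are constructed for the demonstration).

```python
# Connection polynomials are coefficient lists c[0..d] with c[0] = c[d] = 1,
# meaning s_n = c[1]*s_{n-1} + ... + c[d]*s_{n-d} over GF(2).


def lfsr(conn, init, length):
    """Extend the initial state under the recurrence defined by conn."""
    d = len(conn) - 1
    if len(init) != d or conn[0] != 1 or conn[d] != 1:
        raise ValueError("init must have length deg(conn) and conn needs c_0 = c_d = 1")
    s = list(init)
    while len(s) < length:
        s.append(sum(conn[k] & s[-k] for k in range(1, d + 1)) & 1)
    return s[:length]


def berlekamp_massey(s):
    """Linear complexity of a GF(2) sequence: degree of the shortest LFSR that
    produces it. Exact once the sequence is at least twice that degree long."""
    n = len(s)
    c = [1] + [0] * n   # current connection polynomial
    b = [1] + [0] * n   # polynomial saved at the last length change
    L, m = 0, -1
    for i in range(n):
        d = s[i]        # discrepancy: does the current LFSR predict s[i]?
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def product_sequence(a, b):
    """Termwise product (a_n * b_n), which over GF(2) is the AND of the bits."""
    return [x & y for x, y in zip(a, b)]


def degree_bound(conn_p, conn_q):
    """The bound from the question: deg(P) * deg(Q)."""
    return (len(conn_p) - 1) * (len(conn_q) - 1)


# Constructed inputs: P(x) = 1 + x + x^3 and Q(x) = 1 + x + x^4, both primitive,
# with non-zero initial states, so each LFSR produces a maximal-length sequence.
P = [1, 1, 0, 1]
Q = [1, 1, 0, 0, 1]
A = lfsr(P, [1, 0, 0], 64)
B = lfsr(Q, [1, 0, 0, 0], 64)

if __name__ == "__main__":
    print("L(a) =", berlekamp_massey(A), " L(b) =", berlekamp_massey(B))
    print("L(a*b) =", berlekamp_massey(product_sequence(A, B)),
          " bound =", degree_bound(P, Q))
```

Why equality holds here: if $\alpha$ and $\beta$ are roots of $P$ and $Q$, the product sequence is a linear combination of the powers of the $\deg P \cdot \deg Q$ products $\alpha^{2^i}\beta^{2^j}$, whose minimal polynomial therefore has degree at most $\deg P \cdot \deg Q$; when $P$ and $Q$ are primitive of coprime degrees those products are exactly the conjugates of $\alpha\beta$, all with non-zero coefficients, so the minimum is attained.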

Score: 2
Bob
How to factorize $N$ in OU cryptosystem under chosen ciphertext attack?

The OU cryptosystem: $N = p^2q$; the secret key is the factorization of $N$; the public key is $g \leftarrow \mathbb{Z}_N$ with $g^{p-1} \neq 1 \bmod p^2$; to encrypt an element $m \in \mathbb{Z}_p$, choose $r \leftarrow \mathbb{Z}_N$, then $Enc(m) = g^m \cdot h^r$, where $h = g^n$.

In the paper Paillier's Cryptosystem Revisited [CCS01], it is said that: [screenshot not reproduced]

How to factor $N=p^2q$ under CCA model?

Score: 1
Roman
How to solve a system of modular equations with exponential difference

I'm solving one crypto problem on RSA.

p^e - q^e = C1 (mod n)
(p-q)^e   = C2 (mod n)

n = p*q*r; p,q,r are prime numbers
e = 2 * 65537

We have e, n, C1, C2.

It's impossible to find p, q, r from this system of equations, since there are 3 unknowns in the system of 2 equations. But is there any way to reduce the possible options?

Score: 1
CryptoGuru
How many hashes to recover a salted password?

If a password $p$ is selected from a space of $2^{64}$ passwords, and the server stores this as a hash $h = \text{SHA-256}(p \| s)$ where $s$ is a random 128-bit salt, how many hashes at most would an attacker need to perform to recover $p$ given $(h, s)$?

I was thinking that this is a pre-image attack so the attacker needs to find the same hash as the passwords. SHA-256 provides 256 bits of pre-image resistance. So  ...

Score: 2
jmcph4
Generic name for R1CS vs. AIR

In the zero-knowledge cryptography nomenclature, we have multiple representations of arbitrary computation suitable for submission to various proof backends (e.g. Groth16). Two specific examples spring to mind: rank-1 constraint systems (R1CS) and Algebraic Intermediate Representations (AIR).

What are these called?

Score: 1
killertoge
Definition of Polynomial-Time Indistinguishability

We call two ensembles $X$ and $Y$ indistinguishable in polynomial time if for every probabilistic polynomial-time algorithm $D$, for every positive polynomial $p(\cdot)$, and for all sufficiently large $n$ we have $$|Pr[D(X_n,1^n)=1]-Pr[D(Y_n,1^n)=1]| < \frac{1}{p(n)}.$$

One question I didn't confront at the beginning is: does the definition imply that $|X_n|=|Y_n|$?

After a little bit of thinkin ...

Score: 2
hasin
Chosen plaintext attack

I have coursework for university; the question is:

Consider a symmetric encryption scheme with its encryption operation written as

$$C = E(K, R||P)$$

where $E$ is a block cipher encryption algorithm, $K$ is an encryption key, $R$ is a random nonce (i.e., it is randomly generated for each encryption), $P$ is a plaintext, $C$ is a ciphertext, and "$||$" denotes concatenation.

Let the block size be

Score: 1
Thanos
Are Digital signatures used enough these days?

So I'm currently working on a past exam paper related to cryptography; this question essentially asks the reader why digital signature schemes are not used today.

Yet, when I did my research on this topic online, I found out that most technologies do in fact use digital signature schemes. In fact I'm now even confused by what this question means, and would appreciate it if anyone has any input as to wha ...

Score: 1
Léo Colisson
Zero-knowledge with leakage about the witness

In Zero-Knowledge (ZK) proofs/arguments of knowledge, the ZK property informally says that it is possible to simulate the output of a (malicious) verifier interacting with a prover knowing a witness $w$ without using $w$ at all:

$$\{OUT_{V^*_\lambda} \langle P(w,x) , V^*_\lambda(s_\lambda, x) \rangle\}_{\lambda,x,w} \approx_c \{Sim(x, V^*_\lambda, s_\lambda)\}_{\lambda,x,w}$$

where $\lambda$

Score: 0
abbas
How is the VMK decrypted?

We know that in the BitLocker decryption procedure there is an intermediate key, after the hash-computing phase, which is used to encrypt a nonce using AES-256, and the result (IV) is used to decrypt the VMK. How is the VMK decrypted using the IV?
