Latest Crypto related questions

I have been recently studying LLL-reduction. I get from the size condition and Lovasz condition that the basis are guaranteed to be somewhat orthogonal. But I couldn't figure out how orthogonal the LLL-reduced basis has to be in the geometric or intuitionistic sense. For example,

1. How small can an angle be between two LLL-reduced basis?
2. How long can the "diagonal" of the fundamental parallelepiped of t ...

I'll get straight to the point here.

There are two different programs I'm looking at. They both use secp256k1 to deterministically sign data (RFC6979) & provide the results online in-browser. However, both programs produce different DER-encoded signatures and I'm honestly baffled at this point as to why.

Program #1: https://paulmillr.com/noble/

Program #2: https://asecuritysite.com/encryption/sigs2 ...

As far as I understand, the biggest problem of requesting authentication in disk encryption is that the plaintext and ciphertext are not having the same size -because of tag-. The XTS mode is already designed with this issue in mind (length preserved). However, as far as I know, it is not possible to preserve the size with authentication. Is it possible to solve this problem with disk type? Advan ...

What combination of public key cryptography (DH) and symmetric key cryptography is currently available that is (subjectively) as secure as possible over other ciphers (AES,curve448) when security is prioritized over efficiency?

translator user

Edited: changing the notation according request by fgrieu.

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

properties of secp256k1:

p = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141   # order of curve

It is according to: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces- link here: https://billatnapier.medium.com/ecdsa ...

In FIPS 186-5 (Digital Signature Standard or DSS) there is a Table B.1 which specifies the minimum number of rounds of Miller-Rabin testing for 1024, 1536 and 2048 bit keys, used for digital signatures. That's already an update to FIPS 186-4 which specified these numbers up to 1536 bits. However there doesn't seem to be a table for any other values over 2048 bit keys.

Table B.1. Minimum number of rounds ...

I have an application that needs to communicate with the bank for online transactions. I am using OpenSSL 3.0.8.7 in Windows 11. I generated a private key using:

openssl genrsa -out rsa_key.pem 2048

Then a Certifate Signing Request using:

openssl req -new -key rsa_key.pem -out csr.pem -subj "[REDACTED]"

I sent the CSR to the bank and received back a signed certificate (signed_cert.pem) and the bank  ...

I must verify an HTTP signature to guarantee the origin and integrity of a webhook data: https://www.blockcypher.com/dev/bitcoin/#webhook-signing

This is their x509 PKIX encoded signing key's public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

I am following this specification to construct the signing string: https: ...

So I understand how one can use Fiat-Shamir to turn a HVZK sigma protocol into a non-interactive zk protocol in the random oracle model. My problem though is I don't understand why is this useful.

If I wanted to use a NIZK in something and I choose a protocol based on Fiat-Shamir, this would mean I have to choose a hash function which surely invalidates the zk proof in the ROM. So do I know anyth ...

What is a good method to generate random numbers between 0 and n from random bits?

For example, I have a one million random bits generated according to NIST SP 800 90 publications. Now I need to generate random numbers between 0 and 100 (inclusive) using these random bits. Few possible methods i could think of are

Read 7 bits, convert these to a number (0 to 127), store the number if its <= 100,  ...

Say a server wants to hash a password $p$. It would use a secure hash function $H$ and a unique salt $s$ to hash the password as $H(p,s)$. If one has access to the salt, each password candidate requires one run of the hash function to be ruled out; the same amount of time it would take for the server to verify a password candidate.

If, on the other hand, the password was hashed as $H'(p,s+r)$, wh ...

I'd like to create a custom type of sortable GUID by concatenating an 8-byte nanosecond timestamp, 6 random bytes, a 1-byte node number, and a 1-byte counter. But, such a precise timestamp can be used to enact very effective side-channel attacks if it can be related to the execution time of other cryptographic operations being done on the same system. It'd be ideal to conceal them in some invertible way ...

I am working on a project for my maths assessment where I research the effect of complexity and length on a given password. Currently, I am working on calculating the probability of guessing a password on the first try. I assumed that I had to start from entropy and go from there but I am kind of stuck on which formula to use in order to find the probability.

I considered 1 / (2^entropy) but I am not su ...

I'm implementing 128-bit AES-GCM (but only the encryption/AES-CTR aspect).

When I set the Secret Key, Plaintext and IV to Test Case 2, page 27 of the GCM spec (see below) I get the wrong value for the output of the cipher block (before we XOR).

https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf

Inputs:

K       00000000000000000000000000000000
P       000000000000 ...

With PHP, I'm trying to setup a HTTP signature verification for webhook requests coming from BlockCypher: https://www.blockcypher.com/dev/bitcoin/?php#webhook-signing

This is their public key: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEflgGqpIAC9k65JicOPBgXZUExen4rWLq05KwYmZHphTU/fmi3Oe/ckyxo2w3Ayo/SCO/rU2NB90jtCJfz9i1ow==

This is an HTTP request that I've collected using RequestCatcher:

POST / HTTP/1.1
Host: 2 ...

I'm following ZK MOOC: https://zk-learning.org/

After some previous readings about these topics, I was believing to have understood that, stated that non-interactivity isn't attainable in standard/plain model, there were to alternatives B-plans:

• Fiat-Shamir heuristic for public coin IPs requiring the acceptance of ROM (Random Oracle Model)
• or CRS (Common Reference/Random String) assuming a trusted setup ...

I am currently studying OFB mode, and one of the vulnerability mentioned for it is that if two different messages have a block at the same position in the ciphertext, and have same plaintext, the attacker can figure out the encryption function output for that particular block. This was brought up to highlight the danger of reusing IV, so this is assuming that same IV and key are used.

I understan ...

Below is part of AES GCM diagram. However, it only shows the behavior of the IV/counter.

The GCM specification examples state both an IV and a Secret Key as two inputs.

Can someone please explain where both are used?

Is the 96 bit IV expanded to 128 bits, incremented (most-significant byte?) and used to create the AES Key Expansion?

And the Secret Key is passed (with the Key Expansion) to E_k for encry ...

Assume we have message M, key K, and MAC = hmac-256SHA(M, K).

I wonder if an attacker can figure out the Key K if the attacker knows the Message M and MAC

What family of bilinear pairing is recommendable for BLS signature when the overriding criteria is compactness of the signature, as desirable for something to be keyed-in from printout, or embedded in a small QR-code?

Is there something giving signature size lower than ≈384 bit for 128-bit conjectured security, as in this draft RFC, which is no more compact than a more conservative and faster s ...

I'm currently looking into pairing-based cryptography and I stumbled upon the definition of the properties bilinearity, computability and non-degeneracy.

Now I have a problem with understanding the non-degeneracy and how it is important to the security of elliptic curve cryptography. I have not found a paper that goes into detail about it, only from a mathematical standpoint which is a little to  ...

I'm developing a desktop application where the users will login with username and password, which is then verified against a database. After the initial login, the current user should be automatically logged in each time the application is started (until the user logs out or 1 month has passed).

I could encrypt and store the last successful username and password on the computer, but the decryptio ...

I have this password hash: $argon2i$v=19$m=128,t=2411,p=2$hmJvvpH3BZlvb2V1vLm/yf3zANU4qNpKuw5TBnGzo2I$<censored>.

I know the password, and I want to verify if this password will produce the same hash the the above. Using an online argon2 hashing site: https://antelle.net/argon2-browser/

My problem is I don't know how to convert the salt into the right format for hashing.

As part of mitigating side-channel attacks, which is the most efficient? Masked cryptography or differential power analysis-resistant cryptography? Or are they both similar?

I want to implement proxy re-signature on elliptic curve.

I've been thinking about ideas like the one below, but are there any problems?

Key Generate:

• $a = $ alice's secret key
• $aG$ = alice's public key
• $b = $ bob's secret key
• $bG = $bob's secret key
• $rk_{ab} = aP * b^{-1} = a/bG$

First Sign:

• $Pm$ is hashed point
• $k = $ random
• $r = ka^{-1}$
• $z = e(G, G)$
• $s = z^kPm$

Resign:

• $r' = rk_{ab} * r ...

In NIST’s ‘competition’ to obtain new public key crypto which resists Shor’s algorithm (aka ‘post quantum cryptography’), two algorithms to make it into the third and fourth rounds have been catastrophically broken (Rainbow over a weekend on a laptop and SIDH/SIKE in an hour on a single core), while others have been shown to have less security than required by NIST (https://zenodo.org/record/ ...

I have theses output on curve for jacobian coordinates which I made doubling for (3,10,1) to get (17,21,20) then I made addition for all points to get this results:

     1     3    10     1
     2    17    21    20
     3    11    13     7
     4    20    21    14
     5     2     6     6
     6     9     1     8
     7    14    18     8
     8     6    13     2
     9     0    20    11
    10     3    ...

I have a small ARM M0 SoC and a smartphone as actors. Encryption keys used are Elliptic curve.

My current security is implemented such that:

1. the SoC has 128 bit hashes of phone public keys (vs 512 bit - due to storage space constraints)
2. the phone has the SoC's public key
3. the phone sends its own public key during negotiation
4. step 3 establishes grounds for ECDH on both sides. From here encrypted co ...

Recently, I've been working on disk encryption. I started with the AES-XTS mode which is the standard for this purpose and tried to understand the concept of disk encryption in general.

I know that AES-XTS is preferable from many aspects for disk encryption as long as authentication is not requested. You don't need to store additional data for an authentication tag or IV and it is more resistant ag ...

Referring to the AES specification:

https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf

Printed pages 35-37...

The first detailed walkthrough is encryption, the second is decryption.... I don't understand what is the third, "equivalent inverse cipher (decrypt)"?

How can there be two decryption techniques?