Latest Crypto related questions

Score: 2
Ss1996 avatar
AES key encryption on one time pad
ve flag

I need to use the following scenario: There are 2 keys: AES-key and OTP-key (one-time pad). I encrypt the AES-key (as if it were plaintext) with an OTP key. Then I send the encrypted AES-key to another person who has the same OTP-key on which the AES-key was encrypted. This person decrypts the AES-key. Is it safe for him to use this AES-key to encrypt plaintext on it in CBC mode? And the second question ...

Score: 1
Abol_Fa avatar
Can proofs be generated from Merkle Patricia Tries in the same way as merkle trees?
pe flag

I'm kind of confused about this, I have read that nodes in Merkle Patricia tries are key-value pairs, can someone provide a proof of membership for a data in a Merkle Patricia Trie just as he would with a Merkle tree? That is, providing hash of some nodes and allowing the other party to calculate the rest?

Score: 0
Cerina avatar
Does Index calculus work on secp256k1?
hr flag

Does Index calculus work on secp256k1?

I did a search but couldn't find answers, Can I use Index calculus to find private key of the elliptic curve secp256k1?

Score: 3
vinod avatar
The successive minima of a lattice
vu flag

I am new to lattice theory. I hope(will be grateful) that one could explain to me this claim 7 in REGEV course(this claim appears in this file page 6 : https://cims.nyu.edu/~regev/teaching/lattices_fall_2004/ln/introduction.pdf) which states that : The successive minima of a lattice are achieved i.e., for every 1 ≤ i ≤ n, there exists a vector vi ∈ Λ with ‖v_{i}‖ = λi(Λ).

Thank you,

 ...
Score: 3
Dontmilkme avatar
Arithmetic Circuit to Square Arithmetic Program (SAP)
tl flag

I'm trying to figure out how to convert a circuit into a Square Arithmetic Program (SAP). This is to eventually use it for zk-SNARKs such as Groth16. I do however understand how to convert arithmetic circuits into Quadratic Arithmetic Programs (QAP). As an example if we have the following circuit $c_1 \cdot c_2 = c_3$. Here we would define the following three polynomials: $L_1 = R_2 = O_3 = x$ (where  ...

Score: 2
user212942 avatar
Elliptic Curve digital signature algorithm without "hashing to point"?
tn flag

Through " Why do we need to convert hashes to points on an elliptic curve? ", I found out why Hashing to Point is necessary.

However, using the algorithm below can sign and verify without Hasing to Point?

  • $a$ is secret key
  • $H$ is scalar hash function

Sign:

  • $k = random (mod\ r)$
  • $r = kG_2$
  • $s = a (H(m||r) + k)$ : If don't know k, won't know a. Also hashing both m and r to prevent tamper.

Verify:

Score: 6
Mathijs avatar
How can 4 users generate a provable fair random number?
mo flag

The past few weeks I have been trying to solve a difficult problem. I have asked some cryptography experts but unfortunately they had no clue on how to solve the problem.

The situation is as follows, an online casino wants to host an online bet, each bet can have a variable amount of players. For this example we will use four players. Each player wants to be sure that the outcome of the bet is ra ...

Score: 1
xsw2_2wsx avatar
Understanding symmetric encryption security in relation to password-based key derivation
gs flag

Here are some assumptions on which the question is based. If anything is wrong with this, please point this out straight away:

Let's say I have a file I want to encrypt with AES256 symmetric encryption. This requires a 256-bit key. It would be very hard to remember though. In its original form it probably contains characters with no ASCII representation, and base64 encoded is would be over 32 charac ...

Score: 1
ostrich avatar
Can a quantum attacker prove that incomplete ECDSA signatures were produced with the same key?
US flag

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

A quantum attacker obtains the first 32 bytes of each signature. However, the rest of each signature, the messages, the private key and the public key remain conceal ...

Score: -2
arjunballa avatar
Can someone please explain RSA-OAEP in plain english mathematically?
ru flag

RSA mathematics: https://youtu.be/4zahvcJ9glg

I understand how RSA works mathematically.

Can someone explain RSA-OAEP in plain english?

Score: 1
Florat avatar
Concatenating RNG with PRNG
ng flag

Is it secure to concatenate numbers from an RNG with numbers from a PRNG? I was thinking to throw a dice and use four outcomes to use as real random numbers, one outcome to change to the next permutation, and one outcome to add a pseudo-random number:

I generate a pseudo-random shuffled array from all permutations of the eyes:

shuffle([[1, 2, 3, 4, 5, 6], [1, 2, 3, 4, 6, 5], ...])

I choose the first ...

Score: 2
William Le avatar
is this how RS256 works in JWT?
gs flag

I'm a newbie that is studying about JWT using RS256 algorithm for signing and verification. I have drawn a diagram that represents my understanding of how RS256 works.

enter image description here

Basically, below is what I have by far:

  1. header and payload after being trimmed are both base64url encoded
  2. base64url encoded header and payload are hashed using SHA256
  3. 2 resulting hashes from above will be joined by a dot "." to p ...
Score: 3
user1035648 avatar
Why do we need "selective security" for ABE?
pt flag
  1. The general question is: Why are ABE schemes usually/sometimes proven in the selective-set of attributes model of security? Or even co-selective (both attributes and policy function)? Is it just because of difficulties in security proofs, i.e., reductions?
  2. More precisely, what are the limitations of the simulator in answering the adversary's secret key queries? Like generating secret keys by the simula ...
Score: 2
user212942 avatar
Why do we need to convert hashes to points on an elliptic curve?
tn flag

In order to sign message m, m must be mapped to a point in G.1

However, Point can be multiplied. Why can't I simply do $mG$?

Example:

  • $pk = [sk]G_1$
  • $m = hash(message)$
  • Signing: $s = m [sk] G_2$
  • Verify: $e(G_1, s) == e(pk, m G_2)$

Oh, if it is possible to convert G1 to G2, it seems possible to multiply the public key by m. then,

  • Signing: $k = random, r = kG_2, s = [sk] (m + k)$
  • Verify: $e(G_1, sG_2) = ...
Score: 0
arjunballa avatar
What is difference between Payload -> Sign (JWE) -> Encrypt (JWE) vs Payload -> Encrypt (JWE)-> Sign (JWE)?
ru flag

In RSA® Adaptive Authentication for eCommerce specification, the below flows are described.

Payload -> Sign (JWS) -> Encrypt (JWE) | Decrypt -> Verify -> Payload

Payload -> Encrypt (JWE) -> Sign (JWS) | Verify -> Encrypt -> Payload

As per my understanding end result is same. Authenticity, Data Integrity and Confidentiality are achieved in both the flows.

Am I missing something?

Score: 2
kakacar avatar
Protecting against CPA for AES128/ECB by using padding
kw flag

I was going to encrypt with AES, But I noticed ECB mode is not safe for CPA. So I thought about preventing CPA by padding input text to a multiple of 16 bytes.

First, perform custom padding system: pad input text and secret text for 16bytes "each" like this, so input text will be a multiple of 16 bytes.

For example pad for 8 bytes, pad text is part of "12345678" in ASCII:

AAAAA   -> AAAAA123
A       ...
Score: 2
Sanu avatar
Discrete log problem over special primes
it flag

I am trying to find discrete log over $GF(P)$ using Cado-NFS (https://gitlab.inria.fr/cado-nfs/cado-nfs/-/blob/master/README.dlp). It works well for random primes. But if I take primes that are divisor of numbers of the form $2^n-1$ for some positive integer $n$, it gives error. I use this in terminal:

./cado-nfs.py -dlp -ell factor of P-1 target=a P

I am getting error as follows:

Traceback (mo ...
Score: 3
ostrich avatar
Given multiple incomplete ECDSA signatures, what can a quantum attacker learn in the following scenarios?
US flag

Assume a 256-bit ECDSA private key used with Secp256k1 and SHA-256. This key signs multiple different messages in a fully deterministic manner as described in RFC-6979, so signing the same message always produces the same signature.

Let's analyze four threat models involving a quantum attacker:

  1. They obtain the first 32 bytes of each signature. However, the rest of each signature, the messages, the p ...

Score: 0
Edward Akina avatar
How to encrypt with CBC, step by step?
kn flag

I have this message "Hello from another world"

  1. Can you explain how to encrypt it with CBC step by step?

  2. Are the message characters H, E, L, L, O .. converted to binary first, then every 8 bits or 16 bits XORed with IV and passed to the encryption function to be encrypted with a secret key?

Score: 2
Karup avatar
Protecting value decomposition risk in microdata release
mk flag

Consider a scenario where a company wants to release a microdata of their employees total annual compensation for the following year to an analyst in a recruiting firm in order to provide an indication of relative employee importance so that the recruiting firm could suggest similar candidates for hiring to the company. An employee's total offered compensation for year X is made up of 3 components:

 ...
Score: 1
tonythestark avatar
Is it necessary keys to have equal propabillities for the system to have perfect secrecy?
vi flag

Shannon's theorem for perfect secrecy states that $$\forall x \in M, y \in C:\quad P[x|y]=P[x] $$ I know we need $|M|\leq |C| \leq |K|$. If $|Μ|=|C|=|K|$ all keys should have equal probs.
If $|Μ|<|Κ|$ is it still necessary? I think not because : $$P[x|c_i]=P[x|c_j] \implies \sum_{k_i: E_{k_i}(m_i)=c_i}P[K=k_i]=\sum_{k_i:E_{k_i}(m_i)=c_i}P[k=k_j]$$ The difference is that when $|Μ|=|C|=|K|$  ...

Score: 2
U. Windl avatar
Is finding an encryption (or hash) algorithm science, or is it art?
cn flag

I'm not into cryptography, but I read a bit about it. I wonder:

AFAIK all encryption (decryption) and hashing routines are built using some very primitive functions (let's name them "atoms" for now) with specific properties.

As the set of atoms is probably rather small, a suitable algorithm consists of "combining" such "atoms" to (let's name them) "molecules" in a way that produces "suitable" molecu ...

Score: 1
Don Freecs avatar
Hardness of a modified version of NTRU
sz flag

Let the modified NTRU be $h=f/g$ such that $f$ is not necessarily a short polynomial, is the NTRU problem still hard in this case?

Score: 4
CHTM avatar
Is $g(x_1||x_2) = f(x_1 \wedge x_2)$ a one way function assuming f is a one way function
ms flag

Intuitively I think not because assuming the bit string $x_1,x_2 \sim \{0,1\}^{n/2}$, $x_1 \wedge x_2$ is not uniformly random so if $g$ were still a one-way function then the fact that the definition of one way function requires the input string $x$ to be uniformly random seems unneeded.

But I'm not sure how to construct the $f$ required. I tried the usual $f(x) = 0^{n/2}||f(x_{[1:n/2]})$ but got st ...

Score: 0
sv savage avatar
Verify ES256 CSR
cc flag

I created a CSR using ES256(ecdsa). I want to verify it. How do I verify a CSR using ES256?

-----BEGIN CERTIFICATE REQUEST-----
MIIBCzCBsAIBADAfMQ0wCwYDVQQDDAR0ZXN0MQ4wDAYDVQQEDAVvdGhlcjBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABAJA4hRnXwSydejyKYgB349JX/MKueTl6qei
Ge7s6Leny05ze4oQWaLS7qsQfJGt/8RPCoymGypU12iakhIUfE+gLzAtBgkqhkiG
9w0BCQ4xIDAeMA0GBGgAAAAMBWF0dHIwMA0GBGgAAQAMBWF0dHIyMBMGByqGSM49
AgEGCCqGSM49 ...
Score: 2
gormatron3000 avatar
exponent bit-length for hard DL (128-bit security)
fi flag

Following up on my previous post, I thought I might get a more concrete answer if I gave a more concrete question.

I require 128-bit security so I choose a 3072-bit RSA modulus ($\ell_n=3072$). Specifically I choose $n=pq=(2p'+1)(2q'+1)$ that is a product of safe primes $p$ and $q$.

Now, I want to choose $\ell_\Lambda$ such that finding DL with $\ell_\Lambda$-bit exponents is hard in $QR_n$, for an ad ...

Score: -1
Mogambo avatar
Zero knowledge proof to validate/invalidate a claim
ae flag

Have a look at the Twitter conversation below in the screenshots.

  1. @theveveshow asks if @trader1sz has sent ETH to the girl in question? @trader1sz responds that the girl in question has indeed sent him ETH. @theveveshow asks for proof.
  2. @trader1sz asks if @theveveshow can prove @trader1sz is not his father?

How can we prove the above statements with zero-knowledge proof?

enter image description here enter image description here

Score: 1
Towdo avatar
Is AES distinguishable if the attacker has an decryption oracle?
ne flag

Let the following game be given:

G^IND-CCA':

  1. Prepare a key k <- KeyGen(1^Kappa)
  2. Choose a hidden bit h <- {0, 1} uniformly random
  3. Prepare a decryption oracle O_Dec. Given a cipher text c, it returns the decryption m
  4. Prepare a one-time oracle O_Test. When called with m_0, m_1, it will return the encryption of m_h. Call it c*
  5. Call the attacker with input 1^Kappa, O_Dec, O_Test and await a guess ...
Score: 0
Tree Lover avatar
Higher encryption, means less strong password required?
lc flag

Does higher encryption mean that my password could be shorter? If the time to decrypt is longer, then the chance to bruteforce gets lower too, right?

I've created a KeePass database, and at the creation you get to choose the decryption time (to 100 ms to 5 seconds). I was wondering if this implies a more secure way to use a short password, since the time to decrypt trying with each password would ...

Score: 1
Abhiroop Sarkar avatar
Reencrypting in Homomorphic Encryption
ec flag

I am getting started with Homomorphic Encryption libraries. I am trying to port a codebase written in Python to Haskell. I see that there is a re-encryption operation happening in one part of the code. Something like this:

  def re_encrypt(self, values):
    n = values.shape[1]
    values = values.flatten()
    ret = []
    for i in range(n):
      pt = self.pri_key.decrypt(values[i])
      ret.app ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.