Latest Crypto related questions

Score: 0
Tom Scott
Given the CBC-MAC for a message M and the key K, how could I forge a new message M' so that it has the same CBC-MAC as M?

I'm looking to learn about forging CBC-MACs.

Given the CBC-MAC for a message M and the key K used to encrypt the message.

Can I create a new message M' which would have the same CBC-MAC?

  • Original unknown message: M
  • CBC-MAC of original unknown message: X
  • Key used in CBC block cipher: K
  • New message with CBC-MAC = X: M'

Score: 0
Abdulahad Ghuman
Stream Ciphers clarification

I am confused about stream ciphers a little, so I just wanted to clarify. We have a key that's, let's say, 2 bits. I have a message that's 8 bits. I used a pseudorandom generator that would add 6 bits to my key. Those 6 bits are deterministic and public. Hence why it's called pseudorandom: it looks random, but because the 6 bits are deterministic, it's not. So that makes my keystream, regardless of the key, ...

Score: 8
Titanlord
What does puncturing in cryptography mean?

While I was reading the documentation for the cryptocode $\LaTeX$ package I stumbled across the "primitive" called puncturing in subsection 2.12. This was the first time I read about this "primitive". Additionally, I am not a native speaker, which is why I have no intuition about what it could mean. Can someone explain it to me on a basic level?

Score: 0
A_guest
Oblivious transfer protocol to retrieve k elements

The server holds N encrypted elements, each element is associated with an index (unencrypted). The receiver wants to retrieve only k-out-of-N elements using k-out-of-N OT. The motivation for using OT is to retrieve only k elements, not all N elements; retrieving N elements results in storage overhead on the device (receiver), and another motivation is that the server should not learn which elements have bee ...

Score: 5
Matthias
Succinct verification of computation without ZKP

What is the state of the art for producing quickly verifiable proofs of correct computation when your proof is allowed to leak knowledge?

For context, I am inspired by Miden VM's promises:

For any program executed on Miden VM, a STARK-based proof of execution is automatically generated. This proof can then be used by anyone to verify that the program was executed correctly without the need for re-executi ...

Score: 1
mvh avatar
OPGP: tag8 being converted to tag11, part of 4880 spec?
ru flag
mvh

When a tag8 compressed data packet does not contain compressed data i've seen some products simply handle the packet as a tag11 literal data packet, yet i find nothing in the 4880 spec old/new suggesting this is an acceptable behavior. what am i missing here?

Score: 0
hjds
Garner's Formula to find a and b given 2 mod equations equal the same variable

I'm working on a Chinese Remainder Theorem Garner's Formula problem in my Cryptography module and was hoping for some help.

Question:
Given the data below, use Garner's formula to find T, U and s.

$$ N = pq = 6815731 $$
$$ s \% p = 1 $$
$$ s \% q = 62537 $$

$ s = a \% p $

$ s = b \% q $

$ T = p^{-1} \bmod q $

$ U = (b-a)T \bmod q $

$ s = a+Up $

(p is the smaller prime)

I've figured out $p = 13, q = 52428 ...

Score: 1
Is it possible to show and hide certain values of a message and still be able to verify a BLS aggregated signature?

When using BLS, let's say Alice signs each of the 5 messages ($m_1, m_2, m_3, m_4, m_5$), aggregates the signatures and sends the aggregated signature to Bob. Bob can verify it.

Here's the goal: However, Bob would also like to send the aggregated signature by Alice to Charlie but hide the values of $m_2$ and $m_4$ messages. So, Charlie wouldn't know there are 5 messages in total and he will only know  ...

Score: 0
minimal public-key authenticated encryption protocol

One party (master) wants to send data to another party (slave) over an insecure channel using public-key encryption and signature schemes such that:

  • master is authenticated,
  • data is confidential,
  • data cannot be replayed.

The minimal assumptions are:

  • master has slave's public encryption key,
  • slave has master's public verification key,
  • the public keys are trusted (how they were obtained is immateria ...

Score: 0
Generic
How to evaluate efficacy of new public-key cryptosystems

Suppose I had a new public-key or key exchange protocol. How do I objectively evaluate it so as to determine if it is worth sharing with the broader community? Whenever developing a cryptosystem, it is important to ask "who cares?", to see if it addresses any challenges that current systems face, but it is unclear exactly how to answer that "who cares?" question.

For example, is there a "thresh ...

Score: 1
Basis matrix of NTRU lattice

In NTRUEncrypt, we choose polynomials $\mathbf f,\mathbf g$ (with suitably small coefficients) such that $\mathbf f$ admits inverses $\mathbf f_p, \mathbf f_q$ with respect to the moduli $p,q$. The relationship between the public $\mathbf h=\mathbf f_q\mathbf g\text{ mod q}$ and the private key $(\mathbf f, \mathbf f_p)$ is used to define a lattice

\begin{equation} \mathcal L=\{(\mathbf u,\mathbf v ...

Score: 2
pintor
How do lattice-based proofs with Reed-Solomon codes simultaneously avoid aborts and multiple repeats?

I'm trying to understand how lattice-based schemes with Reed-Solomon proximity testing work and why the scheme in Bootle et al.'s Fig. 3 has no aborts at all (nor a big number of repetitions).

TLDR: How do PCPs and Reed-Solomon allow one to avoid aborts and multiple repeats in Bootle et al.'s exact proof? I see no aborts and the challenge space is not a bit string either. Plus, they require just two repea ...

Score: 4
user104734
SHA2 vs SHA3 popularity

Does anybody know, or can point me to a source about, SHA2 vs SHA3 usage statistics? SHA3 is newer and is claimed to be more secure, but ... is it more widely used in real-life deployments?

Score: 2
P00
Why, if x ∉ Z*n, is gcd(x, n) ≠ 1? (RSA)

I understand that if $\gcd(x, n)\neq 1$ then the $\gcd$ is one of the prime factors of $n$, $p$ or $q$. But how is the fact that $x \not\in Z^*_n$ related to $\gcd(x, n)\neq 1$?

Score: 0
P00
How do I prove that if $\text{gcd}(m,n) \neq 1$, the result is $p$ or $q$ in RSA?

I understand that $\text{gcd}(m,n)$ needs to be $1$ so we can apply Euler's theorem, and if it's not $1$, the result is one of the prime factors of $n$. But why is the result always $p$ or $q$? Couldn't it be any other number?

Score: 1
joxavy
DES next round key

I don't understand which DES key is used in the next round of Feistel construction.

As you can see below, we use our original key that has been inserted in permuted choice 1, where we got 56 bits, divided into two halves, $C_{i-1}$ and $D_{i-1}$. We will apply the left shift rule on that key and therefore obtain 16 different keys.

Do I have to use the key number 1 that I will obtain as the second  ...

Score: 1
kazamatzuri
Recovering nonce in ECDSA with known shared components in ECDSA

This is a slight variation of the shared nonce problem. We do have a lot more shared information between two nonces.

Given a random $k$:

$$ k_1 = ka, k_2 = kb $$

I am now signing two messages, which gives me $s_1,r_1,s_2,r_2$

Based on my understanding of the base equation for signatures in ECDSA (with given generator $G$, private key $d$)

$$ r = kG, \quad s = k^{-1}(h + rd) $$

So now I have two equations, which I can u ...

Score: 2
Bike Tours Dragon
Under What Conditions Will the Public and Private Keys Produced by RSA Algorithm Be Reversible?

Given p = 7 and q = 13, one can obtain n = 91, d = 29, e = 5. However, for plaintext with values less than the modulus both the public and private keys (n, d) and (n, e) are reversible, i.e. encrypting a plaintext value with either key and then using the same key a second time returns the original value.

What is the reason for this and under what conditions will this occur?

This question notes that  ...

Score: 2
Dimitri Koshelev
Dense sphere packings and lattice-based cryptography

It is known that there are two popular applications of lattices: dense sphere packings and lattice-based cryptography. I didn't find any information on the Internet about possible interaction of these domains. Let's forget for the moment that most dense lattices are quite theoretic constructions, hence they don't have fast algorithms to work with them. Nevertheless, in your opinion, can dense lattic ...

Score: 0
dum-dee-dee-dum
How to conduct a forgery attack on a CBC-MAC algorithm, given an n-block plaintext message T and its corresponding MAC M?

I'm trying to carry out a forgery attack on a CBC-MAC algorithm that automatically pads the message.

I have a 5-block message T, consisting of T1, T2, T3, T4 and T5 and its corresponding MAC M. The message is shorter than 5 * block length so it is padded.

I want to construct a message that is not T but has the same MAC M.

Most other questions I have seen are done over either 1-block or 2-block messages ...

Score: 0
Shafin Kamal
Why is ECB mode unsafe if the key is kept secret?

This is my first post, so I apologise if the formatting of my post isn't perfect.

I should start off by saying that this post is not for any malicious intent, rather for curiosity and understanding AES encryption/decryption.

I have been doing research about AES encryption and every source says that ECB mode should never be used, and often refers to the famous Linux Tux penguin example. I understand ...

Score: 0
Barney Chambers
Is it impossible to extract any data from an ECDSA signature of hashed data?

I am trying to write a function that, given an EIP712 ECDSA signature, verifies the signature was signed by a particular person, and then (somehow) retrieves the information that is encoded in the signature.

Is it even possible to retrieve the unhashed data from an EIP712 ECDSA signature, or is it only possible to verify the data that the signature contains, by already having this data in an unha ...

Score: 0
shanzhuer
CTF question with hint "Quadratic method to solve ifp problem"

I totally have no idea about this Rabin decrypt problem. Source code:

https://github.com/shanzhuer/myctf/blob/main/crypto/rabin.py

Inside there were $2^{21}$ rounds of encryption and decryption with the Rabin cryptosystem, with 126-byte plaintexts and a 1024-bit public key $N$ (unknown 512-bit $p$ and $q$ with $p*q=N$).

The output log shows $\dfrac{140}{2^{21}}$ decryption failures because $2$ small roots of the ciphertext (less ...

Score: 1
user2383960
Why is $\operatorname{Hash}(x \oplus y)$ not a secure proof-of-work algorithm?

$x$ is the challenge string, $y$ is the proof string. $\operatorname{H}$ is the proof-of-work (PoW) function; the task is to find a $y$ such that $H(x,y)<2^{256}/D$.

  1. $x, y \in \{ 0, 1 \}^{512}$
  2. $\operatorname{H}(x,y) = \operatorname{SHA-256}(x \oplus y)$
  3. find a $y$ such that $\operatorname{H}(x,y)<2^{256}/D$

the question is to prove:

If difficulty $D$ is fixed ahead of time, attacker can find $y$ with minimum of  ...

Score: 1
user1563721
Standardized names of cryptographic algorithms

I am using micro-services to interact between various cryptographic technologies like HSMs, keystores, vaults, etc., that are written in different languages. Usually, each technology, or even vendor, is using different names of the cryptographic algorithms, and in some cases they are also case-sensitive.

For example, Java Security Standard Algorithm Names contains different algorithm names as JSO ...

Score: 0
Jingyi Li
Can we calculate absolute value function in homomorphic encryption efficiently?

Is it feasible to efficiently calculate a homomorphic absolute value function over ciphertext given a pair of numbers $a$ and $b$, i.e., |a-b|? Although there are approximate methods that use addition and multiplication, their runtime in my project is intolerable. Is there any homomorphic absolute value function that is faster than homomorphic multiplication? And what if $a$ and $b$ are real-value v ...

Score: 1
qmango
Most efficient way to implement a 1-out-of-4 OT for GMW?

Assuming evaluation in the online phase (no beaver triple/offline method used), each AND gate in GMW must be evaluated using a 1-out-of-4 OT. I've seen some sources (here, and here) say this can be implemented using 3 1-out-of-2 OTs over 1 bit strings. Can it also be implemented from 2 1-out-of-2 OTs over 1 bit strings? (Assuming we can treat the 1-out-of-2 OT as a black box).

(Note: I know this  ...

Score: 1
lmmd1234
Key using AES-128: if P is less than 128 bits, it is padded with 0 to create 128 bits; any problem if the average password length is 6?

For communication between the client and the website, use the password (P) as the key for AES-128. If P is less than 128 bits, it is padded with 0 to create a 128-bit key. Is there any problem with such an approach if the average password length is 6?

Score: 0
TheIntern
Same hash for subsets of a set?

Suppose I have a set $S$ containing $n$ bit strings, where $n$ is on the order of about 10. Consider

$$\mathfrak{S} = \{ R : R \subseteq S, |R| \geq 2 \},$$

the collection of subsets of $S$ with two or more elements.

Does there exist a hashing function which outputs the same hash for any member of $\mathfrak{S}$?

A potential relaxation in which we order the elements of the subsets in $\mathfrak{S}$

Score: 1
Mumon
Binary Secret Sharing vs Garbled Circuits

In privacy-preserving machine learning, GC is usually used for privacy operations such as ReLU(x), where sign(x) needs to be known. However, binary secret sharing also supports such computation via comparators ($[x]_{encrypted} > 0$) (this paper). When comparing the performance, binary secret sharing is usually way faster than garbled circuits. But why are garbled circuits still used in many related works, for

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.