# Latest Crypto related questions

Score: 1
How to check security strength of random k if k is an input parameter of ECDSA signature generation function using openssl-fips

As I understand,

1. The security strength is specified in bits according to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

2. Security strength depends on the length of the entropy input when generating the random number

So, in the signature generation function, if the random k is an input parameter (not generated in this function)

How to check valid k? security strength of  ...

Score: 3
What hash based digital signature algorithms exist that have reasonably small signature sizes?

What hash based digital signature algorithms exist that have reasonably small signature sizes?

• By reasonably small, I mean not much bigger than what you would get with a 256-bit ECDSA (which I believe has a signature of about 64 bytes). If nothing close exists, then what's the smallest signature size I can get?

• I want 128-bit security or better (although it's not a hard requirement).

• I will be si ...

Score: 1
Is asymmetric decryption guessable?

I AM an amateur (for some reason, I have originally written "I am not"... embarrassing, sorry) in cryptography so this might be a very basic question.

I am interested to know if there exist ciphers such that if I encrypt a message with it and then lose first say 300 bits then I can't recover any information from the message even if I have the decryption key?

My problem is basically that I don't have a ...

Score: 2
Why do people use protocols like PGP, when TLS already exists?

TLS is the standard cryptography protocol on the internet, and many websites use it to secure their communications. However, for personal use, most people use other protocols like PGP, instead of using TLS keys/certificates.

There doesn't seem to be any reason to not use TLS for these things, or at least the encryption/signing part. The transport part of TLS isn't always needed, since people have ...

Score: 0
What happens when we hash already hashed values, concatenated together?

I read on page 16 of On the Security of Hash Function Combiners that

the classical combiner for collision-resistance simply concatenates the outputs of both hash functions $$Comb_{\mathbin\|}(M) = H_0(M) \mathbin\| H_1(M)$$ in order to ensure collision resistance as long as either of H0, H1 obeys the property.

Consider H, a secure internal hash function with 256-bit inputs and 128-bit outputs

...
Score: 1
Signing same message 2 times with ECDSA

Can multiple signatures of the same message with the same private key (different nonces) lead to a private key trace?

Score: 1
Birational transformation from Edwards curve with not square d to Edwards curve with square d

How can I transform a complete twisted Edwards curve $$ax^2+y^2 = 1+dx^2y^2$$ with not square $$d$$ and square $$a$$ into an isomorphic Edwards curve $$X^2+Y^2 = 1+DX^2Y^2$$ with a square $$-D$$ i.e. $$D = -r^2$$?

I tried to set $$X = \frac{x}{\sqrt{a}}; Y=y$$, but $$-\frac{d}{a}$$ is also a non square (at least for Edwards25519). This answer is not working as well (i.e. $$-1/d$$ is not a square), because $$-1$$ is squ ...

Score: 2
Sage code for finding generator matrix of MDS code
1. Let $$L$$ be an $$[n,k]$$ code. A $$k\times n$$ matrix $$G$$ whose rows form a basis for $$L$$ is called a generator matrix for $$L$$.

2. A linear $$[n,k,d]$$ code with largest possible minimum distance is called maximum distance $$d$$ separable or MDS code.

I want to find a generator matrix for MDS code using SageMath or in another way, is there any SageMath code to check a matrix is a generator matrix for the MDS ...

Score: 0
Security of verifiable shamir secret share

Let us consider the following verification protocol based on Feldman. Assume, $$c_0,\cdots,c_k$$ represent the coefficients of the polynomial $$p()$$ in $$\mathbb{Z}_q$$. For verifying share $$(i,p(i))$$ and public parameters group $$G$$ of prime order $$p, q|p-1$$ and generator $$g$$, the share generator provides $$(g,d_0,\cdots,d_k)$$ where $$d_j=g^{c_j}, j \in\{0,1,\cdots,k\}$$. The receiver of the share $$s$$, checks wh ...

Score: 5
What are the misconceptions of IBM's CEO Arvind Krishna talk on the "Axios on HBO" about the quantum computing

IBM CEO Arvind made a talk in HBO's Axios program. It seems that there are misconceptions/misleading/flaws in reasoning etc.

What are those!

Some of the details of the speech are given as:

IBM says its new Eagle processor can handle 127 qubits, a measure of quantum computing power. In topping 100 qubits, IBM says it has reached a milestone that allows quantum to surpass the power of a traditional comp ...

Score: 2
What is reaction attack?

In the paper of "Reaction Attacks against Several Public-Key Cryptosystems" CiteSeerX link, reaction attack is defined informally as "Obtaining information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key."

Is reaction attack explicitly defined in literature? What is the difference between fault attack and reaction attack -as defin ...

Score: 1
How are cryptographic tokens and secret keys different?

Can someone throw light on the differences between tokens and secret keys? I understand that "tokens" are crypto artefacts "introduced" into a system by an external party in order to authenticate whereas keys can be either generated on the device (e.g. a key pair in case of asymmetric cryptography & corresponding public key can be used externally to authenticate) or a secret symmetric key can be ...

Score: 0
Securely and Deterministically select a combination of objects from hash (cryptographic seed)

I am working on a project that is using a bit-commitment concept to authenticate information.

I need to select a combination of objects securely from a secure hash, then distribute that hash later. Then a client knows that only the authenticated server selected that combination of objects before distribution of the hash the combination derived from. In other words, I need to select a combination  ...

Score: 0
Is it possible (and if so how) to make one proof for multiple private keys in ECDSA

Let's say I have a message that needs to be signed by two keys that were generated using ECDSA

Is it possible to make a signature that accounts for both keys, meaning I can verify with both and see they are valid?

An example, if we need a cryptocurrency example:

Both inputs are in the transaction, and now need to be signed. Is it possible to make it so only one ...

Score: 2
Linear Complexity of two dimensional finite patterns such as QR codes

Two dimensional patterns are omnipresent in information transactions. QR codes, images are most common. I want to know if there is a concept analogous to the well known concept of Linear Complexity of periodic sequences, for two dimensional patterns?

Score: 1
Should Ed25519 verification multiply by the cofactor?

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

1. Check the group equation $$[8][S]B = [8]R + [8][k]A'$$. It's sufficient, but not required, to instead check $$[S]B = R + [k]A'$$.

Does that mean that code doing verification should point-multiply both sides by $$8 = 2^c$$ for cofactor $$c$$ or should they not? The document and

Score: 0
Linear operations on packed Shamir secret share

Suppose I have a k-dimensional secret $$\langle x_1,\cdots,x_k \rangle$$ which I share using a packed Shamir's secret share $$(t,k,n)$$ where $$t$$ is the threshold and $$n$$ is the number of shares as follows: Construct a polynomial $$f$$ of degree $$t+k-1$$ such that $$f(-1)=x_1, \cdots, f(-k)=x_k, f(-k-1)=r_1, \cdots, f(-k-t)=r_t$$ where $$r_1,\cdots,r_k$$ are randomly sampled from the field. Now the n shares are gene ...

Score: 2
ElGamal with elliptic curves and semantic security

To encrypt a group element $$P$$ with public key $$K$$ and randomness $$r$$ using ElGamal on elliptic curves with base point $$G$$ we do the following $$(c_1, c_2) = (r\cdot G; P+r\cdot K)$$.

When we want to encrypt a free-form message $$m$$, we have to convert it to a group element $$P$$ first. For that, we can either use scalar multiplication $$P=m\cdot G$$ (additively homomorphic) or map the message $$P = map(m) ...$$

Score: 1
Are there any public keys for which the private key can be easily derived (ECDSA)?

I know that generally it's infeasible to find the private key for any given public key. But I also came across the question "Find ECDSA PrivKey to PubKey = 0", in which it was explained that the private key for a public key 0x0000...0000 can be easily derived.

From the answer to that question it appears that public key 0x0000...0000 is the only public key for which this is the case, but haven't understoo ...

Score: 3
Is the scheme in LWE also valid in R-LWE?

One way of interpreting matrices in RLWE is that they are a subset of standard integer matrices that have special structure. For example, rather than using a random matrix $$A\in\mathbb{Z}_q^{n\times n}$$ (as we might in LWE-based constructions), we can replace this matrix with a matrix where the first column (or row) is random, and the rest have a cyclic rotation structure:

$$\begin{pmatrix} a_1 & ...$$

Score: 1
Is it insecure to use a hash function to map (potentially critical) inputs to the same length?

Say I have two values $$x$$ and $$y$$ of slightly different lengths. They can be passwords or keys or any other critical value, and I want to deterministically map them to two values of the same length.

Would using a secure hash function to achieve that purpose introduce any weakness into the system? We can assume the output length of the hash function is not too small compared to the original inputs (e. ...

Score: 1
When are PRNG used and when are CSPRNG used

I understand that PRNGs are Random Number Generators that use a deterministic algorithm based off of a seed.

I also understand that CSPRNGs are PRNGs that are cryptographically safe to use for generating random numbers.

And by cryptographically safe, I believe this means that even if an attacker knows the deterministic algorithm and the seed, they would not be able to predict the next random number.  ...

Score: 2
Enigma machine rotor internal wiring question

I have a question regarding the internal wiring of the rotors of the Enigma machine.

I'm trying to understand some details about the original Enigma machine. To the best of my understanding, each rotor is nothing but a monoalphabetic substitution cipher - except that the rotors can rotate. Yeah. But the rotation is just an additional offset. The actual substitution table is encoded by the internal wiring ...

Score: 3
The decryption correctness of RLWE based Encryption

I get stuck in the proof of decryption correctness in RLWE based Cryptosystem. To state where I am, let me show the full scheme first. The image is from chapter 3.2 of this paper.

And the decryption correctness proof of the scheme follows

In this proof, I can get the second last equation in decryption procedure, i.e. $$\mathbf{m} + (t/q)(\mathbf{v}-\epsilon \cdot \mathbf{m}) + t\cdot \mathbf{r} ...$$

Score: 2
Entropy of SIM PIN code

Each mobile SIM card has a four-digit number ($$b_1$$,$$b_2$$,$$b_3$$,$$b_4$$) called PIN code. Each digit $$0 \le b_i \le 9$$ (for i = 1, 2, 3, 4) is generated using a random 16-bit sequence as follows: $$b_i=(r_{4i-3} + r_{4i-2}\cdot 2 + r_{4i-1}\cdot 2^2 + r_{4i}\cdot 2^3)\pmod {10}$$. How can we calculate the entropy of the PIN code? I know the entropy relation but I have no view.

Score: 1
Are there any ways to tell if a cryptographic protocol is UC-secure before formally proving its UC-security?

I do not quite understand the UC framework. Given a protocol to be proven, now I just know firstly we should write down the ideal functionality, and then the concrete protocol, then prove that the protocol securely realizes the ideal functionality by constructing several simulators. May I ask if it is true that we can tell if a protocol is UC-secure just from its ideal functionality?

Besides, in pag ...

Score: 0
Can I know from a Bitcoin public key if the private key is odd or even?

Can I know just from a Bitcoin public key if the private key is odd or even?

[moderator note] That is, can we find parity of the private key from a secp256k1 public key?
For the original dump of digits, see here.

Score: 1
running Project Wycheproof against crypto implementations in languages other than Java

So I guess https://github.com/google/wycheproof "tests crypto libraries against known attacks". It appears to mainly be intended for Java crypto providers but can it easily be adapted to be used for other languages?

For non timing attacks you could probably just loop through the *.json files in the testvectors directory but it's not clear to me what some of the data in there means.

Consider ecdh_sec ...
