Latest Crypto related questions

Score: 0
CipherNewbie
Query about arithmetic finite fields

I was working on implementing Shamir secret sharing in GF(2^256). According to my knowledge, multiplication in a finite field is defined as mul(a,b) = (a*b)%mod, where mod is the irreducible polynomial.

But when I saw the implementation here, it uses bitmasking to multiply, and when I compare my multiplication results with it they don't match. What could be the reason?

Score: 1
PLONK's computation of the first Lagrange polynomial at $\zeta$

From the PLONK paper.

On Page 31, Point 6

Compute the Lagrange Polynomial Evaluation $L_1(\zeta) = \frac{\omega(\zeta^n - 1)} {n(\zeta- \omega)}$

I don't think this formula is correct.

We have $n$ gates from $H=\lbrace 1, \omega, \omega^2, \omega^3, ..., \omega^{n-1}\rbrace$.

So the formula for computing $L_1(X)$ should be

$L_1(X) = \frac {(X-\omega)(X-\omega^2)(X-\omega^3)...(X-\omega^{n-1})}{(1-\omega)( ...

Score: 0
Bill Joe
Kleopatra: What is the strongest and most popular cryptography standard for PGP

While setting up PGP for the first time, I am presented with various encryption standards I can use being:

  1. RSA (2048, 3072, 4096 bits) with an option for + RSA (2048, 3072, 4096 bits)
  2. DSA (2048 bits) with an option for + Elgamal (2048, 3072, 4096 bits)
  3. ECDSA/EdDSA (ed25519, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, NIST P-256, NIST P-384, NIST P-521) with an option for + ECDH (ed25519, brainpo ...
Score: 0
udit
AES-GCM vulnerabilities
  1. Does AES-GCM take replay attacks into consideration?
  2. If an attacker intercepts the AES-GCM secured message and gains access to the initialization vector (IV), can they inject falsely fabricated data (ciphers) or replay past data (replay attack) to confuse the recipient? (Since the IV is also sent along with the message for decryption)
  3. Could an attacker misuse an IV by reusing it if the key is still  ...
Score: 1
Arik Malachi
Orthogonal Lock

Is there a cryptographic function that employs two locks: first 'Lock A', and then on top of that 'Lock B' but it permits unlocking 'Lock A' before 'Lock B' to read the message?

Score: 2
fjarri
What is the difference between a seeded RNG and an XOF hash?

Suppose I have some ZK proofs that were turned non-interactive using Fiat-Shamir heuristic. So I need to generate the challenge value deterministically using some data shared between the prover and the verifier. Different proofs require different challenges of varying size, so using a fixed-output hash is not very convenient. I can:

  • Feed the shared data to an XOF hash (e.g. SHAKE256), and generate ho ...
Score: 2
user1035648
Which one is more general, attribute based encryption or inner product predicate encryption?
  1. If we have a scheme for inner product predicate encryption (IPPE), then can we claim that we have already designed an attribute based encryption (ABE) scheme, so we do not need to design an ABE again? I mean, is IPPE more general than ABE?
  2. What about predicate encryption (PE)? I think PE is more general than ABE, right?
Score: 1
Arthur Timmermans
TLS 1.3 key_share capture without certificate exchange

I am working on an investigation of TLS 1.3. I've come across an article from qacafe where they shared a TLS 1.3 handshake sequence (Wireshark capture). In this capture you see that in the Client Hello a key_share is being sent, where it is "guessing" which cipher suite to use. This saves some bytes by not having to send the whole list. However, I don't see any certificate exchange in this capture.

Does so ...

Score: 0
Eternity
Finding key using Mutual Index of Coincidence / Mg from Vigenère ciphertext

I'm new to cryptography and I was trying to find the key to an intercepted Vigenère ciphertext using a ciphertext-only attack. I'm following the book "Cryptography and Network Security" by Forouzan. The book introduced some complicated formulas for finding the Mutual Index of Coincidence, but I didn't get it. This was mentioned in the text: "So in order to find the actual key, we divide the ciphertext into m (key lengt ...

Score: 1
mtheorylord
Fast Algorithms for generalized Discrete Logarithm?

I know the standard algorithms for DLog: Pollard rho, baby-step giant-step, Pohlig-Hellman, index calculus, etc.

I'm looking for fast algorithms to find a relation for the generalized discrete logarithm:

$$\prod p_i^{a_i} = 1 $$

That is, given $p_i$, find some non-trivial $a_i$ for the above relation.

What are the current best algorithms and runtimes? Any papers or references would be good.

Score: 1
Let $X$ be the set of 256-bit strings and $x \rightarrow H(x)$ a map on this set, where $H$ is SHA-256. How often is $H^{-1}(y)$ empty?

It cannot be "frequent" because that implies $H$ is not really 256-bit. Are there statistical or mathematical bounds on this? Finding the inverse is computationally difficult, but what matters here is existence.

Score: 0
What is the running time of precomputation for the PLONK zk-SNARK?

I have been looking for benchmarks on the precomputation phase of PLONK (https://eprint.iacr.org/2019/953.pdf), but found none. Is there a resource where one can get a feel for this? Either in terms of CPU cycles or in terms of asymptotic complexity.

Specifically, I am trying to estimate how big of a burden it is to update the setup with new randomness for different sizes of the circuit.

Score: 0
Wulle
How to maximise compatibility of Shamir's Secret Sharing

I want to create a shared secret from a short string (e.g. a password) which should be easy to decrypt also in the long term. Unfortunately, I have quite a hard time making the different tools work with each other (e.g. encrypting with ssss and decrypting using an online tool like that one).

  1. How should one convert the string into a hex/int? Most tools have some str2hex methods implemented. But to maximise ...
Score: 0
Jordan Walker
Authenticate the users (in Telegram bot) without storing user ids

Might be a bit weird but interesting scenario: I have a Telegram bot and I need to authenticate users, but I don't want to store any user data (at least openly).

So here's a breakdown:

  1. I need to prove that the user has access to the bot. So there's a "timeframe" variable, an extra piece of information which might be helpful.
  2. The infrastructure cannot be trusted, so the DB can't store any user data.
Score: 3
kodlu
How brittle is the current public key encryption infrastructure

Edit: One half of the answer to this question also applies to a recently asked and now deleted question regarding the impact of an algorithm which breaks DLP over integers but has no impact on factoring. It would be tricky to go pure RSA.

This is a question based on hypothetical scenarios, please bear with me.

Consider the two widely implemented (in the real world) public key cryptosystems (PKC), RSA an ...

Score: 0
Preeti
How to set length of certificate serial number explicitly?

I am a newbie to OpenSSL and I am trying to create an end-device certificate (from command-line options). I want to set the length of the serial number (16 bytes) of the certificate. I read that the -set_serial option can only be used for self-signed certificates. In my openssl.cnf file I have set serial = $dir/serial and also created a serial file. For now I have specified 16 bytes (random numbe ...

Score: 0
If meet in the middle is a known plaintext attack, and I already have both plaintext and ciphertext, why would I need to find the key?

Since I already have the plaintext and ciphertext, why would I need the key? What purpose would that serve?

Score: -1
Justin Zhang
What library would you recommend for blockchain MPC development?

I'm struggling to find good resources/tutorials on libraries to develop MPC for blockchain. In contrast, there are a lot of resources on SNARK libraries.

My scenario is that I need to perform some MPC that eventually needs to be recorded on-chain. I am starting from GMW/BMR and have a simple circuit constructed on paper. I'm looking for a tool to take this circuit and coordinate the parties to  ...

Score: 0
Epicko Corporation
How does the Key Expansion Step Work for AES-192

I now understand the initial key from all the round keys will be the original 4x4 block for 128-bit keys, but I do not know how it would work for something else, like AES-256 or 192. Would it be that you copy the rest of the key and put it into the second block, but what would you do with the third and fourth columns? Thanks in advance!

Score: 1
Seed Barret
Many-out-of-many proofs

I need to prove that a given vector of commitments of length N contains N-1 commitments to zero (and one to an arbitrary number). More formally, given the vector $$\textbf{a} = \begin{bmatrix} C(0, r_1) & C(0, r_2) & C(x, r_3) & ... & C(0, r_N) \end{bmatrix}$$ I want to prove that there is exactly one such commitment that commits to x rather than 0. Note that x is also private.
I've seen ...

Score: 1
AmigoJack
name/acronym/abbreviation explanation for hashes

(Cryptographically and hash/checksum-wise consider me a rookie, as I'm rather just using algorithms.) While there are many names, not all of them are explained: I tried searching for the meaning of a couple of names, but found neither an explanation in Wikipedia articles (multiple, like English, German and French), nor in published papers.

  • HAVAL - its uppercase letters imply an acronym/abbreviatio ...
Score: 0
Paul Uszak
Is there a way to short circuit (speed up) hashing a large but sparse array?

Imagine a large array (Megabytes) that is virtually empty, i.e. contains 0 in almost all locations. But also imagine there's 1000 pseudo random locations that contain a pseudo random byte. There is no correlation between bytes nor locations. So on average, there is a random byte > 1000 bytes apart. Then the entire array is hashed with a Merkle–Damgård type hash.

Is there a way to speed up  ...

Score: 3
DannyNiu
Kyber-CCA-KEM - Deterministic implicit rejection

In Kyber-CCA-KEM, there's a step in the Fujisaki-Okamoto transformation, where decryption failure results in a random shared secret returned from the decapsulation call.

I have a C language project currently implementing RSA-OAEP and ECDH, and I haven't reserved a PRNG parameter for the decryption interfaces, since they use explicit rejection, have no decryption failure, or don't support CCA in ...

Score: 1
Starscream512
Safe to use a BCrypt hash directly as a key to HMAC-SHA256?

Is it safe (or optimal) to use a BCrypt hash directly as the key to an HMAC-SHA256? I ask because all the BCrypt hashes I will use contain the same salt, version, and cost, so the first 29 characters of the hashes will all look the same, e.g. "$2a$06$/H63GWnve78WGVBSDouFTO". I'm not comfortable with this much known structure in a key. Should I run the BCrypt hash through a SHA256 first before using i ...

Score: 0
Melab
Elliptic curve signature scheme without a nonce

ECDSA and EdDSA both require the generation of a single-use value. Are there any elliptic curve signature schemes in existence which don't require a nonce and maintain the usual security strength equal to that offered by the curve?

Score: 2
Riemann
Can I predict CryptGenRandom on my own device?

I have a Windows 10 laptop with an algorithm that creates a random number using the PRNG CryptGenRandom. According to Wikipedia:

Because CryptGenRandom is the de facto standard CSPRNG in Win32 environments, its security is critical for Windows users.

However,

The specifics of CryptGenRandom's algorithm have not been officially published. As with any unpublished random number generation algorithm, it ...

Score: 6
user432944
Efficient multiplication modulo a square

Can anyone point me to techniques for efficient computation of modular multiplication/exponentiation modulo a square, as comes up, e.g., in the context of Paillier encryption? The standard references don't seem to have anything relevant, probably because they tend to focus on RSA and/or elliptic-curve cryptography where this issue doesn't come up.

Update: my hope for an optimization here is based  ...

Score: 1
Encrypting random IV in CTR mode (no nonce!)

Use of plain random IVs in CTR mode, without any special "nonces/counters" (or any "dedicated" bits!), can lead to problems with "partial overlaps", whereby attackers can execute known-plaintext attacks if there is a collision in the keystreams used for encryption.

But, what if we just simply use that random IV also as the "key" as well? For example, let's say $K$ is our original key and we generate a r ...

Score: 2
Atonal
Fischlin vs. Fiat-Shamir Performance

Using Fiat-Shamir, an interactive 3-round sigma protocol can be compiled into a non-interactive zero-knowledge proof in the random oracle model.

A NIZK through Fiat-Shamir is not UC-Secure due to rewinding. There are some straight-line-extractable compilation techniques, and to the best of my knowledge, the most efficient one is the proof-of-work-based Fischlin transform.

My question is about the co ...

Score: 1
user7308228
Is it possible to forge valid proofs in this Schnorr signature-based ZKP system for proving knowledge about discrete logarithms?

I am currently reading the paper "A 2-round anonymous veto protocol" and have run into some trouble verifying the claims made about the zero knowledge proofs presented within. My knowledge of ZKPs is relatively elementary so I am looking for guidance as to where I may be going wrong in my understanding.

The relevant quote from the paper:

"Schnorr’s signature is a suitable choice because it is sho ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.