Latest Crypto related questions

Score: 1
Wesley Jones avatar
Predicting compromised OpenSSL 3.0 DRBG
is flag

The OpenSSL 3.0 rand function's DRBG uses the getrandom() system call to get 48 bytes of secure entropy from the kernel. It also uses other information like the system uptime, available RAM, and other factors public in user space. So if the getrandom() function is compromised by an adversary using a rootkit, how would that affect OpenSSL DRBG in a practical attack? 48 bytes of entropy would be lost.

 ...
Score: 2
RobinLinus avatar
Can you find a secure curve defined over the scalar field of secp256k1?
cn flag

Is it possible to find a secure curve which's base field is the scalar field of secp256k1?

In general, can you find a secure curve defined over the scalar field of any secure curve? (For example, a secure curve defined over the scalar field of ed25519?)

Edit: Using the same parameters as secp256k1 (in short Weierstrass form), $a = 0$ and $b = 7$, yields a curve of prime order in the scalar field

Score: 0
user109119 avatar
order of Lagrange interpolation in reconstruction of secret key
lt flag

Does the order of Lagrange interpolation have any role in reconstructing the secret key in Shamir's secret share?

Score: 2
Lorenzo avatar
Homomorphic encryption with both algorithm and data encrypted?
ge flag

Is it theoretically possible to use homomorphic encryption to run an encrypted algorithm over encrypted data? If this is not possible, is it at least possible to run an encrypted algorithm over plain data (beyond a plain algorithm over encrypted data)? Ideally, can you cite papers where I can read about it?

Score: 3
Novice Question: Rivest Shamir Wagner 96 Time Lock Puzzles
tc flag

I'm using the Rivest Shamir Wagner Time Lock Puzzle setup in an application, leveraging Pietrzak's algorithm for generating the proof. My question has to do with selecting a proper starting point. In this paper the authors talk about verifying that the starting point is a modular square root. They discuss the choice of groups on page 9 and they provide a proof I don't understand in Appendix 1 on p51.  ...

Score: 1
Angelo avatar
DES attack with known partial plaintext
lk flag

Consider a system where DES is used to encrypt HTTP GET requests. The first three bytes correspond to the character sequence "GET". How many encrypted messages is it necessary to intercept to be sure to guess the key used to encryption ?

Score: 1
sander avatar
In PKCS#11, can I set a custom base point for a secp256r1 ECDSA signature?
cl flag

According to FIPS 186-4 § D.1.1.5 Choice of Base Points I should be able to create ECDSA signatures with custom base points on P-256 (secp256r1).

Does standard PKCS#11 support this feature?

This is how far I got building example code, based on org.xipki:ipkcs11wrapper:1.0.4 and SoftHSM 2.6.1:

import org.xipki.pkcs11.wrapper.*
import org.xipki.pkcs11.wrapper.PKCS11Constants.*
import org.xipki.pkcs11.w ...
Score: 1
batman avatar
Introducing differential privacy in two different ways
li flag

I would like to investigate if it is possible to introduce Differential Privacy (DP) to a model via both adding Laplacian noise to the training data and then training with DP-SGD updates. Is it a valid way to introduce DP ?

In other words, if we separately applied Laplacian noise to the data the system would be assigned with (ε1,0)-DP per epoch and if we trained with DP-SGD it would be assigned  ...

Score: 2
anthonychwong avatar
Best practices on implementing a password manager
lk flag

I'm a dev new to security and cryptography.

I'm writing a password manager and Time-based OTP combo in dart/flutter to use in multiple devices and platform for fun and use it personally for real. I have done some reading over google, stackoverflow.com and crypto.stackexchange.com, came up with following skeleton, and here to ask for some further security advice, for encryption, implementation and ...

Score: 0
Cat Dragon avatar
How to use NIST SP 800-22 to check randomness of 128 bits output in AES?
it flag

I am trying NIST SP 800-22 to test the randomness of 128 bit output in AES, but i always get igamc: UNDERFLOW or Segmentation fault (core dumped) error.

My data file has 128 bit output format, for example as follows:

01101100010001011111011101010011011000000101111001111100010010111011111001010011101101000000111011011100011011101101100011011001
00000000101100000010110001100100101101000010010010110101 ...
Score: 2
pintor avatar
Fiat-Shamir with interactions
ng flag

Suppose we have a standard $\Sigma$-protocol for proving the knowledge of a witness $x$ for the statement $y$. It has an honest-verifier ZK and special soundness. Now we do an unusual modification to get an interactive $\Sigma'$-protocol in ROM:

  1. The prover $\mathcal{P}$ compute $a$ exactly like in $\Sigma$-protocol and sends it to the verifier $\mathcal{V}$.
  2. The verifier $\mathcal{V}$ replies with ...
Score: 1
manu muraleedharan avatar
How can we explain STARK with less math?
gq flag

I am trying to understand STARK with not much math. I understand SNARK like this: Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

From the helpful article: https://z.cash/technology/zksnarks/

We have a computation with many steps that can prove something. We take that and create an arithmetic circuit (in simple words a algebraic equation). Then we have R1CS which is going to valid ...

Score: 0
American Corn avatar
Where is the cryptography library that support group signature?
it flag

Finding a cryptography library to implement various application features is not difficult nowadays, thanks to options like NaCl, Google Tink, PyCA, and OpenSSL. However, I've been struggling to find a library that supports group signatures, which is causing confusion. Would anyone be able to provide an explanation or recommend a library that supports this feature? Thanks so much for helping.

Score: 1
cryptolearner avatar
Ring LWE distribution definitions
ru flag

This may be a stupid question but I've been stuck on parsing these definitions for a while.

I am reading the paper "On Ideal Lattices and Learning with Errors Over Rings" by Lyubashevsky, Peikert, and Regev. I am trying to understand the error distributions they are proposing. In section 3, they define a set $\mathbb T = K_{\mathbb R}/R^V$ where $K$ is any number field and $K_{\mathbb R}$ is $K \oti ...

Score: 2
NB_1907 avatar
Interesting and fun facts about cryptology
us flag

We are planning to organize a workshop with the participation of academicians, engineers and graduate students working in the field of cryptology. On the first day, we are planning a fun competition for the participants as an ice-breaking event. Our goal is to organize a quiz on fun, little-known facts about cryptology via the online app. Interesting general culture questions will be more acceptable ins ...

Score: 2
zbo avatar
The second moment and fourth moment of $\mathcal{P}(V)$?
br flag
zbo

Backgroud: I am reading the paper "Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures". (here is the link). And I got stuck in understanding the computation of moment.

Question statement: In section 4.3 of the paper, It defined: For any $V=[\mathbf{v}_1,\cdots,\mathbf{v}_n] \in GL_n(\mathbb{R})$ and any integer $k \ge 1$, the $k$-th moment of $\mathcal{P}(V)$ over a vector $\mathbf{w}  ...

Score: 1
Tensor avatar
Compression algorithm with multiple valid same-sized outputs
lb flag

Is there a lossless compression algorithm that has hashing-like properties where there are multiple solutions to it?

As in for example, when a 1000-bit data-sequence is compressed into a 500-bit data sequence, there are multiple possible 500-bit data sequences that can be generated as outputs. Each of these 500-bit data sequences, once decompressed would all output the original 1000-bit data sequ ...

Score: 1
Where can I find 2 of the steps/proofs described in Dan Boneh's video on PLONK in the PLONK Paper? The 2 don't seem to match
et flag

This is Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=vxyoPM2m7Yg

I went through the video multiple times & also tried to go through the original PLONK paper - https://eprint.iacr.org/2019/953.pdf

Boneh's explanation of PLONK involves the steps

1) Boneh consider's the trace of the equation as the inputs (public & private) & the gates. Let's say there are 3 gates & 3 input ...

Score: 1
Tito avatar
decrypting full ciphertext of (AES CTR/GCM) based on partial knowledge of the cleartext
sd flag

I have found myself in a position where I need to encrypt multiple objects (vCards) with AES Counter mode or Galois/Counter Mode using the same key. Now here is the problem the structure of the vCard always starts with predefined values i.e. here is an example from wikipedia

 BEGIN:VCARD
 VERSION:4.0
 FN:Simon Perreault
 N:Perreault;Simon;;;ing. jr,M.Sc.
 BDAY:--0203
 GENDER:M
 EMAIL;TYPE=work:sim ...
Score: 1
Wang Linger avatar
Why do we need the random number in Pinochioo protocol compared with GGPR
my flag

I find it hard to fully grasp the whole Pinocchio protocol .

I understand that the $\alpha$ s are for restricting the prover to compute only the corresponding set-up values.

But it's not clear for me to pick up $\gamma$ for the consistent(same) witness check.

From what I can tell, this protocol cleverly embedded different $r_v,r_w,r_y$ s to generators, $g_v,g_w,g_y$. An insightful improvement on

Score: 1
Ilya avatar
Does information about known input&output for SHA3-256 help to find KECCAK-256 input for the same output?
cc flag

I received two distinct outcomes from a single input using SHA3-256 and KECCAK-256:

input -->   sha3-256 --> output1

input --> keccak-256 --> output2

I want to find input2, which will give me output1 after Keccak-256 hash :

input2 --> keccak-256 -> output1

Is it somewhat possible? I read somewhere that SHA3-256 and keccak-256 have only difference in padding rule. Is it possible that k ...

Score: 0
mnj avatar
Shortest encryption with URL-friendly character set
br flag
mnj

I need a way to encode a set of information in a way that the result would be as short as possible with a requirement of it being usable as part of URL string.

I don't really care that much about security, the encryption is applied mostly for the plain text to not be visible right away. At the same time, just encoding (like base64) is not enough, there needs to be at least minimal security, meani ...

Score: 3
3ric-T avatar
Is it possible to wrap a RSA private key using a EC key pair?
sv flag

In PKCS#11 documentation § 2.1.23 is described how to wrap and unwrap a target asymmetric key of any length and type using an RSA key, called CKM_RSA_AES_KEY_WRAP. This mechanism could be easily implemented by hand in case it is not available in HSM.

The counterpart exists for EC, CKM_EC_AES_KEY_WRAP can wrap and unwrap an asymmetric target key of any length and type using an EC key. Unfortunately, th ...

Score: 0
Norcino avatar
Securely sign URL using a 50 characters long key
eg flag

I need to sign a URL to make sure the URL cannot be tampered or forged. The client has limited capabilities and I cannot use a key which is more than 50 characters long.

Generally I use RSA to generate the signature, with keys of the proper size. So I am not sure what technique to use to keep the signature safe enough. The key shared with the client will have a validation of 1 year.

Any suggestion?

Score: 0
Rabindra Moirangthem avatar
Confusing notation in signature scheme
in flag

In the paper Efficient and Secure Pairing-Free Certificateless Aggregate Signature Scheme for Healthcare Wireless Medical Sensor Networks, on the signature generation part (Page 5), there is an equation $Y_{2i} = [(y_2x_i + h_{2i}d_i)modq]P_{Pub} = (u_i, v_i)$. How is a group element assigned to two integers? $u_i$ is used as an integer in the following steps while $v_i$ is never used again.

Score: 2
3ric-T avatar
Wrap-unwrap of private key using EC master key
sv flag

I want to wrap a private key out of a HSM, using an external EC key pair (master key) and then verify that I can recover it.
The wrapping occurs as follows:

  1. Generate a secret AES key in the HSM, using the public part of the EC master key, the private part of the internal key pair and the derivation mechanism CKM_ECDH1_DERIVE. The derivation parameters for this mechanism are: derivation function CKD ...
Score: 1
Nacho Libre avatar
Why does Shamir secret sharing appear to need ordered shares?
mx flag

The implementation of Shamir secret sharing in this code, only generates the original image if the shares are provided in consecutive order (ex: [2,3,4]) and won't work in any other share order (ex: [2,4,6] or [4,1,3]). However, Shamir secret reconstruction does not require the shares to be in any order, then why does this fail?

import numpy as np
from scipy.interpolate import lagrange as lag
impor ...
Score: 2
VitoCorleone avatar
Padding Oracle Attack - Decrypting First Block with Static IV
sx flag

I'm trying to understand the exploitability of the padding oracle attack, which enables someone to decrypt and encrypt the contents without knowing the encryption key.

Can encrypted data with the first block, be decrypted by the app that relies on a static IV without knowing the IV?

I want to understand the padding oracle attack's exploitability, especially to decrypt the first block of data using st ...

Score: 2
Cristian Baeza avatar
Hiding sum of vectors. Hardness based on CVP
es flag

This is the problem

Let $\mathcal{L}$ be a lattice and $v_1,v_2,\ldots,v_n\notin\mathcal{L}$. Given the values $a_1,\ldots,a_n$ such that

$$a_1=\lfloor v_1\rceil+v_2+\ldots+v_n$$ $$a_2=v_1+\lfloor v_2\rceil+\ldots+v_n$$ $$\vdots$$ $$a_n=v_1+v_2+\ldots+\lfloor v_n\rceil$$

where $\lfloor\cdot\rceil$ means projection to $\mathcal{L}$. Retreive $\Sigma:=\sum_{i=1}^{n}v_i$.

Paraphrasing, say Alice lets Bob kno ...

Score: 2
John Shelburne avatar
Does anyone know of how I would authenticate the data my algorithm generates?
np flag

I have a pytorch model that generates bond trade pairs that have a high probability of reverting to the mean in a 30 day time period.

I want to sell the signals, but I do not want them to be redistributed. Is there a way to encrypt my data signals, if I put them on a marketplace like Amazon Data Exchange or Snowflake?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.