Latest Crypto related questions

Score: 5
kentakenta avatar
Zero-Knowledge Proof of Equality between RSA Modulus and Prime Order Group
kn flag

Assume there is an RSA public key $(e,n)$ such that factarization of $n$ is unknown to both prover and verifier parties. We also have a prime order group $G$ and a generator $g$ for the group. For $m\in QR_n$, is there a zero-knowledge proof protocol to prove that $C_1=m^e$ and $C_2=g^m$, for public values $(C_1, C_2, e, n, g)$?

Score: 6
Bob avatar
Why are elliptic curves over binary fields used less than those over prime fields?
cn flag

In practical applications, elliptic curves over $F_p$ seem to be more popular than those over $F_{2^n}$. Is it because operations over prime fields are faster than those over $F_{2^n}$ for the same security level?

Maybe it is my imagination. I just see many more open projects using elliptic curves over $F_p$ but not as many over $F_{2^n}$.

Score: 3
jacobi_matrix avatar
Uniform and Non-Uniform PPTs
in flag

While reading the paper

I stumbled upon the case in which it was necessary to state whether the authors were assuming uniform or non-uniform attackers. For what I know, non uniform PPT are basically a sequence of PPTs, so $\mathcal{A}=\{\mathcal{A}_1,\mathcal{A}_2,\dots,\math ...

Score: 4
fgrieu avatar
Quantitative reduction of Schnorr's identification scheme to DLP
ng flag


I seek a quantitatively better proof of theorem 13.11 in Katz and Lindell's Introduction to Modern Cryptography (3rd edition) (or nearly equivalently, theorem 19.1 in Dan Boneh and Victor Shoup's freely available A Graduate Course in Applied Cryptography). The proof is about the Schnorr identification scheme for a generic group $\mathcal G$ of prime order $q=\lvert\mathcal G\rvert$ and genera ...

Score: 1
hola avatar
Complexity of Hash mining/signing
bd flag

While reading about mining in crypto currency, I found that it requires some leading bits of a hash function output to be 0. This boils down to preimage resistance of the hash function, hence done with exhaustive search.

My question, say I have an ideal hash function that gives 128 bit output and I want leading 4 bits be 0. What is the expected number of time I have to run it (with randomly chose ...

Score: 2
Bob avatar
Parameters in RLWE
cn flag

Let $n, q, \sigma$ be the polynomial degree($x^n+1$), coefficient modulo, and the standard derivation, respectively. I often see some parameters such as enter image description here

For RLWE, we can use the CRT to decompose the $\text{RLWE}_{q}$ to some $\text{RLWE}_{q_i}$ for $1\leq i\leq l$, where $q = q_1 q_2\cdots q_l$, then when we consider the security of RLWE, we should take $\log q$ or $\log q_i$ to be considered?

Score: 1
CrypTool RSA Features
in flag

I am attempting to manually encrypt a plaintext message (message = MI) using RSA.

Manual Encryption of Plaintext Message

I receive an answer of: 33,264 and 21,164.

When I enter the same plaintext into CrypTool to confirm that my calculations were correct, I receive a different answer:

CrypTool Screenshot

What am I doing incorrect? How can I obtain the same result as CrypTool?

Score: -1
Am I Doing RSA Correctly?
in flag

I am trying to figure out how to complete RSA manually. I am trying to encode a simple block message (Mi). I used CrypTool to determine the encryption. When I "manually" computed the plaintext, I obtained a different number than what CrypTool provided. Can someone guide me? Am I doing the manual encryption for RSA correct?

RSA Manually

Score: 1
How does password_verify() function gets the salt from the password stored in DB?
sg flag

I am creating a simple Sign up and Sign in form using PHP. At the sign up, I create hash using password_hash() function and then store it in the DB. At the time of Sign in, initially what I did was created a new hash using password_hash() function again and then compared it with the stored Password hash.

This failed all the time because as I understand now, a new salt is used every time you creat ...

Score: 1
user77340 avatar
Can we instantiate VRF without using pairing?
ie flag

As my survey, most of(I am not sure if it is "all") the constructions of VRF are instantiated with the use of pairing. Can we construct a VRF without using pairing?

Score: 0
retep avatar
Decrypt Ciphertext Using different private key, given knowledge of original private key
cn flag

A message, m is encrypted using a private key d.

p = prime()
q = prime()
e = 65537
c = pow(m, e, n)
PHI = (p-1)*(q-1)
d = mod_inverse(e, PHI) 

Assume all these values are known to the attacker, except for the message (m) and ciphertext (c).

Is it possible to find an alternate value for d such that:

c ^ d_alternative % n == m (the ciphertext decrypts correctly to the message)


d_alternative % PHI ...
Score: 1
PrincePolka avatar
Finite field Elliptic Curve line intersection
cn flag

I want to find the curve points that intersects an arbirtary line, not just tangent line or a line through curve points. An example:

p = 1303
b = 7

input : arbitrary points : (1, 1),(2, 2)
output : curve points : (319,319),(356,356),(629,629)

(319,319) 319^3+7 ≡ 319^2 ≡ 127 (mod p)
(356,356) 356^3+7 ≡ 356^2 ≡ 345 (mod p) 
(629,629) 629^3+7 ≡ 629^2 ≡ 832 (mod p)

The line should wrap aroun ...

Score: 1
John M. avatar
Signal protocol: X3DH
ru flag

I've been trying to get a grasp of how the Signal protocol works. According to the spec, DH is done on four keys: IK_A, SPK_B, EK_A and IK_B:

If the bundle does not contain a one-time prekey, she calculates:

    DH1 = DH(IK_A, SPK_B)
    DH2 = DH(EK_A, IK_B)
    DH3 = DH(EK_A, SPK_B)
    SK = KDF(DH1 || DH2 || DH3)

Given that all these four keys are public keys and are announced through untrusted  ...

Score: 1
factor2 avatar
Verify that x, y coordinates given as hex string are valid points on an Elliptic Curve
cn flag

Given the following information:

"curve": "P-256",

"qx": "729C51D177EBE2079A0FB7B0B3C2145159CF81EC61960E642A1744719AA9F913",

"qy": "8C36BCF51475016E614F8C7E0CB1B37C7EA65B4ECCF809852C9B2D0E438710BD"

The above coordinates are supposedly valid as per the test vector expected results:

"testPassed": true

I need to determine if the above public key coordinates are valid points on the curve or not. I have t ...

Score: 2
Ievgeni avatar
Gap between DLog and CDH
cn flag

Is there any concrete group in which one CDH is exponentially easier (even it's still hard) than DLog.

Score: 1
Formal security arguments for 3 round feistal network using PRF
in flag

There is a proof sketch in Introduction to modern cryptography that a three-round feistel network using pseudorandom round functions is a secure pseudorandom permutation PRP Πk against probabilistic polynomial time adversaries which have access to Πk. Now my confusion is to turn the proof sketch into a formal security arguments?

Score: 2
hiren_garai avatar
Checking Independence of combination of uniform random variables to use pilling up lemma
br flag

My question is very basic one. Suppose $a_0, a_1, a_2, a_3, a_4, b_0, b_1, b_2, b_3, b_4$ are $10$ uniform random variables from $\{0,1\}$ independent of each other. Now there are expressions of the form

  1. $a_4b_4 + a_3(b_0 + b_2+1) + b_3(a_0 + a_2 +1) + a_1(b_2 + b_4) + b_1(a_2 +a_4)$
  2. $a_2b_0 + a_1b_1 + (a_0 + a_2 +1)b_2$

Can we apply Pilling up lemma? Or alternatively are the random variables $a_4b ...

Score: 2
mehdi mahdavi oliaiy avatar
What happen if the curve used in key agreement protocol also used in signature inside of protocol?
ro flag

In key agreement (or key exchange) protocols, is used signature for authentication. Suppose that key exchange protocols execute on elliptic curve. The initiator of protocol must sends signature of his message with main message. What happen if the curve used in key agreement protocol also used in signature inside of protocol?

For example in Diffie-Hellman key exchange over curve, Alice sends $aP$ and  ...

Score: 1
Stoopkid avatar
Does my asymmetric/symmetric mixed file encryption pseudo code pass sanity check?
sk flag

I realize this depends on my implementation and the implementation of the libraries I use. I am asking about my process assuming that the encryption libraries and my code are not flawed/compromised, the user's password is secure and the machine is not compromised.

The goal here is to protect the confidentiality of the files with a password, and be able to encrypt them without entering a password. ...

Score: 3
eetar1 avatar
Enigma machine Encryption steps
us flag

I am trying to build a simulated enigma machine.I am basing it off of this one

I have setup the 3 rotors and I am having trouble understanding the rings and rotations. For example I have set the rotors to III,II,I with the 3rd rotors having a ring setting of AAB. If you enter and A then the output is a N. My simulator agrees with this.Then if  ...

Score: 1
Verifiable Delay Function - Fake Proofs
tv flag

For unknown group order such as RSA groups $ G %$, it takes $T$ sequential steps to compute the below function (time-lock puzzle).

$$ y = g^{2^T} mod N$$

This paper states that if $ /Phi(N) $ (Group order) is known, it takes only two exponentiation to compute $y$.

$$ e = 2^T mod |G| $$ $$ y = g^e $$

I am not sure I understand how these two results are equivalent.

Score: 1
What are the algorithms used in Facebook's Diem algorithm?
am flag

Facebook plan a new cryptocurrency release called Diem. What algorithms are used? What output size is used for the hash function?

Score: 2
tarun14110 avatar
Efficient private set intersection protocol for small sets
us flag

I need to implement a PSI that will be used on mobile devices to find mutual contacts. Assuming the set cardinality from both parties A and B are less than 1000, what would be the most efficient PSI protocol that I can use in such a scenario without involving a third party? Would it be possible to extend this protocol for multi-party PSI?

Score: 1
Miguel Gutierrez avatar
Sensitivy Maximization RAPPOR (Local Differential Privacy)
cn flag

Hi I have a doubt at the end of the proof of the RAPPOR Algorithm, when they say the sensitivity is maximized when $b'_{h+1}=b'_{h+2}=...=b'_{2h}=1$ and $b'_{1}=b'_{2}=...=b'_{h}=0$. I don't understand if the maximized is define as the ratio of probabilities or comes from the definitions of sensitivity in differential privacy.

enter image description here

Link Paper: ...

Score: 1
Mary avatar
Four round Feistel network using pseudo random round function
tn flag

I am solving a four-round Feistel network using pseudo-random round function is a strong pseudo-random function for security against adversaries, but I don't understand that how to solve I know 3 round.

Can you please explain the procedure?

I am assuming ${F : \{0,1\}^λ × \{0,1\}^λ → \{0,1\}^λ }$ be a secure PRF with in = out = λ, and define ${F^∗ : \{0,1\}^{4λ} × \{0,1\}^{2λ} → \{0,1\}^{2 ...

Score: 0
Jasper avatar
A few questions regarding the 4-Round AES-Distinguisher (by Gilbert and Minier) and DS-MITM
kr flag

I am struggling to understand the DS-MITM attack on AES (Original Paper). Especially the 4-rounds distinguisher by Gilbert and Minier (section 3).

I get the basic idea that we check exactly on which input-bytes and key-bytes the first entry of the AES-State after three rounds $C_{11}^{(3)}$ depends. So we have a function $f: a_{11} \longrightarrow C_{11}^{(3)}$ (where $a_{11}$ is the first plaint ...

Score: 1
Tom avatar
Key stream instead of key schedule
tf flag

Let's consider a block cipher in CTR mode. And let's consider a keyed PRNG or just a good PRNG with a seed as the key. The PRNG has to be very fast.

Is it a good idea to put away the key schedule and do "infinite" key scheduling by generating a keystream? Then every block in the cipher will be encrypted with a different key.

Of course, even a fast PRNG needs some time to generate a few 128 -bit keys ...

Score: 1
Raghu avatar
Is it alright to generate RSA keys with bit sizes other than 512/1024/2048?
in flag

I am keep generating RSA keys for 512/1024/2048/4096... as bit size. Each time the key length is increasing.

Is it possible to generate/use keys other than the above bit sizes. Let us say 800/1000/2000/...

Am I missing any theory behind ?

Score: 0
When is a PQ key-exchange algorithm suitable for use with long-term static keys?
cn flag

I took a look at Cloudflare Circl because I'm curious which Post-Quantum algorithms are implemented in Go, which could be used to exchange a key.

I read this comment that SIDH is only good for ephemeral key exchange, in contrast to CSIDH.

Question 1:
Therefore, I wonder, what characteristics must a Post-Quantum algorithm have to be suitable to create a long-term static key for key exchange (like RSA  ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.