Latest Crypto related questions

Suppose an adversary wins IND-CPA against ElGamal,

1. They're given public key $h=g^x$,
2. Give a pair of messages $m = [m0,m1]$,
3. Get back ciphertext $(a,b) = (g^r, g^{xr} \cdot g^{m[b]})$,

from which they determine $b$ with probability better than guessing (plus some negligible probability):

How can such an adversary be used to solve DDH?

^{Katz & Lindell (Introduction to Modern Cryptography), Shoup (}

I have this Montgomery curve $y^2=x^3+10x^2+x \mod 83$ and a point $Q(3,28)$, doubling this point in affine coordinates I get $2Q(61,35)$.

Switching to projective coordinates I know that $x = X/Z$ and $y = Y/Z$ and $Z = 1$ at the beginning so $Q(3,28,1)$, following the Wikipedia formulas for doubling in projective coordinates, I get $X_2p = 64$ and $Z_2p = 65$.

How do I verify that this point in projec ...

Different to the usual adversary use case we do not want to find the hidden key but instead pairs of $(m,c)$ which each fulfill a certain property $f(x)=true$
An example property could be e.g. 42 leading '1' at the bit representation.

With brute force we could start at different such messages $m$ and receive an encrypted version $c$ which has a chance of $1 : 2^{42}$ to also fulfill this property. Wi ...

I think this question is related to this other question, but somewhat different.

Let there be a hidden datum $D$ that we observe using a hash function $H_1$, $h_1 = H_1(D)$. There's another hashed value that we get from $h_2 = H_2(D)$. Is there a way to pick $H_1, H_2$ such that there is another function $G$ that we can apply to get $h_2 = G(h_1)$, without having to know about the true value of $ ...

I have been working on the post-quantum safe ID/signature-schemes of Vadim Lyubashevsky (https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf).

I am in particular studying the security proof, and wanting to structure this in a game based fashion. Any ideas on how to approach this in terms of sUf-CMA security?

Also, replay attacks in term of rewinding is used in the security proof. How c ...

In the Paillier cryptosystem we choose $n=p\,q$ where $p$ and $q$ are primes, $g=n+1$, $\lambda=\phi(n)$, $\mu=\lambda^{-1}\bmod n$.

The public key is: $(n,g)$.

The private key is: $(\lambda,\mu)$.

Encryption: choose random $r$ ($0<r<n$), encryption of message $m$ is $c=(g^m)(r^n)\bmod n^2$

Decryption: $m=((c^\lambda\bmod n^2-1)/n)\,\mu\bmod n$.

I am asking: is it possible to decrypt the cipher ...

I've a question about XChaCha20-Poly1305, from a brute force perspective. Suppose we have the power to brute force crack it. If the IV is known to the attacker and it's only one file. The time needed to crack it's the same if the attacker doesn't know the IV. But if you use the same key for different files with different IV and the attacker doesn't know them, he'd have to crack each file from scratch if ...

From Vitalik Buterin's Blogpost - Quadratic Arithmetic Programs: from Zero to Hero.

In the blog, a cubic equation:x**3 + x + 5 == 35 is chosen. It has been assumed that this equation is some computational problem. Since, zk-SNARKs cannot be applied to any computational problem directly, we convert to algebraic circuit, R1CS, QAP, Linear interactive proof, and zk-snarks finally.

Finally, we get t:A. ...

Last year I learned about another NIST competition. https://csrc.nist.gov/projects/lightweight-cryptography/finalists

And I thought to myself: "why would I continue to use heavyweight cryptography in my desktop and server environments, if we have these new schemes?" Or are they flawed in some way?

I like to liken the encryption to natural languages. If there are too few people speaking a particul ...

I'm trying to crack a crypt with a known key length. I deduced that the operation made was a hex XOR. Here is the crypt:

330a1448010816101c1e470b0248104711050903040a0844511317130d030817024812150d014817150d1c48050f0751181415071f0618060e510618000a051b190606144822080e1006040a42051d1302101e1b040a423d4651330a14480608101548010816101c1e470f1011511507170d0347161e48050f0751181d060c0548181311140417470b1f4810 ...

The one time pad is unbreakable because each message could be one of many, and each one is equally likely.

Is it possible to do this with a key exchange? (So if someone records the key exchange, there would be a large number of equally possible keys)

I am already aware of Quantum Key Distribution, so please don't put that as your answer.

I'm currently implementing a Merkle Tree in Rust. One of the problems I'm facing is the complexity of generating the proof. Meaning the vector I give to the verifier in order to check if an element is present. Many people say that I should transverse the tree to find the path for the element (if the element is part of the data set), but I don't understand how that would work if the Merkle Tree is not so ...

Let's say that Alice and Bob have generated truly random private keys $a$ and $b$ and want to use them in Schnorr signing. They calculate $X = g^a \cdot g^b$ as their mutual public key. For whatever reason, they want to derive several new key pairs from their existing keys. They pick a hash function $H$ and some prefix "foobar" and derive new keys like this:

$$ X_1 = X^{H(\text{"foobar"} || 1)} \\ X_2 = ...

In secp256k1, the prime order field $\mathbb F_p$ uses $$p=2^{256}-2^{32}-977$$ This is the largest prime $p$ less than $2^{256}-2^{32}$ allowing to construct a Koblitz curve $y^2\equiv x^3+b\bmod p$ of prime order, and $b=7$ is the smallest positive $b$ for this. The term $2^{256}$ is clearly to define the bit size of the coordinates, and the order of magnitude of the group order.

Similar criteria  ...

So I've been visiting a security lecture at my university and they introduced the concept of Chaum's mixes to us and how replay attacks can compromise the anonymity granted by a mixnet.

It is explained that by adding a random string to the encryption of message X an attacker cannot simply guess a message Y in order to confirm K(X) = K(Y) or X = Y, respectively. I thought this is done in order to make encr ...

I am new in Elliptic curve, so I started with implementing (single scalar multiplication) I have done it the simple way, and then I moved to Double & Add algorithm later with NAF form.

When I moved to the NAF form. Two versions of algorithm gave me two different results. And I'm not sure what did I miss.

I'm using ECC defined as: $y^2=x^3 - 2x +2$ over the finite field $GF(23)$

I'm trying to comp ...

I'm new in Cryptography, if i will use SHA512, but only with 256 bits, is it equal or similar to SHA256?

I'm trying to understand if there is a way to use SHA512 as SHA256

FIPS 186-4 and NIST SP800 56B states following limits for public exponent $e$

$e$: a pre-determined public exponent − an odd integer, such that $65,537 ≤ e < 2^{256}$.

What security issue arises if a larger/ smaller fixed $e$ is chosen?

What happens if $e_{BitLen} > (RSA_{modulusBitLen}/2)$. Does the such $e$ introduce some vulnerability or weaken the system (like shorter length of $d$

Table 2 of NIST SP-800 56B provides Estimated Maximum Security Strength of different modulus sizes. It means that RSA-3072 provides security of 128-bits at Max.

Is it the case for symmetric algorithms also? Like AES-128 provides security strength of 128 bits at maximum? or is it like AES-128 provides security strength of 128 bits at minimum?

Given an encryption scheme $\Pi = (G,E,D)$, either public or private, is there a name or a property to emphasize that for $c\gets \Pi.E(k,m)$, where $k$ is a key and $m$ is a message, we want $m^\prime \neq \bot$ where $m^\prime \gets \Pi.D(k^\prime, c)$ with $k\neq k^\prime$? ($\bot$ here means empty)

Schemes such as Stream-Cipher (i.e., $E(k,m) = G(k)\oplus m$ with $G$ being a pseudorandom gener ...

Many works, such as [YCX21] cite that $2^{-40}$ is a reasonable statistical distance for zero-knowledge proof based signatures, even when the security level is $\lambda = 128$.. I was wondering if there is any concrete analysis which motivates this decision.

An even more peculiar situation is for soundness parameters. In some works, they do not use a soundness error of $2^{-\lambda}$, but some larger quan ...

Section 5.1 of FIPS 186-4 states that

An RSA key pair used for digital signatures shall only be used for one digital signature scheme (e.g., ANS X9.31, RSASSA-PKCS1 v1.5 or RSASSA-PSS)

and

RSA digital signature key pair shall not be used for other purposes (e.g., key establishment)

What problems can arise from not following these guidelines?

Use of same RSA key pair with RSA-OAEP and RSA-PSS is ...

For example zcash uses such approach with Pederesen hash which is collision-resistant, but not preimage-resistant. I assume that it’s used to ensure that we can’t reuse hash from one level which collides with a hash from another.

can someone please explain to me what's the role of montgomery reduction algorithm and how to implement it in python. I wrote the code below to calculate a*b mod m but it doesn't seem to work well.

def montgomery(a,b,m):

bin_m=format(m,'b')
R=pow(2,len(bin_m))

a_prim= a *(R % m)
b_prim= b *(R % m)

reverse_R=euc(R,m)

if inverse_R<0:
    inverse_R+=m

c_prim=(a_prim*b_prim)*reverse_R
result=c_prim ...

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

How to map points from curve

E6 = EllipticCurve(GF(p), [0,7])

to

E1 = EllipticCurve(GF(p), [0,n])

n = 1...6

?

Suppose we have the additive subgroup of reals generated by $\sqrt{3}$ and $\sqrt{5}$. How would you show you that this subgroup does not form a lattice?

In the Kate Polynomial Commitment scheme, a commitment of a Polynomial $f(x)$ at $x=s$ is defined as

$Com_f = f(s).G$ where $G$ is the generator of the Elliptic Curve of prime order which is used.

So the polynomial to be committed, which Polynomial Ring should it be belong to?

Consider an Elliptic Curve $E$ defined over $F_p$. Let the order of the generator of Elliptic Curve which is used for the ...

I would like to make a zk proof that would set the leaf of an SMT tree at an index that is an eth address to 1. The SMT is built offchain.

I already have the SMT and the root of the tree onchain.

I only want the from root and the to root to be public.

Any suggestions on how to implement this using circom?

Also looking for similar proofs that update data in trees if anyone can suggest some.

My apologies for the long post.

I read on AWS docs that, when keys are generated using java keytool, the certificates are stored in a local store file and the actual private key material is stored in Cloud HSM.

Generate keypair with a certificate without store file

keytool -genkeypair -alias alias1 "CN=alias1.example.com, OU=Research, O=Acme, L=XYZ, ST=CA, C=US" -storepass password -keyalg rsa -keysiz ...

How I can find the point to perform this twist attack - https://cryptodeep.ru/twist-attack/

English version of previous link:

https://github.com/demining/Twist-Attack

This video has additional information - https://youtu.be/fBY9Q2DxcLE

I have the RSZ signature, but how do I calculate points from the signature for a twist attack as is shown in the above link?

Example of point:

Q11 = E1([346186717893939 ...