Latest Crypto related questions

It was a challenge from CTF (ended), but I didn't solve it.

p, q = keygen(512)
n = p * q
flag = bytes_to_long(flag)
enc = pow(n + 1, flag, n**3)

So we have module and encrypted flag. We don't know module's factors (p,q). I have tried some ways, search another writeups and read many topics, but I didn't find any information how solve it.

As far as I know Additive Secret Sharing uses a finite field to generate its shares. The gist of the scheme is that the shares $A_{shares}$ = {$A_1, A_2, ..., A_n$} of a value $A$ on a finite field $N$ can be attained by:

$A\ mod\ N = \sum_{A_i \in A_{shares}} (A_i\ mod\ N)$

If all shares in $A_{shares}$ are positive and no finite field was used, an adversary could infer from any given share that the t ...

I am learning about the concept of two security notions called IND-, which include IND-CPA, IND-CCA1 and IND-CCA2. While I got some grasp understanding about the scenarios between the challenger & attacker for each of these models. I am still not able to comprehend what properties of a security model are required to "upgrade" from IND-CPA to IND-CCA1, thus IND-CCA2.

• Starting with IND-CPA, I under ...

I have a question in the context of two-party computation and the proof of the security of an MPC. I have looked at some of the beginning parts of this, this chapter 7, and
this But I couldn't achieve my answer.

I want to understand the difference of a malicious adversary with an honest-but-curious one, and to get what does it imply.

Does the security against malicious adversary exactly means that if ...

Is there a way to transform the BGN encryption into non-malleable (i.e., IND-CCA2) without the use of symmetric encryption or signature?

I thought that simply publishing a proof of knowledge (via non interactive Sigma protocol) on $m$ is sufficient (i.e., if you have $E(m)= h^rg^m$ for some random nonce $r$), but I am concerned that the proof may be malleable. There is the Naor-Yung transformatio ...

A user of this forum said that the whole entropy of a seed goes to the hashed result if using a counter and also that is suitable for key generation even if the internal state or digest size of the hash function is smaller of that of seed.

Let's suppose I have a seed with an entropy of 512-bits and hash it with a counter using a hash function with half of the seed size in bits as Blake2s (256-bits  ...

I was following why the BFV reliearization works, so I supposed 2 ciphertexts $b_1$ and $b_2$ and did the product:

$$b_1 = a_1s+e_1+\Delta m_1$$

$$b_1b_2 = (a_1s+e_1+\Delta m_1)(a_2s+e_2+\Delta m_2) = \\ a_1a_2s^2 + a_1se_2 + a_1s\Delta m_2 + e_1 a_2s +e_1e_2 + e_1\Delta m_2 + \\ \Delta m_1 a_2s + \Delta m_1 e_2 + \Delta ^2 m_1 m_2$$

We want to isolate $\Delta m_1 m_2$ in a way that we have $as + e + \D ...

a zero-knowledge proof is a method by which a prover proves to a verifier that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true

Is there a definition of proof in which the prover conveys no more than X information (where X can be 2 bits for example)? If yes, is it a field of research?

I'm researching about e2e encryption. Do the protocols that use e2ee to exchange information also require users to sign the message before encrypting it with the shared secret? Is it even required to ensure the authenticity of the message being sent?

In the half-gate construction of garbled circuits, is it possible to garble multiple instances of a circuit while re-using certain input labels?

Suppose Alice and Bob would like to compute a function using garbled circuits. Alice will act as the generator and Bob the evaluator.

As usual, Alice generates the input labels for the circuit $W_A$ for her inputs, and $W_B$ for Bob's then sends the encry ...

In MITM attacks against the NTRU cryptosystem, we exploit the fact that in the ring of truncated polynomials of degree $n-1$ it holds that $$fg=h\mod q$$ for our secret and public keys $f,h$. The basic idea is splitting $f$ into $f_1,f_2$ such that $f_1+f_2=f$ and therefore considering $$f_1h=g-f_2h. $$This is almost like finding a collision in the function $f(x)=xh$, if it weren't for the prese ...

I want to estimate when and wether different types of functions provide full or partial diffusion.

I'm trying to understand diffusion of basic operations, like:

• addtion,
• multiplication,
• xoring.

If we change one bit in $a$ how many bits will be changed in average in result $c$ if we do:

$a+b \mod n = c$

If we change one bit in $a$ how many bits will be changed in average in result $c$ if we do:

I've been itching my head over this for a while despite going through the queries related to the topic. Can someone explain me negligible and non-negligible function in a concise way?

As of my naive understanding (correct me if I've the wrong take);

A non-negligible function is one which approaches zero relatively slow (eg: reciprocal of polynomial function as compared to exponential function) and given ...

I'm very new to cryptography and this may sound so foolish. Often I read quantum computers will brute force keys. Let's assume this is true (does it depend on key length? or on an algorithm? I don't know, let's say they will).

If I have a file encrypted with ChaCha20-Poly1305, or perhaps a LUKS encrypted partition with default options (AES 256?), and I split that file in two. If you have only one ...

Are there good learning resources on how to program ZCash, or Monero, or some zk-rollups? I want to find all the sources to build a proof of concept or MVP in the shortest time. But I didn't find much systemic zero knowledge proof/programming related resources

So I am a math major who is trying to learn some crypto. However I have some difficulties with some of the probability definitions that are assumed in the cryptography book that I am using at the moment. So here it goes:

Def(perfect security): Let $(E,D)$ be a Shannon cipher defined over $(K,M,C)$ where all these are finite sets and are respectively the key space, message space, and ciphertext space. Now ...

Is there any use for Fermat's Factorization Method in the world of cryptography? I see that several algorithms are based on it, such as the quadratic sieve and general number field sieve. I understand that Fermat's can be very fast if the factors are close to the square root. Generally RSA moduli have factors that are far enough apart to be resistant to Fermat's.

Are there any real-world examples ...

In §2.3.4 of Standards for Efficient Cryptography 1 (SEC 1), the authors define the following step in deserializing elliptic-curve points that were serialized in the format given in §2.3.3 (emphasis added):

2.4.3
If $q = 2^m$ and $x_P\neq 0$, compute the field element $\beta=x_P+a+b x_P^{-2}$ in $\mathbb{F}_{2^m}$, and find an element $z=z_{m-1}x^{m-1}+\cdots+z_1 x+z_0$ such that $z^2+z=\beta$  ...

Apple's Find My technology is described in this Wired article and explains how Apple, or other third parties, are not able to decrypt location data. It mentions how the keys are rotated every hour:

That public key frequently changes, "rotating" periodically to a new number. Thanks to some mathematical magic, that new number doesn't correlate with previous versions of the public key, but it still reta ...

How would a proof of inclusion be done here as the number of nodes is odd and some hashes don't have a sibling hash? Normally you would send the sibling for each level to the client.

Here there are none, is the proof of inclusion not possible here, or do you just send the parent, until you reach a node that has a sibling? But what would the client calculate then?

I'm new to cryptography and signatures, I've done work that involves a signature model, and now I need to run tests on it.

In this paper [1], a signature model called Linkable Spontaneous Anonymous Group Signature is created. The algorithm is described in the paper, it is capable of creating signatures for groups of public keys. If a signature was created using LSAG, a verifier can verify the correctnes ...

I need a chat between two users and I obviously want to make it as secure as possible. I am, by no means, a cryptography expert, so I turn to you guys for some advice.

Because I like the idea of having E2E encryption, I did some reading about the Diffie–Hellman method and the Signal Protocol.

My issue is that this is a web app and the users are not bound to a fixed device, so I can't just generate ...

I am implementing wet-paper codes (WPC) with randomly generated parity-check matrix $H$, based on this paper. As the wet DCT coefficients, I set DCT coefficients with value 0, or with values 0 and 1 (trying both).

For almost every cover image, the input vector at iteration contains too many wet pixels and the program fails to find the vector v. What is the way to deal with that? Do I even choose the ...

From the literature, STC seems to be the current state-of-the-art for the coding part of steganography. From the description of the method, it appears to me it could be parallelized for GPU. Does developing of STC implementation for GPU even worth it? Are there any existing GPU implementations of STC.

The existing implementations of STC I know of are

• C++/SSE implementation (x86 only) by DDE/Tomas Fille ...

Let's suppose I have a 2MB photo and I want to generate a key from it, and the key should have 2048-bits of size.

A hash function such as SHA3-512 would not deliver a key with with the desired strength.

Is it possible to generate such a key with a hash function having the hash function a maximum digest output/internal state smaller that it, without having to split the file in many parts?

I have been th ...

I am learning Keccak Hash Algorithm and I am a little bit confused about the Capacity bits parameter. I am trying to understand how we can set the capacity parameters while implementing Keccak in python3.

Example: trying to get a collision in Keccak using Capacity = 0 irrespective of hash size (let's say hash size at least 128 bits).

I am working out ICAO verification process (biometric IDs), and here is one of their publicly available certificates:

# openssl x509 -in 492F0116.crt -text -noout
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 1227817238 (0x492f0116)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = GB, O = UKKPA, CN = Country Signing Authority
    Validity
        Not Before: Feb  1 00:00:00 2 ...

I have written a mathematical paper in cryptography and I want to publish it but I don't know any professors in the field to collaborate with them. So what should I do and how to get contacts that could help me setting up with this work?

I have bumped into this challenge from a well known CTF site. I don't want to make a reference to it because I don't want this to be a hint for anyone. And also to avoid giving out the source code of the challenge I will try to describe the code. The thing is that they provide a small script with a class that implements Textbook RSA (no padding or anything). On this script $e$ is predefined and is ...

Is a random number generated by a CSRNG equivalently secure as the SHA hash of that number? I know that RNGs generate numbers that look random, and aren't necessarily random. For example, in a range of [1, 2^256], number 100 might be picked randomly, but it isn't secure, so it needs to be changed.

However, the SHA256 hash of a number that looks random has the same chances to be 100 just like any  ...