Latest Crypto related questions

I would like to implement a hash function $H1 \colon \{0,1\}^* \to \mathbb{Z}_p^*$ such that $p$ is a prime number and second fonction $H2 \colon \mathbb{Z}_p^* \to \{0,1\}^k$ where $k$ is a security parameter

what is the best way to implement them with SHA 256 or another hash function?

CKKS is a levelled scheme, because the rescale $\lfloor\frac{x}{\Delta}\rceil$ operation requires truncating a modulus to be efficiently evaluated, and rescale is (usually) needed after every multiplication to control noise growth.

But I don't understand why rescale have to decrease ciphertext modulus. In residue number system it is probably hard to divide without removing ciphertext modulus, but w ...

Suppose we define privacy as a game where a machine $M$ has a coin $b$, and on input $M_0, M_1$ always replies with encrypted $M_0$ if $b=0$ and encrypted $M_1$ if $b=1$. The adversary can send as many pairs $M_0, M_1$ as he wants. The goal is to guess $b$. If he cannot do better than guessing at random (i.e., with probability $1/2$), then privacy holds (Simplified Benaloh's ballot privacy definition, i ...

If I test the Pseudo Random Number Generator(PRNG) and it satisfies the serial test, it is not sure that the resulting distribution is uniform. Is my observation correct? If it is correct, what test should I do to be sure?

Given a list of base entities (B) with each of them having a universally unique identifier (UUID) of 128 bits.

I want to attach to them a list of ≤ 7 related entities (T_E, U_E, ..., Z_E) with each of them having their own UUID. One requirement is that I should be able to get the UUID of the main entity from the related entities, and get the UUIDs of the related entity from the main entity.

Example: ...

In Wesolowski's VDF (verifiable delay function) a prover produces a pair $(x, y)$ and needs to argue to the verifier that the pair satisfies $y = x^e \pmod N$ for some $e$ computable to both. The verifier is compute limited and $e$ is really large, so cannot compute $x^e\pmod N$ herself. The prover needs to convince the verifier with the verifier doing little work.

To achieve this, the verifier g ...

I have a simple question but I can't seem to find the answer of.

I know that

• A 128-bit hash contains 32 characters since each represents a hexadecimal.
• Similarly, a 64-bit hash would contain 16 characters.

1. However, if I had a 64-bit and 128-bit string consisting of letters (both uppercase and lowercase) and numbers (0-9), how many characters would it occupy?

2. Similarly, if I had a 64-bit and 128-b ...

I’m sorry if this is already answered, however, regarding symmetric key components to create a symmetric key using xor (So eg comp1 xor comp2 xor comp3 = key)

If in the case of an AES KEY, which goes through an expansion routine(?) If someone gets one of the values (who shouldn’t), what is the actual risk? It gives nothing away of the resulting key except size?

I am new in Elliptic curve and I got a lot of knowledge through reading :) but I reached to NAF method as a scalar multiplication method, but don't understand how in this example get it:

Let k = 1234567 and its binary representation contains 21- bits:
100101101011010000111. In this 
11 1′s and 10 0′s can be found resulting in 20 doubling operations (D) and 10 point addition operations (A). The  ...

Is there any algorithm that I can check if point(G^9857) is more near to point(G^54) rather than point(G^448)?

I am looking at the paper on Kate Polynomial Commitments.

On Page 7, VerifyEval, the verifier checks the following to verify commitment.

$e(\mathcal C, g) \stackrel {?}{=} e(w_i, \frac {g(\alpha)}{g(i)})e(g, g)^{\phi(i)}$

In the next line, the paper explains why this equality will be true if the commitment is in fact honest.

I understand the completeness part of the proof, but I am not convinced abou ...

All,

Recently, I came across a question on privacy for big data and AI.

IMO, big data privacy focuses on "anonymization" aspect where sensitive informatino such as Personal Identitfiable Information should be protected, while AI privacy focuses on "raw data stealth" where raw data should not be inferred or derived from the training and inference processes.

Just want to know other's thought. All comment ...

NIST's main recommendation for encryption/decryption mechanism is CRYSTALS-KYBER. Whereas, the BSI (German equivalent) chooses FrodoKEM.

As far as my knowledge goes both these mechanisms use LWE lattice problem for their cryptographic security.

• Then what makes the two mechanisms different?
• Is it just the parameterization of the lattices?
• Is one better than the other, if so why?

An encryption scheme should be injective in the sense that each ciphertext should only be associated with at most one message, in order that decryption is unambiguous. An efficient signature verification scheme should be surjective in the sense that each message (equivalently message hash) has an associated signature, so that all possible messages (resp. hashes) can be signed without rehashing.

I ...

Consider a Schnorr group with order a prime $q$ sized for security against current computers (like $q$ of 256 bit); modulus a prime $p=q\,r+1$ large enough (e.g. 3072 to 32768-bit) that the algorithms of choice for solving the DLP in the group are Pollard's rho or Pollard's kangaroo, rather than Index calculus, Function field sieve or GNFS.

The expected cost of breaking the Discrete Logarithm Problem ...

What is the significance of theoretical weaknesses? Any real life incident where a theoretical weakness was ignored and later it compromised the system? Whats the dividing line between theoretical and practical weakness? Are there any other categories? How quantifies a practical weakness as what seems impossible for one person might be doable by another?

I am working on my master thesis which has as a main subject the CKKS algorithm. I am following the paper https://eprint.iacr.org/2016/421.pdf in which on page 8 it is mentioned that the encoding/decoding in the CKKS are isometric ring isomorphisms between $(S, \|\cdot \|_{\infty}^{can})$ and $(\mathbb{C}^{N/2}, \|\cdot \|_{\infty})$ where $S = \mathbb{R}[X]/(\Phi_M(X))$, $\Phi_M(X)$ a cyclotomic ...

I am looking at this in the context of password hashing in PostgreSQL, specifically, the crypt function of the pgcrypto extension.

The PostgreSQL documentation refers to the Unix man page of the crypt function. The man page (man 3 crypt) of the crypt function states that it performs Trapdoor encryption. Now a trapdoor function should

1. Be easy to compute in one direction - this I understand.
2. Be hard to com ...

Is hashing a pseudo-random generated string of letters upper/lower + numbers 256 characters long with SHA256 insecure, in the sense that in any reasonable amount of time you can go from hash to original string?

Would using a more conventionally strong password hashing algorithm be necessary to still answer no to the above question?

Consider the following construction of a SKE scheme $\Pi^*=(Enc^*,Dec^*)$ based on a PRF family $F=\{F_k:\{0,1\}^n\rightarrow \{0,1\}^n\}_{k\in\{0,1\}^\lambda}$ and on a MAC $ Tag:\{0,1\}^\lambda \times \{0,1\}^n \rightarrow \{0,1\}^\lambda$ with UF-CMA security.

Key Generation: The key generation algorithm returns a random key $k^*=(k^{'},k^{''})$ where $k^{'},k^{''} \in \{0,1\}^\lambda$.

Encryption:

In some RSA libraries I've encountered, the P bit count is left shifted by some amount and Q bit count right shifted by the same amount. For example, if generating a 2048 bit key, the P bit count would be 1088 and the Q bit count would be 960, so the N bit count would still be the requested 2048, assuming appropriate P and Q values are selected.

I've only seen one comment in code explaining this ...

I am doing a RSA cryptography task where I need to decrypt a ciphertext but I am only given the ciphertext ,c, a public exponent, e, and a RSA modulus, n, which has two prime factors p and q such that |p − q| < 10000.

I am unsure of how to do this but I am given the hint of using a low exponent attack (although the exponent is the usual 65537) and a binary search somewhere.

Could someone point  ...

I'm currently taking a computer security module in University and as part of a problem have been asked:

My thought for the question is that no it does not provide 64 bits of security strength. This is as (IV,C) is transmitted over the network meaning that if the signal were intercepted by an adversary IV can easily be obtained as it has not been encrypted and hence is not confidential meaning that it doe ...

Kyber and Dilithium are post-quantum cryptographic designs, but the resources are hard to understand. Is it possible to explain those ciphers to children?

The task is something like this. Alice must send Bob the money, but so that the amount remains hidden.

How can this be done if only "hiding" balances are stored in the blockchain? How can I prove to someone that my balance is positive after the transfer?

In other words, how can I prove to someone that the number x >0, if the person only knows the "hiding" of this number, say, g^x, where g is the ge ...

I'm working on a problem where I need to track some state that's 64-bit integers. It turns out this state can tracked by simply accumulating a sum of differences, which in my case turns out to naturally sum to zero:

$$s = \sum_k (b_k-a_k)$$

This is a "closure" relationship that relies on all the values being transitively accounted for, so I might have e.g. $(a-c)+(c-b)+(b-a) = 0$, but that will a ...

Since AES needs IV to be random (unless fed by a unit test), I was wondering how to properly handle it.

I know that Intel/AMD now supports the rdrand64 function but I don't fully want to rely on that.

Can I safely combine multiple sources of randomness and SHA256 them to produce a random 256-bit number?

My sources of randomness will be: time in ns, clock from rdtsc instruction, BCryptGenRandom (for win ...

In one proof I show that, given a cyclic group $Z_{p}^{*}$ where $p$ is prime, and a set of information $X$ computing $y\in Z_{p}^{*}$ is as difficult as solving Computational Diffie Hellman (CDH) problem.

In another proof can I make the argument that as transformation $X \rightarrow y$ is proven to be CDH, given $X$, distinguishing between any random $r\in Z_{p}^{*}$ from $y$ is as difficult as De ...

Does this research also work for breaking bitcoin ECDSA? If so, how many qubit will be needed for 256-bit elliptic curve key?

The Inhomogeneous Short Integer Solution (ISIS) problem is as follows: given an integer $q$, a matrix $A\in \mathbb{Z}^{n\times m}_q$, a vector $b\in \mathbb{Z}^{n}_q$, and a real $\beta$, find an integer vector $e\in\mathbb{Z}^m$ such that $Ae=b\mod q$ and $0<\Vert e\Vert_2\leq\beta$.

if we assume that $n=m$ is this average-case problem is still hard for a well-chosen $(n,q,\beta)$?

because (I have te ...