Latest Crypto related questions

Score: 0
JAAAY
Can we force a chosen ciphertext to be decrypted to a chosen plaintext while controlling only $e(=3)$ in RSA?

I have bumped into this challenge from a well known CTF site. I don't want to make a reference to it because I don't want this to be a hint for anyone. And also to avoid giving out the source code of the challenge I will try to describe the code. The thing is that they provide a small script with a class that implements Textbook RSA (no padding or anything). On this script $e$ is predefined and is ...

Score: -2
Angelo M.
Does a pseudo-random number have the same security as its SHA digest message?

Is a random number generated by a CSRNG equivalently secure as the SHA hash of that number? I know that RNGs generate numbers that look random, and aren't necessarily random. For example, in a range of [1, 2^256], number 100 might be picked randomly, but it isn't secure, so it needs to be changed.

However, the SHA256 hash of a number that looks random has the same chances to be 100 just like any  ...

Score: 1
n-l-i
How to write a Zero-Knowledge Proof of Knowledge of input to a one-way function?

I'm having a bit of difficulty understanding how to construct Zero-Knowledge proofs. So given a one-way function $f$ and a secret message $x$ so that $f(x)=y$, $f$ and $y$ being public, how could one construct a simple Zero-Knowledge Proof of Knowledge algorithm proving that one knows $x$?

I think I understand how this could be done if the verifier also knows $x$, because then they should be able to send ...

Score: 1
What is the problem with having a hash to group function where you can find a discrete log relation between 2 different hashes?

I was reading some notes on a naive hash to a group function.

Consider a cryptographic Hash function $$H: \{0,1\}^{*}\to \{0,1\}^{k}$$

Consider a Discrete Log Hard Group $G$ with a generator $g$. We can build a Hash to group function $$HG(a) = g^{H(a)}$$

(We raise $g$ to the numerical representation of the Hash output)

Apparently, the problem with this is that it's easy to find a relation between 2 hash o ...
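The relation the excerpt alludes to can be checked directly. The Python below is an added example, not code from the post: it uses a constructed toy group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 1019$, $q = 509$, with generator $g = 4$) and SHA-256 as $H$. Because $g$ has known order $q$, $HG(a) = g^{H(a)}$ equals $HG(b)^{H(a) \cdot H(b)^{-1} \bmod q}$, so anyone holding the two inputs can write down the discrete log of $HG(a)$ to the base $HG(b)$ without solving any discrete logarithm problem.

```python
import hashlib

# Constructed toy group (assumption, not from the post): p = 2q + 1 is a safe
# prime and g = 4 = 2^2 generates the subgroup of order q in Z_p^*.
P = 1019
Q = 509
G = 4


def H(data: bytes) -> int:
    """The hash H: {0,1}^* -> {0,1}^k from the post, read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def HG(data: bytes) -> int:
    """Naive hash-to-group: g raised to the numeric value of the digest."""
    return pow(G, H(data), P)


def known_relation(a: bytes, b: bytes) -> int:
    """Exponent r with HG(a) == HG(b)^r, computable from the digests alone.

    Since g has order q, only H(.) mod q matters, so r = H(a) * H(b)^-1 mod q.
    It exists whenever H(b) is invertible mod q, i.e. almost always.
    """
    hb = H(b) % Q
    if hb == 0:
        raise ValueError("H(b) is 0 mod q, so HG(b) is the identity")
    return (H(a) * pow(hb, -1, Q)) % Q


def check_relation(a: bytes, b: bytes) -> bool:
    """Confirm that the computed exponent really relates the two group elements."""
    return pow(HG(b), known_relation(a, b), P) == HG(a)
```

Why this matters in practice: any construction that needs several group elements whose mutual discrete logs are unknown (the two bases of a Pedersen commitment, the generators of a range proof or ring signature) loses its binding guarantee when those elements are derived this way, since the prover can compute the relation too. Proper hash-to-group methods map the digest to an element without routing it through an exponent of a fixed base.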

Score: 1
Are pedersen hashes of small inputs safe?

I understand that the end result of a Pedersen Hash (like this one) is a point in an Elliptic Curve.

In the example implementation mentioned above, the input $M$ is split into chunks of 200 bits (the last one possibly being smaller). For each chunk, disconnected/random points in the Elliptic Curve are generated and the end result is a linear combination of those points, with the coefficients depend ...

Score: 1
Shädam
Is TLS' 1.3 "required key update" enforced in any way?

From RFC 8446 section 4.6.3:

   If the request_update field is set to "update_requested", then the
   receiver MUST send a KeyUpdate of its own with request_update set to
   "update_not_requested" prior to sending its next Application Data
   record.

Say I have a client connection that sends things to the server, but doesn't read anything that's sent to it after the handshake (it doesn't drain any inco ...

Score: 0
caveman
Is there any way to ensure that a network merge, after a partition, never causes disagreements?

Background: A cryptocurrency, such as Bitcoin, has a global order of all transactions that is guaranteed to be agreed by all participating nodes. With Bitcoin, this is ensured by making the longest chain win, and that creating a long chain requires performing a lot of computations (so it is not trivial to arbitrarily create a longer chain).

A problem comes when there is a long-lasting network parti ...

Score: 0
Pietro
Shamir Secret Sharing over an unsecure channel for a protocol design

Let's suppose that we have two parties, $A$ and $B$ that are using a Shamir Secret Sharing scheme with $k=3$. $A$ holds the points $[x_1, f(x_1)]$ and $[x_2, f(x_2)]$ while $B$ holds $[x_3, f(x_3)]$ and $[x_4, f(x_4)]$.

$A$ sends the point $[x_1, f(x_1)]$ to $B$, and $B$ answers with the point $[x_3, f(x_3)]$, so that both $A$ and $B$ can reconstruct the shared secret to be used in the following par ...
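To make the threshold argument for this exchange concrete: with $k = 3$, a passive eavesdropper who records both transmitted shares holds two points, and for every candidate secret there is exactly one degree-2 polynomial through those two points and $(0, \text{secret})$, so the captured shares rule nothing out. The Python below is an added example, not code from the post; it works over the small prime field $\mathrm{GF}(101)$ (an assumption, so that the eavesdropper's search can be run exhaustively) with shares at $x = 1, 2, 3, 4$ in the roles of $x_1, \dots, x_4$.

```python
import random

P = 101  # prime field GF(101); assumption chosen so an exhaustive check stays small


def make_shares(secret: int, k: int, xs, rng: random.Random):
    """Shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in xs]


def reconstruct(points) -> int:
    """Lagrange interpolation at x = 0 over GF(P); needs k points with distinct x."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def eavesdropper_candidates(observed, missing_x: int):
    """Secrets consistent with k-1 captured shares, one for every possible value
    of a third share at missing_x. A full field's worth means nothing was learned."""
    return {reconstruct(list(observed) + [(missing_x, y)]) for y in range(P)}
```

The caveat a protocol designer needs: this says only that a passive listener learns nothing about the secret. Shamir shares carry no integrity, so an active attacker on the unauthenticated channel can swap the share in transit and make $A$ and $B$ reconstruct different values without either noticing; the exchanged points need to be authenticated by something outside the sharing scheme.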

Score: 2
Tom
How to check whether a function provides full diffusion or not?

In "The Skein Hash Function Family" paper authors wrote:

The MIX/permute structure has been designed to provide full diffusion in 9 rounds for Threefish-256, 10 rounds for Threefish-512, and 11 rounds for Threefish-1024.

How do they know it? Is there some rule for designing such structures, which can guarantee some level of diffusion and it was used there (then they could estimate the number of rounds need ...

Score: -1
Hasbo
Can I 100% trust the PBKDF2(HMAC-SHA256) AES-256 CBC encryption algorithm for file encryption purposes or not, and why? (Winrar)

I am not an expert in cryptography and therefore I would like to address this problem to people who have been working on this topic for a long time and thus verify the facts from several sources.

I use Winrar for file encryption because it is most suitable for me, it's fast and I'm already skillful with this program. I am using an up-to-date version of Winrar which uses PBKDF2(HMAC-SHA256) AES-256 C ...

Score: 1
joaquinlpereyra
BLS Rogue attack: how does e(x^b, y)=e(x, y^b)?

In aggregated BLS Signatures, there's a known attack which allows an adversary to forge a valid signature for a message $m$ knowing only the victims' public keys.

Reading about the maths behind it, this justification is done:

[image: rogue-public-key]

After some juggling math around, everything is clear but the middle equality. What allows one to assert that $e(g_1, H_0(m)^b) = e(g_1^b, H_0(m))$?

My algebra is far from th ...
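Spelled out, the middle equality is bilinearity applied twice. This is a worked derivation added here, not text from the post; it assumes the standard pairing setting, $e: G_1 \times G_2 \to G_T$ with $e(u^a, v^c) = e(u, v)^{ac}$ for all $u \in G_1$, $v \in G_2$ and integers $a, c$, with the post's $g_1 \in G_1$ and $H_0(m) \in G_2$.

$$e(g_1, H_0(m)^b) = e(g_1, H_0(m))^{1 \cdot b} = e(g_1, H_0(m))^{b \cdot 1} = e(g_1^b, H_0(m)).$$

The exponent $b$ can be moved from the second argument to the first because both expressions equal the same element $e(g_1, H_0(m))^b$ of $G_T$; the pairing cannot tell which input carried it. That is the step the post's derivation needs: a factor $b$ placed on a public key is, under the pairing, indistinguishable from the same factor placed on the hashed message.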

Score: 1
Roberto
Reversing an XOR encryption/decryption function

I have a help recommended high-school project that I'm stuck with. To basically explain the problem: I have an encryption function that is used as the decryption function and I need to reverse it to make an encryption function.

I tried many things but I can't find the proper result. The best I came up with was to encrypt 1 byte on 2 properly.

Here is the core of the function (the rest is variables init ...

Score: 1
Manc
How to factorize RSA modulus while given two Public Exponents and the difference between two Private Exponents?

The RSA modulus is the product of two $2048$-bit primes.

And the two Public Exponents are both $16$-bit.

I also got the difference between two Private Exponents $\left | d_1-d_2 \right |.$

Is there any way to factorize the Modulus $N$?

Score: 2
user104304
CPA secure to CCA secure encryption

Can we use a MAC to transform a CPA secure encryption scheme into CCA secure one?
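The standard construction is encrypt-then-MAC with independent keys: the MAC covers the entire ciphertext (nonce included) and the receiver verifies the tag before touching the ciphertext. The Python below is an added example, not from the post; to stay standard-library-only it builds the CPA-secure half from a counter-mode keystream generated with HMAC-SHA256 (an assumption standing in for AES-CTR), so it demonstrates the composition rather than a production cipher. The tampering functions show why CPA security alone is not enough: one XOR into the ciphertext rewrites the plaintext, and only the MAC stops it.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over a PRF: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def cpa_encrypt(key: bytes, msg: bytes, nonce=None) -> bytes:
    """CPA-secure under the PRF assumption, but malleable: nonce || (msg XOR keystream)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(msg))
    return nonce + bytes(m ^ k for m, k in zip(msg, ks))


def cpa_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def etm_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: tag = HMAC(mac_key, nonce || ciphertext), appended."""
    ct = cpa_encrypt(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time first; never decrypt unauthenticated data."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return cpa_decrypt(enc_key, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def tamper_cpa(enc_key: bytes) -> bytes:
    """Chosen-ciphertext tampering against the CPA-only scheme: turns '1' into '9'."""
    ct = cpa_encrypt(enc_key, b"transfer 100 to alice")
    forged = flip_byte(ct, NONCE_LEN + 9, ord("1") ^ ord("9"))
    return cpa_decrypt(enc_key, forged)


def tamper_etm(enc_key: bytes, mac_key: bytes) -> bool:
    """The same tampering against encrypt-then-MAC; True if it was rejected."""
    blob = etm_encrypt(enc_key, mac_key, b"transfer 100 to alice")
    forged = flip_byte(blob, NONCE_LEN + 9, ord("1") ^ ord("9"))
    try:
        etm_decrypt(enc_key, mac_key, forged)
    except ValueError:
        return True
    return False
```

Two details carry the proof: the encryption and MAC keys must be independent (in practice, both derived from one master key with a KDF under distinct labels), and the order matters. Encrypt-then-MAC with a strongly unforgeable MAC is the generic composition that yields CCA security; MAC-then-encrypt and encrypt-and-MAC do not in general.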

Score: 1
Кирилл Волков
Why are hashing the private key in Ed25519 key generation and the later modifications required?

In EdDSA with Ed25519 the algorithm for computing the public key is the following:

h = hash(privateKey)    # SHA-512 of the private key seed
h[0] &= 0xF8            # clear the three least significant bits
h[31] &= 0x7F           # clear the most significant bit
h[31] |= 0x40           # set the second most significant bit
publicKey = h * B       # scalar multiplication of the base point B

The questions are

  1. Why is Hashing in Ed25519 key generation needed?
  2. Why are the actions on h bits needed?
  3. What does the clearing relate to the 31st bit?

Score: 0
שחר כהן
Faster linkable ring signatures libraries

I need a fast linkable ring signatures library, something that is O(log(n)) and n is the ring size. I read a few papers about these kinds of schemes but I didn't find any implementations of them. Here are few of the papers I read: https://reader.elsevier.com/reader/sd/pii/S0304397512009528?token=6FCBA7389B1AF78F2C3B52B706F5C9E13130E044B14FD7F6DD55632C02F6B742E9CE2B288610AC2FFE0FCF198729F510&ori ...

Score: 2
swarna islam
Significance of having remainder $3$ when divided by $4$ for both $p$ and $q$ in BBS

In the Blum Blum Shub random number generator, we take two random prime numbers $p$ and $q$ such that both have a remainder of $3$ when divided by $4$. My question is why can't we just take any $2$ random primes? What is significance of having remainder $3$ when divided by $4$ from the perspective of mathematics and security?
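The condition $p \equiv q \equiv 3 \pmod 4$ makes $N = pq$ a Blum integer, and for a Blum integer the map $x \mapsto x^2 \bmod N$ is a permutation of the quadratic residues: every residue has exactly one square root that is itself a residue. That is what makes the BBS state transition a permutation of its state space (and, for whoever knows $p$ and $q$, an invertible one), which the security argument needs. The Python below is an added example, not from the post; it checks the claim exhaustively on small constructed moduli, one with both primes $\equiv 3 \pmod 4$ and others where a prime is $\equiv 1 \pmod 4$.

```python
from math import gcd


def quadratic_residues(n: int) -> set:
    """Units of Z_n that are squares of units."""
    return {pow(x, 2, n) for x in range(1, n) if gcd(x, n) == 1}


def squaring_is_permutation(n: int) -> bool:
    """True iff x -> x^2 mod n maps the quadratic residues onto themselves bijectively."""
    qr = quadratic_residues(n)
    return {pow(x, 2, n) for x in qr} == qr


def is_blum_integer(p: int, q: int) -> bool:
    return p % 4 == 3 and q % 4 == 3


def residue_square_roots(n: int, y: int) -> list:
    """Square roots of y modulo n that are themselves quadratic residues.
    Exactly one for every residue y when n is a Blum integer."""
    return [x for x in quadratic_residues(n) if pow(x, 2, n) == y]


def bbs_bits(p: int, q: int, seed: int, count: int) -> list:
    """Blum Blum Shub: x_{i+1} = x_i^2 mod N, output the low bit of each state.
    Small constructed parameters for illustration only."""
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to N")
    x = pow(seed, 2, n)
    out = []
    for _ in range(count):
        x = pow(x, 2, n)
        out.append(x & 1)
    return out
```

The reason a prime $\equiv 1 \pmod 4$ breaks this is that $-1$ is then a quadratic residue modulo that prime, so $x$ and $-x$ can both be residues with the same square: squaring becomes two-to-one on the residues and its image shrinks every step. With Blum primes $-1$ is a non-residue, squaring is injective on the residues, and the holder of $p$ and $q$ can step the generator backwards by taking the unique residue square root, which is the trapdoor the construction is built around.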

Score: 1
kevin
value bound of r⋅e for LWE Decryption correctness

For LWE decryption, someone told me that if we can bound r⋅e by q/4 then we can retrieve M by checking if this is closer to 0 or q/2

However, how to use tail estimation to derive the relationship between upper limit bound of standard deviation (α) and q/4 ?

Note: There is also upper bound value of sqrt(M) for r, which I am also quite confused with.

[image: Decryption correctness]

Score: 0
Finding $a$ in $g^a\bmod p$ in Diffie-Hellman

This might be a silly question but I am unable to wrap my mind around it. In Diffie-Hellman can we find $a$ when $A = g^a\bmod p$, given we know $A$, $g$ and $p$?
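Yes when $p$ is small, and this is exactly the discrete logarithm problem when $p$ is large: a generic method needs on the order of $\sqrt{p}$ group operations, which is why a 2048-bit prime is out of reach while a 32-bit one is a fraction of a second. The Python below is an added example, not from the post; it implements baby-step giant-step for $g^a \bmod p$ on a constructed 10-bit prime ($p = 1019$ with $g = 2$, assumed to be a generator) and shows what recovering $a$ buys an eavesdropper: with $a$ in hand, $B^a$ is the shared Diffie-Hellman key.

```python
from math import isqrt


def bsgs(g: int, A: int, p: int, order: int = None):
    """Baby-step giant-step: return a with pow(g, a, p) == A, or None.

    Costs about 2*sqrt(order) multiplications and sqrt(order) table entries;
    order defaults to p - 1, the size of the multiplicative group of Z_p.
    """
    n = order if order is not None else p - 1
    m = isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):              # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = pow(g, -m, p)    # g^(-m)
    gamma = A % p
    for i in range(m):              # giant steps: A * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


def break_dh(g: int, p: int, A: int, B: int):
    """Eve sees only the public values A = g^a and B = g^b, recovers a,
    and derives the shared key B^a = g^(ab)."""
    a = bsgs(g, A, p)
    if a is None:
        raise ValueError("no logarithm found; is g a generator?")
    return a, pow(B, a, p)
```

For a prime-field group there are also index-calculus methods that beat $\sqrt{p}$, which is why Diffie-Hellman over $\mathbb{Z}_p^*$ uses primes of 2048 bits and up, not 256; the point of the example is the asymmetry between computing $g^a$ (cheap) and undoing it (exponential in the size of $p$ for generic attacks).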

Score: 8
juhist
Would an encryption-only block cipher be useful at all?

I recently implemented the AES block cipher, encryption side only, to be used in QUIC parsing (QUIC uses GCM mode). There are other modes than GCM that use only encryption: for example CTR, OFB, and CFB.

When implementing the AES cipher encryption side, it occurred to me how everything is done there has to be reversible, so the bit-mixing operations you do can't be arbitrary, they have to be carefull ...

Score: 1
Bastiaan Quast
For integers, when should I use BFV / BGV / CKKS / TFHE?

When performing homomorphically encrypted computations, when should I use BFV / BGV / CKKS?

It seems BFV / BGV is better suited for integers, and CKKS for floats. It also seems BFV-BGV have some portability. I want to calculate using integers.

How do I understand if I should use BFV or BGV?

I also don't understand why the imprecision from CKKS could not simply be fixed by rounding, since it is comparat ...

Score: 1
seeker58
Which data is communicated between participants in Distributed Key Generation

I was asked recently if it is somehow possible to use already existing keypairs stored in HSMs for, e.g. ped-DKG.

Which ultimately led me to the question, which data is actually exchanged between parties when generating a shared key-pair? I was thinking surely there has to be some communication between the parties, e.g. agreeing on a threshold (degree of polynomial) before generating their private key fra ...

Score: 0
Aviv Aviv
Is SHA-256 better than SHA-1 in aspects other than the hash size?

Assume I create a hash using SHA-256 and then take only the first 160 bits of the hash as the result. Is the result more cryptographically secure than SHA-1? Or are the two algorithms equally secure except for the hash size? (for example in terms of uneven distribution of the hashes and other means that determine the resilience of hashing algorithms)

What about the rest of the SHA family of ha ...

Score: 3
Lukie Boy
Fast polynomial multiplication over finite field GF(2^n)

I wonder if there is a more efficient polynomial multiplication than Karatsuba over the finite field $\operatorname{GF}(2^n)$. Brief research on this topic gave me a few results on fast multiplication on $\operatorname{GF}(2^n)$ using a polynomial over $\operatorname{GF}(2)$, however, it was hard to find a fast 'polynomial' multiplication over GF(2^n). (i.e. Multiplication over $\operatorname{GF} ...

Score: 0
How to validate a proving key and verification key are generated correctly in SNARKs?

If Alice does the trusted setup, how does Bob validate the proving key and verification key are well formed, i.e., they are actually a pair derived from the said circuit and same toxic waste? Alice could run the setup twice and give Bob the proving key from the first run and verification key from the 2nd run, causing key mismatch. Can Bob detect this kind of subversion in a SNARK such as Groth16?

 ...

Score: 1
Tom
Does the Merkle–Damgård construction require an OWF with two inputs?

I'm looking at scheme on Wikipedia:

https://en.wikipedia.org/wiki/Merkle–Damgård_construction

And it looks like function f takes two inputs. So do we have to use in this scheme an OWF which can take two inputs, or maybe we can somehow combine IV with message block, for example by xoring them? Then f can technically take only one (combined) input?

Score: 0
Shubhojyoti Nath
How does parallel repetition preserve Honest Verifier Zero Knowledge?

I do not understand how to formally argue using the simulator of the original Honest Verifier Zero Knowledge Proof?

Score: 4
Tom
Weak physical random number generator/source - what is this?

Why can a physical random number source be weak? I see two kinds of problems:

  • it is hard to control it and make it resistant to some unwanted bias, but also to deliberate attacks,
  • it has a normal distribution, while we usually want to have a uniform distribution (that's why we use randomness extractors or KDFs).

Can anyone elaborate on this topic? What is a weak physical random number generator/source and wh ...

Score: 1
eternalmothra
Input Delayed Sigma-Protocol

In a Sigma-protocol, the steps are (1) commitment, (2) challenge, and (3) response. In general, the prover has a statement and witness that they can use to compute the commitment step. But in some cases (like Schnorr or equality of two discrete logarithms) the prover doesn't use the statement or witness in the first step.

Are there more general Sigma-protocols that have this delayed input propert ...

Score: 0
Traceable Ring Signature - How is a Tag created?

I am reading the Paper of Traceable Ring Signatures and I do not really understand how the Tag is created and how you achieve the traceability when using the same tag for two different messages. Could you explain how the Tag is created?
