Latest Crypto related questions

Score: 3
Pau T
How could ECDSA be broken with prime factorization through Shor's Algorithm?

Could anyone help me understand how ECDSA is broken using Shor's algorithm? All the papers I find are too complex to understand, and even though I feel I understand some concepts, others are a bit more of a mess.

Score: 1
Maarten Bodewes
What exactly is a "pass" when talking about hashing, ciphers and MAC algorithms?

I was very surprised when I said that hashing the same data twice was "double pass" and a comment came in that this wasn't the case if the hashing could be performed in parallel. This would mean that calling CCM/EAX a "two pass" system or GCM a 1.5 pass system would be wrong.

I've always understood that if data is "passed through", a primitive (possibly using some mode of operation in case of a b ...

Score: 0
Adarwoo
Replace checksum with asymmetric hash

The purpose is for a server to ensure that the flash memory of a slave IoT device contains a known-good firmware.

  1. The server does not have a copy of the IoT firmware code - but only a hash or equivalent.
  2. The server transmits a nonce/seed random key to the IoT to perform the hash computation.
  3. The IoT computes a new hash using the nonce/seed - it cannot predict the answer.
  4. The IoT transmits the compute ...

Score: 6
Amirhossein
Always set the IV to 0 randomized CBC

Please explain what goes wrong if we always set the IV to 0 in randomized CBC, and use the system to encrypt two different messages $m_0 \neq m_1$ with the same key $k$.

I tried to find an answer and read CBC mode IV.

I can't understand what goes wrong if we always set IV = 0.

Score: 1
DDD
Different ways to implement NTT in FHE, confusion about CT/GS butterflies

I'm looking at document of SEAL and openFHE, and they both use $\mathrm{NTT}^{\mathrm{CT}, \psi_{rev}}[\text{no to bo}]$ and $\mathrm{INTT}^{\mathrm{GS}, \psi_{rev}}[\text{bo to no}]$, 2 kinds of butterflies. $[\text{no to bo}]$ means natural order to bit-reversal order, similar to the other one.

I'm quite confused because they are pretty similar so why can't we just use one of them, like $\mathrm{N ...
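As an added example (my own code, not SEAL's or OpenFHE's), here are the two butterflies in Python over a toy negacyclic ring $\mathbb{Z}_q[x]/(x^n+1)$ with assumed parameters $q = 17$, $n = 8$, $\psi = 3$ (a primitive $2n$-th root of unity mod 17). `ntt_ct` takes natural order in and leaves bit-reversed order; `intt_gs` takes bit-reversed order in and returns natural order. That is exactly why the libraries pair them: the output layout of one is the input layout of the other, so no bit-reversal permutation is ever performed. A naive $O(n^2)$ transform is included to check the layout.

```python
# Added example (not from SEAL or OpenFHE): Cooley-Tukey NTT (natural -> bit-reversed order)
# paired with Gentleman-Sande INTT (bit-reversed -> natural order) for the negacyclic ring
# Z_q[x]/(x^n + 1), using a table of powers of psi stored in bit-reversed order.
# Toy parameters q = 17, n = 8, psi = 3 are assumed for readability, not security.

def bitrev(i: int, bits: int) -> int:
    """Reverse the low `bits` bits of i (e.g. bitrev(1, 3) == 4)."""
    return int(format(i, f"0{bits}b")[::-1], 2)

def psi_table(psi: int, n: int, q: int) -> list:
    """psi_rev[i] = psi^bitrev(i) mod q: the twiddle layout both libraries use."""
    bits = n.bit_length() - 1
    return [pow(psi, bitrev(i, bits), q) for i in range(n)]

def ntt_ct(a, q, psi):
    """CT butterfly: input in natural order, output in bit-reversed order, no reordering pass."""
    a = list(a)
    n = len(a)
    tbl = psi_table(psi, n, q)
    t, m = n, 1
    while m < n:
        t //= 2
        for i in range(m):
            s = tbl[m + i]
            j1 = 2 * i * t
            for j in range(j1, j1 + t):
                u, v = a[j], a[j + t] * s % q
                a[j], a[j + t] = (u + v) % q, (u - v) % q
        m *= 2
    return a

def intt_gs(a, q, psi):
    """GS butterfly: input in bit-reversed order, output in natural order, then scale by n^-1."""
    a = list(a)
    n = len(a)
    tbl = psi_table(pow(psi, -1, q), n, q)   # powers of psi^-1, bit-reversed
    t, m = 1, n
    while m > 1:
        h = m // 2
        for i in range(h):
            s = tbl[h + i]
            j1 = 2 * i * t
            for j in range(j1, j1 + t):
                u, v = a[j], a[j + t]
                a[j], a[j + t] = (u + v) % q, (u - v) * s % q
        t *= 2
        m = h
    n_inv = pow(n, -1, q)
    return [x * n_inv % q for x in a]

def naive_negacyclic_ntt(a, q, psi):
    """Reference: X_j = sum_i a_i * psi^((2j+1) i) mod q, natural order, O(n^2)."""
    n = len(a)
    return [sum(a[i] * pow(psi, (2 * j + 1) * i, q) for i in range(n)) % q for j in range(n)]
```

`ntt_ct(a)[bitrev(j)]` equals the naive `X_j`, and `intt_gs(ntt_ct(a))` returns `a` unchanged. Using CT for both directions would also work mathematically, but then the inverse would consume bit-reversed input and produce bit-reversed output, forcing an explicit permutation pass; the CT/GS pairing avoids it.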

Score: 2
empty_stack
Modulus for reduction in BLS Signature Scheme

I'm currently working with BLS Signature Schemes in the field of publicly verifiable Compact Proofs of Retrievability by Shacham and Waters.

So for creating the Sigmas the following function is defined: $$ \sigma_i \leftarrow\left(H(\text { name } \| i) \cdot u^{m_{i}}\right)^\alpha . $$ $\left\{m_{i}\right\}_{\substack{1 \leq i \leq n}}$ are bytes derived from a File $M$ which is divided into $n ...

Score: 1
sandeep kiran p
Generating public/private key pair from data and shared password

Two parties share a password. They now need to exchange some data. Is there a way for one party to generate a public/private key pair from the data and the password and share just the public key with the other party? The other party should retrieve the data using the shared password and just the public key. Is this possible?

Basically, the communication between the two parties should happen via the  ...

Score: 0
SMCQL practical examples

I am looking for some practical examples on how to use SMCQL on some typical SQL queries. The paper seems to be oriented more towards theory. Can somebody point me to some examples to understand it better? Thanks.

Score: 1
xhuliano
What are the best known cryptanalytic attacks against AES-128 with 9 rounds?

What are the best known cryptanalytic attacks against AES-128 with 9 rounds?

I found many such attacks on AES-192 and AES-256 with 9 rounds, but not for AES-128 with 9 rounds.

Are there any cryptanalytic attacks that show that such a version of AES-128 would be weaker than the 10 rounds one?

Score: 3
Andrei Florian
Zero Knowledge Proofs for Microsoft SEAL (Homomorphic Encryption)

I am working on a system involving multiple parties performing homomorphic cryptographic operations using Microsoft SEAL (BFV). Because of the nature of the system, it would be preferable for the parties to share zero-knowledge proofs of correctness for the operations performed.

I am specifically interested in a non-interactive ZKP to attest the correct encoding and encryption of a plaintext (whe ...

Score: 1
J. Doe
By using a block cipher multiple times in a row, is a 128-bit BC as secure as a 256-bit BC which uses its 128-bit key only as part of the message?

For given 128-bit numbers $S$ and $E$ we want to find a series of keys $k_i$ with $$ E = BC(BC(BC(.....BC(S, k_1),k_2) ..k_n)$$

  • We can either use a 128-bit block size block cipher similar to AES (ECB mode) with $$BC(m_i,k_i) \equiv AES(m_i,k_i)$$
  • Or a 256-bit block size block cipher similar to AES (like Rijndael, not AES-256!) with $$BC(m_i,k_i) \equiv TakeOnlyLast128Bit[RIJ_{256}([k_i\space m_i],0)]$$

Score: 1
enzian
Custom key for key wrapping using JOSE/JWK

I am trying to figure out how to use a custom password with a JWK that uses the password for key wrapping. The JWA spec contains for example "PBES2-HS512+A256KW", which does "PBES2 with HMAC SHA-512 and 'A256KW' wrapping". So, if I understand correctly, PBES2 involves using a KDF, so can I just use a password, and a key will be derived from it that is used to encrypt a randomly generated DEK?

For exampl ...

Score: 5
Wacky Skiff
Does using multiple hashes (to check if a file has been spoofed) reduce collisions?

I'm trying to create a script that will take a snapshot of the contents of a directory. For each file, all possible metadata will be recorded and written to the database. The point is that with some transfer of this directory, you can take a new snapshot and compare it with the original one taken in the "safe zone" to check whether any third-party changes have been made to the files.

Along with t ...

Score: 1
Robert Huang
Possible plaintext needed on a congruence-modulo-based encryption

Suppose $m$ is a positive integer converted from the plaintext in bytes.

And there are two positive integers $a, b$ which satisfy $a^2 = 1 + 4919 b^2$ in the encryption process ($a$ and $b$ are both unknown).

The ciphertext is $x$, which satisfies $x = (am + b) \bmod p$, where $p$ is known and is a large prime number.

For some reasons, the ciphertexts are shuffled by group. And so I got several possible values of $x$ (which ...

Score: 1
Niels
AES256-GCM padding for unaligned blocks

So I found some test vectors for my SSE implementation of AES256-GCM and unfortunately it seems that after the last step of AAD it goes wrong. My guess is that this is because the AAD is actually misaligned; it's 8-byte instead of 16. I read this into a 128-bit vector and read the byte array into it as a byte array and initialize it to zero first. Is the document with test vectors just wrong, or am I pa ...

Score: 0
Alex Breeze
Why can't crypto currencies have every node verify blocks independently instead of proof of work/stake?

For verifying transactions, normally nodes do proof of work and agree with the majority of workers, but why can't they just do the computation themselves and agree with any other node that has the same result? That way even if an attacker has 99% of the work/stake/etc, the other 1% (aka all the actual users) can ignore the attacker because they all know he's wrong, essentially an automatic pruning of in ...

Score: 4
RocketNuts
OpenSSL AES-GCM says 'bad decrypt', other block modes work fine?

If I do a simple encrypt and decrypt test like so:

echo 'Hello World' | \
openssl enc -aes-128-cbc -pass pass:SeCrEt | \
openssl enc -d -aes-128-cbc -pass pass:SeCrEt

It works fine, it correctly outputs 'Hello World'.

However when I change the blockmode to gcm and keep everything else the same:

echo 'Hello World' | \
openssl enc -aes-128-gcm -pass pass:SeCrEt | \
openssl enc -d -aes-128-gcm -pass ...

Score: 1
tonythestark
Computing the advantage when checking PRF

I am reading a pdf on pseudorandom function I found here https://www.cs.utexas.edu/~dwu4/courses/sp21/static/reductions.pdf

My problem/struggle is with the computation of the distinguisher's $B$ advantage.
According to the notes $b=0$ means that $B$ receives a sample from the function of interest, let's call it $F$, whereas $b=1$ means that they receive a sample from a truly random let's call it

Score: 1
Eric
In RSA, how to calculate the private exponent 'd', after choosing 'e'?

Seems there are 2 ways:

  1. d = (ϕ(n)*k + 1) / e
    In this case, we need to choose a proper integer k.
    Question 1: How to choose k? Just try positive integers starting from 1 until one is found?
  2. Use the Extended Euclidean algorithm to make d * e - k * ϕ(n) == 1, where k can be adjusted as needed.
    It seems we need to add LCM(e, ϕ(n)) to the d * e part if d is negative?

Question 2: Are the two ways identical, if not, whi ...
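As an added example (my own code, not from the post), both routes in Python with the textbook parameters $p = 61$, $q = 53$, $e = 17$ assumed for illustration. Both functions return the same $d$: route 1's $k$ is the cofactor $(de - 1)/\phi(n)$ that the extended Euclidean algorithm also produces, and since $d$ only matters modulo $\phi(n)$, a negative $d$ from Euclid is repaired by adding $\phi(n)$ to $d$ (which is the same as adding $e\cdot\phi(n) = \mathrm{lcm}(e, \phi(n))$ to $d \cdot e$). The search in route 1 never needs $k \geq e$, because $k \equiv -\phi(n)^{-1} \pmod e$ already has a solution in $1 \le k < e$.

```python
# Added example (not from the original post): the two routes to the RSA private exponent.
# Route 1 searches k with e | (k*phi + 1); route 2 runs the extended Euclidean algorithm.
# Both return the unique d in [1, phi) with d*e == 1 (mod phi).

def egcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0

def d_by_search(e: int, phi: int):
    """Route 1: try k = 1, 2, ... until (k*phi + 1) is divisible by e.
    k < e always suffices because k is determined modulo e; None means gcd(e, phi) != 1."""
    for k in range(1, e):
        num = k * phi + 1
        if num % e == 0:
            return num // e
    return None

def d_by_egcd(e: int, phi: int) -> int:
    """Route 2: solve d*e - k*phi == 1 with extended Euclid, then lift d into [1, phi)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime; pick another e")
    return x % phi          # adding phi(n) is what fixes a negative x; d*e stays 1 mod phi(n)

def cofactor_k(d: int, e: int, phi: int) -> int:
    """The k from route 1 expressed in terms of route 2's answer: (d*e - 1) / phi."""
    assert (d * e - 1) % phi == 0
    return (d * e - 1) // phi
```

For $p = 61$, $q = 53$ ($\phi(n) = 3120$) and $e = 17$ both routes give $d = 2753$ with $k = 15$. The search is fine for small $e$ such as 65537 (at most 65536 iterations) but pointless for a large $e$; the extended Euclidean algorithm is what every real implementation uses.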

Score: 3
Juraj Martinka
Digital signature and salt

I'm wondering whether is of any use to add salt when computing a signature of a piece of data. I looked around but didn't find an answer to this, although there's a very similar question: Why hash or salt when signing?

My use case is the following:

  • I have a small JSON-like document that I want to encode & sign on the server and deliver to the client

  • The client must be able to verify that it c ...

Score: 1
Graviton
Zero Knowledge Proof of Brainf*ck program execution

I have been trying to follow this paper for zk-SNARKs to create Zero Knowledge Proofs (ZKPs) for verifying computations. Specifically, given a public program $F$, a public input $x$, I would like to create a proof $\pi$ which "proves" that there exists some private input $w$ such that, $$F(x,w)=z,$$ without revealing what $w$ is. However, as I am new to cryptography, although I have a decent backgr ...

Score: 0
ubiquibacon
Will the value of the "version" fields always be 0 and the "NULL" fields always be "NULL" in PKCS#1, PKCS#8, and X.509/SPKI keys?

Consider the fields highlighted in red in the following keys.

  1. Will the "version" fields (i.e. INTEGER 0) always be zero for the specified structure?
  2. Will the NULL fields always be NULL for the specified structure?
  3. If "No", what would cause the values to change?

PKCS#1 Private Key: [image]

PKCS#8 Private Key: [image]

X.509/SPKI Public Key: [image]

Score: 3
user50394
Distribution distinguishability as a decision problem

In the definition of a pseudorandom function, we consider two distributions $D_0$ and $D_1$ over functions, where $D_0$ is the distribution of a random function and $D_1$ is the distribution of a pseudorandom function (defined as the distribution of $F_k$ under uniform $k$ for some public function $F$). The function $F\sim D_1$ is pseudorandom if no probabilistic polynomial time (PPT) machine can distingu ...

Score: 1
David
Elliptic curve subgroup order

I'm trying to solve the following but I don't understand some of the steps and how to proceed. I found similar questions on the internet saying the order is 6 but I want to understand why.

Given an elliptic curve $E/\mathbb{Q}$ ($\mathbb{Q}$ the rationals), $E: y^2 = x^3 + 1$,
determine the subgroup generated by the point $(2, 3)$ and its size.

Thinking that $P(2,3)$ and $P(2,-3)$ would yield $(3-3)(2-2) = 0$, why is that not ...
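As an added example (my own code, not from the post), exact chord-and-tangent arithmetic on $y^2 = x^3 + 1$ over $\mathbb{Q}$ using Python's `Fraction`, walking $P, 2P, 3P, \dots$ until the point at infinity. The case the post worries about, $(2,3) + (2,-3)$, is $P + (-P) = O$: equal $x$-coordinates are dispatched to doubling or to $O$ before any division by $x_2 - x_1 = 0$ is attempted.

```python
# Added example (not from the original post): exact point arithmetic on y^2 = x^3 + 1 over Q,
# used to count the order of the subgroup generated by P = (2, 3).
from fractions import Fraction as Fr

A, B = 0, 1          # short Weierstrass form y^2 = x^3 + A*x + B; here x^3 + 1
O = None             # the point at infinity (group identity)

def on_curve(P) -> bool:
    if P is O:
        return True
    x, y = P
    return y * y == x ** 3 + A * x + B

def neg(P):
    return O if P is O else (P[0], -P[1])

def add(P, Q):
    """Chord-and-tangent addition over Q. The slope (y2 - y1)/(x2 - x1) is only formed when
    x1 != x2; x1 == x2 means either Q == -P (result O) or Q == P (tangent/doubling)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = map(Fr, P)
    x2, y2 = map(Fr, Q)
    if x1 == x2:
        if y1 != y2 or y1 == 0:         # P == -Q, including the 2-torsion case y == 0
            return O
        lam = (3 * x1 * x1 + A) / (2 * y1)   # tangent slope for doubling
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    y3 = lam * (x1 - x3) - y1
    return (x3, y3)

def multiples(P, k: int) -> list:
    """[P, 2P, ..., kP] computed by repeated addition."""
    out, R = [], P
    for _ in range(k):
        out.append(R)
        R = add(R, P)
    return out

def order(P, limit: int = 100):
    """Smallest k >= 1 with kP == O, or None if none is found within `limit` steps.
    Over Q only torsion points have finite order, so a None is expected for most points."""
    R = P
    for k in range(1, limit + 1):
        if R is O:
            return k
        R = add(R, P)
    return None
```

`order((2, 3))` returns 6 through $2P = (0,1)$, $3P = (-1,0)$, $4P = (0,-1)$, $5P = (2,-3) = -P$, $6P = O$; every intermediate point satisfies `on_curve`, and $3P$ has $y = 0$, so it is the 2-torsion point.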

Score: 1
Andrea
Is it safe to encrypt a message with AES-ECB two times?

Suppose we have a function that returns the ciphertext of a known plaintext that has been encrypted twice with AES-ECB with two unknown keys. Is it possible to get both keys?
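As an added example (my own code, not from either post and not AES), a toy 64-bit Feistel block cipher with a 12-bit key serves two questions on this page: the CBC-with-IV-0 question above (Amirhossein's) and this double-ECB one. The same cipher is used in CBC mode to show exactly what a fixed IV leaks, and then attacked with meet-in-the-middle to recover both keys of a double encryption. The block and key sizes are assumptions chosen so the attack finishes instantly; with AES-128 the same table would need $2^{128}$ entries.

```python
# Added example (not from the original posts, and not AES): a toy 64-bit Feistel block cipher
# with a 12-bit key, used (1) to show what IV = 0 leaks in CBC and (2) to mount the
# meet-in-the-middle attack on double ECB encryption. Sizes are assumptions for speed only.
import hashlib

BLOCK = 8            # 64-bit blocks
KEY_BITS = 12        # toy key space of 4096 keys
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, key: int, rnd: int) -> bytes:
    # Keyed, round-dependent function; SHA-256 is just a convenient PRF here.
    return hashlib.sha256(half + key.to_bytes(2, "big") + bytes([rnd])).digest()[: BLOCK // 2]

def bc_encrypt(block: bytes, key: int) -> bytes:
    """4-round Feistel network over one 8-byte block; a permutation for every key."""
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round_fn(R, key, r))
    return R + L       # undo the final swap so decryption reuses the same network

def bc_decrypt(block: bytes, key: int) -> bytes:
    L, R = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in reversed(range(ROUNDS)):
        L, R = R, _xor(L, _round_fn(R, key, r))
    return R + L

def cbc_encrypt(msg: bytes, key: int, iv: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(M_i xor C_{i-1}) with C_0 = IV; msg must be block-aligned."""
    assert len(msg) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = bc_encrypt(_xor(msg[i : i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def shared_prefix_blocks(c0: bytes, c1: bytes) -> int:
    """Number of leading ciphertext blocks that are identical. With a fixed IV this equals the
    number of leading plaintext blocks the two messages share, which CBC is supposed to hide."""
    n = 0
    for i in range(0, min(len(c0), len(c1)), BLOCK):
        if c0[i : i + BLOCK] != c1[i : i + BLOCK]:
            break
        n += 1
    return n

def double_encrypt(pt: bytes, k1: int, k2: int) -> bytes:
    """ECB double encryption of a single block: E_k2(E_k1(pt))."""
    return bc_encrypt(bc_encrypt(pt, k1), k2)

def mitm_recover(pt: bytes, ct: bytes) -> list:
    """Meet in the middle on E_k2(E_k1(pt)) == ct: tabulate E_k1(pt) for every k1, then look up
    D_k2(ct) for every k2. Cost is 2 * 2^KEY_BITS cipher calls instead of 2^(2*KEY_BITS)."""
    forward = {bc_encrypt(pt, k1): k1 for k1 in range(1 << KEY_BITS)}
    candidates = []
    for k2 in range(1 << KEY_BITS):
        mid = bc_decrypt(ct, k2)
        if mid in forward:
            candidates.append((forward[mid], k2))
    return candidates
```

With `iv = bytes(8)` the first ciphertext blocks of `b"TRANSFER 100 USD"` and `b"TRANSFER 999 USD"` are identical under the same key, so an observer learns the two messages begin the same way (and, more generally, that two ciphertexts with a common prefix came from plaintexts with a common prefix); any two distinct IVs remove that equality. For the double-ECB question, `mitm_recover` finds the key pair with about $2 \cdot 2^{12}$ cipher calls here; against AES-128 the same attack needs roughly $2^{129}$ work and $2^{128}$ memory, so the keys are not recoverable in practice, but double encryption buys only about one bit more than a single key against this attack rather than the 128 bits the naive count suggests.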

Score: 3
edsq
RSA signature verification: How is the "integer too large" error in RSASSA-PKCS1-V1_5-VERIFY possible?

Step 2 of the PKCS #1 v1.5 signature verification operation as described in RFC 8017 section 8.2.2 reads:

2.  RSA verification:

          a.  Convert the signature S to an integer signature
              representative s (see Section 4.2):

                 s = OS2IP (S).

          b.  Apply the RSAVP1 verification primitive (Section 5.2.2) to
              the RSA public key (n, e) and the signat ...

Score: 1
Cristie
DDH and statistical distance

Let $\mathbb{G}$ be a cyclic group of prime order q and generated by g. Let $D$ be the uniform distribution over $\mathbb{G}^3$. Let $D_{dh}$ be the uniform distribution over the set of all DH-triples $(g^{\alpha}, g^{\beta}, g^{\alpha\beta})$. Let $D_{ndh}$ be the uniform distribution over the set of all non-DH-triples $(g^{\alpha}, g^{\beta}, g^{\gamma})$ with $\gamma\neq\alpha\beta$. Answer the followi ...

Score: 0
RocketNuts
Old openssl version does not support -iter or -pbkdf2, how does it derive the encryption key for AES?

When using openssl or libressl to encrypt or decrypt data with AES, I typically specify -iter 1000000 -pbkdf2 to explicitly force the key derivation method.

However I'm currently dealing with a remote system that has an older openssl version (openssl version says OpenSSL 1.0.2k-fips 26 Jan 2017) and it doesn't support the -iter or -pbkdf2 parameters.

If I encrypt a plaintext file on the old machine like t ...
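As an added example (my own code, not OpenSSL's), here is the derivation that `openssl enc` in the 1.0.x series performs when neither `-pbkdf2` nor `-md` is given: EVP_BytesToKey with MD5 and a single iteration, keyed by the password and the 8-byte salt that `enc` writes after the `Salted__` header of its output. For AES-128-CBC it produces 16 key bytes followed by 16 IV bytes. The password and salt below are constructed for illustration.

```python
# Added example (not from the original post; not OpenSSL's code): EVP_BytesToKey, the key/IV
# derivation `openssl enc` used before 1.1.0 when -pbkdf2 and -md were absent (MD5, count 1),
# plus a parser for the "Salted__" + salt + ciphertext framing the command writes.
import hashlib

MAGIC = b"Salted__"

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1):
    """Key material = D_1 || D_2 || ..., where D_i = H^count(D_{i-1} || password || salt)
    and D_0 is empty. Returns (key, iv). count=1 and md="md5" are the 1.0.x defaults."""
    assert len(salt) == 8
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(md, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]

def split_salted(blob: bytes):
    """Parse 'Salted__' (8 bytes) + salt (8 bytes) + ciphertext; raise on anything else."""
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not an openssl 'Salted__' blob")
    return blob[8:16], blob[16:]

def legacy_aes128cbc_key_iv(password: bytes, blob: bytes):
    """Recover (key, iv, ciphertext) for a file produced by `openssl enc -aes-128-cbc`
    on OpenSSL 1.0.x with no -md flag."""
    salt, ct = split_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, 16, 16, md="md5", count=1)
    return key, iv, ct
```

To decrypt such a file on a modern build, pass `-md md5` so the new side derives the same key, or check what the old build actually uses with `openssl enc -P -k <pass> -S <salthex> -aes-128-cbc`, which prints the derived key and IV without encrypting. One MD5 invocation offers no stretching at all, which is why `-pbkdf2 -iter N` exists; treat the legacy derivation as something to interoperate with, not to adopt.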

Score: 1
Brendan
zk-SNARK: Encrypted Polynomial

I've read through, and roughly understand, Maksym Petkus' zk-SNARK paper (http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf). I'm re-reading it, and trying to code up the examples as I go along to gain a better understanding. I'm making (hopefully a simple) mistake, but I'm not sure where.

In 3.3.4 Encrypted Polynomial, the paper discusses how the verifier can sample a random value for $x$, encr ...

Score: 0
sunmu
A Method to Preserve Gradient Privacy in Federated Learning

In the federated learning architecture, there are two methods of gradient privacy protection: differential privacy and homomorphic encryption. What are the advantages and disadvantages of these two methods?
