Latest Crypto related questions

What PKCS standard is the public key in the image below? It seems to me that it is PKCS#8, but what I've read makes me think that PKCS#8 only applies to private keys.

Here is the corresponding private key which is PKCS#8. Note they look identical except the private key only contains modulus and exponent info.

Based on the Schnorr signature below: What is the suitable size of lamda to generate a secure key?

Consider the following case, given x(private key) and y(public key), how to determine whether this key pair is generated by a pre-defined Safe Prime Group(Say FFDHE, RFC 7919)?

In context of SP800 56Ar3 Section 5.6.1.1.4, my understanding is we need to check 2 conditions,

i. y = g^x mod p
ii. 1 < x < min(2^N, q-1)

where N is the max bit size of private key can generate

(i) makes sense because ...

Hi I am searching for public key encryption schemes that if not encrypt with the desire public key the encryption would not be valid
e.g if having a pair of key pk/sk, and want to encrypt message m
however if I use a different public key pk’, I.e getting ciphertext c: c=enc(pk’, m), then with pk and sk I could detect that c is not encrypted with pk

I am implementing Bulletproofs over Ristretto255. (I am using libsodium, so can't switch to another Elliptic Curve implementation.)

I need to implement zero knowledge verification of elliptic curve operations, with the ultimate intention of using these to implement with these more advanced operations like EdDSA and (Pedersen) hashing.

In order to do this, I need to choose an elliptic curve whose sca ...

$$f_0 = A$$ $$f_{n+1}=AES(f_n,k_n)$$ $$f_i = B$$

For given 128-bit values $A, B$ we want to find a chain of suitable 128-bit keys $k_1$ to $k_i$.
The total length $i$ is undetermined. Every valid key chain size gets accepted.

How long will it take?
If we limit $i=1$ it would be equal to the normal use case. $$B = AES(A,k_1)$$ Finding the 128-bit key $k_1$ for given $A, B$ would take in mean $\ap ...

I'm attempting to generate a private/public key pair in a few different standards and formats for testing an encryption library I'm working on (i.e. keys with the same "guts", but different formats and standards). Specifically I want a keys generated by OpenSSL in the DER and PEM formats, using the PKCS#1, PKCS#8, and "traditional" standards for each. The "traditional" standard is because apparently O ...

There is a claim by Chinese researchers making the rounds (Schneier's blog here) that RSA can be broken by Quantum Computers. The paper is on arXiv.

Wading through the discussion in Schneier's blog, and distinguishing between noisy qubits and physical cubits, the claim does not seem as catastrophic but also not as outlandish as some comments might suggest. I think this comment summarizes the issu ...

What I've read:

• https://crypto.stackexchange.com/a/12256
• https://crypto.stackexchange.com/a/20328

Seems in practice, will first choose an e, then choose the 2 big primes p1 and p2.

What I've learned so far:

• e is usually between (2^16, 2^32), e.g 2^16 + 1 = 65537. // TODO .. not sure
• e should not be too large, otherwise the public-key operation is slow.

I've also try to read openssh source code ...

Recently, I am very interested in the hash function attack paper, so I am reading it closely.

I found out that there are Free-start and Semi-free-start settings among the attacks on the hash function.

The example below introduces these two definitions. (The definition is similar to other papers, so I brought it here.)

https://eprint.iacr.org/2017/800.pdf

There are two attack models on the compre ...

Triple DES (using an existing cipher 'DES' of key length 56bits) provides security of 112bits (although it requires key material of 168bits).

Does there exist a mechanism to increase block length of an existing cipher? like creating double AES with block length of 256bits?

In small subgroup confinement attack we are taking k (the power which Eve will use to be)

k = (p-1)/w

where p-1 is the order of the group on which Alice and Bob is working on (Legit Users) and w is the order of the subgroup.

Is it necessary that w has to be of prime order ?

One of the examples I saw

P = 29 W was taken as 4

So k turned out to be 7

I am a beginner in cryptography.

I wonder is it possible to create by Zero Knowledge Proof, to prove Two cipherTexts that are encrypted by same Public Key with Paillier Encryption have the same value inside but without decrypting the texts. I have access to the Public Key at the moment.

I have an array which is like [1,0,0] => Paillier Encryption => [encryption(1),encryption(0),encryption(0 ...

I'm somewhat confused about how the definition of a proof of knowledge relates to the Theorem 19.1 in Boneh-Shoup (http://toc.cryptobook.us/book.pdf), particularly in relation to Schnorr's protocol for proof of knowledge of a discrete logarithm.

As far as I'm aware, the standard definition of a "proof of knowledge" is the existence of an efficient knowledge extractor $\mathcal{E}$ that has access to ...

How to apply local differential privacy to specific categorical values in order to perform some analysis? Does there exist a tool?

For example, I have the following dataset.

   email               address
0  exampleemail1        exampleadress1
1  exampleemail2        exampleadress2

From this dataset, I take as output some results

After the injection of statistical noise, I want to have the following

I'm watching "SSL, TLS, HTTPS Explained" by ByteByteGo on YouTube and at the end, starting around 5:15, there are two points that are interesting:

in TLS 1.3 RSA is no longer supported as the a method for key exchange Diffie-Hellman is a more common way nowadays for exchanging session keys Diffie-Hellman is complicated but in a nutshell it uses some advanced math involving large prime numbers to derive ...

One method to create a secure MPC protocol against malicious adversaries is to create a secure protocol against semi-honest adversaries and then add some zero-knowledge proofs to ensure that the latter protocol runs honestly.

What if we create an honest programming language in which every line of code can be proven to run correctly?

Can you tell me what the problem is with this approach?

Maybe it is ineff ...

I am searching for the exact definition of High density SIS and Low density SIS, but there is something unclear about it.

SIS problem is to find $x\in \mathbb{Z}^m$ such that for random $A\in\mathbb{Z}_q^{n\times m}$, $Ax=0$ and $\lVert x\rVert < \beta$.

As far as I know, high density SIS is when $n\log q < m$, so that the number of inputs are larger than the output and hence there are many so ...

This question is a direct follow-up (hopefully - the last) of my previous one; please see it for full information. I would like to further generalise NTRU cryptosystem on higher-order algebras. Following these two papers: resource1 and resource2 I am trying to implement the method for sedonions over polynomial quotient rings in Sage.

Sedonion class is implemented in a similar manner as Quaternion

What if we consider an MPC protocol in which all parties are dishonest? Is it unattainable (even with allowing abort) or is it just meaningless to think about?

As shown in this paper the IND-CPA of NTRU is based on both the decision key cracking problem and the decision ciphertext cracking problem. However, I often see claims (such as in this paper) that the OW-CPA of NTRU only relies on decision key cracking problem. I don't see a way to prove this.

Suppose that in the OW-CPA game we replace the key generation step with uniform sampling, it is not apparent to m ...

Is it possible to efficiently solve the discrete log problem for $r$: $$ g^r\equiv v\pmod N $$ When the following constants are know: $$ N,\ g,\ v,\ \phi=(p-1)(q-1)\text{ s.t. }N=p\,q $$

You can get access to this document via institutional login at https://www.researchgate.net/publication/220556089_Security_and_composition_of_cryptographic_protocols_A_tutorial So in Ran Canettis Tutorial on Composable Security I came across some definitions of how protocols can be composed:

Earlier, it explains an example on what can go wrong if protocols are composed. He mentioned an example, where y ...

NIST P-521 has the longest key size for standardised ECC, which has 521 bits instead of 512. If a quantum computer is available, how many qubits can break P-521?

Cryptographic sponge functions are a hot topic right now with LWC and all. They solve the symmetric crypto problem with simplicity and efficiency. However, none of them seem to achieve 256-bit security without relying on a gigantic state (such as Keyak).

For example, why isn't Gimli (as per the NIST LWC paper), which has a 256-bit capacity (filled by a 256-bit key in the AEAD mode), capable of ac ...

Are there any known weaknesses in Barreto-Naehrig Curves (e.g. BN P256) ?

I'm trying to implement ECDSA for learning purposes and have generated public and private keys, which seem to be correct as I have compared them with those generated by an online tool called noble. However, my signing or verification algorithm (or both) is not working correctly and I am having difficulty debugging the code due to my lack of cryptographic or mathematical background. I have been tryi ...

I'm working on the blinding portion of some RSA code. Some implementations I've looked at don't verify that the random number used for blinding is relative prime to N as described on the Wikipedia page for blinding:

RSA blinding involves computing the blinding operation E(x) = (xr)^e mod N, where r is a random integer between 1 and N and relatively prime to N (i.e. gcd(r, N) = 1)

I assume this is  ...

I'm working on some RSA code that uses Toms Fast Math (TFM for short), and I'm trying to understand why the functions fp_exptmod (for modular exponentiation operations) and fp_invmod (for modular inverse operations) both require an odd modulus and the former also requires an odd exponent. I've written code to allow the use of evens, but TFM is built with crypto in mind, so I'm thinking maybe allowing e ...

I understand that from security perspective the sign-then-encrypt approach is the best.

I tried to implement it in Python with the cryptography package and I got this error: ValueError: Encryption/decryption failed.

This is not surprising. The maximum I can encrypt with RSA and OAEP padding is 190 bytes, but the signature alone is 256 bytes and there is the actual data I want to encrypt.

So if the m ...