Latest Crypto-related questions

Score: 0
Transforming BGN to non-malleable

Is there a way to transform the BGN encryption into non-malleable (i.e., IND-CCA2) without the use of symmetric encryption or signature?

I thought that simply publishing a proof of knowledge (via non interactive Sigma protocol) on $m$ is sufficient (i.e., if you have $E(m)= h^rg^m$ for some random nonce $r$), but I am concerned that the proof may be malleable. There is the Naor-Yung transformatio ...

Score: 1
phantomcraft
Hashing a seed together with a block counter and using it as an encipherment scheme: Will this have the same security in bits as the seed used?

A user of this forum said that the whole entropy of a seed goes into the hashed result if using a counter, and also that this is suitable for key generation even if the internal state or digest size of the hash function is smaller than that of the seed.

Let's suppose I have a seed with an entropy of 512-bits and hash it with a counter using a hash function with half of the seed size in bits as Blake2s (256-bits  ...

Score: 0
Why does BFV relinearization work?

I was following why the BFV relinearization works, so I supposed 2 ciphertexts $b_1$ and $b_2$ and did the product:

$$b_1 = a_1s+e_1+\Delta m_1$$

$$b_1b_2 = (a_1s+e_1+\Delta m_1)(a_2s+e_2+\Delta m_2) = \\ a_1a_2s^2 + a_1se_2 + a_1s\Delta m_2 + e_1 a_2s +e_1e_2 + e_1\Delta m_2 + \\ \Delta m_1 a_2s + \Delta m_1 e_2 + \Delta ^2 m_1 m_2$$

We want to isolate $\Delta m_1 m_2$ in a way that we have $as + e + \D ...

Score: 1
Amit Keinan
Is there an extension of the definition of zero knowledge proof to different information quantities?

A zero-knowledge proof is a method by which a prover proves to a verifier that a given statement is true while the prover avoids conveying any additional information apart from the fact that the statement is indeed true.

Is there a definition of proof in which the prover conveys no more than X information (where X can be 2 bits for example)? If yes, is it a field of research?

Score: 0
Enrico Bottazzi
Do Signal or other communication protocols based on E2EE use signatures too?

I'm researching e2e encryption. Do the protocols that use e2ee to exchange information also require users to sign the message before encrypting it with the shared secret? Is it even required to ensure the authenticity of the message being sent?

Score: 2
sinu
Reusing input labels in half-gate construction

In the half-gate construction of garbled circuits, is it possible to garble multiple instances of a circuit while re-using certain input labels?

Suppose Alice and Bob would like to compute a function using garbled circuits. Alice will act as the generator and Bob the evaluator.

As usual, Alice generates the input labels for the circuit $W_A$ for her inputs, and $W_B$ for Bob's then sends the encry ...

Score: 0
MITM against NTRU

In MITM attacks against the NTRU cryptosystem, we exploit the fact that in the ring of truncated polynomials of degree $n-1$ it holds that $$fg=h\mod q$$ for our secret and public keys $f,h$. The basic idea is splitting $f$ into $f_1,f_2$ such that $f_1+f_2=f$ and therefore considering $$f_1h=g-f_2h. $$This is almost like finding a collision in the function $f(x)=xh$, if it weren't for the prese ...

Score: 1
Tom
Diffusion of arithmetic and bit operations

I want to estimate when and whether different types of functions provide full or partial diffusion.

I'm trying to understand diffusion of basic operations, like:

  • addition,
  • multiplication,
  • xoring.

If we change one bit in $a$, how many bits will be changed on average in the result $c$ if we do:

$a+b \mod n = c$

If we change one bit in $a$, how many bits will be changed on average in the result $c$ if we do:

Score: 1
A typical nerd
Physical meaning of Negligible and Non-Negligible Functions

I've been scratching my head over this for a while despite going through the queries related to the topic. Can someone explain negligible and non-negligible functions to me in a concise way?

As per my naive understanding (correct me if I have the wrong take):

A non-negligible function is one which approaches zero relatively slowly (e.g. the reciprocal of a polynomial function as compared to an exponential function) and given ...

Score: 1
hajalev896
Dividing an encrypted file is secure against classical or quantum

I'm very new to cryptography and this may sound so foolish. Often I read quantum computers will brute force keys. Let's assume this is true (does it depend on key length? or on an algorithm? I don't know, let's say they will).

If I have a file encrypted with ChaCha20-Poly1305, or perhaps a LUKS encrypted partition with default options (AES 256?), and I split that file in two. If you have only one ...

Score: 0
frt132
Learning resources for ZCash?

Are there good learning resources on how to program ZCash, or Monero, or some zk-rollups? I want to find all the sources to build a proof of concept or MVP in the shortest time. But I didn't find many systematic zero knowledge proof/programming related resources.

Score: 1
mathInferno
Clarification of some probability concepts used in crypto

So I am a math major who is trying to learn some crypto. However I have some difficulties with some of the probability definitions that are assumed in the cryptography book that I am using at the moment. So here it goes:

Def(perfect security): Let $(E,D)$ be a Shannon cipher defined over $(K,M,C)$ where all these are finite sets and are respectively the key space, message space, and ciphertext space. Now ...

Score: 3
Raine Conor
Is Fermat's Factorization Method used in any practical application?

Is there any use for Fermat's Factorization Method in the world of cryptography? I see that several algorithms are based on it, such as the quadratic sieve and general number field sieve. I understand that Fermat's can be very fast if the factors are close to the square root. Generally RSA moduli have factors that are far enough apart to be resistant to Fermat's.

Are there any real-world examples ...

Score: 0
JamesTheAwesomeDude
How to find $z$ when deserializing elliptic curve?

In §2.3.4 of Standards for Efficient Cryptography 1 (SEC 1), the authors define the following step in deserializing elliptic-curve points that were serialized in the format given in §2.3.3 (emphasis added):

2.4.3
If $q = 2^m$ and $x_P\neq 0$, compute the field element $\beta=x_P+a+b x_P^{-2}$ in $\mathbb{F}_{2^m}$, and find an element $z=z_{m-1}x^{m-1}+\cdots+z_1 x+z_0$ such that $z^2+z=\beta$  ...

Score: 5
Jared
Apple "Find My" Key Rotation

Apple's Find My technology is described in this Wired article and explains how Apple, or other third parties, are not able to decrypt location data. It mentions how the keys are rotated every hour:

That public key frequently changes, "rotating" periodically to a new number. Thanks to some mathematical magic, that new number doesn't correlate with previous versions of the public key, but it still reta ...

Score: 0
Yoinkers McGee
Proof of inclusion for odd-valued tree

How would a proof of inclusion be done here as the number of nodes is odd and some hashes don't have a sibling hash? Normally you would send the sibling for each level to the client.

Here there are none, is the proof of inclusion not possible here, or do you just send the parent, until you reach a node that has a sibling? But what would the client calculate then?

Score: 1
Cesar11031
Help for testing signature model property

I'm new to cryptography and signatures, I've done work that involves a signature model, and now I need to run tests on it.

In this paper [1], a signature model called Linkable Spontaneous Anonymous Group Signature is created. The algorithm is described in the paper, it is capable of creating signatures for groups of public keys. If a signature was created using LSAG, a verifier can verify the correctnes ...

Score: 1
SparxDev
Encrypt messages for two-participants chat

I need a chat between two users and I obviously want to make it as secure as possible. I am, by no means, a cryptography expert, so I turn to you guys for some advice.

Because I like the idea of having E2E encryption, I did some reading about the Diffie–Hellman method and the Signal Protocol.

My issue is that this is a web app and the users are not bound to a fixed device, so I can't just generate ...

Score: 2
Martin Benes
Too many wet positions in Wet-Paper Codes steganography with random H

I am implementing wet-paper codes (WPC) with randomly generated parity-check matrix $H$, based on this paper. As the wet DCT coefficients, I set DCT coefficients with value 0, or with values 0 and 1 (trying both).

For almost every cover image, the input vector at iteration contains too many wet pixels and the program fails to find the vector v. What is the way to deal with that? Do I even choose the ...

Score: 1
Martin Benes
Accelerating Syndrome-Trellis Codes (STC) for GPU

From the literature, STC seems to be the current state-of-the-art for the coding part of steganography. From the description of the method, it appears to me it could be parallelized for GPU. Is developing an STC implementation for GPU even worth it? Are there any existing GPU implementations of STC?

The existing implementations of STC I know of are

Score: 1
phantomcraft
Is it possible to generate a key from a hash function, with the key larger than the hash function digest output, without splitting the seed?

Let's suppose I have a 2MB photo and I want to generate a key from it, and the key should have 2048-bits of size.

A hash function such as SHA3-512 would not deliver a key with the desired strength.

Is it possible to generate such a key with a hash function whose maximum digest output/internal state is smaller than it, without having to split the file into many parts?

I have been th ...

Score: 0
Crypto_Learner
Keccak Capacity bits Parameter

I am learning Keccak Hash Algorithm and I am a little bit confused about the Capacity bits parameter. I am trying to understand how we can set the capacity parameters while implementing Keccak in python3.

Example: trying to get a collision in Keccak using Capacity = 0 irrespective of hash size (let's say hash size at least 128 bits).

Score: 0
wick
ECC Public key import understanding

I am working out ICAO verification process (biometric IDs), and here is one of their publicly available certificates:

# openssl x509 -in 492F0116.crt -text -noout
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 1227817238 (0x492f0116)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = GB, O = UKKPA, CN = Country Signing Authority
    Validity
        Not Before: Feb  1 00:00:00 2 ...

Score: 0
Bubbaloo
Publishing a paper in cryptography

I have written a mathematical paper in cryptography and I want to publish it, but I don't know any professors in the field to collaborate with. So what should I do, and how do I get contacts that could help me get started with this work?

Score: 0
JAAAY
Can we force a chosen ciphertext to be decrypted to a chosen plaintext while controlling only $e(=3)$ in RSA?

I have bumped into this challenge from a well known CTF site. I don't want to make a reference to it because I don't want this to be a hint for anyone. And also to avoid giving out the source code of the challenge I will try to describe the code. The thing is that they provide a small script with a class that implements Textbook RSA (no padding or anything). On this script $e$ is predefined and is ...

Score: -2
Angelo M.
Does a pseudo-random number have the same security as its SHA digest message?

Is a random number generated by a CSRNG equivalently secure as the SHA hash of that number? I know that RNGs generate numbers that look random, and aren't necessarily random. For example, in a range of [1, 2^256], number 100 might be picked randomly, but it isn't secure, so it needs to be changed.

However, the SHA256 hash of a number that looks random has the same chances to be 100 just like any  ...

Score: 1
n-l-i
How to write a Zero-Knowledge Proof of Knowledge of input to a one-way function?

I'm having a bit of difficulty understanding how to construct Zero-Knowledge proofs. So given a one-way function $f$ and a secret message $x$ so that $f(x)=y$, $f$ and $y$ being public, how could one construct a simple Zero-Knowledge Proof of Knowledge algorithm proving that one knows $x$?

I think I understand how this could be done if the verifier also knows $x$, because then they should be able to send ...

Score: 1
What is the problem with having a hash to group function where you can find a discrete log relation between 2 different hashes?

I was reading some notes on a naive hash to a group function.

Consider a cryptographic Hash function $$H: \{0,1\}^{*}\to \{0,1\}^{k}$$

Consider a Discrete Log Hard Group $G$ with a generator $g$. We can build a Hash to group function $$HG(a) = g^{H(a)}$$

(We raise $g$ to the numerical representation of the Hash output)

Apparently, the problem with this is that it's easy to find a relation between 2 hash o ...

Score: 1
Are Pedersen hashes of small inputs safe?

I understand that the end result of a Pedersen Hash (like this one) is a point in an Elliptic Curve.

In the example implementation mentioned above, the input $M$ is split into chunks of 200 bits (the last one possibly being smaller). For each chunk, disconnected/random points in the Elliptic Curve are generated and the end result is a linear combination of those points, with the coefficients depend ...

Score: 1
Shädam
Is TLS 1.3's "required key update" enforced in any way?

From RFC 8446 section 4.6.3:

   If the request_update field is set to "update_requested", then the
   receiver MUST send a KeyUpdate of its own with request_update set to
   "update_not_requested" prior to sending its next Application Data
   record.

Say I have a client connection that sends things to the server, but doesn't read anything that's sent to it after the handshake (it doesn't drain any inco ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.