Latest Crypto related questions

Score: 0
caveman avatar
Is there any way to ensure that a network merge, after a parition, never causes disagreements?
in flag

Background: A cryptocurrency, such as Bitcoin, have a global order of all transactions that is guaranteed to be agreed by all participating nodes. With Bitcoin, this is ensured by making the longest chain win, and that creating a long chain requires performing a lot of computations (so it is not trivial to arbitrarily create a longer chain).

A problem comes when there is a long-lasting network parti ...

Score: 0
Pietro avatar
Shamir Secret Sharing over an unsecure channel for a protocol design
ir flag

Let's suppose that we have two parties, $A$ and $B$ that are using a Shamir Secret Sharing scheme with $k=3$. $A$ holds the points $[x_1, f(x_1)]$ and $[x_2, f(x_2)]$ while $B$ holds $[x_3, f(x_3)]$ and $[x_4, f(x_4))]$.

$A$ sends the point $[x_1, f(x_1)]$ to $B$, and $B$ answers with the point $[x_3, f(x_3)]$, so that both $A$ and $B$ can reconstruct the shared secret to be used in the following par ...

Score: 2
Tom avatar
How to check whether function provides full diffusion or not?
tf flag
Tom

In "The Skein Hash Function Family" paper authors wrote:

The MIX/permute structure has been designed to provide full diffusion in 9 rounds for Threefish-256, 10 rounds for Threefish-512, and 11 rounds for Threefish-1024.

How they know it? Is there some rule of designing such structures, which can quarantee some level of diffusion and it was used there (then they could estimate the number of rounds need ...

Score: -1
Hasbo avatar
Can I 100% trust the PBKDF2(HMAC-SHA256) AES-256 CBC encryption algorithm for file encryption purposes or not, and why? (Winrar)
id flag

I am not an expert in cryptography and therefore I would like to address this problem to people who have been working on this topic for a long time and thus verify the facts from several sources.

I use Winrar for file encryption because it is most suitable for me, it's fast and I'm already skillful with this program. I am using up-to-date version of Winrar which uses PBKDF2(HMAC-SHA256) AES-256 C ...

Score: 1
joaquinlpereyra avatar
BLS Rogue attack: how does e(x^b, y)=e(x, y^b)?
mu flag

In aggregated BLS Signatures, there's a known attack which allows an adversary to forge a valid signature for a message $m$ knowing only the victims public keys.

Reading about the maths behind it, this justification is done:

rogue-publick-ey

After some juggling math around, everything is clear but the middle equality. What allows one to assert that $e(g_1, H_0(m)^b) = e(g_1^b, H_0(m))$?

My algebra is far from th ...

Score: 1
Roberto avatar
Reversing an XOR encryption/decryption function
hr flag

I have a help recommended high-school project that I'm stuck with. To basically explain the problem: I have an encryption function that is used as the decryption function and I need to reverse it to make an encryption function.

I tried many things but I can't find the proper result. The best I came with was to encrypt 1 byte on 2 properly.

Here is the core of the function (the rest is variables init ...

Score: 1
Manc avatar
How to factorize RSA modulus while given two Public Exponents and the difference between two Private Exponents?
in flag

The RSA modulus is the product of two $2048$-bit primes.

And the two Public Exponents are both $16$-bit.

I also got the difference between two Private Exponents $\left | d_1-d_2 \right |.$

Is there any way to factorize the Modulus $N$?

Score: 2
user104304 avatar
CPA secure to CCA secure encryption
in flag

Can we use a MAC to transform a CPA secure encryption scheme into CCA secure one?

Score: 1
Кирилл Волков avatar
Why are hashing private key in Ed22519 key generation and later the modifications required?
ph flag

In EdDSA with Ed25519 the algorithm of public key computing is following:

h = hash (privateKey)
h[0] &= 0xF8
h[31] &= 0x7F
h[31] |= 0x40
publicKey = h * B

The questions are

  1. Why is Hashing in Ed25519 key generation needed?
  2. Why are the actions on h bits are needed?
  3. What does the clearing relate to the 31st bit?
Score: 0
שחר כהן avatar
Faster linkable ring signatures libraries
lb flag

I need a fast linkable ring signatures library, something that is O(log(n)) and n is the ring size. I read a few papers about these kinds of schemes but I didnt find any implementations of them. Here are few of the papers I read: https://reader.elsevier.com/reader/sd/pii/S0304397512009528?token=6FCBA7389B1AF78F2C3B52B706F5C9E13130E044B14FD7F6DD55632C02F6B742E9CE2B288610AC2FFE0FCF198729F510&ori ...

Score: 2
swarna islam avatar
Significance of having remainder $3$ when divided by $4$ for both $p$ and $q$ in BBS
de flag

In the Blum Blum Shub random number generator, we take two random prime numbers $p$ and $q$ such that both have a remainder of $3$ when divided by $4$. My question is why can't we just take any $2$ random primes? What is significance of having remainder $3$ when divided by $4$ from the perspective of mathematics and security?

Score: 1
kevin avatar
value bound of r⋅e for LWE Decryption correctness
sa flag

For LWE decryption, Someone told me that If we can bound r⋅e by q/4 then we can retrieve M by checking if this is closer to 0 or q/2

However, how to use tail estimation to derive the relationship between upper limit bound of standard deviation (α) and q/4 ?

Note: There is also upper bound value of sqrt(M) for r, which I am also quite confused with.

Decryption correctness

Score: 0
Finding $a$ in $g^a\bmod p$ in Diffie-Hellman
US flag

This might be a silly question but I am unable to wrap my mind around it. In Diffie-Hellman can we find $a$ when $A = g^a\bmod p$, given we know $A$, $g$ and $p$?

Score: 8
juhist avatar
Would an encryption-only block cipher be useful at all?
fr flag

I recently implemented AES block cipher, encryption side only, to be used in QUIC parsing (QUIC uses GCM mode). There are other modes than GCM that use only encryption: for example CTR, OFB, and CFB.

When implementing the AES cipher encryption side, it occurred to me how everything is done there has to be reversible, so the bit-mixing operations you do can't be arbitrary, they have to be carefull ...

Score: 1
Bastiaan Quast avatar
For integers, when should I use BFV / BGV / CKKS / TFHE?
ru flag

When performing homomorphically encrypted computations, when should I use BFV / BGV / CKKS?

It seems BFV / BGV is better suited for integers, and CKKS for floats. It also seems BFV-BGV have some portability. I want to calculate using integers.

How do I understand if I should use BFV or BGV?

I also don't understand why the imprecision from CKKS could not simply be fixed by rounding, since it is comparat ...

Score: 1
seeker58 avatar
Which data is communicated between participants in Distributed Key Generation
lv flag

I was asked recently if it is somehow possible to use already existing keypairs stored in HSMs for, e.g. ped-DKG.

Which ultimately led me to the question, which data is actually exchanged between parties when generating a shared key-pair? I was thinking surely there has to be some communication of the parties, e.g. agreeing on a threshold (degree of polynomial) before generating their private key fra ...

Score: 0
Aviv Aviv avatar
Is sha-256 better then sha-1 in aspects othen then the hash size?
io flag

Assume I create a hash using SHA-256 and then take only the first 160 bits of the hash, as the result. is the result more cryptographically secured than SHA-1? Or are the two algorithms equally secure except for the hash size? (for example in terms of uneven distribution of the hashes and other means that determined the resilience of hashing algorithms)

What about the rest of the SHA family of ha ...

Score: 3
Lukie Boy avatar
Fast polynomial multiplication over finite field GF(2^n)
mh flag

I wonder if there is a more efficient polynomial multiplication than Karatsuba over the finite field $\operatorname{GF}(2^n)$. Brief research on this topic gave me a few results on fast multiplication on $\operatorname{GF}(2^n)$ using a polynomial over $\operatorname{GF}(2)$, however, it was hard to find a fast 'polynomial' multiplication over GF(2^n). (i.e. Multiplication over $\operatorname{GF} ...

Score: 0
How to validate a proving key and verification key are generated correctly in SNARKs?
br flag

If Alice does the trusted setup, how does Bob validate the proving key and verification key are well formed, i.e., they are actually a pair derived from the said circuit and same toxic waste? Alice could run the setup twice and give Bob the proving key from the first run and verification key from the 2nd run, causing key mitmatch. Can Bob detect this kind of subversion in a SNARK such as Groth16?

 ...
Score: 1
Tom avatar
Does Merkle–Damgård construction requires OWF with two inputs?
tf flag
Tom

I'm looking at scheme on Wikipedia:

https://en.wikipedia.org/wiki/Merkle–Damgård_construction

And it looks like function f takes two inputs. So do we have to use in this scheme OWF which can take two inputs or maybe we can somehow combine IV with message block, for example by xoring them? Then f can technically take only one (combined) input?

Score: 0
Shubhojyoti Nath avatar
How does parallel repetition preserve Honest Verifier Zero Knowledge?
pe flag

I do not understand how to formally argue using the simulator of the original Honest Verifier Zero Knowledge Proof?

Score: 4
Tom avatar
Weak physical random number generator/source - what is this?
tf flag
Tom

Why physical random number source can be weak? I see two kinds of problems:

  • it is hard to control it and make it resistant to some unwanted bias, but also deliberate attacks,
  • it has normal distributuon, while we usually want to have uniform distribution (that's why we use randomness extractors or KDFs).

Can anyone elaborate on this topic? What is weak physical random number generator/source and wh ...

Score: 1
eternalmothra avatar
Input Delayed Sigma-Protocol
cn flag

In a Sigma-protocol, the steps are (1) commitment, (2) challenge, and (3) response. In general, the prover has a statement and witness that they can use to compute the commitment step. But in some cases (like Schnorr or equality of two discrete logarithms) the prover doesn't use the statement or witness in the first step.

Are there more general Sigma-protocols that have this delayed input propert ...

Score: 0
Tracable Ring Signature - How is a Tag created?
ru flag

I am reading the Paper of Traceable Ring Signatures and I do not really understand how the Tag is created and how you achieve the traceability when using the same tag for two different messages. Could you explain how the Tag is created?

Score: 3
fgrieu avatar
Can reinforcement learning speed up modular multiplication?
ng flag

In Discovering faster matrix multiplication algorithms with reinforcement learning (Nature, 2022; lightweight intro), the authors used reinforcement learning (an artificial intelligence technique) to devise a new, slightly faster matrix multiplication algorithm.

Could a similar technique work towards a better multiple-precision modular multiplication algorithm, as at the core of RSA and ECC using pri ...

Score: 1
Carlos73 avatar
Trying to understand this Solution related to CCA security
gw flag

4.25) Let F be a strong pseudorandom permutation, and define the following fixed-length encryption scheme: On input a message $m ∈ \{0,1\}^{n/2}$ and key $k ∈ \{0,1\}^n$, algorithm $Enc$ chooses a uniform $r ∈ \{0,1\}^{n/2}$ and computes $c:= F_k(m∥r)$. (See Exercise 3.18.) Prove that this scheme is CCA-secure, but is not an authenticated encryption scheme.

Solution: The scheme trivially does n ...

Score: 2
Beefster avatar
Can a man in the middle tell what kind of encryption you're using from a key exchange?
gb flag

Encryption schemes typically are built on the idea that even if a man in the middle attacker knows exactly what kind of encryption you're using, they cannot decrypt your messages without the key.

There are a number of different mechanisms for two users to create or exchange keys without a man in the middle being able to deduce the keys. If a man in the middle attacker did not know in advance what ...

Score: 4
Bean Guy avatar
Alternatives of how the Fiat-Shamir transform random oracle is applied to a protocol
in flag

The Fiat-Shamir transform typically works by substituting (public) coin tosses from the verifier by hashes of the prover's messages until this point, i.e.: $$H(x,\alpha_1) = \beta_1, \\ H(x,\alpha_1, \alpha_2) = \beta_2,\\H(x,\alpha_1, \alpha_2, \alpha_3) = \beta_3,\\\vdots$$ where $x$ is the public input of the protocol and the $\alpha_i$'s are the prover's messages.

I understand that this is prov ...

Score: 0
georggr avatar
Find the RSA private key only by knowing the public key, the ciphertext and that each letter in the alphabet was encrypted separately
ht flag

Is there a way to determine the private key (or the phi value) without n factorisation if one knows the ciphertext and the public key and that each letter of the (English) alphabet has been encrypted individually?

Score: 0
How to use Argon2 with salt from binary file?
br flag

In the Linux program Argon2, we need to supply the salt in the command line. This limits the salt to be printable characters. How can we use a binary string as the salt?

# argon2 -h

Usage:  argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m log2(memory in KiB) | -k memory in KiB] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            T ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.