Latest Crypto related questions

Score: 1
FreeTrade
Convert a Schnorr Public Key to a compressed ECDSA Public Key

Given a Schnorr Public Key (32 bytes) x, I'd like to generate a compressed ECDSA Public Key (33 bytes) and thus be able to generate the bitcoin address that the private key holder can generate with their private key.

  • A Schnorr Public Key is x (BIP340, https://bips.xyz/340 - more detail about the Schnorr signature.)

  • An uncompressed ECDSA public key has the starting byte 0x04 + x + y

  • A compressed E ...

Score: 2
Anonymous1121
Is a single digital signature (ECDSA) of an encryption key (AES) enough to verify the legitimacy of all encrypted messages?

I have an encryption scheme set up with a client and server that utilizes AES 256. What I am curious about is whether or not all information sent from the server to the client can be verified as legitimate using just a single digital signature (ECDSA, secp256k1 specifically) on the key that is sent to the client.

Given a key (k1, k2), and material (m1, m2), I have heard that the following behavio ...

Score: 2
George Herbert
What type of soundness/knowledge soundness does Schnorr's proof of knowledge of a DLOG have?

For clarification, the protocol works as follows: $P$ wants to convince $V$ that he knows $x$ such that $g^x=y$, where $g,y\in\mathbb{G}$ of order $p$; they perform the following steps:

  1. $P$ samples $k\stackrel{R}\leftarrow\mathbb{Z}/p\mathbb{Z}$ uniformly at random, computes commitment $r\leftarrow g^k$, and sends $r$ to $V$.
  2. $V$ samples a challenge $e\stackrel{R}\leftarrow\mathcal{C}$ from a challenge  ...

Score: 1
macknight
Is multiplication available between ciphertexts with different slots' numbers?

Suppose we have two ciphertexts c1 and c2. c1 is generated based on the param whose slots are 1024. c2 is generated based on the param whose slots are 512. Then is multiplication available between c1 and c2? If not, can we shrink c1 to have 512 slots? If we can shrink, how do we shrink? Any ideas, steps or references? The only element I want to keep is the first element (value).

BR

Score: 2
Megha
For the given construction, not all secure PRGs give a secure PRG

Let $G:\{0, 1\}^n \to \{0, 1\}^m$ be a PRG. We define another PRG $G_0 : \{0, 1\}^n \to \{0, 1\}^m$ as follows: $G_0(s) = G(s) \oplus (0^{m−n}\mathbin\|s)$. Can there exist a secure PRG $G$ for which $G_0$ is insecure?

The question asks me to prove that such a PRG exists. But I am not sure how. Primarily I was thinking that if the PRG $G$ keeps the last $m-n$ bits of its output constant, then $G_0$ will ...

Score: 7
Daniel S
What is the status of the NIST Lightweight Cryptography Standardisation Process?

The NIST Computer Security Resource Center called for nominations for a process to standardise lightweight symmetric primitives in August 2018.

In the update talk in the 2019 Lightweight Cryptography Workshop, it was hoped that winners would be announced in 2021.

At the 2020 workshop, it was hoped that finalists would be chosen by the end of 2020 with the final round roughly one year to complete.

Score: 1
sg777
Recovering public key from scalar multiplication inverse

I have two keypairs on the curve curve25519

k1 --> (a, aG)
k2 --> (b, bG)

I can compute and verify that a(bG) = b(aG).

Let's say k = a (bG). I'm computing the scalar inverse of a, which is pow(a, -1), and computing pow(a, -1) a (bG), expecting that it will be equal to (bG), but I see it's not equal to bG.

From a(bG) by only knowing a and aG, is it possible to know bG?

Score: 2
BenTucker
Why is it impossible for asymmetric ciphers to be stream ciphers?

My study material states that although symmetric ciphers can be either block or stream ciphers, asymmetric ciphers can only be block ciphers, without further clarification.

Score: 2
Collin
Are there any significant ways in which TLS could still be improved?

With TLS 1.3 supporting only secure, forward-secret cipher suites, are there any significant technological improvements that could still be made to the protocol?

Score: 4
Can I get a Merkle proof out of blake3?

The overview of Blake3 states that Blake3 is internally a Merkle tree. Diving a bit deeper into the paper, one finds out that Blake3 splits its input into chunks of 1 KiB (1024 B), organizing the chunks in a binary tree whose root is used as the Blake3 hash of the input. This makes it fast to compute the Blake3 hash of large inputs, taking advantage of an essentially unlimited amount of parallelization, b ...

Score: 3
Max Weber
Why is the best way to solve LWE (and related cryptographic systems) via (approximate) SVP?

Community,

I'm new to lattice-based cryptography, and I'm interested in the security of cryptographic schemes like Kyber and why the focus of solving this problem leads to solving approximate SVP.

If you're looking into breaking Cryptography schemas like Kyber you find statements like:

“The best known attacks against the underlying MLWE problem in Kyber do not make use of the structure in the l ...

Score: 1
Zhengyi Li
Is privacy-preserving linear (logistic) regression necessary?

Linear regression is simply $y=Wx+b$, where the server holds $W$ and $b$ and the client holds $x$. Private linear regression means the client sends encrypted $x$ to the server and receives encrypted $y$. Then the client can decrypt $y$ for the result. I have read some papers about privacy-preserving linear (logistic) regression. But I have a question before designing protocols for it. One goal of ...

Score: 3
Craig Feinstein
Zero knowledge proofs that one has broken a crypto system

Suppose someone has figured out how to factor integers in polynomial time, thus breaking the RSA system. Also suppose this person does not want to reveal the secret of how to factor integers in polynomial time, only to prove he or she has broken it (or at least give evidence that he has broken it). One way to do this would be to present factors of the RSA numbers https://en.m.wikipedia.org/wiki/RS ...

Score: 1
Zoro Roronoa
Calculating RSA private key d

Modulus n = 1024 bit

p * q = 1024 bit

phi_n = (p-1)*(q-1) = 1024 bit

When calculating key d the multiplicative inverse

d = inverse_mod(e, phi_n)

The result d is 1022 bits long instead of 1024 bits long, which is stopping me from decrypting the ciphertext of 1023 bits. The calculation is done in SageMath; where am I going wrong?

Score: 0
Mohamed Mohamed Mourad Abdel W
Galois field problem in Cryptography

This problem is related to fields in cryptography. My question is: why is there no multiplicative inverse for 2? Isn't it 0.5? Or are matters different if it is related to a Galois field? I don't quite understand.

This is the Addition Table (image):

This is the Multiplication Table (image):

And this is the table with the additive and multiplicative inverses that I have a problem with (image):

Score: 0
Zoro Roronoa
RSA Decryption using OpenSSL

Trying to decrypt RSA ciphertext with a private key using OpenSSL.

Used rsatool to generate a .pem file for the private key, which is 1022 bits long.

Converted the original ciphertext, 1023 bits long, from just numbers to hex values of bytes.

I have used the command: openssl pkeyutl -decrypt -in C:\Users\abc\Desktop\Cypher.txt -out C:\Users\abc\Desktop\result.txt -inkey C:\Users\abc\Desktop\key.pem

But received an  ...

Score: 4
What would be the degree (or range of the degree) of the polynomial used in real life zkSnarks as used in blockchains?

I am reading this explanation of zkSnarks written by Maksym Petkus - Why and How zk-SNARK Works

They work through the concept of zkSnarks using a polynomial which the prover knows & he has to convince the verifier that he knows it. The verifier knows that the polynomial has 2 factors ($x = 1$ & $x = 2$), he doesn't know the other factors.

The polynomial used in the examples is something like the ...

Score: 2
Kaneez sk
Does the secret key in homomorphic encryption schemes like BFV, BGV schemes have to be from {-1,0,1}?

The secret key of the BFV and BGV schemes is generated as a random ternary polynomial from R2 (R2 is the key distribution used to sample polynomials with integer coefficients in {−1,0,1}). Is there any specific reason for it to be a ternary polynomial? Can we have it as a polynomial from Rq, i.e. with integer coefficients from {0, 1, 2, 3, ..., q-1}, and still have all the guarantees of being post-quantum secure?

 ...
Score: -2
Zoro Roronoa
Decrypting RSA with the key

I have

  • a 1024-bit modulus n,
  • the key d, which is 1022 bits long,
  • the public exponent 65537,
  • the two factors p and q,
  • and the ciphertext y, 1023 bits, which is all in numbers.

How can we perform decryption and work out the plaintext? I have tried CrypTool, tried entering the key d and the two factors p and q, but it always gives me an error saying

Output block size = 127 is too small must be 128

Score: 2
Taimoor
What does it mean that DES algorithm was meant to run on hardware?

According to sources that I've read, DES is not suited to a software implementation and is better suited to hardware. What does this mean?

Score: 1
Bean Guy
Why do I always obtain this soundness bound in parallel repetition of interactive proof systems?

Fix an interactive proof system $(P,V)$ and denote by $(P_k,V_k)$ an interactive proof system in which the parties play in parallel $k$ copies of $(P,V)$ and for which $V_k$ accepts if and only if $V$ would have accepted in all $k$ copies. The Parallel Repetition Theorem says that given a prover $P$ and input $x$ to the proof system: $$\text{If } \Pr[(P^*,V)(x)=1] \leq \epsilon, \text{ then } \Pr[(P^ ...

Score: 4
Bhargav - Retarded Skills
Why is XOR recommended/used in every paper I read for stream cipher encryption and decryption?

Stream ciphers use a deceptively simple mechanism: you combine the plaintext data, bit by bit, with “key” bits, using the exclusive or operation.

Why can't I use other operations such as NAND, AND, or OR? Can you give me one real example which shows the advantage of using XOR over other operations?

Score: 2
LUMPAAK
AES-GCM with HMAC

I am using AES-GCM to encrypt some data. I want every encryption to be done with a new random IV. For every encryption a new IV is generated and appended to the encrypted text to produce the cipher. Since the IV would be sent in plaintext, I thought I could also generate an HMAC of the IV and the encrypted text and append this MAC to the cipher.

mac: HMAC(iv || encryptedText)

The cipher would look ...

Score: 1
Ahamed Fayaz.
BAD Record MAC error from the server

I am working on an SSL client. Because of a server update I was enabling the cipher TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. While handshaking with the server I was getting a Bad Record MAC alert message from the server.

I have verified the timestamp and encryption status; they are correct, so that isn't the problem. I have no idea how to debug this; kindly give me support on how to debug it.

I have got the gcm code f ...

Score: 0
Irfan
IKEv2 with EAP and use of anonymous identity

IKEv2 RFC 7296 Section 2.16 provides an overview of how IKEv2 is used with EAP. That section states the following when a different identity (IDi) is used in message 2 (IKE_AUTH) from initiator to responder, e.g. anonymous@realm, and realId@realm is used in the EAP identity response:

When the initiator authentication uses EAP, it is possible that the contents of the IDi payload is used only for Authentication, Auth ...

Score: 4
edo1
Practical attack on MD5(key || fixed-length-message) as MAC?

I wonder if there is any practical attack on MD5(key || fixed-length-message).

Score: 1
How do most implementations of SHA-256 work?

Why is it that most implementations define sha256_init, sha256_update, and sha256_final functions that each operate on a SHA256_CTX object? The specification only mentions returning an almost unique hash for any given string of bits of any given length.

  • What is the reason to have these 3 functions instead of just a standalone function that returns an output hash for an input bitstring?
  • What exact ...
Score: 1
kevin.sh
RSA Private Key Format Without Chinese Remainder Theorem

I've been implementing RSA as a learning exercise and am at a point now where I'd like to try serializing my key to a file using some standard format. I've implemented it without using the Chinese Remainder Theorem, so my private key is composed only of my modulus $n=pq$ and my modular inverse exponent $d$. I've seen that PKCS1 & PKCS8 expect the use of the Chinese Remainder theorem. I know that I ...

Score: 9
asd
How strong are Bitlocker recovery keys?

This is an example of a bitlocker recovery key;

820042-335825-646573-481530-265253-688132-339900-822810 

Is that key actually strong? It does not have any letters, it uses only numbers, so is it OK?

Score: 1
muukong
Choice of Polynomial Quotient Ring

In (lattice-based) cryptography, the quotient ring $\mathbb{Z}[X]/(X^n+1)$ where $n = 2^e$ is a power of 2 is used in various cryptographic schemes (e.g., CRYSTALS-Kyber). It is my understanding that this is a common choice because we can efficiently compute products in this ring using the Number Theoretic Transform (NTT).

Another ring that admits fast multiplications via FFT-techniques is $\mathbb{Z}[X]/ ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.