Latest Crypto-related questions

Score: 2
Razor Sharp
How to find second subgroup for ECC Pairing?

Pretty new to ECC Pairings. I am trying to understand KZG Commitments from multiple sources. I found this blog beginner friendly and easier to understand. However, I'm stuck at ECC Pairings and having difficulty in order to completely understand it.

The blog mentioned:

  • Input: 2 points ($P$ and $Q$) on 2 subgroups of the same curve ($\mathbb{G}_1$ and $\mathbb{G}_2$).
    • $\mathbb{G}_1$ is a subgroup of ...
Score: 2
funerr
Using embeddings to anonymize information

This might be a stupid question, so bear with me. I was wondering if LLM embeddings can be used to anonymize input text. I couldn't find any information online that says that embeddings can be 1:1 decoded back to the original text.

An example: A user wants to check some metadata about a query with an external API, but doesn't want the exact text input to be sent to the API (it might contain perso ...

Score: 5
Sumuk Shashidhar
Theoretical Approaches to crack large files encrypted with AES

I have a large file (> 200 Gb), that I encrypted a while ago with AES-256-CBC. The file itself is a tar which I ran through openssl. I've forgotten the exact password, but have a general idea of what it is.

Brute force is the easiest way to crack this from what I've seen (given the circumstances that I have a general theory of what the passwords might be), but the hitch I've run into is the time i ...

Score: 0
Beingcrypto
Why does compressed WIF generate a different address when importing to a wallet

I have a compressed WIF private key starting with K, but whenever I try to import it, it gives a different address. What could the issue be? The address generated is correct for the private key, as I do have the screenshot as well from when it was generated back in 2018 using a well-known Python script. Every time I try to convert the compressed WIF I keep getting a new address, but not the old one.

Score: 0
user1035648
Hiding property of Elgamal-like bit commitment

An Elgamal-like bit commitment scheme:
Let $\langle g \rangle$ be a group of order $n$, where $n$ is a large prime.
Let $h\in_{R}\langle g \rangle\setminus\{1\}$ denote a random group element such that $\log_{g} h$ is not known to any party, neither the sender nor the receiver.
$commit(u,x):=(g^{u},h^{u+x})$, where $u\in_{R}\mathbb{Z}_{n}$ and $x$ is the value we want to commit to.

Elgamal-like bit co ...

Score: 2
Clara Höfner
May RSA-PSS DB MSB be 1?

I've used OpenSSL to generate an RSA-PSS keypair.

8slDhv5hoHJq1HizAiEAwi1yKT4YeBWc7vxwBwQ5i2DtrhfOxOs1+Mzij7xu1z0 ...
Score: 0
Erik Aronesty
Non-interactive EC DKG (Distributed Key Generation) question

Normally, when computing an EC threshold DKG, I have all parties reveal a commitment to the public key, and only reveal their own public key after verifying the commitments. Otherwise it's trivial to produce a public key that gives one member control. In a 2-party setting, for example, one can just wait for the other's public key, compute the inverse, and then publish that.

But can you make it noninte ...

Score: 1
GH HONG
proof of uniform hypersphere sampling

In this paper, they shortly introduced how to uniformly sample points from the n-sphere.

The points of n-sphere consist with normal variables. My question is ..

  1. If I sample coefficients of a ring using the normal distribution, what are the differences between a sphere sample and a normal sample of the ring?

  2. How normal variables make uniform distribution in sphere? Can I formally prove it?

  3. If Q2 is possible, is it ...

Score: 2
tesoke
Poly-commitment based on Bulletproofs

I am reviewing the ZKP course presented by the University of Berkeley (in pages 41 and 42 of lecture 6 that is attached below), where the instructor explains the Poly-commitment based on Bulletproofs scheme. He uses an example for a polynomial with degree 3 and then defines $f'_0 = rf_0 + f_2$ and $f'_1= rf_1 + f_3$. I think that if

Score: 4
P_Gate
Proof regarding a property of "$q$-ary" lattices

In this question we are dealing with "$q$-ary" lattices. I will give the definition available to me and I'm interested in proving the lemma. As a reference see the PDF on page 2 from Peikert's lectures.

Definition. Let $\mathbb{Z}_q := \{ 0, 1, \dots, q-1\}$. We define $ \Lambda^{\perp}(\mathbf{A}) := \left\{ \mathbf{z} \in \mathbb{Z^m} : \mathbf{Az = 0} \right\} $, where $\mathbf{A} \in \mathbb{Z}_q^{n \ ...

Score: 3
deja
Is it possible to forge a RSA signature with a known public key, hardcoded padding, and unlimited oracle information?

I'm doing vulnerability research and looking at a device that is using some u-boot RSA encryption that they've modified. I've extracted the 4096-bit public key from the flash, it has an exponent of 65537. They simplified the padding to use a hardcoded 480-byte array that's labeled as "PKCS 1.5 paddings as described in the RSA PKCS#1 v2.1 standard"

[ 0x00, 0x01, (458 * 0xFF), 0x00, 0x30, 0x31, 0x30 ...

Score: 0
mmazz
Homomorphic Encryption CKKS scheme: How library SEAL represents in memory a Ciphertext

I'm trying to understand how a CKKS ciphertext is represented in memory, i.e. its data structure.

Here is what I understand, correct me if I'm wrong. I also add some questions.

  1. To start with, given a polynomial degree N and a coefficient modulus, say {60, 40, 40, 60}. This means that in the CRT representation there will be 4 polynomials, two of them with coefficients of 60 bits and ...
Score: 1
Godzilla84
What are the software tools used for customizing secret sharing and network steganography, which can be used for enhancing secret data transmission?

My goal is to enhance by bringing some changes to these techniques and schemes so that any improvements can be brought to them. So I tried to find some of the tools and came up with these:

Secret Sharing Protocol:

Cryptool: Cryptool is an open-source software suite that includes various cryptographic tools and modules. It provides a platform for designing, simulating, and analyzing secret sharing proto ...

Score: 2
Allexj
Bit flipping attack in hash function for message authentication

Use of a hash function for message authentication

In this picture we have a use of a hash function for message authentication.

M is plaintext message. H is hash function. E is encryption block with K symmetric key. || is concatenation of plaintext M with the output of E.

Is it true that this is vulnerable to bit flipping attack? I'm not sure how though.

This is what they said to me:

You do the bit flipping on the encrypted hash in such a way th ...

Score: 3
user57467
Would sending audio fragments over a phone call be considered a form of cryptology?

I have been wondering if sending audio fragments over a phone call would be considered a form of cryptology.

Let's say that you own two mobile phones and say that one of your phones is on the Verizon network and the other is on the AT&T network. You have a friend who also owns two mobile phones. Say that one of his phones is on the T-Mobile network and the other is on the U.S. Cellular networ ...

Score: 3
Kolja
Reference for basic secret sharing and MPC arithmetic algorithms

I am looking for references for the most basic secret sharing and MPC arithmetic algorithms for generic rings or prime fields.


Suppose there are $m$ parties $P_1, \ldots, P_m$ which wish to do arithmetic over a ring.

They hold some secret shared values $[x], [y]$ and they wish to compute $[x+y]$ and $[xy]$.

What are the basic algorithms for solving these problems?
What are the basic se ...

Score: 1
Felipe Rampazzo
Error to create PQ certificate in C - x509 certificate routines:X509_PUBKEY_set:unsupported algorithm

I'm learning OQS OpenSSL and I'd like to create a certificate with Dilithium in C, using liboqs and OQS OpenSSL. This is my code (based on and a little bit of ChatGPT):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/obj_m ...
Score: 1
Joe Rowell
Is there a ZKP that proves knowledge of a particular elliptic curve point?

Let E be an elliptic curve of prime order n. If we assume that Alice and Bob both know a scalar value z, is there a known zero-knowledge protocol (ideally a Sigma protocol) that allows Bob to convince Alice that he knows some point R such that zR satisfies some equation?

The context of this is as follows. I've recently been looking at ZKAttest, which allows a prover to display knowledge of an authenti ...

Score: 0
wzh
Fast Private Set Intersection from Homomorphic Encryption

I encountered a question while reading an article. My understanding is that fully homomorphic encryption supports ciphertext addition and multiplication. Why does the basic protocol given in this article include a ciphertext subtracted by a plaintext?

Score: 3
user4242
Assumptions on zero-knowledge proofs without trusted setup

Let's start with what got me wondering about this issue: It's a curious construction, that while most digital signature schemes come from public-key encryption (Impagliazzo's cryptomania), there are constructions like SPHINCS that construct secure signature out of a hash function (Impagliazzo's minicrypt).

Now there exists a SNARK construction without trusted setup ala Hyrax. Has there been any w ...

Score: 1
Amir Hassan
Stuck on Decrypting with RSA and SHA256 in Encryption Task

I'm working on solving an encryption task, and I'm a bit stuck. I want to clarify that I'm only seeking hints and not direct answers, since I want to solve it myself. The goal is to solve it on my own; otherwise, it wouldn't make sense. Therefore, I'm just looking for hints to help me progress from where I'm stuck, or any comments suggesting that I might be missing an aspect or something.

The task s ...

Score: 2
Halfuhmeatball
For fun puzzle has me stumped on a book cipher

So originally a puzzle was given out to a community I'm a part of, and what was given was this.

. .. . ... . . . . . . . ... . .. . . . . . .. . ... . . . . . .... . .. . . . . . .. .. .. . . . . . .. . . . . .. ..... . . . . . .. .. ..... . . . . . .. . . . . . . . .... . . . . . . . . . . . . . .... . . . . . .. . . . . . . . ... .. .... . . . . . .... ...

Score: 1
donaastor
Poly1305 variants with bigger output?

This is a rather simple question, but answers are nowhere to be found. Are there any variants of Poly-n hashing algorithms which provide bigger outputs (like 32 instead of 16 bytes)? Or, is there any research which discusses the variability of the constant $2^{130}-5$, why this number is special or whether there are other good alternatives? I understand that it would be better if it was a prime nu ...

Score: 3
tock203
Verify HMAC tag without knowing the key

Let's say there's Alice and Bob.

  1. Let Alice and Bob agree on a message $M_1$, a tag $T_1$, and a function $HMAC$.
  2. Alice proves to Bob that she knows a key $K$ such that $T_1 = HMAC(M_1, K)$ without revealing what $K$ is, using a zero knowledge proof.
  3. Alice sends Bob some cryptographic object $MysteryBox$.
  4. Alice dies.
  5. When Bob puts $M_2$ and $T_2$, which Alice doesn't know, into $MysteryBox$ she left, he c ...
Score: 2
John dow
ZKP of knowledge of EC keys preimage

There is a random scalar seed $s$ which we may call a master secret.

There are 2 public strings or scalars: $m1, m2$ and 2 corresponding EC keypairs: $a, A=a*G$ and $b, B=b*G$

$a$ and $b$ are somehow securely derived from $(s, m1)$ and $(s, m2)$ respectively.

It might be $a = HKDF(s, m1)$ or $a = s + m1$, or some hash, it does not matter right now.

I need to prove 2 things without disclosing $s$ or

Score: 4
Why NIST 800-56A rev3 does not use cross secret calculation in C(2e, 2s, ECC CDH) scheme?

In the NIST 800-56A rev3 "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography" in section "(Cofactor) Full Unified Model, C(2e, 2s, ECC CDH) Scheme" the shared secret is calculated as follows:

Party U Calculates:

  1. $Z_s = d_{s,U} Q_{s,V}$
  2. $Z_e = d_{e,U} Q_{e,V}$
  3. $Z = Z_s || Z_e$

Party V Calculates:

  1. $Z_s = d_{s,V} Q_{s,U}$
  2. $Z_e = d_{e,V} Q_{e,U}$
  3. $Z = Z_ ...
Score: 2
kodlu
Best Known Attacks on Discrete Logarithm in Generic Groups

This is a followup to my recent question Discrete Logarithm Challenges and Records.

I am interested in confirming my understandings from the answer to that question, stated below:

  1. For a discrete logarithm problem in a generic group of size $N$ with no special algebraic structure, the best known attack is Pollard's rho method. If memory complexity were not an issue (it is!) then Baby Step Giant Step ...

Score: 1
mactep Cheng
Is Lemma 4.5 in the Plonk paper correctly described?

In Lemma 4.5 of PlonK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge, they claim that we can construct a polynomial protocol $P^*$ from an $S$-ranged polynomial protocol $P$. However, in my opinion, I think it constructed $P$ using $P^*$ in the proof.

Specifically, in the last step of the construction, the verifier queries the identity of a polynomial (not in a ran ...

Score: 1
Benjamin V
Proving set membership using Plonky2

I'm not sure if this is a good place to ask, but I have some issues with using plonky2 to make some proof.

In particular, I want to prove that a private element is part of a set (i.e. $x \in X$), and that this same element is the primitive of a hash function (i.e. $\operatorname{SHA256}(x) = h$). The set $X$ and the hash $h$ are public, but I need to keep the value $x$ private.

It was fine to prove ...

Score: 1
Miral
Secure encryption in the presence of a keyservice

Imagine this scenario:

  • On a particular PC is a service that provides cryptographic functions -- in particular AES-CBC and ECC (ECIES/ECDSA).
  • The service provides access to a single key stored in an HSM -- the key itself is never visible to any software on the PC (including the service itself).
  • Copying the service software to another PC will not provide access to the same key, since the HSM doesn't foll ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.