Latest Crypto related questions

Alice encrypts file using her public key and upload it to decentralised file store (some service). Bob buys access to the file. Is it possible to share decrypted file with Bob without having Alice's key? Decentralised file store doesn't store any private keys, but it knows that Bob has access to the file (e. g. from smart contract).

I have a collection of images to transform in NFTs. For that purpose I have selected to work with solana blockchain, since it is fast and cheap.

I have used the following software resources:

• solana-cli
• node.js
• metaplex
• candy-machine-mint

In order to publish a collection, I needed to order the tokens from 0.png to Nth-1.png, and I have done some tests on solana devnet. In fact, I have the project almost ...

One way of verifying Shamir's secret shares is to use the technique by Feldman where $c_0,\cdots,c_k$ represent the coefficients of the polynomial $p()$ in $\mathbb{Z}_q$. For verifying share $(i,p(i))$ and public parameters group $G$ of prime order $p, q|p-1$ and generator $g$, the share generator provides $(g,d_0,\cdots,d_k)$ where $d_j=g^{c_j}, j \in\{0,1,\cdots,k\}$. The receiver of the share

I have the following question and don't really understand it. I thought OTP offers perfect secrecy, why do we need modulus? Can somebody please help me answer the question?

$Z_n$ denotes the ring of integers $\pmod n$. Alice and Bob share a random key $k \leftarrow Z_n$. Alice wants to send a bit $b \in \{0, 1\}$ securely to Bob (so that Eve cannot learn any information about $b$). She computes $b ...

In an MPC protocol, does anyone know a better way to multiply a var p by epsilon in {-1,1} than using a beaver triple ?

(I am thinking about doing it in a SPDZ like protocol such as Overdrive)

I'm building a project on Arduino Mega microcontroller and I need some nonce generator for challenge-response exchange. But I failed to find some alphanumerical string generators. Then I came up with an idea to make one using the random() function that generates random int in limit you give and hash that integer with HMAC using another secret key (one that could be auto-generated on startup since it  ...

In the SEC#1 elliptic curve cryptography standard, the encoding of the public key involve a leading octet:

• 00h: The public key is the point at infinity.
• 02h, 03h: The public key is the compressed point.
• 04h: The public key contain both x and y coordinates.

What is (or was) the value 01h for? Had there been other values defined for ECC?

I'm interested in learning about cryptography and making something practical out of it - make own cryptocurrency sometime im future.

I think I have good knowlegde of c++, I learned from learncpp.com and from Bjarne's books. So first what I need is book about basics of cryptography. After that I would do some practical things so I need something to cover cryptocurrencies in c++.

Any suggestions? Than ...

Given only $p,$ $g,$ $A = g^a\pmod{p}$ and $B = g^b\pmod{p},$ the possible values for the shared secret are all the unique values of $A^b\pmod{p}$, where b is some integer. The shared secret is also equal to $B^a\pmod{p}$, where a is some integer.

So, we can check each one of these possible values for the shared secret. My question is, how do we check if a number is the correct shared secret?

My guess i ...

I am working on an E2E encrypted app. I am using OpenPGP.js and storing public and private keys on the server. The private key is encrypted with a BIP39 passphrase which is stored in browser LocalStorage so it's never sent to a server. But I also need some credentials for users to login.

My idea is to make SHA256 from BIP39 passphrase and split it to two strings. First can be used for "username"  ...

I am not good at cryptography so please :)

After reading this discussion it is now clear to me that xxHash is not resistant to collision attacks and is not secure for MAC usage. But after reading it, I still don't understand how resistant XXH3 (one of xxHash family) is to preimage attacks.

Yes, XXH3 output is $64$/$128$ bits which means that the probability to find image is $2^{64}$/$2^{128}$ correspondi ...

In Rabin and Ben-Or, their basic assumption is that each participant can broadcast a message to all other participants and that each pair of participants can communicate secretly. Hence, they design a protocol of communication that is called verifiable secret sharing protocol (VSSP), and show that any multiparty protocol, or game with incomplete information, can be achieved if a majority of the play ...

I am wondering if one can apply Grover algorithm on a key encapsulation mechanism in order to crack the shared key.

For example, FrodoKEM is a key generation protocol that, for some parameters, shares 128 key bits.

Can we break it using Grover? i.e. reduce it to $2^{64}$ operations?

Reference for FrodoKEM: https://frodokem.org/files/FrodoKEM-specification-20171130.pdf

I've been reading about perfect secrecy in crypto systems and I've ran across two definitions which turn out to be equivalent.

The first is Shannon secrecy:

A crypto system $(\cal K, \cal M$, $\text{Gen, Enc, Dec})$ is said to have Shannon secrecy if for all distributions $\cal D$ over $\cal M$ and for all $m\in\cal M, c\in \cal C$ $Pr_K[M=m| C=c]=Pr_K[M=m]$

where $K,M,C$ are random variables whose dist ...

I try to use a sequence of games to prove a scheme is CCA secure. In the final two games, the ciphertexts are $(c_1^*, Hash(x)\oplus m_b, Hash(x,a))$ and $(c_1^*, random, Hash(x,a))$ respectively, where $c_1 ^*$ and $a$ can be viewed as given numbers, $x$ is a variable and $m_b$ is the challenge message.

The advantage of the adversary in the latter game obviously is 1/2, so if the two games are indis ...

I was wondering why ecdsa generates a signature in form of a pair (r and s) and why it can't be only one value.

When I want to use encryption only for challenge-response exchange and not for hiding the contents of an encrypted message, is it still a threat to me not changing IV for new encryption?

For easier understanding why I ask this here is my situation:

I'm using two Arduinos with LoRa transceivers to communicate with each other. One is a bridge connected to the internet and the other is connected to servos ...

Call a prime $p$ devious if $(p-1)/2$ is a Carmichael number. They are called devious since they superficially look like safe primes but are not. In particular, Diffie-Hellman using such a prime could be vulnerable to the Pohlig Hellman algorithm.

Devious primes exist. A small example is $4931$. A more interesting example is

$$1947475860046218323 = 2(973737930023109161) + 1 = 2(220361)(1542521)(286 ...

Is there a strict proof for secure multiparty protocols? What do they serve? I mean some have shown the existence for such protocols, but can I use them in order to substitute a mediator in game theory who sends messages to the players? How can I model a process of $3$ or $4$ players who can play a game wihtout the central mediator and they exchange infroamtion with each other?

From what I've read so far, nonces are random one-time values, which are sent in plaintext in addition to the ciphertext to verify identity of sender/receiver. Theoretically, if the nonce is random, an attacker E can intercept Alice's message which was designated to Bob, and impersonate as Bob by generating a random nonce, without ever communicating with Bob.

So if the request-response protocol i ...

why is breaking a (asymmetric) 1024 bit RSA key less difficult than breaking a 128 bit (symmetric) AES key? Breaking RSA key involves finding the prime factors of a large number. What is involved in breaking an AES key?

Look I know AES256 is ridiculously secure but to keep aes secure even after quantum computers, I have a concern.
Using the Grovers theorem aes can be reduced from 256 to 128 bits for brute force attack which is also pretty strong but I don't want to be limited to it
Is it (atleast in theory) possible to implement aes512, aes1024, etc...
I mean what's stopping us like for 128bit aes we use 10 rounds of ...

I am searching for a simle model that can simulate the following procedure.

Suppose that $i$ and $j$ are two agents that each one obtains her state dependets signal $s_i(\omega)$ and $s_j(\omega)$. After observing their own signals with probability $1$, they do not know anything about the signal that the other agent has, but they do know the common prior $\pi$ about the signals, s.t. $\pi:\Omega\to \D ...

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Suppose we have a (t,n) Shamir-secret sharing scheme. A value of some computation is shared with n parties where at most $t-1$ parties are malicious. What is the best strategy to reconstruct the shares? I believe we can use Reed-Solomon error corrections to retrieve value for upto t<n/3. For t<n/2, we can randomly reconstruct $k$ times using $t$ shares and check for the value that appears the most n ...

I read in literature that Rabin Cryptosystem can be broken using chosen-ciphertext attack. It is described that after chosen ciphertext is decrypted attacker can factorize public key $n$ by using square root with probability of $1/2$. But in article it is not described how this factorization is done.

If somebody can give some example I would be grateful.

The Cryptography made simple (page 207, under Fig 11.12)(Nigel Smart) say that adversary's advantage of IND-PASS Game is $Adv1 = 2\times|Pr[b=b']-\frac{1}{2}|$.
The reason for multiplying by 2 is to normalize advantage from $[0,\frac{1}{2}]$ to $[0,1]$.

But in this paper (page 5, line 9), the advantage of IND-CKA Game is $Adv2 = |Pr[b=b']-\frac{1}{2}|$ which is not normalized and scale is $[0,\frac{1}{2 ...

Can anyone tell me how to find the inverse of a given polynomial using python programming? Ex: input given is to find the inverse of (x^2 + 1) modulo (x^4 + x + 1). the output should be : (x^3 + x + 1).

I found a scheme for white-box RSA. It seems to protect the input and output of modular operations.
I'm curious about how to analyze the security of this solution.
Does anybody know anything about it?

I am trying to calculate Alice and Bob's shared key by hand without the use of a calculator as I feel this is an important trait when progressing into cryptography.

I understand you can use the square and multiply method however we are being taught a shortcut method which I don't quite understand fully.

Question Example:

Alice and Bob use the DH protocol with p = 19,g = 2 and secrets a = 6 and b =  ...