Latest Crypto related questions

Score: 1
JeremyDEX
Ensuring Data Security During Decryption and Re-encryption Process

Scenario:

Consider a scenario where Server 1 stores a 600-800 KB ebook encrypted with a certain private key. Server 2, a computation-purpose server, holds this private decryption key and has access to the encrypted file. Its task involves decrypting the file and re-encrypting it with a public key using a specific algorithm.

Problem:

The problem lies in ensuring that Server 2 doesn't create a local cop ...

Score: 2
Pierre Abbat
Which reordering should I use for an 8-bit S-box?

I'm designing a cipher which has key-dependent S-boxes. The procedure is like this:

  1. Transform the key (a string of bytes) into 96 16-bit words (the high bits are ignored, but make a difference when these 96 numbers are reshuffled to make the other two S-boxes).
  2. Start with the identity permutation [0..255].
  3. Take it 8 bytes at a time, and permute it using one of the 96 numbers. This can produce 32768 of  ...

Score: 1
vxek
Finding the r-th root in $\mathbb{Z}/n\mathbb{Z}$

I was reading the paper One-way Accumulators: A Decentralized Alternative to Digital Signatures by Benaloh and de Mare [link], and in section 4.2, they say that given $z\in (\mathbb{Z}/n\mathbb{Z})^*$ and a set $$\{(z^{1/m_1}, m_1),(z^{1/m_2}),\dots, (z^{1/m_k}, m_k)\}$$ with $m_i \in \mathbb{Z}$, computing $z^{1/r}$ for $r \in \mathbb{Z}$ is hard, which I get since the order of $(\mathbb{Z}/n\mathbb{Z ...

Score: 2
Sir Muffington
Is it possible to reverse engineer an encryption algorithm derived from AES-128 given these conditions?

Given the following conditions:

  • The encryption program, which uses some algorithm resembling AES-128 but with unknown modifications to real AES-128.
  • It uses a fixed key and IV.
  • It is written in Rust WITH debugging symbols but no source code is provided.
  • One is able to provide an input and get the encrypted output back.

Would it be possible to achieve the following?:

  • Decrypt let's say 48 bytes of  ...

Score: 2
Freak14
Is it possible to perform an unlimited amount of multiplications on the same ciphertext in fully homomorphic encryption?

I am currently playing around with some of the Python FHE libraries and found out that, e.g. TenSeal (SEAL) is able to perform "only" 8 ciphertext-ciphertext multiplications on the same ciphertext (8x1 Vector) (c1 = c1*c2 in a loop) before the noise threshold is surpassed and decryption fails.

The parameters I set for this are: poly_modulus_degree=16384 and plain_modulus=536903681 using the BFV Schem ...

Score: 2
Paul Uszak
Is hash function cryptanalysis the same or more difficult for iterated hashing, as H(H(H(H(H))))?

The effectiveness of hash function attacks is typically measured in $x$ broken rounds of $N$ total designed rounds. And some constructs containing iterated hash functions include proof of work schemes, blockchains and key derivation functions. Constructs like $H^i(...)$.

What is the predicted effect on $x$ as $i$ increases? Or simply, can we still break $x$ rounds of $H$ no matter how many times it's ite ...

Score: 1
Melab
Are (0,0) the coordinates of the "point at infinity"?

Christel Bach's elliptic curve calculator has the coordinates for the "point at infinity" be $(0,0)$. Is that just a stand-in?

Score: 2
mrrrk
Long Random Key and XOR - How Secure?

I have an application that encrypts files in the following manner (I think I can hear sighs already but bear with me):

  • Start with two byte arrays generated from random strings of lengths l1 and l2 (fwiw, l1 and l2 are primes)
  • Loop through both arrays (nested loop) and generate a third array of length l1 * l2 where each byte is the result of XORing the indexed bytes of the other arrays
  • Accept a password ...

Score: 2
hunger
Can limited password/PIN length be compensated by a computationally intensive hashing function?

  • Say we have a very limited password space with only a 4 digit PIN, so only 10000 PIN possibilities.
  • Say also that the attacker has access to the stored form of the PIN.

Can breaking the PIN be made reasonably difficult by storing the PIN in a way that makes the reverse computation impossible, as well as the storing itself really time-intensive?

Of course, arbitrary hashing alone - although usually ...

Score: 0
user432944
Fixed-base exponentiation with preprocessing

Is anyone aware of an in-depth study of algorithms using preprocessing to compute fixed-base exponentiations? Assuming I am willing to do arbitrary computation in the preprocessing phase (but not store an arbitrary amount of data afterward), what is the optimal time/storage tradeoff here?

Note: I have read this page on Wikipedia as well as this answer from 9+ years ago. (However, the link provide ...

Score: 1
Given $i$ keyed-$PRP$ labels $\ell_{i,x}$ from a $2^{256} \times 2^{256}$ Sudoku (Latin-square), how difficult is it for an adversary to solve?

There's a keyed-permutation I'm playing with, $\ell_{i,x} = \pi_i(x_i)$, which is a bijection $X \leftrightarrow X$, where $|X| = 2^{256}$, and whose evaluations on plaintext inputs $x_i$ perfectly fill out a Latin-square, $L$, when an appropriate incrementing function, $\pi_{i+1} = \pi_i\mathrm{.step()}$, is applied on the inner-state.

Each $x_i$ is the $i$-th block of some plaintext. Each row in  ...

Score: 3
Security level of sponge construction based on output and capacity

I was looking at the security level of instances of sponge construction on Wikipedia depicted in the following image. It seems to me that the security level for collision resistance follows the formula $\min(d/2,c/2)$ while for the preimage it is $\min(d,c/2)$. Can somebody explain why it is the case, please? I mean why do both have $c/2$ but one is $d/2$ and the other $d$?

Score: 2
Shark44
CTF - AES Padding Oracle

I am trying to solve another CTF challenge. The challenge consists in trying to exploit an oracle that decrypts any hex text we send (see code below). I am kind of stuck on this one as this is not a classical challenge, since the decrypted text is not displayed. My guess would be one should exploit the fact that exceptions are printed to find some detail regarding the key, and once the key is found, dec ...

Score: 0
wefad12292
Node.js generated JWT secret, nanoid() vs crypto.randomBytes() which is stronger

Which method will generate stronger secret?

64 character secret generated by nanoid (https://www.npmjs.com/package/nanoid) with characters: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_- e.g.: hNr3COb9fSz5qfZBCQx3GkpLVW-tbVM0E-Nl8xgcf8Js8-l6fqOIfSd6Gk-T_nkE

or crypto.randomBytes(32).toString('hex') e.g.: d152189824ea6b25c34048960dfa57722d547eff9e4e98a67064d910010e6747

both create 6 ...

Score: 0
h q
AES encryption in Perl with custom Key and IV

I have the following AES encryption code in JavaScript, but I can't seem to get comparable result in Perl. (Please let me know if this is the correct forum.)

'use strict';
const CryptoJS = require('crypto-js');

const message = 's3cret';
const aesPassword = 'MyPassword';
const salt = CryptoJS.lib.WordArray.random(16);
const iv = CryptoJS.lib.WordArray.random(16);
const key = CryptoJS.PBKDF2(aesPass ...

Score: 1
HankCa
js-ethereum-cryptography secp256k1 signature difficulties

I'm currently undertaking a course on Blockchain cryptography. And our first project is to transfer tokens from one wallet to another using client / server application. All mock of course.

This project is using the prescribed https://www.npmjs.com/package/ethereum-cryptography

The theory is this as I understand it:

Client side

  • generate public and private key
  • Create what I call an action object -

Score: 2
Shark44
CTF - DES Challenge

I am trying to solve a CTF challenge based on DES. I attached the code of the challenge to the question. So far I have noticed that the otp used for the encryption is the same for the entire session, and my idea would be the following:

  1. Get the OTP by using choice 1
  2. Use the obtained OTP to decrypt the ciphertext given by choice 2 (since I pass the key)

I tried to implement this process and haven't m ...

Score: 1
Alexander Vidaurre Arroyo
Why is a modified version of ElGamal used in the JCJ e-voting scheme?

I was reading the Coercion-Resistant Electronic Election paper and don't understand why the authors chose a modified version of ElGamal.

I guess that it was for security reasons. If so, what are the security issues of using a basic ElGamal scheme?

Score: 2
Purushotam Sangroula
Prove with ZKP that I have encrypted a message $v + random\_number\cdot c$ given an RSA public key?

I want to create an application in which users can cast votes to a blockchain in encrypted form using RSA. The private key will be revealed only after completion of the election.

My major use case is as follows:

  • There will be a certain number of candidates, $c$. So the voter has to choose a number from $1$ to $c$; let's say his choice is $v$;
  • Encrypted votes will be: $ballot = v^e$;
  • Since there are finitely small ...

Score: 0
nomad.lw
Question regarding JWK generation using RSA-PSS 4096

Summarized Question:

In the context of JWK generation using RSA-PSS 4096bit with SHA-256, where the public exponent is "e" = 65537, is there any situation where the prime number 21863 comes in view?

Context:

To start, I'm not well versed with the mechanics of the algorithms discussed here, just the overview.

The question comes from a metapuzzle I'm trying to solve, the mini-puzzle I'm working is a dra ...

Score: 4
Vardhan Mahajan
What are the state-of-the-art TRNGs today?

How fast are the fastest ones? Which ones have the most entropy? Which ones are the most practical ones?

I tried looking for answers on Wikipedia and also tried reading papers, but I couldn't find answers to these questions. I was looking for a recent paper that would have compared all the TRNGs, but I couldn't find one.

There is also an underlying assumption in the question: Is there a wa ...

Score: 1
Pierromer
Instead of asymmetric encryption, why not use two one-time pads?

Why is the following protocol never used to share a symmetric key between two parties? ⊕ is the XOR operation.

Alice has M and wants to send it to Bob. Alice generates K₁ randomly. Bob generates K₂ randomly.

  • Alice has M.
  • Alice : M -- ·⊕K₁ --> M⊕K₁
  • Alice sends M⊕K₁ to Bob.
  • Bob : M⊕K₁ -- ·⊕K₂ --> M⊕K₁⊕K₂
  • Bob sends M⊕K₁⊕K₂ to Alice.
  • Alice

Score: 1
Atonal
In ECDSA over K256, why should R.x be less than the subgroup order rather than the field order, while in BIP340 over K256 it should be less than the field order?

I understand that R.x is a field element.

I don't understand why in ECDSA verification, i.e. FIPS 186-5 section 6.4.2 step 1, we check whether r is less than the subgroup order.

If it has something to do with the curve (what?), then why in BIP340 Verification step 2 do we check whether r is less than the field order?

Score: 0
Why does the permutation polynomial have the First Lagrange base added to it in PLONK?

From the PLONK paper.

On page 19 & ahead, the permutation check is described. In particular, on page 20, the protocol is described.

Step 5 of the check is described as

Verifier checks if for all $a \in H$

a) $L_1(a) (Z(a) -1) = 0$

b) $Z(a) f'(a) = g'(a) Z(a\cdot g)$

However, in the actual Round where (I think) this check is implemented (Round 2 on Page 28), this is how the polynomial is created ...

Score: 1
Genie
Is Message Layer Security the state-of-the-art protocol for group encryption?

I'm trying to read about Diffie-Hellman (one-to-one) kinds of protocols for group communication. Is Message Layer Security the state-of-the-art protocol for group encryption (not necessarily chat or application layer)? I found Tree-Based Group Diffie-Hellman as one such handshake algorithm for group encryption, but I am not sure about its industrial application. Is there an RFC for the class of group encryption  ...

Score: 4
Chunchi Liu
Can blockchain be considered a cryptographic primitive?

This might be a silly question. But since more and more people simply use public blockchains as a secure ledger to store mutually agreed information to secure their high level applications, could we abstract blockchains as a secure ledger primitive that has the following properties:

  • Append-only
  • Tamper-proof (by minority of the participants)
  • Universally consistent view (under certain synchrony assumpti ...

Score: 0
Sponge construction versus Merkle-Damgard for hashing based on the very same primitive

I am a bit confused about sponge constructions and Merkle-Damgard-style ones for hashing. The only advantage I see for sponge constructions is that they are secure against length extension attacks. So if the application does not mind such an attack, Merkle-Damgard should be better; is that the case? My intuition is that to hash long messages with sponge ones every message block has to be smaller (du ...

Score: 1
Answering a boolean question without knowing "who" the answer is

Can cryptography solve this problem?

Two people are chatting, Mr. X and Ms Y. They give each other a CRC16 hash of someone's name initials and salt a random number at the end (suffix).

Ms Y: "I love someone with the initials {53d4}".

Mr X: "Are that person's initials {da17}?"

{CRC16} -> Original String
{53d4} -> A7777
{da17} -> X123

This means, Ms. Y loves someone with initials name

Score: 2
Z. Chen
How to convert exponents and group operations to gates in an arithmetic circuit

I am following Vitalik Buterin's article to study zk-SNARKs recently.

I can understand the main procedure of zk-SNARKs when given the example equation x**3 + x + 5 == 35. However, in cryptography, most equations contain exponents. For example, the prover may want to prove knowledge of $a$ in $g^a=A$. In this case, an arithmetic circuit seems hard to build from multiplication gates (since the number of ...

Score: 1
ah_
How to calculate an ECDSA compressed public key in HEX?

I am given the ECDSA public key x and y coordinates below and need to calculate the compressed public key in HEX:

PubKey.X :

61702053028733271054209908027052318932346644879827564097906752978487519734153

PubKey.Y :

107222915356196552656214196479588207773590978294786246589469812962187242002272

How do I find the Compressed PubKey?

For example, say Alice generates a private key ‘a' (currently these kinds of ke ...