Latest Crypto related questions

Let's suppose :

• I have a record/database (D) of 754 lines and each line correspond to a SHA256 hash.(Hn)
• I hash all this record to a final and unique SHA256 hash like this : 1a3e6af379316c6b863318f9e23ad0588d7d845ea92f316779f36167fd359fb0 (F)
• I know H34 (single entry of D) which is 9370d1f5ab2fe94f685039fc8a2bb8ec3c2a3b100f20e58f261933b72f3bbd56.

How to prove that a single hash (H34) belongs to the ...

Let's suppose this:

• Message is "I love crypto.stackexchange.com" (M)
• Bob creates hash H1 with the message M and his private key (Priv)
• Alice receives a message X, and hash H2 with message X and the public key of Bob (Pub)

So from 1=(,Priv) and 2=(,Pub) can we tell if =? (thanks to @fgrieu)

If it's not possible with a standard hashing function for an asymmetric cryptosystem, in what case it would b ...

This question is related to this (but it is not the same).

Let's suppose I have a seed with an entropy of 1024-bits and hash it with a counter using a hash function with one-quarter of the seed size in bits as BLAKE2s (256-bits digest size).

I hash the seed with counters and XOR the result to plaintext.

As said in this answer, some options are (the third I proposed by myself):

1. H(00∥F) ∥ H(01∥F)  ...

Assume we want to transform semi-random $n$-bit inputs into shorter $k$-bit outputs computationally indistinguishable from uniformly random bit strings, and there is (in some sense, to be specified) enough entropy in each of the semi-random inputs towards this.

Under what condition(s) on a hash† function (and as far as it's indispensable, on the semi-random input) can we just hash each semi-random inpu ...

A JSON Web Token is supposed to have the following format:

token = encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature)

When I use the jsonwebtoken node.js function to create a token:

jsonwebtoken.sign({username : "admin", password : "admin"}, publicKey, { algorithm:'HS256' });

It produces the following output:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6I ...

I want to transform a semi random input to a shorter, uniformly random bit string. Assuming there is enough entropy in the semi random input, can I use a collision resistant hash function to extract randomness?

Update
After the first answer pointed out that the body of the question is not correctly asking the intended question, I didn’t want to edit the question, so that the answer given wouldn’t b ...

I've found a post here: Small subgroup confinement attack on Diffie-Hellman which says we can pick $k$ in this way:

And, as we know, $2$ will always be a prime-factor of $p−1$, therefore there will be a subgroup with two elements, that don’t generate anything besides themselves. Obviously the neutral element $1$ is in that subgroup, the other element is $p−1$; In this way, can we just pick

Having just finished reading The Code Book by Simon Singh, which I found extremely illuminating, nevertheless I remain deeply puzzled about one aspect in the book regarding the one-time pad cipher. To cut to the chase, I don't understand how a would-be hacker would be able to break a given OTP cipher (thereby deriving its plaintext) even if he or she already knew the key as well as its cybertext.  ...

In the usual definition of security for message authentication codes, we let an adversary $A$ have access to an oracle for $Mac_k(.)$. However, if we consider that there exists a more powerful type of adversary $B$, that is also able to query an oracle for $Vrfy_k(.)$, how can we redefine the notion of security?

Is any concrete and real examples of CCA-attacks in recent history. I'm aware about examples of WW2, but I'm more interested to modern examples in a digital context (for example against OFB, CBC).

I have a course work for university, and am not sure on my answer so if anyone could please take the time out to read the question and my answer to let me know if I'm going in the right direction that would be greatly appreciated.

Question:

My answer:

For a block size of 1 there are no collisions possible using the hash function. This is because the function returns the last block of the cipherte ...

I'm trying to perform ECDSA verification in hardware. I'm using the SECT233R1 curve (NIST B-233). I have a question about the hash function used while doing so.

I want to use the SHA256 hash function while signing and verifying. In this case, the hash function will have a larger message length (256-bits) than the elliptic curve finite field element (233-bits).

I have the same question as this. Is it suff ...

As AES could be considered as a function AES(key, data) that return encrypted data, is there a use of the construct of AES(key1, AES(key0, data)) as the resulting data could be decrypted by key2? Is there a way to determine key2, if key0 and key1 are known?

Linked is a website that has a capture the flag problem with RSA: https://konsolas-2022-04-24.herokuapp.com/

I know very little about RSA decrypting but I do want to try and solve it, but I'm not sure where to start. I found https://www.tausquared.net/src/pages/ctf/rsa.html which would be useful if I knew the public exponent, but unfortunately I don't.

Is it possible to decrypt the ciphertext, and if so, ...

For university I am doing a piece of coursework right now. This question is focusing on CPA and collisions using CPA.

Question:

I have attempted to answer part 3, but am not very confident in the answer. If anyone could please take the time to look at the question and look at my answer to let me know if I am going in the right sort of direction that would be greatly appreciated.

My answer:

From the  ...

How do MRAE schemes (for example, the following) compare from a security standpoint?

Deoxys-II: https://competitions.cr.yp.to/round3/deoxysv141.pdf AES-GCM-SIV: https://www.rfc-editor.org/rfc/pdfrfc/rfc8452.txt.pdf CCM-SIV: https://eprint.iacr.org/2019/892.pdf MGM2: https://eprint.iacr.org/2022/1590.pdf Discussion on AES-PMAC-SIV: https://mailarchive.ietf.org/arch/msg/cfrg/rJQjDHJNtCTspXc-9RxfebOE ...

$$a_1*s+m_1+e_1 = b_1\\\cdots\\ a_n*s+m_n+e_n = b_n$$

The LWE problem is related to finding the solution $s$ to this system, when the $e$ are sampled from the normal distribution. Why the normal distribution?

Regev's Public Key Cryptosystem is defined as follows:

I want to proof the correctness. For this it must be shown that a 0 is decoded correctly and equally that a 1 is decoded correctly. I would present here once my proof:

Case: Encryption of 0

$$b = \sum_{i \in S} b_i = \sum_{i \in S} ( \langle \mathbf{a_i},\mathbf{s} \rangle + e_i) = \langle \mathbf{a},\mathbf{s} \rangle + \sum_{i \in S} e_i \Ri ...

EDIT: The bounty is actually to draw more attention. I accidentally chose the wrong reason.

• $E$ – Elliptic Curve over finite field $\mathbb F_p$.

• Let $k$ be the embedding degree of the Curve with respect to a prime $q$: The full torsion group of all $q$-torsion points lies in $E(\mathbb F_{p^k})$.

• For the MOV attack, we use 2 particular subgroups of the Full Torsion Group, $H_1$ and $H_2$, and we u ...

After reading "Verify the identity of sender" , which was part of an answer on StackOverflow, I was wondering if the following is possible:

Based on part II, if I am sitting between Alice and Bob:

• Can I not wait for Alice to send her public key to Bob.
• I block this key and discard it, and send my own public key instead.
• Bob then thinks this public key is from Alice.
• I send any message I want now, signed  ...

What is the flaw of secret sharing? It seems that there is no mention in the literature of the defects of secret sharing, such as the defects of homomorphic encryption may be less efficient computing, what are the defects of secret sharing?

I'm very new to cryptography and am having some issues with the following question

A hash function H encrypts an n-block message m = (m1, m2 ... mn) in CBC mode:
- Block size is 128 bits
- Hash result is the last ciphertext
- IV is arbitrary 1 block long
- Encryption key is arbitrary number -> 128, 192 or 256 bits
- IV and Key are public

I need to find out if this function is collision resistant

From what I could gather, zero knowledge proof is a way for a prover to convince a verifer of possession of some data without sharing said data. I understood the ali baba cave problem. Diffie Hellman on the other hand seems to be a way for two people to create a shared secret key without explicitly divulging the key itself.

The difference is clear till this point. However, a lot of projects and r ...

What's the difference between BLS12-381 and BLS12-377?

Previously I thought their basic cryptographic algorithms were same, so it's easy to construct BLS12-381 from BLS12-377, or construct BLS12-377 from BLS12-381, by just changing some curve parameters. Is this correct?

However, in some fields, such as ZK-proof, someone told me that their constructions are totally different, which makes no sense to ...

The algorithm tells that, in the effort of solving $a^x \equiv b \text{ mod }N$:

1. Choose some $k \in \mathbb{N}$.

2. Create the baby list: $\{1,a,a^2,...,a^{k-1}\}$

3. Create the giant list: $\{ba^{-k},ba^{-2k},...,ba^{-rk}\}$ where $rk > N$.

Claim: If two lists have intersection, then this DLP has a solution.

$\textit{Proof:}$ Given that these two lists have an intersection, meaning that, for s ...

The following question is from Stanford cryptography course final exam paper.

Suppose an attacker intercepts a ciphertext c which is the encryption of a message m ε {0, 1}^n under nonce-based counter mode. Can the attacker create the encryption of m XOR 1^n just given c? If so, explain how. If not, explain why not.

I cannot prove why that wouldn't be possible, although intuitively given it is a cou ...

I'm looking into how authenticated encryption primitives work and was wondering if non-repudiation is provided with these. Investigating further into them led to the answer being that data origin authentication (DAO) are provided by the primitives.

Now DAO is defined as "the source of the information being verified", providing integrity through MAC. Yet Non-repudiation is almost defined as the sa ...

Given a range of numbers, e.g. [1, 2^256], does each number have the same chances to be picked by a CSPRNG, which are 1 in 2^256?

My concern is that truly random number generators do have this feature, but it's not always secure in cryptography (I presume), because numbers such as 741 in such a large range that is [1, 2^256] are not secure.

If that's true, do CSPRNG skip certain sub-ranges? Like, in ...

so I recently stumbled upon this video by @bertcmiller who created two transactions with the same nonce "k". That seen I researched quite a lot of pages explaining how to recover the private key from this. I know that I first have to find out the "k" value to recover the private key.

The formula for getting k is:

$k = (H(m1)-H(m2)) \div (s1-s2)$

Luckily @bertcmiller exposed the "k" value in his v ...

This question is from Quadratic Sieve Factorization Method. Didn't find the solution on the web also. And not aware of how to solve such questions.