Latest Crypto related questions

Let $f \in \mathbb{Z}[x]$ be an irreducible polynomial of degree $N$ and $q \in \mathbb{N}$. Consider the rings $R := \mathbb{Z}[x]/f$ and $R_q := R/q$. Obviously, an element of $R_q$ can be represented by means of $\ell(N, q) := N\lceil\log_2(q)\rceil$ bits. In lattice-based cryptography the polynomial $f$ is often cyclotomic $\Phi_n$ for some $n \in \mathbb{N}$ (mainly $n$ is a prime or a power  ...

This is not a duplicate, I'm asking which method is better. I generate an encoded argon2 hash string, so it'll be stored in database to verify login passwords.

Saved encoded hash has salt of length 16 bytes and tag with length of 32 bytes. I need to derive second different key from the saved key using two parameters:

• User password
• Already existing saved hash

Methods

I have an idea how to do it, ...

After implementing and playing around with famous "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1" there couple of questions which I can't really grasp.

• Why do we get intervals with their ends interchanged?
• Why does it work to discard intervals in pairs?

Intervals Ends

I looked at several other implementation in different programming languages, and it's comm ...

This function from Wikipedia calculates the sbox used in AES:

#include <stdint.h>

#define ROTL8(x,shift) ((uint8_t) ((x) << (shift)) | ((x) >> (8 - (shift))))

void initialize_aes_sbox(uint8_t sbox[256]) {
    uint8_t p = 1, q = 1;
    
    /* loop invariant: p * q == 1 in the Galois field */
    do {
        /* multiply p by 3 */
        p = p ^ (p << 1) ^ (p & 0x80 ?  ...

I have two questions I couldn't find straightforward answers to after many searches.

(1) We can perform 2-party MPC over arbitrary functions using Garbled Circuit. To do that, we first need to convert a function to a boolean circuit and then garble it. Is there any tool available where we can convert any arbitrary function to a boolean circuit? Say I want to sort three numbers from a given input. ...

I'm currently trying to understand the Coppersmith's method of finding small integer roots of polynomials modulo some integer. I am reading the original paper Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities by Don Coppersmith. Specifically, in section 6 he claims:

I really can't get the part, where he says that we can compute $c_g$ values. We are given the reduced l ...

In cryptography I am facing the issue to find a generator of some elliptic curve given only the curve over given field and number of elements that the curve has.

The numbers used are enormous so I am struggling to implement any offered scenario how to find generator of an elliptic curve here in stackexchange. If anyone can help I would be thankful.

I'm trying to implement a naive version of CKKS in Python. It was great until I start implementing the modulus.

For this kind of schemes, the modulus $q$ is in the range $(-q/2,q/2]$. How does this work?

In CKKS paper (I think BGV and others do the same) use something like this (a toy example): $c = m (mod$ $q)$. Where $c$ and $m$ are polynomials, so the coefficients of m are mod q. So c and m are congr ...

Background:

TEA uses a 128 bit master key $K_{0\ldots3}$. All odd rounds use $K_0$, $K_1$ as the round subkey, and all even rounds use $K_2$, $K_3$. One cycle of TEA applied to the block $A_i$,$B_i$ is: $A_{i+1} \leftarrow A_i + F_i(B_i, K_0, K_1) \hspace{0.5em};\hspace{0.5em} B_{i+1} \leftarrow B_i + F_i(A_i, K_2, K_3)$. Where the round function $F$ is: $F_i(b,k,k') = (\text{ShiftLeft}(b,4) + k) \oplu ...

I have been reading papers about authentication in VANETS and some of them mention a certificate that a trusted authority generates for a vehicle and has the following form: $${C_{V_i}}=S_{TA}+H(PID_{V_i}|PID_{TA}|P_{TA}|P_{V_I})*x_i$$
Here $S_{TA}$ is a secret that belongs to Trusted Authority.
$H()$ is a hash function.
$PID_{V_i}$ is the pseudo-identity of vehicle $V_i$.
$PID_{TA}$ is the pseudo-ide ...

In the case of RSASSA-PKCS1-v1_5, is it simply that the cryptographic libraries and APIs are designed to only sign if determined superficially that it has a private key, or is the public key mathematically incapable of signing? Or perhaps in asking this way there is some major wrong assumption I'm making about keypairs and how they can be used?

In my usecase, i want to attach a public key to a proof generated by a circom circuit. If my circuit is like follows:

template Example() {
  signal input secret;
  signal input hash;
  signal input salt;

  signal output verified;

  // Hash the secret and the salt, compare it to hash and assign it to the verified output
  // Omitted for brevity
}

component main {public [hash]} = Example();

If i just ...

If I understand correctly (please let me know if any of the following is wrong), a fully homomorphic encryption scheme $\mathcal{E}$ is such that for any messages $x, y$, $$ \mathcal{E}(x + y) = \mathcal{E}(x) + \mathcal{E}(y) \\ \mathcal{E}(x y) = \mathcal{E}(x) \, \mathcal{E}(y), $$ i.e $\mathcal{E}$ is a ring homomorphism. Since the function $\mathcal{E}$ has to be invertible (hence injective), we hav ...

I was experimenting with hashcat and aircrack to test WiFi security. The WiFi AP is a WPA2 encrypted network. The tool I used to capture is bettercap, which captured multiple WPA2 handshakes. The problem is that from those multiple handshakes I get two valid passwords for the same AP.

Question is, did I find a WPA2 hash collision or I am getting something wrong?!

Hashes are converted by hashcat t ...

Having a difficult time wrapping my head around the Blom's key distribution. I found an online resource to understand this but still couldn't get it. I am attaching the screenshot from the book where the author first mentions the algorithm and then he solves an example . A better explanation to the example how values are taken and derived would be better .

How are the different $g$ values and $ ...

Going through the TPM tutorial: https://google.github.io/tpm-js/#pg_keys

The output of KDF would be some pseudo-random bytes. For RSA, the bytes might not be a prime number. For elliptic curves, the bytes would likely not be a co-ordinate on the curve. Even ignoring that output is coming from a KDF I'm unclear on how a "seed" can be used to generate RSA and EC keys deterministically.

How do I calculate the password space of a randomized linked hybrid pasword of 9 images and 10 numbers(0-9)? User allowed to select 4 password

Images=9 Pin= 0-9 Password selection allowed: 4 Every image is linked to a number

Images are randomized at each selection

Is there any generic attack on HMAC SHA 256 ?

I am currently reading up on attacks on Hmac sha-256. However most of the papers I've found are about side channel attacks such as Differential power Analysis.

I have recently understood how we can construct a pseudorandom function from a PRG. However, I would like to prove the reverse - how can I construct a PRG from a PRF?

Could you explain the difference between sigma protocol, Schorr protocol with examples. What is the advantage of using commit-and-prove zero knowledge proof over general zero knowledge proof?

If an attacker wants to hack the passwords of $2^{10}$ users. And all of these users generate a password from the space of $2^{50}$ passwords** and each password is hashed with PBKDF2 with $2^{10}$ iterations**.

How many hashes would an attacker need to do to get all passwords in the worst case?

I was thinking it would be $2^{10} \cdot 2^{50} \cdot 2^{10} = 2^{70}$ since with PBKDF2 each password will ...

Could you please help me? I am reading the paper "Improved Differential Fault Attack on LEA by Algebraic Representation of Modular Addition". I would like to know why there is the claim that the MSBs of A and B lack information in the following phrase "the lower 31 bits of A and B can be determined, excluding MSBs that lack" (page 4 before section B)

To encrypt plaintext $(P_1, P_2, P_3, ... P_n)$ Ciphertext Feedback Mode (CFB) works as follows :- $$ C_0 = IV \\ C_i = E_K (C_{i-1}) \oplus P_i $$

Lets define a modified version of CFB mode as follows :- $$ C_0 = IV \\ SK_i = KMAC(K, C_{i-1})\\ C_i = E_{SK_i} (C_{i-1}) \oplus P_i $$

The modified CFB mode encrypts each block using a new key $(SK)$ and it has a processing overhead.

What security adv ...

If a password is randomly chosen from a space of $2^{64}$ passwords and is stored as an SHA-256-bit hash and a 128-bit salt, how many hashes does an attacker need to perform to recover the password in the worst case?

Would it just be $2^{256}$ hashes because SHA-256 provides $256$ bits of security in a pre-image attack?

As we know, the Schnorr signature enjoys the linearity property, which does not exist in ECDSA. It seems the Schnorr signature is more efficient and can bring more features than ECDSA. What is the advantage of ECDSA over the Schnorr signature? Will ECDSA gradually be replaced by the Schnorr signature (especially after that the Schnorr signature can be used in Bitcoin)?

Let $a_n$, and $b_n$ two sequences generated by two LFSR with connection polynomials $P$, and $Q$. How to show the sequence $(a_n \cdot b_n)$ can be generated by a LFSR wit connection polynomial of degree upper bounded by $\deg(P)\cdot \deg(Q)$?

OU cryptosystem: $N = p^2q$, the secret key is the factorization of $N$, the public key is $g\leftarrow \mathbb{Z}_N$, $g^{p-1} \neq 1\mod p^2$, to encrypt an element $m $ $\in$ $\mathbb{Z}_p$, choose $r\leftarrow \mathbb{Z}_N$, then $Enc(m)= g^m\cdot h^r$, where $h = g^n$

In paper: Paillier's Cryptosystem Revisited [CCS01], is said that

How to factor $N=p^2q$ under CCA model?

I`m solving one crypto problem on rsa.

p^e - q^e = C1 (mod n)
(p-q)^e   = C2 (mod n)

n = p*q*r; p,q,r are prime numbers
e = 2 * 65537

We have e, n, C1, C2.

It's impossible to find p, q, r from this system of equations, since there are 3 unknowns in the system of 2 equations. But is there any way to reduce the possible options?

If a password p is selected from a space of 2^64 passwords, and the server stores this as a hash, h = SHA-256(p||s) where s is a random 128-bit salt. How many maximum hashes would an attacker need to perform to recover "p" given (h,s)?

I was thinking that this is a pre-image attack so the attacker needs to find the same hash as the passwords. SHA-256 provides 256 bits of pre-image resistance. So  ...

In the zero-knowledge cryptography nomenclature, we have multiple representations of arbitrary computation suitable for submission to various proof backends (e.g. Groth16). Two specific examples spring to mind: rank-1 constraint systems (R1CS) and Algebraic Intermediate Representations (AIR).

What are these called?