Latest Crypto related questions

Score: 2
August H avatar
How does the SWIFFT algorithm relate finding hash collisions to a lattice problem?
sm flag

I've been messing around with lattice based cryptography and came across the SWIFFT algorithm, a provably secure cryptographic hash function which has a security proof stating that finding collisions is as hard as reducing a lattice, a provably difficult problem, infeasibly difficult.

I could understand basically using an orphaned lattice public key with no private key as a one way hash function  ...

Score: 1
שחר כהן avatar
Make linkable ring signatures shorter?
lb flag

I need a way to make the signatures shorter. Currently, with a ring size of 1000 members, I get a signature size of 34000 bytes; this is too big for me, and I need a way to make it smaller.

I tried compressing the signature with gzip, but it only makes it bigger. The only other solution I can think of is to use other linkable ring signature schemes like "Short Linkable Ring Signatures". The only problem w ...

Score: 1
Amal K avatar
How is $Nb$ (number of columns) calculated in AES (Rijndael)?
dk flag

The NIST publication for AES defines $Nb$ as:

Number of columns (32-bit words) comprising the State. For this standard, Nb = 4.

In Section 5.2: Key Expansion, $Nb$ has been used to calculate the number of round keys to be generated.

Section 6.3 states:

This standard explicitly defines the allowed values for the key length (Nk), block size (Nb), and number of rounds (Nr) – see Fig. 4. However, future  ...

Score: 0
Akerces avatar
Mapping DH / DHE p & g params to a group
gr flag

I'm writing a small piece of code that performs a simple SSL/TLS analysis, and I'm stuck on determining the size of the key exchange in the case of DH / DHE.

If I take the following example (Wireshark capture):

p Length: 128
p: acb31[...]
g Length: 1
g: 02
Pubkey Length: 128
Pubkey: 1935[...]

I just thought I could get the necessary information from G regarding this article

But it doesn't seem to be the case, bec ...

Score: 1
Daniel S avatar
Other than in the UK, what famous mathematicians were involved in cryptology in WWII?
ru flag

The famous names of mathematicians at Bletchley Park are now a matter of public record and include eminent figures such as Max Newman, JWS Cassels, Philip Hall and Sandy Green as well as the more cryptanalytically celebrated Alan Turing, Jack Good and Bill Tutte.

Other countries also began making use of mathematicians in cryptology around this time. The Polish Enigma successes of Rejewski, Rozycki and Zy ...

Score: 1
Mastour Ikhlass avatar
Using additive secret sharing to share the secret key of BFV scheme among $N$ participants
uz flag

I want to share the secret key of the BFV scheme among $N$ users using the additive secret-sharing protocol ($n$-out-of-$n$ threshold secret sharing). Can anyone please help me to adapt the two algorithms correctly? Note that the secret key of BFV is generated as a random ternary polynomial from $R_2$ ($R_2$ is the key distribution used to sample polynomials with integer coefficients in $\{-1,0,1\}$).

secret key ge ...

Score: 0
nicg avatar
E2EE encryption workflow
hk flag

I need to send sensitive information from frontend to backend and from backend to frontend. What is the best way to do this: by encrypting all the communication between the parts? Should I use symmetric or asymmetric encryption? What is the best approach?

Score: 0
abbas avatar
Sigma protocol for proof of encrypted content
bw flag

Suppose I have a device which encrypts my fixed plaintext (on request) using the Paillier algorithm. So every time, this device generates a new random number (used in the Paillier algorithm), and a new ciphertext (of the same plaintext) will be generated. I want to know whether it is possible for me to prove to a third party that I know the plaintext, without exposing any information about the plaintext, using a sigma protocol (

Score: 0
Nikita Khodakovsky avatar
How does TLS 1.3 provide authentication without using the public key to verify that the server has a private key?
tm flag

In the TLS 1.2 handshake, after checking the certificate, the public key from the certificate was used to encrypt the data to create a symmetric encryption key, hence the authentication took place on the factor of knowing the private key, as it is needed to decrypt that data.

In TLS 1.3, the public key cannot be used to encrypt data needed to create a symmetric encryption key because this data is ...

Score: 1
Pol Henarejos avatar
Is it possible to extend CMAC for ChaCha
ao flag

CMAC is defined for AES for authentication. My question is pretty simple: is it possible to extend CMAC for ChaCha? Does it even make sense? I cannot find anything related and I am wondering if I am missing something trivial.

When compared to AES, there are algorithms for AEAD with AES, in addition to CMAC for AES. CMAC, as read in the RFC 4493, is an OMAC1 function that is combined with AES. Loo ...

Score: 2
anonymous bear avatar
Can ML be used to overcome cryptography
ng flag

I saw some recent papers (e.g. Encrypted DNS --> Privacy? A Traffic Analysis Perspective) about adopting ML technology to overcome cryptography implemented to ensure network security. Network packets have a fixed form and limited possibilities for each section, which could be used as side channels. I'm wondering what the main challenges are here to overcome cryptography, and what some mitigations for ML appro ...

Score: 7
TimestampQuestion avatar
How can you prove that a certain file was downloaded from a certain website?
mf flag

Let's say you downloaded a file from a certain website, and later the website claims that it didn't make that file available. Is there any way to prove that the website is lying?

Example 1: You download a YouTube video, and the channel later deletes the video and claims that the video was never there.

Example 2: A website posts certain content, and later you find that the link is broken; the website do ...

Score: 2
Do we always choose a generator of prime order for ECDH? If yes, then why?
et flag

I am looking at the description of the Weil MOV attack from the Menezes and Vanstone book (Guide to Elliptic Curve Cryptography):

Suppose now that the prime order $n$ of $P \in E(F_q)$ satisfies $\gcd(n,q) = 1$. Let $k$ be the smallest positive integer such that $q^k \equiv 1 \pmod n$; the integer $k$ is the multiplicative order of $q$ modulo $n$ and therefore is a divisor of $n - 1$. Since $n$ divides

Score: 3
Rudeus avatar
How to choose Kangaroo algorithm parameters?
gs flag

I am implementing Pollard's kangaroo algorithm to compute the discrete logarithm of a group element of $G$ with generator $g$. $G$ is a multiplicative group $\bmod p$ ($p$ a prime number). So, I want to solve $g^a=h$ knowing $a\in[[0,w]]$.

What I am basically doing:

  1. Define $w=2^{58}$
  2. I define $k$.
  3. Split $G$ into $k$ subset $S_i$.
  4. I define $f(x)=xg^{2 ^ {x \mod k}}$
  5. From here I make two kangaroo walks alternately... ...

Score: 0
akez avatar
Various attacks on cipher-images & tools, especially stream-cipher?
in flag

What kinds of attacks on image encryption exist out there, especially if the cipher-image was created using a secure stream cipher like Salsa20 (256 key) or ChaCha20 (256 key)?

From the page https://cr.yp.to/streamciphers/attacks.html#chacha20, I know that the algorithm itself can be attacked using a brute-force attack to find the 256-bit key (but, of course, this is going to take a lot of time, resources & d ...

Score: 1
P_Gate avatar
Derive probability estimation for 'learning from parity with error'
mq flag

In Regev's paper "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography", he considers in the introduction the "learning from parity with error" problem, where we have an unknown $s \in \mathbb{Z}_2^n$ and our goal is to find this $s$, given a list of equations with errors, e.g. $\langle s,a_i \rangle \approx b_i \ (\text{mod } 2)$ etc. The $a_i$'s are chosen independently from the  ...

Score: 1
Why private key is not used in Camenisch-Lysyanskaya Signature generation?
jp flag

I want to implement Camenisch-Lysyanskaya signatures based on the strong RSA (SRSA) assumption using Python. However, I have a question. Here the public key of the signature is $PK=(n,a,b,c)$ and the private key is $SK=p$. But while signing the message, only the parameters from the public key are used. Am I missing something, because the private key is required for signing the message? Or is it a specialty of the Camenisch-Lysyansk ...

Score: 1
Steve Mucci avatar
How are public and private keys generated and used for encryption and decryption in a lattice based cryptosystem?
de flag

I've recently become quite interested in lattice based cryptosystems, and I wish to understand them more deeply. I have only a rudimentary understanding of the shortest vector problem (SVP), and its brother the closest vector problem (CVP), which are central to this form of cryptography, though I understand lattices, vectors, and bases quite thoroughly (I took some linear algebra in college back in the  ...

Score: 3
abbas avatar
Algorithm used to generate a BitLocker recovery key
bw flag

I know exactly how a generated BitLocker recovery key works and I can write a code to brute-force it.

How is the recovery key generated though?

I could think of some answers:

  1. it is generated using an algorithm which generates a random number using a specific seed;

  2. it is generated using some information extracted from the hard drive or the computer (like some characteristics in TPM module) and a s ...

Score: 0
Gasim avatar
What hashing algorithm is fast and good enough for checking if source data is changed?
it flag

Not sure if this falls into crypto from contextual point of view but it is about hashing algorithms. I have two directories -- assets/ and cache/. Anytime there is a file added, deleted, or changed in the assets/ directory, a corresponding, application specific file will be generated in the cache/ directory. On top of that, an additional "cache file" gets created that stores the following informat ...

Score: 2
Mastour Ikhlass avatar
How can I use additive secret sharing to share the secret key of BFV scheme among $N$ participants?
uz flag

I want to share the secret key of the BFV scheme among N users using the additive secret-sharing protocol (n-out-of-n threshold secret-sharing). Can anyone please help me to adapt the two algorithms correctly?

Note that the secret key of BFV is generated as a random ternary polynomial from $R_2$ ($R_2$ is the key distribution used to sample polynomials with integer coefficients in $\{-1,0,1\}$).

Score: 0
user1405583 avatar
Attacking AES ECB
sm flag

This is a school challenge. I have a cipher file, which is an audio file encrypted with AES in ECB mode, and no key of course. The size is around 550 Kb. I know the key size used is 16 bytes, and I have a plain file of 20 Kb that is part of the whole original plain file, but I do know the offset of it.

I guess attacking the key is off. Am I right to go like this: move by 16 bytes in ciphered file ...

Score: 2
Missionar avatar
Encrypt multiple chunks of data with an AEAD
cl flag

Assuming that I want to encrypt a 1 GB file with e.g. AES in GCM mode or ChaCha20Poly1305.

[I'm specifically referring to the cryptography module for Python: https://cryptography.io/en/latest/hazmat/primitives/aead/ but I can't find anything in the documentation]

For "non-AEAD" ciphers, the syntax is basically

cipher = Cipher(key)
cipher.encrypt(data)

and I can call .encrypt() as many times as I like. ...

Score: 1
Questioner avatar
How to know if a public key has been created based on the ECDSA algorithm?
cn flag

Suppose in a network, the identity of users is their public key, which is generated based on the ECDSA algorithm. That is, to create a valid identity, a user must generate an ECDSA public key and then send it to the network administrator for validation. Then, the network administrator needs to know if the user followed all the ECDSA key generation steps correctly to ensure that the user's public key is  ...

Score: 1
jce avatar
In Whatsapp, when I use multiple devices and browser, are my private keys the same and shared among them?
lu flag

In Whatsapp, are the same private keys used in all my devices? Is the sharing of the keys from scanning the QR code on the web browser to link to my device? Thank you!

Score: 0
pintor avatar
Unbounded ZK vs perfect ZK?
ng flag

In the "On the Non-malleability of the Fiat-Shamir Transform" article by Faust et al., there is a definition for unbounded NIZK. What does unbounded mean in this context? It does not look like perfect ZK, because the distinguisher is PPT and not unbounded as required here.

Score: 0
Roberto avatar
Reversing a basic encoder (code in Python)
sx flag

Moderator note: this question has moved to reverseengineering-SE.

I'm trying to reverse the save game of an old game. It uses text codes to save the games (anyone remember this?). When decoded, the data contains game info like level, checkpoint, objects in inventory, etc.

I ported the code of the decoding function from assembler to Python. I now would like to produce the inverse function in o ...

Score: 0
Gerrie avatar
How to get dp and dq of CRT-RSA?
kh flag

I am learning to utilize the flush+reload method to get the private key of CRT-RSA.

CRT-RSA calculates two parts separately: $m_p = c^{d_p} \bmod p$ and $m_q = c^{d_q} \bmod q$.

$x = b^e \bmod m$ is calculated by the code below.

[image of the code]

There is a loophole in this method: the execution of Square-Reduce-Multiply-Reduce in the code can be detected, and the exponent can be inferred.

Squ ...

Score: 3
How does taking the difference between commitments verifies that the messages are correct?
nl flag

I have read that a Pedersen commitment can be used to hide messages such as transactions by participants. The verifier will just have to make sure that the difference of the commitments is zero. But I don't quite understand how this verification is valid.

For example, for the input messages 10, 5, 2, Alice could choose and apply a blinding factor (7, 3, 8) to each of them: $$ input_c = g^{10} \c ...

Score: 0
falc avatar
Modular hashing confusion
je flag

I am trying to learn about basic hashing using the modulo operator and am a bit confused. In the text that I am reading, it says that the modulo operator can be used to accept an input of any length and return a fixed-size output. However, take $1 \bmod 11 = 1$ and $21 \bmod 11 = 10$. The first equation yields a one-digit number and the second equation yields a two-digit number, so how is it returning a fixed-sized ou ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.