Latest Crypto related questions

Score: 2
Daniel S
Learning with rounding: uniformity

Naively, when one applies rounding to a uniform random value one anticipates that the change is uniformly distributed. In lattice-based cryptography, is there a formal notion or proof of equivalence between learning with rounding and learning with uniform error schemes?

Secondly has anyone proposed a dynamic version of learning with rounding where the level of rounding is chosen to optimise the b ...

Score: 3
rerouille
Understanding RLWE Encryption

LWE Encryption Scheme by Regev is inefficient due to its public key sizes in $O(n^2)$. This led to the variant problem RLWE, defined in this paper:

Let $n$ be a power of two, and $q$ a prime satisfying $q = 1 \mod 2n$. We define $R_q = (\mathbb{Z}/q\mathbb{Z})[X] / (X^N+1)$, which is the polynomials with coefficients in $\mathbb{Z}/q\mathbb{Z}$ considered modulo $X^N+1$ ($X^N = -1$). We choose

Score: 2
fgrieu
A property of some Koblitz elliptic curves over a prime field

secp256k1 is an elliptic curve $E$ over a prime field $\mathbb F_p$, of equation $y^2\equiv x^3+b\pmod p$, with prime order $n$.

I noticed† that the different curve $E'$ over the prime field $\mathbb F_n$ with the same equation has order $p$. The roles of $p$ and $n$ are reversed in $E$ and $E'$.

That also holds for secp160k1 (not secp224k1 or secp192k1), and it's easy to come up with other examples small ...

Score: 1
Pierre
Correct terminology for ECC in PGP

These days I'm generating some PGP keypairs, and I'm struggling to understand the correct terminology behind ECC keys. Mostly in the differences between ed25519/cv25519/ECDSA/EdDSA/ECDH. I tried to check RFC 6637 and this RFC draft without being sure of what I understood.

Let's take a practical example, with RSA first. Let's generate a keypair:

$ gpg --expert --full-gen-key

Please select what kind of  ...

Score: 3
tobalr
Can I use Libsodium crypto_box_easy for signing with 32 byte keypair?

I have a chat system where multiple clients communicate securely using Libsodium authenticated encryption. Every client has their own 32 byte key pair. If two clients want to communicate they first share their public key out of band and then use e.g. crypto_box_easy for encryption.

I want to create a service that allows a client to vouch for another client's public key using signing.

However, pub ...

Score: 1
Nserser
The hardness of deducing $z \in \mathbb{Z}/p\mathbb{Z}$ from $z^l$ and $l$

I am writing to request information about the difficulty of finding z in Z/pZ (where p is a large prime) given z^l and l. I am working on a project that involves this problem, and I am interested in learning more about its complexity.

Specifically, I would like to ask for your insights on the following:

  1. Is there any known efficient algorithm to find z given z^l and l?
  2. Is the problem of finding z given z^ ...

Score: 2
wxist
NIST algorithm testing results

I have an algorithm that encrypts large text. I want to test this algorithm on statistical tests. The ciphertext contains ~10,000,000 bits. I decided to test the algorithm in two different ways, I took the ciphertext and passed it to the input of statistical tests:

  1. The first parameters were as follows: /assess 1000000 and How many bitstreams? 10
  2. The second parameters were as follows: /assess 1000 ...

Score: 0
Josh
Who developed SHA-2 family?

When I look up who developed SHA-2 family, the result I get is along the lines of

SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard.

What I am really looking for is "Which individuals have developed SHA-2 family?". I understand that most probably there are many individuals behind its development, but like any other scientific endeavor, som ...

Score: 3
OptimalNailcutter1337
CSIDH - The inverse problem

I started studying CSIDH a few weeks ago and, seeing these papers [1] [2], I was wondering:

  • Given $[a]E$ and $E$, find $[a]^{-1}E$.

I read that is easy to find $[a]^{-1}E_0$ knowing $[a]E_0$ by quadratic twisting, but I haven't found any resources explaining how to compute $[a]^{-1}E$.

So, is it possible to compute $[a]^{-1}E$ knowing $[a]E$ and $E$?

Score: 1
Jeffrey
Simulation based proofs: how many simulators should be constructed?

In a simulation based proof of a cryptographic scheme, if k parties are involved in the scheme, should k simulators then be constructed for all the parties?

Score: 1
Amer Yassir
Calculate the key of a Hill-cipher using known plain- and ciphertext

I know I should calculate the multiple inverse of plaintext with ciphertext $\pmod {26}$. However, the problem I have is that the plaintext is a $3 \times 4$ matrix which is not square, so how would I get an inverse?

Should I get the inverse of one side (left or right) of the plaintext or is there another way?

Score: 2
wxist
NIST statistical tests

I'm having trouble testing a not-so-popular algorithm that I haven't found an implementation of, so I wrote it myself and now I'd like to test it with the NIST tests, but I have a suspicion that I'm doing something wrong.

I got an encrypted file with ~10,000,000 bits. I tested my algorithm in the following way. I set the input parameter to 1,000,000, it will look like: /assess 1000000, then the amount  ...

Score: 0
user108142
Unable to retrieve the binary string using LWE and Lattice-based decryption

I am new to this encryption scheme, so I may not be exactly sure of its implementation. I have a list of (u, v) ciphertext pairs to decrypt, each of them is 1-bit.

          { "u": [ 1, 19, 3, 2, 24 ], "v": 16 },
          { "u": [ 3, 20, 22, 26, 15 ], "v": 21 },
          { "u": [ 7, 3, 24, 26, 22 ], "v": 13 },
          { "u": [ 9, 20, 7, 25, 14 ], "v": 5 },
          { "u": [ 28, 11, 26, 22, 16 ...

Score: 1
Omid Bodaghi
Question about the Residual Pseudorandomness property in Verifiable Random Function paper, written by Micali, Rabin, Vadhan, in 1998

I am reading a paper named Verifiable Random Function, written by Micali, Rabin, Vadhan in 1998. In the Residual Pseudorandomness property of a VRF, it is written that if T runs for at most s(k) steps, it succeeds in the experiment with probability 1/2 + 1/s(k). I do not understand the exact meaning of s(k). If it is polynomial, then the scheme is not safe. If it is exponential, T cannot run s(k), because it ...

Score: 2
Poseidon
What bitlength should I use for generating primes for a ElGamal Encryption Cyclic Group (given the data to encrypt has a short time-value vector)?

I am generating large prime numbers to create a cyclic group for ElGamal encryption, I can specify the bit-length n but want to limit the size because this will ultimately allow me to limit the amount of data passed through external channels.

Also the data being protected has an extremely short time-value vector meaning after a short amount of time the data will become useless to anyone who might ...

Score: 7
cryptoman534345
Can Quantum Computers crack RSA and AES?

I'm trying to learn more about cryptography and ran into a post, Is AES-128 quantum safe?, which asks if AES-128 is safe. From the articles and replies it seems that AES-128 (symmetric key) is safe even with the advent of quantum computers (for now). However, it seems that asymmetric keys are not safe?

So, assuming you have a TLS 1.3 (which uses symmetric AND asymmetric keys) would quantum computers be  ...

Score: 0
艾霖轩
Could Diffie-Hellman ciphertext be used as OPRF(Oblivious pseudorandom functions) input?

In my recent PSI project, I wanted to use Diffie-Hellman encryption to obtain ciphertext as OPRF input, but I could not find similar work related to it.

In my opinion, Diffie-Hellman ciphertext length is very long. Is there any performance or security problem if it is used as the input of OPRF?

Score: 1
Satochi
Can $s$ be any number in $s^x = x \bmod N$, where $N = p \cdot q$ for de Jonge / Chaum?

I was reading about some way to imagine the signature of a message using the RSA problem:

Let $N$ be the product of two prime numbers $p$ and $q$. Let $s$ be the signature of a message $s$ (provided that such $s$ exists) defined as $s^x = x \bmod N$.

Later on the following requirement is made on $x$: $x$ is prime with $\phi(N)$.

I do not understand this requirement. And why with $\phi(N)$ and not  ...

Score: 1
Krijn
Variant of Decisional Diffie Hellman

Given a cryptographic prime $p$ and a generator $g$ of $\mathbb{F}_p$, the Decisional Diffie Hellman problem asks us to distinguish $(g^a, g^b, g^{ab})$ from $(g^a, g^b, g^z)$ for random $a, b, z$. This is an easy problem, because the generator has Legendre symbol -1, which allows us to differentiate between such triples.

But the distribution of the Legendre symbol for $g^{ab}$ and $g^z$ for random ...

Score: 3
Georg
Reference implementation of Shamir's Secret Sharing

Is there an implementation of Shamir's Secret Sharing that can be regarded as a "canonical" (or "reference" or "standard") implementation, so that I can test other implementations to be "standard compliant"?

The above question is pretty vague. I have more details in mind, but some of them might be misleading or based on false assumptions. So possibly not all of them can be fulfilled or are relevant.

 ...

Score: 1
Dominic van der Zypen
Pseudo-isomorphic graphs

Some famous cryptographic protocols rely on the construction of graphs $G_i= (V_i, E_i)$ for $i=0,1$ that are not isomorphic. For the safety of this protocol, it is central that one cannot easily verify that $G_0\not\cong G_1$. So, for instance, one could easily establish that $G_0\not\cong G_1$ if $|V_0| \neq |V_1|$, or if the iterated degree matrices of $G_0$ and $G_1$ differ.

As a non-rigid termino ...

Score: 1
user108142
LWE and Lattice-based cryptography: How to recover binary message $M$ from $(u, v)$ values?

I am given a set of $(u, v)$ values, matrix $A$, primary key vector, private key vector, error vector and prime $q$. I wanted to recover the binary value of each $(u, v)$ pair using LWE decryption.

The formula I used to get that was: $\mbox{result} = v - s u$, where $s$ is the private key. I then compared the result with $q//2$. If result is more than $q//2$, the output is 1. If the result is less th ...

Score: 0
CaffeineAddiction
Logic Flaw, why can't you use randomness to seed more randomness?

If I have 256 bits of handwavium "perfectly random data" and I hash this 256 bits of data with a secure hash function (possibly sha256) could the resulting hash be considered "perfectly random data" as well? I am assuming no, but don't know why.

What information / keywords would I use to find out more information about this?

Interesting seemingly related topics:

Score: 0
Yuniel G
Would it be technically possible to use hundreds of computer processors together to work on an algorithm like the Shor's algorithm and break RSA?

Would it be technically possible to use hundreds of computer processors together to work on an algorithm like the Shor's algorithm and break RSA?

I've been reading about the crazy amount of qubits required to break RSA but what if hundreds of 64 bit processors work together towards the same goal? I would assume, if possible, it would be a very complex system and would require other algorithms to  ...

Score: 3
P_Gate
Equivalence of lattice definitions

I have come across two supposedly identical definitions of lattices in the lattice crypto literature. There are mainly these two definitions of lattices: the first considers lattices as a discrete additive subgroup and the second is the common vector space definition.

Definition 1: Discrete additive subgroup $$\forall x \neq y \in \mathcal{L}, ||x-y|| \geq \varepsilon, \quad \exists \varepsilon >0 \qu ...

Score: 1
Luce
What mode in EVP for AES-128 should I use for cryptanalysis of AES?

I've been trying to use AES from OpenSSL and got to know that I need to use the EVP-based implementations rather than the AES_*.

I need to use AES-128 implementation to generate bitstreams, essentially passing various keys, and plaintexts to analyze the ciphertext generated for cryptanalysis of the algorithm. I went through the Question, How do I decide what mode to use? which linked to the NIST docum ...

Score: 0
ruslan Murzagaliev
Runs and Autocorrelation test

I have the book "Handbook of applied cryptography". In there we have an example for randomness tests.

I have a bit sequence [11100 01100 01000 10100 11101 11100 10010 01001]*4; the length of this sequence is n = 160. And I need to test this sequence in order to understand whether this sequence is random or not. And I have a problem with understanding this example.

For the runs test I understand how they got

$e_i=\frac{n-i+3}{2^i+2}$

For  ...

Score: 0
Is this Zero Knowledge interactive proof for Quadratic non-residuosity proper?

This is from Alan Rosen's video on Interactive proofs - https://youtu.be/6uGimDYZPMw?t=1754

Proof on Quadratic non-residuosity

Here the proof is that

  • the Verifier gets a random bit $b$.

  • If $b = 0$, then Verifier gets a random $y \in Z^*_n$ & sends $z = y^2$ to the Prover.

  • if $b=1$, then the Verifier sends $z = xy^2$ to the Prover.

  • Now if $z$ is a Quadratic Residue, then the Prover sends back $0$, else $1$

Now, doesn't this de ...

Score: 1
Kai
Can new decryption keys be issued without modifying the encrypted contents?

I'm curious if there's an encryption scheme where content may be encrypted to a public key where the associated private key can generate new decryption keys for the same content. The goal is to publish data that is encrypted with a server's public key and allow the server to produce new decryption keys as needed.
