Latest Crypto related questions

Score: 0
mtheorylord
Multiplicative inversion of a generated point?

Let's say I have a public generator $G$, an unknown, private $p$ and a public point $pG$ on an elliptic curve.

Given $pG$ it's easy to construct $-pG$ by just taking the negative. But can you construct $p^{-1}G$?

Score: 1
Carlos Ribeiro
Collision ISIS Problem

I'm trying to understand the inhomogeneous SIS problem and I came across a scenario that I don't know how to evaluate.

Let $A,B \in \mathbb{Z}_q^{n\times m}$ be two random matrices and $u,v \in \mathbb{Z}_q^m$ be two vectors of small norm $||u||,||v||<\sigma$, such that $A.u=B.z$.

How easy would it be to find another pair $w,y \in \mathbb{Z}_q^m$ of short vectors that satisfy $A.w=B.y$, assuming ...

Score: 0
mmazz
Homomorphic Encryption CKKS scheme, Encoding: canonical embedding discretization

I'm trying to understand CKKS (non bootstrappable) and I'm struggling with the encoding part. I'm using the original paper, "Homomorphic Encryption for Arithmetic of Approximate Numbers", also these notes, "Lattices, Homomorphic Encryption, and CKKS", and this blog.

I have four questions (they will make sense later):

  1. Whether I'm right about the projection.
  2. Are the final steps trivial?
  3. Why when we round the coefficien ...

Score: 1
Xuo Guoto
Changing the keys of an encrypted backup file

I have a series of backup files which are being generated daily and which I need to store encrypted. The files are to be used by Bob as and when he needs them.

I am planning to use public key cryptography with the private key being held by Bob. The backup program will have the public key and will encrypt the files with it, and Bob will use the private key to decrypt them.

I need to rotate the encryptio ...

Score: 0
Guanting Liu
Efficient way to break a substitution cipher based on frequency attack

I wrote an attack based on frequency analysis to break the substitution cipher. The code below is in Python.

...

import random
import operator
import sys


cipher = """lrvmnir bpr sumvbwvr jx bpr lmiwv yjeryrkbi jx qmbm wi
bpr xjvni mkd ymibrut jx irhx wi bpr riirkvr jx
ymbinlmtmipw utn qmumbr dj w ipmhh but bj rhnvwdmbr bpr
yjeryrkbi jx bpr qmbm mvvjudwko bj yt wkbrusurbmbwjk
lmird jk xjubt trmui jx  ...

Score: 0
Allan Romanato
Transportation Key (KEK)

I was studying how to transport keys from one HSM environment to another and it came to me that I would need some sort of transportation key so the HSM keys would be double encrypted. How would this key be generated so it could be imported into both HSMs securely? Could RSA or EC be used? Since the key could be generated in the target HSM and in the source we would just import the public key whic ...

Score: 0
Srity Ahmed
Is combining Elgamal algorithm and RSA algorithm for key generation and AES+RSA algorithm for encryption and decryption a novel approach?

Key generation: Firstly, the RSA algorithm will be used to generate a public and a private key.

  1. Generate two random prime numbers p, q.
  2. Select RSA public key, P k such that gcd(P k, Φ)= 1 and 1< P k < Φ.
  3. Calculate the RSA private key, Sk= P k mod Φ.
  4. Calculate Elgamal public key, g= P k, private key, x= Sk.
  5. Generate pEl such that P k< pEl and Sk< pEl.
  6. Calculate publi ...

Score: 0
sudoExclaimationExclaimation
Is it wrong that in a JWK, if the "d" value is **omitted**, that JWK represents a private key?

This is not a programming question. This is to confirm whether some crypto documentation is incorrect.

I am using Rust's p384 crate. I am creating a private key from a JWK string.

In the source code, at line 85:

https://docs.rs/elliptic-curve/latest/src/elliptic_curve/jwk.rs.html#85

it says:

The `d` ECC private key parameter as described in RFC 7518 6.2.2.1:
<https://tools.ietf.org/html/rfc7518#section ...

Score: 0
The asymptotic form of Hermite's constant in lattices

There are some linear upper bounds on Hermite's constant $\gamma_d$, such as $\gamma_d \leq 2d/3$, $\gamma_d \leq d/4+1$. So we can claim that $\gamma_d=O(d)$. There is also a rather tight asymptotic bound for $\gamma_d$: $\frac{d}{2\pi e}+\frac{\log(\pi d)}{2\pi e}+o(1) \leq \gamma_d \leq \frac{1.744d}{2 \pi e}(1+o(1))$ (see page 34 of The LLL Algorithm, edited by Phong Q. Nguyen et al.). After this t ...

Score: 1
Ian Campbell
Does the ability to factor in polynomial time give you smooth numbers in the number field sieve?

I have read that, despite strong connections between prime factorization and DLP, an algorithm for the former does not imply the latter directly. But I was reading about the number field sieve and it seemed like the bottleneck was identifying smooth norms. Wouldn't an ultrafast prime factorization algorithm achieve that?

Score: 0
Sam Jaques
Asymptotic efficiency of modular multiplication

What is the best known asymptotic/concrete complexity of modular multiplication?

Using Montgomery multiplication, if $M(n)$ is the cost of one integer multiplication of $n$ bits, then the cost is $2M(n)+o(M(n))$ (assuming comparisons and bit-shifts are $o(M(n))$). Is this the best known?

Score: 2
cryptoQueen
Why are there two Challenges in the DSA Identification Scheme?

Would either $\alpha$ or $r$ suffice as challenge?

I am aware that the signature and verification would have to be adapted. However, what is the motivation behind using two challenges?

DSA Identification Scheme According to "Introduction to Modern Cryptography" by Katz & Lindell

Score: 2
Eri
What is the correct way to use HKDF with X25519?

I am trying to implement ECIES properly with X25519/HKDFwithSHA256/AES-128-GCM with the Node.js crypto library. It is not clear to me how to determine the input key material (IKM) to HKDF.

Initially, I thought it is okay to directly use the shared secret generated by X25519 as the IKM.

const {diffieHellman, hkdfSync} = require('crypto');
const sharedKey = diffieHellman({
  privateKey,
  publicKey,
});
con ...

Score: 1
artificial_inspector
ZK-STARK soundness

I've been reading about ZK-STARK. There's an example that appears in several blogs. The most detailed explanation of that specific example which I have found so far is in this blog.

The description of the example (the requirement) is:

Suppose that you want to prove that you have a polynomial $P$ such that $P(x)$ is an integer with $0 \leq P(x) \leq 9$ for all $x$ from 1 to 1 million.

I will quote t ...

Score: 0
user110681
LoRa Cloud PIN derivation according to 'smtc0' algorithm

I am following the steps in LoRa Cloud in order to derive the PIN value using the Algorithm smtc0 (https://www.loracloud.com/documentation/join_service?url=derivation_schemes.html). I don't quite understand how the DMKEY(i) = (hash[0]+i mod 256) | hash[1] | .. | hash[15] is derived.

Score: 0
cryptoQueen
Reason for two random numbers in DSA?

Why is the signature in DSA the way it is?

I am referring to $r$ and $k$ in the signing algorithm depicted below. Is it really necessary to have both $r$ and $s$, or would it still be secure if only one of them is used?

In the Schnorr signature only one random number is involved, for example.

[image: DSA signing algorithm]

Score: 0
Abhishek Maurya
What is the use of Secure Protocol Data Management (SPDM)?

By going through the document https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.2.0.pdf I could gather that this spec will be used to verify the identity and attestation of h/w & firmware with the help of the TCG_UDS spec. I want to know whether there is any other advantage of having the SPDM specification?

Score: 0
asnfkjsdx
Securing symmetric ciphers with 56-bit keys

Under the Wassenaar Arrangement and applicable export control law, symmetric cryptography of an (effective) key size of 56 bits or less is (generally) exempted from export control. I am forced to work within this constraint. My goal is to maximize security regardless. Encryption and decryption operations may take about 0.125 seconds per byte.

In theory, it would be possible to design a cipher t ...

Score: 0
ADC
What are the chances of two 5-symbol strings derived from md5 colliding?

I'm taking 2 medium-length strings (50-70 chars) and hashing them using md5 to get results like d2ae4f4919a10958e2c603782f0ec1cc, then recording the first 5 symbols of the hash to provide a (unique) short key. If the md5 distribution is (almost) random, then would the chances of a collision be 16^5 ([0-9a-f]^5) = 2/1.048.576, or different? Am I extremely lucky to get 2 hashes like d2ae4f4919a10958e2c603782f0ec1c ...

Score: 1
Daniel Gonzalez
Question about Modified Miller-Rabin Test?

A few months ago I decided to write my own custom prime number generator. One of the tests I use is a modified Miller-Rabin test that tests the number against base 2 and then only tests random odd numbers, instead of completely random numbers. I figured this might get better probability than 1/4^k for k rounds since if we factor out all the powers of 2 from a random base there should be an odd remainder ...

Score: 1
Eshkod
Attacking a one-round SPN

From Introduction to Modern Cryptography, 6.2.1 Substitution-Permutation Networks, a description of an optimized attack on a one-round SPN:

A better attack is possible by noting that individual bits of the output depend on only part of the master key. Fix some given input/output pair (x, y) as before. Now, the adversary will enumerate over all possible values for the first byte of k2. It can XOR each such  ...

Score: 1
Rodrigo de Azevedo
On real-time decryption of encrypted radio communications

According to Jack Watling & Nick Reynolds,

Ukrainian officers recalled one incident in which the Russian headquarters gave pre-emptive warning to its units of an artillery strike based on Ukrainian troops calling in a fire mission. The Ukrainian troops were communicating with Motorola radios with 256-bit encryption, but it appeared that the Russians were able to capture and decrypt these transmiss ...

Score: 0
user105684
Given Pedersen commitments of some elements, how to prove that the sum of only one subset of these elements is equal to the given element θ?

Assume that the Prover has $n$ Pedersen commitments ($V_{a_1},V_{a_2},\cdots,V_{a_n}$ where $V_{a_i}=G \cdot a_i + H \cdot r_{a_i}$) of $n$ elements $a_1,a_2,\cdots,a_n$. The Prover has another element $\theta$.

The verifier is provided with these $n$ Pedersen commitments ($V_{a_1},V_{a_2},\cdots,V_{a_n}$) and $\theta$.

How can the Prover prove that the sum of $\textbf{only one}$ subset of these eleme ...

Score: 1
Gareth Ma
Literature on (concrete) hardness of Short Integer Solution (SIS)

I am interested in what the state of the art results on the hardness of the Short Integer Solution (SIS) instances are. The one I am the most familiar with (and the most discussed) is to use lattice reduction, which can be ignored. I have also found the Blum-Kalai-Wasserman (BKW) algorithm, which seems to be applicable to SIS, though I have not looked too deeply into it. Apart from these, are there  ...

Score: 1
Secret Admirer
Vigenère cipher SECRET

Decrypt “jjjj aaa cccc ddddd” using the Vigenère cipher with the key “CONVO”. I used 2 different generators and online calculators and I am getting 2 different results.

Score: 0
Guest123456
AES-GCM across multiple packets

I am just getting started with cryptography. After doing some research, I see that people usually advise against encryption using the same key and nonce. However, if a message is too long and has to be broken up into multiple packets, how exactly does this work? Will a different key and nonce be generated for each packet with a distinct authentication tag computed for that packet? Would it be considered  ...

Score: 1
JMC
Is this proof of RSA's correctness sufficient?

In a lecture at my university, the following proof of correctness of RSA is given (the lecture is not mainly on cryptography or even computer science):

$m^{ed} \equiv m^{ee^{-1}} \equiv m^{1} \equiv m \ \textrm{mod} \ N$

The given reasoning is: $d$ is chosen as the multiplicative inverse of $e$ in the modulo ring $\mathbb{Z}_{\phi(N)}$, therefore this holds.

Surely, this cannot be a proof, conside ...

Score: 0
Maltoon Yezi
Trouble detecting cyclic group order crossovers in SECP256K1

There's a problem in detecting whether the sum of a public key addition has crossed the cyclic group order boundary.

For this example, think of public keys $Pub$ as private keys $Priv$, (private scalars), one-way converted to points on the elliptic curve.

$n$ - is the order of the group. Private keys can range from $1$ (the generator point $G$) to $n - 1$.

$n - 1$ is the maximum size (integer value) of  ...

Score: 0
Vasilii Rogin
Schnorr signature with adding instead of multiplying

I am reading about the Schnorr signature (for example, from BIP-340) and I thought, what if we add instead of multiplying for $s$? So, in the signing process it will be s = r + e + d mod n instead of s = r + e*d mod n. Verification will be similar: calculate $s*G$ and compare it to $r*G + e*G + P$ instead of $r*G + e*P$.

$(r*G,s)$ is signature, $d$ is private key, $P$ is public key, $r$ is random value ...

Score: 1
user479610
Learning with errors

If I talk about the efficiency of a learning with errors system, is it fine for q to be composite in Z_q, the ring of integers mod q? When q is not prime, Z_q will not be a field anymore; won't that create problems for the system?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.