Latest Crypto related questions

Score: 1
bca-0353f40e avatar
Could Grover's algorithm perform a search in N/2 for a match in a particular subset of a hash function preimage?
zm flag

Suppose I first define some function f(x) where x is some unsigned 256-bit integer, and the function's output is a set of distinct strings of any length so that output set would be 2^256 unique strings, i.e. a bijection for the specified domain of x.

Example f(x) = 0xAA || x || 0xBB (|| indicates byte concatenation), but it could also be more complex like f(x) = 0xAA || g(x) || 0xBB.

Then, if I plugg ...

Score: 1
Marja avatar
Frequencies of bigrams in English alphabet(with space)
sn flag

Does anyone know where to find bigram frequencies for English alphaber with space?

Score: 4
Rurock avatar
Zero knowledge validation to check if private element is in a set hidden on a central server
bd flag

I am trying to determine how to apply ZK proofs to the asymmetric scenario below.


Say there is a list of 5000 secret elements on a centralized web server.

Users are trying to guess what those 5000 elements are.

However, users don't want to reveal their incorrect guesses to the central server.

Users submits proofs of their guess selection to the web server, and the server checks if the proof shows the ...

Score: 2
geust213 avatar
Knowledge extractors in proofs of knowledge
ws flag

I'm somewhat new to cryptography and I've been looking at knowledge extractors in proofs of knowledge and I am a little confused by the use of somewhat different definitions.

In textbooks or early papers, (as an example see Definition 4.7.2 in Goldreich's textbook [G]), I've seen the knowledge property defined roughly as $\exists$ $\mathcal{E}$ such that $\forall$ PPT provers $P^*$ that convince the ve ...

Score: 1
landau avatar
How do certificates help?
sc flag

I am reading a networking book by Mike Meyers, and it says that a certificate is a file that contains

  1. A public key, and
  2. A signature (cryptographic hash of the public key, encrypted with the private key).

I can understand that the signature helps ensure that the public key was not tampered with. If I make a request to a secure site and get a certificate, then I get a public key and a signature a ...

Score: 0
Tom Scott avatar
Given the CBC-MAC for a message M and the key K, How could I forge a new message M' so that it has the same CBC-Mac as M
rs flag

Im looking to learn about forging CBC-Macs.

Given the CBC-Mac for a Message M and the Key used to encrypt the message K.

Can I create a new message M' which would have the same CBC-MAC?

Original Unknown Message: M

CBC-Mac of Original Unknown Message: X

Key used in CBC Block cipher: K

New message with CBC-Mac = X: M'

Score: 0
Abdulahad Ghuman avatar
Stream Ciphers clarification
ma flag

I am confused about stream ciphers a little so I just wanted to clarify. We have a key that's lets say 2 bits. I have a message that's 8 bits. I used a pseudorandom generator that would add 6 bits to my key. Those 6 bits are deterministic and public. Hence why it's called pseudorandom, it looks random but because the 6 bits are deterministic, it's not. So that makes my keystream, regardless of the key,  ...

Score: 8
Titanlord avatar
What does puncturing in cryptography mean
tl flag

While I was reading the documentation for the cryptocode $\LaTeX$ package I stumbled across the "primitive" called puncturing in subsection 2.12. This was the first time I read about this "primitive". Additionally, I am no native speaker, which is why I have no intuition about what it could mean. Can someone explain it to me on a basic level?

Score: 0
A_guest avatar
Oblivious transfer protocol to retrieve k elements
cf flag

The sever holds the N encrypted elements, each element is associated with an index (unencrypted). The receiver wants to retrieve only k-out-N elements using k-out-N OT. The motivation for using OT is to retrieve only k elements, not all N elements, retrieving N elements results in storage overhead on the device (receiver) and another motivation is that the server should not learn which elements have bee ...

Score: 5
Matthias avatar
Succinct verification of computation without ZKP
mx flag

What the state of the art for producing quickly verifiable proofs of correct computation when your proof is allowed to leak knowledge?

For context, I am inspired by Miden VM's promises:

For any program executed on Miden VM, a STARK-based proof of execution is automatically generated. This proof can then be used by anyone to verify that the program was executed correctly without the need for re-executi ...

Score: 1
mvh avatar
OPGP: tag8 being converted to tag11, part of 4880 spec?
ru flag
mvh

When a tag8 compressed data packet does not contain compressed data i've seen some products simply handle the packet as a tag11 literal data packet, yet i find nothing in the 4880 spec old/new suggesting this is an acceptable behavior. what am i missing here?

Score: 0
hjds avatar
Garner's Formula to find a and b given 2 mod equations equal the same variable
ec flag

I'm working on a Chinese Remainder Theorem Garner's Formula problem in my Cryptography module and was hoping for some help.


Question:
Given the data below use Garner’s formula to find T,U and s

$$ N = pq = 6815731 $$ $$ s \% p = 1 $$ $$ s \% q = 62537 $$

$ s = a \% p $

$ s = b \% q $

$ T = p-1 mod q $

$ U = (b-a)T mod q $

$ s = a+Up $

(p = the smaller prime)

I've figured out $p = 13, q = 52428 ...

Score: 1
Is it possible to show and hide certain values of a message and still able to very a BLS aggregated signature?
nl flag

When using BLS, let's say Alice signs each of the 5 messages ($m_1, m_2, m_3, m_4, m_5$), aggregates the signatures and sends the aggregated signature to Bob. Bob can verify it.

Here's the goal: However, Bob would also like to send the aggregated signature by Alice to Charlie but hide the values of $m_2$ and $m_4$ messages. So, Charlie wouldn't know there are 5 messages in total and he will only know  ...

Score: 0
minimal public-key authenticated encryption protocol
in flag

One party (master) wants to send data to another party (slave) over an insecure channel using public-key encryption and signature schemes such that:

  • master is authenticated,
  • data is confidential,
  • data cannot be replayed.

The minimal assumptions are:

  • master has slave's public encryption key,
  • slave has master's public verification key,
  • the public keys are trusted (how they were obtained is immateria ...
Score: 0
Generic avatar
How to evaluate efficacy of new public-key cryptosystems
lu flag

Suppose I had a new public-key or key exchange protocol. How do I objectively evaluate it so as to determine if it is worth sharing with the broader community? Whenever developing a cryptosystem, it is important to ask "who cares?", to see if it addresses any challenges that current systems face, but it is unclear exactly how to answer that "who cares?" question.

For example, is there a "thresh ...

Score: 1
Basis matrix of NTRU lattice
jp flag

In NTRUEncrypt, we choose polynomials $\mathbf f,\mathbf g$ (with suitably small coefficients) such that $\mathbf f$ admits inverses $\mathbf f_p, \mathbf f_q$ with respect to the moduli $p,q$. The relationship between the public $\mathbf h=\mathbf f_q\mathbf g\text{ mod q}$ and the private key $(\mathbf f, \mathbf f_p)$ is used to define a lattice

\begin{equation} \mathcal L=\{(\mathbf u,\mathbf v ...

Score: 2
pintor avatar
How do lattice-based proofs with Reed-Solomon codes simultaneously avoid aborts and multiple repeats?
ng flag

I'm trying to understand how lattice-based schemes with the Reed-Solomon proximity testing work and why the scheme in Bootle's et. al. Fig 3 has no aborts at all (nor big number of repetitions).

TLDR: How do PCPs and Reed-Solomon allow to avoid aborts and multiple repeats in Bootle's et. al. exact proof? I see no aborts and the challenge space is not a bit string either. Plus, they require just two repea ...

Score: 4
user104734 avatar
SHA2 vs SHA3 popularity
ss flag

Does anybody know or can point me to a source about SHA2 vs SHA3 usage statistics. SHA3 is newer and is claimed to be more secure but ... is it more widely used in real life deployments?

Score: 2
P00 avatar
Why if x ∉ Z*n then the gcd(x, n) != 1? RSA
mh flag
P00

I understand that if the $\gcd(x, n)\neq=1$ then the $\gcd$ is one of the $n$ prime factors, $q$ or $q$. But how is the fact that $x \not\in Z^*_n$ related to $\gcd(x, n)\neq 1$?

Score: 0
P00 avatar
How do I prove that if $\text{gcd}(m,n) \neq 1$, the result is $p$ or $q$ in RSA?
mh flag
P00

I understand that $\text{gcd}(m,n)$ needs to be $1$ so we can apply the Euler's theorem, and if it's not $1$, the result is one of the prime factors of $n$. But Why the result it is always $p$ or $q$? Couldn't it be any other number?

Score: 1
joxavy avatar
DES next round key
cn flag

I don't understand which DES key is used in the next round of Feistel construction.

As you can see below, we use our original key that has been inserted in permuted choice 1, where we got 56 bits, divided into two halves, $C_{i-1}$ and $D_{i-1}$. We will apply the left shift rule on that key and therefore obtain 16 different keys.

Do I have to use the key number 1 that I will obtain as the second  ...

Score: 1
kazamatzuri avatar
Recovering nonce in ECDSA with known shared components in ECDSA
so flag

This is a slight variation of the shared nonce problem. We do have a lot more shared information between two nonces.

Given a random $k$:

$$ k_1 = ka, k_2 = kb $$

I am now signing two messages, which gives me $s_1,r_1,s_2,r_2$

Based on my understanding of the base equation for signatures in ECDSA (with given generator $G$, private key $d$)

$$ r=kG, s=k^-1(h+rd) $$

So now I have two equations, which I can u ...

Score: 2
Bike Tours Dragon avatar
Under What Conditions Will the Public and Private Keys Produced by RSA Algorithm Be Reversible?
fr flag

Given p = 7 and q = 13, one can obtain n = 91, d = 29, e = 5. However, for plaintext with values less than the modulus both the public and private keys (n, d) and (n, e) are reversible, i.e. encrypting a plaintext value with either key and then using the same key a second time returns the original value.

What is the reason for this and under what conditions will this occur?

This question notes that  ...

Score: 2
Dimitri Koshelev avatar
Dense sphere packings and lattice-based cryptography
id flag

It is known that there are two popular applications of lattices: dense sphere packings and lattice-based cryptography. I didn't find any information on the Internet about possible interaction of these domains. Let's forget for the moment that most dense lattices are quite theoretic constructions, hence they don't have fast algorithms to work with them. Nevertheless, in your opinion, can dense lattic ...

Score: 0
dum-dee-dee-dum avatar
How to conduct a forgery attack on a CBC-MAC algorithm, given a n block plaintext message T and its corresponding MAC M?
sg flag

I'm trying to carry out a forgery attack on a CBC-MAC algorithm that automatically pads the message.

I have a 5-block message T, consisting of T1, T2, T3, T4 and T5 and its corresponding MAC M. The message is shorter than 5 * block length so it is padded.

I want to construct a message that is not T but has the same MAC M.

Most other questions I have seen are done over either 1-block or 2-block messages ...

Score: 0
Shafin Kamal avatar
Why is ECB mode unsafe if the key is kept secret?
tf flag

this is my first post so I apologise if the formatting of my post isn't perfect.

I should start off by saying that this post is not for any malicious intent, rather for curiosity and understanding AES encryption/decryption.

I have been doing research about AES encryption and everywhere says that ECB mode should never been used and often refers to the famous Linux Tux penguin example. I understand ...

Score: 0
Barney Chambers avatar
Is it impossible to extract any data from an ECDSA signature of hashed data
md flag

I am trying to write a function that, given an EIP712 ECDSA signature, verifies the signature was signed by a particular person, and then (somehow) retrieves the information that is encoded in the signature.

Is it even possible to retrieve the unhashed data from an EIP712 ECDSA signature, or is it only possible to verify the data that the signature contains, by already having this data in an unha ...

Score: 0
shanzhuer avatar
CTF question with hint "Quadratic method to solve ifp problem"
ad flag

I totally have no idea about this Rabin decrypt problem. source code:

https://github.com/shanzhuer/myctf/blob/main/crypto/rabin.py

Inside there were $2^{21}$ times of encryption and decryption of Rabin-cryptosystem, with 126 bytes plaintext, 1024-bit public key $N$(unknown 512-bit $p$ and $q$ when $p*q=N$)

the output log is $\dfrac{140}{2^{21}}$ decrypt failure because $2$ small root of ciphertext(less  ...

Score: 1
user2383960 avatar
Why is $\operatorname{Hash}(x \oplus y)$ not a secure proof-of-work algorithm?
na flag

$x$ is challenging string, $y$ is proof string. $\operatorname{H}$ is the proof-of-work (pow) function, to find a $y$ such that $H(x,y)<2^{256}/D$

  1. $x ,y = \{ 0, 1 \}^{512}$
  2. $\operatorname{H}(x,y) = \operatorname{SHA-256}(x \oplus y)$
  3. find a $y$ such that $\operatorname{H}(x,y)<2^{256}/D$

the question is to prove:

If difficulty $D$ is fixed ahead of time, attacker can find $y$ with minimum of  ...

Score: 1
user1563721 avatar
Standardized names of cryptographic algorithms
cn flag

I am using micro-services to interact between various cryptographic technologies like HSMs, keystores, vaults, etc., that are written in different languages. Usually, each technology, or even vendor, is using different names of the cryptographic algorithms, and in some cases they are also case-sensitive.

For example, Java Security Standard Algorithm Names contains different algorithm names as JSO ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.