Latest Crypto related questions

Score: 0
Jingyi Li
Can we calculate absolute value function in homomorphic encryption efficiently?

Is it feasible to efficiently calculate a homomorphic absolute value function over ciphertext given a pair of numbers $a$ and $b$, i.e., |a-b|? Although there are approximate methods that use addition and multiplication, their runtime in my project is intolerable. Is there any homomorphic absolute value function that is faster than homomorphic multiplication? And what if $a$ and $b$ are real-value v ...

Score: 1
qmango
Most efficient way to implement a 1-out-of-4 OT for GMW?

Assuming evaluation in the online phase (no beaver triple/offline method used), each AND gate in GMW must be evaluated using a 1-out-of-4 OT. I've seen some sources (here, and here) say this can be implemented using 3 1-out-of-2 OTs over 1 bit strings. Can it also be implemented from 2 1-out-of-2 OTs over 1 bit strings? (Assuming we can treat the 1-out-of-2 OT as a black box).

(Note: I know this  ...

Score: 1
lmmd1234
KEY using AES-128, If P is less than 128 bits, padded with 0 and create 128 bits, any problem if average pw length is 6

For communication between the client and the website, use the password (P) as the key using AES-128. If P is less than 128 bits, it is padded with 0 to create a 128-bit key. Is there any problem with such an approach if the average password length is 6?

Score: 0
TheIntern
Same hash for subsets of a set?

Suppose I have a set $S$ containing $n$ bit strings, where $n$ is on the order of about 10. Consider

$$\mathfrak{S} = \{ R : R \subseteq S, |R| \geq 2 \},$$

the collection of subsets of $S$ with two or more elements.

Does there exist a hashing function which outputs the same hash for any member of $\mathfrak{S}$?

A potential relaxation in which we order the elements of the subsets in $\mathfrak{S}$

Score: 1
Mumon
Binary Secret Sharing vs Garbled Circuits

In privacy-preserving machine learning, GC is usually used for privacy operations such as ReLU(x), where sign(x) needs to be known. However, binary secret sharing also supports such computation via comparators ($[x]_{encrypted} > 0$) (this paper). When comparing the performance, binary secret sharing is usually way faster than garbled circuits. But why is garbled circuit still used in many related works, for

Score: 0
GGizmos
Is there any way to calculate the hash of (a + b + c) if you only know hash(a), hash(b) and hash(c)?

For example, if you have say, 3 distinct paragraphs of clear text a, b, c and you only know hash(a), hash(b) and hash(c), and then you have a clear text d, which claims to be the concatenation of a, b, and c, is there any way to use hash(a, b, c) to demonstrate that d either is or isn't a+b+c?

Not being a math person, I'm guessing there is a brute force way, depending on the length of a, b, and c  ...

Score: 0
Mhsz
How do I know the most efficient image encryption algorithm?

I am familiar with any algorithm that is based on the number of bits in a key (n-bit) and how to restore a key, such as the Discrete Logarithm Problem or Factorization. When I use any algorithm for encrypting and decrypting images, such as RSA, how can I estimate this algorithm's security and work efficiently with image encryption?

Score: 5
mikemaccana
Is 'authenticated' in AEAD actually authentication? Or is it message integrity?

Despite working with AES-GCM and other AEAD algos for a few years, I've struggled with the concept of 'authenticated' in the term 'AEAD'. In my own experience (of Unix, PKI and blockchain) authentication means being able to attribute actions towards a particular entity (eg, a user account). In the simplest case, say authentication on a Linux box, logging in would use the pam_unix Pluggable Authentica ...

Score: 1
Perseids
Gap in Shamir's Secret Sharing Scheme security proof

I'm trying to understand the security proof of Shamir's Secret Sharing method, as I want to adapt the polynomial creation a bit, and I've found the proofs I had available to be surprisingly vague or holey.

Some nomenclature

Given a secret $S$ in the finite field $\mathbb{F}_p$ for a $(k,n)$ threshold scheme, Shamir's Secret Sharing method generates coefficients

$a_1, \dots, a_{k-1}$ randomly a ...

Score: 3
Ben Zelnick
Is a simple KMAC-128 or KMAC-256 hash secure as a KDF?

Context

I am trying to build a simple protocol for key derivation. I want to use SHA-3 family hash functions, which (as far as I understand) should not be combined with HMAC because their security properties make HMAC redundant. Thus, HKDF — which uses HMAC — would also be unsuitable for key derivation using SHA-3 family hash functions.

Proposed Protocol

Suppose that Alice and Bob derive a sha ...

Score: 1
Mona
Shamir's secret sharing homomorphism for different degree polynomials

The $(t,n)$ Shamir's polynomial-based secret sharing scheme is $(+,+)$-homomorphic, in which the addition of two polynomial secrets equals the Lagrange interpolation of the sum of shares for the same subset of shares.

My question is: Do the two polynomials need to have the same degree to satisfy the SSS $(+,+)$-homomorphic property? Specifically, suppose that polynomial $P_1$ defines secret

Score: 1
Ernesto Diaz
(DES) What is the probability that two keys (k1, k2) produce the same ciphertext given the same plaintext?

Basically, I need to find the probability that DES(p, k1) = DES(p, k2) = c

My guess is that probability = 1 / 2^64 since that's the total number of possible outputs, but honestly I have no clue about crypto. Thanks in advance for any help!

Score: 1
M0S1AM
Is concatenation of two distinct secure PRG still secure?

I'm new to cryptography and having a hard time understanding PRGs and PRFs.

Question: $G'(x)$ and $G''(x)$ are two different secure pseudorandom generators, and $G(x)=G'(x) \mathbin\Vert G''(x)$.

Is $G(x)$ still a secure

I thought $G(x)$ is secure at first, since $G'(x)$ and $G''(x)$ are secure, their outputs are uniform.

But I think it's not supposed to be correct later, since concatenation of them doe ...

Score: 0
biosbob
AES-CTR: using the same key and IV with unique messages

I have short (8-byte) messages which are effectively true random numbers, and I want to encrypt these messages with a (pre-shared) key....

I'm using AES-CTR for this purpose -- but with the SAME IV each time (which is seemingly contrary to best practice).... but since EVERY message that I'll encrypt with this key is unique, do I really have a security issue?

Score: 1
JAAAY
How to obtain inverse key stream efficiently on Present cipher?

I was taking a look at the PRESENT lightweight cipher presented here. You can see an implementation of it in Python here. It is basically a Substitution-Permutation (SP) cipher with ultra-lightweight encryption and lightweight decryption.

The algorithm for encryption is the following :

generateRoundKeys()
for i = 1 to 31 do
    addRoundKey(state, k_i)
    sBoxLayer(state)
    pLayer(state)
end for
addRo ...

Score: 2
If $e(aP, bP) = e(P, P)^{ab}$ then how can we solve $e(P^a, P^b)$?

I'm a bit confused regarding the bilinear pairing operation. Let's say I have a public key of a receiver $P_r = P^x$ and I want to create a symmetric key using KEM with a pairing operation. If I choose $R = rP$ and compute $V = (P_r, P)^r$, which results in $V = (P^x, P)^r = (P^x, rP) = (P^x, R)$. Here, I am confused about how I can solve $(P^x)$?

So, basically, my question is If $e(aP, bP) = e(P,  ...

Score: 2
BGWPVqRM3xIg
(How) can Argon2 be used to create both a hash for authentication and a secret key?

The Argon2 specs claim that Argon2 can be used both for password hashing and key derivation.

I want to generate from a single password both a hash for authentication and a secret key to use for encryption. (It would be nice if this could be generalized to any (reasonable) number of hashes and keys.)

From the specs, it is not clear to me why Argon2 can be used for key derivation; nor what related secur ...

Score: 3
eof
Does ECDSA leak information about the message hash?

ECDSA works by computing the hash of a message and then computing the signature for it. ECDSA uses the signature:

$$s = k^{-1}(h + rp_{pr})\,\textrm{mod } n,$$

where $n$ is the order of the group, $k$ is a randomly sampled nonce, $r$ is the projection onto the $x$ axis of $kg$, where $g$ is a group generator.

If you are only provided $r,s$, then I don't see any obvious way this would leak any bits of

Score: 0
cyborg
Feige-fiat-shamir without trusted center

Does anyone happen to have a link to a way to implement FFS without a trusted center? I'm positive that a modified version forgoes the trusted center (at the expense of efficiency), but am turning up nothing in my search for the paper(s) discussing this version.

Score: 1
Orla Mccoy
Prove security against passive attacks by reduction

I have two private-key encryption schemes ($Π$ and $Θ$) and their concatenation $Π\#Θ$. For example:
$$ Enc_{Π\#Θ}( \ ⟨k_Π, k_Θ⟩, \ ⟨m_Π, m_Θ⟩ \ ) = ⟨ \ Enc_Π(k_Π, m_Π),\ Enc_Θ(k_Θ, m_Θ) \ ⟩; $$ (Same for Gen and Dec)

I need to prove that if $Π\#Θ$ is secure against passive adversaries, then both $Π$ and $Θ$ are.

Actually I have proceeded by reduction, so I can prove that: ...

Score: 1
kelalaka
Can we achieve IND-CCA without a MAC?

In modern cryptography, IND-CPA is the lowest security we want. We want at least IND-CCAx security from encryption mode. Their relation can be found in

All classical block cipher modes of operations (CTR,CBC,OFB,CFB,PCBC), as stated confidentiality only mo ...

Score: 1
What arithmetic operations are supported from fully homomorphic encryptions(FHE)?

I'm wondering about what arithmetic operations are supported by FHE.

I want to know for 2nd Gen (BGV, BFV), 3rd Gen (GSW, CGGI), 4th Gen (CKKS)!

  • Can the 3rd Gen support more than and/or/not? I heard it is for a bit.

Thanks

Score: 2
Paul Uszak
Do we also have to transmit the salt with the ciphertext, in addition to the IV for authenticated point to point messaging?

Imagine a scenario whereby Alice and Bob have a symmetrical messaging system for talking with each other. It's effectively two polystyrene cups joined by a piece of string. Crucially, there is no central server, and nobody logs into nothing. They do though both have the same messaging application. Also imagine that their architecture transmits an IV, cipher text and HMAC as three separate parts of an En ...

Score: 1
שחר כהן
Linkable ring signatures: is it possible to check linkability between two signatures with different rings?

I have two linkable ring signatures, each signed with the same key pair. Therefore, the signer's public key will appear in each of the rings. However, the set of other public keys appearing in each ring is different.

Is it possible to tell that the same person signed both rings, or can this only be known if each ring contains exactly the same public keys?

Score: -2
user104620
Is it working?? (Asymmetric bilinear pairing)

Let us have $G_1 \times G_2 \to G_t$

let $g_1 \gets G_1, \\g_{2.1} \gets G_2, \\g_{2.2} \gets G_2$

$$e(g_1^a,g_{2.1}^b) = e(g_1, g_{2.1})^{ab}$$

$$e(g_1^a,g_{2.2}^b) = e(g_1, g_{2.2})^{ab}$$

Is it working?

Score: 1
CryptoGuru
Which hash functions provide 128 bit resistance?

I was wondering out of the functions (MD5, SHA-1, SHA-256, and SHA-512), do all provide 128-bit pre-image resistance and 128-bit second-image resistance?

Also, out of these hash functions, do only SHA-256 and SHA-512 provide 128-bit collision resistance? (Due to $l/2$ bits of security)

Score: 0
riordant
Getting bit length of exponentiation result before computation

I'm working in a context where it is cheaper to calculate pow(a,b) via modular exponentiation (modexp(a,b,m)) than to do exponentiation directly. For this I need the minimum modulus value such that the function returns only the exponentiation part of the function call.

Is there an efficient algorithm that exists to calculate the bit-length / highest bit set of a^b, where we just know these values  ...

Score: 1
sunknudsen
Is it normal that ciphertext size can be smaller than IV when using AES-256-GCM?

I noticed that when using AES-256-CBC with a 128-bit IV, the ciphertext is always at least 16 bytes long (size of IV).

I also noticed that when using AES-256-GCM with a 96-bit IV, the ciphertext size can be smaller than the IV.

Normal? Why?

Score: 0
What are Key Size requirements (rather than modulus size) for different Asymmetric Algorithms for 112-bit security?

A lot of writeups, books & webpages say that to get 112-bit security (i.e. $2^{112}$ steps), you need to use RSA or DH with 2048 key size or ECDH with 224 key size. In reality, I think what is meant in most of these cases is modulus size or group size rather than key size, but for some reason it's always referred to as key size?

I think the modulus size requirements are thus for 112 bit security ...

Score: 2
bertrandrussellsghost
Secure option for (hybrid) encryption of a secret key using JWE

I want to encrypt a private key $sk$ (it's actually an RSA private key in PKCS#8 format) with another person's (and/or my) public key $pk_A$ for secure storage. With JWE, it is possible to use hybrid encryption: we generate a random symmetric key $k$ to encrypt $sk$ and then encrypt $k$ with $pk_A$.

I would use AESGCM+RSAOAEP, though I've read that AESGCM should not be used for Key-Wrapping... but th ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.