Latest Crypto-related questions

Score: 2
DDD
Do homomorphic operations have to process one level by one level in BGV?

Suppose the highest level is $L$. There are 2 ciphertexts from 2 different messages under the same secret key but in different levels, one is in level $\ell$: $\mathsf{ct}(\pmb{m})\in\mathcal{R}_{Q_{\ell}}^{2}$, one is in level $k$: $\mathsf{ct'}(\pmb{m}')\in\mathcal{R}_{Q_{k}}^{2}$, and $k<\ell-1$.

We want to calculate homomorphic multiplication of $\mathsf{ct}$ and $\mathsf{ct'}$. Should we move

Score: 1
CryptoGuru
What does AES-GCM provide?

I am wondering whether AES-GCM, which uses authenticated encryption, provides us with all 3 properties (authenticity, confidentiality, and integrity), or does it not provide integrity?

Score: 2
John Targaryen
Where is hash to curve used?

I'm curious to hear of algorithms that use this new standard (there is a new IRTF CFRG Draft for it, for instance). It's useful for verifiably deterministic signatures on elliptic curves, but what else?

Score: 1
Daniele Linguaglossa
CTF AES attack (ECB, CBC, CFB, OFB, CTR)

Hi, I'm trying to understand the logic behind a CTF challenge. Basically we are given a program which encrypts some data; we have the following options:

  1. Select encryption mode (ECB, CBC, CTR, OFB, CFB)
  2. Encrypt the flag and see the resulting ciphertext
  3. Encrypt a chosen plaintext and see the resulting ciphertext

Now I think the weakest alg here is ECB, but brute-forcing a block of 128 bits seems not feasibl ...

Score: 3
user759
Semantic Security of Modified Textbook/Raw RSA

Here's a modification of the textbook RSA scheme, in an attempt to achieve semantic security.

Key generation: chooses public key $pk = (N,e)$ and secret key $sk = d$ as in any RSA-based encryption scheme.

Encrypting message $m \in \mathbb{Z}^*_N$ using $pk$: Choose $x\gets \mathbb{Z}^*_N$, output $\mathsf{ct}_1 = x^e \bmod N$, $\mathsf{ct}_2 = (m + x \bmod N)^e \mod N$. Output $(\mathsf{ct}_1, \mathsf{c ...

Score: 5
fgrieu
Consequence of improper validation in point decompression?

Assume a standard ECC curve in a prime field $\mathbb F_p$ with $p\equiv3\pmod 4$, such as secp256k1; and code turning a bytestring for a compressed ECC public key into an Elliptic Curve point, that does as specified except in the following two emphasized spots:

2.1. Parse $M=Y\mathbin\|X$ as a single octet $Y$ followed by $\lceil(\log_2 q)/8\rceil$ octets $X$.

2.2. Convert $X$ to a field element

Score: -4
Roy Nahar
Compressed Address public key

Is it possible to get the x, y of the compressed public key?

I have decompressed it and naturally it gives the xy of the decompressed public key.

I need the xy coordinates of my compressed public key. How do I get it? Is there a python script I can get my hands on?


Update: I have tried it via

#! /usr/bin/env python3 

import binascii 
  
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF ...

Score: 1
How does Ethereum BLS signature verification work?

I am implementing BLS signature verification on smart contracts and I have a question regarding the way that Ethereum verifies the signature. Recall that a BLS signature works as

  • $e(P_2,H(m)_1)_T=e(G_2, S_1)_T$ where $_2$ and $_1$ denote points of $G_2$ and $G_1$, and $_T$ for $G_T$.
  • Off-chain, you take your secret $x$ , and do $x\,G_2\to P_2$ (your public key).
  • You then provide your public key $P_2$
Score: 2
Carlos Ribeiro
Lattice-based Signatures and Hashes

Although many different lattice-based signature schemes exist, Hash and Sign signatures schemes, like [GPV08], are prevalent. On the other hand, it is well known that collision-resistant hash functions may be built out of lattice problems [SWIFFT08]. However, I've never seen a scheme that combines both; why? Such composition seems obvious, so I guess there is a good reason for its absence.

Can you h ...

Score: 1
Engo
Best hash for PBKDF2?

I have my own automated PBKDF2 implementation that automatically salts the hash. The output looks like this:

xxxxxxxxxxxxxxxxxxxxxxxx.xxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
\-- 24 byte salt ------/ \data/ \-- 48 byte output hash --------------/
  • Salt is a random byte array
  • Iterations are stored in data
  • Output hash is a derived key
  • Everything is encoded using Base64Url, not including dots

Score: 3
baro77
Use of term "Commitment"

As an amateur, my first encounter with commitments has been in the form of a hash of the committed value; then I have learnt about seeding the hash as a blinding technique. Going on, I have discovered how useful the structure induced by Pedersen or El-Gamal commitments is, and the binding/hiding flavours. All of this to explain my current background.

Recently I have had a bird's-eye view on KZG commitments

Score: 0
Caio Nogueira
Post processing operations on pseudo-random generators

I am struggling to solve this proof.

The goal is to prove that $H \circ G$, which is a composite function $H(G(s))$ can be a pseudo-random generator under some conditions on $H$, given that $G$ is also a pseudo-random generator. Note that $H$ is length-preserving.

However, I can't find a way to prove (using the definition of a pseudo-random generator) that if $H$ is bijective, deterministic, can be comp ...

Score: 3
jacobi_matrix
How can you use ZK-proofs and public key signatures in this situation?

Let us say that we have 3 entities: an Issuer I, a user/prover P and a verifier V.

  1. V trusts I but does not trust u
  2. u wants to show that he respects some kind of property (e.g. being over 18yo) to V without revealing their whole birthday
  3. V possesses the data that u needs to convince V, e.g. using a ZK-proof, but V would not trust such a proof because u could easily use a fake date

How would you desig ...

Score: 2
A probable attack for RSA (factorization): how to improve it?

$N=8*G+3$ can be factored if there is a non-trivial negative $k$ such that

$\frac{(N*(9+24*k)-3)}{8}=-6*m^2 $

[to exclude the two trivial solutions $m=\frac{(N+1)}{4}-N*t$ and $m=N-\frac{(N+1)}{4}-N*t $]

given the system

$ \frac{[[8*[\frac{(N*(9+24*k)-3)}{8}+2*x^2*h^2-2*x^2+2*x*h-2*x]+3+6*n-(n*(n+4))]-4*n*y-3]}{8}-[4-\frac{(-(2*h-2)-7)*(- ...

Score: 2
Kaiden Prince
How do KDFs work, and what existing implementations exist?

TLDR/End goal

I want to encrypt a tree of data/files so that anyone with the master key K can decrypt everything, key K-1 can encrypt and decrypt anything encrypted with K-1-*, and so on. However, K-2* must not be able to decrypt any of K-1*.

First ideas/initial research

To be quite frank the only way I can think of achieving this is have each key be a public-secret pair and have each child create their ...

Score: 1
DDD
How to understand these concepts in HE: Bootstrapping, Modular Switching, Key Switching, Evaluation, Relinearization?

I want to distinguish different concepts: Bootstrapping, Modular Switching, and Key Switching. I am also sometimes confused about Evaluation & Relinearization.

My understanding of these concepts is:

  1. Bootstrapping is a method to shrink errors in ciphertext.

  2. Modular switching is just an arithmetic technique to transfer, for example, ring elements in $\mathcal{R}_{t}$ into $\mathcal{R}_{q}$.

Score: 1
Hyunhum
How long does it take to decrypt an AES-encrypted message with salt (for the PBKDF2 key) and IV known?

I'm new to crypto!

The situation is,

  • An AES-256-CBC encrypted message (including the unencrypted IV & salt) is revealed.
  • We also know the PBKDF2 function uses 10000 rounds with SHA-256.
  • All we need to decrypt the message is just to put all the possible passwords into the PBKDF2 function with 10000 rounds & SHA-256,
  • and then decrypt the encrypted message with those keys, with the IV & salt revealed.

I tested with js code ...

Score: 0
zima blue
Is it possible to define a new custom signed attribute for CAdES?

Is it possible to introduce a new signed attribute in the CMS Advanced Signature format (RFC 5126) for a custom data type? I want to include location data from GPS or Galileo and extend CAdES for my thesis.

I would appreciate it if you can provide me with some directions if it makes sense.

Score: 0
How to test/calculate "how secure" an encryption algorithm is?

I'm new to the topic, guys, but as there are literally too many encryption methods out there, so many that I could even come up with many ideas of them myself, how do we actually test/calculate "how secure" an encryption algorithm is?

Do we have a standard or a formula that we can use to test the security level of an encryption algorithm?

And how strong would a monoalphabetic cipher be?

Score: 0
Aryan
Can two ciphertexts that decrypt to the same plaintext be statistically "distant"?

It might be a little dumb: I think it should be possible, if I encrypt a plaintext using the same public key twice, to end up with two ciphertexts for which the statistical distance is non-negligible.

Specifically, I was exploring a paper which required that the statistical distance between ciphertexts be negligible in ciphertext space (in terms of homomorphic encryption ...

Score: 1
Tom Finet
Proving semantic security implies security from key-recovery attack

I am working on problem 2.11 from the book: A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup. The problem reads as follows:

Problem 2.11: Let $\mathcal{E} = (E, D)$ be a cipher defined over $(\mathcal{K}, \mathcal{M}, \mathcal{C})$. A key recovery attack is modeled by the following game between a challenger and an adversary $\mathcal{A}$: the challenger chooses a random key

Score: 0
LlewellynS96
Is it secure to sign a JWT using RS256?

I have implemented an authentication scheme using JWT with asymmetric keys (RS256). The idea is that (assuming some microservice-based architecture) the authentication service will sign all JWTs with a secret/private key (PRIVATE_KEY) and distribute the public key (PUBLIC_KEY) to all other microservices, so they can verify whether 1) the JWT was issued by the authentication service and 2) the JWT was no ...

Score: 0
P_Gate
Question about the definition of the CVP as an approximation variant

I have a question about the definition of the (Closest Vector Problem) CVP. In the literature you can find for example this definition of the approximation variant of CVP:

$CVP_\gamma$, Search: Given a basis $B \in \mathbb{Z}^{m \times n}$ and a point $t \in \mathbb{Z}^m$, find a point $x \in \mathcal{L}(B)$ such that $\forall y \in \mathcal{L}(B)$,$||x-t|| \leq \gamma|| y-t ||$


Question:

My quest ...

Score: 0
HowieB
Why not use Diffie/Hellman Prime Numbers MUCH larger than 2048 bits?

Searches here indicate that D/H primes of 2048 bits are "safe"? How do we know that this is true? Using a pathetic retail laptop (Intel N5000 Silver) it's possible to find 60,000 bit primes and test them in about a week! Using a 60,000 bit prime in a custom D/H encryption program, and using the same pathetic retail laptop, encryption (or decryption) of a 100K byte message only takes a few seconds.

Score: 0
Gaston539
Is zero a valid exponent for a public RSA key?

I'm having an issue with a key created by the manufacturer of a piece of equipment. Checking the details of the key I've noticed that its exponent is zero. Is this a valid exponent?

Score: 4
seanL
XOR of a secure PRF is modified weakly secure PRF

While reading A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup, I came across the following exercise (Ex. 4.2 (b)): let $F$ be a secure PRF over $(K,X,Y)$ where $Y := \{0,1\}^n$ and $|X|$ is super-poly. Define $F_1(k, (x,y)) := F(k,x) \oplus F(k,y)$; prove that $F_1$ is weakly secure even if we modify the weak PRF attack game and allow the adversary A to query $F_1$ at one chosen point ...

Score: 4
Closest Vector Problem in RLWE

I am interested in a polynomial form of the lattice problem Closest Vector Problem (C.V.P), or in other words if C.V.P. can be ''transferred'' to Ring-LWE.

My idea about this question is that a polynomial form of C.V.P will look like the following:

Let $R = \mathbb{Z}[X]/\Phi_M(X)$ and its residue field $R_q = \mathbb{Z}_q[X]/\Phi_M(X)$ where $q$ is a modulus and $\Phi_M(X)$ a cyclotomic polynomial with

Score: 0
Juan Ramon Grandes
How to apply codes to hide information in JPEG images in a more efficient way than F5?

The F5 steganography algorithm hides information in images using binary codes. But when, while hiding a bit, the affected DCT coefficient becomes zero, it is necessary to hide the same bit again. This is because the receiver ignores DCT coefficients with a value of zero, and otherwise would not be able to read that bit. As this phenomenon usually occurs, the capacity is considerably reduced, at the same time a ...

Score: 1
heduncook
Could I Use a Hash Function to Help Generate Cryptographic Key

If I had a true random number generator that had a fault where 10-20% of the bits never change (these bits always produced the same value every time the TRNG was called), could I feed the result of the TRNG through a hash function (let's say SHA-256) to generate a unique and secure key?

Score: 6
randyrand
Do RSA signatures really need padding?

For encryption, we want identical plaintexts to encrypt to unique ciphertexts, also called Semantic Security.

For Signatures, the plaintext (i.e. message hash) is not a secret. The plaintext, if you can call it that, is publicly known. We don't need Semantic Security. There is no "plaintext", so to speak. We aren't encrypting.

So do we actually need padding in RSA Signatures? Does padding do  ...
