Latest Crypto related questions

What is the minimal computation time algorithm that I can use for E2E encryption in MQTT protocol which has never been used before

A prover has two pedersen commitments, $V_{a}=G\cdot a+H\cdot r_a$ and $V_{b}=G\cdot b+H\cdot r_b$, which commit the values $a$ and $b$ respectively.

The prover has another commitment $S_{\sigma}=G\cdot \sigma$ (which has no $H$ component). The verifier is provided with $V_a, V_b$ and $S_\sigma$. How can the prover prove that $\sigma \in \{a, b\}$ without revealing $a,b$ and $\sigma$?

Generally, we instantiate Ring-LWE with the polynomial ring $R = \mathbb{F}_q\ /\ (X^N+1)$ for prime $q$ and some power-of-two $N$.

Can we instead do Ring-LWE over the ring $R = \mathbb{F}_q\ /\ (X^N+1)$, where $q$ can be any prime power? Basically, this would mean the coefficients of ciphertexts are elements of $GF(q)$.

(Also, is this an unusual choice, or covered by existing literature that I'm not aw ...

I'm looking for a textbook or article that spells out the details of Kilian's paper on the completeness of oblivious transfer for secure two-party function evaluation (2PC). Kilian's paper is in the form of an extended abstract which doesn't include many of the details. Moreover, there have been many development in the 2PC theory since Kilian's seminal work, such as the universal composability framewo ...

This is taken from page 16 of Stacking Sigmas

Essentially, let $0<t<\ell$ be integer values smaller than a certain prime modulus $q$. We have a set $\mathcal{X}$ with $|\mathcal{X}|=\ell-t+1$, $[k]:=\{1,2,\ldots,k\}$ and $[k]_0:=[k]\cup0$. For a given set $A\subset\mathbb{Z}_q$, define the polynomials $$f_A(X)=\sum_{i\in A}y_i\cdot L_{(A,i)}(X)$$ where $L_{(A,i)}$ is the Lagrange polynomial ov ...

I'm enhancing the venerable ent randomness test suite. And I came across this idea in On Independence and Sensitivity of Statistical Randomness Tests.

"To have more confidence in a random number generator, it is advantageous to use as many randomness tests as possible. In this part of the study, we propose to apply simple transformations to input sequences that significantly change the output p-va ...

Consider the construction of "A Pseudorandom Generator from any One-way Function" [HILL99] in Hastad et al.

One way to proof pseudorandomness of this construction is by contradiction. That is, an assumed PRG distinguisher is transformed into a OWF inverter (usually through an intermediate notion called pseudoentropy generator). There is both a uniform and a non-uniform version, considering uniform resp ...

In LWE systems, why is it recommended to add only small error vectors to the system of equations and not big error vectors? Can someone come up with an example?

I'm trying to pad some plaintext to be a multiple of 16 bytes to use it as input in AES ECB block cipher.

 def encrypt(plaintext):
    plaintext = bytes.fromhex(plaintext)
    padded = pad(plaintext, 16)
    cipher = AES.new(b'0'*16, AES.MODE_ECB)
    try:
        encrypted = cipher.encrypt(padded)
    except ValueError as e:
        return {"error": str(e)}
    return {"ciphertext": encrypted.hex( ...

As we know, the popular PEM format for textualizing private key binary blobs uses base64 encoding. Typical base64 codecs use look-up tables to find characters and byte values and pack them together, and this represents a memory side-channel.

While in most cases, loading of private key is completely opaque to the clients of servers that loads them, there may be situations that necessitates side-ch ...

How to determine the homomorphic encryption CKKS scheme's parameter bounds for correctness and 128-bit security using some specific floating-point numbers and specific computation metrics like summation or variance?

Any formal proof and theoretical process to decide the parameters like polynomial degree and so on?

I need to generate a key and IV that will be used to encrypt multiple things over a period of time with AES in CFB mode. The decision to use AES in CFB mode is not mine to change and the key will only ever be stored in a secure way or transmitted out-of-band (i.e., not over any network where it could be intercepted)

What's the best tool for generating such a key and IV on Windows in a way that en ...

Assume there are multiple secure elements, and also multiple man-in-the-middle or malwares. How can any two secure elements authenticate each other without a third party and hard coding something in all elements? Since a hard coded code is vulnerable and can be attacked by brute force.

I'm currently working with an undocumented crypto offload processor that is capable of accelerating modular multiplication in some fashion. I need to figure out what operation it is implementing exactly in order to emulate it in software.

The hardware has four big integer inputs:

• Multiplicand $a$
• Multiplier $b$
• Modulus $p$
• Unknown value, let's call it $q$

The output is a single big integer $r$ of the s ...

I can see that True Random Number Generators can produce some null bytes, after some megabytes of data, even 2 consecutive null bytes are produced:

$ timeout 0.5 /usr/sbin/haveged -n 0 -f - | xxd -p | grep "^0000"
haveged: command socket is listening at fd 3
Writing unlimited bytes to stdout
000010aa8070250869b3727f3f30cf87ae9554207180928e3e638bb58efe
0000677b49156973346bd9d9e358ca920755a519230a0e2 ...

Suppose that a prover holds two secret values $x,y\in\mathbb{F}$ and both the prover and verifier have $z\in\mathbb{F}$. The prover wishes to prove that $z=x+y$ without revealing $x,y$ to the verifier.
We can further assume that the verifier has access to some oracle which confirms whether commitments $X,Y$ to $x,y$ are honestly generated.

One way of doing it is the following: The prover sends $X  ...

Recently, I read here on Crypto SE that $2^{60}$ doesn't provide enough resistance to current adversaries. Could someone please provide me with good references related to that threshold, or any updated versions of it, say, $2^{70}$ or $2^{80}$?

I made an effort to find the exact discussion, but, unfortunately, I was unable to locate it.

I would like to understand how Keccak's permutation function is reversible. The difficulty I have is with the $\chi$ step that uses the and operator which is not revertible. All the other suboperations are using xor and rotations which can be reversed.

Let's say we embed a text using steganography by modifying an existing cover object. What would be the steps needed to be done on the message?

I can think of

• source coding (compression)
• channel coding (adding redundancy)
• encryption

Do I forget anything? What methods would you use for each step? And how the efficiency of the steps differ when I change the message size?

Assume the following:

• $E: \{0, 1\}^k \times \{0, 1\}^b \rightarrow \{0, 1\}^b$ is a block cipher with a $k$-bit key size and a $b$-bit block size.
• $T$ is a $b$-bit authentication tag that is guaranteed to be untampered with (e.g., by being calculated abd stored by a trusted system).
• $X_i$ represents the $i$^th of a string of data blocks that $T$ is calculated against.
• $X_i \in \{0, 1\}^b$.
• $K_1$ and

Rust and NodeJS implementations of ECDH on secp256k1 produce different shared secrets, when using identical keypairs:

NodeJS:

sk1 <Buffer 71 17 9b 99 1d 76 93 de 81 3a ea a5 bf a2 41 a2 ac 9e 05 35 86 7e bf 8f 6b 1b 08 84 47 2e f4 a7>
pk1 02de4cba976ab77795c46c1c3b95afc077b17afe1bca02d28963a3bcdd9c082168
sk2 <Buffer 1e 11 4f 23 7e 3c 59 ba 2b 92 ae df 21 3f 11 27 c9 16 9c 03 97 52 49 5c 1f fb 64  ...

I've been reading "Misuse Attacks on Post-Quantum Cryptosystems" (https://eprint.iacr.org/2019/525). In what scenarios are the attacks described in the paper applicable? Is it specifically if a key is reused to generate more than one encapsulated key? Or is it more general? Does it apply to all 'unfailing' reconciliation mechanisms?

Consider two data streams $a_1,\cdots, a_n \in [a_{min}, a_{max}]$ and $b_1,\cdots, b_n \in [b_{min}, b_{max}]$, Such that $[a_{min}, a_{max}]$ and $[b_{min}, b_{max}]$ do not overlap.

A Differential private mechanism (Laplacian with privacy budget $\epsilon$) with zero mean and scale parameter $\beta$ is applied to these streams with different ranges to generate the DP-induced output streams $a^{\pri ...

In round 4, protocol evaluates a(zeta), b(zeta), c(zeta), Sσ1(zeta), Sσ2(zeta). I know linearisation trick in round 5 implies the identity of other terms. Can we evaluate other term e.g. Sσ1(zeta), Sσ3(zeta) instead? Is there any consideration behind these selected terms in paper?

ref:

1. PLONK paper: https://eprint.iacr.org/2019/953.pdf
2. https://hackmd.io/@aztec-network/ByiUK_Plt

I am currently trying to solve a training challenge based on AES with CBC. This is the infos I'm given:

KEY = "yn9RB3Lr43xJK2██".encode()
IV  = "████████████████".encode()
msg = "AES with CBC is very unbreakable".encode()

Those spaces are unknown characters, and I also have the output:

c5████████████████████████■...

The Windows RNG infrastructure is specified in this article. On page 4, it states that the PRNG called AES_CTR_DRBG is used (with 256-bit security strength).

According to Wikipedia, this PRNG has security problems when used with certain parameters.

Specifically:

When AES is used as the underlying block cipher and more than 128 bits are taken from this pseudorandom number generator, then the resultin ...

so recently I've been exploring zk-SNARKs algorithm, and I have a maybe stupid question. For example, let's take $x^2+x+1$ and make an algebraic circuit from it:

1. $y=x*x$
2. $sum=x+1$
3. $out=sum+y$

(First question: are finite fields needed here?)

Now we need to construct a R1CS to each gate. Our variables and one: ${1, x, y, sum, out}$

So we have:

1. $A_1 = [0, 1, 0, 0, 0]$, $B_1 = [0, 1, 0, 0, 0]$, and

I have a congruential generator where $$ r_{n+1} = r_n^2 - c\;(mod\;p) $$ known $r_0$, $c$ and $p$ can i get $r_n$ without having to compute all the previous values?

Let's suppose I have two 2GiB files and I want to encrypt them using One-time pad (Vernam cipher), but I don't want to store two big keys.

May I use only one key for the two files if I encrypt the One-time pad key two times with a block cipher with two different keys for block cipher? I mean, take the One-time pad key, encrypt with a block cipher and XOR file 1, and repeat with the file 2 but usi ...

print(tan(int.from_bytes(open("plain.txt", "rb").read().strip(), "big")).n(1024))

Its sage code. How difficult or easy is it to recover the plaintext from the output of this code? I don't think the hash collision, or second preimage attack will be usefully unless we know the length of the plaintext.

Is there any possible way to recover the plaintext efficiently or is there no other way?