Latest Crypto related questions

Score: 1
incisor_supervisor
Age: stream cipher with public key cryptography?

I have some rudimentary cryptography knowledge but am by no means an expert.

I generally understand stream ciphers, such as ChaCha20-Poly1305, to be symmetric. I am wondering how age (https://github.com/FiloSottile/age) uses public and private keys to encrypt data with ChaCha20-Poly1305. Is it similar to how in some protocols asymmetric encryption is used to establish a shared symmetric key, or is ...

Score: 2
constantine
Is there a CRHF based on the integer factorization problem or the RSA assumption?

We know that in the black-box sense, we cannot use one-way functions to construct Collision Resistant Hash Functions. I feel that, in my impression, I have never seen a CRHF based on the integer factorization problem or the RSA assumption.

Score: 3
iwatanab
Anonymized Spatial Conflict Assessment - Suggested Approaches?

Scenario:

  1. There are 3 people: PERSON1, PERSON2, and PERSON3
  2. PERSON1 and PERSON2 each have a 2-dimensional polygon on an x,y plane
  3. It is PERSON3's job to assess whether the polygons overlap
  4. However, PERSON1 and PERSON2 must encode their polygons in such a way that PERSON3 cannot identify the location of their polygons, nor is it possible for PERSON3 to decrypt the polygons.
  5. Despite this, PERSON3 mu ...

Score: 1
HarryFoster1812
Are lattice-based cryptography and error-correcting codes mathematically unsound?

From Ronald de Wolf's The potential impact of quantum computers on society:

The first is so-called post-quantum cryptography. This is classical cryptography, based on computational problems that are easy to compute in one direction but hard to compute in the other direction even by quantum computers. Factoring does not fit this bill because of Shor’s quantum algorithm, but there have been propos ...

Score: 2
timberus
I understand the authentication procedure, but are replay attacks possible in these scenarios?

Would a replay attack be possible in any of these scenarios? My understanding is that in only images 3 & 4 it is possible.

Score: 1
HarryFoster1812
Why can't we just increase the bit length to counteract Shor's algorithm?

I know that it sounds like a very stupid question, but if Shor's algorithm has a complexity of roughly $n^3$, why can't we just increase the bit size until the time for the algorithm to run is infeasible on a quantum computer? Or would it just take too much memory and too much computation for RSA/ECC to be worth it?

Score: 2
sbluff
Goldreich-Levin Theorem

I am running into the Goldreich Levin Theorem.

According to what I know a predicate $h: \{ 0,1 \}^* \to \{ 0,1 \} $ is a hardcore predicate for a function $f: \{ 0,1 \}^* \to \{ 0,1 \}^* $ if:

  1. $h$ is deterministic and efficiently computable
  2. It's hard to find $h(x)$ given $f(x)$ for any probabilistic time adversary

The Goldreich Levin Theorem states that a hardcore predicate can be found given any OWF ...

Score: 2
sWong
Is it possible to reverse GHASH from GCM?

How can I create a "reverse" GHASH algorithm for GCM that allows me to compute an input value that generates a specific chosen output, given that I know the authentication key H? If this is possible, what is the process for achieving this?

Score: 2
Mario
Upper bound for the Gap Diffie–Hellman (in the generic group model)

Does there exist an upper bound for the advantage of solving the Gap Diffie-Hellman problem (possibly expressed in terms of the order of the group, number of queries to the oracle, time, etc.)?

Score: 4
user
Why did post-quantum key exchanges go extinct?

On July 5, 2022, NIST chose one KEM (Key Encapsulation Mechanism) as a PQC standard and 4 KEMs as fourth-round candidates. Why aren't there any key exchanges?

Similarly, KEMs are usually studied in literature. The post-quantum key exchanges in literature are very rare. Moreover, in those key exchanges, the message to be shared is generated by one party. I do not see any post-quantum key exchange  ...

Score: 0
Sujan SM
How is MLWE used for key generation in Kyber?

I've been reading about CRYSTALS-Kyber, and I read that in the key generation process, the public key pk is computed using the secret key s in such a way that the error e is added to the inner product of a random matrix A and the secret key s.

It is said that an attacker trying to crack secret key from public key needs to solve Module-LWE problem to do so, which is computationally hard.

My question is how  ...

Score: -1
Murrchalkina
Can I use many iterations of the HMAC function instead of PBKDF2?

I know that PBKDF2 uses HMAC with a SHA-2 function as its PRF. But can I use many iterations of HMAC with SHA-2 directly? Is this effective and secure? P.S. I need the best function, but I can't use bcrypt, Argon2, or PBKDF2.

Score: 1
frt132
In Zcash, how does a recipient look up which transactions belong to him/her?

For Monero, the scheme for stealth addresses is pretty straightforward. (For example: https://monero.stackexchange.com/questions/1500/what-is-a-stealth-address) However, I haven't found any details on how the same functionality is done in Zcash, can someone provide more information on this?

Score: 3
brethvoice
Does NordPass Make the Same Error SpiderOak Stopped Making in 2017?

According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown here:

https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489

NordPass has yet to walk back its claim to a zero knowledge architecture:

https://nordpass.com/features/zero-knowledge-architecture/ ...

Score: 3
Emison Lu
Garbled circuit and secret sharing

Recently, I was reading the paper One Hot Garbling, published at CCS 2021. I noticed a sentence in it:

In this work, we forgo the standard GC notation of garbled labels in favor of garbled sharings of cleartext values held by G and E. This will be convenient for handling vectors and matrices of bits.

I don't understand what garbled sharing is. How do we construct a 2PC protocol through garbled sharing? what i ...

Score: 3
STARKs for arbitrary computation

I have been reading Vitalik's series on STARKs recently (Part 1, 2 and 3). It is a nice and very understandable read for a layman like me.

Brutal summary of my current understanding

Vitalik outlines the following technique to prove the correctness of some arbitrary computation:

  • Encode the computation trace in the values of a polynomial P(x).

  • Define a constraint checking polynomial C(z) such that, if ...

Score: 2
Cisco Saeed
XZ coordinates for Montgomery curves

I am learning about elliptic curves and I have reached Montgomery curves with XZ coordinates, with this equation: $b y^2 = x^3 + a x^2 + x$, and regarding the information from this link: XZ coordinates add and doubling

and I made this small code in MATLAB to understand the concepts:

% Define the elliptic curve parameters (Montgomery form b*y^2 = x^3 + a*x^2 + x over GF(p))
a = 1;
b = 1;
p = 23;
% Define the base point (X1 : Y1 : Z1) in projective coordinates
X1 = 8;
Y1 = 3;
Z1 = 1;
% Doubling in XZ coordinates
X3 = mod((X1^2-Z1^2)^2 ...

Score: 2
Paritosh007
Why is the joint distribution of simulation output and functionality output required?

I was going through this simulation tutorial.

For example, let x and y be lists of data elements, and let f be a functionality that outputs an independent random sample of x ∪ y of some predetermined size to each party. Now, consider a protocol that securely outputs the same random sample to both parties (and where each party’s view can be simulated). Clearly, this protocol should not be secure. In  ...

Score: 2
BillyJoe
Application firmware sign-then-encrypt vs encrypt-then-sign

I know that there are previous questions on the subject e.g. here, however I would like to ask it for my particular (simple) case.

I have an application firmware that is downloaded to a microprocessor through a bootloader firmware that is taking care of decryption and signature verification.

The signature is implemented through RSA. The bootloader has only one public key to authenticate the application  ...

Score: 0
Rory
What is this parameter in Lyubashevsky's ID-scheme?

I am studying Lyubashevsky's ID-scheme from the article Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures (https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf) by Vadim Lyubashevsky.

I am trying to work through the soundness and completeness of the ID-scheme through the four steps offered in section 3.1. In step 1 it is claimed that the completeness (probability t ...

Score: 3
Shweta Aggrawal
What is the difference between Ring Signature and Multi User Designated Verifier Signature?

I was going through some text related to designated verifier signatures (DVS). I came to know that a DVS can be thought of as a two-party ring signature. Can we extend this concept and say that a ring signature is nothing but a multi-user DVS?

Score: 1
Joseph Johnston
Public seed expansion for uniform reference strings

Many cryptographic protocols are parameterized by a uniformly random reference string (e.g. the commitment key for Pedersen commitments). Our goal is to publicly generate the random values of this string (in a finite field), and to do so using the simplest and fastest seed-expansion process (measured, I suppose, in 'bytes per cycle').

In this scenario, we may have a set of public and random seeds,  ...

Score: 1
kyr0
Is my TypeScript scrypt implementation using Web Crypto API safe and correct? (Open Source)

I want to use TweetNaCl.js for encrypting user data that is stored in LocalStorage. Therefore, I want to prompt the user to provide a PIN/password that shall be used to derive a key that is then used as a secret key for TweetNaCl's secretbox.

Looking for a modern scrypt implementation in JavaScript, I couldn't find any implementation that is actively maintained / worked on in the past 4 years and that d ...

Score: 0
nsayer
EC: Can you derive Y from X for a public key?

I'm reading through the EDHOC draft spec and they talk about passing just the X portion of the (ephemeral) public key across in message 1. I've only ever heard of EC public keys (in this case the curve is P-256, if it matters) having both an X and a Y. The implication is, I guess, that you can derive the Y from the X? Is this true? If so, how?

Score: 1
thera
Standard vs. specific mappings in SP800-186 for code reuse between different curve models

The final SP800-186 outlines mappings between Twisted Edwards and Montgomery curves, and between Montgomery and Weierstrass curves.

These mappings are defined in Appendix B. Relationships Between Curve Models.

There are two types of mappings outlined:

  1. Standard maps between curves on these different models (both in B.1 and B.2), and
  2. Specific maps between Edwards25519 and Curve25519 (and E448 and Curve44 ...

Score: 3
Paul
GCM-SIV vs CBC with fixed IV?

I keep hearing that CBC with a fixed IV is bad because it has issues similar to the codebook breakdown of ECB mode. However, people seem quite willing to recommend AES-GCM-SIV for deterministic encryption. Why is GCM-SIV claimed to be superior to CBC with a fixed IV?

Score: 2
What degree of k bias is acceptable in ECDSA?

So there’s LadderLeak.

RFC6979 produces uniformly random nonce $k$.

There are other techniques, such as the hash-to-curve standard (draft-irtf-cfrg-hash-to-curve-16, section 5), which allow one to produce uniformly random scalars. They mention it's OK to use 128 additional bits of entropy, e.g. a 48-byte hash to produce a 32-byte private key, when targeting a 128-bit security level. The bias is still there b ...

Score: 0
shockedeel
BV FHE Scheme symbolic polynomial

Recently, I began researching fully homomorphic encryption. I'm reading the "Efficient Fully Homomorphic Encryption from (Standard) LWE" paper by Brakerski and Vaikuntanathan and came across this piece where they are multiplying two symbolic functions together where the function is defined as:

$$ f_{a,b}(x) = b-\langle a,x\rangle \mod q = b - \sum_{i=1}^{n}a[i]x[i] $$ and the multiplication: $$ f_{a, ...

Score: 3
Padding Oracle Attack with Length Prefix

I'm learning about the padding oracle and had a question about a modified padding oracle. Essentially the only difference is the length of the original message is prepended to the message as a 4 byte string. It is then padded and encrypted as normal. How would the approach to this scheme be different from the standard padding oracle attack?

Score: 1
Johnny Bass
RSA Key Generation & encrypted output using OpenSSL

When is it generally acceptable, if ever, to generate RSA keys without encrypting the PEM output with another encryption algorithm?

I am working on a CI/CD process and want to leverage asymmetric encryption, but not entirely sure whether or not it is safe to generate the RSA keys without encrypting the output. At the moment I am generating the private key and extracting the public key using the f ...
