Latest Crypto related questions

We (collectively) salt passwords, then hash them; maybe even run them through something like PBKDF2 first (depending on how the password will be used).

The end result is that we have a string $p$ and map it to a fixed-length string $p'$ using a surjective transformation with the property that it is difficult to find any particular $p$ that maps to a given $p'$.

The fact that there are $\aleph_0$ pos ...

Good morning,

I've been struggling with this protocol for the last few days and I'm out of ideas now. The goal is to impersonate Bob by just modifying or dropping packages. The attacker(me) is a Proxy that is between the clients and the servers so any messages are first sent to me and I send relay them to the servers.

I have thought about setting up two sessions and do a Reflection but then the sess ...

I'm working on a system where I need to sign some data using an ECC private key and share the data and signature over a BLE ADV packet. Since an ADV packet is limited in space, I can't use a full ECDSA signature as the output is too large. As far as I understand, you can't readily truncate an ECDSA signature as you can with AES.

As an alternative, I am considering simply encrypting the data I nee ...

After reading that about "37% of the 256-bit outputs" of SHA-256 are unreachable when fed only 256-bit inputs [1] I'm curious & confused. The formula from the proof here considers a fixed "h-bit" input & output. How does this translate to the maximum number of internal states that are reachable within SHA3?

Does this mean ~37% of the internal states of SHA3 are unreachable after each of it ...

For the Substitution Cipher, for functions such as $$f(x) = x^k \pmod{26}$$ or $$f(x) = x^k + k \pmod{26}$$ (functions that consist of x^k), why do the values of k=5 or k=7 or k > 10 have one-to-one mapping? I know 5 and 7 are relatively prime to 26, however, what about 3 or 9? Also why do it map when k > 10?

I've been experimenting in python with different approaches to cryptographically secure pseudo random number generators, comparing them using the NIST testsuite implemented by https://github.com/InsaneMonster/NistRng/tree/master. My requirements are:

• must be cryptographically secure, so its output is suitable as encryption key
• only a relatively low number of outputs need to be produced (possibly ...

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P = (x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form or −P=(−x,y) in the twisted Edwards form like the case here with BabyJubJub.

But in ...

0

I have two questions:

1. Can someone point me to some solution providing multi-party {t,n}-threshold ECDSA?
2. I imagine that such a scheme works first by creating an ECDSA private key then sharding it to n subkeys, t of which subkeys are required to generate the initial ECDSA private key. Am I right?

I would appreciate any feedback on this topic as I am trying to wrap my head around such systems.

From the PLONK paper.

Page 18

We describe an optimization by Mary Maller to reduce the number of $F$-elements in the proof from $M$. We begin with an illustrating example. Suppose $V$ wishes to check the identity $h1(X) \cdot h2(X) − h3(X) \equiv 0$. The compilation described above would have $P$ send the values of $h1$, $h2$, $h3$ at a random $x \in F$; and $V$ would check if $h1(x)h2(x)−h3(x) = 0$

It seems to have something to do with their bootstrapping technique, that is build on blind rotations, but I fail to see why less than $8$ bits are used.

I have come across the TenSEAL tutorial on implementing homomorphic encryption (HE) and they mention the global_scale parameter.

(https://github.com/OpenMined/TenSEAL/blob/main/tutorials/Tutorial%202%20-%20Working%20with%20Approximate%20Numbers.ipynb)

global_scale: the scaling factor, here set to 2^40.

I am struggling to understand what it means and how to set its value in relation to the polynomial degre ...

Let $r(b,t)$ denote the bitstring $b$ rotated to the left by $t$ bits: for example, $$r(00110101,5)=10100110.$$

Let $m(b_1,b_2,b_3)$ denote the majority function: for example, $$m(10010111,00101110,10100000)=10100110.$$

Consider the following game. Player A picks three arbitrary $n$-bit strings $(S_1,S_2,S_3)$ and nine arbitrary integers $(k_1,k_2,\ldots,k_9)$ less than $n.$ Then Player A computes

 ...

I've developed an algorithm for fast modular exponentiation modulo composite numbers with known factorization. I'm not very well versed in cryptography, so I'm wondering if any of you know of an application of this algorithm to some cryptosystem. Even if there is no cryptosystem where this can be used, I'm also interested in similar applications, like pseudorandom number generation.

The main issu ...

I was wondering if anyone could clarify the differences between PCD vs Recursive SNARKs(like pickles) vs Non-uniform IVC(like hypernova)

They all seem very similar to me

I have read about Montgomery Multiplication on several sites, but I haven't found any examples on specific numbers that explain the algorithm to someone who doesn't have a PhD in number theory.

I know it involves converting the numbers into a special form called Montgomery Form, which makes modular operations easy and fast, and that converting to and from that form isn't exactly cheap, so we'd pr ...

$\bullet$ What does private-key functional encryption mean? Or functional encryption in private-key setting?
Wasn't functional encryption a generalization of public key encryption? So now, why do we have private-key functional encryption?! It's a little confusing.
I've seen a few sentences in Romain Gay's PhD thesis [Romain Gay's thesis 2019, pages 10-11].

A new construction of multi-input function ...

The LWE assumption states that it is hard to distinguish LWE samples from uniformly distributed samples. That is, the distinction $(A,b)$ with $A$ and $b$ uniformly distributed, is hard to distinguish from $(A,b=As+e)$, where $A$, $s$ are uniformly distributed and $e$ follows a different distribution.

However, in cryptographic applications, we have an additional message $m$ that we want to hide wit ...

This protocol is designed to establish a session key K'AB between two parties without the interaction with a server. In this case, the key KAB is a long-term key shared between Alice and Bob. I am supposed to create an attack, where i imitate Bob. I think it is a problem with the missing verification of Bob. I'm stuck with this task for a couple of days and can't get a proper answer. Please help

I have several mathematical operations on binary numbers that are special cases of more general arithmetic operations. I am wondering whether there exist more specialized algorithms purpose-made for these edge cases that are faster than the general algorithm. Could someone point me to such algorithms if they exist?

Please note I'm talking specifically about doing math on binary unsigned integers only. ...

Let's temporarily work upon the assumption that proper KBKDF functions do not exist, for the sake of argument.

Would keccak256 be a secure choice for a KBKDF that derives 256-bit keys from a 256-bit master secret $k_{256}$ with an arbitrary-length derivation path $p$? And is this true in general for hash functions that have the properties outlined below?

My thinking is:

• The input $k_{256}$ is high  ...

I am reading the paper Pseudorandom Quantum States,where the following candidate was shown to be a Pseudorandom state, called the complex random phase state:
$\mathrm{PRF}_k:X → X$ be a keyed pseudorandom function where $X = \{0, 1, 2, . . . , N − 1\}$ and $N = 2^n$ with $n$ being the security parameter. The family of pseudorandom states is then defined to be $$|\phi_k\rangle =\frac{1}{\sqrt{N} ...

This is most likely a dumb question. I'm doing a mathematical research project that overflowed a bit into cryptography. It got me thinking about something. Can the following cryptosystem work?

Let Alice and Bob share a private key $d$ using the Diffie Hellman key exchange, where $d\in \mathbb{F}_p$ for some prime $p$. If Alice wants to send Bob a message $x$, then Alice sends Bob the encrypted message  ...

I want a family of efficiently computable random-ish bijections $f_{k,n} : [0..n) \to [0..n)$ for $n \le 2048$. We cannot make the $f_{k,n}$ be secure for encryption at this domain size of course, but I really only need the set $f_{k,n}\big( [0..n/3) \big)$ to be distributed somewhat randomly. In particular, those set overlaps should've expected size $n / 3^j$ for $j$ distinct random $k$.

I could simpl ...

I am trying to understand how OpenSSL adds points on an elliptic curve. I have understood from here that ossl_ec_GFp_simple_add() is where the addition op works. Can anyone explain the algorithm used here? I know that it's working on Projective/Jacobian coordinates. Is it following the algorithm explained here?

1) For authenticated disk encryption, there are extra data such as IV or tag that need to be stored for all the alternative mods that are placed in Table 1. For these data, it will be necessary to use a sector other than the sector where the encrypted data is located. Consumed space by extra storage of tags or iv is relatively small problem. The main problem here is that you have to process at least ...

I am a student in the process of creating a firewall circumvention program based on smuggling data inside of legitimate HTTP. I have limited cryptographic knowledge.

I need a way to encrypt my higher-level protocol such that I get a random bytestream indistinguishable from random data that can then be disguised as images/video/etc. I plan to use symmetric encryption with pre-shared keys for simpl ...

Do any parallelizable cryptographic hash algorithms that allow for quick—preferably constant-time—recalculation of a hash result upon updating a portion of the data input exist?

I know that BLAKE3 is called "parallelizable", but a Merkle tree doesn't seem like it's what I'm looking for when the time taken to recalculate the final result changes according the input's size. I figured something  ...

I'm trying to implement HMAC SHA256 (I've implemented SHA256 successfully).

I am trying to find examples where they show the results after each HMAC stage (XOR, append, H etc).

Does anyone know of any resources which contain examples with the results from each step?

According to the ZKP MOOC lecture by Dan Boneh, it is possible to batch proofs from different polynomials and different points into a single group element:

Nonetheless, I haven't been able to find any protocol that provides this functionality since most of them batch proofs of the same polynomial on different points.

How could that be done?

I know that compressing data before encrypting it can cause a compression oracle attack such as in the CRIME and BREACH attacks, but if only part of the data is compressed, e.g. non-user controlled and/or non-sensitive data, and the user controlled/sensitive data is not compressed, but they are then encrypted together, does the compressed portion affect the security of the non-compressed portion? ...