/r/crypto

Cryptography is the art of creating mathematical assurances for who can do what with data, including but not limited to encryption of messages such that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This is a technical subreddit covering the theory and practice of modern and *strong* cryptography.

... is the art of creating mathematical / information theoretic assurances for who can do what with data, including but not limited to the classical example of encrypting messages so that only the key-holder can read it. Cryptography lives at an intersection of math and computer science.

This subreddit is intended for links and discussions surrounding the theory and practice of modern and *strong* cryptography.

**Please note that this subreddit is technical, not political!** The focus is on the algorithms and the security of the implementations.

Because this subreddit currently is in restricted mode, you will NOT be able to post or comment before your account has been approved. Send us a reason for why you want to join via mod mail, click here and tell us why you want to discuss cryptography;

https://www.reddit.com/message/compose/?to=/r/crypto

(along with normal reddiquette)

Don't forget to read our **RULES PAGE**! The rules listed there are also used as this sub's report reasons. The quick version;

- Assume good faith and be kind. This is a friendly subreddit.
- Codes, simple ciphers, ARGs, and other such "weak crypto" don't belong here. (Rule of thumb: If a desktop computer can break a code in less than an hour, it's not strong crypto.) You're probably looking for /r/codes.
- Do not ask people to break your cryptosystem without first sharing the algorithm. Sharing just the output is like...
- "Crack this cipher" challenges also belong in /r/codes
*unless*they're based on interesting crypto implementation bugs, e.g. weak RSA keys. - Familiarize yourself with the following before posting a question about a novel cryptosystem, or else the risk is nobody will take their time to answer:

Internal:

- Our wiki pages
- Threads on starting in crypto one & two
- Thread of crypto links - older thread
- Our monthly cryptography wishlist threads!
- Our hiring threads

External:

- Cryptology ePrint archive
- Discussion site for ePrint papers
- Libera Chat's IRC:s #crypto - (IRC protocol URL)
- Metzdowd cryptography mailing list
- Randombit cryptography mailing list
- StackExchange cryptography community

**Other subreddits that may be of interest:**

Theory:

Practical:

- /r/netsec - Network Security
- /r/RNG - Randomness generation
- /r/compsec - Local computer security
- /r/websec - Security in the browser
- /r/security - General security subreddit
- /r/privacy - General privacy subreddit
- /r/compsci & /r/ComputerScience - Development and application of algorithms

Educational, hobbyist:

- /r/codes & /r/breakmycode - For cracking basic codes
- /r/gpgpractice - Learn to use GPG here
- /r/primitiveplayground - test your homebrew ciphers here
- /r/stanfordcrypto

Political and in the news:

- /r/privacypatriots/
- /r/NSAleaks - Snowden documents and more
- /r/restorethefourth

Software:

- /r/gpg (fairly empty)
- /r/bitcoin, /r/cryptocurrency - crypto applied to money

Related:

- /r/cryptography
- /r/encryption
- /r/weboftrust (fairly empty)
- /r/capabilities - A type of security model
- /r/Intelligence - Espionage

Memes and low effort submissions:

Feel free to message the moderators with suggestions for how to improve this subreddit, as well as for requesting adding links in the sidebar.

/r/crypto

6

Wouldn't that mean the Department of Commerce has keys to the entire world's communications?

How would the Clipper Chip apply to foreign nations?

4 Comments

2024/10/31

01:29 UTC

01:29 UTC

7

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/10/28

11:00 UTC

11:00 UTC

6

G is the Generator of a Discrete Log Hard Elliptic Curve Group.

2 Private keys x1 & x2, corresponding Public Keys P1 = x1G & P2 = x2G.

Now P = P1 + P2 is also a public key with corresponding private key x = x1 + x2.

If I sign (Schnorr Signature) with x, does it only prove possession of the private key corresponding to P or does it also prove possession of the 2 individual public keys x1 & x2? Or if not proof of possession of both x1 & x2, does it atleast prove something more than just x?

I am looking up Monero Documents & they seem to do this (MLSAG) & it's kind of confusing me.

14 Comments

2024/10/24

10:57 UTC

10:57 UTC

8

Hello, I have a final project for my bachelor’s degree at university on the topic of private bidding using MPC protocols. However, my coordonative teacher didn’t really provide me with a lot of material or resources in that area and I need a starting point. Could someone give me some refferences on how to start, What to study? (I am familiar with pretty much any programming language, I know Docker and Linux so a simulation of the bidding process would be quite nice using containers)

7 Comments

2024/10/22

12:14 UTC

12:14 UTC

9

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

0 Comments

2024/10/21

10:00 UTC

10:00 UTC

5

Hello, Im currently making a encryption algorithm and I am trying to add a key exchange in my algorithm. I found a method using Diffie Hellman to produce integers however I need a key (datatype) that is bigger than 64!. Because Im shuffling an array of size 64. Im gonna use Fisher-Yates shuffle. Can I achieve this using Diffie-Hellman or is any key I produce with Diffie-Hellman is smaller than 64! ? Thanks in advance. If theres anything I couldnt explain, please ask!

7 Comments

2024/10/18

13:27 UTC

13:27 UTC

5

This is another installment in a series of monthly recurring cryptography wishlist threads.

The purpose is to let people freely discuss what future developments they like to see in fields related to cryptography, including things like algorithms, cryptanalysis, software and hardware implementations, usable UX, protocols and more.

So start posting what you'd like to see below!

0 Comments

2024/10/18

10:00 UTC

10:00 UTC

2

I'm doing Set 1 Challenge 6 from Cryptopals.

This is my code so far:

```
# https://cryptopals.com/sets/1/challenges/6
import base64
with open('repeating-keyXOR.txt', 'r') as file:
text = file.read()
decoded_bytes = base64.b64decode(text)
bits = ''.join(f'{byte:08b}' for byte in decoded_bytes)
# let's try keysize from 2 to 40
keysize_list = range(2, 41)
def hamming_distance(bytes1, bytes2):
bits1 = ''.join(format(byte, '08b') for byte in bytes1)
bits2 = ''.join(format(byte, '08b') for byte in bytes2)
counter = 0
for i in range(len(bits1)):
if bits1[i] != bits2[i]:
counter += 1
return counter
def find_keysize(text, keysize_list):
encoded_bytes = text.encode('utf-8')
keysize_dict = {}
for keysize in keysize_list:
first_four_chunks = [encoded_bytes[i:i+keysize] for i in range(0, len(encoded_bytes), keysize)][:4]
edit_distance = (hamming_distance(first_four_chunks[0], first_four_chunks[1]) / keysize +
hamming_distance(first_four_chunks[0], first_four_chunks[2]) / keysize +
hamming_distance(first_four_chunks[0], first_four_chunks[3]) / keysize +
hamming_distance(first_four_chunks[1], first_four_chunks[2]) / keysize +
hamming_distance(first_four_chunks[1], first_four_chunks[3]) / keysize +
hamming_distance(first_four_chunks[2], first_four_chunks[3]) / keysize
)
# divide by 6 to find the average
keysize_dict[keysize] = edit_distance / 6
min_keysize, min_value = min(keysize_dict.items(), key=lambda x: x[1])
return min_keysize
guessed_keysize = find_keysize(text, keysize_list)
blocks = [decoded_bytes[i:i + guessed_keysize] for i in range(0, len(decoded_bytes), guessed_keysize)]
def transposed_blocks(blocks, keysize):
list_of_blocks = []
for i in range(keysize):
new_block = b''
for block in blocks:
try:
new_block += bytes([block[i]])
except:
continue
list_of_blocks.append(new_block)
return list_of_blocks
block_of_blocks = transposed_blocks(blocks, guessed_keysize)
block_dict = {}
for block in block_of_blocks:
block_dict[block] = find_char(block)[0]
byte_sequence = list(block_dict.values())
# Combine all bytes into one bytes object
combined_bytes = b''.join(byte_sequence)decoded_string = combined_bytes.decode('utf-8', errors='replace')
print(decoded_string)
```

I got the key length of 3 and used it to decrypt the text. Since it was not a meaningful text, I understand that I the correct key length if different.

Could you please advise what I did wrong? I think something is not correct with the function find_keysize(text, keysize_list) but don't what. I take 4 chunks and go through all 6 pairs. Then I normalize all hamming distances by the keysize, and finally I divide total distance by 6 to find the average.

3 Comments

2024/10/18

05:36 UTC

05:36 UTC

5

I am implementing an anonymous credential system following Lysyanskaya, 2002, specifically much of chapter 3. We assume that the user (not anonymous) U has a user public key PK^(U) (I will try to do my best without LaTeX support here re: notation) and user private key, SK^(U.) When creating the pseudonym N, this user creates a key pair (PK^(N,) SK^(N),) but will not store these credentials. Upon pseudonym creation only, U will provide the pseudonym public key PK^N and the pseudonym private key SK^(N), but encrypted with their own public key PK^(U). That is, Encrypt(message: SK^(N), withKey: PK^(U)). Let's call this value EK^(N) for encrypted key since the notation will become quite unwieldy otherwise.

If I want to allow this user to authenticate as N, my thinking is the server (organization O in Lysyanskaya) stores the pseudonym N, the pseudonym public key PK^(N) and the encrypted pseudonym private key, EK^(N). This way if the user really is who they claim to be, then O can encrypt some random message m with the pseudonym public key, provide the user only with the encrypted message Encrypt(message: m, withKey: PK^(N)) and the encrypted private key EK^(N).

If the user is not U, all this info will be useless to them. If the user is U and thus has SK^(U), they can then return to O the original message m, and I will know that they have the private key SK^(U) and thus are authenticated as pseudonym N.

I would be storing the following tuples in the database (in two separate tables).

Users table: (U, PK^(U))

Pseudonyms table: (N, PK^(N,) EK^(N))

Is this safe to store in the database?

I don't plan on exactly broadcasting this value, but say if there was a data breach, would it still be safe and not risk de-anonymizing the user?

It’s worth adding that I have since asked this question to ChatGPT and it said that we must always assume that PK^(U) is public and even if someone could not *decrypt* EK^(N), that they could tell that PK^(U) was used to encrypt it if provided with PK^(U), thus de-anonymizing the user U. It suggested using a key derivation function instead to derive SK^(N). That is, the server would not even send EK^(N) and would only send the encrypted message E(message: m, withKey: PK^(N)).

2 Comments

2024/10/17

05:10 UTC

05:10 UTC

23

This is probably more significant than any of these papers coming out of China claiming to break RSA or Gift 64 using a western quantum computer. Scott Aaronson, the consummate quantum pessimist has rather abruptly changed his mind. The man who is famous for debunking claims related to quantum capabilities says:

To any of you who are worried about post-quantum cryptography—by now I’m so used to delivering a message of, *maybe, eventually,* someone will need to *start thinking about* migrating from RSA and Diffie-Hellman and elliptic curve crypto to lattice-based crypto, or other systems that could plausibly withstand quantum attack. I think today that message needs to change. I think today the message needs to be: yes, unequivocally, worry about this now. Have a plan.

https://scottaaronson.blog/?p=8329

Maybe he's been bought off by Big NIST or Quantinuum, but I kind of doubt it.

12 Comments

2024/10/16

17:18 UTC

17:18 UTC

4

Hey everyone, I am an engineering student working on a research paper on Zk proofs , I need a detailed contrast between zk snark and zk stark and all the future and current projects going on this topic. Where can I find some good resources to understand more about them. Also if there is a good resource to understand Binius.

1 Comment

2024/10/16

09:04 UTC

09:04 UTC

0

Does ChatGPT help in understanding cryptography papers? What should I do when I encounter concepts I'm not familiar with when reading papers? What are the most efficient ways to approach research?

A lot of topics sound like gibberish, I am also struggling to understand certain mathematical concepts. Any advice?

12 Comments

2024/10/15

19:12 UTC

19:12 UTC

3

Hi,

Given SHA256 is supposed to be random and well distributed, is it true to say that essentially each output can have an infinite and relatively equal number of collisions generated by infinite inputs.

i.e. given in reality we have infinite inputs to feed the function (think arbitrary long binary numbers), can we assume that a properly functioning hash function has "even and reachable" collisions across it's output space?

Also, how can we gain confidence that a specific hash function is random and evenly distributed?

15 Comments

2024/10/15

14:59 UTC

14:59 UTC

1

So I made this signature scheme, it's the most bare bones version available. Anyone see any obvious holes in the core algorithm?

It's python, so don't try are actually use it for anything.

I do imagine it's quantum resilient, but I'm curious if it's classically resilient. Here's the repository.

git@github.com:tart-grapes/dntl.git

Have fun.

2 Comments

2024/10/14

22:57 UTC

22:57 UTC

12

What happens when an X25519 DH process is performed using a private key and the public key derived from it? I've tried to find any work on this question, and my Google-fu is coming up short. Is the resulting shared key particularly weak? Does it reveal anything about the private key? Is there any place I can look for work done on this particular question? Thanks!

4 Comments

2024/10/14

20:15 UTC

20:15 UTC

0

Hello! I was wondering if anyone has utilized the relativity new/old rubber ducky tool by Hak5 on your airgapped machine and if it’s subtle or clonky. I was unimpressed by the video demonstrations…the reason I’m asking is I was curious as to the utility of putting an airgapped machine in a room covered in faraday fabric as a cheap alternative to well, a concrete bunker I guess. 😂😅

0 Comments

2024/10/14

18:30 UTC

18:30 UTC

5

Welcome to /r/crypto's weekly community thread!

This thread is a place where people can freely discuss broader topics (but NO cryptocurrency spam, see the sidebar), perhaps even share some memes (but please keep the worst offenses contained to /r/shittycrypto), engage with the community, discuss meta topics regarding the subreddit itself (such as discussing the customs and subreddit rules, etc), etc.

Keep in mind that the standard reddiquette rules still apply, i.e. be friendly and constructive!

So, what's on your mind? Comment below!

4 Comments

2024/10/14

10:00 UTC

10:00 UTC

2

Is there a known efficient way to generically convert a secure KEM into a signature scheme? I'm looking for a method that doesn't devolve to turning the KEM into an OWF and then building a hash based signature scheme.

I am aware that you can use a secure KEM to create a secure identification protocol like so(Assumes a secure channel):

```
1- Register with the verifier for a given identity a KEM public key (This needs to be trusted in some manner). The entity must retain their private key.
2- When an entity (Prover) claims to be a given identity, the verifier retrieve the known public key for that identity. If the identity is not known, either abort and fail or generate a random KEM public key(statically from the claimed non existent identity). Then encapsulate a shared secret using known_pub and send the challenge ciphertext.
3- The prover deencapsulates the challenge ciphertext and recovers the shared secret. This shared secret serves as proof of identity and can either be directly returned to the verifier or used in a MAC.
```

However, unlike Schnorr's identification protocol, I can not find a way to use the Fiat-Shamir transformation*. From my understanding, the reason why the KEM identification protocol works is that the random input to the encapsulation operation and the shared secret generated by it is kept secret. If I try to use a random oracle that is fed some data in our supposed signature scheme and use that to feed the encapsulation protocol, anyone with knowledge of the KEM public key(ie our verifier and would be adversary) can run the encapsulation function and generate the shared secret themselves without the need for the private key. I am not aware of any other way to convert a identification protocol into a signature scheme.

Is there any way to turn a generic secure KEM into a signature scheme without needing to dive into the specific properties of the KEM or it's underlying hard problem?

3 Comments

2024/10/13

12:46 UTC

12:46 UTC

5

hello everybody,

is there any way to generate an ecdh key with javascript in a browser and with c on a backend?

how are the common secrets calculated? im trying to get a edch shared secret in a browser and on a backend without using subtle on the backend itself?

thx

5 Comments

2024/10/12

09:04 UTC

09:04 UTC

8

Hey everyone, I am a third year engineering student, I have been researching zero knowledge proofs and I came to know that plonk is the most used and latest zk snark.I was wondering if there is any drawbacks in Plonk other that vulnerability against quantum computers attack. Please let me know if you have any knowledge in this matter. Also if u can suggest me any other zk snark that is being used other than groth16.

4 Comments

2024/10/11

18:14 UTC

18:14 UTC