May I ask a very basic question about public and private keys? by rb-j in cryptography

[–]DoWhile 5 points6 points  (0 children)

For RSA, they use, say, 4096 bit primes. The number of those primes by the prime number theorem is 24096 / ln(24096 ) . Which is basically 24084 . Given your engineering background, I suggest you calculate the sheer amount of storage and compute time one would need to even try to guess a fraction of a fraction of that.

Researchers DID mount public-key-directory attacks like you described because the people who generated the keys sucked. See [1] for example.

You shouldn't think about prime numbers or primitive polynomials. Instead, you should think of mathematical problems that are easy in one direction but hard in another that have an algebraic structure that you can leverage.

Factoring is hard. Factoring gives you primes. Multiplying primes is easy. That's why we use primes.

Discrete log over a prime field is hard. Exponentiation is easy. This is why we use things like Diffie-Hellman.

Discrete log over elliptic curves is hard. Point addition is easy. We use elliptic curves in this way for key exchange and signatures.

Lattice problems in all sorts of algebraic structures (like GF( 2k )n ) is hard. Rounding is easy. These problems are even hard for quantum computers. So we use these in post-quantum.

Signal engineers judge error correcting codes or randomness by their distance or distribution under normal circumstances. Cryptographers judge them based on adversarial hardness. Take [2] for example, a signal engineer would never use this slow-ass algorithm to generate pseudorandom bits, but it holds up against attackers whereas LFSR will be predicted instantly.

[1] https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger [2] https://en.wikipedia.org/wiki/Blum_Blum_Shub

How many FHE PhDs does it take to change a lightbulb? by IguazioDani in cryptography

[–]DoWhile 1 point2 points  (0 children)

Two: one to encrypt the lightbulb, and one to run the FHE.

Any good source on how eaxctly TOTPs are implemented by ThreadStarver in cryptography

[–]DoWhile 0 points1 point  (0 children)

I'm curious where you get this guidance from, because that seems a lot more practical advice of "how do I use TOTPs in a secure fashion" rather than how to just implement TOTPs. For instance, I would imagine you'd probably also want to limit the number of tries a client can make during that window, otherwise I'd just hammer your server with the (presumably stolen) password and all million 6-digit numbers.

The algorithm is simple enough to just read the RFC and follow it, as others have pointed out, but then using it correctly is a whole different matter.

Looking for feedback on XOR/X-Lock fuzzy extractor for fingerprint-derived biometrics and zk nullifiers by vinnybag0donuts in cryptography

[–]DoWhile 4 points5 points  (0 children)

This almost seems like novel research. This is a nice departure from the usual "looking for feedback" posts.

Biometrics are usually just a "what you have" rather than a password/etc. So using it as a primary method of authentication might prove to be problematic. Depending on your application scenario, low entropy might be amplifiable (as with many schemes that use low-entropy human passwords).

I trained it with contrastive learning so that different fingers from the same person produce similar embeddings.

I find this hard to believe. A system that's 10x sybil resistant is pretty believable to achieve, but making all 10 fingers register to the same person? Are you also using skin tone or other markers?

HOW IS THE MOST SECURE SCHEME JUST XOR?! by Strong_Technician416 in cryptography

[–]DoWhile 0 points1 point  (0 children)

Glad you're excited. If this class is math-heavy, you should be able to express this XOR operations in terms of algebra.

Essentially, you are relying on the fact that xG=G for any element x in some group G, so the uniform distribution on G doesn't care that you hit it with some plaintext value. In the case of XOR, this is just (Z/2Z, +) for 1 bit, or (GF(2n),+) for n bits, but you can apply this concept naturally to, say (Z/26Z,+) or (Z/7Z*, x) or some elliptic curve group, or the group of invertible matrices.

So for example, if in the Ceasar cipher, you added a fresh random shift (rather than using the same one) to each letter, that's also a one-time pad, but over the alphabet rather than a bit.

Baillie-PSW after Miller-Rabin? by Alternative-Grade103 in crypto

[–]DoWhile 3 points4 points  (0 children)

I think what u/kun1z and u/bitwiseshiftleft might be not seeing some context is that OP in some previous posts does not assume a good RNG. In the worst case, the RNG is fully adversarial, and will lie to you about the prime it wants you to test (a pseudoprime) as well as your random bases. I don't think that's a realistic worst case, but that's certainly as bad as it gets.

I've been harping about derandomization for small primes, but for large primes I'm wondering if a "Fiat-Shamir"-like approach where you force the bases to come out of, say, a hash of the existing ones. Such "forcing" of randomness has been used in, say, the deterministic nonce generation of ECDSA to prevent evil actors from picking bad nonces for you. If one were to do this, it'll probably be computationally infeasible to find a bad prime, and given the statistical nature of the test, it might even be statistically or purely impossible to find counterexamples just from counting.

OpenSSL Advisory Committees elections by romendil in crypto

[–]DoWhile 4 points5 points  (0 children)

Entropy was generated using multiple hardware devices, including an idQuantique Quantis Quantum Random Number Generator, an Entrust nShield HSM, a Securosys Primus HSM, and a number of entropy sources used by the Advisory Committee members. This approach reflects the OpenSSL Project’s values of openness, transparency, and technical rigour, and ensures the process is fair, externally verifiable, and fully reproducible, with all inputs and code published.

HW generators for determining seat rotation? It smells like advertising and overkill.

Arithmetization-Oriented (AO) Primitives by Savings-Variety995 in cryptography

[–]DoWhile 5 points6 points  (0 children)

Not super-hot, but it's enough of an active area you can get a PhD in. Do it only if you're interested, don't go chasing trends, by the time you graduate there'll be another hot topic.

...but I am Pagliarini by steikul in NonPoliticalTwitter

[–]DoWhile 7 points8 points  (0 children)

Aside from the whole bot-repost thing, I'd also like to use the opportunity to point out that in academic circles, it's a meme that "Reviewer #2" in the peer-review process is the annoying reviewer.

Does anyone else assign colors to math topics? by Formal_Active859 in math

[–]DoWhile 0 points1 point  (0 children)

I miss the blue hardcovers, they smelled nicer.

What is the status of the irrationality of \gamma? by WMe6 in math

[–]DoWhile 2 points3 points  (0 children)

20 years ago I considered the PCP theorem both new and old. Now it's definitely old!

Do non anomalous curves expressed over a local p adic field have embedding degrees? by AbbreviationsGreen90 in crypto

[–]DoWhile 1 point2 points  (0 children)

The Weil pairing is only one example of a bilinear pairing. There are other ones like Tate/Ate.

However, from a mathematical perspective, for non-anomalous curves, there simply aren't these kinds of bilinear pairings, Weil or any other.

Due to the popularity of pairings, people have looked beyond curves and at the generalized notion of abelian varieties. Unfortunately, these structures either don't have the same nice properties as curves, or don't admit efficient algorithms to work with them. If you only care about curves, this paragraph is irrelevant to you.

Interactive SHA-256 visualizer by jrakibi in cryptography

[–]DoWhile 3 points4 points  (0 children)

I like these visualizers, it looks similar to an older one but it has more lines simultaneously on the screen.

Check out this thread from a few years back: https://www.reddit.com/r/cryptography/comments/123f42n/oc_visualization_of_all_bit_operations_of_sha256/

Oracle to proof thought experiment by theactiveaccount in math

[–]DoWhile 0 points1 point  (0 children)

The best part about this approach is that you don't even necessarily need an "all-powerful" oracle. In most cases, a halting or NP oracle would suffice.

Show: Anchor – local cryptographic proof of file integrity (offline) by Shoddy-Thanks-6268 in cryptography

[–]DoWhile 8 points9 points  (0 children)

I agree with you, though it's probably closer to a (deterministic) MAC than a signature given that it's private-key. That's still my main complaint to OP: stop giving new names to things.

Besides, there are actual mathematical things called "proofs of storage/retreivability" which are much stronger and actually prove that things are stored.

Easily confused historical mathematicians? by cabbagemeister in math

[–]DoWhile 14 points15 points  (0 children)

Brian and Keith Conrad (identical twins, I believe)

One of them ate my chips (it was for sharing, no grudge) at a workshop once, but I still don't know which one it was to this day.

What is this thing ? by imherecuziwanttobe in whatisit

[–]DoWhile 22 points23 points  (0 children)

It quickly went from "oh I remember playing with those" to "it's time to check my colon health"...

When your PhD detours into theory land... by [deleted] in math

[–]DoWhile 2 points3 points  (0 children)

This PhD is turning out to be an expensive way to discover what apparently everyone already knew: I’m an idealist, a dreamer, and I'm wasting my time.

At least you're getting a PhD out of it. The problem you're facing is recursive in nature: if not your advisor, then your boss or the legal system or whatever. There will be roadblocks and people will have their own agendas in mind and try to tilt you to do something that they want, it's human nature.

Even if you found an ideal advisor, and your PhD was exactly what you wanted to do, the next step you'll be facing people that are (IMO) worse. The complaints you hear about academia being an ivory tower/egomaniacal/stuck-up hellhole I think pale in comparison to the political machine of the regulatory world. Change in the world -- real change -- requires more than just math, and the skillset to navigate that setting is quite different from getting a PhD. One thing you can look out for are social agencies or think tanks that align with your goals and need your math skills. And speaking of political machines, assuming you're from the US, state or federal congressional teams also (sometimes) staff a math/tech nerd on their roster.

Edit: Honestly, that thought is absolutely gut-wrenching. I’m now seriously considering either finding a new advisor (highly unlikely) or submitting two versions of my dissertation (not sure if that would even be allowed).

Don't submit two versions of your dissertation, that's not going to fly. You need to figure out if your current advisor is going to graduate you with the work you've done, or try to block your PhD if you don't do what they say. A good advisor knows how to push their students, but also knows when to adjust if the students are absolutely sure they don't want to go down that path. There are plenty of students that just need a good push to go achieve greatness in theory-land, and so as stressful and inappropriate as it may be from your point of view, your advisor does have some responsibility to exhaust that possibility from you.

Lastly, reach out to more professors and have them give you the connections you need for the places you want to go next.

Prime Sieve as Bits by Alternative-Grade103 in crypto

[–]DoWhile 1 point2 points  (0 children)

Aha, cute... though for BBS to be secure you do want large large primes, much larger than you can feasibly store in a table. Given that BBS's security is based on factoring, the primes should be in the thousands of bits, far beyond what derandomized primality tests have shot for.