Latest Crypto related questions

Score: 4
kodlu
Discrete Logarithm Challenges and Records

I am wondering whether there are any current challenge problems for Discrete Logarithms.

Specifically in $\mathbb{Z}_p^\ast$ as well as in elliptic curve groups.

It turns out CERTICOM still has some ECC challenges, and it seems 131 bits is the smallest unsolved case. See the link here.

One concern I have is that given the 109 bit challenge was solved in 2004, is it the case that 131 bits is still out of ...

Score: 4
user1035648
Average- and worst-case complexity

The terms "average-case", "worst-case" hardness are quite confusing.

  1. What do they mean when they say certain problems (like lattices) have an average-case to worst-case relationship? Do they mean there is a polynomial reduction between the two cases of the problem? Because polynomial reductions are of interest to us as they are practical.
  2. If we call an instance of a certain problem has average-case hardness, ...

Score: 0
Flan1335
If ChaCha20 only has 128 bits, is it secure?

ChaCha20 also provides 256-bit encryption, i.e., 2^256 possibilities of keys. But ChaCha20 is very fast, I think it provides at most 2^256 multiplied by decrypting time. 256-bit AES provides 254-bit security due to biclique attack, i.e., 2^254 multiplied by decrypting time. Since AES is slower than ChaCha20 (decrypting AES ciphertext needs more time), I think even if biclique attack works, that 254-bit s ...

Score: 3
Abol_Fa
What is "auxiliary information" in context of cryptographic accumulators?

I have been reading a paper about accumulators (title of the paper: "Universal Accumulators with Efficient Nonmembership Proofs"). It mentions "auxiliary information" about a function, which I couldn't quite understand. Can anyone explain the term in this context?

Score: 1
js wang
How to deal with Pedersen commitment message or randomness overflow?

For EC Pedersen commitment: The two generators are G and H. Two messages and randomness are $m_1$, $m_2$, $r_1$, $r_2$, so the two Pedersen commitments are $Gm_1+Hr_1$ and $Gm_2+Hr_2$.

When adding these two, I get a new Pedersen commitment $G(m_1+m_2)+H(r_1+r_2)$ with message $m_1+m_2$ and randomness $r_1+r_2$. But then what if the message $m_1+m_2$ (or randomness $r_1+r_2$) overflows?

For example me ...

Score: 1
S-N
What happens if the column mixing in AES is replaced by simple XOR and subtraction?

This is the column mixing function of the AES algorithm as implemented in https://github.com/kokke/tiny-AES-c.

#include <stdint.h>

typedef uint8_t state_t[4][4]; // state type as declared in tiny-AES-c (added here for context)

// multiply by x (i.e. by 2) in GF(2^8), reducing with the AES polynomial 0x11b
static uint8_t xtime(uint8_t x)
{
    return ((x << 1) ^ (((x >> 7) & 1) * 0x1b));
}

// MixColumns function mixes the columns of the state matrix
static void MixColumns(state_t *state)
{
    uint8_t i;
    uint8_t Tmp, Tm, t;
    for (i = 0; i < 4; ++i) {
        t = (*state)[i][0]; ...

Score: 2
Paul Yu
How is the message considered in the STROBE-based Schnorr signature example?

I've been studying the Schnorr signature scheme and recently came across an example that uses the STROBE protocol. In the classic version of Schnorr signatures, the challenge e is calculated as e = H(m || r), where m is the message, r is an ephemeral value, and H is a cryptographic hash function. However, in the STROBE-based version of the Schnorr signature scheme, it seems that the challenge is generat ...

Score: 1
New Alexandria
Is there a type of method where multiple keys are involved, and final key produces invalid results unless all prior keys are used?

I'm looking for a mechanism for a type of cert/key signing, where multiple keys need to sign/encrypt something, and a final key/method does not produce a valid confirmation unless all those keys did sign/encrypt.

So maybe something like

  • raw data
  • action by key1
  • action by key2
  • action by keyN
  • action by final user/system

It's ideal if any of the Key1..N do not need to know about each other, or only know abo ...

Score: 1
TheReal_Skywalker
Can the last n bitcoin blocks (including transactions) be reliable enough to be used as a seed for a PRNG or an input to a crypto hash-function?

Suggested by u/HolgerBier on reddit

Is it unpredictable enough or too difficult to manipulate (as in more than a few hundred million USD) to have a sequence of blocks?

Score: 1
TheReal_Skywalker
What are some ways to produce a pre-determined sequence of a large number of dice rolls?

What are some ways to produce a pre-determined sequence of a large number of dice rolls (on the order of 100-1000 times) using biased dice or a biased human roller given the constraints that multiple dice (more than 2) have to be projected in one go from a height of at least 1 meter onto a transparent (acrylic/glass) platform? I'm looking for potential security concerns for a proposed method to gene ...

Score: 0
Ayden
Is it necessary to verify the access token signature in the context of a TLS connection with .well-known endpoint?

I'm developing a custom Authentication Socialite ADFS Provider using OpenID Connect: Authentication Flow.

Since I have a TLS connection between the client App and the Authentication server that issues the token, what is the point of verifying the access token signature? From my perspective, the connection is already authenticated with integrity.

The keys I would use to verify the signature are ex ...

Score: 1
miran80
Where in the TLS 1.3 record is the sequence number located?

The sequence number should be a 64-bit number in every TLS record, but the record header layer is only 5 bytes long, and I am looking at a Wireshark pcap where the TLS record only includes the header and encrypted application data. There is no sequence number.

Score: 2
LUN
Should a certificate message of a server be encrypted in TLS 1.3?

Section 2 of RFC 8446 says about the phase "Key Exchange": … Everything after this phase is encrypted.

The "Certificate" message is sent after "Key exchange" as the scheme in that section shows. So it seems to be encrypted.

I am confused that I haven't found a mention of certificate encryption in the "Certificate" section 4.4.2.

Could you explain to me: should the certificate be encrypted and (if i ...

Score: 2
LUN
"Supported groups" in RFC 8446 (TLS 1.3)

What is meant by "supported groups" in the section 4.2.7. "Supported Groups" of RFC 8446:
/* Finite Field Groups (DHE) */
ffdhe2048(0x0100), ffdhe3072(0x0101), etc:

Are the digits (2048, 3072, etc., and groups) simply the number of bits of the parameter p (modulus) in the DF algorithm, or something else?

Score: 2
MariaDb
Padding Oracle Attack Example

I am trying to understand a Padding Oracle Attack example. I tried to solve this question but couldn't figure out the answer.

A 7-byte message is padded per PKCS#5 and encrypted using the CBC mode of operation. The resulting ciphertext is
0x07 06 05 04 03 02 01 01, 0x08 09 0A 0B 0C 0D 0E 0F

Assume an Attacker modified that to
0x07 06 05 04 03 02 00 02, 0x08 09 0A 0B 0C 0D 0E 0F
and observed that the ci ...

Score: 0
Simon Balfe
Iterated hash functions

[image]

This image describes the basic idea of an iterative hash function. I am confused as to why the i value is set to be m+t+1 by default. Specifically, where does the 1 come from? m+t is just the arbitrary output size m plus the message chunk size t, but the 1 I'm confused about.

Score: 2
aryzing
What is the relationship between NIST and secp256k1?

While exploring secp256k1, I came across what seems like the official definition at https://www.secg.org/, specifically in https://www.secg.org/sec2-v2.pdf. In terms of authorship, the document only contains references to the Standards for Efficient Cryptography group and Certicom (acquired by Blackberry). However, many resources I come across mention "NIST curves" in the context of secp256k1.

I've  ...

Score: 3
PLONK: Why is the quotient polynomial multiplied by different powers of a challenge?

From the PLONK paper.

Page 29, Round 3

[image]

The paper doesn't explain the need or the use of the quotient challenge $\alpha$.

I understand why each of the polynomials is multiplied by $\frac {1}{Z_H}$ but don't understand why the second is also multiplied by $\alpha$ & the last by $\alpha^2$ - what purpose does the quotient challenge serve & why are different powers used? I can't find this discussed  ...

Score: 0
Xiangyu Zhang
Two problems about noise management of BFV

I am stuck on two problems in understanding the noise management of the BFV scheme, and I don't have any idea about them; please help me.

Problem 1:
In Lemma 3, the paper demonstrates that the norm of the noise after multiplying two ciphertexts $ct_0$ and $ct_1$ is $\left \|v_{mul}\right\| = E\cdot\delta_R\cdot(\delta_R+1.25)+E_{Relin}$, and I think the norm of $v_{mul}$ should be t ...

Score: 1
MariaDb
Cryptography particular block length valid message

I am new to cryptography and starting to learn some terms. I just saw a question in the book and didn't get a clue about it. Could someone explain the answer to this question to me? Because all of the options seem fine to me.

Assuming the block length is 8 bytes (L = 8), which of the following is/are valid coded messages?

  1. 0x01 FF 52 18 04 04 04 04
  2. 0x01 FF 04 04 04 04 04 04 ...

Score: 0
miran80
Why is IV in RFC8448 examples only 12 octets instead of 16?

I am working on manual decryption of application data in TLS 1.3 by going through example in RFC8448. I successfully derived and expanded key and IV, but the IV in examples is only 12 bytes long instead of 16, which is required for AES-128-GCM.

Score: 2
Luke Schlather
Are passkeys actually hardware keys or are they just reversibly encrypted keys secured by a hardware key?

Passkeys have this complicated QR code + Bluetooth dance to enroll a new device which seems like it ought to be securely creating a key on the device in a TPM.

However the messaging around "sync" seems to suggest that while that is happening, the device key is only used to encrypt a software key which is encrypted and synced to (Google, Amazon, Microsoft's) servers.

It seems like it would be more sec ...

Score: 1
DannyNiu
Is it fatal if a blockcipher uses a sbox with a fixed point at 0?

In a previous question, I asked how to implement arbitrary s-box in side-channel-free fashion. The code I posted in the question loops over all 256 values of a byte to avoid timing channel, and I want to change it to loop over the values of a word.

Before getting carried away and lost, I'm considering lazy-initializing the s-box table. Specifically:

  1. write byte-for-byte (i.e. 8-bit) sbox table.
  2. on the fi ...

Score: 1
Jeffrey
Proving scalar multiplication given elliptic curve points

From this blog post: https://medium.com/@VitalikButerin/exploring-elliptic-curve-pairings-c73c1864e627

if P = G * p, Q = G * q and R = G * r, you can check whether or not p * q = r, having just P, Q and R as inputs.

How?

It's easy to see p * Q = q * P = R. But I don't see the leap to proving p * q = r.

Score: 7
user109261
Generating suitable prime numbers for Paillier key pair in GG18

I am working on MPCs (multi-party computation) in crypto, and now I am developing an implementation of GG18.

In sign phase, algorithm needs MtA (Multiplicative to Additive) and uses a Paillier key pair for this.

Paillier uses modulus $N$ ($N=p_1 * p_2$†, prime numbers drawn at key generation). But we need to consider the order $q$ of the elliptic curve, secp256k1 for example, so the algorithm has ...

Score: 2
Rory
Where does the 8 come from? Generic Search Problem with Bounded Probabilities

I am working with lossy ID-schemes and their security in the QROM. Following the article of Kiltz et al., I am at a loss about the number 8 appearing in most reductions throughout the article. I know it comes from the Generic Search Problem for Bounded Probabilities, however how?

The Lemma from the article as well as the game for a quantum adversary is:

[image]

With the following proof in the appendix:

[images]

Any and al ...

Score: 1
Cat Dragon
Example of S-Box truth table in AES

I'm trying to understand some cryptographic properties of the s-box so I can write my own code. As an example of the balanced property, I read in this document that they say

A boolean function S : $ GF(2^n) $ $ \to $ $ GF(2) $ is called balanced if the output set contains equal number of ones and zeros in the corresponding truth table.

Example 2.2.3 We provide a comparison of balanced and unbalanced functions. Co ...

Score: 3
What does preprocessed polynomial mean in the context of PLONK?

The PLONK paper uses the term preprocessed polynomial many times.

  • For e.g. page 14

The protocol definition includes a set of preprocessed polynomials $g_1, \ldots, g_l \in \mathbb{F}_{<d}[X]$

  • Page 20

Preprocessed polynomials: The polynomial $S_{ID} \in \mathbb{F}_{<n}[X]$ defined by $S_{ID}(\mathbf g^i) = i$ for each $i \in [n]$ and $S_\sigma \in \mathbb{F}_{<n}[X]$ defined by $S_\sigma(\mathbf g^i) = \sigma(i)$ f ...

Score: 1
Mangudai
Does game-theoretical fairness work when the goal of one party is randomness

When we take the coin flip in Blum's algorithm in "Coin flipping by telephone a protocol for solving impossible problems", where Alice and Bob both want ownership over the same car, then one party (the adversary / Alice) can abort the protocol. Provided there does exist a powerful third party (e.g. the law), the protocol can be extended, to give the car to Bob in case Alice aborts. This makes the algori ...

Score: 3
ceaaj
How does JOSE/JWE make use of ECDH when encrypting/decrypting messages?

Disclaimer: I first posted this question on security.stackexchange some minutes ago but deleted it, this is probably a better place for it.

My goal is to use JWE with hybrid encryption (ECDH+AES) for exchanging sensitive data with another party. However, the example code I can find for various Java libraries doesn't match my understanding of how ECDH or asymmetric encryption with EC works in gener ...
