Latest Crypto related questions

Score: 1
Can I use Argon2 to encrypt data?

Normally I use Argon2 to generate an encryption key, and then use AES to encrypt data with that key. Can I just set the hash size to be equal to the data size, set the associated data to a random value, and then just use Xor on the Argon2 output to encrypt/decrypt the data instead? Or are there some cryptographic properties that make it insecure to use it this way?

Score: 2
McEliece cryptosystem based on Goppa codes and Sidelnikov-Shestakov attack

Hello, I am trying to understand why the Sidelnikov-Shestakov attack doesn't work for the McEliece cryptosystem based on Goppa codes, whereas it works when it is based on GRS codes.

I understood how the attack works, but I don't see why it fails with Goppa codes, since they are quite similar to GRS codes.

On the 2007 paper https://www.degruyter.com/document/doi/10.1515/JMC.2007.009/pdf by D. Engelbert, R. Overb ...

Score: 2
Can you re-encrypt data without knowing what the data is or using PRE?

I'm currently working on a distributed consensus-based system. I currently give the system a private key through a threshold encryption model, and I want to be able to take some data encrypted with the network's public key and re-encrypt it with an arbitrary public key without any member of the network knowing what the data was.

I know proxy re-encryption is a good solution if the person who orig ...

Score: 0
How can I send someone a large file safely without using key exchange protocols (for encryption)?

I recently took an exam where one of the questions was roughly the following:

You need a specific way for sender S to send a large file M to a receiver R with their secret-public key pair, without interaction. You cannot use interactive key exchange protocols. The receiver’s public key is assumed to be authentic. The sender does not have her own public key pair. In addition to the strongest sec ...

Score: 2
Why isn't the provided scheme UF-CMA secure?

On an exam I recently took, one of the questions was:

Consider the following signature scheme. The public key is $(p,g,g^x)$, where $p$ is a large prime number. $g$ is a generator of $\mathbb Z^*_p$, and $x$ is a random number in $\mathbb Z_{p-1}$. The secret key is $x$. The scheme also uses a public hash $H(M)$ that maps arbitrary messages to $\mathbb Z_{p-1}$. The signature algorithm signs message ...

Score: 6
Does the order of validations and MAC with clear text matter?

I have a request in which I get a series of data in clear (nothing encrypted) and a MAC / authentication tag.

The question is whether the MAC should be validated first or if the fields are filled in or are numerical (or similar validations). I have always considered that the MAC must be validated first, however, I can think of no arguments for the case where the text is in clear, for the cipher  ...

Score: 0
Why is using a linearly increasing nonce in DSA a bad idea?

Suppose we sign and verify messages with a DSA scheme. Before signing the first message, the necessary parameters $(p,q,h,g,x,y)$ are initialized, including the nonce $k$ as an integer in $(1,q-1)$.
For each message, this value is increased by a fixed amount $b$. Therefore it grows linearly.
How can I prove that this approach is as vulnerable as using the same value of $k$ for every message?

 ...
Score: 2
PRF with one value changed

I'm having a problem proving the following; I intuitively think it is correct but can't formally prove why.

Given a PRF $F_k(x)$,

prove that the following is also a PRF:

$$ F'_k(x) = \begin{cases} F_k(x) & \text{if } k \neq 0 \\ \text{const (some constant value)} & \text{if } k = 0 \end{cases} $$


I found my mistake, I did not use the probability axioms correctly here is the full solution


Score: 1
Question about Threshold signature scheme "GG18"

I recently read the article on the threshold signature scheme “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” and I have a question.

In the key generation section, each player $P_i$ selects $u_i$ and then performs a $(t, n)$ Feldman-VSS of the $u_i$ value. In this case, other participants can make use of Lagrange interpolation to construct the polynomial related to $P_i$, and they can ...

Score: 2
Where can I find a clear diagram of the SPECK algorithm?

Where can I find a clear algorithm diagram of the SPECK algorithm? I want to follow the steps to write ARM assembly code.

Score: 1
How exactly is bilinear pairing multiplication in the exponent of g used in the zk-SNARK polynomial verification step?

I am reading this explanation of zk-SNARKs written by Maksym Petkus - https://arxiv.org/pdf/1906.07221.pdf

On page 24, the zk-SNARK of a polynomial is explained. In the setup phase, the proving and verification keys are created by a trusted setup. I understood how the proof is created using the proving key.

However, if we look at the verification key $\{ g^\alpha, g^{t(s)} \}$, I didn't get how it is used in verification  ...

Score: 2
Is a Pedersen commitment still secure when r is either 0 or 1?

Specifically, if we know that $r$ takes values from the set $\{0,1\}$ and $c = g^r \cdot h^m$, does the hiding property still hold? I think I already managed to prove that the binding property holds due to the difficulty of the Dlog problem, and my intuition says that the hiding property is compromised. But I can't seem to figure out a successful probabilistic hiding attack method that runs in polynomial time.

 ...
Score: 0
Data structures for linking blockchain accounts

I want to use a data structure like a Merkle tree in a hypothetical blockchain that, if needed, can quickly check whether a wallet/account has received directly or indirectly from a specific list of wallets/accounts in the past, and, in an ideal case, how much of the current balance of this wallet has been received from the list. Considering that this data structure needs to be optimized in size and computing ...

Score: 0
Prove a response was received from the particular Tor hidden service

Consider a Tor hidden service. I want to retrieve the main page of such a website in such a way that I can later prove to a skeptical third party that the website with this certificate (identified by the public key in the address) provided me with this exact HTML page.

Is this possible assuming the website does not install additional software and is just a normal website on the Darknet?

I know this canno ...

Score: 2
Choice of nonce for reproducible encryption

In my application I have an SQLite database that stores labels for images, like this:

IMAGE ID    LABEL
1           foo
1           bar
2           bar
3           foo

The LABEL column is indexed as it is important that I can efficiently find all images with a certain label.

At rest I would like to encrypt those labels so that no one can learn the actual labels. Unfortunately encrypting the whole database seems difficult ...

Score: 1
Predicting compromised OpenSSL 3.0 DRBG

The OpenSSL 3.0 rand function's DRBG uses the getrandom() system call to get 48 bytes of secure entropy from the kernel. It also uses other information like the system uptime, available RAM, and other factors public in user space. So if the getrandom() function is compromised by an adversary using a rootkit, how would that affect OpenSSL DRBG in a practical attack? 48 bytes of entropy would be lost.

 ...
Score: 2
Can you find a secure curve defined over the scalar field of secp256k1?

Is it possible to find a secure curve whose base field is the scalar field of secp256k1?

In general, can you find a secure curve defined over the scalar field of any secure curve? (For example, a secure curve defined over the scalar field of ed25519?)

Edit: Using the same parameters as secp256k1 (in short Weierstrass form), $a = 0$ and $b = 7$, yields a curve of prime order in the scalar field

Score: 0
order of Lagrange interpolation in reconstruction of secret key

Does the order of Lagrange interpolation have any role in reconstructing the secret key in Shamir's secret share?

Score: 2
Homomorphic encryption with both algorithm and data encrypted?

Is it theoretically possible to use homomorphic encryption to run an encrypted algorithm over encrypted data? If this is not possible, is it at least possible to run an encrypted algorithm over plain data (beyond a plain algorithm over encrypted data)? Ideally, can you cite papers where I can read about it?

Score: 3
Novice Question: Rivest Shamir Wagner 96 Time Lock Puzzles

I'm using the Rivest Shamir Wagner Time Lock Puzzle setup in an application, leveraging Pietrzak's algorithm for generating the proof. My question has to do with selecting a proper starting point. In this paper the authors talk about verifying that the starting point is a modular square root. They discuss the choice of groups on page 9 and they provide a proof I don't understand in Appendix 1 on p51.  ...

Score: 1
DES attack with known partial plaintext

Consider a system where DES is used to encrypt HTTP GET requests. The first three bytes correspond to the character sequence "GET". How many encrypted messages is it necessary to intercept to be sure of guessing the key used for encryption?

Score: 1
In PKCS#11, can I set a custom base point for a secp256r1 ECDSA signature?

According to FIPS 186-4 § D.1.1.5 Choice of Base Points I should be able to create ECDSA signatures with custom base points on P-256 (secp256r1).

Does standard PKCS#11 support this feature?

This is how far I got building example code, based on org.xipki:ipkcs11wrapper:1.0.4 and SoftHSM 2.6.1:

import org.xipki.pkcs11.wrapper.*
import org.xipki.pkcs11.wrapper.PKCS11Constants.*
import org.xipki.pkcs11.w ...
Score: 1
Introducing differential privacy in two different ways

I would like to investigate whether it is possible to introduce Differential Privacy (DP) to a model by both adding Laplacian noise to the training data and then training with DP-SGD updates. Is this a valid way to introduce DP?

In other words, if we separately applied Laplacian noise to the data, the system would be assigned $(\varepsilon_1, 0)$-DP per epoch, and if we trained with DP-SGD it would be assigned  ...

Score: 2
Best practices on implementing a password manager

I'm a dev new to security and cryptography.

I'm writing a password manager and time-based OTP combo in Dart/Flutter to use on multiple devices and platforms, for fun and to use personally for real. I have done some reading on Google, stackoverflow.com and crypto.stackexchange.com, came up with the following skeleton, and am here to ask for some further security advice on encryption, implementation and ...

Score: 0
How to use NIST SP 800-22 to check randomness of 128 bits output in AES?

I am trying NIST SP 800-22 to test the randomness of the 128-bit output of AES, but I always get an igamc: UNDERFLOW or Segmentation fault (core dumped) error.

My data file has a 128-bit output format, for example as follows:

01101100010001011111011101010011011000000101111001111100010010111011111001010011101101000000111011011100011011101101100011011001
00000000101100000010110001100100101101000010010010110101 ...
Score: 2
Fiat-Shamir with interactions

Suppose we have a standard $\Sigma$-protocol for proving knowledge of a witness $x$ for the statement $y$. It has honest-verifier ZK and special soundness. Now we make an unusual modification to get an interactive $\Sigma'$-protocol in the ROM:

  1. The prover $\mathcal{P}$ computes $a$ exactly as in the $\Sigma$-protocol and sends it to the verifier $\mathcal{V}$.
  2. The verifier $\mathcal{V}$ replies with ...
Score: 1
How can we explain STARK with less math?

I am trying to understand STARK with not much math. I understand SNARK like this: Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

From the helpful article: https://z.cash/technology/zksnarks/

We have a computation with many steps that can prove something. We take that and create an arithmetic circuit (in simple words, an algebraic equation). Then we have R1CS, which is going to valid ...

Score: 0
Where is the cryptography library that supports group signatures?

Finding a cryptography library to implement various application features is not difficult nowadays, thanks to options like NaCl, Google Tink, PyCA, and OpenSSL. However, I've been struggling to find a library that supports group signatures, which is causing confusion. Would anyone be able to provide an explanation or recommend a library that supports this feature? Thanks so much for helping.

Score: 1
Ring LWE distribution definitions

This may be a stupid question but I've been stuck on parsing these definitions for a while.

I am reading the paper "On Ideal Lattices and Learning with Errors Over Rings" by Lyubashevsky, Peikert, and Regev. I am trying to understand the error distributions they are proposing. In section 3, they define a set $\mathbb T = K_{\mathbb R}/R^V$ where $K$ is any number field and $K_{\mathbb R}$ is $K \oti ...

Score: 2
Interesting and fun facts about cryptology

We are planning to organize a workshop with the participation of academicians, engineers and graduate students working in the field of cryptology. On the first day, we are planning a fun competition for the participants as an ice-breaking event. Our goal is to organize a quiz on fun, little-known facts about cryptology via the online app. Interesting general culture questions will be more acceptable ins ...
