Latest Crypto related questions

Is there any (k,n)-threshold encryption scheme, such that the decryption process is non-interactive, i.e., the decryption can be processed "in a line" where each party "in the middle of the line" receives a partially decrypted ciphertext, perform partially decryption itself, and then pass it on to some other party?

It can be assumed that the key generation is interactive.

If we talk about the security of public key encryption in Regev's lwe system, if attacker would have knowledge of $(u,u'):[\mathbf u=A\mathbf r, \mathbf u'=\mathbf b^t\mathbf r + \mu q/2, \mathbf r\in\{0,1\}^m]$ and $\mathbf b$, then value of $\mathbf r$ in $\mathbf u'$ can be guessed easily by the knowledge of $\mathbf u$ and $\mathbf A$ and so the value of message($\mu$) from $\mathbf u'$, so how is thi ...

There is this cool paper https://eprint.iacr.org/2017/395.pdf exposing a side channel protected implementation of keccak, in particular Domain Oriented Masking for the Chi function. The Chi function is a 5bit S-Box, so can also be seen as a lookup table of 32 5bit values. My question is, in an hardware implementation with no cache allowing a cache attack (I guess), why bother implementing the masked  ...

If both communicating sides end up with the same secret 3000-bit key, is it enough to XOR each byte of the messages with each byte of the secret key to make it secure?

Wikipedia says it is, but I wanted to ask if this is still the case nowadays.

That would mean each message can be up to 375 bytes in size, so that each of its bytes can be XOR'd with each of the secret key's bytes, then each byte of t ...

In a course I'm taking the following question came up:

A 51% attack means:

  A. 51% of the nodes are bots 

  B. 51% of the nodes are hackers
 
  C. 51% of the nodes are offline or disabled 

  D. 51% of the nodes agree on something

I had answered D, but the correct answer was given as B.

As far as I am aware, I believe that it was required (in a proof of stake system) to acquire 51% of the staked c ...

The Python secrets module claims to produce cryptographically secure random numbers. I did some research on which random number generator is used when you call the secrets module on Windows. I found the following:

->secrets uses random

->random uses os.urandom

->os.urandom uses _PyOS_URandom() from Python/bootstrap_hash.c

->_PyOS_URandom() uses the Windows CryptGenRandom algorithm.

How ...

It seems like every CCA-secure KEM¹ has some sort of check that the decapsulator performs. Sometimes failure will result in rejection ("explicit rejection") or the decapsulator will simply return a random value ("implicit rejection", like in Fujisaki-Okamoto without aborts). But in any case, the decapsulator knows when a decapsulation fails.

Is this necessary? Is there a CCA-secure KEM where decrypting  ...

My understanding is that an elliptic curve $E$ over a finite field $\mathbf{F}_q$ has a bit security of $\sqrt{q}$ assuming Pollard rho or Baby-step giant-step. In this thread, it is explained that the field $\mathbf{F}_{2^{256}}$ has a bit security of $128$, but the field $\mathbf{F}_{2^{256^{2}}}$ supposedly only has a bit security of $\approx60$. I struggle to understand why this is.

Thank you ...

Do $\exists $ keys $k_1, k_2$ which given any (128-bit) message $m$ are related to each other by being

• commutative to each other with $AES(AES(m,k_1),k_2)=AES(AES(m,k_2),k_1)$ $\forall m$ and generally $AES(m,k_1) \not= AES(m,k_2)$
• or $k_2$ is equal to applying $n$-times $k_1$ with $AES^n(m,k_1)=AES(m,k_2)$ with $AES^n(m,k_1) = AES(AES^{n-1}(m,k_1),k_1)$, and $k_1 \not= k_2, n > 1$,
  target si ...

Passkey is nice. The math is nice. The tech is nice. https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html

What I still dont see after sooo many hours: what software creates the passkey. User autonomy is important and it is a (private) key question (pun intended). I do not really see this answered anywhere.

Of course it is created on the device. But is it the pass manag ...

I am right now studying Pseudo Random Functions. I have a couple of constructions made of a safe PRF F:{0,1}^l x {0,1}^l -> {0,1}^l. I am unsure of wether these are safe ( in terms pseudorandomness ) or not. I will try and reason. Correct me if I am wrong.

1.) F1 = F(k,x)||k

F1 is not safe, since the concatenation of k will always happen. Since the k is fix it should be the same for two different ...

I'm reading Rivest et al.'s "How to leak a secret", but I'm having a hard time understanding step 4 of the generation procedure. This could be because of my own lack of knowledge regarding operations on ring but the following:

makes very little sense to me. How am I supposed to solve this equation? I've tried looking for examples and I stumbled upon this other question, but sadly this only ended ...

Is there any study that has looked into what is the minimum number of ciphertext characters one needs to have to do a reliable frequency analysis? It would be nice to know the evolution of the accuracy of the analysis as the number of characters considered increases, but I haven't found any well done study.

In Regev's publication "The Learning with Errors Problem", a naive algorithm is given on page 3 that can be used to tackle the LWE problem. This is the statement:

Another, even more naive algorithm is the following: keep asking for LWE samples until seeing $poly(n)$ equations of the form $s_1 \approx . . . $ (i.e., a pair $(\mathbf{a}, b)$ where $\mathbf{a} = (1, 0, . . . , 0))$, at which point we can rec ...

Problem

Suppose there is an entity with some users. The users are split into subsets (determined by the entity) and the entity needs to create public commitments to these subsets such that only a user can determine which set they are in. The sets need to be some minimum size, $m$.

More formally

Let $U$ be a set of user IDs--we want some flexibility here so the definition is left loose for now. On ...

In https://crypto.stackexchange.com/a/27828/79037, it's indicated that one can "save space" by using something globally-unique, like an application-wide "pepper", together with something locally-unique (e.g, a user-id field, unique per-user). In other words, by simply "deriving" a salt (from some other fields/values/etc already there), instead of having to explicitly store a completely random full G ...

I'm following the discussion in the question about RSA and what if we set $p<q$.

So, what if we mistakenly let $p<q$ and proceed with the private keys creations; that is, we pick up $p, q, e$ and derive from them: $dP,dQ, qInv$ (I'm using the CRT key structure in PKCS#1).

So, by trying to create those private-key elements, and forcing $p<q$, I see that they differ from those created when

In these two papers the authors mention the "quality" of a trapdoor

• [GPV] https://eprint.iacr.org/2007/432
• [MP] https://eprint.iacr.org/2011/501

But the best detail on this matter I could find was "The quality of a trapdoor S roughly corresponds to the Euclidean lengths of its vectors — shorter is better."

I wonder where could I find a more formal treatment on this matter. Thanks!

In the realm of secure Multi-Party Computation (MPC) schemes, there exist two fundamental concepts known as the covert adversary model and security with abort. From what I understand, both of these concepts involve situations where if a corrupted party engages in dishonest behavior, the honest parties have a reasonable chance of detecting this misconduct. However, I am having difficulty grasping the pre ...

I'm reading through a paper called Unconditionally Secure Signatures (https://eprint.iacr.org/2016/739) and to generate keys, the authors select $\epsilon-ASU_2$ functions, such that:

1. For any $m \in M, t \in T, \vert \lbrace f \in F : f(m)=t \rbrace \vert = \vert F \vert / \vert T \vert$
2. For any $m_1, m_2 \in M, t_1, t_2 \in T$, such that $m_1 \neq m_2, \vert \lbrace f \in F : f(m_1) = t_1 \land ...

In Rabin-Miller primality test, let N be the number you're checking for primality. Here N = 78007. Let m be the number you get after dividing (N - 1) by 2 several times until you can no longer do so. In this case, m = 39003.

The next step is to pick an A, here we pick A = 3. Now we calculate b₀ = A^m mod N. Now, if that A's b₀ turned out to be (N-1) or 1, then the algorithm says "N is probably pri ...

What would be recommended way to make deterministic password based file encryption?

I can use SIV mode, but KDF (like Argon) takes salt for which I could use SIV tag, but I cannot make it because I need key first.

I could use hash of file contents as salt, but that would make it 3-pass. If I would use some other single pass authenticated mode with IV generated with KDF, it would be 2-pass. Is there  ...

In a cryptocurrency with privacy e.g., zcash, where does proof generation take place? Can it happen in the client's device every time a transaction is performed?

If it happens in client's device, are there possibilities of malware compromising the privacy?

Given y = g ^ x is discrete log hard on some finite field, is y = g ^ (kx) also equally secure if the value k is a publicly known value which was randomly selected from a uniform distribution ?

To my understanding, if k and x are independent and chosen randomly, then the security of the discrete logarithm problem is not significantly affected as an attacker still needs to compute the discrete loga ...

Andreas Antonopoulos effectively states: an input of 256bits of entropy into PBKDF2-HMAC-SHA512 will ONLY output a 64 byte hash containing ~128 bits of entropy. He states the algorithm essentially ignores the extra entropy going in, and it is "wasted" entropy.

IS THIS TRUE? Can anyone explain why?

Source: (starts at 14:10 mark and goes for a few minutes)

https://www.youtube.com/live/U0T49duRt74?feature=sh ...

The prover has $n$ group elements $g_1, ..., g_n$ and wishes to demonstrate the knowledge of the discrete logarithm to base $g$ for each of them, i.e, for each $i \in [1,n]$ she knows some $e_i$ s.t. $g_i = g^{e_i}$. We know that by applying Fiat-Shamir to the Schnorr's protocol, we can get $n$ non-interactive proofs in the form of $(R_i, c_i, s_i)$ where $c_i$ is the hash of $(g_i, R_i)$.

The qu ...

According to a Lecture from Lecture notes of a Professor of Purdue University "Diffusion means that a change in any plaintext bit must propagate out to as many ciphertext bits as possible." I can't clearly understand how S-box introduces this diffusion in DES. Can anyone explain with an example? Is it because a change in a single input bit of S box will result in a different number being chosen as out ...

I create this question from here. I am working on a project with C# backend and mobile apps using Java and Swift. I found this documentation to use RSACryptoServiceProvider.SignData method to sign using private key. But I don't have idea on how to verify and decrypt it on Java and Swift. From my understanding, it's signed using Private key and then it needs public key to be verified on Java and S ...

I'm using ECDH for generating shared key for STM32 MCU. Which encryption/decryption algorithm should I use? I looked at RSA and AES project samples provided by STM32 but where do I provide shared key with message to encrypt?

With the current implementation shared key size is 64 bits.

In evp.h, BytesToKey() generates the key from the passhphrase, IV and the MD5 digest in order to decrypt information used by the public/private keypair generation using AES-256-CBC. I am trying to isolate all the EVP_* functions into a standalone implementation for an embedded system. Does anyone have the actual function or what exactly it does?

KEY DERIVATION ALGORITHM The key and IV is derived by conc ...