Latest Crypto related questions

This question is relevant for both crypto stack exchange and infosec stack exchange. I thought I'd ask here to get answers from a cryptography perspective.

If two systems use the same public key signature system, is it reasonable to re-use keypairs from one system on the other?

For example, both Matrix and the Solana blockchain use ED25519 keypairs.

Potential benefits of re-using keypairs would be: ...

Suppose the circuit is a hash function with the input being the pre-image (private) and the output being the digest (public). If one knows of a collision can they create 2 different proofs that are equal bit-for-bit by inputting the 2 different pre-images that give the collision?

It seems such a SNARK does not exist at the moment because when the Fiat-Shamir transform is used there is an opening  ...

Assuming I have single-key Even-Mansour with single $2n$-bit permutation in wide-pipe Merkle-Damgård specifically with Matyas-Meyer-Oseas mode outputting $n$-bit hash.

What security can I expect against collisions and preimages?

Am I wrong to expect $2^\frac{n}{2}$ for both?

In AES, the MixColumns operation involves a linear transformation from GF(2^8)^4 to GF(2^8)^4. The branching factor for this transformation in the original AES is 4, and it is considered secure against differential cryptanalysis with 4 rounds, where the differential probability falls below 2^(-128).

If we replace this linear transformation with a linear transformation having a branching factor of ...

They say the security of Diffie-Hellman depends on the factorization of (N-1), where N is the big prime number you feed it.

More specifically, (N-1) itself has to have a big prime factor, such as (N-1)/2 also being prime.

My question isn't about why that's the case or how to tell if it has a big prime factor or not, I've seen those on here already.

My question is: HOW BIG of a prime factor does (N-1) need ...

Assume we have a central issuing authority that sends each participant a share that reconstructs in key $P_k$. I.e. Shamir Secret Share with $2$ out of $N$ format where $N>3$.

This central authority also broadcasts public key $P_a$ so every participant guaranteed to receive same $P_a$.

Is it possible to generate such a proof, that participants can be sure that shares they receive indeed reconstruct i ...

In your opinion, is the correlation between the length of the ciphertext and the decrypted text (even if it is approximate) a cipher vulnerability? Or is there a solution to this problem outside of it? After all, if the attacker knows the approximate size of the message, he has some information about what type of information the victim transmitted.

Let's say I encrypt a message with some secret and store it in a database. Later, I want to securely share that secret with someone, so that they can read the message as well. Even later, I want to further expand the group of people who know the secret by adding another person.

Basically, I want end-to-end encryption, but with two differences:

• New parties can be spontaneously added
• Those parties have to  ...

Suppose that there are $n+1$ parties - $B,A_1,A_2,...,A_n$ that want to share a secret key

The protocol of exchanging is roughly the same as Diffe-Hellman

Chose a group $G$ with an order of $p$ - a prime number and a generator element $g$

• Each $A_i$ generates a random number $a_i \in \{1,...,p\}$ and send $B$ the value $X_i \leftarrow g^{a_i} $
• B generates a random number $b \in \{1,...,p\}$ and s ...

In theory this is what I have :

• Around 10 000 offline machines
• Each machine will generate around 10 000 ids
• I can program the machine in any way I want, but I prefer a low memory and low cpu
• They all will be generated in a short timeframe (1 day)
• It should not have id collision
• It should not be possible to determine when and which machine has generated it.

How could I do that ?

The Schnorr signature scheme was defined originally as $(c, s)$ such that $sG = R + cX$, and the verification process consisted of computing $R = sG - cX$ and then verifying that $c = H(R||m)$ so using only $H(m)$ would not have worked for verification. However, in the verification process of the Schnorr signature variant $(R, s)$, we first compute $c = H(R||m)$ and then verify that $R = sG - cX$

I am recently reading about multi party computation and its various existing protocols. From what I understand, all the arithmetic operations are performed over a field or a ring such that when two secret values, a and b, are used to perform secure computation c = f(a,b), the output of the MPC protocol is c mod P (for some modular P).

My question is, in real-life applications when we are performi ...

I have been investigating libraries that implement operations and protocols involving BLS12-381 curves. I have noticed an absence of libraries that support encryption over (either of) the groups G1 and G2 that are defined by the BLS12-381 curves.

Is there some cryptographic reason that encryption (say, ElGamal encryption) over these groups is not appropriate, or is this instead just an indication ...

I am mainly looking to perform this trick for fun. I have access to an API that uses WebCrypto under the hood for encrypt and decrypt methods. I would like to hijack the decrypt method in order to create a deterministic seed.

I have read other articles, and it seems like this trick should be relatively straight-forward, as AES-CBC does not have any integrity checks (that I know of). My understandi ...

I am trying to find out how to write a security proof for a two-party computation problem.

I have read some examples to write simulators like $x_1 ∧ x_2$ problem and the example in Goldreich's book. I have also read some parts of Lindell's toturial . But I am still unsure about my understanding. I have also seen the paper which uses the game-based approach for its security analysis. I have also re ...

I'm having some trouble understanding the idea behind C_InitToken. I can tell what it does from the standard, but not its purpose.

One of the things it does is to provide authentication of the user as the SO, or initialize the SO's PIN if the token comes from factory. The second half I understand, but the first one seems unnecessary: this could be accomplished by opening a session and logging in  ...

I need some help for the following simple game:

An adversary is given a multiplicative group $\mathbb{G}$ and the 4-tuple $(g_1, g_2, g_3, g_1^a \cdot g_2^b \cdot g_3^c)$ where $g_1$, $g_2$ and $g_3$ are random elements from $\mathbb{G}$, and $a$, $b$ $c$ are hidden.

During the challenge phase, the adversary either receives:

• Case $b=1$: $(g_4, g_5, g_6, g_4^a \cdot g_5^b \cdot g_6^c)$,
• Or case $b=0$

While XOR is used as simple symmetric encryption with arbitrary custom key, what is a simple asymmetric encryption that use arbitrary custom key?

That means I want to be able to set custom private key or public key (in ASCII format).

Expectation:

pub = "mypubkey"
pri = "myprivkey"
msg = "hello world"

encrypted_msg = encrypt(msg, pub)
decrypted_msg = decrypt(encrypted_msg, pri)

print(decrypted_msg) # "h ...

Let's suppose I take 1MiB of truly random data and split in pieces (seeds) of 32-bytes (256-bits), so I hash each seed with a hash function with the same output digest size (32-bytes/256-bits) and XOR each piece of hashed seeds into a 1MiB plaintext.

The random data is kept secret.

My question is:

Will this scheme have the same security of One-time pad?

At a high level, the Uber assumption states that it is not possible to compute (distinguish) linearly independent elements. In the decisional version, the problem is restricted to $G_T$, but it is unclear whether the linearly independent elements can be from $G_1$.

Here is a simple example:

Let be type-3 pairing $E$: $(e, G_1, G_2, G_T, g, h)$ where $g$ and $h$ are generators over $G_1$ and $G_2$ ...

Let's suppose I encrypt an 1MiB plaintext with AES-256 in ECB mode but using different keys for each 16-byte block (I know this is weird but it's just an example).

Remembering that a different 256-bit key will be used for each 128-bit block, so if the adversary wants to break a block, a brute-force in the key space of 2^256 will be needed, and due to the Pigeonhole principle, many different keys wil ...

This question may be of no practical interest. But as a meaningful or meaningless question, can we extend the domains of the keyspace, input space and output space of a PRF to be defined over intervals of $\mathbb{R}$?

For instance, let $I := (a,b) \subset \mathbb{R}$ be some interval of $\mathbb{R}$, and $F: I\times I \to I$ be a function that takes a parameter $p\in I$ and an input $x\in I$ and maps ...

I am trying to implement a stream cipher that uses an LFSR PRNG. I have found resources online that give good primitive polynomials, but I am struggling to find resources with the initial states as well.

I really need to be able to have something to test against so I know my code is working as intended. I would really like something like the example below but with a "bigger" polynomial.

Example 3.4 ...

I am new in the field of cryptanalysis and wonder how the differential cryptanalysis work

Reading about index calculus for discrete logarithm, I noticed that it works for $(\mathbb Z / p \mathbb Z)^*$. Is this the only situation in which it works? If not, please give examples of other situations in which index calculus works to solve discrete log.

I have a question regarding understanding representation of length in AES-GCM while doing padding for the IV to calculate ICB/J0. In the aes GCM test vectors testcase5 I see the IV is of length 8 bytes as follows:

IV cafebabefacedbad

But len({})||len(IV ) is mentioned as

00000000000000000000000000000040

but since the length of IV is of 8 bytes in length the representation len({})||len(IV ) should be  ...

I am currently studying a course in cryptography, and I have this exercise about OWF.

I'm failing to prove that this is an inverter to f. Am I in the right direction at all? Thank you!

I'm currently confused about the distinctions between two-party computation (2-PC), secure function evaluation, and private function evaluation. Additionally, I came across the term secure circuit evaluation, which has further added to my confusion. If these concepts are essentially the same, then why are they referred to by different names in various papers? I would greatly appreciate any assistance in ...

Is anyone aware of the source for a technique that incorporates external wire values into Garbled Circuits? I have come across this technique, which can be found here. However, I was unable to locate the primary reference for it.

The purpose of this technique is to reduce the number of decryption operations required during the evolution phase. By incorporating external wire values into Garbled Circuits, ...

Rumba20 is a compression function that maps a 192-byte (1536-bit) string to a 64-byte (512-bit) string. It's designed to provide collision resistance by using Salsa20 (or ChaCha20) with the feedforward.

However, from the Rumba20 webpage:

Rumba20 is not designed to provide unpredictability, truncated collision resistance, etc. These features must be provided by an appropriate output filter. Rumba20' ...