Latest Crypto related questions

Is there a list of all the (most) assumptions (such as RSA and DDH assumptions) used in cryptography and the corresponding properties?

I'm implementing impossible differential cryptanalysis on mini-AES using Raphael phan's paper.

I've coded mini-AES using Raphael phan's first paper on the structure of mini-AES, where he only mentions 2-round mini-AES.

But in the impossible differential paper we're attacking 5-round mini-AES so I need to extend the key generation algorithm and to do this I need $5\;rcon$ but the paper only mention ...

I read this in the documentation of HighwayHash:

By contrast, 'strong' hashes such as SipHash or HighwayHash require infeasible attacker effort to find a hash collision (an expected 2^32 guesses of m per the birthday paradox) or recover the seed (2^63 requests). These security claims assume the seed is secret. It is reasonable to suppose s is initially unknown to attackers, e.g. generated on start ...

I read somewhere that ike1 does not support asymmetric authentication. Does that mean that it does nit support PKI authentication (digital certs)?

Thanks Champ

I am relatively new to cryptography and am curious what cryptographers would say about what I think is a beautiful one-way hash function described in a paper I found here https://arxiv.org/abs/1801.05079

To summarize the hash function, the Collatz function $f: \mathbb N \rightarrow \mathbb N$, is defined as $f(n)=(3n+1)/2$ when $n$ is odd and $f(n)=n/2$ when $n$ is even.

Let $n$ be composed of 512 bits.  ...

In short what are the differences (pros & cons) between multiplying by powers of Tau (from this lecture https://youtu.be/tAdLHQVW)

and raising to powers of Tau (from this lecture https://youtu.be/xuGQYEvytxk)

I know pairing is used by the verifier in both, and that they deferred the pairing details to the next lecture to get a better understanding of the idea first, but I don't understand wh ...

I have been unable to find any mathematical explanations on how TrueCrypt's plausible deniability encryption works, when using TC containers.

Would someone be able to provide a mathematical walkthrough of how it works?

Other encryption systems implementing things in a similar way is outside the scope of my question. Also, whilst I have some experience in the theoretical side of cryptography, the sim ...

Assume we have a hash table using the function h(x) = x mod 32. h(x) = x mod 33. Also assume it dynamically resizes by doubling the amount of buckets and rehashing. If I was able to provide inputs for the hash table it would be really easy to flood with colliding entries to slow lookups to O(n).

However, say we were to xor each input with a random pepper before hashing. If the input is ever longer t ...

KZG poly-commitment & QAP linear PCP can be proved sound under Knowledge of Exponent assumption or Generic Group Model (I take it for granted from lecture 6 and 9 of ZK-MOOC https://zk-learning.org/), and it seems to me GGM is the preferred one because it permits less trusted setup parameters.

If I have understood correctly, GGM core is about considering opaque the group elements encoding/labelling, r ...

In an online community, you sometimes have to ban certain IP addresses or even entire IP ranges due to abuse. You may hire moderators to help you with this, but you might not trust them enough to show them everybody’s plain IP address.

The question is: Is there a scheme to encrypt or hash IP addresses in a way that preserves prefixes, i.e. such that you can still do range bans, but cannot easily reco ...

There is a common term used in cryptography called a hash collision. If I am reading the definition correctly on Wikipedia, this can occur if two different data values give rise to the same hash value.

Duplicate hash, different input:

text1 encoded = hash1 
text2 encoded = hash1

The first code block is a binary value with a hash obtained from the digest() function, which I found on a website. The sect ...

I am studying the Dilithium signature from Ducas et al's CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme.

Wanting to understand how the supporting algorithms work together, I am trying to work out and visualize an example by hand. If I understand correctly we have the HighBits and LowBits algorithms calling the Decompose algorithm. For instance, how the $ HighBits $ algorithm is called ...

I am given C, e, and d to decode an RSA ciphertext (or would it be SRA given this information?), and I am thoroughly confused. I have tried working backward to n by reversing modulo operators and then brute forcing scalars, but nothing is working, is this even possible? Many thanks in advance.

I have seen various papers discussing the security of the Learning with Errors problem with very small uniform secrets and errors but I have not found any papers on the general LWE problem with uniform secrets and errors within (-b,b) range where b < the LWE modulus q but not so small as to be binary or ternary. Is there a costing for the LWE problem for bounded secrets and errors when they are chos ...

When recovering the public key from ECDSA signature (r, s), the first step is recovering the point R.

You do this by plugging in (r + xn) into the curve equation where n is the order of the basepoint and x is some integer

my question is how do you find this x value, say for secp256k1 but also the general case

I have a vauge notion that this may be related to the cofactor of the curve (usually working w ...

I am currently working on Side Channel Attacks (SCA) on Kyber and Dilithium. I have found myself quite confused with side channel, because so much is mentionned all the time.

For instance, I don't understand when to use distinguishers, when to use tools like the t-test, when you need to work with key guesses, etc... In the articles I am reading, they sometimes describe the attacks, which I unders ...

Some interpretations say "By masking a secret value with a uniformly random zero sharing, the masked value appears to be a random value drawn from a uniform distribution. This randomness helps protect the privacy of the original secret value, as it becomes indistinguishable from other random values. Using zero sharings to mask secret values helps maintain both privacy and correctness in MPC protocols".  ...

JSON Web Tokens (JWTs) (RFC, introduction) are digitally signed using a secret key (which can be symmetric, but for distributed use cases will typically be asymmetric). The signature forms the third and final part of the JWT, and can be verified from the JWT recipient side using the same secret key (for symmetric signing), or the private key's corresponding public key (for asymmetric signing). This  ...

I'm learning about RSA, and one of the textbooks I'm studying from talks about the security implications of various parts of an RSA key pair being leaked. It talks about what happens when an attacker knowns only n and e, only n and d, etc.

One of the combinations it did not cover was one that I was thinking about: what happens when an attacker knows only d, e, and tries to decrypt a given ciphertext  ...

Since all evaluation in BGV scheme is on polynomials it seems that it does not really matter if the coefficients of the polynomials are within $q$ range or not. All must be okay for the congruent values.

I have the following questions:

1. If there are no specific optimizations (e.g. RNS) for BGV, can we work in modulo $Kq$, where $K$ is some arbitrary number? Let us ignore encryption/decryption and focus  ...

Let's suppose I encrypt a plaintext with one key and a nonce in CTR block cipher mode of operation.

Can I reuse the nonce with another key in another plaintext if I start the block counting with different counters than those used in the first plaintext? I mean (for example), encrypt the first plaintext stopping at the counter 999 and start in the next plaintext with the same key and nonce with co ...

I want to understand how the hardness of Learning With Errors problem varies as size of the error term changes.

For example, assuming that the other parameters are the same,

1. LWE with errors sampled from centered binomial distribution of $\{-1, 0, 1\}$
2. LWE with errors sampled from centered binomial distribution of $\{-2, -1, 0, 1, 2\}$

Which is the more difficult problem, in terms of complexity?

The rainbow signature was not seen in round 4 of the NIST PQC standardization process. Was Rainbow not shortlisted?

I'm new to cryptography, so please don't bash me.

I'm trying to learn to recover a RSA private key. As you can see from my profile I'm a cybersecurity professional, which is only now trying to learn some cryptography..

Let's assume we have 5 message and public keys derived from the same string message. It is short (the string content and keys), 1024-bit public key and a public exponent of either 5 o ...

Suppose one has a password manager, based on symmetric cryptography, that requires a master passphrase to be unlocked. Argon2 is used for deriving a secret key from the master passphrase.

I need several secret keys to encrypt different components, so I'm faced with a choice:

1. Output more material using Argon2. For example, If I need four secret keys, tell Argon2 to output $4 \cdot 32 \cdot 8 = 1024$

Is it possible to decipher a ciphertext, in RSA with small primes (two 128-bit factors) when we only have ciphertext $c$, private exponent $d$ and public exponent $e=65537$ to crack it? I try hard on this question but I couldn't find $N$.

First try, I write the code to find factors of $ed-1$ and find it on factordb and try to find out $p$ and $q$ but it doesn't help at all

from itertools import chai ...

The BC should look like this $$BC(m,k,n) = (c,n')$$ $$BC^{-1}(c,k,n') = (m,n)$$ with the additional variable $n$ not symmetric, so in almost all cases: $$n \not= n'$$

$m$... plaintext
$c$... encrypted value of $m$
$k$... key

$n$ would have the same block size as $m,c$
Given now a fixed $m,k$ we assume to calculate the BC for every possible $n$. Doing this we should also get that many different

I would like to implement domain separation in encryption/decryption along with MAC.

The encryption algorithms consists of XChaCha20,XSalsa20,SM4 From China and MAC algorithms consist of HMAC-SHA512 and Poly1305.

Some proposed the following for domain separation encryption and decryption.

1. Have 2 variables, EKey and MKey.
2. Create 2 new variables, NewEKey and NewMKey.
3. NewEKey = Blake2B(EKey,MKey) [Key ...

If we should consider that in an MPC protocol, the confidential messages communicated between two parties can be eavesdropped on by adversaries? If so, should we build a secure channel for that?

This is not a technical question, but rather it seeks advice on what to do if cryptanalytical research goes wrong.

I've discovered a new attack that works great in theory, but in practice, it fails.

I don't know why. Haven't figured it out yet. Tried really hard. I work on this thing alone. Not sure If I could do this alone right now.

All the arithmetic of the attack works great with normal numbers, bu ...