Latest Crypto related questions

Score: 0
Pseudorandom permutations
hu flag

So I am trying to solve some exercises about pseudorandom permutations.

Assume that the keyed permutation $E_k(x)$ is a pseudorandom permutation, where $|x|=|k|=n$. Using $E_k(x)$, we construct an encryption scheme as follows.
$$ c=m\oplus E_k(0^n)\\ m=c\oplus E_k(0^n) $$ where $k$ is a random key.

The task is to show whether this scheme provides OT-IND-CPA or IND-CPA.

So if I understand pseudorandom perm ...

Score: 1
tronjo avatar
Using ML to detect what classical cipher the ciphertext is encrypted with
ru flag

I was considering creating an ML project where it is fed some ciphertext by any classical cipher and would return possible ciphers that encrypted the text. I would have to create a sizeable dataset for it so I was wondering if this idea is relatively feasible before I attempt it.
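The kind of statistics such a classifier would actually learn from, as an added example that is not part of the post above. It builds labelled samples with three classical ciphers and computes two classic unigram features, the index of coincidence and a chi-squared distance to English letter frequencies; the rule-based `guess_family` stands in for the trained model. The English frequency table is the usual approximate one, `SAMPLE` is constructed text, and the thresholds are hand-set for this demo rather than learned.

```python
"""Unigram statistics that separate the main classical-cipher families.

Added example, not from the post. Labelled samples come from three
classical ciphers; two features (index of coincidence, chi-squared
distance to English) feed a rule-based stand-in for a classifier.
ENGLISH_FREQ is approximate, SAMPLE is constructed, thresholds hand-set.
"""
import string
from collections import Counter

ALPHA = string.ascii_uppercase

# Approximate relative frequencies of letters in English prose (percent).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}

# Constructed sample plaintext (about 560 letters).
SAMPLE = (
    "In cryptography a classical cipher is a type of cipher that was used "
    "historically but for the most part has fallen into disuse. Most classical "
    "ciphers can be practically computed and solved by hand, yet they are "
    "usually very simple to break with modern technology. The term includes the "
    "simple systems used since Greek and Roman times, the elaborate Renaissance "
    "ciphers, and the machine ciphers of the last century. Classical ciphers are "
    "often divided into transposition ciphers and substitution ciphers. A "
    "substitution cipher replaces letters with other letters or symbols, while "
    "a transposition cipher keeps the letters and only rearranges their order, "
    "so the letter counts of the message survive encryption unchanged."
)

def clean(text):
    """Upper-case and keep letters only, as a cipher-ID pipeline would."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)

# --- three classical ciphers used to build labelled samples ---
def caesar(pt, shift):
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in pt)

def vigenere(pt, key):
    return "".join(ALPHA[(ALPHA.index(c) + ALPHA.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(pt))

def columnar_transposition(pt, cols):
    # Write row by row into `cols` columns, read column by column.
    # The multiset of letters is unchanged, only their order.
    return "".join(pt[i::cols] for i in range(cols))

# --- features ---
def index_of_coincidence(ct):
    """Probability that two letters drawn from ct are equal.
    English prose: about 0.066; uniformly random letters: 1/26 = 0.038."""
    n = len(ct)
    counts = Counter(ct)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))

def chi_squared_vs_english(ct):
    """Distance between ct's letter counts and those expected of English."""
    n = len(ct)
    counts = Counter(ct)
    total = 0.0
    for letter in ALPHA:
        expected = ENGLISH_FREQ[letter] / 100 * n
        total += (counts[letter] - expected) ** 2 / expected
    return total

def features(ct):
    return {"ioc": index_of_coincidence(ct),
            "chi2_per_letter": chi_squared_vs_english(ct) / len(ct)}

def guess_family(ct):
    """Rule-based stand-in for the classifier the post proposes."""
    f = features(ct)
    if f["chi2_per_letter"] < 0.5:
        # Letter counts still look like English: letters were only moved.
        # (Plaintext gives the same answer; unigram stats cannot tell them apart.)
        return "transposition"
    if f["ioc"] < 0.053:
        # A periodic key flattens the distribution toward uniform.
        return "polyalphabetic"
    # Frequencies are skewed like English but relabelled.
    return "monoalphabetic substitution"

if __name__ == "__main__":
    pt = clean(SAMPLE)
    for name, ct in (("caesar", caesar(pt, 3)),
                     ("vigenere", vigenere(pt, "LEMON")),
                     ("transposition", columnar_transposition(pt, 7))):
        print(name, features(ct), guess_family(ct))
```

Two caveats a dataset builder runs into immediately: unigram statistics cannot separate a transposition from plaintext, and they cannot separate Caesar from a general monoalphabetic substitution, so those distinctions need bigram or trigram features (or a trial decryption) as extra inputs to the model.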

Score: 0
How are keys shared safely for block / stream encryption?
mx flag

I've picked up a grad level computer security class. I read a brief overview on block and stream encryption. I understand and have used PGP in the past, and it makes sense to share your public key. Since the keys for block and stream encryption are extremely important for others not to find, how do you share them in a private way? Are there other methods to keep them safe if you send it over via email / ...

Score: 2
nilch avatar
Does TLS use two symmetric keys in the same way SSH does? One for client to server and one for server to client communication?
dz flag

As described in the SSH RFC, an initial IV client to server, an initial IV server to client, an encryption key client to server, an encryption key server to client, an integrity key client to server, and an integrity key server to client are generated.

Does TLS use a similar system? If not, Why doesn't TLS use a system like this?

Score: 0
Jim avatar
Increasing the parallelization of Triple-DES
in flag

Triple-DES encrypts with the first key, then the second key, then the third key. Two keys are sitting around waiting. Why not encrypt with all three keys at the same time?

You take 192 bits of plaintext (three 64-bit sub blocks) and run the entire 192 bits through an MDS-matrix as a pre-step. Afterwards, in parallel, you simultaneously encrypt the first block with the first key, the second blo ...

Score: 0
rzxh avatar
How many communication bits in OT-based bit triple generation exactly?
de flag

I'm really confused about the concrete communication in OT-based bit triple generation. In paper CCS20-CrypTFlow2 A.1, the author describes how to generate 2 pairs of bit triples with an instance of 1-out-of-16 OT with length 2, which communicates k+16=144 bits for each pair. However, the original paper that gave this idea, NDSS17 3.5, summarizes this result as 134 bits for each pair. Q1. Which one is tu ...

Score: 1
AES-128-CFB repeated IV and KPA
in flag

I'm reverse-engineering a product and identified a critical issue with it. The work is done and the developer was notified, but for my own personal curiosity, I'd like to learn how to exploit it so I can make a small write-up.

The short of it is, the developer is using a fixed key and IV for encrypting multiple similar messages using AES-128-CFB. Since I know the IV for all messages, and I k ...
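The failure in this post and in the $c = m \oplus E_k(0^n)$ question near the top of the page is the same one: a deterministic $E_k$ produces the same keystream every time, so the first ciphertext leaks the second. The example below is added here and is not code from either post. AES is not in the Python standard library, so $E_k$ is a stand-in: a four-round Feistel network on 128-bit blocks whose round function is HMAC-SHA256, which is a pseudorandom permutation when the round functions are pseudorandom (Luby and Rackoff). The key, IV and messages are constructed for the demo. Part 1 shows that the fixed-pad scheme is a one-time pad for a single message but, under a second message (or a chosen plaintext of $0^n$), gives up the pad, so it cannot be IND-CPA. Part 2 runs full-block CFB with a fixed key and IV: the keystream for block $i$ is $E_k(c_{i-1})$ with $c_0 = \mathrm{IV}$, so a known plaintext recovers block 1 of every other message, and further blocks wherever the two ciphertexts share the preceding block, i.e. over the common prefix plus one block.

```python
"""Keystream reuse from a deterministic E_k: the fixed-pad scheme
c = m XOR E_k(0^n), and CFB run with a fixed key and IV.

Added example, not code from either post. AES is not in the Python
standard library, so E_k is a stand-in: a 4-round Feistel network on
128-bit blocks with HMAC-SHA256 round functions. Key, IV and messages
are constructed for the demo.
"""
import hashlib
import hmac

BLOCK = 16  # bytes; the toy PRP permutes 128-bit blocks like AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def prp_encrypt(key, block):
    """Stand-in for E_k: 4-round Feistel over (L, R) halves."""
    assert len(block) == BLOCK
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        L, R = R, xor(L, _round(key, i, R))
    return L + R

def prp_decrypt(key, block):
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(key, i, L)), L
    return L + R

# --- 1. the scheme from the PRP question: c = m XOR E_k(0^n) ---
def pad_encrypt(key, m):
    """For one message E_k(0^n) looks random, so this is a one-time pad.
    Every message under the same key reuses that pad."""
    return xor(m, prp_encrypt(key, bytes(BLOCK)))

def xor_of_messages(c1, c2):
    """c1 XOR c2 = m1 XOR m2 without the key, so the scheme is not IND-CPA.
    A chosen plaintext of 0^n even returns the pad itself as ciphertext."""
    return xor(c1, c2)

# --- 2. CFB with a fixed IV: the keystream for block i is E_k(c_{i-1}) ---
def cfb_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        c = xor(pt[i:i + BLOCK], prp_encrypt(key, prev))  # partial last block ok
        out += c
        prev = c
    return out

def cfb_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += xor(c, prp_encrypt(key, prev))
        prev = c
    return out

def cfb_fixed_iv_attack(iv, known_pt, known_ct, target_ct):
    """Known plaintext leaks E_k(IV) and E_k(c_i) for the known message's
    ciphertext blocks. With the IV fixed, block 1 of any other message
    decrypts; block i > 1 decrypts while both ciphertexts agree on block i-1."""
    keystream = {}  # preceding ciphertext block -> keystream block it produced
    prev = iv
    for i in range(0, len(known_ct), BLOCK):
        c = known_ct[i:i + BLOCK]
        keystream[prev] = xor(c, known_pt[i:i + BLOCK])
        prev = c
    recovered = b""
    prev = iv
    for i in range(0, len(target_ct), BLOCK):
        c = target_ct[i:i + BLOCK]
        if prev not in keystream:
            break  # keystream depends on a ciphertext block we never saw decrypted
        recovered += xor(c, keystream[prev])
        prev = c
    return recovered

# Constructed demo data: the fixed key and IV, a message whose plaintext is
# known, and a "similar" message that shares its first 16 bytes.
KEY = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
IV = bytes(range(BLOCK))
KNOWN_PT = b"ACCOUNT=alice;ROLE=user;TOKEN=0123456789abcdef"
TARGET_PT = b"ACCOUNT=alice;ROLE=admin;SECRET=fedcba9876543210"

def demo():
    m1, m2 = b"attack at dawn!!", b"retreat at noon!"
    assert xor_of_messages(pad_encrypt(KEY, m1), pad_encrypt(KEY, m2)) == xor(m1, m2)
    known_ct = cfb_encrypt(KEY, IV, KNOWN_PT)
    target_ct = cfb_encrypt(KEY, IV, TARGET_PT)
    return cfb_fixed_iv_attack(IV, KNOWN_PT, known_ct, target_ct)

if __name__ == "__main__":
    print(demo())  # the first two blocks of TARGET_PT, including "ROLE=admin;SECRET="
```

The second block of the target is recovered even though its plaintext differs from the known message, because its keystream $E_k(c_1)$ depends only on the first ciphertext block, which the shared prefix made identical; the third block is out of reach once the ciphertexts diverge. Messages that share longer prefixes leak correspondingly more.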

Score: 3
Turbo avatar
Common exponent problem related to discrete logarithms assuming Diffie Hellman oracle
ru flag

Let $g$ be a generator of multiplicative group mod $p$ a prime.

Suppose we know $$g^{a+km_1}\bmod p$$ $$g^{b-km_2}\bmod p$$ $$g^{a+k'm_3}\bmod p$$ $$g^{b-k'm_4}\bmod p$$ where $m_2m_3-m_4m_1=\phi(p)$ where $\phi$ is Totient and $a,b,k,k'$ are the only unknowns and all of $a$ through $m_4$ are of size $\sqrt p$ (we know $m_1$ through $m_4$ over $\mathbb Z$); can we identify $g^a$, $g^b$ in polynomial time?

Score: 2
Zeta Doop avatar
Zero Knowledge Proof: groth16. Can prover key be public?
in flag

Here is a quote from the gnark documentation.

Note that careful consideration must be given to this step in production environment. groth16.Setup uses some randomness to precompute the Proving and Verifying keys. If the process or machine leaks this randomness, an attacker could break the ZKP protocol.

It sounds like there is some randomness in the setup process. I would share the Verifying key. So it is more like ...

Score: 4
nilch avatar
Why does the SSH protocol generate two keys: an encryption key for client to server communication and server to client communication?
dz flag

As described in the SSH RFC, an initial IV client to server, an initial IV server to client, an encryption key client to server, an encryption key server to client, an integrity key client to server, and an integrity key server to client are generated.

Why does SSH generate a key for server -> client communication and a key for client -> server communication?
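The derivation the two SSH questions on this page refer to (this one and the "Does TLS use two symmetric keys" question above), worked by hand as an added example that is not part of either post. RFC 4253 section 7.2 derives each of the six values as $K_1 = \mathrm{HASH}(K \,\|\, H \,\|\, X \,\|\, \mathrm{session\_id})$ with $X$ one of the letters "A" through "F", extended by $K_2 = \mathrm{HASH}(K \,\|\, H \,\|\, K_1)$, $K_3 = \mathrm{HASH}(K \,\|\, H \,\|\, K_1 \,\|\, K_2)$ and so on when more bytes are needed, with $K$ hashed in its mpint encoding. The single letter is the only thing that differs between the client-to-server and server-to-client keys. (TLS does the same in its own way: the TLS 1.2 key block is partitioned into client_write and server_write MAC keys, keys and IVs, and TLS 1.3 derives separate client and server traffic secrets.) `K` and `H` below are constructed stand-ins for a real exchange's shared secret and exchange hash.

```python
"""SSH key derivation from RFC 4253 section 7.2, computed by hand.

Added example, not from either post. K and H are constructed stand-ins
for the shared secret and exchange hash of a real key exchange;
session_id is H of the first exchange. SHA-256 is the HASH of, e.g.,
diffie-hellman-group14-sha256 and curve25519-sha256.
"""
import hashlib

def mpint(n):
    """SSH mpint (RFC 4251): 4-byte big-endian length, then two's-complement
    magnitude with a leading zero byte when the top bit is set."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body

# One letter per key; "c2s" = client to server, "s2c" = server to client.
LETTERS = {
    "iv_c2s": b"A", "iv_s2c": b"B",
    "enc_c2s": b"C", "enc_s2c": b"D",
    "mac_c2s": b"E", "mac_s2c": b"F",
}

def derive_key(K, H, letter, session_id, length, hash_name="sha256"):
    """K1 = HASH(K || H || X || session_id), K2 = HASH(K || H || K1),
    K3 = HASH(K || H || K1 || K2), ...; the key is the first `length`
    bytes of K1 || K2 || K3 || ..."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    k_enc = mpint(K)  # K is hashed in its mpint encoding, not as raw bytes
    out = h(k_enc + H + letter + session_id)
    while len(out) < length:
        out += h(k_enc + H + out)
    return out[:length]

def derive_all(K, H, session_id, enc_len=32, iv_len=16, mac_len=32):
    """The six keys of RFC 4253 7.2, sized here for aes256-ctr + hmac-sha2-256."""
    lengths = {"iv": iv_len, "enc": enc_len, "mac": mac_len}
    return {name: derive_key(K, H, letter, session_id, lengths[name.split("_")[0]])
            for name, letter in LETTERS.items()}

# Constructed inputs standing in for a real exchange's results.
K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
H = hashlib.sha256(b"constructed exchange hash").digest()
SESSION_ID = H  # the session id is H of the connection's first key exchange

if __name__ == "__main__":
    for name, value in derive_all(K, H, SESSION_ID).items():
        print(name, value.hex())
```

Because the six outputs are independent-looking values from one secret, a receiver never accepts a record encrypted under its own sending key, which rules out reflecting a message back to its sender, and the two directions' counters and MACs cannot be confused with each other.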

Score: 3
Max1z avatar
Can a collision resistant hash return zero?
kr flag

Recently, I have been reading the original proof of GCM.

It mentioned the properties of "almost universal" and "return zero" for hash function.

I wonder if there is a connection between the two, that is

If a hash function is collision resistant, then it is "unlikely" to return zero.

In a more formal way, we have the following:

For $\forall M, M^{'} \in \{0,1\}^{n}, M \ne M^{'}$,

if $\mathrm{Pr}\left ...

Score: 2
DiamondDuck avatar
What are some use cases for a signature scheme that can only sign a finite number of times?
hu flag

From a one-time hash-based signature, one can convert it into a $2^d$-time signature by using a Merkle hash tree.

However, it seems to be a trick that enables multi-time signing.

My question is: is there any use case for a signature scheme that can only be used to sign a fixed number of times (punch/redeem card)?
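The construction the post describes, carried through as an added example that is not part of the post: Lamport one-time signatures at the leaves of a Merkle tree of depth $d$, a stateful signer that refuses a $2^d+1$-th signature instead of reusing a leaf, and a verifier that treats each leaf index as one punch on the card and rejects a second presentation of the same index. The seed and messages are constructed; SHA-256 is used throughout.

```python
"""A key that signs exactly 2^d messages: Lamport one-time signatures
under a Merkle tree, with a stateful signer and a verifier that treats
each leaf index as a punch on the card.

Added example, not from the post. Hash is SHA-256 throughout; the seed
and messages are constructed for the demo.
"""
import hashlib

def H(data):
    return hashlib.sha256(data).digest()

DIGEST_BITS = 256  # a Lamport key signs one 256-bit message digest

def lamport_keygen(seed, leaf):
    """Secret key: 256 pairs of 32-byte values derived from seed and leaf
    index; public key: their hashes."""
    sk = [[H(seed + leaf.to_bytes(4, "big") + i.to_bytes(2, "big") + bytes([b]))
           for b in (0, 1)] for i in range(DIGEST_BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk

def pk_digest(pk):
    return H(b"".join(x for pair in pk for x in pair))

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]

def lamport_sign(sk, msg):
    # Reveal one preimage per digest bit; revealing both halves of a pair
    # (by signing twice) is what makes the key one-time.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == DIGEST_BITS and all(
        H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

class MerkleSigner:
    """Holds 2^depth one-time keys and a counter of the next unused one.
    Losing or rolling back that counter is what breaks these schemes."""
    def __init__(self, seed, depth):
        self.depth = depth
        self.keys = [lamport_keygen(seed, i) for i in range(1 << depth)]
        level = [pk_digest(pk) for _, pk in self.keys]
        self.levels = [level]
        while len(level) > 1:
            level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]  # the public key of the whole 2^depth-time scheme
        self.next_leaf = 0

    def remaining(self):
        return len(self.keys) - self.next_leaf

    def sign(self, msg):
        if self.next_leaf >= len(self.keys):
            return None  # card fully punched: refuse rather than reuse a leaf
        idx = self.next_leaf
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for level in self.levels[:-1]:
            auth.append(level[i ^ 1])  # sibling on the path to the root
            i >>= 1
        return (idx, lamport_sign(sk, msg), pk, auth)

def merkle_verify(root, depth, msg, signature):
    idx, sig, pk, auth = signature
    if not 0 <= idx < (1 << depth) or len(auth) != depth:
        return False
    if not lamport_verify(pk, msg, sig):
        return False
    node, i = pk_digest(pk), idx
    for sibling in auth:
        node = H(node + sibling) if i % 2 == 0 else H(sibling + node)
        i >>= 1
    return node == root

class RedeemVerifier:
    """Accepts each of the 2^depth leaf indices once: a redeem card."""
    def __init__(self, root, depth):
        self.root, self.depth, self.used = root, depth, set()

    def accept(self, msg, signature):
        if not merkle_verify(self.root, self.depth, msg, signature):
            return False
        if signature[0] in self.used:
            return False  # the same punch presented twice
        self.used.add(signature[0])
        return True

if __name__ == "__main__":
    signer = MerkleSigner(b"constructed seed", 2)
    card = RedeemVerifier(signer.root, 2)
    for m in (b"redeem 1", b"redeem 2", b"redeem 3", b"redeem 4", b"redeem 5"):
        s = signer.sign(m)
        print(m, "accepted" if s and card.accept(m, s) else "refused")
```

The leaf index inside each signature is what turns the bounded signing count into a usable redeem card: the verifier can count punches without any shared state beyond the root, and a signer that reuses a leaf gives the verifier two Lamport signatures under one key, which is exactly the condition the one-time scheme forbids.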

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.