Latest Crypto related questions

Score: 4
Given a cycle $x\mapsto x^a$ with start $x_0$. Can other cycle members $x_1,x_2$ be produced without leaking $j$ in $x_1=x_2^{a^j}\mod N$ (non-prime)?

A cyclic sequence can be produced with

$$s_{i+1} = s_i^a \mod N$$ with $N = P \cdot Q$ and $P = 2\cdot p+1$ and $Q = 2\cdot q+1$ with $P,Q,p,q$ different primes.
and $a$ a primitive root of $p$ and $q$.

Let $s_0 = x_0$ be a quadratic residue $\mod N$ and the cyclic sequence $S = \{x_0^{a^i} \mod N\}$
(we ignore special case bases like $0,1$ here)

Question: How can (pseudo)-random members $x_r$ of the sam ...

Score: 2
Understanding Hash collisions - why bad?

I read a few answers about the question: why are hash collisions so dangerous? But I did not get a really satisfying answer. Assume we are the first people who found a SHA256 collision, like

sha256($§"%fa7asd8ft6sds) = sha256(889=?`/&&%"HSF)

(this is not a real equation, but assume it is true).

Why is this dangerous? Why is SHA256 broken now? How do I get more collisions out of this? And maybe mor ...

Score: 3
Can one find the GCD of two points on a curve?

Mathematically is it possible to find the GCD of two points on a prime curve, one of them not being the order as you do in Extended Euclidean Algorithm?

Score: 1
RSA Vulnerability when the Encrypted M is not coprime with N

I have tested out with a few test cases, it seemed like the ciphertext $M^e$ of RSA is always coprime with N when e=3. Is there a reason why? What would happen if the ciphertext $M^e$ is not coprime with M when e=3?

Score: 1
Adversarial Indistinguishability with more messages

Suppose that we play the game from Adversarial Indistinguishability, but the adversary can choose three messages $m_0, m_1, m_2$. Of course, $Pr[M=m_i]=1/3$ for $i=0,1,2$. I suppose that to have adversarial indistinguishability, one cannot have an advantage greater than $1/3$. The question is whether this is stronger than the version with two messages. Intuitively it is, but then we could take more and more ...

Score: 1
Shor's algorithm and ECDSA in Bitcoin - why is finding the private key still difficult when we know the base point?

I'm learning about Shor's algorithm and how it can be applied to break ECDSA. I've clearly missed something basic here - I thought I understood that the challenge ECDSA presented was to find the private key given the public key, as follows:

$x\cdot P = X$ (where $x$ is the large and randomly-generated private key, $P$ is the secp256k1 base point, and $X$ is the public key).

Since we know the base point fo ...

Score: 0
Double AES Encryption

Let's say we have the following encryption:

$AES^2_k(x) = AES_{k_1}(AES_{k_2}(x))$ with $k = k_1 \,\|\, k_2$ and $k_1, k_2$ are 256-bit keys.

$AES_{k_2}(x)$ means that we use AES encryption to encrypt message $x$ with key $k_2$. Apparently, there is a security vulnerability with this, since the double encryption should require $2^{511}$ exhaustive searches for a 50% chance of success, whereas there is a way to perform an attack ...

Score: 0
Perfect security - is this definition correct?

I have this definition:

each ciphertext is equally probable for a given plaintext and key chosen at random

I know that perfect security can be defined as $$\forall c \in \mathcal{C} \ \forall m_1,m_2\in \mathcal{M} \quad Pr[Enc_k(m_1)=c \text{ for } k \text{ random}] = Pr[Enc_k(m_2)=c \text{ for } k \text{ random}]$$

Are these equivalent?

The easiest thing to do is to somehow show that the first definition implies the second on ...

Score: 1
Is it possible to calculate the plaintext length of an RC5-32 encrypted ciphertext?

Calculating the RC5 encrypted size of any data is as simple as rounding up the plaintext length to the nearest multiple of 8. What I'm wondering is whether this can be done in the other direction, to get the length of the original plaintext data given the ciphertext. Obviously this information isn't revealed until the decryption actually happens, but can it be tracked/calculated during the decryption pro ...

Score: 0
What is benefit of using substitution before permutation or permutation before substitution in a block cipher?

I am trying to understand the difference between the usage of permutation and substitution in an SP Network. Normally, in ciphers except DES, substitution appears to be done before permutation. But what if permutation is done first, before the substitution? What are the plausible advantages or disadvantages of these approaches, specifically in SP Network design?

Score: 0
How to understand "Test() query can only be issued to a fresh session" in game-based security proof?

In game-based security proof for key-exchange protocols, there is a Test query. The Test(U) query typically is only available to the adversary if the attacked instance U is fresh. (U represents either a participant or an oracle)

Fresh: Before the session expires, there is no SSReveal(U), SKReveal(U) or Corrupt(U) query that has been asked by the adversaries. Both U and its matching session are not loca ...

Score: 1
Multiple Encryption Using GCM For Multi-Key Security

Multiple Encryption For Multi-Key Security

I have a hypothetical question about multiple encryption after reading Matthew Green's blog on multiple encryption. For those who are familiar with GCM: I want to understand the efficacy of multi-key security through an implementation of multiple encryption with a secure form of authenticated encryption such as AES-256-GCM.

https://blog.cryptographyengineerin ...

Score: 3
Can I treat SHA-256 hashes as 64 fair dice rolls with numbers between 1 and 16?

My understanding was that SHA-256 is pretty random or "random" enough.

I assumed that would mean that every character would behave like a 1 to 16 dice roll.

With this assumption, I would expect that you can model the probability of repeating characters as $16^x$. So a chain of $\texttt{FFF}$ or $\texttt{333}$ would have a chance of 1 to $16^3 (4096)$ and a chain of $\texttt{FFFF}$ a chance of 1 to