Latest Crypto related questions

Score: 2
wxist
NIST statistical tests

I'm having trouble testing a not-so-popular algorithm that I haven't found an implementation of, so I wrote it myself, and now I'd like to test it with the NIST tests, but I have a suspicion that I'm doing something wrong.

I got an encrypted file with ~10,000,000 bits. I tested my algorithm in the following way. I set the input parameter to 1,000,000, so it will look like: /assess 1000000, then the amount ...

Score: 0
user108142
Unable to retrieve the binary string using LWE and lattice-based decryption

I am new to this encryption scheme, so I may not be exactly sure of its implementation. I have a list of (u, v) ciphertext pairs to decrypt, each of them 1-bit.

          { "u": [ 1, 19, 3, 2, 24 ], "v": 16 },
          { "u": [ 3, 20, 22, 26, 15 ], "v": 21 },
          { "u": [ 7, 3, 24, 26, 22 ], "v": 13 },
          { "u": [ 9, 20, 7, 25, 14 ], "v": 5 },
          { "u": [ 28, 11, 26, 22, 16 ...
Score: 1
Omid Bodaghi
Question about the Residual Pseudorandomness property in the Verifiable Random Function paper by Micali, Rabin and Vadhan, 1998

I am reading a paper named Verifiable Random Function, written by Micali, Rabin and Vadhan in 1998. In the Residual Pseudorandomness property of a VRF, it is written that if T runs for at most s(k) steps, it succeeds in the experiment with probability 1/2 + 1/s(k). I do not understand the exact meaning of s(k). If it is polynomial, then the scheme is not safe. If it is exponential, T cannot run s(k), because it ...

Score: 2
Poseidon
What bit length should I use for generating primes for an ElGamal encryption cyclic group (given the data to encrypt has a short time-value vector)?

I am generating large prime numbers to create a cyclic group for ElGamal encryption. I can specify the bit length n but want to limit the size, because this will ultimately allow me to limit the amount of data passed through external channels.

Also, the data being protected has an extremely short time-value vector, meaning that after a short amount of time the data will become useless to anyone who might ...

Score: 7
cryptoman534345
Can quantum computers crack RSA and AES?

I'm trying to learn more about cryptography and ran into a post, Is AES-128 quantum safe?, which asks if AES-128 is safe. From the articles and replies it seems that AES-128 (symmetric key) is safe even with the advent of quantum computers (for now). However, it seems that asymmetric keys are not safe?

So, assuming you have TLS 1.3 (which uses symmetric AND asymmetric keys), would quantum computers be ...

Score: 0
艾霖轩
Could Diffie-Hellman ciphertext be used as OPRF (oblivious pseudorandom function) input?

In my recent PSI project, I wanted to use Diffie-Hellman encryption to obtain ciphertext as OPRF input, but I could not find similar work related to it.

In my opinion, the Diffie-Hellman ciphertext length is very long. Is there any performance or security problem if it is used as the input of an OPRF?

Score: 1
Satochi
Can $s$ be any number in $s^x = x \bmod N$, where $N = p \cdot q$ for de Jonge / Chaum?

I was reading about a way to imagine the signature of a message using the RSA problem:

Let $N$ be the product of two prime numbers $p$ and $q$. Let $s$ be the signature of a message $s$ (provided that such $s$ exists) defined as $s^x = x \bmod N$.

Later on the following requirement is made on $x$: $x$ is prime with $\phi(N)$.

I do not understand this requirement. And why with $\phi(N)$ and not  ...

Score: 1
Krijn
Variant of Decisional Diffie-Hellman

Given a cryptographic prime $p$ and a generator $g$ of $\mathbb{F}_p$, the Decisional Diffie-Hellman problem asks us to distinguish $(g^a, g^b, g^{ab})$ from $(g^a, g^b, g^z)$ for random $a, b, z$. This is an easy problem, because the generator has Legendre symbol $-1$, which allows us to differentiate between such triples.

But the distribution of the Legendre symbol for $g^{ab}$ and $g^z$ for random ...

Score: 3
Georg
Reference implementation of Shamir's Secret Sharing

Is there an implementation of Shamir's Secret Sharing that can be regarded as a "canonical" (or "reference" or "standard") implementation, so that I can test other implementations for being "standard compliant"?

The above question is pretty vague. I have more details in mind, but some of them might be misleading or based on false assumptions. So possibly not all of them can be fulfilled or are relevant.

 ...
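
There is no single standard for Shamir's scheme: implementations differ in the field they work over (a large prime field, or GF(2^8) byte by byte), in how share indices are assigned, and in how shares are encoded, and those choices are what make two implementations incompatible. The following is an added example, not code from the post or from any particular library, of the scheme over GF(p) with p = 2^127 - 1 (an arbitrary choice for illustration). Shares are (x, f(x)) pairs with x = 1..n, and any k of them recover f(0) by Lagrange interpolation.

```python
import secrets

# Field modulus for GF(p). 2^127 - 1 is prime, so any secret below it is one field element.
PRIME = (1 << 127) - 1
_SYSRNG = secrets.SystemRandom()


def _eval_poly(coeffs, x, p):
    """Evaluate a polynomial (coefficients lowest degree first) at x modulo p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, n_shares, p=PRIME, rng=_SYSRNG):
    """Split `secret` into n_shares points on a random polynomial of degree threshold - 1."""
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element in [0, p)")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    # a_0 is the secret; a_1 .. a_{k-1} are uniformly random field elements.
    coeffs = [secret] + [rng.randrange(p) for _ in range(threshold - 1)]
    # x = 0 must never be used as a share index, because f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n_shares + 1)]


def combine_shares(shares, p=PRIME):
    """Lagrange-interpolate f(0) from `threshold` or more distinct shares.

    With fewer shares than the threshold the result is a field element unrelated
    to the secret; the function cannot tell, so the caller must know k."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        # Fermat inverse: den^(p-2) == den^-1 mod p because p is prime.
        secret = (secret + yi * num * pow(den, p - 2, p)) % p
    return secret
```

If you need to compare against a byte-oriented implementation, the same two functions work with p replaced by GF(2^8) arithmetic, but the shares will then differ from the prime-field ones for the same secret and randomness, which is exactly why "standard compliant" has to be defined per field and encoding.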
Score: 1
Dominic van der Zypen
Pseudo-isomorphic graphs

Some famous cryptographic protocols rely on the construction of graphs $G_i= (V_i, E_i)$ for $i=0,1$ that are not isomorphic. For the safety of this protocol, it is central that one cannot easily verify that $G_0\not\cong G_1$. So, for instance, one could easily establish that $G_0\not\cong G_1$ if $|V_0| \neq |V_1|$, or if the iterated degree matrices of $G_0$ and $G_1$ differ.

As a non-rigid termino ...

Score: 1
user108142
LWE and Lattice-based cryptography: How to recover binary message $M$ from $(u, v)$ values?

I am given a set of $(u, v)$ values, matrix $A$, primary key vector, private key vector, error vector and prime $q$. I wanted to recover the binary value of each $(u, v)$ pairs using LWE decryption.

The formula I used to get that was: $\mbox{result} = v - s u$, where $s$ is the private key. I then compared the result with $q//2$. If result is more than $q//2$, the output is 1. If the result is less th ...
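
The post's JSON ciphertexts are truncated and the key, error vector and $q$ it used are not on the page, so the following added example (not the post's code) builds its own toy Regev-style instance with $n = 5$, $m = 10$ public samples, $q = 97$ and errors in $\{-1, 0, 1\}$, all hypothetical parameters chosen so that decryption cannot fail, and then decrypts a list of `{"u": [...], "v": ...}` records in the same shape as the post's. Decoding rounds $v - \langle s, u\rangle \bmod q$ to whichever of $0$ and $q/2$ it is closer to; a plain comparison against `q // 2` is included only to show where the two rules disagree (values just below $q$, which arise from bit 0 with a negative error).

```python
import random


def lwe_keygen(n, m, q, rng):
    """Secret s in Z_q^n, public samples (A, b) with b = A*s + e mod q and e in {-1, 0, 1}."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    b = [(sum(a * si for a, si in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return (A, b), s


def lwe_encrypt_bit(pk, bit, q, rng):
    """Regev encryption of one bit: add a random subset of the samples, offset v by bit*q/2."""
    A, b = pk
    subset = [i for i in range(len(A)) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % q for j in range(len(A[0]))]
    v = (sum(b[i] for i in subset) + bit * (q // 2)) % q
    return {"u": u, "v": v}


def lwe_decode(d, q):
    """Map d = v - <s,u> mod q to a bit: 1 if d is closer to q/2 than to 0 (mod q)."""
    dist_zero = min(d, q - d)          # distance to 0, wrapping around q
    dist_half = abs(d - q / 2)          # distance to q/2
    return 1 if dist_half < dist_zero else 0


def lwe_decode_threshold(d, q):
    """Decoding by the bare comparison d > q//2, kept only to contrast with lwe_decode."""
    return 1 if d > q // 2 else 0


def lwe_decrypt_pairs(s, pairs, q, decode=lwe_decode):
    """Decrypt a list of {"u": [...], "v": ...} ciphertexts into a bit string."""
    bits = []
    for c in pairs:
        d = (c["v"] - sum(si * ui for si, ui in zip(s, c["u"]))) % q
        bits.append(str(decode(d, q)))
    return "".join(bits)


def roundtrip_demo(message="1011001", n=5, m=10, q=97, seed=2024):
    """Key, encrypt every bit of `message`, decrypt; returns the recovered bit string.

    With at most m = 10 samples summed and |e_i| <= 1, the accumulated error is at most 10,
    which is below q/4 (about 24), so lwe_decode always recovers the bit."""
    rng = random.Random(seed)   # seeded so the demo is reproducible; not for real keys
    pk, s = lwe_keygen(n, m, q, rng)
    ciphertexts = [lwe_encrypt_bit(pk, int(b), q, rng) for b in message]
    return lwe_decrypt_pairs(s, ciphertexts, q)
```

The decoding rule is the one that matters when comparing against a reference: with error $e = -1$ and bit 0, $v - \langle s, u\rangle \equiv q - 1$, which `lwe_decode` correctly maps to 0 while the threshold comparison maps it to 1.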

Score: 0
CaffeineAddiction
Logic flaw: why can't you use randomness to seed more randomness?

If I have 256 bits of handwavium "perfectly random data" and I hash these 256 bits of data with a secure hash function (possibly SHA-256), could the resulting hash be considered "perfectly random data" as well? I am assuming no, but don't know why.

What information / keywords would I use to find out more information about this?

Interesting seemingly related topics:

Score: 0
Yuniel G
Would it be technically possible to use hundreds of computer processors together to work on an algorithm like Shor's algorithm and break RSA?

Would it be technically possible to use hundreds of computer processors together to work on an algorithm like Shor's algorithm and break RSA?

I've been reading about the crazy number of qubits required to break RSA, but what if hundreds of 64-bit processors work together towards the same goal? I would assume, if possible, it would be a very complex system and would require other algorithms to ...

Score: 3
P_Gate
Equivalence of lattice definitions

I have come across two supposedly identical definitions of lattices in the lattice crypto literature. There are mainly these two definitions of lattices: the first considers lattices as discrete additive subgroups, and the second is the common vector space definition.

Definition 1: Discrete additive subgroup $$\forall x \neq y \in \mathcal{L}, ||x-y|| \geq \varepsilon, \quad \exists \varepsilon >0 \qu ...

Score: 1
Luce
What mode in EVP for AES-128 should I use for cryptanalysis of AES?

I've been trying to use AES from OpenSSL and got to know that I need to use the EVP-based implementations rather than the AES_* functions.

I need to use AES-128 implementation to generate bitstreams, essentially passing various keys, and plaintexts to analyze the ciphertext generated for cryptanalysis of the algorithm. I went through the Question, How do I decide what mode to use? which linked to the NIST docum ...

Score: 0
ruslan Murzagaliev
Runs and autocorrelation tests

I have the book "Handbook of Applied Cryptography". In there we have an example of randomness tests.

I have the bit sequence [11100 01100 01000 10100 11101 11100 10010 01001]*4; the length of this sequence is n = 160. I need to test this sequence in order to understand whether it is random or not, and I have a problem understanding this example.

For the runs test, I understand how they got

$$e_i=\frac{n-i+3}{2^{i+2}}$$

For ...
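
As an added example (not from the post or from the book's text), here is a Python implementation of the frequency, runs and autocorrelation tests as HAC 5.4.4 defines them, run on the post's 160-bit sequence. The runs test uses $e_i = (n - i + 3)/2^{i+2}$, takes $k$ as the largest $i$ with $e_i \geq 5$, and reports $X_4$, which is approximately $\chi^2$ with $2k - 2$ degrees of freedom; the autocorrelation test with shift $d$ reports $X_5$, which is approximately $N(0, 1)$ for a random sequence.

```python
import math

# The post's sequence: 40-bit pattern 11100 01100 01000 10100 11101 11100 10010 01001, four times.
HAC_SEQUENCE = "1110001100010001010011101111001001001001" * 4


def frequency_test(s):
    """HAC 5.4.4 (i): X1 = (n0 - n1)^2 / n, approximately chi-square with 1 degree of freedom."""
    n0 = s.count("0")
    n1 = s.count("1")
    return (n0 - n1) ** 2 / len(s)


def run_lengths(s):
    """Return ({length: number of blocks}, {length: number of gaps}).

    A block is a maximal run of 1s, a gap a maximal run of 0s."""
    blocks, gaps = {}, {}
    i = 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        target = blocks if s[i] == "1" else gaps
        target[j - i] = target.get(j - i, 0) + 1
        i = j
    return blocks, gaps


def runs_test(s):
    """HAC 5.4.4 (iv). Returns (X4, k); X4 is approximately chi-square with 2k - 2 degrees of freedom."""
    n = len(s)

    def expected(i):
        # Expected number of gaps (equally, blocks) of length i in a random n-bit sequence.
        return (n - i + 3) / 2 ** (i + 2)

    k = 1
    while expected(k + 1) >= 5:
        k += 1
    blocks, gaps = run_lengths(s)
    x4 = 0.0
    for i in range(1, k + 1):
        e = expected(i)
        x4 += (blocks.get(i, 0) - e) ** 2 / e
        x4 += (gaps.get(i, 0) - e) ** 2 / e
    return x4, k


def autocorrelation_test(s, d):
    """HAC 5.4.4 (v). Returns (A(d), X5) where A(d) counts i with s_i != s_{i+d}."""
    n = len(s)
    a = sum(1 for i in range(n - d) if s[i] != s[i + d])
    x5 = 2 * (a - (n - d) / 2) / math.sqrt(n - d)
    return a, x5
```

For this sequence $X_1 = 0.4$, the run counts are $B_1, B_2, B_3 = 25, 4, 5$ and $G_1, G_2, G_3 = 8, 20, 12$ with $k = 3$, giving $X_4 \approx 31.79$ (far above the 5% $\chi^2$ threshold of 9.49 for 4 degrees of freedom), and with $d = 8$, $A(8) = 100$ and $X_5 \approx 3.89$ (outside $\pm 1.96$). The runs and autocorrelation tests therefore both reject the sequence, which is what one expects from a 40-bit pattern repeated four times.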

Score: 0
Is this Zero Knowledge interactive proof for Quadratic non-residuosity proper?

This is from Alan Rosen's video on Interactive proofs - https://youtu.be/6uGimDYZPMw?t=1754

Proof on Quadratic non-residuosity

Here the proof is that

  • the Verifier gets a random bit $b$.

  • If $b = 0$, then Verifier gets a random $y \in Z^*_n$ & sends $z = y^2$ to the Prover.

  • if $b=1$, then the Verifier sends $z = xy^2$ to the Prover.

  • Now if $z$ is a quadratic residue, then the Prover sends back $0$, else $1$.

Now, doesn't this de ...

Score: 1
Kai
Can new decryption keys be issued without modifying the encrypted contents?

I'm curious if there's an encryption scheme where content may be encrypted to a public key where the associated private key can generate new decryption keys for the same content. The goal is to publish data that is encrypted with a server's public key and allow the server to produce new decryption keys as needed.

Score: 2
alpominth
When the input size of a PRF is larger than the output, many inputs will generate the same output, so why is AES-256 in CTR mode considered safe?

I know that if the input size of a pseudorandom function is larger than its output, many different inputs will generate the same output by the pigeonhole principle (I also read an article related to that).

AES with a 256-bit key in CTR mode will generate many equal outputs per IV across all the possible keys of such a key space, because the IV is capped to 128 bits, smaller than the key size.

Why  ...

Score: -3
Jonathan Leslie
Modern version of a book cypher

I'm a computer programmer and I'm working on a truly unbreakable cypher, and I keep going back to a book cypher (each letter of the message is referenced by a page, row, and column number in a random book where both the sender and receiver have identical copies). In my update we use data files and auto lookup. Here is my version:

Step 1) create a book

  • generate a "book" of 5,000,000,000 characters writing t ...
Score: 5
Gilles 'SO- stop being evil'
Resistance against timing attacks of AES candidates

It's difficult to implement AES securely and efficiently if the adversary can observe the timing and (approximate) location of memory accesses, unless you have dedicated hardware. The naive implementation uses lookup tables, which are vulnerable to attacks based on caches or on memory bus contention. Timing-invariant implementations exist (using bitslicing) but they're slower.

Are the other candidates  ...

Score: 1
alpominth
Why is hashing a seed to generate a key and using chaining to get the rest of the key material not secure?

Here, a user says the following about using a seed to generate a key that is larger than the digest size:

"Do not use hash chaining: that's a bad way of constructing a key derivation function from a hash. If the output is H(S) || H(S||H(S)) || H(S||H(S||H(S))) || …, then it's possible to reconstruct the whole output from the first n bytes where n is the length of the hash. How bad this is depends on how you' ...

Score: 5
Neil_UK
argon2: is there a security cost to raising the parallelism too high?

I'm experimenting with the parameters for argon2, using argon2_cffi.

Whereas the iteration count (time_cost) and the memory_cost have obvious bearings on the speed and security of the result, I've not seen any guidance on a maximum for the parallelism parameter, other than enough for all the threads you have.

I have a 4-core i5, not sure if that counts as 4 or 8 threads. I am using time_cost=4, me ...

Score: 2
Joseph Van Name
In AES, why do we multiply the columns by a polynomial with a repeating coefficient?

In the MixColumns step of AES, one multiplies each of the columns of the $4\times 4$ box of bytes by the polynomial $a(x)=\{03\}x^3+\{01\}x^2+\{01\}x+\{02\}$ (modulo $x^4+1$). But in this polynomial, the coefficient $\{01\}=1$ is repeated twice. Why is it acceptable for the MixColumns step of AES to have a repeated coefficient? Are there any known or conjectured attacks against AES that take advanta ...
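
An added check, not from the post, of why a repeated coefficient is not a problem in itself: what MixColumns needs is that the $4\times 4$ circulant matrix over $\mathrm{GF}(2^8)$ built from $a(x)$ is invertible and MDS (branch number 5, i.e. any nonzero input column and its output together contain at least 5 nonzero bytes). A square matrix over a field is MDS exactly when every square submatrix is nonsingular, which is small enough here to check exhaustively. The code below implements $\mathrm{GF}(2^8)$ multiplication with the AES polynomial, MixColumns and its inverse, and that submatrix check; the test vectors in the usage note are the ones from FIPS-197.

```python
from itertools import combinations


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


# Circulant matrix of a(x) = {03}x^3 + {01}x^2 + {01}x + {02}; multiplying a column by it
# is multiplication by a(x) modulo x^4 + 1.
MIX = [
    [0x02, 0x03, 0x01, 0x01],
    [0x01, 0x02, 0x03, 0x01],
    [0x01, 0x01, 0x02, 0x03],
    [0x03, 0x01, 0x01, 0x02],
]

# Circulant matrix of a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}, used by InvMixColumns.
INV_MIX = [
    [0x0E, 0x0B, 0x0D, 0x09],
    [0x09, 0x0E, 0x0B, 0x0D],
    [0x0D, 0x09, 0x0E, 0x0B],
    [0x0B, 0x0D, 0x09, 0x0E],
]


def mat_vec(matrix, column):
    """Multiply a 4x4 matrix over GF(2^8) by a 4-byte column (addition is XOR)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def mix_column(column):
    return mat_vec(MIX, column)


def inv_mix_column(column):
    return mat_vec(INV_MIX, column)


def gf_det(m):
    """Determinant over GF(2^8) by Laplace expansion; characteristic 2, so no signs."""
    if len(m) == 1:
        return m[0][0]
    det = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        det ^= gf_mul(m[0][j], gf_det(minor))
    return det


def is_mds(matrix):
    """True iff every square submatrix is nonsingular, i.e. the matrix is MDS."""
    n = len(matrix)
    for size in range(1, n + 1):
        for rows in combinations(range(n), size):
            for cols in combinations(range(n), size):
                sub = [[matrix[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return False
    return True
```

`mix_column([0xDB, 0x13, 0x53, 0x45])` gives `[0x8E, 0x4D, 0xA1, 0xBC]`, `inv_mix_column` undoes it, and `is_mds(MIX)` is true: the repeated {01} does not cost any submatrix its rank, which is the property the diffusion argument for AES rests on.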

Score: 2
sergiu malutan
Is Falcon (PQ signing algorithm) slower than ECDSA in terms of computing time?

FALCON is a cryptographic algorithm for digital signatures, but is it slower than current algorithms (ECDSA)?

Score: 3
Paul Uszak
Does authenticating fake Carter-Wegman protected OTP messages consume key material at the receiving node?

Assume a message protocol whereby one time pad messages are authenticated with a Carter Wegman type hash on the ciphertext, or some similar construct utilizing a unique authentication key per message.

Since this is an OTP system, there is a store of key material at both the sender's and receiver's ends. Some material is drawn to create the authentication tag and the message sent. It is then authen ...

Score: 1
lakano
Protect long-lived session token with One Time Password, fast verification of OTP

We have a classic web application, and when a user signs in, we return a session token (UUIDv4). The user can choose whether the session should expire when the browser/app is closed or if he prefers to always be connected (1 year at least).

If an attacker gets the session token, I want a way to mitigate the possibility of using it.

A solution could be to also add a One Time Password to each API client call. ...
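
One concrete way to realise the per-call one-time password the post suggests, as an added example that is not the post's design: HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python, with a verifier that accepts the current time step plus or minus one and compares codes in constant time. The shared secret, the 30-second step and the one-step window are assumptions. Verification costs one HMAC per candidate step, so it is cheap; what a server must add on top is storing the last accepted counter per session, so that a code captured together with the token cannot be replayed within its window.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter as 8-byte big-endian)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1):
    """Return the time-step counter the code matches, or None.

    Accepts the current step and `window` steps either side to absorb clock skew.
    hmac.compare_digest keeps the comparison independent of how many digits match.
    The caller should refuse any counter <= the last one accepted for this session."""
    if unix_time is None:
        unix_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(unix_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class OtpSession:
    """Per-session state: the token the post already issues plus the last accepted OTP counter."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def accept(self, code, unix_time):
        """True if the code is valid for this time and has not been used before."""
        counter = verify_totp(self.secret, code, unix_time, self.step, self.digits, self.window)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True
```

The test vectors below are the RFC 4226 and RFC 6238 ones for the 20-byte ASCII secret `12345678901234567890`; the replay check in `OtpSession.accept` is what turns a valid-once code into something an attacker holding only the session token cannot reuse.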

Score: 0
TANMAY SINGH ASWAL
How is the SolarWinds attack related to the IND-CPA, IND-CCA1 or IND-CCA2 standards?

I just read about the SolarWinds attack and have just been taught in class about these standards, but I am not able to understand if there is a connection between the SolarWinds attack and the above-mentioned standards.

I have read about SolarWinds and got some info that the company was following the NIST standard, but I want to know if there is any connection between IND-CPA, CCA1, CCA2 and SolarWinds.

Score: 2
Pedro
Help with adding and multiplying points on secp256k1

I'm currently working on implementing digital signatures on the curve secp256k1 (for learning purposes only), and I'm having some trouble implementing ECDSA on it. As I understand it, this curve is a Koblitz curve, which means it can't be written in Montgomery form. Due to this limitation, I'm unable to use the Montgomery ladder.

Can anyone suggest how I can add and multiply poin ...
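
Added example (not the post's code): affine point addition, doubling and double-and-add scalar multiplication on secp256k1, with a minimal ECDSA sign and verify on top, using only the SEC 2 domain parameters. It is written for clarity, not side-channel resistance: the scalar loop is not constant-time, and the private key and nonce in `demo_sign_verify` are constructed placeholders, not how a nonce should be chosen (a real implementation derives it per RFC 6979 or from a CSPRNG, and never reuses one).

```python
import hashlib

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(P), base point G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A_COEF = 0
B_COEF = 7
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
INFINITY = None  # the point at infinity, the group identity


def is_on_curve(pt):
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % P == 0


def inv_mod(a):
    """Inverse modulo the prime P via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def point_add(p1, p2):
    """Affine addition handling identity, inverses (p1 == -p2) and doubling."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INFINITY
        lam = (3 * x1 * x1 + A_COEF) * inv_mod(2 * y1) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1) % P               # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Right-to-left double-and-add; k must be a non-negative integer. Not constant-time."""
    result, addend = INFINITY, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdsa_sign(priv, z, k):
    """Sign message hash z (integer) with private key priv and nonce k; returns (r, s)."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, N - 2, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return r, s


def ecdsa_verify(pub, z, sig):
    r, s = sig
    if pub is INFINITY or not is_on_curve(pub) or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not INFINITY and pt[0] % N == r


def demo_sign_verify():
    """Sign a constructed message with a placeholder key; returns (valid, valid_for_other_hash)."""
    priv = 12345678901234567890123456789012345678901234567890   # placeholder, not a real key
    pub = scalar_mult(priv, G)
    z = int.from_bytes(hashlib.sha256(b"example message").digest(), "big")
    k = 98765432109876543210987654321098765432109876543210    # placeholder nonce for the demo only
    sig = ecdsa_sign(priv, z, k)
    return ecdsa_verify(pub, z, sig), ecdsa_verify(pub, (z + 1) % N, sig)
```

Doubling is the `x1 == x2` branch of `point_add`, so the same function serves the "add" and "double" halves of the ladder-free loop; `scalar_mult(N, G)` returns `None`, the point at infinity, which is a cheap sanity check on both routines.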
