Latest Crypto-related questions

Score: 0
Tunnel_Vision avatar
Is there a Stream Cipher, with the ability of key reusing and what would be the advantages and applications of this kind of stream cipher?

In the case of an OTP (One Time Pad), if we encrypt two different images with the same key, then two encrypted images will be generated. Then if these two encrypted images are mixed with bitwise XOR, then the traces of the two original images are revealed.

On the other hand, in a hypothetical MTP (Many Time Pad) stream cipher this problem is eliminated.

*MTP= Many Time Pad= *many times reuse the  ...

Score: 0
Chandler avatar
How to understand the "Authenticity" and "Privacy" of CCM-mode encryption scheme?

CCM mode refers to CTR + CBC-MAC encryption mode.

Based on this paper, the adversary's advantage against the authenticity of CCM is:

Eq(1) A

Authenticity: it should be infeasible for an adversary to forge a valid ciphertext without knowing the secret key.

and the adversary's advantage against the privacy of CCM is:

Eq(2) B

Privacy: It should be infeasible for an adversary to derive any information from  ...

Score: 0
questioner avatar
Difference between WhatsApp and Signal implementation of the Open Whisper Protocol

WhatsApp has taken the step of using the Open Whisper Protocol for their message encryption, borrowed from the Signal application.

I was wondering if there was any obvious, high-level difference in the implementation of the Open Whisper Protocol between these two mobile phone applications? For example, perhaps Signal is using HMAC as part of their design, whereas WhatsApp is not?

This question focu ...

Score: 1
FoolishB avatar
Small public key size or small signature size, which is preferred?

Suppose two signature schemes provide the same level of security. The sum of the sizes of a public key and a signature, i.e., sizeof(sig) + sizeof(pk), is equal in the two schemes. One of the schemes has a smaller public key size, and the other has a smaller signature size. Then which scheme is preferred in practice? If it depends, then in what scenarios do we prefer smaller public keys, in what scenarios we ...

Score: 2
J. Doe avatar
Are there any cryptographic methods $f,g,h$ with $f(g(h(x)))=h(g(f(x)))=g(h(f(x)))$ and finding $x$ for given $c=f^ig^jh^k(x)$ harder than $O(i+j+k)$?

Are there any cryptographic methods $f,g,h$ which can be applied in any order to an input $x$ while still resulting in the same result $r$: $$f(g(h(x)))=h(g(f(x)))=ghf(x)=fhg(x)=hfg(x)=gfh(x) = r$$ Same for their inverse function: $$f^{-1}(g^{-1}(h^{-1}(r)))=h^{-1}(g^{-1}(f^{-1}(r)))=g^{-1}(h^{-1}(f^{-1}(r))) =...= x$$ If now $f,g,h,$ is applied $i,j,k$-times to an input $x$ finding/computing $x$ ...

Score: 0
user3450456 avatar
What is a secure, modern, partially homomorphic encryption scheme?

I was reading this paper by Philippe Golle on using the homomorphic properties of ElGamal encryption to play a game of mental poker (i.e. cryptographically secure poker without a trusted third party dealer). I decided that it would be a good project to try to implement some basic version of but I quickly ran into some problems.

It seems that ElGamal (and RSA, for that matter) are considered generally inse ...

Score: 0
Sheldon avatar
What's the difference between "padding" and "checksum" in cryptography?

In cryptography, padding is any of a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways.

Checksum seems to serve in the same way, which is added in the message, and the verifie ...

Score: 1
changing the frequency of DH ratcheting in Double Ratchet algorithm

I was going through Signal's Double Ratchet algorithm specification, and they mention that the DH ratchet step is done for every message.

I'm curious what happens if you only ratchet once every X messages? Specifically, what info would be leaked to an eavesdropper, and could the protocol be adapted to handle this?

Score: 1
Sheldon avatar
What does the apostrophe or single quote of a variable mean in cryptography?

What's the meaning of an apostrophe over a variable in the context conversations of verification?

Reference number: https://people.eecs.berkeley.edu/~jfc/'mender/IEEESP02.pdf From Collaborative Privacy

Score: 1
Why are handshake and master secrets distinct in TLS?

In TLS 1.3, handshake messages (except for ClientHello and ServerHello) are protected by keys derived from the handshake secret. After the handshake completes, the master secret is derived from the handshake secret, which is then used to derive keying material for application messages.

Why are handshake and master secrets distinct? What security issues would arise if the handshake secret was used as the  ...

Score: 0
shiiu akiyama avatar
The simulation sound extractable NIZK

I was recently reading the paper Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts. To prove the security, the authors assume that the NIZK used in the protocol is simulation sound extractable.

What I already know is that:

  1. If a NIZK is simulation sound, then it must possess soundness
  2. At a high level, simulation sound extractable means that the prover could not ...

Score: 1
Encrypting with nonces in IKE

In IKE exchanges, the first messages are sent unencrypted and unauthenticated. For authentication, messages are sent encrypted with nonces.

If a man in the middle is eavesdropping on this conversation, he/she will know which encryption algorithm will be used in exchanges. Can't the attacker know the contents of every encrypted message because nonces are also included in messages? How can we say these exchanges are ...
