Latest Crypto related questions

So I was reading about 1-bit error propagation for AES mode and how it propagates in various modes. I was wondering how error would propagate in ECB, CBC and CTR modes if it was a 2-bit or a 3-bit error on the ciphertext block when the receiver decrypts the ciphertext?

In Gentry's seminal results on FHE (https://dl.acm.org/doi/10.1145/1536414.1536440), it is assumed that the sparse subset set problem is hard. It looks like there is a follow up paper on the concrete parameter of the subset size (https://eprint.iacr.org/2011/567.pdf), which mentions that Gentry's choice of subset size is too aggressive (e.g., 15). But in its section 5 (Discussion), it also mentioned tha ...

Suppose I have a real physical dictionary, and I want to draw words from it randomly, using dices. How should I do it?

Maybe it's easier to work with a coin since it's easier to convert binary to a decimal, but whatever, if I use dice, then I can generate a number in base 6 with some dice throws.

The problem is that the dictionary does not have a index number for each word, so I think that picking a ...

I'm working with SWIFFT, a provably secure keyed hash function, which is desirable to me. Unfortunately from what I gather it is ONLY a keyed hash function. Would there be any disadvantages or security problems if I just gave everyone the key and used perhaps public key encryption to do the authentication "manually", using the keyed hash function in a keyless manner as a general purpose hash function ...

While creating secret keys in IKE protocol, sides use cookies but I did not understand where they come from, how they are generated and why they are used. Can someone explain? Thanks.

Why randomness space must be significantly larger than the commitment space |R|>|C|? the picture is from https://youtu.be/IkNZWJFcfcU?t=236

Please see the Reference section below for terms.

Is there a known one-way method to produce an array of indexes, based only on two input elements:

• length of the resulting array
• number, used as a key to deterministically produce the array

If there exists only a method that can produce only fixed-length arrays - it can also be a good start for me.

Examples:

For some $g$ and prime $P$ the sequence $$x_{i+1} = g^{x_i} \mod P $$ $$ x_0 = g$$ can contain all numbers from $1$ to $P-1$ and with this it is a pseudo-random permutation of those numbers (EDIT: seems to be not the case).

Is there any (quick) way to find big/safe values for $P$ and related $g$ which can still produce every number from $1$ to $P-1$?

Some examples:

With $P=5, g=3$ the sequence would b ...

In game-based security proof, I found that games are defiend to be played between a PPT adversary and a challenger. The adversary is able to issue queries to different oracles and receives corresponding reponses. Assume A is the participant of the protocol, the queries sent by the adversary could be: Test(A) or hash queries.

A little explaination about Test(A) query: This query is typically used  ...

Are there moderns (post World War II) and famous protocols that were proven secure (in any model: game-based, UC...) but whose proof was wrong and could have led to real-world attacks?

Note that:

• I'm not really concerned about attacks on the mathematical assumptions themself (which seem to be the focus of this thread, and can't be considered as mistakes in the proof: they are "just" unfortunate assumpti ...

Assuming we found a constant $g$ and a prime $P$ which is able to produce all values from $1$ to $P-1$ with it's sequence $$s_{i} = g^{s_{i-1}} \mod P$$ $$s_0 = g$$

How many steps are needed to compute $i$ for a given value $v$ ($=s_i$) with known $g,P$?
Can it be faster than $i$ steps?

toy example:

With $P=5, g=3$ the sequence would be $$\begin{split} &[3, 3^3\equiv 2, 3^{2} \equiv 4, 3^{4 ...