Latest Crypto related questions

Score: 0
What does hard instance mean in cryptography?

I'm learning cryptography recently. I read that for game-based formal security analysis, it is important to embed the hard instance during reduction. Does "hard instance" mean hard-to-solve problems like DDH (Decisional Diffie Hellman) assumption? If so, my understanding of "embedding the "hard instance" during reduction" is to calculate the adversary's advantage by including the probability of breaking ...

Score: 1
What is the definition of semantic secure advantage?

I'm doing sequence-of-game formal security analysis for key exchange protocol. It confuses me a lot how to calculate the adversary's semantic secure (SS) advantage. In Shoup's tutorial "Sequences of games: a tool for taming complexity in security proofs", SS-advantage = |Pr[S0]-1/2|; while in other papers like "Security proofs for an efficient password-based key exchange", SS-advantage = |2Pr[S0]-1|. Ca ...

Score: 0
How is TLS 1.3 application data encrypted with AES-GCM sent 'over the wire'?

I've been trying to manually decrypt some TLS 1.3 traffic for educational reasons, and have stumbled across a roadblock. So far, I've been able to complete most of the key schedule, including deriving the correct handshake traffic secrets from the ECDHE keys. However, I haven't been able to find much information about how the ciphertext and authentication tag are formatted within Application Data messag ...

Score: 0
What is the Standard to protect classified, Secret and Top Secret information?

Para 3 of Security Requirements for Cryptographic Module (FIPS 140-2) specifies the requirements that will be satisfied by a crypto module protecting sensitive but unclassified information.

What are the standards to protect classified, Secret and Top Secret information?

Score: 2
Range proof for elements in Vector Pedersen commitment

If I construct a vector Pedersen commitment $c = a_1G_1 + a_2G_2 + ... + a_nG_n$ with an arbitrary scalar vector $(a_1, a_2, ..., a_n)$ and group elements $(G_1, G_2, ..., G_n)$, is it possible to create a range proof that proves that each element in this commitment is non-negative?

I understand that it is possible to create a range proof using Bulletproofs for cases like $c=aG+bH$, but is it possible  ...

Score: 0
Finding collisions of polynomial rolling hashes

A polynomial hash defines a hash as $H = c_1a^{k-1} + c_2a^{k-2} ... + c_ka^0$, all modulo $2^n$ (that is, in $GF(2^n)$).

For brevity, let $c$ be a $k$ dimensional vector (encapsulating all the individual $c_n$ values).

Are there particular values for $c$ that make the probability of collisions between two randomly chosen $a$ greater than $k/2^n$?

I would argue that there are not. For $H(c, a)$ equ ...

Score: 2
AES key expansion question

I'm reading about the key expansion for AES but I can't seem to find the answer to this question yet. The book refers to a cipher key and the expanded key (or key schedule). This is the algorithm from the book:

procedure KeyExpansion(byte K[4][Nk], byte W[4][Nb(Nr + 1)]) ▷ Nk ≤ 6
    for j = 0 to Nk − 1 do
        for i = 0 to 3 do
            W[i][j] ← K[i][j]
        end for
    end for
  ...
Score: 0
How to handle IKEv1 and IKEv2 diffie-hellman shared secret bits length not multiple of 8 in ACVP

Hi, I found this question which I am currently struggling with. How to handle IKEv1 and IKEv2 Diffie-Hellman shared secret bits length not multiple of 8?

In ACVP, the input Diffie-Hellman shared secret bit length isn't a multiple of 8, for example, 521 bits. The given gxy is 9E50F9E86DAF773F657F5F32BA4C84E707284843F422A74DFC6877D236020F86B115230C3BA57A680AED1AF2F0CE59CBB3C5755D80EFCCC1DD350DE79781AC8071 ...

Score: 0
CBC byte flipping attack

I'm learning how CBC works but I don't understand, when altering the first 2 bytes of the ciphertext, why the first block and ONLY the first 2 bytes of the second block are altered. The first 2 bytes of the ciphertext are altered using an XOR operation with random values. Each block is made of 16 bytes.

Those are the random bytes to encrypt:

D6 D7 17 2B D8 1B 73 DF AA D4 D0 DC 94 D1 C2 B2 EE 0D 3B D ...

Score: 0
Combining CP-ABE and KP-ABE by wrapping one with the other?

I've looked around but can't find any discussion on using both CP-ABE and KP-ABE by simply wrapping one with the other. It seems like you'd be able to get more fine-grained access control with a scheme like that. The lack of any information makes me suspect that I'm missing something. Would this be an advantageous setup and would there be any problems associated with doing something like that?

Score: 1
How to decode "SELF-SHIFT" cipher?

I try to use the function $$C_i=E(M_{2i}, M_{2i+1}) = (M_{2i} + M_{2i+1})\bmod 26$$ to encode English text.

For example,

Plaintext: The quick brown fox jumps over the lazy dog.
Regrouped Text: TH EQ UI CK BR OW NF OX JU MP SO VE RT HE LA ZY DO G.
$$ T = 19, H = 7, (T + H) \bmod 26 = 26 \bmod 26 = 0 = A.\\ \cdots\\ (D + O) \bmod 26 = R. $$
Ciphertext: AUCMSKSLDBGZKLLXRG.

Then I'm trying to decode the c ...

Score: 1
RSA accumulator

In the ZeroCoin paper, it uses a zk-proof from Camenisch's dynamic accumulator that shows a Pedersen commitment hides an element of an RSA accumulator (https://link.springer.com/content/pdf/10.1007/3-540-45708-9_5.pdf). However, it looks like the proof can also be used to prove that a subset of elements belong to the accumulator.

Now the question is: how does ZeroCoin prove that the Pedersen commitm ...

Score: 1
Can we transform LWE symmetric encryption scheme into a commitment scheme?

In the LWE symmetric encryption scheme, a ciphertext encrypting a message $\mu \in \{0,1\}$ under the secret key $\mathbf{s} \in \mathbb{Z}_q^n$ is $(\mathbf{a}, \mathbf{b}=\mathbf{a} \cdot \mathbf{s}+e+\frac{q}{2}\mu)$, where $\mathbf{a} \in \mathbb{Z}_q^n$ is a uniformly sampled vector and $e \in \mathbb{Z}_q$ is a noise.

My question: Using the ciphertext as a commitment and $(\mu, \mathbf s)$ as r ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.