Latest Crypto related questions

I have a custom network and I want to implement a symmetric key exchange and key derivation mechanism with ECDH.

I know that I need to use KPP API and ECDH helper functions, but I can't find any code examples in Github or elsewhere (kernel documentation is a bit confusing for me, I'm new to this), so I started to think that it's not practical to use ECDH.

If it's not practical, what other algorithms shou ...

I've came across a Stackexchange question about the Chaum-Pedersen Protocol which is based on the generalised schnorr protocol. As I understand it, it uses discrete logs and cyclic groups of prime order q to prove knowledge of a secret value x, which in this scenario is an equality proof for the discrete log.

The paper referred to in the question is https://www.cs.umd.edu/~waa/414-F11/IntroToCrypto.pdf

I am currently taking a course in university where we are working with a KeePass 2 database file. I am still very new to everything which has to do with encryption.

First I am going to provide the information which was given to me:

A Keepass 2 database file contains different headers, the important ones are the following:

• end of header (after this header follows the encrypted database)
• master s ...

I have been examining the Gazelle paper, which focuses on secure inference protocols. One section constructs a Garbled Circuit using inputs cx, sx, and sy to compute the ReLU function in neural networks. Here, sx represents the server's share of the input and cx stands for the client's share of the input data. The paper defines sx as x - r (where r is a random sequence used for masking x) and cx as r.

Recently a friend of mine showed me a "puzzle" he created with edwards curve ed25519

It is based on adding and multiplying points on the curve

You supply four arguments to the program

1. The 'public key'
2. The 'private key'
3. additional data
4. static point value

He considers the puzzle as solved if the following 'equation' applies:

hash = sha512(public key + data)[:32] // first 32 bytes

private key * ed ...

let's look at the public key in this post as an example: https://crypto.stackexchange.com/a/35105

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB

when I decode this base64 string using an online tool, I get a public key with some funny ...

It's possible to use a hash function as an encipherment scheme if used in counter mode.

Let's suppose I take a 64-bytes (512-bits) seed/key and hash it concatenated with counters, and use it as a encipherment scheme. But the hash function has its digest output size of 32-bytes.

Some hash function such as Blake2 and Blake3 have options for specifying an counter, but counters can be used with any (cri ...

For security against Chosen Plaintext Attack (CPA), we need randomized algorithms for encryption. But in some schemes (maybe almost all of them) take decryption algorithm deterministic. This procedure occurs in functional encryption, that its security definitions are more complicated than ordinary public encryption, too. This is a little confusing.

1. Is using a deterministic algorithm for decryption eq ...

The Pinocchio paper contains a description of the GGPR protocol (Protocol 1), and states that verification requires "8 pairings for the $\alpha$ terms, and 3 for the $\beta$ term". However I can't figure out how to verify the $\beta$ term with 3 pairings, it seems to require 4.

For context, the proof is given as:

$$ ( g^{v_{mid}}, g^w, g^y, g^h, g^{\alpha v_{mid}}, g^{\alpha w}, g^{\alpha y}, g^{\al ...

I would like to let the receiver has the ability to check the sender's authenticity when he gets the message.

Also, I want to protect the message's confidentiality and integrity.

Should I use aes gcm + hmamc or just aes gcm?

I heard aes gcm provides messages authentication suing Ghash. But ghash is not a mac, so I am confused how aes gcm achieve message authentication

In SEAL library, I want to multiply a BFV ciphertext ct with an integer inverse. Here are what I do:

1. Compute the integer inverse as follows:

uint64_t inverse = invert_mod(pow(2, log_total_item),enc_params_.plain_modulus());

2. Encode inverse to BFV plaintext using the following code:

Plaintext inverse_pt(to_string(inverse));

3. Compute multiplication as follows:

evaluator.Multiply_plain_inpl ...

From the PLONK paper.

Page 23, 6 Constraint System

The constraint system $C = (V, Q)$ is defined as follows.

• $V$ is of the form $V = (a, b, c)$, where $a$, $b$, $c \in [m]^n$. We think of $a$, $b$, $c$ as the left, right and output sequence of $C$ respectively.

• $Q = (q_L, q_R, q_O, q_M, q_C) \in (\mathbb F^n)^5$ where we think of $q_L$, $q_R$, $q_O$, $q_M$, $q_C \in \mathbb F^n$ as "selector vectors".

My train of thought went, OTP is very secure if key is unknown because I am guessing the original message. AES on the other hand tells me I gave it the wrong key, and if I did I can just switch using another key without having to worry about if the decrypted message using a key that's not the original key was the original message. So now I am just guessing 256bit instead of however long OTP is, plus giv ...

I know it's possible with ECDSA. How bout RSA?

I am studying openssl 3.0 (Windows, C++) in order to encrypt data using RSA. More specifically, I need to sign a CertificateVerify server message in TLS 1.3.
The questions are:
1) how can I define padding mode (PSS) for RSA encryption for this aim ?
2) Should I to create EVP_PKEY_CTX* ctx or I need EVP_MD_CTX* mdctx only ? What's a difference between them ?
Code without padding definition is: `

// encryp ...

If we use the following notation:

$$C = E(P, K_e)$$

$$P = D(C, K_d)$$

Where: $$E(), D(), C, P, K_e, K_d$$ are the encryption algorithm, decryption algorithm, ciphertext, plaintext, encryption key and decryption key respectively

The only difference between symmetric and asymmetric encryption is:

$K_e = K_d$ for symmetric and $K_e \neq K_d$ foy asymmetric.

So in theory we could use the same E() and D() ...

The integer factorization decision problem (does integer N have a prime factor = k?) is known to be an NP problem. Analogous to this, can we say that the decision problem for finding the private key of an Elliptic curve (Is r the number of times base point was added to come up with target point) is also in NP, but not NP-complete?

I have a group of subscribers who are subscribed to a message broker in an IoT setting, let's say to the topic 'sensor/temperature'. Now, I want to create a public/private key pair in such a way that only the subscribers are capable of generating the pair, while the broker remains unaware of it. The publisher will encrypt the message using the public key, broadcast the encrypted message with the assista ...

I've generated a key using an HSM Thales PayShield and i have share it with a counterpart. I followed these steps:

• i generated key usign KG console command

• i use FK to form ZMK from clear components (received by the counterpart)

• i exported key key under ZMK (KE command)

Now, in this particular case the counterpart wants the key in clear format and no under ZMK. We are in test environment so we  ...

All the knowledge I have learned about encryption algorithms tells me that the AES encryption algorithm uses three key bit lengths of 128, 192, and 256 to encrypt data, and these three key bit lengths correspond to 10, 12, and 14 rounds of encryption, respectively.

But the question is, why?

Why not 11, 13, 15? Why not 14, 16, 18? Why not...
And it must be 10, 12, 14?

I have studied the C source cod ...

So the problem I'm exploring is basically how to run a paper exam (such as the SAT) in such a way that participants can be sure that their exams were graded fairly, meaning the exam hosts can't change the answers or questions of the exam after the exam is conducted without the examinees finding out.

So we have a test which consists of $n$ strings that are questions each of which are multiple choice w ...

Can anyone explaine how to find the every 15 round key by the 64 hex digit master key of AES 256 please. I will be really greatfull

Anyone can explaine to me how does the round key in aes256 work please, why is the round key 32 digit while 1 block only have 16 digit? how can 32 digit key XOR 16 digit block? Is it like two digit of round key XOR 1 digit in block?

In Kyber the following estimation is given for a quantum adversary:

Theorem 4. For any quantum adversary $A$ that makes at most $q_{RO}$ many queries to quantum random oracles $H$ and $G$, and at most $q_D$ many (classical) queries to the decryption oracle, there exists a quantum adversary $B$ such that $$\text{Adv}_{\text{Kyber}}^{\text{cca}}(A) \leq 8 q_{RO}^2 \cdot \delta + 4q_{RO} \cdot \sqrt ...

Does anyone know what are the family relationships in the paper "How to Explain Zero-Knowledge Protocols to Your Children"

The authors are: Jean-Jacques Quisquater, Myriam Quisquater, Muriel Quisquater, Michaël Quisquater, Louis C. Guillou, Marie Annick Guillou, Gaïd Guillou, Anna Guillou, Gwenolé Guillou, Soazig Guillou, Thomas A. Berson

I suppose its Jean-Jacques Quisquaterm, Louis C. Guillou ...

In the paper Dual system encryption: realizing fully secure IBE and HIBE under simple assumption (free PDF), the authors said "there is an apparent paradox in this strategy since it seems that the reduction algorithm could simply answer the challenge ciphertext". In the paper An efficient IBE scheme with tight security reduction in the random oracle model, the authors said "Nevertheless, a private k ...

The NIST Kyber KEM spec. defines an encryption scheme, KYBER.CPAPKE, that's a variant of the so called Lyubashevsky, Peikert, Regev ("LPR") encryption scheme [1]. While LPR encryption is typically defined over subrings of cyclotomic number fields, KYBER.CPAPKE is instantiated over an $R_q$-Module where the base commutative ring is $R_q := \mathbb{Z}_q[X]/ \langle \Phi_{512}(x)\rangle$ and $q = 3329$

Update:

In Lipton and Regan's blog, Scott Aaranson and Craig Gidney have commented that the results are not unexpected and also not a deal-breaker in that dealing with this type of noise is already part of the way QC is implemented, including the use of physical measures as well as error correction for making quantum computing work.

Original Question:

An interesting recent paper by Jin-Yi Cai is sug ...

In ECDSA, if Alice wants to send a message to Bob, she computes $s=k^{-1}(z+rd_A)$.

I was thinking that the formula could simply be $s=k^{-1}zrd_A$ and the algorithm would work just as well, and the verification would be simpler, because the recipient would just have to calculate $X=s^{-1}zrQ_A$ instead of a sum $X=s^{-1}zG+s^{-1}rQ_A$.

Is there something I'm missing?

I was wondering if changing modes or primitives could affect security. For example, let's say you have encrypted data with AES-128 with CBC mode and you want to change it to AES-128 GCM, or to ASCON. What I mean by that is that you decrypt the messages then encrypt them again with the new scheme. Does that affect security in any way?

From what I've read, sometimes it affects security: if you go f ...