Latest Crypto related questions

Score: 2
Cisco Saeed
What is the equation to get P-Q in Montgomery curve XZ coordinates?


Based on differential addition on P, I can understand (Xp,Zp), which is the base point, and (Xq,Zq), which comes from doubling, but I don't know what equation is used to get P-Q, i.e. X-, Z-.

So, for example, if I have P1(8,3,1), does it mean (X⊖,Z⊖) = (8,1) and that the value of (Xq,Zq) comes from doubling? What about (Xp,Zp)?

Score: 2
Eddie
Wouldn't concatenating the result of two different hashing algorithms defeat all collisions?

Let's say I have three messages: A B C

And I run each of these through two different Hashing algorithms: MD5 and SHA1 for this example

MD5(A) = X
MD5(B) = Y
MD5(C) = Y

SHA1(A) = N
SHA1(B) = N
SHA1(C) = M

Notice the MD5 hash of B and C collide. And the SHA hash of A and B collide.

If I simply concatenate the digests, however, the results would be unique:

Combined Digest of A:  XN
Combined Digest of B ...

Score: 1
BBForage
Recovering a multiple of $\phi(N)$ given two private/public key pairs

Assume $\phi(N) = (p - 1) (q - 1)$ as in the original paper. Suppose that we are using the same modulus $N$ for public and private key pairs $(e_1, d_1)$ and $(e_2, d_2)$. How can we get a multiple of $\phi(N)$ from these two pairs?

Score: 0
Rohan Padshah
Microsoft Exchange Server data breach relevance to IND-CPA, IND-CCA1, IND-CCA2

I was studying the Microsoft Exchange Server data breach attack of 2021 as part of an assignment case study. One of the tasks of the assignment is to find its relevance to the IND-CPA, IND-CCA1 and IND-CCA2 standards.

From my understanding, the attack seems to have been caused by some logical bugs in the code base of certain versions of Exchange Server, with the attacker exploiting it intelligently ...

Score: 0
Ellie
MAC Generation in ZUC: why is the test data non-byte aligned?

Short question: is there a particular reason why all standardized test data for the input message for 128-EIA3 is non-byte aligned?

Score: 0
killertoge
Why is repeating for polynomial time still negligible if one execution has negligible chance?

Goldreich justifies why we work with the term negligible by saying, among other things, "events that occur with negligible (in n) probability remain negligible even if the experiment is repeated for polynomially (in n) many times." Now I want to prove this statement. So I assume we have a problem with a verifiable solution and an algorithm that solves it with negligible chance. And repeating this algorithm f ...

Score: 2
ramenpeddler
Why can S-box input XOR S-box output be sensitive data for a side-channel attack?

As several intermediate values are used as sensitive data for side-channel analysis (DPA), I don't understand why S-box input ^ S-box output is also widely used and effective. This value is not used in the AES algorithm itself.

Score: 1
destrand
Code Signing Parameters for LMS/HSS/XMSS

LMS is specially used for applications, such as code-signing (https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf). Given the parameter list in table 3, found here https://datatracker.ietf.org/doc/html/rfc8554#section-6.2, for which specific code-signing applications and environments ( ...

Score: 1
Rui
Trying to understand the p-adic logarithm map in elliptic curves

I'm following these slides from "An Introduction to the Theory of Elliptic Curves" http://www.math.brown.edu/johsilve/Presentations/WyomingEllipticCurve.pdf, but I'm having some difficulty understanding how the ECDLP can be solved in anomalous curves.

On the slides it says: "If #E(Fp) = p, then there is a “p-adic logarithm map” that gives an easily computed homomorphism logp-adic : E(Fp) -> ...

Score: 1
user1035648
Modified Merkle-Damgård construction that does not include message length

How do I give an example of a collision in the modified Merkle-Damgård construction that does not include the input length, with two messages that ARE multiples of the block length? (Assume the resulting hash function is only defined for inputs whose length is an integer multiple of the block length.)
It is easy to consider a counter-example in the case where two messages have lengths that are not an integer multip ...

Score: 7
whatf0xx
Why does RSASSA-PSS rely on full collision resistance whereas RSA-PSS only relies on target collision resistance?

This is sort-of a reply to the top answer given to this question, which states that whereas RSA-PSS, defined in terms of $H(r \ || \ M)$, only relies on target collision resistance and is secure even if MD5 is used (or at least was at the time of writing that answer), RSASSA-PSS, defined in terms of $H(r \ || \ H(m))$ is totally broken, because it relies on full collision resistance, which has been bro ...

Score: 3
CuriousCrypto
Security of using a key size larger than the message digest size in HMAC, with one-time pads

I would like to know the security of using a key size that is larger than the message digest (output) of an HMAC in one-time pad encryption. The one-time pads for the message and for the HMAC key are different. Scenario:

  • A single message will be sent from A to B on insecure medium but is not known WHEN, in advance.
  • Both A and B agreed previously on the one-time pads (which are randomly generated) for the key  ...

Score: 3
sbluff
Hybrid Argument proof

I am trying to understand what the Hybrid Argument is in cryptography and why it is useful.


By the definition of the Hybrid Argument we know that to prove that if two distributions $D = D_1, D_2, ..., D_k = D'$ can be distinguished, then $\exists D_i, D_{i+1} $ that can be distinguished.


Let:

  1. $\alpha, \beta, \gamma \in \mathbf{N}$
  2. $0 < \alpha < \beta < \gamma$
  3. $g_1$ be a $(\alpha, \beta)$ ...

Score: 4
upavloff
Make sure of Quadratic Arithmetic Program validity

In the process of learning zk-SNARKs, I'm faced with this problem:

I understand why if the prover sends a polynomial $P$ that can be divided by $T$, the target polynomial, the prover knows a valid assignment. But I don't understand how the verifier makes sure that the prover actually sent a polynomial $P$ which matches the R1CS and not some polynomial multiplied by $T$ like: $P(x)=T(x)\times F(x)$

Score: 1
Sujan SM
How and where are the concepts of good basis and bad basis used in Crystal Kyber?

I've read the documentation of Crystal Kyber, but nowhere does it mention good basis and bad basis.

Please explain how and where good basis and bad basis are used in Crystal Kyber.

Score: 1
Rakmo
Why is predicting the error in Crystal Kyber considered to be hard?

Hi, I have started studying Crystal Kyber recently and gained some knowledge regarding its algorithm and how it works. My doubt is why it is tough for an attacker to extract the secret vector from pk itself by predicting the error vector, since from pk we know mat_A and t. (B=As+e)

How can the attacker predict the error from the Gaussian distribution model? And how is the error randomly chosen from the region of high to  ...

Score: 1
incisor_supervisor
Age: stream cipher with public key cryptography?

I have some rudimentary cryptography knowledge but am by no means an expert.

I generally understand stream ciphers, such as ChaCha20-Poly1305, to be symmetric. I am wondering how age (https://github.com/FiloSottile/age) uses public and private keys to encrypt data with ChaCha20-Poly1305. Is it similar to how in some protocols asymmetric encryption is used to establish a shared symmetric key, or is ...

Score: 2
constantine
Is there a CRHF based on the integer factorization problem or the RSA assumption?

We know that in the black-box sense, we cannot use one-way functions to construct Collision Resistant Hash Functions. In my impression, I have never seen a CRHF based on the integer factorization problem or the RSA assumption.

Score: 3
iwatanab
Anonymized Spatial Conflict Assessment - Suggested Approaches?

Scenario:

  1. There are 3 people: PERSON1, PERSON2, and PERSON3
  2. PERSON1 and PERSON2 each have a 2-dimensional polygon on an x,y plane
  3. It is PERSON3's job to assess whether the polygons overlap
  4. However, PERSON1 and PERSON2 must encode their polygons in such a way that PERSON3 cannot identify the location of their polygons, nor is it possible for PERSON3 to decrypt the polygons.
  5. Despite this, PERSON3 mu ...

Score: 1
HarryFoster1812
Are lattice-based cryptography and error-correcting codes mathematically unsound?

From Ronald de Wolf's The potential impact of quantum computers on society:

The first is so-called post-quantum cryptography. This is classical cryptography, based on computational problems that are easy to compute in one direction but hard to compute in the other direction even by quantum computers. Factoring does not fit this bill because of Shor’s quantum algorithm, but there have been propos ...

Score: 2
timberus
I understand the authentication procedure, but are replay attacks possible in these scenarios?

Would a replay attack be possible in any of these scenarios? My understanding is that in only images 3 & 4 it is possible.


Score: 1
HarryFoster1812
Why can't we just increase the bit length to counteract Shor's algorithm?

I know that it sounds like a very stupid question, but if Shor's algorithm has a complexity of roughly $n^3$, why can't we just increase the bit size until the time for the algorithm to run is unfeasible on a quantum computer? Or would it just take too much memory and too much computation for RSA/ECC to be worth it?

Score: 2
sbluff
Goldreich-Levin Theorem

I am running into the Goldreich Levin Theorem.

According to what I know a predicate $h: \{ 0,1 \}^* \to \{ 0,1 \} $ is a hardcore predicate for a function $f: \{ 0,1 \}^* \to \{ 0,1 \}^* $ if:

  1. $h$ is deterministic and efficiently computable
  2. It's hard to find $h(x)$ given $f(x)$ for any probabilistic time adversary

The Goldreich Levin Theorem states that a hardcore predicate can be found given any OWF ...

Score: 2
sWong
Is it possible to reverse GHASH from GCM?

How can I create a "reverse" GHASH algorithm for GCM that allows me to compute an input value that generates a specific chosen output, given that I know the authentication key H? If this is possible, what is the process for achieving this?

Score: 2
Mario
Upper bound for the Gap Diffie–Hellman (in the generic group model)

Does an upper bound exist for the advantage of solving the Gap Diffie-Hellman problem (possibly expressed in terms of the order of the group, the number of queries to the oracle, time, etc.)?

Score: 4
user
Why did post-quantum key exchanges go extinct?

On July 5, 2022, NIST chose one KEM (Key Encapsulation Mechanism) as a PQC standard and 4 KEMs as fourth-round candidates. Why aren't there any key exchanges?

Similarly, KEMs are usually studied in literature. The post-quantum key exchanges in literature are very rare. Moreover, in those key exchanges, the message to be shared is generated by one party. I do not see any post-quantum key exchange  ...

Score: 0
Sujan SM
How is MLWE used for key generation in Kyber?

I've been reading about Crystal Kyber, and I read that in the key generation process, the public key pk is computed using the secret key s in such a way that the error e is added to the inner product of the random matrix A and the secret key s.

It is said that an attacker trying to crack secret key from public key needs to solve Module-LWE problem to do so, which is computationally hard.

My question is how  ...

Score: -1
Murrchalkina
Can I use many iterations of the HMAC function instead of PBKDF2?

I know that PBKDF2 uses HMAC with a SHA2 function as its PRF. But can I use many iterations of HMAC with SHA2 directly? Is this effective and secure? P.S. I need the best function, but I can't use bcrypt, argon, or pbkdf2.

Score: 1
frt132
In Zcash, how does a recipient look up which transactions belong to him/her?

For Monero, the scheme for stealth addresses is pretty straightforward. (For example: https://monero.stackexchange.com/questions/1500/what-is-a-stealth-address) However, I haven't found any details on how the same functionality is done in Zcash, can someone provide more information on this?

Score: 3
brethvoice
Does NordPass Make the Same Error SpiderOak Stopped Making in 2017?

According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown here:

https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489

NordPass has yet to walk back its claim to a zero knowledge architecture:

https://nordpass.com/features/zero-knowledge-architecture/ ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.