Latest Crypto-related questions

Score: 2
js wang
Leaking information for giving the Yao's garbled circuit's garbled output

I am currently reading the paper: Efficiency Tradeoffs for Malicious Two-Party Computation. The paper describes a $k$-leak model and gives an example that leaking 1 bit could turn Yao's garbled circuit from semi-honest resistance to malicious resistance.

On page 14, it says that Alice gives its garbled output to Bob --- the garbled circuit creator. But won't Bob reconstruct all of Alice's input by Alice's gar ...

Score: 3
knaccc
How to efficiently find the distance between two EC point private keys

There exist two EC private keys $x_1$ and $x_2$, where their corresponding public keys on the well-known base point $G$ are $X_1=x_1G$ and $X_2=x_2G$ respectively. The order of the cyclic group generated by $G$ is $\ell$.

Those private keys have been chosen such that the distance $d=|x_1-x_2| \pmod{\ell}$ is less than $2^n$, for a declared value of $n$.

Given $X_1$, how can we determine $d$ more ...

Score: 1
ykrnse
Single-party encryption, multi-party and single-party decryption

Let’s say person A encrypts a message. Now I want both person A and persons B, C, D – A as a single individual – and B, C, D only as a group, to be able to decrypt the encrypted message. The multiparty decryption process should be designed in a way that it requires no secret sharing between B, C, D. Also the secret that A uses to encrypt/decrypt the message is completely unknown to B, C, D and th ...

Score: 3
Sean
two closely distanced ECDSA keys

Assume that one uses two private keys $x_1$ and $x_2$ to generate two public ECDSA keys $y_1$ and $y_2$ (e.g., used as public key for Bitcoin address). The distance between $x_1$ and $x_2$ is small (e.g., less than ${2^{20}}$). What's bad about it?

I know that if one breaks $x_1$, it certainly leads to the breaking of $x_2$ with a small effort search. But let's assume that except $|x_1 - x_2|$ is a s ...

Score: 1
Turbo
On access to a Diffie Hellman oracle

Assume $g$ is generator of multiplicative group modulo prime $p$.

Assume we know $g^X\bmod p$ and $g^{XY}\bmod p$ and assume we can have access to a Diffie-Hellman oracle.

Can we find $g^Y\bmod p$ in polynomial time?

If we know how to compute $g^{X^{-1}}\bmod p$ then we can use the oracle to compute $g^Y\bmod P$.

So I believe the problem reduces to computation of $g^{X^{-1}}\bmod p$ given a Diffie-He ...

Score: 0
filter hash
Security of a variant of DDH

The standard DDH assumption states that given $(g,g^a,g^b,g^c)$, it is hard to determine whether $c$ is $ab$ or not.

A variant of the DDH assumption is: given $(g,g^a,g^b,g^c, g^{ab} ,g^{bc},g^{ac})$, it is hard to determine whether the last three terms are random or not.

Is the variant still secure? If so, how to prove this?

Score: 2
driewguy
Ideal cipher vs Ideal encryption scheme

An ideal cipher is a random permutation for every key in its key space.

And an ideal encryption scheme is one which has perfect secrecy/indistinguishability. For an encryption scheme, a random permutation from plaintext space to ciphertext space seems to be a stronger property and is not always needed.

I do not understand the rationale:

  1. Why would having just perfect secrecy/indistinguishability (a ...

Score: 0
Sudhir Kumar Sahoo
Evaluation of prediction of probability is a DES structure

Suppose you are given $DES_k(m)$ for some unknown $k$ and $m$, where $DES()$ is the usual DES scheme. With what probability can you predict, for example, the 12th bit in the output of $DES_{\bar{k}}(\bar{m})$? Here $\bar{m}$ (resp. $\bar{k}$) denotes the bitwise complement of $m$ (resp. $k$).

In this question, as we know that we are using Feistel cipher with $n=32$, $r = 16$ but how to evaluate the prediction of ...

Score: 0
Sudhir Kumar Sahoo
Time and space complexity analyzation of meet and middle attack of triple DES

How can we analyze the time and space complexity of meet and middle attack on a Triple-DES?

Score: 0
Breaking an SPN Cipher where the permutation is just the identity permutation

I've had this problem that I've been trying to figure out for a while. Can an SPN cipher be broken by a chosen-plaintext attack if the permutation for the SPN is just the identity permutation? For example, would we be able to do this if the block length is 128, the key length is also 128, and the number of rounds is 16? I had some ideas of how to approach this but I'm not sure, would we be able to figure ...
