Latest Crypto related questions

Score: 0
Baviri Ajith
I am new to KDFs. I need background on KDF and ANS X9.63, HKDF using Java

JavaCard 3.1 introduces this KDF as part of this release. Can someone help me in understanding this topic clearly? (KDF ANS X9.63). I need some parameter information. What are shared secret and shared info, the differences between them, how they are generated, etc.? How to validate, and the corresponding code in Java, to assert that the outputs from JavaCard and Java are the same. Some unit testing to be done fro ...

Score: 1
knaccc
How to most inexpensively extract 1 byte of uniformly distributed entropy from a 32-byte Curve25519 EC point

I'm looking for the simplest and most inexpensive hash with the following properties:

Input: A 32-byte Curve25519 EC point containing approximately 125 bits of non-uniformly distributed entropy (created as a result of an ECDH exchange).

Output: 1 byte containing 8 bits of entropy, uniformly distributed.

Score: 0
Hunger Learn
How can I use a secret sharing scheme when the secret is not a number but a statement?

I want to use a secret sharing scheme, where every player $i\in N$ has to share a pair of secrets $(l_i,\nu_{l_i})$, where $l_i$ is a unique code (positive integer) for every player, but $\nu_{l_i}$ is a secret like a statement. For example when player $i$ reports to the other players $\nu_{l_i}$ is like making a statement of the form "My name is $i$ and I know the information $\nu_i$."

My initial ...

Score: 1
Tarick Welling
How is GGH's bad basis public key safe from Gram–Schmidt orthogonalization?

I'm reading about lattice based cryptography. In my reading I read of Gram–Schmidt orthogonalization, which allows for turning a bad basis into a good basis, or at least an orthogonal one.

Now I'm reading that in the GGH encryption scheme a good basis is used as private key and a bad basis is used as public key.

However my thought is that if the public key is known we can apply Gram–Schmidt orthog ...

Score: 0
How is the polynomial multiplicative inverse calculated here?

How is the multiplicative inverse calculated in the following? Please explain with details.

(image: what an IDE shows)

Note: I understood how polynomial value 283 is calculated.

Score: 2
BlackHat18
Questions regarding the pseudorandom function construction of Banerjee, Peikert, and Rosen

I am trying to understand the following pseudorandom function constructed by Banerjee, Peikert, and Rosen in this paper, assuming the hardness of LWE. Consider the following LWE/LWR based pseudorandom function:

$$F_{A, S_1,\dots, S_k}(x_1,\dots,x_k) = \left\lfloor A\prod_{i =1}^k S_i^{x_i}\right\rceil_p,$$

where $A \in \mathbb{Z}_q^{m\times n}$ and each $S_i \in \mathbb{Z}_q^{n\times n}$.

I had some q ...

Score: 0
Are there circuits that operate on plaintext, analogous to how FHE works?

Fully Homomorphic Encryption lets us operate over encrypted data. Is there something analogous that lets us operate over plaintexts directly, without knowing the circuit?

For example, let's say that I store AES of the user's password, and I want to be able to change the user's password to password +1 at my will without interacting with him. The user would be able to send me a circuit that decrypts the AE ...

Score: 0
UC model, ideal functionalities -- interactions and optional inputs

I have two questions regarding ideal functionalities in the UC model.

First, is whether the functionality can ask a party for an input (the party doesn't need to be corrupted). Assume a functionality $F$ is called on input $x$ by a party $P$. Could $F$ ask party $P'$ to provide additional input $x'$? (whether $F$ asks $P'$ or not may depend on $F$'s state and $x$).

Second, could a functionality call take va ...

Score: 0
ECDHE without initial handshake

Is it possible to do a key agreement with ECDH ephemeral-ephemeral without requiring an initial handshake first?

Is it possible to have the key agreement in the same message as the encrypted data with ECDHE?

I know this is possible with ECDH ephemeral-static but that does not have perfect forward secrecy. And with ephemeral-static you need to have a secure way to store the static private key.

Score: 3
Peter Morris
Would this be considered a secure password hash?

I think I've understood properly, but I want to make sure as this will involve money.

  1. Password requirement is a minimum of 16 characters and must contain one of each [Upper, Lower, Digit, Other]
  2. My salt is Crypto RNG generated 64 bytes
  3. I convert salt to Base64 (without the trailing ==)
  4. I then get the UTF8 bytes of concatenating (SaltString + Password)
  5. I then SHA512 those bytes in a loop 100k times

Score: 0
Can a security parameter be used in a function that combines pseudorandom generators?

I am really stuck with the following question:

$G: \{0,1\}^\lambda \to \{0,1\}^{2\lambda}$ is a secure pseudorandom generator, and $\lambda$ is a security parameter.

Is the following a secure pseudorandom generator? $$G'(s_1,s_2) = (s_1 \oplus 1^\lambda, G(s_1))$$

What confuses me about this is the use of the security parameter in the $G'$ function. Can the security parameter be used in this way? I ...

Score: 0
J. Doe
Given a series $g^n \mod P$. Can consecutive members be assigned to a unique value which if given the next and previous unique value can be computed

Given a safe prime $P$ and a generator $g$ which generates all values from $1$ to $P-1$ with $$g^n \mod P$$

1.) Is there now a function $f$ which assigns a unique value to a range of members

$$f(g^{i-a_i},...,g^{i+b_i}) = f(g^i) = v_{ia_ib_i}$$

2.) Given such a unique value $v_{ia_ib_i}$ the offset to the next $g^{q_i}$ and previous $g^{-q'_i}$ can be computed/approximated in a quite fast time (hours)

Score: 12
Hash paradox in an image file that contain hash text?

Is it possible to include a hash digest visibly in an image, such that the hash of the image itself is that same digest?

When we draw the text of the hash in the image, we will of course change the hash of the image at the same time, because as we know, small changes to the input of a hash function produce significant changes in the output.

I am also aware that hash functions are irreversible.

I thought ...

Score: 2
phantomcraft
Is multiple encryption using a block cipher mode of operation that uses only encryption processes vulnerable to Meet-in-the-middle attacks?

Some block cipher modes of operation use only encryption processes, such as CFB, OFB and CTR.

If doing multiple encryptions using them, will these encipherment schemes be vulnerable to Meet-in-the-middle attacks?

I'm asking this because there is no decryption process in these modes, so I can't imagine a Meet-in-the-middle happening, because an inverse process (decryption) is needed.

Score: 1
Using Chaskey as a stream cipher

Chaskey (https://eprint.iacr.org/2014/386.pdf) is a secure, compact and efficient MAC for embedded systems and has won many benchmarks. It is built using an Even-Mansour block cipher. This block cipher XORs a plaintext with a key, applies a public permutation function, then XORs the result with the same key to create the ciphertext. The paper unfortunately only discusses the MAC use case, and not t ...
