Latest Crypto-related questions

Score: 0
Chris Liaw
AES Ciphertext as key to another AES operation

I have this requirement to 'derive' a session key from an AES key that is stored inside an HSM. I don't want to mention which HSM, since what I intended to do is to make the system HSM-neutral.

The initial idea is to use any of the existing KDF algorithms, but since the AES key is in hardware, the KDF is only possible if the HSM supports it. But again, I don't want to tie down to a particular HSM.

Therefore the id ...

Score: 1
Melab
Is it undesirable for authentication to require decrypting a ciphertext?

A couple years ago, I devised some primitives for block ciphers and block cipher modes of operation; I was partly inspired by CAESAR. What these designs all had in common is that the encryption/decryption process would produce a bit string $T_i$ for each block and all of these bit strings would be combined together to make the authentication tag $T$.

Today I remembered some of the reasons why encrypt-the ...

Score: 0
Erik Aronesty
Well-known public key with non-interactive deniable encryption

Alice wants to send Bob a message. Both have well known public/private EC keys (PA, b, PB, b). Both have well known public keys tied to an identity.

Alice computes a shared secret with Bob (PBa), and uses the x coordinate to tweak her private key, creating a new public/private keypair (PAx, ax).

Alice computes a shared secret between ax and PB, and encrypts a message for Bob this way (using ECIES, ...

Score: 1
Walker
Which Rust library is recommended if I would like to implement PLONK?

I think it should have APIs for polynomials, FFT and bilinear mapping if KZG commitment scheme is used.

Score: 1
Judge Rhadamanthus
Does CCA security imply perfect secrecy?

Can any encryption scheme that is CCA (Chosen Ciphertext Attack) secure be considered to achieve perfect secrecy?

Score: 0
js wang
About learning with error rings with only constant coefficient

I am new to RLWE and would like to ask whether what I am thinking makes sense.
Suppose I have a message, e.g. x = 5,
and I have a lattice-based encryption scheme, e.g. BGV.
Could I encrypt x with BGV by treating x as a polynomial ring with constant coefficient = 5 and all other coefficients = 0?
Thanks

Score: 0
Turbo
PKC (non Diffie-Hellman) from Graph Isomorphism

A Diffie-Hellman-style approach is proposed in https://mathoverflow.net/questions/408757/diffie-hellman-cryptography-based-on-graph-isomorphism but is broken easily.

Two graphs are isomorphic iff their adjacency matrices can be permuted into each other. GI has only quasipolynomial algorithms.

I wonder if there is a toy scheme (I know GI is not known to be average case secure) to illustrate with PK and SK ...

Score: -2
Turbo
What is the critical importance of SHA and other hash families?

Assume integer factoring and discrete log are classically safe and LWE, McEliece etc. are quantum safe. This question is only about SHA and hash families in general: why do we need them if we have PKC primitives?

  1. What role does SHA256 or other hash families play? Why are they needed when we have LWE, McEliece etc?

  2. What happens if only SHA2 family including SHA256 is broken? Will we still have online finance ...

Score: 0
user1936752
Does quantum-sourced randomness allow a potential random oracle instantiation?

My question is essentially the same as this one.

The random oracle is a black box that does two things.

  1. Maintain a lookup table for any query that has already been asked.
  2. For all new queries, toss a bunch of coins to obtain a sufficiently long uniformly random bitstring.

As far as I can tell, 1. sounds straightforward. For 2., why not use randomness from a quantum measurement outcome to achieve the coi ...

Score: 0
tesoke
Verification in Bulletproof commitment scheme

I am reviewing the ZKP course presented by the University of Berkeley (https://zk-learning.org/). On page 44 of lecture 6, which is attached below (https://zk-learning.org/assets/lecture6.pdf), the instructor explains the poly-commitment based on the Bulletproofs scheme.

I am a little confused about why the verifier computes com', g', and v' when it just checks v = v_L + v_R u^(d/2). Does the verifier need com' and ...

Score: 0
KRWTS
Utility Guarantee of Small Data Base Mechanism in Differential Privacy

I am reading Section 4.1 (An offline algorithm: SmallDB) of The Algorithmic Foundations of Differential Privacy by Dwork and Roth. I am stuck at the proof of Proposition 4.4, which is about the utility guarantee of the small database mechanism (Algorithm 4 in page 70).

Proposition 4.4. Let $\mathcal{Q}$ be any class of linear queries. Let $y$ be the database output by SmallDB($x,\mathcal{Q},\epsilon,\ ...

Score: 0
morro
Ephemeral anonymous identities that can be slashed once forever with a single nullifier

Consider a ZKP anonymous credential scheme where each tuple of (x, identity_secret, merkle_root) corresponds to a unique nullifier computed as Hash(x|identity_secret). The prover can use this tuple repeatedly along with proving other statements.

x is designated on a per-session/app basis. And for a specific triple, a user can be blacklisted with the nullifier, and can not generate any new proofs w ...

Score: 0
LUN
How can I force the openssl "s_client" utility to generate predefined random bytes in its ClientHello?

I'm testing my server application (TLS 1.3) using the s_client program from the openssl library, and I need to force s_client to generate my "random" values in its ClientHello. Could you tell me how I can do it using command-line options, i.e. where I should point it to the random sequence to be generated?

Score: 1
WINTERSDORFF Raphael
Are modes like CBC, OFB, CFB subject to chosen plaintext attacks?

I haven't found much info on the internet about the weakness of modes to chosen plaintext attacks, but from what I understand of them, there seem to be some trivial attacks, so I'm a bit confused. For example, let's encrypt 2 blocks of plaintext with value 0 with CBC:

$C_0 = E_k(P_0 + IV) = E_k(IV)$

$C_1 = E_k(P_1 + C_0) = E_k(E_k(IV))$

But then we have a double encryption of IV, which should be subject to a Meet-in-the-Middle ...

Score: 0
Turbo
Is $0/1$ error ok in LWE?

Can the error in LWE or ring-LWE schemes be from $\{0,1\}$? If not, why, and what is the best attack in this case?

Score: 0
Mohammadsadeq Borjiyan
AES S-Box design goal

The first layer of each AES round is the Byte Substitution layer. It is the only nonlinear element of AES. What would happen if this layer were not in the path? And would the lack of it create a problem for the design goals?

Score: 2
Ngo Chú
Good entropy from entropy test (90B) but still fail NIST800-22

I designed my TRNG on an FPGA. My TRNG has good entropy performance, with a value of 0.99x over several test runs. But for NIST800-22, over several runs, sometimes my sequence passes all the tests and sometimes it fails one or two tests (my sequence length is 100,000,000 and the number of runs for each test is 100). I checked the failed sequence results; mostly my sequence failed at Nono ...

Score: 1
Turbo
Challenges like RSA factoring challenge

RSA factoring challenge is a famous one and is still not completely solved.

Are there similar challenges for

  1. Discrete log over $\mathbb Z_p^*$?
  2. Discrete log over Elliptic curves?
  3. LWE?
  4. LPN?

Score: 1
faust
How do big Galois groups yield better security in NTRU Prime?

I'm still kinda new to Galois theory so I apologize if this question is very obvious to some people.

Basically I'm reading this paper by the NTRU Prime team, and in section 2.5 it explains how cyclotomic fields should be replaced with prime-degree fields with a "big Galois group", namely because of how structures within cyclotomic fields (e.g. subfields and automorphisms) can potentially lead to an a ...

Score: 0
Hern
Academic papers for the pros and cons of password-based systems and digital signatures with challenge-and-response systems

I don't really know what should be the correct title for this and the community can correct it after reading.

I was the author of PKDSA (Searchable on github).

I had the idea to do it because I feel like shifting from a password-based scheme to challenge-and-response with digital signatures as much as possible might be good in the long run.

I would like to ask for help from the community in providing un ...

Score: 0
bhuff36
Is it safe to reuse the public key in NTRUEncrypt?

Looking at https://github.com/tbuktu/libntru/blob/master/src/ntru.h, there are some functions that deal with having multiple public keys with the same private key. I don't believe I need such functionality but it makes me suspect that it might be required. Basically, I want to know if it is OK to reuse the same keypair in NTRUEncrypt for a number of different key exchange operations.

Score: 1
d186
Getting wrong RSA private exponent (d) for this particular test vector from NIST CAVP

In 186-2rsatestvectors.zip/SigVerRSA.rsp

n = bb5784794f27bfab90a19bcc20bb10ac3d1d432d90651dace6235e34560abd733a0c3b693ea3802707c0e22e81603a6e2b82812a0027ece2d974a5a5190df89d636f7ab200849065fe412fe85e41aceb0d68b10cdd07e42ea16184c974f58c10c560aa444f64b41e932ab25355648b510b1feedca780cfb68f11ac9fc98ab15b

p = bda227ead8dc178121176abe07d036b3615a14e2badf195deba2082bf086c5eef4d40dc3ae3b57827359e90564fe4b ...

Score: 1
joemelsha
State recovery algorithm for Xorshift128 given modular outputs

I am researching the Xorshift128 PRNG. I am particularly interested in recovering the state given a set of outputs that have the remainder taken with different values.

A common way to take an unsigned 32-bit output from Xorshift128 and produce a value in the range 0 <= n < 50 is to take the remainder of the output divided by 50.

Say I have been given 25 consecutive outputs which have modulos in the ra ...

Score: 1
Kevin Stefanov
Rabin-Miller Primality Test - Elaboration needed

In short, my question is:

What exactly do people mean when they say that "The more you apply the Rabin-Miller test to a number, the more certain you can be that the number you're testing is prime."?

To clarify what I'm asking, let's look at an example I was working through:

Testing if N = 78007 is prime or not (spoiler, it is).

Rabin-Miller procedure:

  1. Find N - 1 = 2^K * M

In this case, 78007 - 1 = 2 ...

Score: 0
RikiD
DES encryption Key from a passphrase

I have been given a DES encryption assignment. I was given the ciphertext, the plaintext and the "passphrase". The passphrase consists of a 4-byte hex string. I have studied several different tutorials on YouTube about the workings of DES, but I still can't seem to figure out the key. I have tried to add nulls between each character to create a 64-bit key and I have reversed the characte ...

Score: 10
Paul Uszak
Are one time pads still used, perhaps for military or diplomatic purposes?

The ME-600 key generator was developed in the early 1990s for generating truly random one time key streams. That's not exactly World War 1 or 2. I don't know how long it was used, or whether it still is.

Now with quantum computing on the horizon, people are looking at post-quantum cryptography. We also don't yet know the cryptographic dangers of artificial intelligence. (See "Silicon Valley" comedy

Score: 1
kodlu
Impact of New Secret Sharing Paper with $O(n)$ additions for recovery

I hope this question is not too speculative.

Applebaum, Nir and Pinkas have a new paper which has an $n$-party secret sharing scheme with:

  • reconstruction complexity of $O(n)$ additions
  • constant share size
  • sharing complexity of $O(n)$ additions
  • a black-box secret sharing construction

The Shamir scheme has complexity $n \log |F|$, where $F$ is the domain of the private key, which is the exponent of some group ...

Score: 0
How can I have a message signed by other shares of a private key without revealing it?

I am looking for guidance on implementing a protocol where a BLS private key is split into 2 out of 3 shares using Shamir's Secret Sharing, and signatures must be obtained without revealing the original message to the other parties.

Here's my current approach:

Alice has a BLS private key. She splits this private key into 3 shares, $s_a$, $s_b$, and $s_c$, using Shamir's Secret Sharing. Alice then send ...

Score: 0
Z123
Why is the Montgomery ladder algorithm safe against timing side-channel attacks?

I'm trying to understand the security of the Montgomery ladder algorithm in the context of timing side-channel attacks. I'm looking at the algorithm from Wikipedia.

While I know that the algorithm ensures a constant number of operations in each branch of the if statement, I'm unsure about its overall safety. The Montgomery ladder iterates over all bits of a secret scalar, which makes me question i ...

Score: 1
Gregory Khvatsky
Are RSA-KEM key exchange material ciphertexts indistinguishable from random noise?

First of all, I know that I should not be using RSA in 2023, and that I'm better off with Elligator2 + ECIES for a variety of reasons.

However, I am thinking about whether RSA-KEM can be used for PURB-like constructions with long lived public keys. For it to be viable, the RSA ciphertexts should not be distinguishable from random noise. I think that it can be formulated like this: given 2 sets of ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.