Latest Crypto related questions

Score: 0
Witness Recovery in SPDZ Offline Phase

I am currently reading SPDZ: https://eprint.iacr.org/2011/535.pdf. The MPC protocol uses an encryption scheme $\operatorname{Enc}_{\operatorname{pk}}(x,r)$ based on Brakerski, V. Vaikuntanathan (Gentry) (e.g. https://link.springer.com/chapter/10.1007/978-3-642-22792-9_29) in the offline phase. Here $\operatorname{pk}$ is the public key, $x$ the message, $r$ the randomness used in the encryption. I ...

Score: 1
Sam Jaques
Reducing a lattice basis with too many basis vectors

Suppose I have a basis $B$ of an $n$-dimensional lattice $L\subseteq\mathbb{Z}^n$ and $B$ has $n$ vectors. Now I take another $v\in \mathbb{Z}^n\setminus L$ and I define a new lattice $L'=L+\mathbb{Z}v$. The set of vectors $B':=B\cup\{v\}$ generates $L'$, but since $L'$ is $n$-dimensional, its rank is at most $n$, so $B'$ is too big. So there must be some other basis that generates $L'$. How do we ...

Score: 0
fadedbee
AES256-GCM: Is it safe to both add the IV to the AAD and use it in the encryption?

I'm looking at a protocol which adds the IV (used for the encryption) into the AAD.

If the IV (which is part of the message) was incorrect, decryption would fail anyway.

Why is it useful to add the IV to AES256-GCM's AAD?

Is it actively harmful?

Score: 1
How does this code calculating AES S-Box work?

How does this code calculating the AES S-Box work? I don't understand the overall calculation procedure. Code is attached below:

function generate(irreducible_poly){
    try{
        p = parseInt(eval(irreducible_poly.replace(/x/g, '10')), 2);
    } catch(err){
        console.log('Irreducible Polynomial invalid');
        return;
    }

    let t = new Uint32Array(256);
    for (let i = 0, x = 1; ...

Score: 2
phantomcraft
Does keeping IV secret increase security of CTR mode?

Let's suppose I encrypt something with CTR mode and keep the key and IV secret.

Does keeping the IV secret together with the key increase strength of encryption?

Score: 0
Foobar
Why are there different versions of the Pohlig-Hellman attack?

I think I have an understanding of the Pohlig-Hellman attack on elliptic curves. From page 31 of Pairings for Beginners:

  • Find the group order $\#E(\mathbb{F}_q)$, call it $n$, and factor it. Example: $966 = 2 \cdot 3 \cdot 7 \cdot 23$
  • For each prime factor $p_i$, above: multiply the generator $P$ and target point (not sure what the term is), $Q$, by $n/p_i$ (the cofactor)
    • This particular exampl ...

Score: 0
Breaking RSA with knowledge of the secret key $(n, d)$

I am following the discussion in Koblitz in the second paragraph in the RSA section (page 94 in my edition). The goal is to show that knowledge of an integer $d$ such that $$m^{ed}\equiv m \mod n$$ for all $m$ with $(m,n)=1$ breaks RSA. The problem is that I'm no mathematician and I need some help to untangle myself at various points.

He first states that this is equivalent to $k=ed-1$ being a mult ...

Score: 0
Billy
What curves can be used with what algorithms?

I've been trying to improve my understanding of elliptic-curve cryptography; I'm currently trying to understand the extent to which curves are interchangeable.

Examples of curves: P-256, Curve25519
Examples of algorithms: ECDH, ECDSA, EdDSA

Of the curves I listed, I've read that both are used with ECDH, but I've only read of P-256 being used with ECDSA and Curve25519 being used with EdDSA. Why can both c ...

Score: 1
Proving to a 3rd party an email received in [email protected] was truly sent from [email protected]

Example:

  1. I send an email from [email protected] to [email protected]
  2. Using only the email I received in [email protected], I'd like to prove to a 3rd party that I also own [email protected]

Edit: assume I don't own either domain1 or domain2, I just have email addresses in both (gmail and hotmail, for example)

Are there established ways to achieve this?

Score: 9
kelalaka
Who is the inventor of the OFB block cipher mode of operation?

Handbook of Applied Cryptography gives two resources for the OFB mode

  1. 1980 FIPS 81. This doesn't give any references, unlike NIST.
  2. 1983 ANSI X3.106, unfortunately pay-walled.

Who is the inventor of the OFB mode of operation?

Score: 0
Sohail
Why is this code working

I was doing some introductory challenges at CryptoHack, and one of the challenges, more precisely Favourite Byte, was XOR with a single byte.

I did my solution by XORing the given string with a single key, iterating over 256 integers till I found something that looks like "flag".

Then I looked for submitted solutions and one of the solutions was:

input_str = bytes.fromhex('73626960647f6b206821204f21254f7d69 ...

Score: 1
Trimming uniformly random input for elliptic curve private keys

Imagine there is 256-bit uniform input from CSPRNG. Suppose there is a curve like secp256r1 whose curve order is slightly less than 256 bits.

We cannot just mod(input, curve_order) because it will introduce modulo bias. What if we trim 256 bits to 255 bits which is less than curve order? Then all values within 255 bits will have an equal chance of appearance.

ed25519 seems to do exactly that, with their ...

Score: 1
Ruthie
Is it possible to decrypt my message if I encrypt it twice using different keys each time?

Suppose I want to encrypt $mssg$ using One-Time-Pad, and I want the $mssg$ to be encrypted twice.

Once with $k_1$ and second with $k_2$

Is it still possible to detect my $mssg$?

let's say:

  • $c_1 = mssg \oplus k_1$
  • $c_2 = mssg \oplus k_2$

$c_1 \oplus c_2 = k_1 \oplus k_2$

Score: 1
zkSNARKS: If we are already using Homomorphic Encryption/Hiding, why is the shift by $\delta$ required for Zero Knowledge?

I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

From Section 3.5

Because the verifier can extract knowledge about the unknown polynomial $p(x)$ only from the data sent by the prover, let us consider those provided values (the proof): $g^p$, $g^{p'}$, $g^h$. They participate in the following checks:

$g^p = (g^{h})^{t(s)}$ (poly ...

Score: 3
John Pham
Elliptic Curve how to calculate y value

I have been reading the book Mastering Bitcoin written by Andreas. It was the process of compressing public keys that hurt my mind. Specifically, a public key after being generated from a private key fundamentally comprises the resulting coordinates x and y.

The book said that since the y value can be obtained from x via the function $$y^2\bmod p=(x^3 + 7)\bmod p$$ we can reduce the size by just storin ...
