Latest Crypto related questions

Score: 0
Katoptriss
Help breaking ECDSA with biased nonces

I am currently trying to do cryptopals challenge 62, breaking ECDSA with biased nonces, with the help of these two links (1 2) that accurately describe the attack. However, after around 15 hours, I still can't get it working, and I have absolutely no clue where I made a mistake.

Here is how I did it (using Python 3.6): First, to generate the signatures with faulty nonces (I took the same model as ...

Score: 2
ischenko
Hash verification by key

I want to implement the following algorithm, but don't know what tools to use.

D - data

  1. I generate some universal value for D - Y
  2. I generate some random key - K, get a hash of D by this key - H
  3. I want to be able to have a function - F: F(Y, K, H) = true if H is correct and false otherwise.

The main goal: to prove the validity of hash of data by some key using only some piece of original data.

U ...

Score: 0
kabibe sadagat
Is CBC mode of encryption still safe as long as it's not used to send messages over a network?

I'm still reading about the padding oracle attack and side-channel attacks that can be performed to decrypt ciphertext encrypted with CBC, though it's still not clear to me.

But based on my little knowledge and understanding, all of these attacks can only be performed over the internet, right?

Let's say I created a program that encrypts files on my computer/local drive and I used the CBC mode of encryption t ...
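As an added example (my code, not the asker's): a padding-oracle attack run entirely in one process against a local CBC decrypt routine, with no network anywhere. The oracle is just "did the padding check pass?", which is exactly what a file-decryption tool leaks when it reports a padding error differently from a success. The block cipher here is a constructed toy (a 4-round Feistel network with an HMAC-SHA256 round function) so the example runs with the standard library only; the attack never looks inside the cipher. All function names, the key, IV and plaintext are my own constructions.

```python
# Added example, not code from the post above: a CBC padding-oracle attack run entirely
# in-process against a local decrypt routine. The block cipher is a constructed toy (a
# 4-round Feistel network with an HMAC-SHA256 round function) so that this runs with the
# standard library only; the attack never looks inside the cipher, only at the padding check.
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):                 # toy round function: 8 bytes of HMAC-SHA256
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key, blk):
    L, R = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        L, R = R, _xor(L, _f(key, rnd, R))
    return L + R

def toy_decrypt_block(key, blk):
    L, R = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        L, R = _xor(R, _f(key, rnd, L)), L
    return L + R

def pad(b):                             # PKCS#7
    n = BLOCK - len(b) % BLOCK
    return b + bytes([n]) * n

def unpad(b):
    n = b[-1]
    if not 1 <= n <= BLOCK or b[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return b[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def attack_block(oracle, prev, blk):
    """Recover D_k(blk) byte by byte from the oracle's yes/no answers, then XOR with prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv  # force the already-known bytes to the new pad value
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), blk):
                continue
            if pos == BLOCK - 1:        # rule out a \x02\x02 (etc.) false positive
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), blk)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a padding")
    return _xor(inter, prev)

def attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))

def demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)       # constructed: a local file-encryption key
    pt = b"attack at dawn; no network involved"
    ct = cbc_encrypt(key, iv, pad(pt))
    calls = [0]
    def oracle(iv_, ct_):               # the only question the attacker gets to ask
        calls[0] += 1
        try:
            unpad(cbc_decrypt(key, iv_, ct_))
            return True
        except ValueError:
            return False
    return unpad(attack(oracle, iv, ct)) == pt, calls[0]
```

The attacker never touches the key; it only needs to submit chosen ciphertexts to something that decrypts and reveals whether the padding was valid (an error message, an exit code, a timing difference). Whether that something is a web server or a local program makes no difference to the attack, only to who can reach the oracle. Authenticating the ciphertext (e.g. with an HMAC checked before decryption, or an AEAD mode) removes the oracle.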

Score: 0
EC implementation on Edwards curves: what modulo is used in the implementation?

I'm trying to implement EC scalar multiplication in the fastest way possible (but still with a good curve) on a GPU.
I'm specifically looking to implement it based on https://github.com/Chair-for-Security-Engineering/ecmongpu and trying to use other curves like Curve25519 (or Edwards25519, I believe it's a representation difference).
I noticed all calculations on x and y coordinates are done modulo s ...

Score: 0
CoderApprentice
Possible to directly calculate the Recovery ID from a msg, signature and public key in ECDSA/secp256k1?

Problem

Let's say I receive a signature $(r,s)$, the corresponding public key and the message that was signed. I don't have access to the private key. I need to know what the recid (Recovery ID) is that corresponds to the public key. One thing I can do is recover the public key from the signature using a multitude of libraries and trying all the possible recid values (0 or 1, very rarely 2 or 3).  ...
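As an added example covering both the biased-nonce question at the top of this list and this recovery-id question (my code, not the askers' and not a cryptopals solution; every function name below is my own): a pure-Python secp256k1 ECDSA implementation. It shows, first, that the recovery id can be computed directly, because $R = kG = s^{-1}(hG + rQ)$ follows from $s = k^{-1}(h + rd)$ and $Q = dG$, so with the public key in hand you compute $R$ and read off the parity of $R_y$ and whether $R_x$ overflowed $n$. Second, it recovers the private key from two signatures whose nonces are below $2^{64}$ via a 3-dimensional lattice and a textbook LLL; this is a deliberately exaggerated form of the bias in the challenge (top bits zero rather than a few low bits zero) chosen so that two signatures suffice. The seed, messages and nonce bound are constructed demo data.

```python
# Added example (my code, not the askers'): pure-Python secp256k1 ECDSA used for two things:
# (a) recovering the private key from two signatures whose nonces are below 2^64, a
#     simplified instance of the biased-nonce lattice attack (textbook LLL, 3x3 lattice);
# (b) computing the recovery id directly from (r, s), the message hash and the public key.
# Needs Python 3.8+ for pow(x, -1, m). Demo only: nothing here is constant time.
from fractions import Fraction
import hashlib
import random

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):                       # affine group law; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Pt):                      # double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, Pt)
        Pt, k = ec_add(Pt, Pt), k >> 1
    return R

def sign(d, h, k):                      # plain ECDSA with a caller-supplied nonce k
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def recid(r, s, h, Q):
    """Recovery id without trial recovery: R = kG = s^-1 (hG + rQ), because s = k^-1 (h + r d)."""
    si = pow(s, -1, N)
    R = ec_add(ec_mul(si * h % N, G), ec_mul(si * r % N, Q))
    return (R[1] & 1) | (2 if R[0] >= N else 0)

def recover(r, s, h, rid):              # the usual trial recovery, here only to cross-check recid()
    x = r + (N if rid & 2 else 0)
    y = pow(x ** 3 + 7, (P + 1) // 4, P)           # sqrt, valid since P = 3 (mod 4)
    if (y & 1) != (rid & 1): y = P - y
    ri = pow(r, -1, N)
    return ec_add(ec_mul(ri * s % N, (x, y)), ec_mul(-ri * h % N, G))

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over exact rationals; fine for the 3x3 lattice used below."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    def gso():                          # Gram-Schmidt vectors Bs and coefficients mu
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    Bs, mu = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b_k
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                Bs, mu = gso()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                      # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def small_nonce_attack(sig1, sig2, bits, Q):
    """Eliminating d gives k2 = A*k1 + B (mod N); (k2, k1, 2^bits) is then a short lattice vector."""
    (r1, s1, h1), (r2, s2, h2) = sig1, sig2
    r1i, s2i = pow(r1, -1, N), pow(s2, -1, N)
    A = s2i * s1 * r2 * r1i % N
    B = s2i * (h2 - r2 * r1i * h1) % N
    K = 1 << bits
    for row in lll([[N, 0, 0], [A, 1, 0], [B, 0, K]]):
        if abs(row[2]) == K:            # candidate is +/- (k2, k1, K)
            k1 = row[1] if row[2] == K else -row[1]
            d = r1i * (s1 * k1 - h1) % N
            if ec_mul(d, G) == Q: return d
    return None

def demo(seed=1, bits=64):
    rng = random.Random(seed)           # constructed demo key and nonces, not real material
    d = rng.randrange(1, N); Q = ec_mul(d, G)
    sigs = []
    for m in (b"first message", b"second message"):
        h = int.from_bytes(hashlib.sha256(m).digest(), "big") % N
        k = rng.randrange(1, 1 << bits)   # the bias: only `bits` of the 256 nonce bits are used
        sigs.append(sign(d, h, k) + (h,))
    r, s, h = sigs[0]
    rid = recid(r, s, h, Q)
    return small_nonce_attack(sigs[0], sigs[1], bits, Q) == d, recover(r, s, h, rid) == Q
```

Two caveats. The recovery id computed this way belongs to the $(r, s)$ you were given: negating $s$ (low-s normalisation) negates $R$ and flips the parity bit, so compute it from the $s$ that will actually be verified. And for the challenge's real setting, a few zero low bits in many nonces, the relation is first multiplied by the inverse of $2^8$ mod $N$ so the small part moves to the top, and more signatures mean a larger lattice of the same shape; the 3x3 case above is the smallest instance of the same idea.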

Score: 0
Ruthie
Is it possible to break the encryption on a password by this encryption?

I wonder if it is possible to break the encryption on a password by such encryption:

[image: the encryption scheme]

Where E is the encryption function that uses a known public key of the server.

Score: 1
fho
Hiding/Obscuring position information in a board game (Part 2)

This is basically a follow-up question to Hiding/Obscuring position information in a board game, which technically answered the question but raised some well-deserved critique.

To quickly summarize the question: Consider a board game with a rectangular 10x10 grid; the player has a position $(p_x, p_y)$ and a physical token on this grid. Additionally one or more AI opponents roam the board but have  ...

Score: 1
Benny
Can Fixed Diffie-Hellman be attacked?

Recently I've been studying the Diffie-Hellman key exchange protocol and I've noticed that basic Diffie-Hellman can be attacked by a man-in-the-middle attack. I've also read about Fixed Diffie-Hellman, which uses CAs (Certificate Authorities) to prevent MITM attacks.

I'm wondering if there are serious vulnerabilities related to Fixed Diffie-Hellman and, if there are, which attacks are used against the ...

Score: 1
Andy
Is it reasonable to use DRBG and PBKDF together?

I want to generate a random number using a DRBG with the flow below: Entropy source -> DRBG -> PBKDF

Is adding PBKDF redundant?

Score: 0
While Such Algorithm Option Is Possible, How Can Vernam Be The Only Unbreakable Cryptography?

Suppose Alice and Bob choose a number face to face. Let's call it "97"

Alice's original message is "Where did you study?"

Suppose we have an artificial intelligence. Let this artificial intelligence produce 1000 meaningful messages

1. Message: "You were so good at school"
2. Message: "My uncle came to us. I told my uncle about you"
3. Message: "Has your illness passed? Are you better?"
...
97. Message: ...

Score: 1
Solving a system of linear equations over the binary field with errors

I have a system of linear equations $f_1, \ldots, f_m$ over binary variables $x_1,\ldots,x_n$ where $m$ is much larger than $n$. We know that if all equations are correct, we can find the solution easily using Gaussian elimination. Among those $m$ equations, 90% of the equations are correct. For the remaining 10%, the constant terms are altered. So if the actual constant term is 0, it is given as 1, etc. Can we solve the system ...
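As an added example (my code, not the asker's): one practical approach when only the constant terms are corrupted and $m \gg n$ is to sample $n$ equations at random, solve that subsystem exactly with Gaussian elimination over GF(2), and accept the result only if it satisfies far more of the full system than a wrong vector would (a wrong $x$ agrees with about half of random equations, the true one with about 90%). A sample succeeds when all $n$ chosen equations are uncorrupted and independent, which happens with probability roughly $0.9^n$, so this only scales to moderate $n$; it is the simplest form of information-set decoding, and the general problem is LPN. The instance below (20 variables, 400 equations, 10% flipped constants) is constructed data and all names are mine.

```python
# Added example, not code from the post above: a "try random subsets" decoder for a
# GF(2) linear system in which roughly 10% of the constant terms have been flipped.
# Pick n equations at random, solve them exactly, and keep the solution only if it
# agrees with far more of the full system than a wrong vector could (~50%).
import random

def parity(v):
    return bin(v).count("1") & 1

def solve_gf2(eqs, n):
    """Exact Gaussian elimination. eqs: list of (coefficient_bits, rhs). None if rank < n."""
    piv = {}                            # pivot bit -> (mask, rhs), kept in reduced echelon form
    for mask, rhs in eqs:
        for b, (pm, pr) in piv.items():
            if (mask >> b) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            continue                    # dependent on earlier rows (consistent or noisy)
        b = mask.bit_length() - 1
        for ob, (om, orhs) in list(piv.items()):
            if (om >> b) & 1:
                piv[ob] = (om ^ mask, orhs ^ rhs)
        piv[b] = (mask, rhs)
    if len(piv) < n:
        return None
    return sum(pr << b for b, (pm, pr) in piv.items())

def agreement(eqs, x):
    """Fraction of equations satisfied by x; ~0.9 for the planted secret, ~0.5 otherwise."""
    return sum(1 for m, r in eqs if parity(m & x) == r) / len(eqs)

def solve_noisy(eqs, n, rng, trials=500, threshold=0.8):
    """Information-set-style decoding: succeeds once one sample is all-correct and full rank."""
    for _ in range(trials):
        x = solve_gf2(rng.sample(eqs, n), n)
        if x is not None and agreement(eqs, x) >= threshold:
            return x
    return None

def make_instance(n, m, noise, rng):
    """Constructed instance: random secret, random equations, a `noise` fraction of rhs flipped."""
    secret = rng.getrandbits(n)
    eqs = []
    for _ in range(m):
        mask = rng.getrandbits(n)
        rhs = parity(mask & secret) ^ (1 if rng.random() < noise else 0)
        eqs.append((mask, rhs))
    return secret, eqs

def demo(seed=7, n=20, m=400, noise=0.10):
    rng = random.Random(seed)           # fixed seed so the run is reproducible
    secret, eqs = make_instance(n, m, noise, rng)
    return solve_noisy(eqs, n, rng) == secret, agreement(eqs, secret)
```

With $n = 20$ a random sample is clean with probability about $0.9^{20} \approx 0.12$ and full rank about a third of the time, so a few hundred trials are plenty; for large $n$ the same idea needs the smarter information-set decoders or BKW-style algorithms from the LPN literature.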

Score: 0
Chito Miranda
Perp notation question

What does the symbol $\perp$ mean? I saw this on a paper where some entity outputs $\perp$.

Score: 1
Simon
Why is the output size exactly half the capacity for SHA-3?

For the SHA-3 family of hash functions, the output size $d$ is always chosen as $d=c/2$, i.e. exactly half the capacity. What is the rationale for this?

Naively, I think that $d=c$ would make more sense because

  • The collision resistance seems to be $\min(d/2, c/2)$ and
  • The pre-image strength seems to be $\min(d, c)$.

So choosing $d=c$ would make attacks on the capacity equivalent to attacks on the ...

Score: 1
a196884
RLWE with invertible elements

Let $R = \mathcal{O}_K$ be the ring of integers of $K$, where $K$ is an algebraic number field, and $q$ a modulus. Let $\chi$ be some error distribution used to sample an element $e$. A primal RLWE sample has the form $(a,a\cdot s+e)\in R_q\times R_q$. The variant which takes $a$ to be invertible has been used (e.g. here) and the variant which takes $s$ to be invertible has also been used (e.g.
