Latest Crypto related questions

Score: 0
phantomcraft
Is there a way of preventing a meet-in-the-middle attack when using double encryption?

Let's suppose I encrypt something with AES-256 two times using 2 different keys, wanting to achieve 512 bits of security. I know that this scheme will in fact give me only 257 bits of encryption strength due to the meet-in-the-middle attack.

Is there a lightweight method of preventing this without having to encrypt three times to achieve twice the strength of a single key?

I have been thinking on ad ...
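
Added example, not part of the question above: the meet-in-the-middle attack itself, run against a toy 16-bit block cipher with 12-bit keys so that the whole attack finishes instantly. The toy cipher, its key size, the fixed test keys and the helper names are this example's own assumptions; what carries over to 2xAES-256 is the structure of the attack: 2^k encryptions of a known plaintext into a table, then 2^k decryptions of its ciphertext looked up against that table, so double encryption costs roughly 2^(k+1) cipher evaluations and 2^k memory instead of the 2^(2k) the key length suggests.

```python
# Added example (not from the question): meet-in-the-middle against double
# encryption with a toy cipher.  Everything below is constructed for the demo.
import random

KEY_BITS = 12
BLOCK_MASK = 0xFFFF
_calls = 0  # counts single-cipher evaluations so the attack cost can be measured


def _rotl16(v, n):
    return ((v << n) | (v >> (16 - n))) & BLOCK_MASK


def _subkeys(k):
    # Toy key schedule: four 16-bit round keys derived from a 12-bit key.
    out = []
    for r in range(4):
        rk = (k ^ (r * 0x3A5)) & 0xFFF
        out.append(((rk << 4) | (rk >> 8)) & BLOCK_MASK)
    return out


def toy_encrypt(k, x):
    global _calls
    _calls += 1
    for sk in _subkeys(k):
        x = _rotl16(x ^ sk, 5)
        x = (x + sk) & BLOCK_MASK
    return x


def toy_decrypt(k, y):
    global _calls
    _calls += 1
    for sk in reversed(_subkeys(k)):
        y = (y - sk) & BLOCK_MASK
        y = _rotl16(y, 11) ^ sk  # rotl by 11 undoes rotl by 5 on 16 bits
    return y


def double_encrypt(k1, k2, x):
    return toy_encrypt(k2, toy_encrypt(k1, x))


def mitm_attack(pairs):
    """pairs: list of (plaintext, ciphertext) under the same (k1, k2).
    Returns every (k1, k2) consistent with all pairs."""
    p0, c0 = pairs[0]
    # Forward table: E_k1(p0) -> [k1]   (2^KEY_BITS encryptions, 2^KEY_BITS memory)
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward pass: D_k2(c0), look for a collision   (2^KEY_BITS decryptions)
    found = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            # A collision on one block is only a candidate; confirm on the others
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def demo():
    """Recover a fixed (k1, k2) from three known plaintext/ciphertext pairs.
    Returns (recovered key pairs, number of single-cipher evaluations used)."""
    global _calls
    rng = random.Random(2024)           # fixed seed: reproducible constructed inputs
    k1, k2 = 0x5A3, 0xC17               # the secret key pair the attack must find
    plaintexts = [rng.randrange(1 << 16) for _ in range(3)]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    _calls = 0
    keys = mitm_attack(pairs)
    return keys, _calls


if __name__ == "__main__":
    keys, cost = demo()
    print("recovered:", [(hex(a), hex(b)) for a, b in keys])
    print("cipher evaluations:", cost, "vs brute force:", 2 * (1 << (2 * KEY_BITS)))
```

The attack needs far fewer than 2^(2*12) = 2^24 evaluations: two passes of 2^12 plus a handful of confirmations. Scaling the same counting to two 256-bit keys gives the 2^257 figure from the question, with the 2^256-entry table being the practical obstacle rather than the time.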

Score: 1
knaccc
Why is SHA384 used in TLS cipher suites for AES_256_GCM instead of SHA256?

TLS cipher suites use SHA256 as the hash when using AES_128_GCM and CHACHA20_POLY1305, but SHA384 when using AES_256_GCM.

The TLS Cipher Suite Registry contains no cipher suites that use AES_256_GCM_SHA256 instead of AES_256_GCM_SHA384.

According to RFC 8446, this hash is "to be used with both the key derivation function and handshake message authentication code".

What could be the motivation for u ...

Score: 1
Use of custom DH parameters for TLS decryption

There are several ways to decrypt TLS, e.g. in an enterprise environment. I did not see the use of "backdoored" DH parameters mentioned anywhere, though according to my understanding it should work in principle: How does a non-prime modulus for Diffie-Hellman allow for a backdoor?

Would it be possible for a recent desktop CPU to decrypt traffic in (nearly) realtime? Does it depend on the ciphers o ...

Score: 6
Is it secure to do Shamir key split on a key in blocks and recombine?
mkl

Yesterday I made a PR to a Python crypto library to support key sizes larger than 16 bytes for the Shamir secret sharing scheme.

Currently it supports 16 bytes, as follows:

$$K = \{0, 1\}^{128}$$
$$S_{128}(m, n, K) = s_1, \ldots, s_n$$

To avoid changing the underlying function, and to support larger keys, I decided to split the key, run the function as many times as needed, and concatenate the shares. 32 byt ...
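
Added example, not the library code the question refers to: a block-wise Shamir split of the kind described, written out so the two properties that matter can be exercised. Each 16-byte block is shared with its own fresh random polynomial over the prime field GF(2^130 - 5), and share number x of the long key is the concatenation of the x-th share of every block. The field, the share encoding and the function names are this example's assumptions, as are the constructed keys.

```python
# Added example (not from the question or the library): block-wise Shamir
# secret sharing.  Field, encoding and names are constructed for the demo.
import secrets

P = (1 << 130) - 5   # prime; every 16-byte block is an integer < 2^128 < P
BLOCK = 16


def _eval_poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_block(secret_int, t, n):
    """Shares (x, y) of one block: any t recover it, t-1 reveal nothing."""
    coeffs = [secret_int] + [secrets.randbelow(P) for _ in range(t - 1)]  # fresh per block
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_block(shares):
    # Lagrange interpolation at x = 0
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key, t, n):
    """Split an arbitrary-length key block by block.  Share x of the key is
    (x, [y_block0, y_block1, ...]): every block of one share uses the SAME x."""
    blocks = [key[i:i + BLOCK] for i in range(0, len(key), BLOCK)]
    per_block = [split_block(int.from_bytes(b, "big"), t, n) for b in blocks]
    return [(x, [per_block[b][x - 1][1] for b in range(len(blocks))])
            for x in range(1, n + 1)]


def recover_key(shares, key_len):
    """Recombine block-wise.  Returns None if a recovered block does not fit
    its block size, which is the only (and weak, ~1 in 4 per wrong block)
    hint this scheme gives that mismatched shares were combined."""
    nblocks = (key_len + BLOCK - 1) // BLOCK
    out = b""
    for b in range(nblocks):
        size = min(BLOCK, key_len - b * BLOCK)
        val = recover_block([(x, ys[b]) for x, ys in shares])
        if val >> (8 * size):
            return None
        out += val.to_bytes(size, "big")
    return out


def demo():
    """Split a constructed 32-byte key 3-of-5, recover it from three shares,
    and show what happens when block shares with different x are mixed."""
    key = bytes(range(32))                       # constructed 256-bit key
    shares = split_key(key, t=3, n=5)
    ok = recover_key([shares[0], shares[2], shares[4]], len(key))
    (x1, y1), (x2, y2), (x3, y3) = shares[0], shares[1], shares[2]
    # Block 0 is consistent (share x with its own y), block 1 pairs each x with
    # another share's y: the interpolation for block 1 yields a random value.
    mixed = [(x1, [y1[0], y2[1]]), (x2, [y2[0], y3[1]]), (x3, [y3[0], y1[1]])]
    bad = recover_key(mixed, len(key))
    return key, ok, bad
```

Two points the block-wise construction rests on: the polynomial for each block is drawn independently, so t-1 shares of the whole key are t-1 shares of each block and leave every block uniformly distributed; and a share of the long key must keep one x for all its blocks, because shares are only combinable block by block at matching x. Nothing here authenticates shares, so a corrupted or mismatched share is usually not detected.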

Score: 3
SOSO30
Proper use of AES CTR

I've read that AES CTR is only safe if used properly. Therefore, I want to be sure that I use it properly.

  1. The initial vector (IV) can only be used once; it doesn't have to be random. Is it secure to use a counter for one part of the IV, while the other part is just some constant text? The counter is transmitted to everyone in clear text, while the sensitive part of the message is encrypted. Is it a problem t ...
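
Added example, not part of the question: CTR mode with a 16-byte counter block laid out two ways, (constant || per-message counter) in the bytes the block counter also increments, versus (constant || per-message counter) confined to the high 8 bytes with the block counter starting from zero in the low 8 bytes. The standard library has no AES, so the block cipher is replaced by an HMAC-SHA256 stand-in; that stand-in, the key, the messages and the function names are constructed for the demo. The layout lesson does not depend on the cipher.

```python
# Added example (not from the question): counter-block layout in CTR mode.
# HMAC-SHA256 stands in for the block cipher; inputs are constructed.
import hashlib
import hmac
import struct

_M128 = (1 << 128) - 1


def _block(key, counter_block):
    # Stand-in for AES_key(counter_block): 16 keystream bytes per counter value
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:16]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key, iv, data):
    """CTR: keystream block j uses counter block (iv + j) mod 2^128.
    Encryption and decryption are the same operation."""
    out = b""
    for j in range((len(data) + 15) // 16):
        cb = ((int.from_bytes(iv, "big") + j) & _M128).to_bytes(16, "big")
        out += _xor(data[16 * j:16 * j + 16], _block(key, cb))
    return out


def iv_counter_low(msg_ctr, const=b"APPv1\x00\x00\x00"):
    """Flawed layout: 8-byte constant, then the per-message counter in the
    low 8 bytes, the same bytes the block counter increments.  Message n's
    block j uses the same counter block as message n+1's block j-1."""
    return const + struct.pack(">Q", msg_ctr)


def iv_counter_high(msg_ctr, const=b"APP1"):
    """Sound layout: nonce = constant || 32-bit message counter in the high
    8 bytes, block counter starts at 0 in the low 8 bytes, so two messages
    never share a counter block (limits: 2^32 messages, 2^64 blocks each)."""
    return const + struct.pack(">I", msg_ctr) + bytes(8)


def keystream_overlap_leak(ct_a, ct_b, shift_blocks):
    """If ct_b's keystream equals ct_a's keystream shifted by shift_blocks,
    xoring the ciphertexts cancels the keystream and exposes P_a xor P_b."""
    return _xor(ct_a[16 * shift_blocks:], ct_b)


def demo():
    """Returns (leak under flawed layout, leak under sound layout, round trip)."""
    key = b"\x42" * 32                                   # constructed key
    p0, p1 = bytes(range(48)), bytes(range(100, 148))    # two 3-block messages
    expected = _xor(p0[16:], p1)                         # what a leak would reveal
    # Flawed layout, consecutive message counters 7 and 8
    c0 = ctr_crypt(key, iv_counter_low(7), p0)
    c1 = ctr_crypt(key, iv_counter_low(8), p1)
    leaks_bad = keystream_overlap_leak(c0, c1, 1) == expected
    # Sound layout, same message counters
    d0 = ctr_crypt(key, iv_counter_high(7), p0)
    d1 = ctr_crypt(key, iv_counter_high(8), p1)
    leaks_good = keystream_overlap_leak(d0, d1, 1) == expected
    roundtrip = ctr_crypt(key, iv_counter_high(7), d0) == p0
    return leaks_bad, leaks_good, roundtrip
```

With the counter in the low bytes, the streams of consecutive messages overlap from the second block on, and an observer who sees both ciphertexts reads off the XOR of the plaintexts without the key. Transmitting the message counter in clear is not itself the problem; reusing a counter block under one key is.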

Score: 1
How to find the extractor in the Knowledge-of-Exponent Assumption?

From Mihir Bellare's paper

Let $q$ be a prime such that $2q + 1$ is also prime, and let $g$ be a generator of the order-$q$ subgroup of $\mathbb{Z}^*_{2q+1}$. Suppose we are given input $q$, $g$, $g^a$ and want to output a pair $(C, Y)$ such that $Y = C^a$. One way to do this is to pick some $c \in \mathbb{Z}_q$, let $C = g^c$, and let $Y = (g^a)^c$. Intuitively, KEA1 can be viewed as saying that this is the "only" w ...

Score: 1
zkSNARKs: What prevents the prover from choosing a different polynomial than the one he is expected to know

I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

Here the prover knows a polynomial of degree 3; two of the solutions of the polynomial are 3 and 4. He has to prove to the verifier that he knows such a polynomial without revealing the 3rd solution to the verifier.

This is the polynomial they use as an example - $P(x) = x^3 - 7x^2 ...

Score: 1
RobbB
Is there a benefit to "double encryption" when it comes to attacks analyzing attempted decryption results?

This is a beginner's question related to general security, but it fits cryptography exchange because it's more specific to the action of cryptographic attacks and how they work.

Assume the following theoretical situation:

  1. I do not know how attacks of all types work programmatically. From the aspect of this question, assume theoretically (hypothetical quantum computing algorithm for example) there is  ...

Score: 0
Paprika
Extracting/learning info from fully homomorphic schemes

On the BFV fully homomorphic scheme, given a polynomial secret key, we can encrypt polynomial plaintexts and generate polynomial ciphertexts.

So, for example, if we have 2 ciphertexts, we can compare them with the less than function, which is 1 if the left polynomial coefficient is less than or equal to the right one, and 0 otherwise. HOWEVER, the result is also an encrypted polynomial, which whe ...

Score: 4
Hiding/Obscuring position information in a board game
fho

There has been a question on the BoardGameGeek forums that basically boils down to this:

  1. There is a player character on a regular rectangle map at position (px,py).
  2. There is one "AI" character that moves across this map according to some function or pattern (e.g. one field per turn (t), (ax,ay) = (ax0,ay0) + t * (vx,vy)).
  3. The player needs to determine if the two characters are within (L1/Manhattan) d ...

Score: 0
lklklklkllklklllllll
Extend a MAC scheme to be unforgeable against unbounded queries

For some prime $p$ we generate two keys $k_1, k_2 \leftarrow \mathbb{Z}_p^2$, where $\mathbb{Z}_p$ is a group and the message space of the MAC is also $\mathbb{Z}_p$. We generate a tag for message $m$ with the following function:

$\mathrm{MAC}_{k_1, k_2}(m) = k_1 + m \cdot k_2$.

The problem is to extend this construction to be existentially unforgeable under an unbounded number of queries.

It is easy to see that for any adversary, it is almos ...
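
Added example, not part of the question: the MAC exactly as written above, together with the two-query attack that solves the two linear equations for $(k_1, k_2)$ and then tags any message of the attacker's choice. This is the concrete reason the construction is only one-time secure. The prime, the sample messages and the function names are this example's assumptions.

```python
# Added example (not from the question): k1 + m*k2 mod p and its two-query break.
import secrets

P = (1 << 61) - 1   # a prime; keys and messages live in Z_p (size is an assumption)


def keygen():
    return secrets.randbelow(P), secrets.randbelow(P)


def mac(k1, k2, m):
    return (k1 + m * k2) % P


def recover_keys(m1, t1, m2, t2):
    """Two tagged messages m1 != m2 give t1 - t2 = (m1 - m2) * k2 mod p,
    which is solvable for k2 because p is prime; k1 then follows."""
    if (m1 - m2) % P == 0:
        raise ValueError("need two distinct messages")
    k2 = ((t1 - t2) * pow((m1 - m2) % P, -1, P)) % P
    k1 = (t1 - m1 * k2) % P
    return k1, k2


def forge(m1, t1, m2, t2, target):
    """Existential (in fact universal) forgery after two queries."""
    k1, k2 = recover_keys(m1, t1, m2, t2)
    return mac(k1, k2, target)


def demo():
    """Returns (forged tag verifies, recovered keys equal the real keys)."""
    k1, k2 = keygen()
    m1, m2, target = 12345, 67890, 424242          # constructed messages
    t1, t2 = mac(k1, k2, m1), mac(k1, k2, m2)      # the adversary's two queries
    forged_ok = forge(m1, t1, m2, t2, target) == mac(k1, k2, target)
    keys_ok = recover_keys(m1, t1, m2, t2) == (k1, k2)
    return forged_ok, keys_ok
```

After a single query the tag $t_1 = k_1 + m_1 k_2$ is consistent with every value of $k_2$ (each choice fixes a matching $k_1$), so one tag reveals nothing usable; the second query removes that freedom entirely.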

Score: 1
Titanlord
Common principles and ideas of cryptography

There are several common principles and ideas in modern cryptography, which are generally accepted and taken into account. An example may be Kerckhoffs's principle:

  1. The system must be practically, if not mathematically, indecipherable;
  2. It should not require secrecy, and it should not be a problem if it falls into enemy hands;
  3. It must be possible to communicate and remember the key without using writte ...

Score: 1
How can I prove the preimage of a hash that contains a number is bigger than x?

So I want to create a zero-knowledge proving system for numbers (think loans and bank accounts, I want to prove my paycheck is more than x dollars per month).

I was thinking about using a zero-knowledge proof for the preimage of a hash. So let's say my employer hashes my paycheck in such a way (e.g. using merkle trees) that my net received is hashed individually. I can use a preimage proof to pro ...

Score: 0
Lance
How to implement a basic "sponge function"?

In Chapter 6 of Serious Cryptography, they write about the sponge function:

  1. It XORs the first message block, M1, to H0, a predefined initial value of the internal state (for example, the all-zero string). Message blocks are all the same size and smaller than the internal state.
  2. A permutation, P, transforms the internal state to another value of the same size.
  3. It XORs block M2 and applies P again, and th ...
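
Added example, not the book's code: the sponge built from the steps quoted above, with Keccak-f[1600] as the permutation P. Choosing a rate of 1088 bits (136 bytes), a capacity of 512 bits and the SHA-3 domain padding makes the result exactly SHA3-256, so it can be checked against hashlib; the same sponge with a 168-byte rate and the 0x1F domain byte is SHAKE128. The example goes a little past the quoted steps by including the padding and the squeezing phase; the function names are its own.

```python
# Added example (not from the book): a sponge with Keccak-f[1600] as P.
import hashlib

_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M64 = (1 << 64) - 1


def _rotl64(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64 if n else v


def keccak_f1600(lanes):
    """The permutation P: 24 rounds over 25 64-bit lanes, lane (x, y) at x + 5*y."""
    a = list(lanes)
    for rnd in range(24):
        # theta: column parities mixed into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho (lane rotations) and pi (lane transposition)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl64(a[x + 5 * y], _ROT[x][y])
        # chi: the only non-linear step
        a = [(b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])) & _M64
             for y in range(5) for x in range(5)]
        # iota: round constant
        a[0] ^= _RC[rnd]
    return a


def sponge(message, rate_bytes, out_len, domain):
    """Absorb message one rate-sized block at a time, then squeeze out_len bytes."""
    state = [0] * 25                                    # H0: the all-zero state
    padded = bytearray(message) + bytes([domain])       # pad10*1 behind a domain byte
    padded += bytes((-len(padded)) % rate_bytes)
    padded[-1] |= 0x80
    for off in range(0, len(padded), rate_bytes):       # absorb: XOR block, apply P
        block = padded[off:off + rate_bytes]
        for i in range(rate_bytes // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state)
    out = b""
    while True:                                         # squeeze: read rate, apply P
        out += b"".join(state[i].to_bytes(8, "little") for i in range(rate_bytes // 8))
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = keccak_f1600(state)


def sha3_256(message):
    return sponge(message, 136, 32, 0x06)       # r = 1088 bits, c = 512 bits


def shake128(message, out_len):
    return sponge(message, 168, out_len, 0x1F)  # r = 1344 bits, c = 256 bits
```

Only the first r bits of the state are ever touched by a message block or read out as output; the remaining c bits (the capacity) are what the security of the construction rests on, which is why SHA3-256 keeps c = 512 while SHAKE128 trades capacity for a larger rate.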

Score: 1
Lance
Do people manually select every integer used in a crypto hash function or are they generated by a computer?

For example, this:

[image]

Are all those numbers like 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8... picked by hand somehow, or are they just selected out of a hat (like you write a script "give me 64 random integers between 0 and 15" and then whatever it outputs you use), or something else? What is the technique for selecting so many numbers?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.