Latest Crypto related questions

Score: 0
OPENSSL CMS: Enveloped data's public key, Certificate's public key; Are they same?

I read the rfc5652, and I made enveloped data via openssl:

openssl cms -encrypt -in plain -aes256 -recip certificate.pem -outform DER -out enveloped-data.ber

Then, I check the public key. First, here is the certificate's public key.

[screenshot: the certificate's public key]

And, it is the enveloped data's public key.

[screenshot: the public key found in the enveloped data]

So, I understand that enveloped data contains the recipient's public key (certificate's pub key). Is it right?

Then, why are ...

Score: 1
Derek
If secret S is not known to an attacker, while constant K and SHA3(K + SHA3(S)) are known to an attacker, is S discoverable?

I'm trying to understand how secure S is from an attacker. Let's say in an instance where they have enormous hashing power available to them, as would be the case where they own cryptocurrency mining rigs.

In other words, the attacker must not be able to find out the secret S:

  • S = "my secret phrase"

But the attacker has full knowledge of both:

  • constant K = "a publicly known constant"
  • a combined hash o ...
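
Added example (not from the post): the attacker's position for the construction above, in Python with hashlib. Nothing in SHA3(K || SHA3(S)) is inverted; the only move is to guess S, recompute both hashes and compare, so the cost is two SHA3 calls per guess and the security of S is its entropy, not the nesting. The wordlist is a constructed stand-in for an attacker's dictionary; K is the constant from the question.

```python
import hashlib

K = b"a publicly known constant"  # public constant, as in the question


def derive(secret: bytes, k: bytes = K) -> bytes:
    """The construction from the question: SHA3-256(K || SHA3-256(S))."""
    inner = hashlib.sha3_256(secret).digest()
    return hashlib.sha3_256(k + inner).digest()


def attack(target: bytes, candidates, k: bytes = K):
    """Attacker's only option: guess S, recompute the construction, compare.

    Returns (recovered_secret_or_None, number_of_guesses_made).  Two hash
    calls per guess; a mining rig only changes how fast the loop runs.
    """
    guesses = 0
    for cand in candidates:
        guesses += 1
        if derive(cand, k) == target:
            return cand, guesses
    return None, guesses


# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = [
    b"password",
    b"hunter2",
    b"my secret phrase",
    b"correct horse battery staple",
]


def demo():
    """Low-entropy S falls to the dictionary; an S outside it does not."""
    weak = attack(derive(b"my secret phrase"), WORDLIST)
    strong = attack(derive(b"\x9f\x1c\x07\xe2 random 256-bit value here"), WORDLIST)
    return weak, strong
```

The practical reading: if S is a passphrase, the attacker's work is the size of the passphrase space; if S is a 256-bit random value, the loop never finishes.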
Score: 2
Hunger Learn
Secure multiparty scheme in key (splitting) distribution among the players

Suppose that we have a game with $I$ players and each of them has a private secret say $e_i$. Every player wants to share her secret with the rest of the players but in such a way that she will not be cheated. We have the following formulation

$$p_i:E_i\times Y_i\to X_i$$ where $|Y_i|\geq|E_i|$ and $p_i(\cdot,y_i)$ is bijective so that every pair $(x_i,y_i)$ is associated with exactly one $e_i$. More pre ...

Score: 3
Mysterious Shadow
RSA: The algorithm aside, how are we turning a string into an int and vice versa?

Let's say that I want to encrypt the file plain.txt. The very first step is actually to turn the contents of that file (let's say it only contains the string "Hello") into an int. I see Python code like this:

from Crypto.Util.number import bytes_to_long
with open('plain.txt', 'rb') as f:
    flag = f.read()

m = bytes_to_long(flag)

However, I don't quite understand what is going on. Furthermore, wh ...
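
Added example (not from the post): what bytes_to_long actually computes, written out in plain Python. A byte string is read as a big-endian base-256 number, so "Hello" becomes 0x48656c6c6f = 310939249775, and long_to_bytes is the inverse. Two caveats a practitioner wants: leading zero bytes vanish in the integer unless the length is carried separately, and for textbook RSA the integer must be smaller than the modulus (real systems pad with PKCS#1 v1.5 or OAEP first; the bound check here is only the arithmetic requirement).

```python
from typing import Optional


def bytes_to_long(data: bytes) -> int:
    """Big-endian base-256 interpretation, the same as Crypto.Util.number.bytes_to_long."""
    return int.from_bytes(data, "big")


def bytes_to_long_manual(data: bytes) -> int:
    """The same computation as Horner's rule, to show what is going on:
    'He' -> (0x48 * 256) + 0x65, and so on for every byte."""
    n = 0
    for b in data:
        n = n * 256 + b
    return n


def long_to_bytes(n: int, length: Optional[int] = None) -> bytes:
    """Inverse of bytes_to_long.  Without an explicit length, leading zero
    bytes cannot be recovered: b'\\x00Hello' and b'Hello' map to the same int."""
    if length is None:
        length = max(1, (n.bit_length() + 7) // 8)
    return n.to_bytes(length, "big")


def rsa_int_from_file_bytes(data: bytes, n: int) -> int:
    """Textbook requirement before computing m^e mod n: m must be below n.
    Only the bound is checked; padding is a separate (and required) step."""
    m = bytes_to_long(data)
    if m >= n:
        raise ValueError("message integer is not below the modulus; pad/chunk or use a larger key")
    return m


def round_trip(data: bytes) -> bytes:
    """bytes -> int -> bytes, carrying the original length so zeros survive."""
    return long_to_bytes(bytes_to_long(data), len(data))
```

The RSA step itself is then pow(m, e, n) on the returned integer, and decryption ends with long_to_bytes on the result.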

Score: 1
Avoiding MD5 collision with secondary partial hashes

I am trying to design a VCS-like program that determines if the files are the same by comparing their MD5 hashes.

Then I read about MD5 collisions here, and I wonder if I can work around that by doing a secondary check by hashing only parts of the file if the first check led to a collision.

What are some issues with this approach that can be foreseen already?
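
Added example (not from the post): the problems with a partial-hash fallback, shown on constructed data, next to the design a VCS should use. Two points: a secondary hash over fixed parts of the file (assumed here to be the first and last 4 KiB) cannot see a difference that lies outside those parts, and the known MD5 collision constructions put the differing bytes in a short run of blocks that an attacker places wherever the secondary check does not look, so "more MD5 over less data" is still MD5. The fix is a collision-resistant hash as the index key and, on a hash match, a byte-for-byte comparison; the bytes are already in hand, so the comparison costs less than the hash did.

```python
import hashlib

HEAD_TAIL = 4096  # assumed size of the "parts" the secondary check hashes


def partial_md5(data: bytes, n: int = HEAD_TAIL) -> str:
    """The secondary check from the question: hash only the first and last n bytes."""
    return hashlib.md5(data[:n] + data[-n:]).hexdigest()


def same_by_partial(a: bytes, b: bytes) -> bool:
    return partial_md5(a) == partial_md5(b)


def same_content(a: bytes, b: bytes) -> bool:
    """What a VCS should do: collision-resistant hash to find candidates,
    then compare the bytes so no trust is placed in the hash at all."""
    if hashlib.sha256(a).digest() != hashlib.sha256(b).digest():
        return False
    return a == b


def make_pair():
    """Constructed sample: two 1 MiB blobs equal everywhere except 64 bytes
    in the middle, the shape of difference a collision attack produces."""
    base = bytes(range(256)) * 4096
    other = bytearray(base)
    other[500000:500064] = bytes(64)  # base has 32..95 here, so this is a real change
    return base, bytes(other)


def demo():
    a, b = make_pair()
    return same_by_partial(a, b), same_content(a, b)
```

demo() returns (True, False): the partial check reports the files as identical, the byte comparison does not.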

Score: 1
Foobar
Katz/Lindell - 2.10: Is exhaustive search over the key-space allowed in perfect indistinguishability?

I am self studying using "Introduction to Modern Cryptography (2nd edition)"

I am trying to understand how the solution to the following problem is valid:

Prove that a scheme satisfying Definition 2.5 must have $|K| \geq |M|$ without using Lemma 2.4. Specifically, let $\Pi$ be an arbitrary encryption scheme with $|K| < |M|$. Show an $A$ for which $Pr[PrivK^{eav}_{A,\Pi} = 1] > \frac{1}{2}$.

Score: 2
Néstor Llop
How do you get a Public Key from a Fingerprint

I've seen some people putting their public key's (I'd suppose they refer to a PGP PK) fingerprint on powerpoints and alike so that they can be reached out to using a safe channel.

From my POV, it's obvious that there should be a way to get the original PK from the fingerprint (if there wasn't, I don't really find the point of sharing the fingerprint).

However, I've read that the fingerprint is a hash ...
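
Added example (not from the post): how an OpenPGP v4 fingerprint is computed and what the person reading the slide does with it. The fingerprint is SHA-1 over 0x99, a two-octet length and the public-key packet body (RFC 4880 section 12.2), so it is not invertible; the key itself comes from a keyserver, a web page or an e-mail attachment, and the fingerprint is what lets you check that the key you fetched is the one the speaker meant. The 64-bit key ID is the low-order 8 octets of the same fingerprint. The key material here is a constructed toy RSA modulus so the bytes stay readable; it is not a real key.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit length, then big-endian magnitude."""
    magnitude = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + magnitude


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version, creation time, algorithm id 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-octet body length || body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_id(fingerprint: str) -> str:
    """Long key ID: the low-order 8 octets (16 hex digits) of the v4 fingerprint."""
    return fingerprint[-16:]


def matches(body_from_keyserver: bytes, fingerprint_on_slide: str) -> bool:
    """The verification step: hash the key you obtained, compare with the slide.
    Accepts the usual spaced, lower-case presentation of the fingerprint."""
    normalized = fingerprint_on_slide.replace(" ", "").upper()
    return v4_fingerprint(body_from_keyserver) == normalized


# Constructed toy key (64-bit modulus, not a real key) standing in for a fetched packet.
TOY_CREATED = 1700000000
TOY_N = 0xC2A3F1E55E4B3D91
TOY_E = 65537
TOY_BODY = v4_public_key_body(TOY_CREATED, TOY_N, TOY_E)
```

A key whose fingerprint does not match is not the speaker's key, whatever name it carries; a key that matches can then be used for the encrypted channel. This covers v4 keys; newer key versions use a different fingerprint construction.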

Score: 1
A W
Is it possible to cryptographically sign a message with a private key while keeping the pre-image content public?

Essentially, I am looking for a way for user A to create a signed message that user B can 1) verify user A wrote (ie using ecrecover) and 2) the content of the message can be read by user B without needing user A’s private key.

I know it is possible for user A to use asymmetric encryption to sign a message that can be verified to be authentic, but I want user B to be able to read the content of ...
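
Added example (not from the post): signing and ecrecover-style public-key recovery on secp256k1 in pure Python, the split the question is after. User A sends the plaintext message together with (r, s, v); user B hashes the same plaintext, recovers a public key from the signature and compares it with A's known key. No one needs A's private key to read the message, because a signature provides authenticity, not confidentiality. Assumptions: the nonce is a simplified deterministic derivation from the key and message hash (a stand-in, not RFC 6979), the arithmetic is affine and not constant-time, and the private key and message are constructed sample values.

```python
import hashlib

# secp256k1 domain parameters (the curve used by Ethereum's ecrecover).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def _z(msg: bytes) -> int:
    """Message hash as an integer; the message itself stays in the clear."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def pubkey(d: int):
    return _mul(d, G)


def sign(d: int, msg: bytes):
    """ECDSA (r, s) plus recovery bit v = parity of R.y.  Send msg alongside."""
    z = _z(msg)
    # Simplified deterministic nonce from (d, z): an assumption, not RFC 6979.
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    R = _mul(k, G)
    if R is None or R[0] >= N:
        raise ValueError("nonce unusable, re-derive")  # probability about 2^-128
    r = R[0]
    s = pow(k, -1, N) * (z + r * d) % N
    return r, s, R[1] & 1


def ecrecover(msg: bytes, sig):
    """Rebuild the signer's public key: Q = r^-1 * (s*R - z*G).
    Only the plaintext message and the signature are needed."""
    r, s, v = sig
    y2 = (pow(r, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root when one exists
    if pow(y, 2, P) != y2:
        return None  # r is not the x-coordinate of any curve point
    if (y & 1) != v:
        y = P - y
    R = (r, y)
    rinv = pow(r, -1, N)
    z = _z(msg)
    return _add(_mul(s * rinv % N, R), _mul((-z * rinv) % N, G))


def verify_author(msg: bytes, sig, expected_pub) -> bool:
    """User B's check: the recovered key must equal the key B already trusts for A."""
    return ecrecover(msg, sig) == expected_pub
```

Ethereum compares the recovered key to an address (the last 20 bytes of keccak256 of the 64-byte uncompressed key) rather than to the point itself; the recovery step is the same.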

Score: 0
g0rbe
SSLv3 ServerKeyExchange SIgnature struct mismatch

I'm playing with implementing SSLv3 in Go according to RFC 6101.

I can deserialize ServerKeyExchange until ServerKeyExchange.signed_params.

The cipher suite is TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).

The Certificate signature algo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption).

According to the RFC the structs should look like this:

        struct {
            select (KeyExchangeAlgorithm) {
            ...
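
Added example (not from the post, and not in Go; Python is used for all examples on this page): a parser for the ServerKeyExchange body of an RSA_EXPORT suite under SSL 3.0, with the 36-byte value the signature covers. Per RFC 6101 section 5.6.3 the params are ServerRSAParams { rsa_modulus<1..2^16-1>; rsa_exponent<1..2^16-1>; }, the signature follows as a length-prefixed opaque, and for RSA it is over MD5(randoms + params) || SHA-1(randoms + params) with no DigestInfo wrapper. One point worth checking against the struct mismatch: the certificate's sha1WithRSAEncryption OID is the CA's signature on the certificate and has no bearing on how the ServerKeyExchange is signed. The modulus, exponent, signature and randoms below are constructed sample bytes.

```python
import hashlib
import struct


def _read_vec16(buf: bytes, off: int):
    """opaque x<1..2^16-1>: 2-byte big-endian length followed by that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_rsa_server_key_exchange(body: bytes) -> dict:
    """ServerKeyExchange for RSA_EXPORT (RFC 6101 5.6.3):
    ServerRSAParams { rsa_modulus<1..2^16-1>; rsa_exponent<1..2^16-1>; }
    then the RSA signature as a length-prefixed opaque."""
    modulus, off = _read_vec16(body, 0)
    exponent, off = _read_vec16(body, off)
    params = body[:off]  # exactly the bytes the server signed
    signature, off = _read_vec16(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after signature")
    return {"modulus": modulus, "exponent": exponent, "params": params, "signature": signature}


def sslv3_rsa_signed_hashes(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """The 36 bytes an SSL 3.0 RSA ServerKeyExchange signature covers:
    MD5(ClientHello.random + ServerHello.random + ServerParams) followed by
    SHA-1 of the same input, signed raw with PKCS#1 v1.5 (no DigestInfo)."""
    signed_input = client_random + server_random + params
    return hashlib.md5(signed_input).digest() + hashlib.sha1(signed_input).digest()


def build_rsa_server_key_exchange(modulus: bytes, exponent: bytes, signature: bytes) -> bytes:
    """Encoder, used here only to construct a sample message for the parser."""
    return b"".join(struct.pack(">H", len(x)) + x for x in (modulus, exponent, signature))
```

After RSA-decrypting the signature with the server certificate's public key, the recovered 36 bytes must equal sslv3_rsa_signed_hashes(...) for the two hello randoms; the certificate's own signature algorithm plays no part in that comparison.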
Score: 5
Gautham Krishna
Why is Montgomery Ladder fast on Montgomery Curves?

When I look at the Montgomery Ladder algorithm, I don't find anything that is specific to the Montgomery curve. We are dealing with the points all the time i.e. we are either adding two points or doubling a point. For all I know, those points can belong to any form of elliptic curve. Why is it that in many papers, it is claimed that the Montgomery ladder is fastest on Montgomery curves? What am I missin ...
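
Added example (not from the post): the X25519 ladder from RFC 7748 section 5, which shows what is curve-specific. The ladder invariant keeps two points R0, R1 whose difference R1 - R0 is always the input point P, and on a Montgomery curve the x-coordinate of R0 + R1 can be computed from x(R0), x(R1) and x(R1 - R0) alone, as can x(2R0). So every ladder step below touches only x and z (projective x), uses a handful of field multiplications, needs no y-coordinate and no inversion until the very end. On a short Weierstrass curve the same ladder is still correct, but the step needs full point addition or far more expensive x-only formulas, which is where the speed claim comes from. The scalars in the usage are constructed sample values.

```python
P25519 = 2 ** 255 - 19
A24 = 121665  # (A - 2) / 4 for Curve25519's A = 486662


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap on the scalar bit (swap is 0 or 1)."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519_ladder(k: int, u: int, bits: int = 255) -> int:
    """Montgomery ladder, x-coordinate only (RFC 7748 section 5).
    x1 = u is the fixed difference R1 - R0 that differential addition needs."""
    p = P25519
    x1 = u % p
    x2, z2 = 1, 0   # R0 = point at infinity, projective (1 : 0)
    x3, z3 = x1, 1  # R1 = P
    swap = 0
    for t in range(bits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        # One ladder step: x(R0 + R1) via x1, and x(2 R0); no y, no inversion.
        a = (x2 + z2) % p
        aa = a * a % p
        b = (x2 - z2) % p
        bb = b * b % p
        e = (aa - bb) % p
        c = (x3 + z3) % p
        d = (x3 - z3) % p
        da = d * a % p
        cb = c * b % p
        x3 = (da + cb) ** 2 % p
        z3 = x1 * ((da - cb) ** 2) % p
        x2 = aa * bb % p
        z2 = e * ((aa + A24 * e) % p) % p
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, p - 2, p) % p  # the single inversion, at the end


def clamp(k: int) -> int:
    """RFC 7748 scalar decoding: clear bits 0-2 and bit 255, set bit 254."""
    k &= ~7
    k &= (1 << 255) - 1
    k |= 1 << 254
    return k


def x25519(scalar: int, u: int) -> int:
    """X25519 on integers: u-coordinate of clamp(scalar) * (u, ...)."""
    return x25519_ladder(clamp(scalar), u & ((1 << 255) - 1))


def shared_secret_agrees(a: int, b: int) -> bool:
    """Diffie-Hellman check: a * (b * G) == b * (a * G) with base u = 9."""
    return x25519(a, x25519(b, 9)) == x25519(b, x25519(a, 9))
```

Count the multiplications in the loop body: the whole step is roughly 5 multiplications and 4 squarings per scalar bit, and the shape of the code never asks for a y-coordinate.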

Score: 3
Security of Blind Signature Schemes in the Concurrent Setting

I am quite confused about the security definition of blind signature schemes in the concurrent setting. I have found a paper as follows showing that most of the previous blind signature schemes cannot satisfy unforgeability property if they are deployed in the concurrent setting.

Benhamouda, Fabrice, et al. "On the (in) security of ROS." Annual International Conference on the Theory and Applicati ...

Score: 2
Why isn't this function second-preimage resistant?

Why is $h(k,m)$ not second-preimage resistant? Let $E_k$ be a block cipher where the message space is the same as the key space. $$h(k,m)=E_k(m\oplus k)\oplus k$$

I've been reading about second preimage resistance and attempting to try this example.

What I currently know is that given an input $m$, and therefore the hash $h(k,m)$, I need to find another input $\hat{m} \ne m$ such that $h(k,m) = h(k,\hat{ ...
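
Added example (not from the post): a concrete second-preimage attack on $h(k,m)=E_k(m\oplus k)\oplus k$. Note first that for a fixed $k$, $m \mapsto E_k(m\oplus k)\oplus k$ is a permutation, so no second preimage with the same key exists; the weakness is that $k$ is part of the input and the attacker may pick a different one. Given $(k,m)$ and any $k' \neq k$, one decryption solves $h(k', m') = h(k, m)$: $m' = D_{k'}(h \oplus k') \oplus k'$. The attack holds for any block cipher whose key and message spaces coincide; the cipher here is a constructed 64-bit Feistel network with a SHA-256 round function, used only so the example runs without a crypto library.

```python
import hashlib

MASK32 = (1 << 32) - 1
ROUNDS = 8


def _f(half: int, key: int, rnd: int) -> int:
    """Round function of a constructed toy 64-bit Feistel cipher (not a real cipher)."""
    material = half.to_bytes(4, "big") + key.to_bytes(8, "big") + bytes([rnd])
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big")


def E(k: int, m: int) -> int:
    """Toy block cipher E_k: 64-bit key, 64-bit block."""
    L, R = m >> 32, m & MASK32
    for i in range(ROUNDS):
        L, R = R, L ^ _f(R, k, i)
    return (L << 32) | R


def D(k: int, c: int) -> int:
    """Inverse of E_k: run the Feistel rounds backwards."""
    L, R = c >> 32, c & MASK32
    for i in reversed(range(ROUNDS)):
        L, R = R ^ _f(L, k, i), L
    return (L << 32) | R


def h(k: int, m: int) -> int:
    """The hash from the question: h(k, m) = E_k(m xor k) xor k."""
    return E(k, m ^ k) ^ k


def second_preimage(k: int, m: int, k2: int):
    """For any k2 != k, the unique m2 with h(k2, m2) == h(k, m):
    h = E_k2(m2 xor k2) xor k2   =>   m2 = D_k2(h xor k2) xor k2."""
    if k2 == k:
        raise ValueError("with the same key the map is a permutation; choose k2 != k")
    target = h(k, m)
    m2 = D(k2, target ^ k2) ^ k2
    return k2, m2
```

The cost is one decryption for every choice of $k'$, so the attacker can produce as many second preimages as there are keys, which is why the construction fails the definition regardless of how strong $E$ is.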

Score: 2
C.S.
How is it legal to use a rounded Gaussian for LWE?

As far as I understood, in Regev's initial paper, the error distribution was first constructed as follows:

[image: the error distribution as constructed in Regev's paper]

Then rounded in the following way:

[image: the rounding step]

Using this distribution, the reduction in the theorem below can be achieved:

[image: the reduction theorem]

I don't understand how in many applications in literature, they use the LWE problem with the usual rounded error distribution:

[image: the rounded error distribution used in the literature]

and still ensure security (or solid reduction), with

Score: 2
How much information is required to specify a new variant of AES beyond the key length and the number of rounds?

Three different versions of the Advanced Encryption Standard (AES) have been standardized, which use keys of bit length 128, 192, and 256 respectively. They also use different numbers of rounds: 10, 12, and 14 rounds respectively. But my understanding is that the three versions of AES are otherwise extremely similar.

  1. How much additional information would need to be specified in order to create a new  ...
Score: 1
yankovs
One way function with fixed point

As part of an exercise in a cryptography course, I want to come up with a one-way function for which it is "easy" to find a collision from a given OWF. To achieve this, I tried the following: given an OWF $f$ (it can be assumed to exist), construct $f'$ as follows: $$f'(x)=\begin{cases}f(y), &x=x^*\\ f(x),& \text{else} \end{cases}$$ for some $x^*,y\in \{0,1\}^*$. Now an adversary might output ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.