Latest Crypto related questions

Score: 6
TLS 1.3 - Why have no encrypt-then-MAC modes been specified?

I have been scratching my head for a while why TLS 1.3 does not include any encrypt-then-MAC (EtM) modes. All the previous problems in TLS have been caused by MAC-then-encrypt, whereas encrypt-then-MAC avoids all the issues caused by padding in the past, since a receiver can verify the message integrity without having to first decrypt the message and then handle mangled padding correctly.

What ...

Score: 0
Shahid Khan
What class of complexity theory does a trapdoor function belong to

Let's suppose we have a protocol X (symmetric or asymmetric codec) and it encrypts a message M, and the only way to decode M is to use the hidden information, and it is impossible to crack otherwise. To what class of complexity theory does such a protocol belong?

Score: 2
Why is there a slight mismatch most of the time in X25519 private keys depending on functions used, but public keys always match (same seed for both)?
mkl

I'm trying to wrap my head around going from a seed to a SigningKey, and also obtaining a PrivateKey (encryption key). I'm using NaCl / libsodium.

I created the code below and the results are interesting. Turns out pk1.private_key and pk2.private_key match roughly 3% of the time. However, the public key matches 100% of the time; all are generated starting with the same seed. What is going on here?

  • I obtain pk1 by us ...

Score: 1
Chito Miranda
Understanding notation of probability of algorithm equal to 1

I would like to understand what the following notation means:

let $A$ be a polynomial-time algorithm and say $X(a,n)$ is a probability ensemble where $a\in\{0,1\}^*$ and $n\in\mathbb{N}$.

What does the notation $\Pr[A(X(a,n))=1]$ mean?

Score: 1
cryptobeginner
What input bits are revealed when revealing the first 256 bits of the output Keccak-f permutation?

Given the Keccak-f[1600] permutation I am interested in the following property: What bits in the output are influenced by what bits of the input? That is, if I change for example say the second bit of the input, what bits of the output are influenced by this?

Put another way: Assume I have the first 256 bits of the output of the Keccak function. Then, because Keccak-f[1600] is bijective, there ar ...

Score: 0
Kevin DeCara
Algorithms for reducing the scope of a brute force attack on a cryptosystem?

I understand that during a brute force attack on a cryptosystem, an attacker is left with many, many junk files, some of which are partially readable (depending on the crypto algorithm used), and one which produces completely readable plaintext. A human must then search through these junk files and pick out the one that has readable plaintext.

Are there any algorithms which can be used to reduce this ...

Score: 1
Hunger Learn
Classic secret sharing schemes vs Homomorphic secret sharing schemes

What is the difference between the classic secret sharing schemes that are used in the protocols of Ben-Or and Rabin, and Ben-Or, M., Goldwasser, S., Wigderson (that is, Shamir's secret sharing scheme) and the homomorphic secret sharing schemes? Could anybody provide a paradigm? Can we use a homomorphic secret sharing scheme to design a protocol of communication? I would like some reference for the lat ...

Score: 1
Raoul722
What is the security strength of XMSS according to NIST PQC categories?

In the context of the NIST PQC standardization process, NIST has defined the following five security categories:

  1. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES128)
  2. Any attack that breaks the relevant security definition must require computationa ...

Score: 1
What are some Encryption functions with Poor Confusion

I've recently been learning about confusion and diffusion related to encryption functions. For the most part I get the gist of what they are, but I was wondering if there are any functions with poor confusion.

Score: 0
paul lacher
Hybrid Authentications

Is there a reason why we can't combine private key MAC with digital signature to get a hybrid authentication scheme?

Is it because of the computational assumptions that digital signatures have?

Edit: (Clarification) I don't intend to combine them, it's a problem on a past final that I am doing as practice but I don't know how to explain why we can't combine them.

Score: 1
DP2040
polynomial time reduction from SIS to decisional-LWE?

Is the claim "If there is an efficient algorithm that solves SIS, then there is an efficient algorithm that solves decisional LWE" sufficient? Or is the claim above equivalent to the fact that an instance of SIS is a polynomial-time reduction to an instance of decisional LWE?

Please suggest an answer with suitable references (if possible).

Score: 2
Alan Reed
No-dealer secret sharing scheme that prevents anonymous collaboration to reconstruct the secret

Is there a no-dealer secret sharing scheme that allows a threshold $k$ of $n$ parties (where $k<n$) to collaborate to reconstruct a secret, but in such a way that none of those $k$ parties are able to collaborate anonymously to reconstruct it?

Imagine a scenario where a group of people agree to keep a secret encrypted until a specific time in the future. They can't be prevented from reconstructing t ...

Score: 2
Hunger Learn
Why do we always assume that the functions that the protocols can replicate are of the form $f:\{0,1\}^*\to\{0,1\}^*$?

Taking into account the vast literature of secure multiparty computation and secret sharing, there is a specific assumption that is made for the calculation of a rule function. The latter function takes as inputs the individual secrets of the agents and gives as outputs individual instructions based on the rule that the agents want to mimic. Recall again that, every player $i$, of $N<+\infty$ playe ...

Score: 3
Household sources of secure randomness?
Him

In my home, I have a coin. I can use that coin to generate random bits. These bits are mostly secure unless someone is watching me flip it. They're also only random-ish... maybe I'm a "bad flipper"?

I also have a computer. I can use it to generate bits that are sort of random, but not really. These are secure if you trust the algorithm and the machine. /shrug

I'd like to generate random number ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.