Latest Crypto related questions

Score: 0
phantomcraft
Questions about Blake2x: Its state size (internal state) and its security when generating keys with size more than 256/512bits

I read the Blake2x paper: https://www.blake2.net/blake2x.pdf

It says Blake2x can be used to build a "DRBG" (CSPRNG): https://csrc.nist.gov/glossary/term/deterministic_random_bit_generator

"An algorithm that produces a sequence of bits that are uniquely determined from an initial value called a seed. The output of the DRBG “appears” to be random, i.e., the output is statistically indistinguisha ...

Score: 1
oxear08
What is the notation of nth power of 1?

When reading theoretical materials, it is often seen that "a common input 1^n..." What does it mean? Are there any similar questions and answers previously in StackExchange?

Score: 14
Why "1" in 51% attack on Blockchain network

In many sources, including Wikipedia, we read:

Any pool that achieves 51% hashing power can effectively overturn network transactions, resulting in double-spending.

My question is: Why do we talk about 51% attack?

If my understanding is correct, we could also say 50.1% attack or 50.01% attack.

More simply, wouldn't it be wiser to use the "50% attack" idiom?

Score: 1
Andy
How to connect an external noise source file to openssl-fips-2.0.16

[ECDSA][ECDH] Due to Insufficient Entropy in Operating system of MCU

=> Could not generate random number by using BN_rand() function (security strength fail, and RAND_bytes fail)

Below is my solution:

  1. An external noise source file from TRNG

     Eg: (80 bits), this data passed all tests

  2. Connect (1) to OpenSSL by Engine

  3. Invoke BN_rand() again (gather entropy -> seed -> PRNG)

Is this appr ...

Score: 0
onlyphantom
Concatenation in Merkle Trees

Consider a simple Merkle Tree with leaves alice +100 and bob +50. Using the SHA256 hash algorithm, the digest of the respective strings are:

# alice +100
dc2cac4a8aaeccc0199eeb77df68b22eaa6e319d3f2b425d078dbd73419e28ac

# bob +50
7e15e5bc1b84f458db7ced4df762ba70204f19e3a613738756f9b00653f0aee1

Being a hash function, SHA-256 is deterministic, so it doesn't matter which programming language we're  ...

Score: 3
Bean Guy
Grinding in the Fiat-Shamir heuristic

The Fiat-Shamir heuristic is assumed to substitute public-coin messages from the verifier by hashes of the prover's messages until this point, i.e.: $$H(\alpha_1) = \beta_1, \\ H(\alpha_1, \alpha_2) = \beta_2,\\H(\alpha_1, \alpha_2, \alpha_3) = \beta_3,\\\vdots$$ where the $\alpha_i$'s are the prover's messages.

I understand why the Fiat-Shamir heuristic is proven to be secure in the ROM, however, in pra ...

Score: 1
Alan Reed
Split private key without Private Key Holder knowing the key shards?

Is it possible to split a private key into shards and distribute the shards to Key Holders such that (1) k of n key shards are required to recover the private key and (2) the private key holder does not know what the key shards are?

I am thinking about a situation where a number of Key Holders are trusted to keep their key shard secret. Then if a key shard is leaked we want to know which Key Hold ...

Score: 0
Bob
How to convert the secret sharing modulus?

Assume $c$ is a secret number in $Z_p$ and $c = a + b$. Alice has $a$ and Bob has $b$. Are there any methods to convert the modulo $p$ to some $q$, ($c<q$, $c<p$)? That is to say, $c = a' + b'$ in $Z_q$ and $a'$, $b'$ are known by Alice and Bob respectively.

Score: 0
Robert Piterson
DKIM & PGP email security

I'm trying to figure out when using DKIM it signs all of the email including the body message and the from address, and with PGP it uses a unique key while in DKIM is a general key ... but with both encryptions the email can still be changed? They can just inform me whether the email has been changed but they cannot prevent it from being changed?

Thanks

Score: 1
Finlay Weber
Clarification on hybrid encryption vs ECIES vs symmetric encrypt the message and then use asymmetric for key

I am trying to understand Hybrid encryption. When I first came across the term I thought it is used to describe a scheme where the message is encrypted using a symmetric key, and the symmetric key is then encrypted using the receiver public key. Both (encrypted message and key) are then sent to the receiver.

But it seems I might be mistaken. I came across ECIES (Elliptic Curve Integrated Encryptio ...

Score: 0
Sebastian Nielsen
Why are stream ciphers computationally secure?

In case multiple stream ciphers exist, I'm referring to this specific instance in which you generate a key that is just as long as the msg, M, as a function of a nonce and a smaller key K.

My textbook classifies this as computationally secure. But why is that?


I would say that it was unconditionally secure since assuming the adversary is able to find a long key O_2 that when XOR'ed with the ciphert ...

Score: 1
Revealing original message length having random padding
Lee

If I have a message that has a fixed unknown length $L$, and we add to its TLS encryption a random sized padding $0\leq n \leq N$ so the sent message is $L+n$. I'm also able to make the target re-encrypt and send the message over and over again.

How many times do I need to make the target send the message over and over again, until I reveal whether the original length is $L$ or $L+1$?

I think that  ...

Score: 3
João Víctor Melo
How do I exactly use the Index of Coincidence in Cyphertext?

I came in contact with a ciphertext, which is:

        KCCPKBGUFDPHQTYAVINRRTMVGRKDNBVFDETDGILTXRGUD
        DKOTFMBPVGEGLTGCKQRACQCWDNAWCRXIZAKFTLEWRPTYC
        QKYVXCHKFTPONCQQRHJVAJUWETMCMSPKQDYHJVDAHCTRL
        SVSKCGCZQQDZXGSFRLSWCWSJTBHAFSIASPRJAHKJRJUMV
        GKMITZHFPDISPZLVLGWTFPLKKEBDPGCEBSHCTJRWXBAFS
        PEZQNRWXCVYCGAONWDDKACKAWBBIKFTIOVKCGGHJVLNHI
        FFSQESVYCLACNVRWBBIREP ...

Score: 0
Selecting parameters for PBKDF2 using SHA3

I'm using PBKDF2 to generate an ED448 signing key, and I'm trying to figure out the optimal salt size for SHA-3. I recall reading a recommendation to use a salt size equal to the PRF's internal-state block size, for PBKDF2. My understanding is that Keccak/SHA-3 doesn't use blocks the way SHA/MD hashes do. So how do I pick or calculate the salt length based on the Keccak parameters? Should iterations be  ...

Score: 2
Good asymmetric algorithm for Java keytool as of 2021

While I expect to get flak for the term "best", some algorithms are widely considered better than others for essentially all purposes. For example, DES is no longer considered secure.

My particular problem is that I want to use keytool to generate a Java keystore, containing an asymmetric key, and don't know what algorithm to use. There's a list here: https://docs.oracle.com/javase/8/docs/technotes/g ...
