Latest Crypto related questions

Score: 1
IND-CCA implies OW-CCA

(Disclaimer: I am a noob in cryptography, so please keep that in mind in your answers).

In symmetric private key cryptography, an adversary $\mathcal A$ provided with encryption and decryption oracles $\mathcal O_{\text{Enc}},\mathcal O_{\text{Dec}}$ wins the IND-CCA game if it can consistently guess which of two plaintexts $m_0,m_1\in \mathcal M$ corresponds to a given (by some oracle $\mathcal O_{LR}$ ...

Score: 2
Does the PRG game allow for bad randomness picks?

In the game-based definition, we say that $G: \{ 0, 1 \}^n \rightarrow \{ 0, 1 \}^{\ell(n)}$ is a pseudorandom generator if for all PPT distinguishers $D$, there exists a negligible function $\nu$ such that: $$\Pr[D(r) = 1] - \Pr[D(G(s)) = 1] \leq \nu(n)$$ where $r \gets \{ 0, 1 \}^{\ell(n)}$ and $s \gets \{ 0, 1 \}^n$ are chosen uniformly at random. Now, $Range(G)\subset \{ 0, 1 \}^{\ell(n)}$. So th ...

Score: 0
PRGs from OW functions

Given an OW function $f:\{0,1\}^n\to\{0,1\}^n$ with hardcore predicate $h(x)$, you can build a PRG $G$ by setting $$G(s):=f(s)\Vert h(s), \quad s\leftarrow\{0,1\}^n.$$ The expansion condition for $G$ is trivially satisfied (the seed $s$ has length $n$, while the string $f(s)\Vert h(s)$ has length $n+1$). How can I show that $G$ is also pseudorandom, that is, for any probabilistic poly-time distinguisher  ...

Score: 2
Can anybody explain the proof of Rabin and Ben-Or of secure multiparty computation?

Can anybody explain the proof of Rabin and Ben-Or of secure multiparty computation?

The idea is that every player $i$, of $N<+\infty$ players, holds a secret, say $s_i$. All of them want to share their information in such a way that a rule function $f(s_1,s_2,\dots,s_N)=(a_1,a_2,\dots,a_N)$ is shaped, and every player at the end of the protocol will know only her own component $a_i$ and no other informat ...

Score: 2
Are the users required to be different in Boneh et al.'s aggregate signature scheme?

Boneh et al. [1] describe an aggregate signature scheme, which allows signature aggregation of $n$ distinct messages from $n$ distinct users into a single short signature. In their description, they quite clearly state that it is necessary that the messages are different to ensure the security of the protocol. (They also list other counter-measures.)

However, while the abstract of the paper may sugge ...

Score: 5
Cheapest way to prove that two different private keys are known to the same person?

Say that there are two unrelated ECC keypairs ($Pub_1$, $Priv_1$) and ($Pub_2$, $Priv_2$). Alice claims that she knows both $Priv_1$ and $Priv_2$, but Bob doesn't trust her, and thinks that $Priv_2$ is only known to Eve, Alice's friend.

Bob asks Alice to prove that she controls both private keys. Now, Bob knows that if Eve really does control $Priv_2$, she'd be willing to collude with Alice to generat ...

Score: 0
Rational secure multiparty computation with permutation secret sharing scheme?

Taking a look at this economic paper, they use cryptographic tools to implement correlated equilibria in the case of two players. They use permutations for the exchange of information between the players in order to construct, through cheap talk, the function that gives the (output) recommended strategy. In other words, they share a secret so as to build the correlated strategy $f(secrets)=(stochastic\q ...

Score: 1
Incompatible key types

Consider the following. I have a decentralized network of nodes that can talk to each other, and I'd like to encrypt their communications. I turn to asymmetric encryption, the way most of the internet works, and since I've used Google Tink and have some handy code already written out for it, I go for Hybrid Encryption in Tink.

The page on Hybrid Encryption says, "Hybrid Encryption only provides priv ...

Score: 4
Risks of Using SHA1 Instead of SHA256 for RSA with OAEP Padding

I'm presently implementing a simple RSA-based encryption as follows in PHP (using openssl_public_encrypt):

// $sRawText is the text string to encrypt.
// $sPublicKey is the public key stored on the server.
openssl_public_encrypt($sRawText, $sResult, $sPublicKey, OPENSSL_PKCS1_OAEP_PADDING);
// $sResult is the encrypted result which is then stored.

I made sure to use the OAEP padding option; however, the  ...

Score: 0
How to get public key and bitcoin compressed address from the coordinates (x,y) generated by ECDSA?

I have my x (0xca668a8b5f71e8724aada4b5343c28702a481787855cc42228b8fff97fe94d6a) and y (0x19dd3a603a55b3d8c5f62cbe177b9b63693fb8c91d76845bafc843a7aa19ea55) coordinates generated by ECDSA with a private key. But I don't know yet how to get the public address from the (x,y) coordinates and a compressed bitcoin address?

Score: 20
How can I understand whether my C implementation is constant-time or not (i.e. resistant to timing attacks)?

I have code for polynomial multiplication and it is written in C. I heard that whether a particular instruction is "constant time" can vary by architecture and by processor model, and there isn't any official documentation for this behavior. How can I understand if my code is constant time or not?

Note: By "constant time" I mean a piece of software or code that is resistant to timing attacks. I us ...

Score: 1
Can I find GCK-solution with add-form of few functions?

I know that it is hard to find a small $x$ when we know $(A,Ax)$, $Ax=f(x)$, if it is GCK on the cyclic lattice.

Then is it hard to find small $x_i$ when we know $(A,X)$ such that $$X \leftarrow A_1\cdot x_1 + \cdots + A_n\cdot x_n?$$

Score: 1
How insecure would a cipher based on iterative hashing be?

I was just wondering how the following construction could be insecure. I can tell that known-plaintext attacks are possible, but I'm not sure about anything else.

Let the user pick a password and hash it a sufficiently large number of times with something with preimage resistance like SHA-256. XOR the plaintext with the hash. Hash the hash again. XOR the result with the next block of plaintext...and  ...

Score: -1
Overflows in classic Shamir Secret Sharing Scheme

I've implemented the classic Shamir Secret Sharing Scheme, which looks like this:

  • get password as input (any length)
  • convert password text to big integer
  • generate polynomial coefficients (an ... a1)
  • generate splits - pairs (xi, yi) with given threshold

It works great and this is how generating more shares of secret works:

  • getting shares and threshold as input
  • finding coefficients with Gauss (so I know the original poly ...

Score: 0
Multiplication of two points in elliptic curve cryptography

Are there references or a proof showing that multiplying two points in elliptic curve cryptography (ECC) is not allowed, as in the example below? Multiply the public key PKA by a point (Z) on the ECC, since these two parameters (the public key and the point) are both points on the ECC.

  • $C=′\oplus h(Z.PK_A\mathbin\|T_1)$
  • $Pk=[SK]P$
  • $Z=[a]P$

where $P$ is a base point on an EC and $a\in\mathbb Z_q^*$.

 ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.