Latest Crypto related questions

Score: 3
RSA: Is it a security risk if an attacker knows the length of the values of P and Q?

Is it a security risk - or perhaps, how big of a security risk is it - if an attacker knows the length of the values of P and Q used when deriving a value for the parameter N in the RSA encryption algorithm?

I've been doing some reading on implementations of RSA and I see that some require P and Q to be the same length, while others have a minimum length for P or Q - so with this in mind, it is p ...

Score: 2
How can I understand the math behind crypto, especially that used in blockchains / distributed ledgers?

A bit of background about me: I am a Computer Engineer, but during my studies I didn't dive too deep into the maths, especially the crypto maths that is used to make blockchains and cryptography work.

I'm looking for any senior or experienced researchers or practitioners in this field to give me some advice and point me in the right direction.

If you can outline exactly which math to ...

Score: 0
INT-CTXT game adversary

I am trying to answer this question. But I think I got it wrong. I am not sure why and how I can improve it.


This is the adversary I came up with. Is this correct?

Adversary A:
M <- 0^256; M' <- 0^256
C <- Enc(M)
C[0]C[1]C[2] <- C
h' = SHA256(M')
C'[0] <- C[0]
C'[1] <- C[1] XOR M'
C'[2] <- C[2] XOR h'
return C'[0]C'[1]C'[2]

The idea was I needed to forge a new ciphertext C' where I ...

Score: 4
Is there a difference between the strength of Telegram's (MTProto) forward secrecy and Signal's?

If I understood correctly, the Signal protocol generates a new key after every message sent and forgets the previous one. Telegram, on the other hand, renews the key only after 100 messages or one week. Thus, is there a certain attack window (1 week / 100 messages) with Telegram's protocol?

Score: 5
What is the best way to pseudonymise IP addresses while retaining the ability to identify those that share a subnet?

Background: I'm developing an app that is based around registered users voting on stuff, and I want to create a heuristic that involves IP addresses as one way to flag accounts for further investigation of potential multiple account+vote abuse. In the interests of privacy/data minimization/GDPR obligations, it appears the best strategy is to store keyed hashes of the IPs, which would be sufficien ...

Score: 1
Showing that $F'(k, x) := F(F(k, 0^{n}), x)$ is a PRF

I wanted to do some practice on security reduction proofs, and I am stumped on this one from the Boneh-Shoup book.

If $F(k, x)$ is a secure PRF, then show that $F'(k, x) := F(F(k, 0^{n}), x)$ is a secure PRF.

What I have so far is:

Suppose $F'$ is insecure, with a distinguisher $D'$. This means that $F$ is also insecure, with a distinguisher $D$. I will now construct $D$ using $D'$.

  1. $D$ rece ...

Score: 3
Why are the parameters (such as modulus and dimension) of homomorphic encryption so large?

Compared with the common lattice-based PQC schemes, the modulus $q$ and dimension $n$ of homomorphic encryption are very large. For example, in Kyber, $n=256$, $n \times k \in \{512,768,1024\}$, $q = 12289$ or $3329$, while in FV or other HE schemes, $n$ could be $2^{14}$ and $q$ might reach $2^{744}$. Both of them are based on lattice problems. Why are the parameters so different?

Score: 0
Is it possible to crack a Linear Congruential Generator if I only know the modulus of the output?

Edit suggested by fgrieu:

I have one hundred integers in $\{0,1,2,3,4,5\}$ which I suspect are consecutive values of $\lfloor x_n/2^{16}\rfloor\bmod 6$ computed as $x_{n+1}:=a\cdot x_n+b\bmod m$, with $m=2^{31}$, and $(a,b)\in\{(214013,2531011),(22695477,1)\}$. How do I validate that hypothesis, find the $(a,b)$ used, and predict what follows in the sequence?

Question about "A competent implementation in a ...

Score: 2
LWE and pseudorandom functions

Consider the learning with errors problem. Assuming LWE (or a variant of LWE, like ring LWE) is hard for polynomial time algorithms, can we construct a family of pseudorandom functions from there?

Score: 1
Current status of ring signatures/proof of set membership

I understand the original O(n) implementation of a ring signature, but I'm trying to figure out where the state of the art is on signing a message as an anonymous member of an ad hoc group without revealing which member of the group signed it. It seems there are sublinear implementations, but I don't have a good grasp of their tradeoffs, and some have been shown to be insecure years later. For example,  ...

Score: 2
Composing password hash functions

Firstly I know that what I'm asking about is not practical, so let's keep it theoretical.

Let $B[H](x)$ be balloon hashing with $H$ as its underlying hash.
What happens if I do $B[H1](B[H2](x))$, where $H1, H2$ are distinct hash functions based on different constructions, let's say BLAKE2b and SHA-3?

Where do I lose security, and where do I gain it?

My intuition is that there should be benefit in prei ...

Score: 2
For unequal set sizes in PSI: why should the party with fewer elements use cuckoo hash rather than simple hash?

Most PSI papers use hash-to-bin to reduce the number of comparisons.

For unequal set sizes in 2PSI, I have read CCS17, which designs a PSI protocol for unequal sizes. The party with fewer elements uses cuckoo hashing; the party with more elements uses simple hashing.

I want to know the reason why the party with fewer elements should use cuckoo hash rather than simple hash, and why the party with m ...

Score: 1
Reversing a hash function makes the possibilities increase exponentially, yet there is a finite number of inputs. How?

When trying to reverse a hash function, there is loss, e.g.

a+b=c
given c=5, try to go back to a,b (previous step)
(a,b)=(5,0),(4,1),(3,2),(2,3),(1,4),(0,5)

but, given any of the (a,b) pairs, we get c=5 in the next step, and each of these pairs has the same exponential growth applied when reversing it. Thus, it seems that every step back you take increases the number of possible values that lead to ...

Score: 1
Can an adversary distinguish QROM from ROM with a single query?

I acknowledge that QROM differs from ROM (which can be considered as a specific QROM that performs a measurement on the input). For example, one can find a preimage for an arbitrary value with $O(N)$ queries to ROM, but with $O(\sqrt N)$ queries to QROM by Grover's algorithm. However, this requires more than $O(\sqrt N)$ queries. What is the case when only one query is allowed? More generally, is there ...

Score: 3
Is the security of a Schnorr signature dependent on the hash function that is used?

When a Schnorr signature is created, the number $r$ is concatenated with the message to produce a new value which is then hashed to give a number represented by $e$. The number $e$, accompanied by some other data that is used during validation, will then be sent over to a signature verifier. The signature verifier will then try to recompute the number $r$ using the information given to them and once ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.