Latest Crypto related questions

Score: 0
Python code for 'Verifiable Canonical Generation of the Generator g', FIPS 186-4, returns False

Edit: if anyone, inexperienced like me, lands on this question, it has been answered on Stack Overflow.

Why does the Python code (see below) return False?

More context: I am going through FIPS 186-4 and on page 43 there is an algorithm, A.2.3 Verifiable Canonical Generation of the Generator g, to generate generators. I wrote Python code, see below, that encodes this algorithm. However, ...
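A reference implementation of the two FIPS 186-4 routines involved, added here as an example and not the code from the question: generate_g follows Appendix A.2.3 step by step, and verify_g follows A.2.4, the validation routine that recomputes the canonical g and compares. SHA-256 and the toy parameters p = 23, q = 11 with a made-up seed are assumptions for illustration; in practice the hash is the one used when (p, q) were generated and the seed is the domain_parameter_seed from that generation.

```python
import hashlib

# Added example (not the question's code): FIPS 186-4 Appendix A.2.3, verifiable
# canonical generation of g, and A.2.4, its validation routine. The hash must be
# the one used when (p, q) were generated; SHA-256 is assumed here.


def _u_value(domain_parameter_seed: bytes, index: int, count: int) -> bytes:
    # A.2.3 step 4: U = domain_parameter_seed || "ggen" || index || count,
    # where index is one byte and count is a 16-bit big-endian integer.
    return domain_parameter_seed + b"ggen" + bytes([index]) + count.to_bytes(2, "big")


def generate_g(p: int, q: int, domain_parameter_seed: bytes, index: int, hash_name: str = "sha256"):
    """A.2.3. Returns (g, count), or (None, None) for an invalid index or an exhausted count."""
    if not 0 <= index <= 255:                      # step 1
        return None, None
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    e = (p - 1) // q                               # step 2
    count = 0
    while True:
        count += 1                                 # step 3: count is a 16-bit counter;
        if count > 0xFFFF:                         # wrapping back to 0 means INVALID
            return None, None
        digest = hashlib.new(hash_name, _u_value(domain_parameter_seed, index, count)).digest()
        w = int.from_bytes(digest, "big")          # step 5: W = Hash(U)
        g = pow(w, e, p)                           # step 6: g = W^e mod p
        if g >= 2:                                 # step 7: g in {0, 1} -> try the next count
            return g, count                        # step 8


def verify_g(p: int, q: int, domain_parameter_seed: bytes, index: int, g: int, hash_name: str = "sha256") -> bool:
    """A.2.4. Checks the range and order of g, then recomputes the canonical g and compares."""
    if not 0 <= index <= 255:                      # step 1
        return False
    if not 2 <= g <= p - 1:                        # step 2
        return False
    if pow(g, q, p) != 1:                          # step 3: g must have order q
        return False
    computed_g, _ = generate_g(p, q, domain_parameter_seed, index, hash_name)   # steps 4-11
    return computed_g == g                         # step 12


if __name__ == "__main__":
    # Constructed toy parameters for illustration only: q = 11 divides p - 1 = 22.
    # Real DSA/DH domain parameters use a 2048-bit p with a 224- or 256-bit q.
    p, q, seed = 23, 11, bytes.fromhex("0123456789abcdef")
    g, count = generate_g(p, q, seed, index=1)
    print(g, count, verify_g(p, q, seed, 1, g))
```

Everything in U is byte-exact: index is one byte, count is two big-endian bytes, and "ggen" is the four ASCII characters. Any other encoding of these fields produces a different W, and A.2.4 will then report the candidate as invalid even though it has the right order.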

Score: 0
Mohamed AbdelAzeem
How to sign CAM/DENM messages using the mbed TLS library with ECDSA (IEEE Std 1609.2)

I have read ETSI TS 103 097 and IEEE Std 1609.2, which give me the security data structure defined in ASN.1 notation. I want to use mbed TLS to calculate the ECDSA signature. I understand that I should calculate the ECDSA signature and then put the results in the data structure with the data and then encode it. My questions are:

  1. Can you please mention the steps of how to sign a CAM/DENM?
  2. Is there any e ...

Score: 1
mkl
Using one seed to create signing key pair and encryption key

I'm working on creating a secure digital vault. I'm using mnemonic to generate a seed. The seed is used to generate a signing key pair for identity verification. However I want to also encrypt the contents of the vault for recovery purposes.

Can the same seed be used for signing, and for encrypting the data? (I can add a salt or some deterministic function if that helps).

This is related: Using a s ...
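One way to do what the post asks, added here as an example and not code from the post: run the seed through HKDF (RFC 5869) once and expand it under two different info labels, one for the signing key, one for the content-encryption key. The labels, the salt string and the 32-byte lengths are this example's own choices; the HKDF functions are implemented from the RFC with the standard library so the block runs offline.

```python
import hashlib
import hmac

# Added example (not the question's code): one seed, two independent keys via HKDF (RFC 5869)
# with distinct "info" labels. The labels and the salt string are this example's own choices.
HASH, HASH_LEN = hashlib.sha256, 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an absent salt is a string of HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... with T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_vault_keys(seed: bytes, salt: bytes = b"vault-v1") -> dict:
    """Two 32-byte keys from one seed. Each label yields an independent pseudorandom output,
    so learning one derived key reveals neither the other key nor the seed."""
    prk = hkdf_extract(salt, seed)
    return {
        "signing_seed": hkdf_expand(prk, b"identity-signing-key", 32),        # e.g. an Ed25519 seed
        "encryption_key": hkdf_expand(prk, b"vault-content-encryption", 32),  # e.g. an AES-256-GCM key
    }


if __name__ == "__main__":
    keys = derive_vault_keys(b"seed derived from the mnemonic (constructed)")
    print({name: value.hex() for name, value in keys.items()})
```

The point of the labels is domain separation: the two outputs are computationally independent even though they share a seed, and the same seed always reproduces both, which is what a recovery flow needs. Feed "signing_seed" to the signature scheme's key generation rather than using it as a private scalar directly, and never reuse either output for a second purpose without a third label.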

Score: 2
Myria
Is there an algorithm to compute the wNAF for an exponent faster than quadratic?

For doing exponentiation in a group for which inversion is trivially easy, such as elliptic curve groups, is there an algorithm for computing the $w$NAF ("$w$-ary non-adjacent form") array faster than $O(n^2)$? The standard algorithm is listed on Wikipedia as (translated to Python):

def wnaf(d):
    result = []
    for i in range(256):
        if d & 1:
            di = mods(d)
            d -= ...
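As an added example, not from the post: the same textbook loop as in the post, written out in full, beside an O(n·w) variant. The quadratic cost of the textbook loop comes from `d -= di` and `d >>= 1`, each of which touches all n bits of the big integer on every one of the roughly n iterations. The linear variant converts d to a bit list once and then only reads a w-bit window per nonzero digit, carrying a single bit forward when a negative digit is subtracted; the function names are this example's own.

```python
# Added example (not the question's code): the textbook wNAF loop next to an O(n*w) version.


def mods(d: int, w: int) -> int:
    """Signed residue of the odd integer d modulo 2^w, taken in (-2^(w-1), 2^(w-1))."""
    r = d % (1 << w)
    return r - (1 << w) if r >= (1 << (w - 1)) else r


def wnaf_quadratic(d: int, w: int) -> list:
    """Textbook loop: each of the ~n iterations subtracts from and shifts the whole n-bit
    integer, hence O(n^2) bit operations for an n-bit scalar."""
    digits = []
    while d > 0:
        if d & 1:
            di = mods(d, w)
            d -= di
        else:
            di = 0
        digits.append(di)
        d >>= 1
    return digits


def wnaf_linear(d: int, w: int) -> list:
    """Same digits in O(n*w): walk a bit list LSB-first with a one-bit carry and
    only ever look at a w-bit window, never at the whole integer."""
    bits = [int(b) for b in reversed(bin(d)[2:])] if d else []
    n, half, full = len(bits), 1 << (w - 1), 1 << w
    digits, carry, i = [], 0, 0
    while i < n or carry:
        b = bits[i] if i < n else 0
        cur = b + carry                       # current bit once the pending carry is applied
        if cur != 1:                          # even position: digit 0; 1 + 1 propagates the carry
            digits.append(0)
            carry = cur >> 1
            i += 1
            continue
        v = carry                             # odd position: value of the window bits i .. i+w-1
        for j in range(w):
            v += (bits[i + j] if i + j < n else 0) << j
        digit = v - full if v >= half else v  # == mods(v, w); v is odd and below 2^w
        digits.append(digit)
        digits.extend([0] * (w - 1))          # a wNAF has w-1 forced zeros after a nonzero digit
        carry = 1 if digit < 0 else 0         # subtracting a negative digit carries out of the window
        i += w
    while digits and digits[-1] == 0:         # drop padding zeros so the two forms compare equal
        digits.pop()
    return digits


def wnaf_to_int(digits: list) -> int:
    """Evaluate sum(d_i * 2^i), to check that a digit string really represents the scalar."""
    return sum(di << i for i, di in enumerate(digits))


if __name__ == "__main__":
    d = (1 << 255) - 19
    print(wnaf_linear(d, 5) == wnaf_quadratic(d, 5), wnaf_linear(13, 3))
```

The jump `i += w` after a nonzero digit is what makes the output a valid wNAF (no two nonzero digits within w positions) and what keeps the work proportional to n: the window is read once per nonzero digit, and each bit is visited a bounded number of times.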

Score: -1
Kuba Chrabański
truncated sha3-512

Let's say I need performance on a 64-bit machine, then SHA3-512 is the way to go.
SHA-512/256(x) is SHA-512(x) with output truncated to 256 bits, according to https://pycryptodome.readthedocs.io/en/latest/src/hash/sha512.html

Let H1(x) be SHA-512/256(SHA-512(SHA-512(x)))
Let H2(x) be SHA-256(SHA-512(SHA-512(x)))

Is H1 safer than H2?

Is there a way to truncate SHA3-512 like SHA-512/256 does?
Is

Score: 3
Kuba Chrabański
Collision finding method

The "birthday paradox" places an upper bound on collision resistance: if a hash function produces $N$ bits of output, an attacker who computes only $2^{N/2}$ (...) hash operations on random input is likely to find two matching outputs. If there is an easier method than this brute-force attack, it is typically considered a flaw in the hash function.

Is it mathematically possible that a hash function wi ...
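The generic attack the post describes, as an added example that is not part of the original post: hash distinct inputs, remember every output, and stop at the first repeat. The hash is SHA-256 truncated to N bits, a stand-in for an ideal N-bit hash, and N = 32 is chosen so that the roughly 2^16 evaluations finish in about a second; the input format is this example's own.

```python
import hashlib
import math

# Added example (not the question's code): the generic birthday attack against a hash
# truncated to N bits, at N = 32 so that it finishes in about a second.


def truncated_sha256(data: bytes, nbits: int) -> int:
    """Top nbits of SHA-256: a stand-in for any N-bit hash function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)


def expected_birthday_trials(nbits: int) -> float:
    """Expected evaluations before the first collision of an ideal N-bit hash: sqrt(pi/2 * 2^N)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def find_collision(nbits: int, prefix: bytes = b"msg-"):
    """Hash distinct inputs, remember every output, stop at the first repeat.
    Returns (m1, m2, trials). Memory for ~2^(N/2) outputs is the price of the speed-up."""
    seen = {}
    i = 0
    while True:
        m = prefix + i.to_bytes(8, "big")
        h = truncated_sha256(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    m1, m2, trials = find_collision(32)
    print(trials, round(expected_birthday_trials(32)), m1.hex(), m2.hex())
```

Nothing in find_collision depends on N other than the time and memory it takes, which is why the bound is generic: at N = 256 the same loop would need about 2^128 evaluations, and a hash for which some structure lets an attacker do noticeably better than this loop is considered broken.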

Score: 2
Felipe Rampazzo
LWE - Encrypting/Decrypting messages bigger than 1 bit

I'd like to know if LWE (and its variants: RLWE and MLWE) can cipher messages bigger than 1 bit. Is it possible? I didn't find any reference yet. Could you explain it to me or give some good references about it?

Thanks in advance.

UPDATE: I read some papers and maybe my question should be a bit different: Are there schemes using LWE and variants that are not FHE (ciphering more than 1 bit each time)? C ...
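Added example, not from the post: a toy Regev-style LWE scheme that encrypts one byte per ciphertext rather than one bit. The trick is the message modulus t: the plaintext m in Z_t is scaled by q/t into the high bits of v, and decryption rounds away the small LWE noise as long as that noise stays below q/(2t). This is the same encoding the non-FHE lattice schemes use (LPR-style public-key encryption and its module-LWE descendants), shown here with t = 256; the parameters are constructed for illustration and offer no security.

```python
import random

# Added example (not the question's code): Regev-style LWE encryption carrying one byte per
# ciphertext. Toy parameters for illustration; they are far too small to be secure.
Q = 1 << 20      # ciphertext modulus
T = 256          # message modulus: a whole byte per ciphertext instead of one bit
N = 32           # LWE dimension
M = 64           # number of LWE samples in the public key
DELTA = Q // T   # scaling factor that lifts m into the high bits


def keygen(rng=None):
    rng = rng or random.SystemRandom()
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]                 # small error, |e_i| <= 1
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt_symbol(pk, m: int, rng=None):
    """Ciphertext (u, v) with v - <u, s> = DELTA*m + <r, e>: the message plus a small offset."""
    rng = rng or random.SystemRandom()
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + DELTA * m) % Q
    return u, v


def decrypt_symbol(s, ct) -> int:
    u, v = ct
    w = (v - sum(x * y for x, y in zip(u, s))) % Q
    return round(w / DELTA) % T            # rounding removes the noise while |<r, e>| < DELTA/2


def encrypt(pk, msg: bytes, rng=None):
    return [encrypt_symbol(pk, byte, rng) for byte in msg]


def decrypt(s, cts) -> bytes:
    return bytes(decrypt_symbol(s, ct) for ct in cts)


def noise_margin_ok() -> bool:
    """Worst-case |<r, e>| is M; decryption is exact whenever that is below DELTA/2."""
    return M < DELTA // 2


if __name__ == "__main__":
    s, pk = keygen()
    print(decrypt(s, encrypt(pk, b"LWE carries whole bytes")), noise_margin_ok())
```

Raising t packs more bits into each ciphertext but shrinks the rounding margin DELTA/2, so t, q and the error distribution have to be chosen together; the schemes in the literature also replace the per-symbol ciphertext above with a vector or ring element that carries many symbols at once, which is a packing question, not a limitation to one bit.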

Score: 1
BenjyTec
Decrypt AES-128-CBC encrypted partial RSA Key

I am given a private RSA key whose header indicates that it is AES-128-CBC encrypted. Note that the last ten lines of the key are missing. (This is part of an educational task.)

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8B7CE35DB731727CEABA217FAE404DB8

... 37 and a half lines with 64 characters each

The task is to find out the passphrase of the key (is known to be a ...

Score: 3
Lieu Zheng Hong
How does the simulator generate a correct transcript under HVZK with the Fiat-Shamir heuristic?

Background

I understand the interactive version of Schnorr's protocol and I understand how the simulator can generate an output that is i.i.d to the output of the prover-verifier:

[Two figures in the original post: "Interactive version of Schnorr's protocol" and "How the simulator generates the output backwards"]

Question

What I don't understand is how does the simulator generate a correct transcript when we move to the non-interactive version of the Schnorr identification protocol? Page 4 of the 2019 CS355 lecture notes shows ...
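Added example, not from the post: non-interactive Schnorr with the Fiat-Shamir hash written as an explicit random oracle, and the simulator that produces an accepting transcript without the witness. In the random-oracle model the simulator controls H: it picks c and z first, solves for R, and then answers c whenever H(g, y, R) is queried, which is the "programming" step that replaces the honest verifier's cooperation in the interactive protocol. The toy group (p = 2039, q = 1019, g = 4) and the encoding of the hash input are this example's own assumptions.

```python
import hashlib
import random

# Added example (not the question's code): non-interactive Schnorr with an explicit random
# oracle, and the HVZK simulator that works because it is allowed to program that oracle.
# Constructed toy group: p = 2q + 1 with q = 1019 prime; G = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def real_oracle(query: bytes) -> int:
    """The Fiat-Shamir hash, modelled as a random oracle: c = H(g, y, R) mod q."""
    return int.from_bytes(hashlib.sha256(query).digest(), "big") % Q


def challenge_input(y: int, R: int) -> bytes:
    return f"{G}|{y}|{R}".encode()


def prove(x: int, y: int, rng=None, oracle=real_oracle):
    """Honest prover: commit to R = g^k, derive c from the oracle, respond with z = k + c*x."""
    rng = rng or random.SystemRandom()
    k = rng.randrange(1, Q)
    R = pow(G, k, P)
    c = oracle(challenge_input(y, R))
    z = (k + c * x) % Q
    return R, z


def verify(y: int, R: int, z: int, oracle=real_oracle) -> bool:
    """Verifier recomputes c itself and checks g^z == R * y^c."""
    c = oracle(challenge_input(y, R))
    return 1 <= R < P and pow(G, z, P) == (R * pow(y, c, P)) % P


def simulate(y: int, rng=None):
    """Simulator run backwards: choose c and z first, set R = g^z * y^(-c), then define
    H(g, y, R) := c. Returns the transcript and the simulator's view of the oracle."""
    rng = rng or random.SystemRandom()
    c, z = rng.randrange(Q), rng.randrange(Q)
    R = (pow(G, z, P) * pow(y, (Q - c) % Q, P)) % P      # y has order q, so y^(q-c) = y^(-c)
    programmed = {challenge_input(y, R): c}

    def programmed_oracle(query: bytes) -> int:
        return programmed.get(query, real_oracle(query))  # answers c at R, honest elsewhere

    return (R, z), programmed_oracle


if __name__ == "__main__":
    x = 123                      # witness; y is the public statement
    y = pow(G, x, P)
    R, z = prove(x, y)
    (R2, z2), oracle = simulate(y)
    print(verify(y, R, z), verify(y, R2, z2, oracle), verify(y, R2, z2))
```

The simulated (R, z) is distributed exactly like an honest transcript: z is uniform in both, and R is determined by (c, z) in the simulation just as it is determined by (k, c, x) in the real run. The only difference is inside the oracle, and that is invisible to a distinguisher because R is fresh, so H(g, y, R) has not been queried before and the programmed value is as good as a random one. Checked against the unprogrammed real hash, the same transcript fails with probability 1 - 1/q, which is why the simulation argument needs the random-oracle model rather than a concrete hash.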

Score: 2
MichaelW
How is MitM attack prevented when complete session is hijacked?

Let's say there is mutual authentication between a client which connects to a server on an otherwise unsecured TCP channel. Both parties create a random challenge and the other side answers with a keyed hash, based on a pre-shared symmetric key.

$$C\rightarrow open \,\, connection \rightarrow S$$ $$C\rightarrow challenge_C \rightarrow S$$ $$C\leftarrow challenge_S \leftarrow S$$

$$C\rightarrow H_K(chall ...
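What the exchange above does not do is protect anything sent after the two keyed-hash answers, so an attacker who takes over the TCP stream at that point can inject traffic freely. The usual fix, shown here as an added example and not the post's protocol code, is to derive per-direction session keys from the pre-shared key and both challenges, and to authenticate every later frame with a sequence number under those keys. The handshake labels, the frame layout (8-byte sequence number, payload, 32-byte HMAC) and the function names are this example's own choices.

```python
import hashlib
import hmac
import os

# Added example (not the question's protocol code): after the mutual challenge-response,
# derive per-direction session keys from the PSK and both challenges and authenticate every
# later frame with a sequence number, so a hijacker who takes over the TCP stream can neither
# inject, modify, replay nor reorder traffic. Names and framing are this example's own choices.


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def auth_response(psk: bytes, challenge: bytes, role: bytes) -> bytes:
    """The keyed-hash answer from the handshake; the role label stops a reflected challenge."""
    return prf(psk, b"auth", role, challenge)


def derive_session_keys(psk: bytes, chall_c: bytes, chall_s: bytes):
    """Bind the session keys to both nonces of this handshake; another handshake gives other keys."""
    return prf(psk, b"c2s", chall_c, chall_s), prf(psk, b"s2c", chall_c, chall_s)


class Channel:
    """One endpoint's authenticated framing: frame = seq(8) || payload || HMAC(32)."""

    def __init__(self, send_key: bytes, recv_key: bytes):
        self.send_key, self.recv_key = send_key, recv_key
        self.send_seq = self.recv_seq = 0

    def seal(self, payload: bytes) -> bytes:
        seq = self.send_seq.to_bytes(8, "big")
        self.send_seq += 1
        return seq + payload + prf(self.send_key, seq, payload)

    def open(self, frame: bytes):
        """Returns the payload, or None for a forged, modified, replayed or reordered frame."""
        if len(frame) < 40:
            return None
        seq, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        if not hmac.compare_digest(tag, prf(self.recv_key, seq, payload)):
            return None
        if int.from_bytes(seq, "big") != self.recv_seq:
            return None
        self.recv_seq += 1
        return payload


if __name__ == "__main__":
    psk = b"constructed pre-shared key"
    chall_c, chall_s = os.urandom(16), os.urandom(16)
    assert auth_response(psk, chall_s, b"client") == auth_response(psk, chall_s, b"client")
    c2s, s2c = derive_session_keys(psk, chall_c, chall_s)
    client, server = Channel(c2s, s2c), Channel(s2c, c2s)
    frame = client.seal(b"transfer 10")
    print(server.open(frame), server.open(frame))   # the second open is a replay and fails
```

Without the pre-shared key the hijacker cannot compute a valid tag for any frame, and the sequence number ties each frame to one position in one session. This gives integrity and ordering only; if the payloads must also be confidential, replace the HMAC framing with an AEAD under the same derived keys, which is what TLS and SSH do once their handshakes complete.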

Score: 1
Novice_researcher
Indistinguishability versus Indifferentiability

What is the Indifferentiability of Feistel Network?

Why is the concept of Indifferentiability useful and how is it applicable in the real world?

How is Indifferentiability compared to Indistinguishability?

Score: 3
Kuba Chrabański
Composition of cryptographic hash functions

I've stumbled upon many opinions, so I ask about them myself.

Let $H(x)$ and $F(x)$ be hash functions.

  • is $H(F(x))$ or $F(H(x))$ safer than $H(x)$ or $F(x)$
  • is $H(F(x))$ or $F(H(x))$ safe when $H(x)$ or $F(x)$ becomes vulnerable
  • is $H(H(x))$ safer than $H(x)$

Background

Doing my own research, I found statements suggesting that combining H and F is a common practice to stay safe when one of them become ...

Score: 0
Mohammadsadeq Borjiyan
The number of odd integers we have to test until we find one that is a prime for any arbitrary RSA modulus size

Popular RSA modulus sizes are $1024$, $2048$, $3072$ and $4092$ bit. How many random odd integers do we have to test on average until we expect to find one that is a prime? I know roughly every $\ln p$ integers has a prime. For a $1024$ bit $p$, $\ln p = 710$. On average, need to test about $710/2=355$ odd numbers before finding a prime. Is it true and can we extract the formula $(\ln p)/2$ for any arbi ...
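Added example, not from the post: the estimate ln(p)/2 as a function of the modulus size next to a measurement. Since p is a "bits"-bit number, ln p is about bits × ln 2, and restricting to odd candidates halves the count. The measurement draws independent random odd integers of a given size and counts how many are tested until one passes Miller-Rabin; 64-bit candidates and the sample count are assumptions that keep the run fast, the formula is the same at 1024 bits.

```python
import math
import random

# Added example (not the question's code): the ln(p)/2 estimate next to a measurement.


def expected_odd_candidates(bits: int) -> float:
    """About one in ln(p) integers near p is prime, so about one in ln(p)/2 odd ones;
    for a bits-bit p, ln(p) is roughly bits * ln(2)."""
    return bits * math.log(2) / 2


def is_probable_prime(n: int, rng, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                      # a witness: n is composite
    return True


def measure_odd_candidates(bits: int, samples: int, seed=None) -> float:
    """Average number of independent random odd bits-bit integers tested until one is
    prime, the prime itself included. With a fixed seed the result is reproducible."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        while True:
            total += 1
            n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force the size and oddness
            if is_probable_prime(n, rng):
                break
    return total / samples


if __name__ == "__main__":
    for bits in (64, 1024, 2048, 3072, 4096):
        print(bits, round(expected_odd_candidates(bits), 1))
    print("measured at 64 bits:", measure_odd_candidates(64, 300, seed=2024))
```

Real key generators test far fewer candidates than this because they sieve with many small primes before the first Miller-Rabin round; the same ln(p)/2 count still applies to the candidates that survive trial division, but each survivor is cheap to reject.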

Score: 4
Ivan
Is it possible to construct a 1-out-of-N OT with communication complexity smaller than the sender's whole input?

The constructions of 1-out-of-$n$ OT for $l$-bit strings I've seen had communication complexity proportional to $nl$. I wonder, is it possible to do OT with active security and transfer less than $O(nl)$ bits (I'm ignoring the security parameter in $O$-notation here)? The important part for me here is making it cheaper than just transfering sender's input to the receiver.

Is there some inherent l ...

Score: 0
LeetSpeech
Bug Bounty for a reversed Hash

This is just a general question: is there a bug bounty from the NSA or anyone else for reversing a SHA hash, specifically SHA-256?
