Latest Crypto related questions

I'm trying to implement a Cramer Shoup cryptography system in C but I've run into problems with generating the keys.

From what I have found on the wiki and in other papers, to generate keys for Cramer Shoup you must generate a cyclic group G of order q with generators g1 and g2, then take 5 values between 0 and (q-1) and with that you can easily generate the keys.

I initially tried doing this manual ...

Let's say parties A and B have a common secret $k$. Is there a protocol where both the parties jointly release a commitment to $k$ so that later on, neither A or B can deny what the common secret was?

Edit: Specifically, I am interested in the scenario where one of the parties can be malicious and we need to prove to a third party C that a commitment $\Phi$ is actually that of the common secret $k$

the following equation is used to prove the Shannon's theorem by showing the existence of two messages $m_0, m_1$ if $|K| < |M|$ but I'm unable to visualize/understand the probabilities. Especially the $Pr$ over $K$ thing doesn't get into my head. Anyone able to explain it?

• $\mathcal{K}$ is the keyspace
• $\text{Pr}$ means probability
• $m_0$ and $m_1$ are messages from the message space $M$
• $c$ i ...

I was reading the comments of an article about a proposed new implementation of /dev/random in Linux today, and someone remarked that it must be bothersome to go through 43 revisions and still not have your patch landed. A few comments down the line and someone seemingly implies that this new implementation would be FIPS 140-2 compliant, and that this is controversial with "a developer of one famous V ...

I am relatively new to cryptography, but I've been programming for a while. Here's a story that sets well the problem I'm trying to solve:

Alice has a digital passport that's signed with her government's private key. Each property is signed separately, and it would still be verifiable that, for example, her first name is "Alice", without saying that her last name is "Smith".

From here, knowing that  ...

I have some code, which can crack a discrete logarithm problem in ~ O(0.5n) time. However, this only works if, in the following, N is less than P:

G^N (mod P). To be clear, my program can figure out the value of N based on G and P as long as N is in between 1 and P (inclusive and exclusive respectively).

This would be helpful for cracking something like Diffie-Hellman, but I have one question: In mo ...

The root hermite factor corresponding to an bit-security level, such as 1.0045 corresponding to 128-bit security. What is the root hermite factor corresponding to 100-bit, 160-bit, 180-bit security?

root hermite factor: 1.0045 ? ? ? bit-security : 128 100 160 180

Just for an example, let's say I downloaded "the adventures of tom sawyer" from gutenberg in .txt file format and saved it to my usb thumb drive.

And as you can see, usb drive is not an ideal device for long term data retention. But if I insist on using it, there's possibility any files in my storage would finally be corrupted after long time without powering it up.

So what I will do now is to save  ...

PRNG is a mechanism to produce randomness from an initial random seed, so basically a way to derive more secrets from one secret.

Looking at the Wikipedia entry for KDF you find

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a main key, a password, or a passphrase.

Which sounds to me like what PRNGS a ...

https://link.springer.com/content/pdf/10.1007/3-540-49649-1_18.pdf

In class I, why (4) implies $g\equiv 1 \mod q$

Also even though I get $p$ and $q$ it still can't get $ord_n(g)$ without trying out different possibilities or is there a way to do all forgery?

Why do we not define modes of operation for public-key encryption just like how they are defined for block ciphers?

When encrypting data, I want to verify that the correct key was entered without hashing it. Is it safe to decrypt the ciphertext and compare the hash of it with the stored one or can the plaintext (which could be very long) be read from the hash?

I got the idea of this proof, that since PRG expands from n to 2n, it cannot project to all {0,1}^{2n}, only to a neglible part which we can abuse to make a good distinguisher just by telling if A succeeds finding a preimage in X. A random string from U2n has very likely no preimage in X. Thus we can distinguish U2n from G(Un). But I think I do not understand the construction f well. What's the pur ...

Suppose that we have the usual problem of secure communication, where each of the $I$ agents have a private signal $s_1,s_2,\dots,I$ and they wish to compute any function $f(s_1,s_1,...,s_I)=(x_1,x_2,...,x_I)$ in such a way that no party learns more than their input $s_i$ and output $x_i$.

Although I have seen many cryptographic protocols designed to be secure and in order to solve the problem th ...

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C₁ = C⁴⁹ , C₂ = C₁⁴⁹, etc. He will find C_j = C for 1,2,5 or 10

I do not understand how they figured out they will have M = C_j-1 in at most 10 steps? They  ...