Latest Crypto related questions

I'm not sure if anyone explored this area before. Blockcipher encryption definitely fullfills IND-CCA, but what about its inverse? Is there a proof that shows blockcipher decryption is as secure as encryption? Or is there an counter-example? Or it's an open problem?

The notion of security considered here is privacy. Is there a secure two-party protocol does not rely on randomness at all when considering passive adversaries (or active adversaries)? If the answer is no, are there any proofs of this in the literature? I tried to find relevant information, but still got nothing.

TL;DR: Is encrypting data with AES CBC with random IV + PBKDF2 key using the username as salt safe?

I have searched the internet, but I could not find a proper answer that encompasses the "AES CBC and random IV with PBKDF2 same salt" dilemma.

The scenario
I am developing a client/server/DB system, and my users need to have their data encrypted and accessible from multiple devices.

1. Users log in w ...

I am following the procedure described on p. 319 of the fourth edition of Douglas Stinson and (since that edition) Maura Paterson's Cryptography − Theory and Practice (IBSN 978-1-03-247604-9).

The context is recovery of the nonce $k$ in ElGamal signature in $\mathbb Z_p^*$, assuming nonce reuse. We have two message/signature pairs $\bigl(x_1,(\gamma,\delta_1)\bigr)$ and $\bigl(x_2,(\gamma,\delta_2) ...

I'm working in an embedded system that uses TLS v1.2 protocol for network security and it acts as a client.

Now I want to test some TLS security functions that require connecting with a TLS server and see how a client interacts if the server tries to perform unexpected behaviors that can be configured by me. Some of behaviors are like below:

1. The server tries to send Server Hello with cipher suites diffe ...

I'm designing an authenticated encryption scheme for a noninteractive one-way radio telemetry system. A number of devices in the field send back telemetry to a base station periodically, but no communications are sent from the base station to the devices.

My requirements and threat model are as follows:

• The devices can only send telemetry, they cannot receive anything. Once they're deployed they will op ...

In the book The Design by Rijndael states that the design criteria for the S-box are nonlinearity and algebraic complexity. Can these two criteria be considered as two specific cryptographic properties of the AES S-box? if not is there any way to determine the cryptographic properties of AES S-Box ?

I don't have a deep mathematical background in cryptography. I am reading "The FFX Mode of Operation for Format-Preserving Encryption". Section D says the following.

Why feistel? The authors believe that, for FPE, there is, at present, no serious alternative to some form of Feistel. The approach benefits from being a classically known and extensively studied. For all their prescience in identify ...

As learning to be an electronic engineer, my lecturer has requested, based on the original Xtea, to develop the FPGA solution to run 128-bit block size and 128-bit key size cryptography. I have decided to solve it by dividing the 128-bit block into four 32-bit blocks and running as double encryption. I wanted to make sure mathematics was correct first. There is the Python code I have developed. However, ...

I'm learning provable security, and I'm a bit confused with the concept of reduction.

So, here's my understanding:

to prove a protocol/scheme/generic construction is at some level of security, there are three components: the scheme itself ---> a security proof ---> the scheme achieves a security property.

The security reduction is used as a way of security proof, meaning a procedure to show t ...

As I am studying ordinary (non-supersingular) binary elliptic curves in the Guide to ECC book by Hankerson (Section 3.1, page 81), for point doubling, the equations presented in the book are:

$x_3 = \lambda^2 + \lambda + a = {x_1}^2 + \frac{b}{{x_1}^2}$

$y_3 = {x_1}^2 + (\lambda + 1) x_3 $

$\lambda = x_1 + y_1/x_1$

I have some questions to confirm my understanding, and I really appreciate elaborat ...

I am currently writing a paper in my old age for the fun of it. I feel that the enigma machine had gotten a bad wrap for some of its flaws. I decided to write a machine simulation to see if I can correct some of these flaws. The part of the "not being able to encode a character unto itself" isn't as large a flaw as first presented. In my version, I eliminated that flaw. At least, that is what it looks l ...

In the IETF Draft Deterministic ECDSA and EdDSA Signatures with Additional Randomness, methods had been specified to seed RNG deterministically with external input, to securely obtain a nonce for use in signing formula. The external input is variable to mitigate certain side-channel that may occur with fully deterministic signing.

However, the draft seem to have expired, with several security-related  ...

I'm hoping to get some help regarding an old problem that has eluded me. I'm trying to figure out how the VB6 PRNG was used to generate a byte output from the two byte seed that the Randomize() function provided it. I'm trying to replicate the code in C and seed it with my own 2 bytes, something like 0x12FF.

I'm looking to create an 8 byte output, derived from 8x one byte outputs (as opposed to o ...

I want to ask about the confidence interval in NIST SP 800 22 so I can make sure I got it right. When evaluating the randomness of many binary strings, for example 1000 binary strings. In the NIST SP 800 22 document section 4.2.1, it is recommended to calculate the confidence interval given by the formula: $\hat{p} \pm 3 \sqrt{\frac{\hat{p}(1-\hat{p})}{m}} $, where $\hat{p}=1-\alpha$ with $\alpha ...

In the steps of “Append the padding bits” in SHA-512 system, the message is padded so that its length is congruent to 896 mod 1024. I'm new to cryptography and I can't figure out the difference between message-length field and message length. I'm not sure what is the correct value of SHA-512 message-length field..?

And "The message-length field is used to indicate the actual length of the mes ...

Good day,

I've a question regarding Gaussian distribution properties over lattices :

Let $\mathcal{L}$ := $ \mathcal{L}(\,b_{1}$,..., $b_{m})$ be a lattice over $\mathbb{R}^{n}$, and $W$ = span($b_{1}$,..,$b_{m}$)$^{\perp}$. define $\pi_{W}$ to be the orthogonal projection onto $W$.

If i sample a vector b from a Gaussian distribution of support $\mathcal{L}$, standard deviation parameter $s$ and cent ...

This arose from a recent question's comment. Why is translating to Welsh less secure than encrypting the King's English?

I always get stuck at those kind of exercises in my Cryptography class. I just don't understand how should I build these scenarios of "sending m1 and m2 and then somehow telling if it was m1 or m2 etc..." attacks. Can someone explain to me in simple terms how can I describe a scenario for this exercise: "Show that the CBC mode is not CCA-secure by describing an attacker A and name its advantage."

The section 4.4.1 of the RFC 8446 tells about Transcript-Hash.
My questions about the transcript-hash are:

1. Must a server hash (a) all own sent messages, enumerate in the section 4.4.1, or (b) own sent and received from client ?
2. Must a server send the calculated transcript hash in any message separately or the hash is used only while deriving a keys using HKDF-Extract/Expand procedures ?

I am studying TLS handshaking by example a program tlse, which uses libtomcrypt library.
I see that in line 5236 (link above) the program call libtomcrypt procedure ecc_ansi_x963_export(context->ecc_dhe, out, &out_len) .
I see that the procedure forms a ECC key in the buffer out and add it to client "key_share" extension in the line 5248.

My question is: what is the format X9.63 ? Does it specifie ...

I am wondering whether there are any current challenge problems for Discrete Logarithms.

Specifically in $\mathbb{Z}_p^\ast$ as well as in elliptic curve groups.

It turns out CERTICOM still has some ECC challenges, and it seems 131 bits is the smallest unsolved case. See the link here.

One concern I have is that given the 109 bit challenge was solved in 2004, is it the case that 131 bits is still out of ...

The terms "average-case", "worst-case" hardness are quite confusing.

1. What do they mean when they say certain problems (like lattices) have an average-case to worst-case relationship? Do they mean there is a polynomial reduction between two case of the problem? Because polynomial reductions are of our interest as they are practical.
2. If we call an instance of a certain problem has average-case hardness, ...

ChaCha20 also provides 256-bit encryption, i.e, 2^256 possibilities of keys. But ChaCha20 is very fast, I think it provides at most 2^256 multiplied by decrypting time. 256-bit AES provides 254-bit security due to biclique attack, i.e., 2^254 multiplied by decrypting time. Since AES is slower than ChaCha20 (decrypting AES ciphertext needs more time), I think even if biclique attack works, that 254-bit s ...

I have been reading a paper about accumulators (title of the paper: "Universal Accumulators with Efficient Nonmembership Proofs"). It mentions "auxiliary information" about a function, which I couldn't quite understand. Can anyone explain the term in this context?

For EC Pedersen commitment: The two generators are G and H. Two messages and randomness are $m_1$, $m_2$, $r_1$, $r_2$, so the two Pedersen commitments are $Gm_1+Hr_1$ and $Gm_2+Hr_2$.

When adding these two, I got a new Pedersen commitment as $G(m_1+m_2)+H(r_1+r_2)$ with message $m_1+m_2$ and randomness $r_1+r_2$. But then what if the message $m_1+m_2$(or randomness $r_1+r_2$) overflows?

For example me ...

This is https://github.com/kokke/tiny-AES-c The column mixing function in the AES algorithm implemented.

static uint8_t xtime(uint8_t x)
{
    return ((x << 1) ^ (((x >> 7) & 1) * 0x1b));
}

// MixColumns function mixes the columns of the state matrix
static void MixColumns(state_t *state)
{
    uint8_t i;
    uint8_t Tmp, Tm, t;
    for (i = 0; i < 4; ++i) {
        t = (*state)[i][0]; ...

I've been studying the Schnorr signature scheme and recently came across an example that uses the STROBE protocol. In the classic version of Schnorr signatures, the challenge e is calculated as e = H(m || r), where m is the message, r is an ephemeral value, and H is a cryptographic hash function. However, in the STROBE-based version of the Schnorr signature scheme, it seems that the challenge is generat ...

I'm looking for a mechanism for a type of cert/key signing, where multiple keys need to sign/encrypt something, and a final key/method does not product a valid confirmation unless all those keys did sign/encrypt.

So maybe something like

• raw data
• action by key1
• action by key2
• action by keyN
• action by final user/system

It's ideal if any of the Key1..N do not need to know about each other, or only know abo ...

Suggested by u/HolgerBier on reddit

Is it unpredictable enough or too difficult to manipulate (as in more than a few hundred million USD) to have a sequence of blocks?