Latest Crypto related questions

Score: 4
How to securely derive a key from a list of sorted random bytes?

Is it possible to derive a secure cryptographic key from an array of sorted bytes, assuming the bytes themselves were generated in a secure manner (say, from quantum phenomenon)?

What would be the best approach to this issue?

Score: 0
How to show the PRF in 2. is secure?

Let $F$ be a PRF defined over $F:\{0,1\}^n\times\{0,1\}^n\to Y$.

1. We say that $F$ is XOR-malleable if $F(k,x\oplus c)=F(k,x)\oplus c$ for all $k,x,c\in\{0,1\}^n$.

2. We say that $F$ is key XOR-malleable if $F(k\oplus c,x)=F(k,x)\oplus c$ for all $k,x,c\in\{0,1\}^n$.

Clearly an XOR-malleable PRF cannot be secure: malleability lets an attacker distinguish the PRF from a random function. Show that the same holds for a key XOR-malleable PRF.

Remark: In contr ...

Score: 0
cracking a one time pad using key reuse

There is a one time pad which works as follows: given message "hello" and key "asdfg", it produces "hwoqu". It only works with the 26 english letters. The output is (h(7) + a(0))%26 = h(7), (e(4) + s(18))%26 = w(22) etc.

So I have two ciphertexts created as above using a single key for both ciphertexts. I'm supposed to be able to crack the plaintexts without needing access to the key.

What is the p ...

Score: 1
What is the success probability of a single exploitation attempt for these scenarios

Consider an architectural security measure intended to prevent stack buffer overflow attacks where, instead of storing the return address on the stack, the CPU stores the difference of the stack pointer and the return address. Specifically, the call and ret instructions now behave as follows:

  • call: Let n be the address of the next instruction. Instead of pushing n onto the stack, the call instruction ...

Score: 4
What's the main difference between the Schnorr identification scheme and its Smart-Card implementation?

This question arises because I couldn't find any official paper for the Schnorr identification scheme, but only for the Smart-Card implementation of it. Also, it seems that everyone, when talking about the SIS links the paper for the Smart-Card implementation. So I'm kinda confused, especially 'cause English isn't my native language and I can't figure it out by myself. I don't understand if they are the ...

Score: 0
One-time pad without zero: proof check

I started learning cryptography and tried to work through this problem: consider one-time pad where $\mathcal{M}=\mathcal{C}=\{0,1\}^n$ and $\mathcal{K}=\{0,1\}^n\setminus 0^n$ (call this scheme $\Pi$). Find $\Pr[\text{PrivK}_{\mathcal{A},\Pi}^{eav}=1]$.

My attempt: $\Pr[\text{PrivK}_{\mathcal{A},\Pi}^{eav}=1]$=$\frac{1}{2}\Pr[\text{PrivK}_{\mathcal{A},\Pi}^{eav}=1\mid b=0] + \frac{1}{2}\Pr[\text{ ...

Score: 1
Understanding Practical Differences Between ElGamal and Diffie-Hellman

I've been tasked with building a Web Assembly site that implements E2EE. I was thinking of using ElGamal Encryption to encrypt the message and Diffie-Hellman to establish the key. After doing further research, I'm having trouble understanding the practical use cases of using ElGamal vs Diffie-Hellman.

If I'm understanding correctly. Diffie-Hellman and ElGamal both rely on the discrete log problem ...

Score: 0
RSA: why $( e^{-1} ~\text{mod}~ n \cdot \varphi(n)) ~\text{mod}~ \varphi(n) = e^{-1} ~\text{mod}~ \varphi(n)$ holds for a specific setting of RSA

Let $p,q$ be primes and $n = pq$ as in every RSA setting, and now use a random $e$ that satisfies the following properties:

  • $\gcd(e, \phi(n)) \neq 1$
  • $(e^{-1} ~\text{mod} ~\phi(n))^{4}\cdot3 < n$
  • $e^{-1} ~\text{mod} ~\phi(n) < \sqrt[3]{n}$ (integer square root), where $\sqrt[3]{n} \in \mathbb{Z}$

where $\phi$ is Euler's totient function. This $e$ is used as the public exponent for the public ke ...

Score: 0
What is the difference between HMAC-SHA3-512 and KMAC?

Reading through the Wikipedia entry for HMAC, I see that SHA-3 can be used with the HMAC algorithm to give HMAC-SHA3-512.

I also know that there is KMAC, which from my understanding is a MAC construction designed specifically for Keccak (basically SHA-3), and it makes use of cSHAKE.

The question now is: what would be the difference between HMAC-SHA3-512 and KMAC? And when should one be used over the other? ...

Score: 0
RSA Blind Signatures Secure Implementation

Note: I am not a cryptographer.

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.
I did a lot of research in the last few days and came out with this:

Signature Issuing Stage

  1. Get the public key; exponent $e$, modulus $n$
  2. Generate a random number $r$ that is les ...

Score: 0
Textbook RSA meet in the middle time complexity

Hello,
I have a question regarding time complexity of meet in the middle attack on textbook RSA encryption. Let's suppose that I try to encrypt symmetric keys of different length with no padding using RSA algorithm. Example keys:

  • 56 bit DES key (with parity bits): DA13511CAB329E32 (without parity bits can be factored: BC6AF11×12864009)
  • 80 bit Skipjack key: 54C22E82E4E2F5FD9A5D (can be factored: 3 ...

Score: 2
ECB... lacks diffusion(?)

I noticed that the Wikipedia page for 'block cipher modes of encryption' states, "The disadvantage of this method is a lack of diffusion.", referring to ECB mode for block cipher encryption.

From some reading, ECB takes identical plaintext blocks to identical ciphertext blocks, as long as the key does not change. (making it insecure to use in general, as illustrated with the image of Tux the penguin ...

Score: 4
Is KMAC just SHA-3-256(KEY || message)

According to keccak strengths you have:

Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does not need the HMAC nested construction. Instead, MAC computation can be performed by simply prepending the message with the key.

Meaning I can get a MAC of a message by just computing $\operatorname{SHA-3-256}(KEY \mathbin\| message)$. If this is the case, why then does

Score: 0
Possible for a different key to decrypt properly?

I am thinking about CPA-security for symmetric encryption.

So $A$ gets access to an encryption oracle, and it can keep asking queries (training phase). In this training phase, he asks $m_i$ and receives back $y_i$. He can also check if he can find a key which decrypts to the same message he encrypted, just check if $\Pi.\mathsf{Dec}(k, y_i) = m_i$ for some $k$ that $A$ guesses. He can also do the sam ...

Score: 0
How to decompose a public key into subgroups EC?

Is it possible to decompose the public key into its own subgroups? Suppose we know the order P with which the public key was generated (Qx, Qy)

How can the public key (Qx, Qy) be decomposed into subgroups of small orders?

I saw in SageMath it is possible to work with Elliptic Curves

M = EllipticCurve(GF(p), [0, 7])  # short Weierstrass curve y^2 = x^3 + 0*x + 7 over GF(p); a-invariants are a list [a, b]

I am just getting familiar with SageMath and am having a hard time working on creating a  ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.