Latest Crypto-related questions

Score: 1
adler
Is Argon2 based on BLAKE2b or is it only using the BLAKE2b at the end?

What is the exact meaning of 'Argon2 uses BLAKE2b'? Is it based on BLAKE2b, in the sense that ChaCha20 is based on Salsa20, or does Argon2 use the 12-round BLAKE2b hash function at the end to generate a hash value? Thank you.

Score: 19
Moss Richardson
Is it safe to create a public ID by hashing a private key?

In an application, a curve25519 private key is the only stable identifier for an individual. I don't readily have access to the corresponding public key.

Would it be safe to generate a public identifier by hashing this private key? E.g.

ID = argon2id(K_curve25519_private)
Score: 1
Shmuel
RSA: does it matter that we recover something congruent to x rather than equal to it?

In the proof that RSA successfully decrypts the message $x$, we show that $x^{e^{d}}\equiv x \pmod N$. However, I am wondering whether it is a problem that we don't recover $x$ exactly, but merely a number congruent to it in mod $N$. Does this cause problems as far as decrypting the message successfully?

Also, the text teaching me RSA says we may assume "$x$ is an integer mod $N$". Does this mean

Score: 0
CurtisB
May specifying the position of swapfile help defeat LUKS encryption?

I need to enable hibernation on the LUKS-encrypted drive. My /boot partition is unencrypted, hence it stores all kernel images as well as kernel parameters in unencrypted form. For hibernation to work, I should specify where the swap file starts on my drive, so the system can write hibernated data there. For this, the Linux kernel has the "resume_offset" parameter and the /sys variable of the same name.

https: ...

Score: 1
Sprax
Is this transposition cipher unbreakable?

Given a password as a seed for a pseudo-random number generator and the Fisher-Yates algorithm to shuffle the bytes of a string to random places, like Hello World to ldWoeHor ll, is it practically and/or theoretically impossible to break such a cipher if the plaintext contains enough words, like >100?

Like for example, a string is shuffled and the cipher generated is tca; if a cryptanalyst tries to find dictionary ...

Score: 1
JohnBlack
Why does sum of remainders of numbers divided by known factors, and repeating the process over and over, give factors of the two starting numbers?

While working with serial division/remainder method of finding factors, I have found that using knowns such as the known factors of a comparative number, or the difference between a number to be factored and its comparison number, then dividing into each number with the knowns and summing the remainders, the two original numbers will eventually be factored. This applies to many forms of cryptography, b ...

Score: 1
hiren_garai
Biasedness of the XOR variable of two independent biased boolean variable

My question is a very basic one. Suppose there are two independent boolean variables $X_1$ and $X_2$. It is given that $X_1$ is biased towards $0$ and $X_2$ is biased towards $1$ with the same amount of bias. Now will their XOR variable be biased or unbiased?

My try: Since their bias is the same, the probability that $X_1$ takes the value $0$ is the same as the probability of the $X_2$ variable taking the value $1$. If we ...

Score: 0
Ronnie Royston
JSON Web Encryption (JWE) Key Wrapping Fundamentals - How To Encrypt Content Encryption Key?

The JSON Web Encryption RFC 7516 says:

Encrypt the CEK with the recipient's public key using the RSAES-PKCS1-v1_5 [or RSAES-OAEP] algorithm to produce the JWE Encrypted Key.

Assuming a client/server architecture here where the server generates JWE tokens, does this mean that the client must initiate the JWA creation process by creating a public/private key pair and sending the public key to the ser ...

Score: 1
Zpeed78
Question on Number Theoretic Transformation (NTT) Condition

For the NTT I know the following preconditions, which must be fulfilled for the primitive $N$-th root of unity:

$$ \omega^N \equiv 1 $$ $$ \sum_{i=0}^{N-1} \omega^{ik} \equiv 0 \quad k=1,\ldots,N-1 $$

These are derived from the DFT and adapted to the modular arithmetic of the NTT. So far clear.

But what about this condition:

$$ \underbrace{1+1+\cdots+1}_{N} \not\equiv 0 $$

What if

$$ \underbrace{1+ ...

Score: 0
fjarri
Does a secret-dependent order of access of a lookup table create a possibility for a timing attack?

There are attacks that can extract some information from lookup table access that depends on a secret value, e.g. if we access a[0] or a[255] depending on some property of the secret, and a[255] causes a cache miss. But what if only the order of access changes depending on the secret value? E.g. we could have the a[0], a[1], a[2], a[3] or a[3], a[0], a[1], a[2] pattern. The order is different, but  ...

Score: 0
bjpo027
Implementation of Ring Signature

I have implemented a ring signature in a Python program. To keep it simple, I have Alice and Bob. Based on this ring equation:

$$ v = E_k(y_s \oplus E_k(y_i \oplus v)) $$

I will get:

$$ y_s = E_k^{-1}(v) \oplus E_k(y_i \oplus v) \pmod{n_s} $$ where $y_i$ is the private key of the ring signer

However, after calculating, I did not get a value that equals $v$ after completing the ring equation. Given their public keys,

Score: 0
Shark44
RSA Oracle - CTF

I am trying to solve a challenge regarding an RSA oracle which allows me to encrypt/decrypt any plaintext/ciphertext I want, but there are a few checks that I have to bypass, and my goal is to decrypt the given flag. The strategy I am using is basically trying to get the N by making the oracle encrypt some small numbers, and then just adding this N to the encrypted flag to bypass the check:

if c ==  ...

Score: 4
KennnyCZ
Why does the OpenSSL RSA signing process need the public exponent?

I am trying to fully separate RSA key pairs by breaking down $(N,e)$ for public part and $(N,d)$ for private part. From my understanding of RSA signature process, the message to be signed is digested at first (using e.g., SHA256) and the digest is then encrypted using private key. The receiver of the message then calculates the exact same digest and could verify the source by using a public key to ver ...

Score: 0
Cohen
Flaws in image/video encryption via pixel shuffle vs AES encryption

I've come across a site that boasts they are an "Unrivalled" media encryption service. While it is hard to find exactly what they do differently, it appears they use AES encryption to encrypt media files, which can then be directly downloaded as a .crypt file onto a device. This effectively renders the downloaded file useless, with no way of getting access. Is this correct? If not, what flaws could compr ...

Score: 1
ZKM
Does any encryption/decryption algorithm support linear decomposition?

I am not sure whether "linear decomposition" is the appropriate way to summarize my question: We know that the traditional symmetric encryption/decryption algorithms (like AES, TDES) can be written as:

C = FUN_enc(key, P)
P = FUN_dec(key, C)

where FUN_enc is the encryption function/algorithm, FUN_dec is the decryption function, C is the ciphertext, and P is the plaintext. For AES, FUN_enc and FUN_dec are AES encrypt and d ...

Score: 1
user1234
What is the maximum number of current members in a group CA that MKA can support?

The MACsec standard (IEEE 802.1AE-2018) states "The number of SCIs (and hence the number of SSCIs) is ultimately limited by the maximum number of current members in a group CA that MKA can support (less than 100) but is likely to be further limited by the port-based network control application (see Clause 7 of IEEE Std 802.1X-2010)."

An SCI (Secure Channel Identifier) is defined as "comprising a  ...

Score: 4
user1035648
What does the "static" assumption mean?

We can prove the security of a cryptographic scheme in the standard model or in a non-standard model.

Standard-model proofs rely on some computational assumptions; non-standard models, on the other hand, are things like the random oracle model or the generic group model. Right?

I've seen in a paper [CGKV18, page 10] the term $\color{blue}{static}$ computational assumption:

The question is: What does the adjective static mean in "static c ...

Score: 0
felix1234
Niederreiter not CPA secure

How can one prove that the Niederreiter cryptosystem is not secure against chosen-plaintext attack (CPA)?

Score: 2
ijaz khalid
In Dilithium (post-quantum signature algorithm), how have the authors precomputed the table of zetas for the NTT?

I am trying to understand the design rationale of the in-place NTT in Dilithium. I know how the splitting of polynomials is done, but I can't seem to map this approach to the precomputed table of zetas that is present in the authors' code. I have attached the array of values as well. Specifically speaking, is there a way to calculate these values by ourselves? If yes, then how can this be done? Any help  ...

Score: 2
Seed Barret
Equality of ElGamal plaintext & Pedersen commitment message

Let's imagine two entities: Bob and Alice. Bob's public key is $B = bG$. Alice's public key is $A = aG$.

Alice encrypts her number $n$ with Bob's public key so Bob could decrypt it ($n$ is small enough to be brute-forced):

$$E = nG + r_0B$$
$$R = r_0G$$

where $r_0$ is a random nonce. Alice sends $(E, R)$ to Bob.

Bob decrypts $(E, R)$:

$$D = E - bR$$
$$D = nG$$

Then Bob gets $n$ by brute-forcing $D =  ...

Score: 0
drydrydesert
Protocol for randomly sampling from an encrypted distribution?

If I have some set of n objects and I'm given a vector of encrypted probabilities [E(p_1), E(p_2), ..., E(p_n)] where the sum of the p_i == 1, is there a way to sample an object without revealing any p_i?

Score: 0
TheStrangeQuark
Zero-Knowledge Proof to prove hash of plaintext without decrypting

I'm decently new to cryptography and am trying to wrap my head around zero-knowledge proofs and applications. One use case that I am trying to figure out a strategy for is the following:

I have some plaintext that I'm going to encrypt and give to someone. They can't decrypt the ciphertext but want to verify the hash of the plaintext.

This seems like a place where a zero-knowledge proof is applicable ...

Score: 0
bd55
Chosen plaintext attack on Blum–Goldwasser cryptosystem

As I was reading on some encryption schemes the other day, I stumbled upon the Blum–Goldwasser cryptosystem and read that it is vulnerable to adaptive chosen ciphertext attack.
I searched for some actual example but could not find any, so I thought asking here for anyone willing to provide a simple proof of concept chosen ciphertext attack on the Blum–Goldwasser cryptosystem. Thanks in advance!

Score: 7
Iqazra
Could tropical cryptography become another candidate for post-quantum cryptography?

According to Wikipedia, tropical cryptographic protocols are built upon tropical algebras, i.e., a semiring $(\mathbb{R} \cup \{\infty\}, \oplus, \otimes)$ where $x \oplus y = \min \{x,y\}$ and $x \otimes y = x+y$. Recently, several tropical algebra-based cryptographic protocols have been proposed, and they rely on some tropical algebraic-based problems that are claimed NP-hard (such as the multiple expon ...

Score: 4
Vardhan Mahajan
Are TRNGs used in low power devices? Why?

I read somewhere that TRNGs are better than cryptographic algorithms that generate pseudo-random numbers (PRNGs) because these algorithms are more energy intensive than TRNGs.

By low power devices, I mean things with limited computational capacity or limited power, like a small IoT device.

Would there be any benefit to using TRNGs in those? If we don't use TRNGs in them, why is that? And if we do, w ...

Score: 0
Turbo
Practical deployments of ECC with cofactor of elliptic curves $4$ or $8$?

Are cofactor $4$ and $8$ ECC schemes widely used in practical deployments such as those in cryptocurrencies?

Can you name some practical settings where these curves are used, and cryptocurrencies where these are used (I checked Bitcoin and it uses cofactor $1$ ECC, so I was not sure if other cryptocurrencies also use cofactor $1$ ECC)?

Score: -2
JohnBlack
Can anyone understand why this factorization matrix I came up with gives answers in coordinates, and in whole numbers made of pairs of remainders?

I have found an unusual method of finding the factors of numbers. I can't be sure it always works, since I don't understand it fully. It involves using two numbers, which are products of at least two factors each, in a comparative way, creating a lookup system having columns of pairs that are remainders of division by sequential numbers. Can anyone explain why it works, or help find all the ways in w ...

Score: 0
lap quoc
What is the meaning of X is of order 2N in blind rotation of TFHE?

Could anyone please help me explain this?

I am reading the article about TFHE (Guide to Fully Homomorphic Encryption over the [Discretized] Torus).

On page 31:

I don't understand why we need to scale to modulus 2N. What is the meaning of "multiplicative element of Zn[X]", and why is X of order 2N?

Score: 0
Cromulent
How to generate an ed25519 GPG key pair on macOS?

I've been searching but have not managed to figure it out. I have the latest version of GnuPG installed from Homebrew and I want to generate a key pair which does not expire and also uses the ed25519 algorithm. I'd also like it to be password protected.

Can anyone point me in the right direction, please?

Score: 0
Stefan N
How is it that the attack in this PDF is deemed feasible, at 2 to the power of 88/89 DES calculations?

In the following PDF, several attacks on double-key-length Triple DES are deemed feasible at 2 to the power of 88/89 DES calculations.

If we take the record of cracking DES at 2 to the power of 56 calculations in 23 or so hours as the example, according to my estimate this should take hundreds of years and definitely isn't feasible.

What am I overlooking?

link: https://www.researchgate.net/publication/30 ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.