Latest Crypto related questions

Score: 1
Asked by korolev
In general, how do e2e messaging platforms deal with changes to the structure of the encrypted data?

I'm a layman trying to deepen my understanding of crypto and private messaging by building a (proof-of-concept) centralized, end-to-end encrypted messaging "platform".

Messages are sent by devices to the "server" (running on my Pi inside my home network) where they are stored and from whence they can be retrieved by the recipients via an api call. The server knows just the bare minimum to distrib ...

Score: 2
Asked by yacovm
Altering a subroutine PPT's output to fit a reduction proof

I have a protocol that operates in the malicious setting which involves parties sending each other group elements $u\in \mathbb{G}$ of a specific form (For example, these are messages of the form $u=g^{\alpha}\cdot h^{\beta}$ with generators $h,g\in \mathbb{G}$ and $\alpha, \beta \in \mathbb{Z}_q$ for some prime $q$).

Additionally, these parties attach non-interactive zero-knowledge proofs of kn ...

Score: 1
How to prove the inequalities of q-ary lattice determinant?

For $A \in \mathbb{Z}_q^{n \times m}$ and $A' \in \mathbb{Z}_q^{m \times n}$, we have

  • $\det(\Lambda_q^{\perp}(A)) \le q^n$ and $\det(\Lambda_q(A')) \ge q^{m-n}$
  • if $q$ is prime, and $A, A'$ are non-singular in the finite field $\mathbb{Z}_q$, the above inequalities are equalities,

where $\Lambda_q^{\perp}(A) = \{x \in \mathbb{Z}^m \mid Ax = 0 \bmod q\}$ and $\Lambda_q(A) = \{y \in \mathbb{Z}^m \mid y = As \bmod q\}$

The above content comes from D. Dadush's lecture note( ...

Score: 0
Using AES-CBC in TLS 1.2

Is AES-CBC still vulnerable in TLS 1.2, or does the vulnerability only work for lower TLS versions? If not, why was it deleted in TLS 1.3?
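Added example, not part of the question or of any answer on the page: the attack class that made CBC in TLS 1.2 hard to implement safely, run against a toy MAC-then-encrypt record layer. The block cipher here is a hypothetical 4-round Feistel network built from HMAC-SHA256 standing in for AES so that the code needs only the standard library; the padding scheme, the `padding_oracle` leak and the `attack` routine are this example's own construction. The attacker holds only ciphertext and a yes/no answer about padding validity, which is the side channel Lucky13 recovered from MAC-check timing in TLS 1.2 and which TLS 1.3 sidesteps by keeping only AEAD cipher suites.

```python
"""CBC padding-oracle attack on a toy MAC-then-encrypt record layer (added example).
Block cipher: hypothetical HMAC-SHA256 Feistel network standing in for AES."""
import hashlib, hmac, os

BLOCK = 16
KEY = os.urandom(32)  # constructed demo key, never seen by the attacker

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    iv = os.urandom(BLOCK)
    padded, out, prev = pad(plaintext), [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || ... || Cn

def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return unpad(b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def padding_oracle(key, data):
    """The leak: the receiver reveals whether the padding was well-formed."""
    try:
        cbc_decrypt(key, data)
        return True
    except ValueError:
        return False

def attack(oracle, data):
    """Recover the plaintext from ciphertext plus the oracle, without the key."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(cur), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                for k in range(pos + 1, BLOCK):
                    forged[k] = inter[k] ^ padv  # make known bytes decrypt to padv
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # could be an accidental 02 02: a real 01 survives a flip next door
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged) + cur):
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no guess accepted: not a padding oracle")
        recovered += xor(bytes(inter), prev)
    return unpad(recovered)

def demo(secret=b"Cookie: session=s3cr3t-value"):
    ciphertext = cbc_encrypt(KEY, secret)  # all the attacker ever sees
    return attack(lambda c: padding_oracle(KEY, c), ciphertext)
```

`demo()` encrypts a constructed secret under a key the attacker never sees and recovers it block by block at roughly 256 oracle queries per byte. The practical fix in TLS 1.2 stacks was to make the padding and MAC checks indistinguishable in both alert type and timing; the structural fix is an AEAD mode, which is why TLS 1.3 has no CBC suites to begin with.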

Score: 0
Is RSA in ciphersuites secure?

The ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure, but how do I know which RSA is used for the signature generation? If it's the hashed one, where you hash the message before signing it, can't an attacker still generate valid signatures where he computes (message, signature) = (hash(m)^e, hash(m)), and it is a valid signature?

Score: 2
Asked by Akash Ahmed
How can we link AES with Elliptic Curve Diffie-Hellman Key Exchange Method

Actually, I am working on a project to combine symmetric and asymmetric cryptographic algorithms.

The shared secret key for AES will be generated through the Elliptic Curve Diffie-Hellman key exchange (ECDH) method. My question is that ECDH will generate a shared secret key of 256 bits or more in length. For AES-128 I need a 128-bit secret key, but ECDH is not generating a 128-bit key.

So h ...
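Added example, not from the question: one way to get from an ECDH shared point to an AES-128 key, written out end to end. The P-256 arithmetic is a plain affine double-and-add (no constant-time care, demonstration only), `ecdh_shared_x` serializes the shared x-coordinate as 32 big-endian bytes, and `hkdf_sha256` implements RFC 5869 so that the raw secret is never used as the key directly. The `info` label, the function names and the 128/256-bit output sizes are this example's own choices, not anything the question specifies.

```python
"""ECDH on P-256, then HKDF-SHA256 down to an AES key of the requested size (added example)."""
import hashlib, hmac, secrets

# NIST P-256 (secp256r1) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    if pt is None:
        return True  # point at infinity
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, pt):
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)

def ecdh_shared_x(priv, peer_pub):
    # Reject off-curve points: feeding them to the group law is the classic
    # invalid-curve attack that leaks the private scalar.
    if peer_pub is None or not on_curve(peer_pub):
        raise ValueError("peer public key is not on P-256")
    shared = scalar_mult(priv, peer_pub)
    if shared is None:
        raise ValueError("degenerate shared point")
    return shared[0].to_bytes(32, "big")  # 256-bit raw secret, NOT yet a key

def hkdf_sha256(ikm, salt, info, length):
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()  # extract
    okm, t, counter = b"", b"", 1
    while len(okm) < length:  # expand
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]

def ecdh_aes_key(priv, peer_pub, key_bits=128, info=b"example-app aes key v1"):
    """Derive an AES key of key_bits from the raw ECDH secret (info is an assumed label)."""
    return hkdf_sha256(ecdh_shared_x(priv, peer_pub), b"", info, key_bits // 8)

def demo(key_bits=128):
    d_a, q_a = keygen()  # Alice
    d_b, q_b = keygen()  # Bob
    return ecdh_aes_key(d_a, q_b, key_bits), ecdh_aes_key(d_b, q_a, key_bits)
```

Both sides run `demo()`'s two derivations independently and land on the same 16 bytes; asking for `key_bits=256` yields 32 bytes from the same secret, which is the point: the KDF, not the curve, decides the key length. Binding a protocol label into `info` keeps keys derived for different purposes from colliding.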

Score: 1
Asked by caveman
Memory-hard key derivation algorithm where all requested memory is needed at every time moment

Background. All MKDF (memory-hard KDF) algorithms that I know (scrypt, Argon2, Balloon) don't really require all the memory at every moment during the run time of the algorithm's implementation, but instead impose a hefty computational penalty when less memory is used.

Roughly, the memory usage against time graph looks like this (of course, better MKDFs will have more adjacent spikes): [image of memory usage against time, not included] (Image from
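Added example, not from the question: a stripped-down ROMix, the core of scrypt, instrumented to count hash calls and stored blocks. It makes the point above concrete: an attacker who keeps only every k-th block from the fill phase still produces the identical output, paying only in recomputation, so the memory requirement is a cost curve rather than a hard floor. The 32-byte SHA-256 state, the block count and the seed are toy choices constructed here, not scrypt's real Salsa20/8 blocks or parameters.

```python
"""scrypt-style ROMix with a time/memory trade-off (added example, toy parameters)."""
import hashlib

class ROMix:
    def __init__(self, n_blocks):
        self.n = n_blocks
        self.hashes = 0        # work counter
        self.peak_blocks = 0   # memory counter

    def _h(self, x):
        self.hashes += 1
        return hashlib.sha256(x).digest()

    @staticmethod
    def _xor(a, b):
        return bytes(p ^ q for p, q in zip(a, b))

    def full_memory(self, seed):
        """Honest run: V holds all N blocks throughout the second phase."""
        v, x = [], seed
        for _ in range(self.n):          # phase 1: sequential fill
            v.append(x)
            x = self._h(x)
        self.peak_blocks = len(v)
        for _ in range(self.n):          # phase 2: data-dependent reads
            j = int.from_bytes(x, "big") % self.n
            x = self._h(self._xor(x, v[j]))
        return x

    def reduced_memory(self, seed, keep_every):
        """Attacker run: keep 1/keep_every of V and recompute the rest on demand."""
        v, x = {}, seed
        for i in range(self.n):
            if i % keep_every == 0:
                v[i] = x
            x = self._h(x)
        self.peak_blocks = len(v)
        for _ in range(self.n):
            j = int.from_bytes(x, "big") % self.n
            base = j - j % keep_every
            vj = v[base]
            for _ in range(j - base):    # walk forward from the nearest stored block
                vj = self._h(vj)
            x = self._h(self._xor(x, vj))
        return x

def tradeoff(n_blocks=1024, keep_every=8, seed=b"pbkdf2-output-stand-in"):
    """Return (same_output, hashes_full, hashes_reduced, blocks_full, blocks_reduced)."""
    honest, cheap = ROMix(n_blocks), ROMix(n_blocks)
    out_full = honest.full_memory(seed)
    out_reduced = cheap.reduced_memory(seed, keep_every)
    return (out_full == out_reduced, honest.hashes, cheap.hashes,
            honest.peak_blocks, cheap.peak_blocks)
```

With the defaults the honest run does 2N hashes holding N blocks, while the reduced run holds N/8 blocks and does roughly 2N + N·3.5 hashes: same answer, about one eighth of the memory, a few times the work. That ratio is what a memory-hard design tunes; it is not the "all memory, all the time" property the question is after.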

Score: 4
Asked by hlayhel
Is GCM with zero-length AAD less secure?

In a previous question, it was made clear that in the case of GCM, there is no distinction between "no AAD" and "zero-length AAD". Since I have noticed "zero-length AAD" in several implementations, my question is, does that render such AE schemes less secure?

In the various papers that treat AE security, I think the paper Reconsidering Generic Composition by Namprempre, Rogaway and Shrimpton might have  ...

Score: 1
Use of irreducible Goppa codes in McEliece scheme

Is there a cryptographic reason for using an irreducible Goppa polynomial $g$ in the McEliece scheme? One doesn't need irreducibility to define a usable code, so I assume there is some structural attack against reducible polynomials? [One caveat is that the presentation I've seen for Patterson decoding uses irreducibility, but one doesn't need to use that algorithm (and it isn't used in e.g. the  ...

Score: 0
Asked by Lê Thành Vinh
Why is a private key used to encrypt the hash in digital signing?

In common RSA encryption, a public key is used to encrypt the message, and the private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with his own private key, and Alice uses Bob's public key to decrypt the encrypted hash.

What is the purpose of this opposition? Or does it not matter which key is used to encrypt/decrypt?
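Added example serving both this question and the earlier one on RSA in cipher suites (the (hash(m)^e, hash(m)) attempt); it is not code from either question. Textbook RSA over a 512-bit modulus with SHA-256 and no padding, written out to show why the private exponent is the signing key and what hashing buys: `forge_raw` produces a valid signature on an unhashed integer without ever touching the private key, while `forge_hashed_attempt` shows that the suggested pair satisfies the raw equation and is still rejected, because the verifier hashes the message it actually received. The key size and the missing PKCS#1 encoding are simplifications; deployed RSA signatures, including those in TLS_ECDHE_RSA_* suites, use PKCS#1 v1.5 or PSS on top of this arithmetic.

```python
"""Textbook RSA sign/verify and two forgery attempts (added example, toy key size)."""
import hashlib, math, secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def keygen(bits=512, e=65537):
    """Return (public=(n, e), private=(n, d)). 512 bits is for speed, not security."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def h_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(private, msg):
    n, d = private
    return pow(h_int(msg), d, n)          # needs d: only the key holder can produce this

def verify(public, msg, sig):
    n, e = public
    return pow(sig, e, n) == h_int(msg)   # needs only (n, e): anyone can check

def verify_raw(public, m, sig):
    """Signature on a raw integer with no hash: existentially forgeable."""
    n, e = public
    return pow(sig, e, n) == m

def forge_raw(public):
    """Pick any s, publish m = s^e mod n: verify_raw accepts (m, s) without d."""
    n, e = public
    s = secrets.randbelow(n - 2) + 2
    return pow(s, e, n), s

def forge_hashed_attempt(public, msg):
    """The question's idea: message = hash(m)^e mod n, signature = hash(m).
    Returns (forged_message, forged_sig, raw_equation_holds, accepted_by_verify)."""
    n, e = public
    hm = h_int(msg)
    forged_msg = pow(hm, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    raw_holds = pow(hm, e, n) == int.from_bytes(forged_msg, "big")
    # verify() hashes forged_msg; SHA-256(forged_msg) != hm except by a 2^-256 accident
    return forged_msg, hm, raw_holds, verify(public, forged_msg, hm)

if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"transfer 10 EUR to alice"
    print("genuine:", verify(pub, msg, sign(priv, msg)))
    print("raw forgery accepted:", verify_raw(pub, *forge_raw(pub)))
    print("hashed forgery accepted:", forge_hashed_attempt(pub, msg)[3])
```

The asymmetry in the question is the whole point: `sign` is the one operation that needs `d`, so a verifying signature proves the holder of `d` processed that hash, whereas encryption goes the other way so that only the holder of `d` can read. Without the hash, `forge_raw` shows the "signature" proves nothing; with it, the forger would need a preimage of `hash(m)^e`, which is exactly what the hash denies.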

Score: 1
Asked by Novice_researcher
Developments in ABE using Pairings

What are the recent developments in Attribute-Based Encryption (ABE) using Pairings assumptions?

Are pairings the most viable assumption when designing ABE? What other assumptions are used for ABE schemes, and are there any advantages they give over the pairings assumption?

Score: 0
zkSnark Intro by Maksym Petkus: Is the polynomial defined over $Z$ or is it defined over $Z_n$?

I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

Here he has a polynomial $p(x) = x^3 - 3x^2 + 2x$

and the homomorphic encryption defined as $E(c) = g^c \bmod 7$

It's a little unclear whether the polynomial is defined over $Z$ or over $Z_7$; it's left a little ambiguous in the text.

This matters in the st ...

Score: 2
Asked by Yotam Sofer
Which block cipher mode of operation does TLS 1.3 use?

Which block cipher mode of operation does TLS 1.3 use? I assume it is a block cipher mode that provides authentication (like GCM).

Score: 2
Given a hash function and a hash value, can you tell if it can produce such a value?

I came up with the following question:

Given a hash function H() and a hash value h that is in the codomain/range of outputs of H(), can you determine if h can be produced by H() (i.e. is h in the image of H())?

Can the question be answered? Does it contradict the preimage resistance property?

Is there any benefit you can think of for a hash function having the above property (that you can/can't  ...

Score: 1
Asked by NotQuiteSo1337
Incrementing nonces vs regular nonces?

I have recently been studying up on the LoRaWAN protocol for IoT devices.

LoRaWAN has a handshake, and then communication can commence. Messages are encrypted and MACed. When the encryption and MACs are made, the values FCntUp and FCntDown are mixed in. FCntUp is used for uplink messages, while FCntDown is for downlink.

Both of the values start at 0, and increment with every message, and then reset every s ...
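Added example, not from the question: why a per-frame counter has to be unique and strictly increasing, shown from both the sender's and the receiver's side. A hypothetical HMAC-SHA256 keystream keyed by (direction, FCnt) stands in for LoRaWAN's AES-128 counter-mode encryption so that the code runs on the standard library; the 4-byte MIC truncation matches LoRaWAN, while the frame layout, the `direction` byte and the key names are simplifications made here.

```python
"""Frame counters as nonces: reuse leaks plaintext XOR, receivers must enforce monotonicity (added example)."""
import hashlib, hmac

UP, DOWN = 0, 1   # FCntUp and FCntDown are independent counters

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, direction, fcnt, length):
    """Keystream is a function of (key, direction, fcnt) only: reuse fcnt, reuse keystream."""
    out, i = b"", 0
    while len(out) < length:
        block = bytes([direction]) + fcnt.to_bytes(4, "big") + bytes([i])
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[:length]

def mic(key, direction, fcnt, ciphertext):
    """4-byte MIC over direction, counter and ciphertext, as LoRaWAN truncates its MIC."""
    header = bytes([direction]) + fcnt.to_bytes(4, "big")
    return hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:4]

def seal(enc_key, mac_key, direction, fcnt, payload):
    """Sender side: returns (fcnt, ciphertext, mic) for one frame."""
    ct = xor(payload, keystream(enc_key, direction, fcnt, len(payload)))
    return fcnt, ct, mic(mac_key, direction, fcnt, ct)

def nonce_reuse_leak(enc_key, direction, fcnt, p1, p2):
    """Two frames under the same (direction, fcnt): c1 XOR c2 equals p1 XOR p2."""
    _, c1, _ = seal(enc_key, b"unused-mac-key", direction, fcnt, p1)
    _, c2, _ = seal(enc_key, b"unused-mac-key", direction, fcnt, p2)
    return xor(c1, c2)

class Receiver:
    """Accepts a frame only if its counter is strictly above the last accepted one."""
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_fcnt = {UP: -1, DOWN: -1}

    def open(self, direction, fcnt, ct, tag):
        if fcnt <= self.last_fcnt[direction]:
            return None                    # replay or counter reuse: drop before any crypto
        if not hmac.compare_digest(tag, mic(self.mac_key, direction, fcnt, ct)):
            return None                    # forged or corrupted frame
        self.last_fcnt[direction] = fcnt   # advance only after the MIC check passes
        return xor(ct, keystream(self.enc_key, direction, fcnt, len(ct)))
```

`nonce_reuse_leak` is the failure mode an incrementing counter exists to prevent: whoever captures two frames with the same counter learns the XOR of the two payloads with no key at all. `Receiver.open` is the other half of the contract; a receiver that accepts an old or repeated counter turns every captured frame into a replay, which is why the check comes before MIC verification and the stored counter advances only after it.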
