Latest Crypto related questions

Score: 1
Élise Navennec
RSA key generation: why use lcm(p-1, q-1) instead of the totient ϕ(n)?

As far as I can see, generating a private key from two prime numbers p and q, having calculated n = pq, starts with calculating λ(n) = lcm(p-1, q-1). This is the detailed explanation given in the wikipedia article for RSA, it's also the implementation I've found in most Python cryptography libraries, and, searching through the openssl source code, it's also how they seem to do it, so I'd say this lo ...

Score: 0
Fiono
Decryption of ElGamal ciphertext

If someone says that the decryption of an ElGamal ciphertext is "x", how can I be sure that the real value is "x" and not "y", even if he is the owner of the respective private key?

Score: 0
J. Doe
Besides block ciphers, which other methods can only be computed step by step even with a known secret (but fast per step) and can be inverted?

Depending on the cryptographic function used, applying it $i$ times to a given input can be computed in different complexity classes (based on their input size).

$$f^i(m_0) = c_i$$

For example, for most block ciphers it takes (even with knowledge of the secret key) about $i$ times the time of applying it just once (at least as far as I know). The same holds for $i$ steps backwards. Finding $m_0$ for a given $c_i$ also take ...

Score: 0
Group Signature by Camenisch and Stadler

Page 8, Paper: "Efficient Group Signature Schemes for Large Groups" by Camenisch and Stadler

(1) I was trying to understand the membership certificate part. I have only basic knowledge of math, but there seems to be quite some math behind it. Can somebody help me understand this part? "e" and "y" are not secret. Why is it infeasible to construct a triple (x, y, v) without the help of the group manager?

 ...

Score: 0
Titanlord
Reasons for the asymptotic approach

While reading Katz & Lindell's textbook (2nd edition) I stumbled over the chapter about the asymptotic approach. In the first part it is explained why the concrete approach is not good. Then the asymptotic approach is introduced. A negligible success probability is defined over a function that is asymptotically smaller than any inverse polynomial function.

My question: Why was it defined over  ...

Score: 2
NB_1907
What is the current situation of quantum computers?

Like other research areas of cryptography, quantum computing consists of hidden and open fractions. Apparently, we can't say anything certain about governments' capabilities, whereas academic or industrial developments in quantum computers are relatively public.

In this context, what are the current developments in quantum computers? Is it a serious threat to current cryptographic algorithms in the near fu ...

Score: 4
BeloumiX
Lack of response to CAESAR competition

Why is there so little response (e.g. implementation in crypto libraries, programs...) after the end of the CAESAR competition? As far as I can see, there is no shift from AES-GCM to any of the CAESAR algorithms. The response to the Password Hashing Competition, for example, was greater, at least in my perception. Is there a reason for that?

Score: 2
Why can ProVerif not find a value that I just created?

I have a really simple ProVerif problem. My current ProVerif code looks like this:

(* communication channel *)
free c:channel.

(* trying to create a mac scheme *)
type mkey.
fun mac (bitstring , mkey): bitstring.

(* Symmetric encryption *)

type skey.
type coins.

fun internal_senc(bitstring , skey , coins): bitstring.

reduc forall m:bitstring , k:skey , r:coins;
   sdec(internal_senc(m,k,r),k)  ...
Score: 0
Authentication of certificates

In order to provide authenticity of a sent message, we use certificates as fingerprints. But how do I know that the certificate is not stolen by someone? If the certificates are made public, why can't an attacker just take someone's public certificate and identify himself as someone else?

Score: 0
rzxh
Communication cost of bit level calculation for boolean shares in MPC

Bit operations, such as bit addition/multiplication, are quite efficient from a computation point of view. But in MPC, for example, if we use Beaver triples for bit multiplication, 2 parties have to exchange intermediate values, which leads to network communication. So, although the meaningful data we exchange is not that much (1 bit in each direction), are we consuming too much extra cost (network late ...

Score: 1
PouJa
On an elliptic curve, is it possible that from $P$ we can tell whether $a$ is a quadratic residue modulo $N$?

Imagine that, in an elliptic curve cryptography scheme where $P = a \times G$, Bob shares his public key $P$ with Eve (the devil who wants to know secrets he is not supposed to). Bob has also accidentally revealed a clue about $a$. The clue can be one or a combination of items from the following list:

  1. The number $a$ is an ODD/EVEN integer.
  2. The number $a$ is GREATER/SMALLER than half of the group order.

Score: 1
user3776738
How is a keyImage linked to a ring signature?

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't g ...

Score: 0
Peter_Python
To what degree does a high PBKDF2-HMAC-SHA1 iteration count compensate for weak passphrase entropy?

I lost a LUKS-encrypted laptop at the end of 2019 and am now trying to figure out the odds of a very sophisticated attacker being able to break in.

The LUKS container was created mid-2017 with LUKS1 default settings.

The CPU I used back then was an Intel Core i7-6700K, which I still have.

I ran some benchmarks with cryptsetup benchmark, which produced the following value for PBKDF2-sha1.

PBKDF2-sha1      ...

Score: 0
Can the same public key be used for ECDH and ECDSA

I want to generate a public key that I can use to sign messages and receive messages (using ECDH, for example).

I want to do so to have the smallest payload to share.

Is it possible and proven secure?

Score: 2
Antoine Catton
Hash function based cryptographically secure pseudo random number generator

I once read/heard that one could generate a cryptographically secure pseudo random number generator based on two cryptographically secure hash functions.

The algorithm goes this way:

  • Let $f$ and $g$ be two independent cryptographically secure hash functions of block size $s$.
  • This algorithm outputs blocks of $s$, the block $n$ is defined as: $output[n \times s; (n+1) \times s] = f(g_{n}(seed))$
  • The  ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.