Latest Crypto related questions

Score: 3
CCA security in QROM for symmetric schemes

Assume that we have a symmetric encryption scheme $\Pi_s$ that is IND-CCA secure in the standard model. Does this imply that $\Pi_s$ is IND-CCA in QROM?

Score: 2
What is the mainstream cryptography?

I am always hearing the term "mainstream cryptography", I am looking forward to more clarification on this concept.

What is the mainstream cryptography?

Is its definition subjective?

Is symmetric cryptography within the mainstream cryptography?

Is there good cryptography outside of the mainstream? (Aside: if so, how can we judge snake-oil cryptography as being outside of the mainstream?)

Score: 0
How can a concatenation of $N$ block-cipher with known keys be more secure?

General problem / intro: encrypting the (computable) relation between two random numbers which are members of an as-small-as-possible set, while anything except the order of execution is known to the adversary.
This question is about solving that problem with a concatenation of block ciphers.


Simplification:

  • we only consider block ciphers which are similar to AES
  • instead of $N$ different block-ci ...
Score: 4
Is $H(k || m) \oplus k$ secure?

It is known that $H(k || m)$ (when using SHA1) is an insecure MAC function since it is vulnerable to hash length extension.

But what about $H(k || m) \oplus k$? A normal hash length extension seems to be impossible now. Even if the same key is used several times, I see no problem as long as the output of $H$ is random enough. Am I right?
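The length-extension forgery the question takes as known, worked through in code. This is an added example, not code from the question: a pure-Python SHA-1 whose chaining state and prior message length can be set, so an attacker who sees tag = SHA-1(k || m) and knows len(k) can compute a valid tag for m || glue-padding || extension without knowing k. The key, message and extension are constructed sample values; the naive MAC is verified against hashlib.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md_padding(msg_len):
    """Merkle-Damgard strengthening as SHA-1 applies it to a message of msg_len bytes:
    0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block into the 5-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[i]) & MASK32
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d, e)))


def sha1(msg, state=None, prior_len=0):
    """SHA-1 of msg. With state/prior_len set, hashing continues from that chaining
    value as if prior_len bytes (a multiple of 64) had already been absorbed."""
    h = state or SHA1_IV
    data = msg + md_padding(prior_len + len(msg))
    for i in range(0, len(data), 64):
        h = sha1_compress(h, data[i:i + 64])
    return struct.pack(">5I", *h)


def naive_mac(key, msg):
    """The insecure MAC from the question: H(k || m) with the real SHA-1."""
    return hashlib.sha1(key + msg).digest()


def forge(tag, key_len, msg, extension):
    """Attacker side: knows tag = SHA-1(k || msg), len(k), msg and the chosen extension,
    but not k. Returns (forged_message, forged_tag) that naive_mac(k, .) accepts."""
    glue = md_padding(key_len + len(msg))          # padding the server inserted for k||msg
    state = struct.unpack(">5I", tag)               # the tag IS the chaining state
    absorbed = key_len + len(msg) + len(glue)       # bytes already hashed, multiple of 64
    forged_tag = sha1(extension, state, absorbed)
    return msg + glue + extension, forged_tag


if __name__ == "__main__":
    k, m = b"secret-key!", b"amount=10&to=bob"     # constructed sample values
    tag = naive_mac(k, m)
    forged_msg, forged_tag = forge(tag, len(k), m, b"&admin=1")
    print("forgery accepted:", naive_mac(k, forged_msg) == forged_tag)
```

The forgery works only because the tag is the raw final chaining value, which `forge` loads straight back into the compression function. That is the step an XOR with k interferes with: the attacker then sees a masked value and cannot seed the state without k. Whether H(k || m) XOR k is a secure MAC under a formal definition is a separate question from whether this particular attack applies.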

Score: 1
Hash function producing cycles with expected max length

Is there a known hash function $H_k: X\to X$ such that: $\forall{x\in{X}},\exists{n\in{\mathbb{N}}}, n<k \land H^n(x)=x$

=== EDIT ===

By hash function I mean that any other way of finding the preimage of $x \in X$ than iterating $H_k$ is computably unfeasible or at least significantly harder.

My motivation is using such a function as sequential POW.

Score: 0
RSA implementation not working with large values for plaintext

While implementing RSA encryption/decryption (using python), the plaintext doesn't match with the decrypted ciphertext for large values of plaintext. Works fine for smaller values for plaintext (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives 1000 as the plaintext, which is correct. Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...
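The failure in the question reproduced with its own parameters (p=53, q=59, e=3, d=2011), as an added example rather than the asker's code. RSA works in the integers modulo n = 3127, so a plaintext of 10000 is silently reduced to 10000 mod 3127 = 619 before encryption, and that is what decryption returns. The range check and the byte-length limit below are the checks the asker's code is missing; the function names are this example's.

```python
def rsa_keygen(p, q, e):
    """Return (n, d) for the given primes and public exponent; d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(e, -1, phi)          # modular inverse via pow needs Python 3.8+


def rsa_roundtrip(n, e, d, m):
    """Encrypt then decrypt with no range check. Returns m mod n, which equals m
    only when 0 <= m < n; this is the bug the question observes."""
    c = pow(m, e, n)
    return pow(c, d, n)


def rsa_encrypt_checked(n, e, m):
    """Refuse plaintexts outside Z_n instead of letting them wrap."""
    if not 0 <= m < n:
        raise ValueError(f"plaintext {m} not in [0, {n}); split it or use a larger key")
    return pow(m, e, n)


def max_plaintext_bytes(n):
    """Largest byte length whose big-endian integer value is always below n."""
    return (n.bit_length() - 1) // 8


def encrypt_bytes(n, e, data):
    """Encrypt a byte string as one integer, refusing inputs that could exceed n."""
    if len(data) > max_plaintext_bytes(n):
        raise ValueError("message too long for this modulus")
    return pow(int.from_bytes(data, "big"), e, n)


if __name__ == "__main__":
    n, d = rsa_keygen(53, 59, 3)          # the question's toy key: n = 3127, d = 2011
    print(rsa_roundtrip(n, 3, d, 1000))   # 1000, as in the question
    print(rsa_roundtrip(n, 3, d, 10000))  # 619 == 10000 % 3127, not 10000
    print(max_plaintext_bytes(n))         # only 1 byte fits under a 12-bit modulus
```

With a 12-bit modulus only a single byte can be encrypted per block, which is why toy keys make this wrap so easy to hit. Real deployments use 2048-bit or larger moduli together with a padding scheme such as RSA-OAEP, which also fixes the determinism problem of raw RSA.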

Score: 0
What is the point of using NIZK for hash function?

So my question is the point of using NIZK for hash function. My reasoning is that if you want to prove you have a certain preimage, isn't providing the hash value of this preimage directly enough to prove that argument? Maybe I am missing something here. Thanks!

Score: 2
Secure (sub-exponential time) FHE

In Gentry's easy FHE intro, it is stated that

Researchers [1, 8] showed that if $\epsilon$ is a deterministic fully homomorphic encryption scheme (or, more broadly, one for which it is easy to tell whether two ciphertexts encrypt the same thing), then $\epsilon$ can be broken in sub-exponential time.

Side question: This answer mentions that any probabilistic PHE scheme can be made deterministic. This h ...

Score: 1
Break RSA without padding using a rainbow table attack

We are using RSA without OAEP, with a relatively small input domain.

Let's assume we have John and Bob connected on a line, and we are eavesdropping on them. Bob first sends John his public key (e,n), then John encrypts his message m and sends it on the line encrypted. When we eavesdrop on the line we get his encrypted message, for example 3211 4431 9938 ... (I'm using a low modulus just for the example)

 ...
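The eavesdropper's precomputation attack from the question, as an added example (not the asker's code). Because textbook RSA is deterministic, anyone holding the public key can encrypt every candidate plaintext once and invert intercepted ciphertexts by table lookup; no rainbow-table time/memory trade-off is even needed for a domain of a few thousand values. The primes, the public exponent and the 4-digit PIN domain are assumptions chosen for illustration, and the randomized variant at the end is a simplified stand-in for real padding, not a secure scheme.

```python
import os

# Toy key (assumed): two known primes large enough that every padded PIN below stays under N.
P, Q, E = 104729, 1299709, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

PIN_BITS = 14            # 4-digit PINs (0..9999) fit in 14 bits


def textbook_encrypt(n, e, m):
    """Raw RSA: same m always yields the same c, so ciphertexts can be matched."""
    return pow(m, e, n)


def build_table(n, e, domain):
    """Eavesdropper precomputes c -> m for every plaintext in the (small) domain,
    using only the public key observed on the line."""
    return {pow(m, e, n): m for m in domain}


def recover(table, ciphertexts):
    """Invert intercepted ciphertexts by lookup; None if a plaintext was outside the domain."""
    return [table.get(c) for c in ciphertexts]


def randomized_encrypt(n, e, m, rand_bits=16):
    """Illustration of why padding must be randomized: fresh random bits are packed
    above the PIN, so equal PINs encrypt differently and the table no longer applies.
    Real systems must use a standard scheme such as RSA-OAEP, not this ad hoc packing."""
    r = int.from_bytes(os.urandom(rand_bits // 8), "big")
    return pow((r << PIN_BITS) | m, e, n)


def randomized_decrypt(n, d, c):
    """Strip the random prefix after decryption to get the PIN back."""
    return pow(c, d, n) & ((1 << PIN_BITS) - 1)


if __name__ == "__main__":
    table = build_table(N, E, range(10000))                    # one-off precomputation
    on_the_wire = [textbook_encrypt(N, E, pin) for pin in (1234, 42, 9999)]
    print(recover(table, on_the_wire))                          # [1234, 42, 9999]
    print(randomized_decrypt(N, D, randomized_encrypt(N, E, 1234)))  # 1234
```

The table costs one modular exponentiation per candidate plaintext and is reusable against every message encrypted under that public key, so the only real defence is to make the encryption of a given plaintext unpredictable, which is what OAEP's random seed provides.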
Score: 0
What is the need of xor-ing the key with an outer and inner pad in HMAC?

(diagram of the standard HMAC algorithm, not reproduced)

The diagram above shows the standard HMAC algorithm. However, consider the algorithm of HMAC without XORing the key with the outer or inner pad. In other words, let the structure of HMAC remain the same without XORing the key with the outer and inner pad. Let the key go in as input alone at both points. Is it possible to commit existential forgery with this modified architecture?

I understand that the standard HM ...

Score: 1
Hash function collision importance

Suppose a collision has been found in a certain hash function, such that H(x1) = H(x2)

However, x1 and x2 are both a seemingly 'random' collection of bits which do not convey a coherent message, and cannot be interpreted in a coherent way.

Does this collision make the hash function H not secure? If so, how can it be exploited, even if the known collision doesn't convey a coherent message? Thanks

 ...
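How a meaningless colliding pair becomes a meaningful one, shown as an added example (not part of the question). Hash functions built on the Merkle-Damgard iteration (MD5, SHA-1, the SHA-2 family) have the property that once two equal-length inputs x1, x2 collide, any common prefix and suffix preserve the collision: H(p || x1 || s) = H(p || x2 || s). The toy hash below uses a 24-bit chaining value so that a birthday search finds a random-looking colliding block pair in a few thousand trials; the construction, the contract text and all names are this example's assumptions, and for a real hash the colliding blocks would come from cryptanalysis instead of the search.

```python
import hashlib
import struct

STATE = 3      # 24-bit chaining value: tiny on purpose so a birthday search succeeds instantly
BLOCK = 8      # bytes per message block
IV = bytes(STATE)


def compress(state, block):
    """Toy compression function; SHA-256 truncated to the chaining-value size."""
    return hashlib.sha256(state + block).digest()[:STATE]


def absorb(state, data):
    """Iterate the compression function over block-aligned data (Merkle-Damgard chaining)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def pad(msg):
    """MD strengthening: 0x80, zeros to a block boundary, then the 64-bit message length."""
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK)
    return data + struct.pack(">Q", len(msg))


def toy_md(msg):
    return absorb(IV, pad(msg))


def find_collision(prefix=b""):
    """Birthday search for two distinct single blocks that collide after absorbing prefix.
    The blocks are just counters: random-looking bytes with no meaning of their own."""
    state = absorb(IV, prefix)
    seen = {}
    for i in range(1 << 24):
        blk = struct.pack(">Q", i)
        out = compress(state, blk)
        if out in seen:
            return seen[out], blk
        seen[out] = blk
    raise RuntimeError("no collision found")


def forge_documents(prefix, suffix):
    """Wrap the meaningless colliding blocks in meaningful text shared by both documents."""
    x1, x2 = find_collision(prefix)
    return prefix + x1 + suffix, prefix + x2 + suffix


if __name__ == "__main__":
    doc1, doc2 = forge_documents(b"CONTRACT", b": pay 100 USD to Alice")  # constructed sample
    print(doc1 != doc2, toy_md(doc1) == toy_md(doc2))                       # True True
```

The colliding blocks only need to land somewhere the file format ignores (a comment field, an unused chunk) for two otherwise readable documents to share a hash, which is exactly the shape of the published MD5 and SHA-1 collision demonstrations.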
Score: 2
Clarification of the provable cryptography controversies

I read about provable cryptography on Wikipedia. The article referred to tense controversies around 2007.

Do these controversies still exist?

What is the substitute for provable security? Is it not sufficient? I think AES does not follow the provable-cryptography style; am I right?

Which is the accepted/preferred view in the Cryptography community?

Why did it start in the first place? Is n ...

Score: 2
zkSnark: Restricting a Polynomial

I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

I have understood everything in the first 15 pages.

In 3.4 Restricting a Polynomial (Page 16)

We do already restrict a prover in the selection of encrypted powers of s, but such restriction is not enforced, e.g., one could use any possible means to find some arbitrary values

Score: 2
Is the tag generated in MAC equal for equal messages in CBC-MAC?

The Cipher Block Chaining algorithm for generating message authentication codes uses a 0 IV. So my understanding is that the same messages will generate the same MACs, which seems to violate semantic security. An attacker may deduce that two messages are the same by looking at the MAC. Is my intuition correct?
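The determinism the question notices, and what happens if one "fixes" it with a random IV, as an added example (not the asker's code). A MAC's goal is unforgeability, not confidentiality, so equal tags for equal messages are expected; the zero IV is what keeps the first block bound to the key. The block function here is a SHA-256-based stand-in for AES (an assumption of this example; the forgeries depend only on the CBC chaining, not on the cipher), and the keys and messages are constructed sample values.

```python
import hashlib
import os

BLOCK = 16


def block_fn(key, x):
    """Stand-in for AES_k: a keyed 128-bit pseudorandom function built from SHA-256."""
    return hashlib.sha256(key + x).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, msg, iv=bytes(BLOCK)):
    """Raw CBC-MAC: encrypt in CBC mode from the IV and keep only the last block.
    The standard form uses the all-zero IV; msg must be block-aligned (toy restriction)."""
    assert len(msg) % BLOCK == 0, "toy: block-aligned messages only"
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = block_fn(key, xor(state, msg[i:i + BLOCK]))
    return state


def cbc_mac_random_iv(key, msg):
    """The tempting 'fix': pick a random IV and transmit it alongside the tag."""
    iv = os.urandom(BLOCK)
    return iv, cbc_mac(key, msg, iv)


def forge_first_block(iv, msg, tag, delta):
    """No key needed. Flipping the same bits in the IV and in the first message block
    leaves IV xor M1 unchanged, so the whole chain and the tag are unchanged."""
    return xor(iv, delta), xor(msg[:BLOCK], delta) + msg[BLOCK:], tag


def forge_by_extension(m1, t1, x, t2):
    """Zero-IV CBC-MAC is still unsafe across message lengths: from t1 = MAC(m1) and
    t2 = MAC(x) for a single block x, the message m1 || (t1 xor x) has tag t2,
    because the chain computes E_k(t1 xor (t1 xor x)) = E_k(x)."""
    return m1 + xor(t1, x), t2


if __name__ == "__main__":
    key, msg = b"k" * BLOCK, b"A" * (2 * BLOCK)          # constructed sample values
    print(cbc_mac(key, msg) == cbc_mac(key, msg))        # True: deterministic, by design
    iv, tag = cbc_mac_random_iv(key, msg)
    iv2, msg2, tag2 = forge_first_block(iv, msg, tag, b"\x01" + bytes(BLOCK - 1))
    print(msg2 != msg and cbc_mac(key, msg2, iv2) == tag2)   # True: random IV is forgeable
```

The second forgery is why CBC-MAC is only secure for messages of one fixed length; variable-length use needs a derived construction such as CMAC, which is still deterministic.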

Score: 3
Confusion and diffusion misunderstanding

I am reading the book titled "Algebra for Cryptologists". The author defined the confusion and the diffusion as follows:

Confusion: Confusion is intended to make the relationship between the plaintext and/or the key on the one hand, and the ciphertext on the other, as complex as possible, or as stated by J.L. Massey: “The ciphertext statistics should depend on the plaintext statistics in a manner too ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.