Latest Crypto related questions

Score: 2
GL-SPHF and witness encryption

I recently came across this fascinating paper, and was wondering about whether the GL-SPHF that the paper constructs can be used to create a witness encryption scheme for algebraic branching programs. That is, if Alice could derive the appropriate parameters $\Gamma$ and $\theta$ for the GL-SPHF for a given algebraic branching program, then she could derive a symmetric key from the hash $H$ computed f ...

Score: 1
akez
What is the best way to save ChaCha20 Nonce in Cipher-Image BMP file?

I have a question about ChaCha20. As far as I know, ChaCha20 is a cipher algorithm that uses 4 inputs:

  1. Key (secret)
  2. Constant (not secret)
  3. Block Number/Counter (keystream block number)
  4. Nonce (random number per encryption/key & considered non-secret)

My question is how do I store a 12-byte (96-bit) ChaCha20 Nonce on a Cipher-Image/CipherText, specifically a BMP file?


I want to do this so that th ...

Score: 2
Abhisek Dash
Why is key reuse not an issue in a Feistel cipher?

I have a good understanding of stream ciphers and one time pad. I also know the dangers of using the same key in a PRG for a stream cipher.

However, as far as I can tell, the Feistel block cipher uses the same key for every block of plaintext (which is expanded into keys for each round). If this is true, why is this not a problem? Is it because the function F and specifically the S-boxes used are ...

Score: 0
Evgeni Vaknin
MAC Security - MAC verification queries

In the applied cryptography book by Boneh and Shoup, Chapter 6 on MACs, it is stated that an adversary that is also capable of requesting verification queries from the challenger (in addition to signing queries) is not stronger than an adversary that can only ask for signing queries. I do not understand why a verification query cannot be emulated by the signing-query adversary by generating the pair (mi, ...

Score: 2
Prof.Chaos
Why do universal hash functions prevent adversaries, but uniform hash functions don't?

Before I state my actual question, let me first give some terminology so we are all on the same page:

Let $U=\{k_1,...,k_u\}$ be the universe of possible keys, $|U|=u$. We use a hash table $T$ with $m$ cells, counting from $0$ to $m-1$. We use a family of hash functions $H$, such that each $h\in H$ has the likelihood $1/m$ that two distinct keys $k$ and $k'$ hash to the same value, i.e., $P(h(k)=h(k'))=1 ...

Score: 2
Novice_researcher
Types of PRFs and their applications

I was learning about iO from this paper when I noticed the different new types of PRFs. I wanted a clear understanding of the following.

  1. What are Puncturable PRF (PPRF)? Why is it defined in the way it is? Applications?

  2. What are Statistically Injective PPRFs and their need?

  3. What are Extracting PPRFs and their applications?

Please explain the need for introducing the following types and the addit ...

Score: 0
sashok
Using AES.MODE_EAX for AES Encryption

I am currently attempting to perform AES encryption in Python on a larger size file for simulation purposes. At the moment, I have been trying to use AES.MODE_EAX, as mentioned in the documentation for AES:

https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html

I wanted to check what the correct way of approaching encryption of the file would be.

At the moment, I am dividing the file into  ...

Score: 0
Is there a risk that some of the expressions in the hash function can be reversed?

I have developed an application that reverses some expressions used in hash algorithms. The application does not reverse the entire algorithm, but does reverse some parts. This application reveals that some expressions in the algorithm can be reversed. Does this pose a risk to hash algorithms using similar expressions?

Below is the application output and test code of an expression formed from fre ...

Score: 0
Protect PII in-transit via hash comparison

I'm being asked to provide a solution for my internal customer. All network communication is internal and no applications nor their servers are accessible via the internet.

  • REQUESTOR application will have a list of SSNs for 1000+ people that they need information for (different list of 1000+ each day).
  • REPORTER application can run SQL queries and provide formatted output.
  • DATAOWNER application has the  ...

Score: 0
Ted Brownlow
Are there any implementations of "More Fun With Funky Plaintext Spaces" from the BGV paper?

Fully Homomorphic Encryption without Bootstrapping describes considerations for large (exponential in the security parameter) integer plaintext spaces in Section 5.4, "More Fun with Funky Plaintext Spaces". Has anybody implemented these techniques in code?

Score: 0
Implementing the sbox components using lookup tables

Is it possible to implement the components of an SBOX using lookup tables? For example, for a 4-bit SBOX it is possible to obtain component 3 using SAGE in the following way:

sage: from sage.crypto.sbox import SBox
sage: S = SBox([7,6,0,4,2,5,1,3])
sage: f3 = S.component_function(3)
sage: f3.algebraic_normal_form()
x0*x1 + x0*x2 + x0 + x2

But I need to use that component several times (li ...

Score: 2
Alok Maity
Digital signature with Big Brother

I have read digital signature with Big Brother but don't understand the sequence.

One approach to digital signatures is to have a central authority that knows everything and whom everyone trusts, say Big Brother $(BB)$. Each user then chooses a secret key and carries it by hand to $BB$'s office. Thus, only Alice and $BB$ know Alice's secret key, $K_A$, and so on.

When Alice wants to send a signed plaint ...

Score: 3
Léo Colisson
Is it common/valid to hardcode an element of a language into a simulator?

Short version: Is it a common practice (and a valid practice) to hardcode an element $d \in \mathcal{L}$ of a language into a simulator? (making the simulator non-uniform and non-constructive)

Long version:

I have a prover $P$ that does the following: it takes a bit string $d \in \mathcal{L}$ for some language in $\textsf{NP}$, then it encrypts $d$ using a CPA-secure encryption to obtain an encryption

Score: 0
pajacol
Grover algorithm for AES in CBC mode

Hello,
I was wondering whether it is theoretically possible to use Grover's algorithm to break AES in CBC mode. Assume that I have ~1000 plaintext/ciphertext pairs and the key length is 128 bits. I thought about it this way:

  1. For each pair of plaintext and ciphertext use only first 16 bytes of plaintext and first 16 bytes of ciphertext. (They will be labeled as Pn, Cn where n is n-th pair)
  2. Write down s ...

Score: 2
Shweta Aggrawal
How do we pick random elements in cryptography?

While reading papers on cryptography, a lot of the time I have seen that people pick random elements $x\in \mathbb{Z}^*_q$ to do something (like setting a secret key and so on). How does one randomly pick elements in reality? I mean, in a practical implementation, what procedure do we follow? Do we use some CSPRNG?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.