Latest Crypto related questions

NOTE: This question is based on my assumption that $X$ is a "truly random number" if and only if it's length measured in bits is equal to its entropy measured in bits. In other words, when every bit of $X$ has been generated by a random coin toss.

Suppose I have a truly random number $R$ of size 256 bits (256 bits of entropy), and a truly random number $S$ of length $n * 256$, where $n$ is some natural  ...

This is about the paper Protecting AES with Shamir's Secret Sharing Scheme by Louis Goubin and Ange Martinelli which describes how to use Shamir Secret Sharing to obtain masked implementations of AES.

The end of section 3.1 suggests that the $\text{GF}(2)$-affine transformation $A$ involved in the definition of the AES S-Box is compatible with SSS in the sense that if $(x_i,y_i)$ is an SSS sharing of

For a 32-Bit variant of Mersenne twister, if the outputs Should be a 5-Bit integer(word size) then what is the value of recurrence according to the k-distribution?

Recently, I read this paper NEURAL NETWORK BASED CRYPTOGRAPHY. Under the section 3.1 it said:

The aim is to improve the randomness of the random numbers generated by any algorithm using an NN. In order to improve pseudo-random numbers via a neural network, random numbers are generated by a modified subtract with borrow algorithm in MATLAB. The random numbers generated by the modified subtract with bo ...

Given the popular Private Set Intersection (PSI) protocol first described in [1]:

• Alice choose a random $a$, and sends $\{H(x_i)^{a}\bmod p\}| (i=1,...m)$ to Bob.
• Bob choose a random $b$, and sends $\{H(y_i)^{b}\bmod p\}| (i=1,...n)$ to Alice.
• Alice computes and sends $\{H(y_i)^{ba}\bmod p\}| (i=1,...n)$ to Bob.
• Bob computes and sends $\{H(x_i)^{ab}\bmod p\}| (i=1,...m)$ to Alice.
• Each party locall ...

I wanted to make a little example for anonymization evaluation using l-Diversity. For that I'm using the following formula for Entropy l-Diversity ($E$ is the equivalence class, $S$ are all possible values for a sensitive attribute, $s$ a specific value):

$$ \operatorname{Entropy}(E) = - \sum_{s \in S} p(E,s)\cdot \log(p(E,s)) $$

In the paper they never defined which logarithm is used. It ...

It should be a secure two party protocol against malicious adversary.

P1's input is X in Zp* (p is a prime number); P2's input is nothing. P1's output is rX+r'. r,r' are random numbers from Zp* P2' output is r and r'.

Is there any efficent protocol to realize this functionality other than by using homomorphic encrytion? If only HE solves this problem, which is the most efficent one?

Thanks for help!

If $H(k, Μ) = τ$, in the context where $τ$ is an $n$-bit tag produced as a mac on a key, $k$, and a message, $M$, through a keyed-hash function, $H$, is there a function $F(τ) = T$ that transforms $τ$ into a group element, $Τ$, of some group, $G$, of order $2^{\frac{n}{2}}$, such that:

• The chance of producing any $T$ ( where $F(τ') = F(τ) = T$; and $τ' ≠ τ$ ) is given by $≈2^{\frac{-n ...

While nowhere near being broken, AES has known attacks like reading from the substitution table, memory-based attacks, etc.

If we keep getting better at breaking ciphers and we eventually get close to taking AES down, what would (in your opinion) be the requirements for a cipher of an era where even Rijndael isn't safe enough?

I'm talking about:

• key sizes
• data sizes
• design (stream/Feistel/PSN, or s ...

If I have a "truly random number" $K$ of $L$ bits (whatever "truly random" means... is it a value from a normal distribution a truly random number, or only uniform distributions are considered "truly random"?), and a "truly random number" $T$ of $M \le L$ bits,

which arithmetic/bitwise algorithms among $K$ and $T$ can generate new truly random numbers? If $M=L$, is $K + T$ or $K\ xor\ T$ a truly random ...

There is some https traffic from a specific server (which I have the certificate and private key) that I need legitimately be able to read.

This traffic doesn’t come via browser so besides the ephemeral protocol being used using a pre-master secret key is not an option.

Is there any way it is possible to decrypt and analyze the traffic without downgrading the cypher suite to some deprecated RSA no ...

We have a body we want to encrypt using CBC, and we add to that body one block of known text to both sides. newBody = body + knownBlock now we encrypt newBody using a key known to both sides, then we transfer the encrypted text on a wire to person B. cipherText = encrypt_using_cbc(newBody) If person b decrypts the cipherText and get identical last block, can he trust the data he decrypted (data integrit ...

Does combining a CPA PKE (public key encryption) scheme with a one-time strong signature construct a CCA PKE scheme? More specifically, let $(Enc,Dec)$ be a CPA PKE scheme, and $(V,S)$ be a one-time signature, i.e., one cannot forge a valid signature even for once-queried messages without $S$.

Then, constructing a new PKE scheme:

$Enc'$ algorithm on $(pk,m,s)$: $$c1 = Enc(pk,m),$$ $$c2=Sign(s,c1),$$

Why are SHA3 algorithms considered more secure than their SHA2 counterparts? Surely in part, it is due to their resistance to length extension attacks. But specifically, when considering collision resistance they have the same O(n) attack times.

Is it because they are more resistant to preimage attacks?

Current computers cannot break reasonably strong hashed passwords, for example 14 CSPRNG-generated alphanumeric characters ($\approx$80 bits of entropy).

Grover's algorithm applies to hash functions as I understand it (mentioned e.g. in this answer), meaning that given any MD5 output of 128 bits, it can find the input (or a collision thereof) in $\sqrt{2^{128}}=2^{64}$ evaluations of the algorithm,  ...