Latest Crypto related questions

For example is it harder to break one 256 bit encryption than two 255 bit encryption for RSA and AES?

For example, I understand that 256 bit RSA can be cracked in one minute according to this article [1] So would two independent 255 bit RSA message take thirty seconds each, and four 254 bit messages take 15 seconds each, etc... or would two 255 bit messages take 1 minute total on average?

[1] htt ...

When I want to encrypt a 16 byte long message with AES-128-CBC using int TLS 1.2 do I need to add a 16 byte block of padding or can I just encrypt the message without padding ?

From the PLONK paper.

On pages 19 & 20, the paper describes the prescribed permutation check in PLONK.

---------------------------------------------

My question is about the Step 3 in the protocol which I have marked in red

I am interpreting $1 \le j < i$ as $j =1$ to $j = i-1$

So the $\prod$ equation becomes $Z(\mathbf{g}^i) = \prod_{j=1}^{j=i-1} f'(\mathbf{g}^j)/g'(\mathbf{g}^j)$

I think th ...

Could anyone explain me the difference between "key_share" extension and "server_key_exchange" message in TLS (1.3) ? If I understood right, these "packets" of data are used to send a key material to generate premaster keys. But what's the difference ? In which case a server must use one or another

I have some questions about the setting of the one-way authenticated key exchange of Kyber.AKE as defined in section 5 of the paper.

1. How does $P_2$ authenticate itself to $P_1$? It is not obvious to me in the paper how it is ensured that $P_1$ really communicates with $P_2$. So how does $P_1$ know that it can actually trust $P_2$? I would have expected something like a certificate authority here.

    ...

When attacking RSA with Square&Multiply, one can figure out the secret key by looking at the exponentiation algorithm itself. To prevent this in software, we could use dummy multiplications after each square.

Yet, there are attacks like correlation power analysis on AES, which is vulnerable to it by definition. How can such attacks be prevented on a software level, without using any noise mas ...

Here is a CTF crypto challenge likes(its write up is public on https://ctftime.org/writeup/15438): $$N = p*q\\ c1 = (2*p + 3*q)^{e_{1}} mod N\\ c2 = (5*p + 7*q)^{e_{2}} mod N$$ After i transform these: $$(c^{e_2}_1)\equiv (2p)^{e_1e_2}+(3q)^{e_1e_2}\pmod{N}\\ (c^{e_1}_2)\equiv (5p)^{e_1e_2}+(7q)^{e_1e_2}\pmod{N}$$ After product $5^{e_1e_2},2^{e_1e_2}$ to cancel p from two equations,I can solve this proble ...

Suppose that Peggy(prover) and Victor(verifier) are running some zero knowledge proof protocol that does not rely on hidden verifier secrets. The verifier generates randomly chosen challenge values only. Such protocols can be Fiat-Shamir transformed into NI(non-interactive)ZKPs.

There is significant work on NIZKPs. Using them as-is in contexts where deniability is necessary would be nice, but as- ...

I am constructing a two-party OR gate and trying to do this with oblivious transfer. Yet I am very new to oblivious transfer, wishing to know whether the following construction makes sense.

Goal: Alice inputs a random bit $a$, Bob inputs a random bit $b$, and Bob outputs the logical OR bit $a\oplus b$.

Construction via 1-out-of-2 OT: Alice inputs $m_0 = a, m_1 = 1$, Bob inputs $c = b$, and finally B ...

How do we know that hash functions cannot be reversed? An example is often given of two primes and their product, but any composite number that is the product of two primes has, by definition, exactly 2 natural factors. In the case of hash functions, things are different.

Have there been attempts to reverse hash functions, and if so, how many have been successful? Are there any theoretical works  ...

Given some group in which both discrete logarithms and the computational Diffie-Hellman problem are hard. Furthermore, two random, unrelated group generators $G_1, G_2$, and a third generator defined by $H = G_1 + G_2$. Can you compute $xG_1$ if you know only $G_1$, $G_2$, and $xH$?

My guess: I would assume it's hard, because otherwise it would be easy to compute $xG$ knowing only $xH$ for any two unr ...

The CEO of the organization XYZ decides to hold a vote to decide whether employees should be allowed to work from home (WFH) either one, two or three days a week.

All 4 employees of XYZ (excluding the CEO), need to vote either “WFH one”, “WFH two” or “WFH three”. To ensure privacy, the CEO asks employees to send their votes by emailing them to the CEO. Furthermore, the CEO tells them  ...

Do you know a blockchain that does not use at all cryptographic primitives standardized by USA or other countries? It is strange to me that the security of many cryptocurrencies is based on ciphers, hash functions, elliptic curves, etc. from American standards.

It is normal when a cryptographic product contains standardized primitives of a certain country to be sold in this country. However, cryp ...

From the PLONK paper.

On pages 19 & 20, the paper describes the prescribed permutation check in PLONK.

In the last step of the proof, these are the checks

a) $L_1(a)(Z(a) - 1) = 0$
b) $Z(a)f'(a) = g'(a)Z(a \cdot g)$

In (a), I think checking $Z(a) - 1 = 0$ & doing the (b) check as written is enough. What purpose does multiplying this by the first Lagrange Polynomial ($L_1(a)$) serve?

Can  ...

It is a bit stupid question, but I am so confused. Please examine my explanation. What is the space that exponents the generator $g$ of a cyclic group $G$ of prime order $p$?

I think it is $\mathbb{Z}_p$ since $|G|=p$, so that $G=\{g^0, g^1, \ldots, g^{p-1}\}$. Thus the space that the exponents live is $\mathbb{Z}_p$, which is a field.

But here is what I am confused. By Fermat's little theorem, $\f ...

I store the ciphertext and the nonce in a SQL database.

If I decrypt the ciphertext change it and encrypt it again I generate a new nonce, so that I do not encrypt two different plaintexts with the same nonce. After encrypting the updated plaintext I store the ciphertext and the new nonce back to the database.

My question is: Should I keep track of the expired nonces so that no other plaintext is ev ...

I was wondering whether quantum-computers really break Schnorr's signature scheme. Schor's algorithm works via the quantum Fourier transform, which reveals the cycle time and thus phi. However, with a multiplicative group mod $q$, a prime, everyone knows the cycle time, but that isn't the problem (unlike RSA). The problem is in finding a specific value.

Unlike in RSA, where you must FACTOR a number,  ...

Use Case:

Web application accessed in browser. Registered users can store personal notes in the application, these notes are stored in a SQL database on a online server. The user can store unencrypted notes and encrypted notes. For unencrypted notes the process is trivial, just store the notes in the database. For encrypted notes the storage gets complicated (for me).

Frameworks:

• scrypt: https://github.c ...

I have built a small password manager desktop app using python. This app falls under the master-password model.The app connects to two databases stored locally. The first database stores the users username for my app and the hashed (sha256+salt) master password it also stores an email for password recovery puprpose. The second database stores username,password and optionaly email for the app the user wa ...

In a POST consensus mechanism with no starting stake needed, I may have found a way to sync with the correct chain without a.) trusting checkpoinnts or b.) downloading the whole chain (or even part of it). Simply, make a tiny POST proof, hashes of you address plus a nonce at the end. Once you find a successful POST proof, upload it to the blockchain as a "sync fee." You can do this (and should do thi ...

I am simply wondering what the bit-length in the algorithm variant in the table below refers to? For the hash functions I assume that this refers to the ouput length in bits. For instance for SHA3-256 this means the hash will be of 256 bits in length. Is this correct?

But, then, what does the 256 mean for the XOF SHAKE256? The desired output length here is $d$.

I am hoping that there is something obviou ...

Normally I use Argon2 to generate an encryption key, and then use AES to encrypt data with that key. Can I just set the hash size to be equal to the data size, set the associated data to a random value, and then just use Xor on the Argon2 output to encrypt/decrypt the data instead? Or are there some cryptographic properties that make it insecure to use it this way?

Hello I am trying to understand why the Sidelnikov-Shestakov attack doesn't work for McEliece cryptosystem based on Goppa codes whereas it works when based of GRS codes.

I understood how the attack works but I don't see why it fails with Goppa codes since they are quite similar than GRS codes.

On the 2007 paper https://www.degruyter.com/document/doi/10.1515/JMC.2007.009/pdf by D. Engelbert, R. Overb ...

I'm currently working on a distributed consensus-based system. I currently give the system a private key through a threshold encryption model, and I want to be able to take some data encrypted with the network's public key and re-encrypt it with an arbitrary public key without any member of the network knowing what the data was.

I know proxy re-encryption is a good solution if the person who orig ...

I recently took an exam where one of the questions was roughly the following:

You need a specific way for sender S to send a large file M to a receiver R with their secret-public key pair, without interaction. You cannot use interactive key exchange protocols. The receiver’s public key is assumed to be authentic. The sender does not have her own public key pair. In addition to the strongest sec ...

On an exam I recently took, one of the questions was:

Consider the following signature scheme. The public key is $(p,g,g^x)$, where $p$ is a large prime number. $g$ is a generator of $\mathbb Z^*_p$, and $x$ is a random number in $\mathbb Z_{p-1}$. The secret key is $x$. The scheme also uses a public hash $H(M)$ that maps arbitrary messages to $\mathbb Z_{p-1}$. The signature algorithm signs message ...

I have a request in which I get a series of data in clear (nothing encrypted) and a MAC / authentication tag.

The question is whether the MAC should be validated first or if the fields are filled in or are numerical (or similar validations). I have always considered that the MAC must be validated first, however, I can think of no arguments for the case where the text is in clear, for the cipher  ...

Suppose we sign and verify messages with a DSA scheme. Before signing the first message the necessary parameters $(p,q,h,g,x,y)$ are initialized, including the nonce $k$ as an integer between $(1,q-1)$.
For each message, this value is increased by a fixed amount $b$. Therefore it grows linearly .
How can I prove that this approach is as vulnerable as using the same value of $k$ for every message?

I'm having problem proving the following, I intuitively think this is correct but can't formally prove why.

given a PRF $F_k(x)$

proove that the following is also a PRF

$$ F'_k(x) = \begin{cases} F_k(x)&\text{if }k\neq0\\ \\\text{const(some const value)}&\text{if }k=0 \end{cases} $$

I found my mistake, I did not use the probability axioms correctly here is the full solution

I recently read the article on the threshold signature scheme “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” and I have a question.

In the key generation section, each player $P_i$ selects $u_i$ and then performs a $(t, n)$ Feldman-VSS of the $u_i$ value. In this case, other participants can make use of Lagrange interpolation to construct the polynomial related to $P_i$, and they can ...