Latest crypto-related questions

Score: 1
Yotam Sofer
Does keeping the IV secret in OFB mode make brute force more complex?

If we keep the IV secret, does that increase the complexity of finding the correct key? My first thought is that it increases complexity, but in the real world I can see that IVs aren't kept secret. We can assume that we have a reasonable number of (x, y) plaintext-ciphertext pairs.

Score: 0
Haroon Malik
Searching in the Paillier cryptosystem

I have implemented the Paillier cryptosystem. Let's say I have an encrypted array E(x) = [2,4,5,10,0,20] and I want to find out whether 0 exists in that array. Due to the limitations of the Paillier cryptosystem I cannot multiply two ciphertexts. Is there any other way to find it?

Score: 0
Revealing percentiles of an ordered dataset without revealing its size
N J

Given an ordered set $S$ of positive integers (e.g. $S=\{503, 503, 520, 551...N\}$) I want to be able to reveal the percentile rank (e.g. 503 is in the top 10th percentile) for each element of a contiguous subset of $S$ (i.e. $\{s_i,s_{i+1},... s_k\} \;|\; i \ge 0, k \lt N$). However, I don't want to leak information that can be used to efficiently deduce $N$.

Using the formula for calculating a perc ...

Score: 1
Knowledge proof of private keys from DH key exchange

Given a group where the computational Diffie–Hellman (DH) assumption holds, and a generator G.

Say there is a set of private randomly selected keys {a, b, c, d, e,...} and corresponding public keys set {A, B, C, D, E,...} calculated as A=aG. Each public key is publicly linked to its corresponding user/owner.

Alice can use her private key a and the public key of Bob, B, to calculate K=aB. This K is ...

Score: 1
pajacol
Meet-in-the-middle time complexity

Hello,
I am wondering why it is stated that a message double-encrypted with 2 DES keys can be broken in the worst case in $2\times2^{56}$ time using a meet-in-the-middle attack.

Here is my reasoning:

  1. Example plaintext & ciphertext pair: AAAAAAAAAAAAAAAA & 35E16A5E44161DB8 (keys to break: BABABABABABABABA & CDCDCDCDCDCDCDCD), additional plaintext & ciphertext pairs to check in step 4 becau ...

Score: 2
user77340
How to generate a circuit for SHA-256?

In "A Boolean Circuit for SHA-256" by Steven Goldfeder, the author gives a Boolean circuit for SHA-256. I find this method very complicated.

May I ask how to construct a Boolean circuit for a hash function? I mean, given an algorithm of a hash function, how to transform it into a circuit as in the article?

Score: 1
danutz_plusplus
HMAC key generation and encoding

I have this piece of .NET code that is based on a Microsoft sample on how to generate a key and sign using HMACSHA256.

But I've altered the key generation a little bit and also decided to use Base64 to transport the key as a string:

Key generation:

byte[] secretkey = new Byte[64];

using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
    rng.GetBytes(secretkey);
    using (SHA512 mySHA ...

Score: 10
user2357
Why can I not assume that cryptography published in venues/journals handled by the same publishers as prestigious journals is serious?

I do not know if it is allowed to ask this question.

I have been told that "most of the papers on chaos-based cryptography are appearing in fee/generalist journals, whose focus is not security".

However, I found that journals like Springer and Elsevier are filled with these papers.

I thought that these journals are well regarded as good resources. Many great books on cryptology are published by Springer ...

Score: 1
DannyNiu
Is it possible to create a Dilithium Prime or Falcon Prime?

In the NTRU Prime submission, the principal author, the well-known DJB, is adamant that

[the] primary objective [of NTRU Prime] is to eliminate unnecessary complications in security review

So much so that the ideas of a pure cyclotomic ring, modules, decryption errors, etc. are exterminated from the design.

I think this is good, as NTRU Prime serves as a model alternative to the other design ...

Score: 1
MM45
Can a PKE scheme be turned into a signature scheme?

Recently, I have been wondering whether you can turn any PKE scheme into a signature scheme and, if so, how (is there a general construction, or is this scheme-specific?). I have found several posts that seem to suggest this is the case (e.g., this post, and this post); however, they don't really elaborate on how.

For some context:
I started wondering this (for some reason) when looking into Sabe ...

Score: 0
SpongeBob
Key recovery attack vs key extraction attack

I want to know what the difference is between the key recovery attack and the key extraction attack, especially in white-box cryptography. I guess key recovery is for the black box and key extraction is for the white box.

Score: 1
Novice_researcher
FF1 vs FF3 FPE encryption

FF1 and FF3 are both Feistel-based FPE schemes, with r = 10 rounds and 8 rounds respectively. The other difference I have learned of is that FF1 treats the right half of the message as the larger one, while FF3 treats the left half of the Feistel network input as the larger one. Is there any other difference in the construction of FF1 and FF3?

Score: 1
caveman
How is the Argon2d side channel attack performed?

How should the adversary behave in order to perform a successful side channel attack against Argon2d?

I'm trying to understand the scenario that Argon2i tries to resist against.

Score: 2
Sean
A field element as the exponent of a group element

The R1CS constraints are expressed over finite fields. Many proof systems, such as zk-SNARKs, use prover keys such as $g^{\alpha^0}, g^{\alpha^1}, ..., g^{\alpha^n}$ where $\alpha$ is a field element. Are these field elements actually integers?

Score: -5
Andre Coelho
RSA numbers impossible to factorize?

If the RSA numbers are odd, how can they be factorized into two primes, since a prime is only divisible by itself and 1?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.