Latest Crypto related questions

Score: 2
Reconstructing the AES-192 key out of the last roundkey

Let's assume we know the last-round key of AES.

For AES-128, the whole key can be reconstructed using the last-round key since every WORD in the key schedule is based on the previous 128-bit entry.

For AES-256, it cannot be reconstructed, as we only know 128 bits. However, the reconstruction of the 4 WORDS would take us $2^{128}$ steps (brute force).

Now the question comes for AES-192, since we do  ...

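The key schedule walked backwards, as an added example (it is not part of the question or of any answer): the S-box is computed from the GF(2^8) arithmetic so the script runs offline, the AES-128 test key is the FIPS 197 Appendix A.1 key, and the AES-192 key is a constructed one. The AES-192 part only shows which earlier words the last round key pins down; the two open words w46 and w47 are either copied from the real schedule or chosen arbitrarily, to show that every choice yields a key with the same last round key.

```python
# Added example (not from the question): FIPS 197 key expansion and its inverse.
# The S-box is computed from GF(2^8) arithmetic so the script runs stand-alone.

def _xtime(b):
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _gf_inv(a):
    r = 1
    for _ in range(254):          # a^254 = a^-1 in GF(2^8), and 0 -> 0
        r = _gf_mul(r, a)
    return r

def _build_sbox():
    sbox = []
    for a in range(256):
        s = _gf_inv(a)
        x = s
        for i in range(1, 5):     # affine map: xor of the four left rotations
            x ^= ((s << i) | (s >> (8 - i))) & 0xFF
        sbox.append(x ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _temp(w, i, nk):
    """Value xored with w[i-nk] to produce w[i]; it depends only on w[i-1]."""
    t = w[i - 1]
    if i % nk == 0:
        t = t[1:] + t[:1]                                 # RotWord
        t = bytes(SBOX[b] for b in t)                     # SubWord
        t = bytes([t[0] ^ RCON[i // nk - 1]]) + t[1:]     # Rcon
    elif nk > 6 and i % nk == 4:
        t = bytes(SBOX[b] for b in t)                     # AES-256 extra SubWord
    return t

def key_expansion(key):
    nk = len(key) // 4
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):                     # Nr = Nk + 6 rounds, 4 words each
        w.append(_xor(w[i - nk], _temp(w, i, nk)))
    return w

def last_round_key(key):
    return b"".join(key_expansion(key)[-4:])

def invert_key_schedule(window, nk):
    """Run the schedule backwards from the final nk words w[total-nk..total-1]."""
    total = 4 * (nk + 7)
    w = [None] * total
    w[total - nk:] = list(window)
    for i in range(total - 1, nk - 1, -1):
        w[i - nk] = _xor(w[i], _temp(w, i, nk))          # w[i-1] is already known here
    return b"".join(w[:nk])

def aes128_key_from_last_round_key(rk):
    return invert_key_schedule([rk[j:j + 4] for j in range(0, 16, 4)], 4)

def aes192_words_from_last_round_key(rk):
    """AES-192: the last round key is w[48..51]. Steps 49, 50, 51 have no g(),
    so w[43..45] follow, and from those w[38], w[39]; w[46], w[47] stay open."""
    w = {48 + j: rk[4 * j:4 * j + 4] for j in range(4)}
    for i in (51, 50, 49, 45, 44):
        w[i - 6] = _xor(w[i], w[i - 1])
    return w

def aes192_key_from_window(rk, w46, w47):
    """One of the 2^64 AES-192 keys consistent with the last round key rk."""
    window = [w46, w47] + [rk[j:j + 4] for j in range(0, 16, 4)]
    return invert_key_schedule(window, 6)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 Appendix A.1
    rk = last_round_key(key)
    print("AES-128 last round key:", rk.hex())
    print("recovered key:         ", aes128_key_from_last_round_key(rk).hex())
    k192 = bytes(range(24))                                    # constructed AES-192 key
    rk192 = last_round_key(k192)
    print("AES-192 words fixed by the last round key:", sorted(aes192_words_from_last_round_key(rk192)))
    print("another key with the same last round key:", aes192_key_from_window(rk192, b"\0" * 4, b"\xff" * 4).hex())
```

Each schedule step reads only w[i-1] and w[i-nk], so the schedule is a bijection on any Nk consecutive words and can be run backwards from any full window. For AES-128 the last round key is such a window and the key comes out exactly. For AES-192 the last round key fixes w43, w44, w45 and then w38, w39, but w46 and w47 never appear in a relation without an unknown on the other side, so 2^64 keys remain consistent and a known plaintext/ciphertext pair is needed to select one. For AES-256 the last round key is 4 words of an 8-word window, which leaves the 2^128 candidates the question mentions.
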
Score: 4
Distinguishers and next bit predictors without the uniform distribution

Consider a probability distribution $D$ over $n$ bit strings. Denote $U$ to be the uniform distribution over $n$ bit strings and $U_{n}$ to be the uniform distribution over integers $\{1, 2, \ldots, n\}$.

Consider the following two equivalent statements (they are equivalent by Yao's theorem):

  1. There is no uniform polynomial time next bit predictor $A$ such that $$ \underset{X \sim D \\ M \sim U_{n} }{\t ...
Score: 1
Getting the plaintext encrypting the ciphertext

Context: an encryption game from overthewire (the link to it: https://overthewire.org/wargames/krypton/krypton6.html, also good for more info) where given the ciphertext, one must obtain the plaintext.

On this level, we have access to a binary that encrypts any file by stream cipher, using a key from a file we do not have access to (keyfile.dat) and a random number. We also have a hint: 8 bit LFSR.

My qu ...

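What an 8-bit LFSR keystream gives away, as an added example that is not the krypton6 binary and not part of the question: a generic 8-bit Fibonacci LFSR with taps 8,4,3,2 (the primitive polynomial x^8+x^4+x^3+x^2+1, so the state cycles through all 255 nonzero values) used as a stream cipher, with a constructed plaintext and seed. The real level's taps, seeding and key handling are unknown here; the point is the size of the state space and the period.

```python
# Added example (not the krypton6 binary): a generic 8-bit Fibonacci LFSR stream
# cipher and why a short known plaintext breaks it. Taps 8,4,3,2 realise the
# primitive polynomial x^8+x^4+x^3+x^2+1 (or its reciprocal, also primitive),
# so every nonzero seed sits on one cycle of 255 states.

def lfsr_step(state):
    """One clock: feedback from taps 8,4,3,2 enters at bit 7, bit 0 is the output."""
    fb = (state ^ (state >> 4) ^ (state >> 5) ^ (state >> 6)) & 1
    return ((state >> 1) | (fb << 7)) & 0xFF

def lfsr_period(seed):
    """Clocks until the state repeats (255 for any nonzero seed of this LFSR)."""
    state, n = lfsr_step(seed), 1
    while state != seed:
        state, n = lfsr_step(state), n + 1
    return n

def keystream(seed, nbytes):
    """Eight output bits per keystream byte, first output bit as the MSB."""
    state, out = seed & 0xFF, bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (state & 1)
            state = lfsr_step(state)
        out.append(byte)
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(seed, data):
    """XOR with the keystream; the same call decrypts."""
    return xor_bytes(data, keystream(seed, len(data)))

def recover_seed(ciphertext, known_plaintext):
    """Brute force the 255 possible seeds against a known-plaintext prefix.
    The first keystream byte is just the seed's bits in order, so one byte suffices."""
    n = len(known_plaintext)
    for seed in range(1, 256):
        if encrypt(seed, ciphertext[:n]) == known_plaintext:
            return seed
    return None

if __name__ == "__main__":
    seed = 0b10110011                                        # the 'random number', unknown to the attacker
    msg = b"constructed plaintext for the LFSR demo. " * 12   # constructed sample input
    ct = encrypt(seed, msg)
    print("state period:", lfsr_period(seed))
    found = recover_seed(ct, msg[:2])
    print("seed:", found, "plaintext recovered:", encrypt(found, ct) == msg)
```

Two independent weaknesses show up: the state is 8 bits, so even without any structure an attacker tries at most 255 seeds against a couple of known bytes; and the keystream repeats every 255 bytes (gcd(8, 255) = 1, so the byte period equals the state period), so any known 255-byte stretch of keystream decrypts a file of any length.
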
Score: 0
Setting AES Sbox output to 0

What would happen if one set the AES S-boxes to always output 0? Could one retrieve the key by doing so? Or what would happen if there were no S-boxes?

Score: 1
Is recursive hashing cyclic?

If I feed the output of H back into H will it cover the entire output space of H before repeating?

Consider the following scenario:

import hashlib

def H(x):
    return hashlib.sha256(x).digest()   # any concrete hash stands in for the abstract H

A = b"\x01"
while True:
    A = H(A)
    print(A.hex())

Will there be short cycles? E.g. are there values of A such that H(A) = A (a cycle of 1), or values of A where H(A) = B and H(B) = A (a cycle of 2)?

Is there a way to prove that either no such cycles exist for a given hash, or to put a low ...

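The iteration as an added example (not part of the question), run on a stand-in H small enough to measure: SHA-256 truncated to 24 bits. For a random function on N points the walk from any start has an expected tail plus cycle of about sqrt(pi*N/2), only about 1 - 1/e of the outputs are reachable from anywhere, and about one fixed point is expected; the code measures all three on the toy H. The full-width H cannot be walked, but these quantities scale the same way, which is why the orbit of a 256-bit hash has a cycle of roughly 2^128 steps rather than 2^256 and never covers the output space.

```python
# Added example (not from the question): the rho structure of iterated hashing,
# measured on a truncated SHA-256 so the output space can be explored.
import hashlib

def H(x, nbits=24):
    """Stand-in for the question's H: SHA-256 of the integer x, truncated to nbits."""
    d = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - nbits)

def rho_structure(start, nbits=24):
    """Brent's cycle finding on start, H(start), H(H(start)), ...
    Returns (tail_length, cycle_length) using O(tail + cycle) hash calls."""
    power = lam = 1
    tortoise, hare = start, H(start, nbits)
    while tortoise != hare:               # hare runs until it meets the parked tortoise
        if power == lam:                  # park the tortoise at the next power of two
            tortoise, power, lam = hare, power * 2, 0
        hare, lam = H(hare, nbits), lam + 1
    tortoise = hare = start               # now locate where the cycle begins
    for _ in range(lam):
        hare = H(hare, nbits)
    mu = 0
    while tortoise != hare:
        tortoise, hare, mu = H(tortoise, nbits), H(hare, nbits), mu + 1
    return mu, lam

def fixed_points(nbits=12):
    """Exhaustive search for inputs with H(x) == x, i.e. cycles of length 1."""
    return [x for x in range(1 << nbits) if H(x, nbits) == x]

def coverage_fraction(nbits=12):
    """Share of the output space hit by any input at all; about 1 - 1/e for a
    random function, so iteration cannot visit every output before repeating."""
    return len({H(x, nbits) for x in range(1 << nbits)}) / (1 << nbits)

if __name__ == "__main__":
    mu, lam = rho_structure(1, 24)
    expected = (3.14159 * 2 ** 24 / 2) ** 0.5
    print(f"24-bit H from A=1: tail {mu}, cycle {lam}, expected tail+cycle about {expected:.0f}")
    print("12-bit fixed points:", fixed_points(12))
    print(f"12-bit coverage: {coverage_fraction(12):.3f}")
```

Brent's method is the practical answer to "is there a way to prove it": for a specific H and start you can find the cycle in time proportional to its length, which is feasible exactly when the cycle is short, so a cycle that can be found is one that is too short. For a real 256-bit hash nobody has found one, and the random-function model predicts none of reachable length.
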
Score: 0
Elliptic Curve Key Compression

I have an elliptic curve $y^2 = x^3 - x + 3$ over a finite field of 127. I am trying to compress a point using the X9.62 standard. I know for the key compression you are supposed to check if the y value is even or odd to determine which side of the curve it is on. For most points on the curve the upper point is even and the lower point is odd. However, for the pair (16, 20) and (16, 107) and a few others,  ...

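X9.62 compression and decompression on the question's curve, as an added example (not the asker's code), reading the curve as $y^2 = x^3 - x + 3$ over GF(127). The prefix byte records the parity of y, nothing about "upper" or "lower": for an odd prime p the two roots y and p - y always have opposite parity (their sum is p), so (16, 20) compresses with 0x02 and (16, 107) with 0x03, and the decompressor picks the root whose parity matches.

```python
# Added example (not from the question): X9.62 point compression on
# y^2 = x^3 - x + 3 over GF(127), with x encoded in one byte since P < 256.

P = 127
A, B = -1, 3

def is_on_curve(x, y):
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def compress(x, y):
    """0x02 for even y, 0x03 for odd y, followed by x."""
    if not is_on_curve(x, y):
        raise ValueError("point not on curve")
    return bytes([0x02 | (y & 1)]) + x.to_bytes(1, "big")

def sqrt_mod_p(a):
    """P = 127 is 3 mod 4, so a^((P+1)/4) is a square root whenever a is a residue."""
    r = pow(a % P, (P + 1) // 4, P)
    return r if r * r % P == a % P else None

def decompress(enc):
    prefix, x = enc[0], int.from_bytes(enc[1:], "big")
    if prefix not in (0x02, 0x03):
        raise ValueError("not a compressed point")
    y = sqrt_mod_p(x ** 3 + A * x + B)
    if y is None:
        raise ValueError("no point on the curve has this x")
    if (y & 1) != (prefix & 1):
        y = (P - y) % P          # the other root has the other parity, unless y == 0
    if (y & 1) != (prefix & 1):
        raise ValueError("inconsistent parity bit")   # only when y == 0 and prefix == 0x03
    return x, y

def both_roots(x):
    """The two y values above an x, to show the parity rule on the question's pair."""
    y = sqrt_mod_p(x ** 3 + A * x + B)
    return None if y is None else tuple(sorted((y, (P - y) % P)))

if __name__ == "__main__":
    for pt in ((16, 20), (16, 107)):
        enc = compress(*pt)
        print(pt, "->", enc.hex(), "->", decompress(enc))
    print("roots at x=16:", both_roots(16))
```
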
Score: 0
Encryption using ASCII instead of bits and bytes (clarification in the body)

I am new to cryptography and I am trying to understand something. I searched for it on the internet and, though the question is probably a simple one, couldn't find an answer. So, please don't judge me by that. Here is my question: Without considering the efficiency, speed, or optimization:

Can everything that can be encoded by other encoding methods (such as using binary or bits and bytes or Unicode) is ...

Score: 0
How do encryption systems encrypt strings? (More clarification in the explanation)

I am new to cryptography and I am trying to understand something. I searched for it on the internet and, though the question is a simple one, couldn't find an answer. So, please don't judge me by that. Here is my question: When a string like "Hello World" is encrypted, do the algorithms convert this string into binary or ASCII? Are there examples where strings are encrypted by using ASCII codes? Also, if this i ...

Score: 0
Homomorphic hash from prime order group $G$ to $Z_p$

Let $G$ be a cyclic group with the generator $g$ and of prime order $p$ such that the discrete-logarithm problem is hard in $G$.

A hash function is homomorphic if $H(a\ast b)=H(a)\cdot H(b)$ (where the operations $\ast$ and $\cdot$ depend on the groups). Here we do not expect the hash function to be compressing, but we do require collision resistance (CR) and efficient computability.

Now the question is, if the ...

Score: 0
Is privacy loss a random variable?

The "standard" book (Dwork & Roth, 2014) defines Privacy loss as follows (p. 18)

The quantity

$$ \mathcal{L}^{(\xi)}_{\mathcal{M}(x) || \mathcal{M}(y)} = \ln \left( \frac{\Pr[\mathcal{M}(x) = \xi]}{\Pr[\mathcal{M}(y) = \xi]} \right) $$

is important to us; we refer to it as the privacy loss incurred by observing $\xi$. [...] As always, the probability space is over the coins of the mechanis ...

Score: 1
hash functions and unconditional security

To the extent of my knowledge, hash functions are based on computational complexity (and not on physical laws of quantum mechanics). So they cannot provide unconditional security.

But, are there hash functions which provide unconditional security?

Are there quantum hash functions which provide unconditional security?

Score: 3
Lattice-based cryptography: secret from Gaussian distribution chi

In a lecture, by Chris Peikert (link 40:20), he showed more efficient cryptosystems that have the secret be drawn from the Gaussian error distribution $\chi$. In the lecture he said "some applications which really really need secrets to come from the error distribution and they don't really work so well if they come from uniform distribution" and he adds "for some strange reason this is the form i ...

Score: 0
Setting up the discrete logarithm framework

The discrete logarithm problem over prime cyclic groups consists of finding $x$ satisfying $g^x\equiv h\bmod p$, where $g$ is a generator of the multiplicative group of $\mathbb Z/p\mathbb Z$ for a large prime $p$.

There is no known algorithm to find $g$ in polynomial time.

  1. So how do practical discrete logarithm systems get set up?
  2. How do we know $g$ in fact generates the multiplicative group?

I am util ...

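The setup checks a practitioner actually runs, as an added example (not part of the question): choose $p$ as a safe prime $2q+1$, so the prime factors of $p-1$ are $\{2, q\}$ by construction; then $g$ generates all of $\mathbb Z_p^*$ exactly when $g^{(p-1)/2}\neq 1$ and $g^{(p-1)/q}\neq 1 \pmod p$ (Lagrange: the order of $g$ divides $p-1$, and if it is a proper divisor it divides $(p-1)/q$ for some prime $q$). Protocols usually work in the order-$q$ subgroup generated by $h = g^2$ instead, where membership of a received value $y$ is checked by $y^q = 1$. The seeded RNG and 32-bit size are for reproducibility only.

```python
# Added example (not from the question): generating and verifying a discrete-log
# group modulo a safe prime. Sizes and the seeded RNG are for demonstration only;
# real deployments use 2048-bit or larger primes and the secrets module.
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with the first 12 primes as bases: deterministic for n below
    about 3e23, a strong probabilistic test beyond that (add random bases there)."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # a is a witness: n is composite
    return True

def is_generator(g, p, prime_factors_of_p_minus_1):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)

def find_safe_prime(bits, rng):
    """p = 2q + 1 with q prime, so the factorization of p-1 is known by construction."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q

def setup_group(bits, seed=1):
    """Returns (p, q, g, h): g generates Z_p^*, h = g^2 generates the order-q subgroup."""
    rng = random.Random(seed)
    p, q = find_safe_prime(bits, rng)
    g = next(c for c in range(2, p) if is_generator(c, p, (2, q)))
    return p, q, g, pow(g, 2, p)

def in_subgroup(y, p, q):
    """Membership check for received values: y lies in the order-q subgroup iff y^q == 1."""
    return 1 <= y < p and pow(y, q, p) == 1

if __name__ == "__main__":
    p, q, g, h = setup_group(32)
    print(f"p={p} q={q} g={g} h={h}")
    print("g generates Z_p^*:", is_generator(g, p, (2, q)))
    print("h in order-q subgroup:", in_subgroup(h, p, q), "| g in it:", in_subgroup(g, p, q))
```

The generator test only works because the factorization of $p-1$ is known; for an arbitrary prime $p$ one would first have to factor $p-1$, which is why standardized groups either use safe primes or publish $q$ alongside $p$ and $g$.
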
Score: 0
User key management scheme: BYOK vs. client only keys vs. a mix of both

We are designing a web app where users can share documents with each other. The ultimate goal is to achieve zero trust needed by the users, i.e. client-side encryption makes sure that the servers (or any middlemen) are not able to see any plaintext data. (I am aware of the potential shortcomings of a browser-based encryption solution. We have ideas to counter some of the problems, I may ask about them h ...

Score: 1
Proving a function in $\operatorname{GF}(2^n)$ is differentially k-uniform

I want to show that $F(x) = x^{-1}$ in $\operatorname{GF}(2^{n})$ is differentially 4-uniform for even $n$, and is differentially 2-uniform for odd $n$, without looking at the Differential Distribution Table.

My attempt:

Let $\alpha, \beta \in \operatorname{GF}(2^{n})$ and $\alpha \neq 0$

$$(x+\alpha)^{-1} - x^{-1} = \beta$$

$$\Rightarrow \frac{1}{x + \alpha} - \frac{1}{x} = \beta$$

$$\Rightarrow \be ...

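The count carried through with the question's symbols, as an added derivation (not the asker's attempt or any answer). In characteristic 2 subtraction is addition, and $0^{-1}=0$ by convention, so for $\alpha\neq 0$ we count the $x\in\operatorname{GF}(2^n)$ with

$$ \frac{1}{x+\alpha} + \frac{1}{x} = \beta. $$

Case $x\in\{0,\alpha\}$: the left side equals $\alpha^{-1}$ for both values, so these two $x$ are solutions exactly when $\beta=\alpha^{-1}$, contributing $2$ solutions then and $0$ otherwise.

Case $x\notin\{0,\alpha\}$: multiplying by $x(x+\alpha)$ gives

$$ x + (x+\alpha) = \beta x(x+\alpha) \;\Rightarrow\; \alpha = \beta x^2 + \alpha\beta x. $$

If $\beta=0$ there is no solution. Otherwise substitute $x=\alpha y$ and divide by $\alpha^2\beta$:

$$ y^2 + y + (\alpha\beta)^{-1} = 0. $$

A quadratic $y^2+y+c=0$ over $\operatorname{GF}(2^n)$ has exactly $2$ solutions if $\operatorname{Tr}(c)=0$ and none otherwise, and its solutions are never $0$ or $1$ because $y^2+y=0$ would force $c=0$, so nothing is double counted. This case contributes at most $2$.

Total: at most $2+2=4$, and $4$ is reached only when $\beta=\alpha^{-1}$ and, with $c=(\alpha\beta)^{-1}=1$, $\operatorname{Tr}(1)=0$. Since $\operatorname{Tr}(1)=n\bmod 2$, for even $n$ the value $\beta=\alpha^{-1}$ gives $4$ solutions (the roots of $y^2+y+1$ lie in $\operatorname{GF}(4)\subseteq\operatorname{GF}(2^n)$), so $F$ is differentially $4$-uniform; for odd $n$ that $\beta$ gives exactly $2$ and every other $\beta$ at most $2$, so $F$ is differentially $2$-uniform.
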
The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.