Latest Crypto-related questions

Score: 1
James
Are zk-STARKs really quantum resistant?

I see lots of mention that zk-STARK proofs that are being developed notably for use in blockchain networks are labelled as "quantum resistant". Many articles and reports that state this, claim such based on the idea that zk-STARKs rely on collision-resistant hashes. My understanding though is that there can never be a perfectly collision-resistant hash - and that it would be trivial for a quantum comput ...

Score: 1
Marc
Combining Post-Quantum and Classical KEM

I came across this paper "Hybrid Key Encapsulation Mechanisms", where three methods are defined that allow a secure combination of a classical key encapsulation with a post-quantum key encapsulation.

In terms of security and performance all three of them seem to be equally good.

For the second method, called "DualPRF Combiner", it is written:

Our dual PRF combiner is inspired by the key derivation in ...

Score: 1
Tom
Can AES fail PractRand?

Melissa O'Neill tested Xoroshiro128+ with 512 terabytes (2^49 bytes) of data, and finally it failed. Would AES fail PractRand with enough data?

When can we expect that AES will fail? Maybe with $2^{64}$ bytes of data?

Score: 3
Swashbuckler
CBC mode with predictable IV ok if key is only used once?

Someone told me recently that using CBC mode with a predictable (e.g. all 0) IV is reasonably secure if a key is only used for encryption one time. I've gone through a couple of examples of chosen plaintext attacks against CBC mode with a predictable IV and it does seem that they assume that the key that is used for the attacker's encrypted text is the same as the key used for the attackee's encrypted  ...

Score: 3
R.. GitHub STOP HELPING ICE
Does AEAD provide any benefit over raw cipher in this setting?

I'm working on a cryptographic data store where blobs need to be identified and referenced via a hash of the encrypted data. Think Merkle tree with encrypted nodes. In such a setting, where the hash already establishes authenticity (assuming the hash function itself is not broken), is there any value in using an AEAD rather than just using the cipher directly?

I believe this is different from the c ...

Score: 1
Novice_researcher
FF1 comparison with FF3

I have seen the FF1 and FF3 format-preserving encryption modes. There are certain differences with respect to the number of rounds and the use of the unbalanced Feistel network. What makes it different for FF3 attacks to also work on FF1?

In the 2017 paper by Durak et al., they mention the attack being specific to only FF3. Why is it so?

Paper reference: https://eprint.iacr.org/2017/521.pdf

Score: 1
Is there a zero knowledge proof of knowledge of a Waters signature?

I am looking for a ZK PoK of a digital signature. I have seen constructions that work for ElGamal signatures (see this older paper), but need to work with Waters signatures, as described here.

Has anyone seen a construction that could work in this case?

Score: 3
caveman
Fastest order-sensitive operations

For any $v$ many $b$-bits vectors $(\mathbf{x}_0, \mathbf{x}_1, \ldots, \mathbf{x}_{v-1}) \in \{\{0, 1\}^b\}^v$, what's the fastest way to combine $\mathbf{x}_0, \mathbf{x}_1, \ldots, \mathbf{x}_{v-1}$ into a single number, such that the operation is order-sensitive?

E.g. say that $\hat+$ is some method of combining numbers (not necessarily addition, but we can define it however we want). The goal is to ...

Score: 1
RSA factorization knowing the form of p and q

I'm wondering if knowing the form of both factors (p and q) of an RSA modulus N is a significant help for factoring or not.

For instance: p of the form 4k+3, so (p-3)%4 = 0, and q of the form 4k+7, so (q-7)%4 = 0.

Score: 1
Romashkin
Using two keys and two messages

Is the following cryptosystem possible:

There is an encryption function:

encrypt (k1, k2, T1, T2) = M, where

T1, T2 are two plaintexts with the same number of characters; k1, k2 are encryption keys of the same length; M is the ciphertext, whose length is equal to the length of the input text. The length of the key is generally much less than the length of the input text,

and accordingly the decryption fun ...

Score: 1
API key generation technique

I am designing a web API which needs to grant access to various client apps via an API key sent as an HTTP header. I know, not really how it should be done, but I have no control over this part.

My current design for the API key: have 16 bytes for the app id (a GUID) in the database + 16 bytes randomly generated (keybytes). Due to company policy I was asked not to store API keys in the db, so I store a s ...

Score: 0
LinusK
Does breaking CDH also break DLP?

Does breaking the computational Diffie-Hellman problem in a group also always break discrete logarithms in that group?

Score: 4
south_lagoon
Uniqueness and Schnorr signatures

I am trying to analyse a "uniqueness" game around Schnorr signatures. The game is described in $\textbf{B.}$, and in $\textbf{1.}$ and $\textbf{2.}$ I try to provide some incomplete answers to resolve it. Is it possible to fully solve it? I have not used a reduction to the DL problem in my analysis; maybe there is a way to reduce the game to it? Apologies for the lack of cryptographic rigour and thanks a l ...

Score: -1
How To Read Encryption/Hashing Notation

This is very basic, but what I'm wondering is: I have a few notations for hashing/RSA encryption that I'm unsure of when reading.

PKE(PW, K): with PW representing a password, K representing a 128-bit string and PKE representing RSA, how would this be interpreted? Do I combine the string and password and then encrypt that, or something else?

Same goes for this, ssk = H(K,NB,NA), where ssk is a secret shared ...

Score: 3
Loris Foe
Does adding a known text to an input decrease hash security?

Imagine I want to hash a private key K (i.e. hash(K)), but what if I hashed a concatenation of the key K and the username, let's say the following hash: hash("john cena" + K)?

Suppose everyone (even the hacker) knows that "john cena" is used to do the hash: can it help hackers to reverse the hash?

In other words, is there a difference in security of doing hash(K) or hash("john cena" + K ) (where " ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.