Latest Crypto related questions

Score: 1
baro77 avatar
ZK: Repetitions to lower simulator halt probability

I'm trying, as an autodidact, to read chapter 4 of Foundations of Cryptography by Oded Goldreich (just to let you "tune" your answers, I have an engineering background).

If I'm correctly understanding, giving a perfect simulator $S_1$ the possibility to halt is not a problem because we can define a simulator $S_2$ which repeats $S_1$ let's say $n$ times, outputting the result of the first not-halting $S_1$

Score: 2
Hani Gotc avatar
Coursera Course or book(s) That covers the following subjects: OPENSSL, SSH, PKI, MD5, RSA, Certificates, keys, signatures

I started working as a developer in a cryptography company 3 months ago where the applications are mostly Windows applications. I found that I don't have enough knowledge concerning the topics listed in the table that is taken from Hurdles for Developers in Cryptography.

Indeed, these are the subjects that most developers find hard to grasp. Including me of course. I started looking for cou ...

Score: 4
2 different definitions of Special Soundness

There are 2 different definitions of special soundness in the literature:

(1) can be found in Damgard:

We say that a Sigma-protocol $\Pi$ satisfies special soundness, if there exists a PPT extractor $\mathcal{E}$, such that given any pair of accepting transcripts $(com,ch_1,resp_1),(com,ch_2,resp_2)$ with $ch_1\neq ch_2$, $\mathcal{E}$ can recover $sk$.

(2) can be found in Katz: Digital Signature ...

Score: 0
arslancharyev31 avatar
Is server-side password strength validation possible with client-side password hashing?

Let's say I wish to set up a classic username & password authentication strategy on a server. All communication is encrypted via TLS. But ideally, I still do not want the server to be able to read the passwords in plain-text, even temporarily. To that end the client could send the password that is hashed and salted with some key (for simplicity let's assume it's the username). Let's call this a d ...

Score: 1
Should a strong RSA key with a SHA1 self-signature in the public key be considered weak?

Older RSA-4096 GPG keys generated when SHA1 was still thought to be acceptable have their public key self-signed with SHA1. Should this be considered a weak key? And with what arguments? AFAIK, GPG key IDs still use SHA1. So, maybe this is not a major issue either, because the other party will have the full public key anyway.

Score: 1
user2357 avatar
Chaos-based AES, is it secure?

In the link below, the author uses AES as a basis for his cipher. In his words: The thesis investigates and explores the behavior of the AES algorithm by replacing two of its original modules, namely the S-Box and the Key Schedule, with two other chaos-based modules.

One might ask: will this system at least inherit the security of AES? In addition, it is a common theme in chaos-based ...

Score: 1
giga giga avatar
Are semi-honest adversaries specific for MPC?

I know that in multiparty computation we may consider semi-honest or malicious adversaries. I can find papers that consider malicious adversaries, but the semi-honest term is only mentioned in MPC papers. Are those adversaries particular for MPC, or used also in other technologies, such as homomorphic encryption, differential privacy etc.

Score: 1
shotex avatar
Is it safe to implement elliptic curve Diffie Hellman with secp256k1

I need to implement X3DH Key Agreement Protocol according to Signal specification, in the document they suggest using either X25519 or X448 curves. I assume those curves have been chosen for this protocol for a reason. In the codebase elliptic curve public key cryptosystem has already been implemented with secp256k1. Would it be safe to generate the keys needed for this protocol using the existin ...

Score: 0
Yuval avatar
What is the best attack on AES with a half known key?

If I have a 16-byte key and I encrypt a text block (1KB) with AES, and the attacker knows half of the key (let's say the first half), how does it weaken the encryption?

Score: 0
How difficult is it to break unknown encryption?

I found this post on Reddit and was wondering if anyone could provide a more detailed explanation/answer:

Let's say I find a hard drive in a trash can along with a sticky note that says "AES-128, good luck!". I'd set up a computer or if I'm really curious multiple computers to brute force using the AES algorithm. It'll probably take a while but I know for a fact that after a finite amount of time, I'd dec ...

Score: 1
rzxh avatar
Do we need to consider overflow in paillier encryption?

Homomorphic multiplication of plaintexts in the Paillier cryptosystem can be constructed as follows: $D_{sk}(E(x_1)^{x_2} \bmod N^2) = x_1 x_2 \bmod N$. So after the decryption, we get the result of the multiplication $x_1 x_2$. My question is: is it necessary for us to think about the situation $x_1 x_2 > N$, which leads to an overflow? Or because the parameter $N$ is quite large (usually 1024 bits or even 2048 bits) so in most usage sce ...

Score: 0
phantomcraft avatar
If a Pseudorandom Function (PRF) is supplied with a key with the same size of output block, can 2 or more keys generate the same output for a input?

There are 2 examples:

A block cipher with 128 bits of block size taking a plaintext and a 128-bit key (AES-128).

A keyed hash function with 1024 bits of block size in its output, taking a message and a 1024-bit key (Skein-1024).

If I have a block or message M to process with a PRF and the key size is the same as the output block, what are the chances that 2 or more keys among the 2^N keys of the keyspace generate the ...

Score: 0
What is the easiest encryption/cipher to brute force?

This is just a casual exploration of what could be effectively the worst possible block cipher, but I think it has some educational value on how ciphers work.

I've been reading about unicity distance and I am interested in a block cipher that has a decent-sized keyspace (2^8 or more?) that has the smallest unicity distance possible. If the plaintext effectively looks random such that no frequency analysis ...

Score: 0
Girish Srivatsa avatar
Centralized orchestration of Secret Shares for SMPC

With regard to SMPC with additive secret sharing, the protocol I am using involves a centralized node (the querier) orchestrating the share creation at the client end via setting their random seeds. Now this allows the central party to reconstruct data. My question is does there exist an implementation with no member-member connections such that additive shares can be created without the central party knowi ...

Score: 1
Serbin avatar
Is it possible to de-anonymize a user in RSA blind signing without knowing the random blinding factor only?

For example, in case of using RSA blind signing in E-Voting protocol:

Is it possible to trace (Sx, x) to (Sb, b) if Signer and Tallier is the same person?

In this case, the attacker has access to: blinded message b, signing of blinded message Sb, private and public key that allows to sign and verify messages, original message x and signing of the original message Sx. The only thing the attacker doesn't kn ...
