Latest crypto-related questions

Score: 0
R.. GitHub STOP HELPING ICE
(Non)security of algebraically derived EC keys

I recently had a situation where I needed to derive a secondary Curve25519 private key from an existing one programmatically. The obvious solution was to use a KDF, but I wondered at the time about deriving the second key via some algebraic operation on the scalar value, which of course would (at least for some transformations) also make the secondary public key derivable from the original public key. M ...

Score: 1
phi.nm
How was the adversary's success probability calculated in this 2002 paper by Dodis, Katz, Xu, Yung about key-insulated signature schemes?

In this paper ("Strong key insulated signature schemes" by Dodis, Katz, Xu, Yung (2002)), I understand most of the proof for Lemma 1 (pg. 9); I struggle with how some of the probability is calculated though.

No need to read the paper, I think, all you need is the following:

Context

  • Adversary $A$ breaks (the "new") scheme $\Pi$
  • Challenger $A'$ wants to break the underlying scheme $\Theta$ usin ...
Score: 0
killertoge
An algorithm to break 2DES with less operations than exhaustive search

Exercise 3.6 from Cryptography and Engineering Consider a new block cipher, DES2, that consists only of two rounds of the DES block cipher. DES2 has the same block and key size as DES. For this question you should consider the DES F function as a black box that takes two inputs, a 32-bit data segment and a 48-bit round key, and that produces a 32-bit output. Suppose you have a large number of plaintext- ...

Score: 3
How easy is it to fake a file hashed with three functions, CRC32, MD5 and SHA-1?

File-A is hashed with CRC32, MD5 and SHA-1.

How easy is it to create a fake file-B that has the same hashes as file-A (CRC32, MD5 and SHA-1)?

Can an average PC with a GPU calculate a triple hash collision of file-A? And how long would it take?
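
The three checksums in this question are not equally hard to match. CRC-32 is a linear checksum, not a cryptographic hash: given any file-B, four appended bytes can be solved for exactly, with no search at all. The added example below (not part of the post) does that with only the standard library; `forge_suffix` runs the CRC register backwards from the target value. MD5 and SHA-1 are a different matter: the practical attacks on them are collision attacks (two files the attacker controls), whereas matching a fixed, pre-existing file-A is a second-preimage problem, and no practical second-preimage attack on either is known.

```python
"""Forge a CRC-32 match: append 4 bytes to file B so it carries file A's CRC-32.

CRC-32 is linear over GF(2), so matching it is a 32-bit algebra problem.
Added example using only the standard library; file contents are constructed.
"""
import zlib

POLY = 0xEDB88320  # reflected IEEE 802.3 CRC-32 polynomial, as used by zlib


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high byte of each table entry is unique, so the top byte of a register
# value tells us which table entry was XORed in during the last step.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that crc32(data + s) == target_crc."""
    reg = crc32(data) ^ 0xFFFFFFFF   # internal register after processing `data`
    want = target_crc ^ 0xFFFFFFFF   # internal register we need at the end
    # Feeding bytes b0..b3 is equivalent to XORing the little-endian word
    # (b0 | b1<<8 | b2<<16 | b3<<24) into the register and then feeding four
    # zero bytes. A zero-byte step is reg' = TABLE[reg & 0xFF] ^ (reg >> 8),
    # which is invertible, so undo four of them starting from `want`.
    for _ in range(4):
        idx = REV[want >> 24]
        want = (((want ^ TABLE[idx]) << 8) | idx) & 0xFFFFFFFF
    return (want ^ reg).to_bytes(4, "little")


def demo():
    file_a = b"Genuine invoice: pay 100 EUR to account 1234\n"    # constructed
    file_b = b"Tampered invoice: pay 9999 EUR to account 6666\n"  # constructed
    forged_b = file_b + forge_suffix(file_b, crc32(file_a))
    return crc32(file_a), crc32(forged_b), forged_b


if __name__ == "__main__":
    a, b, forged = demo()
    print(f"CRC32(file-A) = {a:08x}, CRC32(forged file-B) = {b:08x}")
```

The forged file keeps every byte of the tampered content and differs from it only in a four-byte tail, which is why CRC-32 should only ever be read as an accidental-corruption check, never as an integrity control against an adversary.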

Score: 0
Random sampling vs incrementing randomness in cryptographic protocols

As an example to my question, I post the ECDSA signing algorithm for reference (from wikipedia) to sign a message $m$:

  1. Calculate $e = H ( m )$.
  2. Select a random integer $k \in [ 1 , n − 1 ] $
  3. Calculate the curve point $( x_1 , y_1 ) = k × G $
  4. Calculate $r = x_1$ mod $n$. If $r = 0$ , go back to step 2.
  5. Calculate $s = k ^{− 1} ( z + r d_A )$ mod $n$. If $s = 0$, go back to step 2.
  6. The signatur ...
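
The reason step 2 insists on a uniformly random $k$ rather than, say, a counter: any known relation between the nonces of two signatures turns the two signing equations into a solvable linear system in $k$ and $d_A$. The added example below (not from the post) signs two messages with textbook ECDSA over secp256k1, the second with $k_2 = k_1 + 1$, and recovers the private key from the two signatures and the public data alone. Here $z$ is the hash of the message, the value step 1 calls $e$; the curve parameters are the standard secp256k1 constants.

```python
"""Recovering an ECDSA private key from two signatures whose nonces differ by a
known constant (k2 = k1 + 1). Pure-Python textbook ECDSA on secp256k1.
Added example; the messages and keys are generated on the fly."""
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Steps 1-5 of the post with a caller-supplied nonce k."""
    z = hash_to_int(msg)
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    assert r and s, "degenerate nonce; would retry with a new k"
    return r, s


def verify(Q, msg, sig):
    r, s = sig
    z = hash_to_int(msg)
    w = inv(s, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_key_from_incremented_nonce(m1, sig1, m2, sig2, delta=1):
    """Given k2 = k1 + delta, solve the two signing equations for k1 and d.
    s1*k1 = z1 + r1*d  and  s2*(k1 + delta) = z2 + r2*d; eliminating d gives
    k1*(s2*r1 - s1*r2) = z2*r1 - z1*r2 - s2*r1*delta."""
    z1, z2 = hash_to_int(m1), hash_to_int(m2)
    (r1, s1), (r2, s2) = sig1, sig2
    num = (z2 * r1 - z1 * r2 - s2 * r1 * delta) % N
    den = (s2 * r1 - s1 * r2) % N
    k1 = num * inv(den, N) % N
    return (s1 * k1 - z1) * inv(r1, N) % N


def demo():
    d = secrets.randbelow(N - 1) + 1          # private key
    Q = ec_mul(d, G)                          # public key
    k1 = secrets.randbelow(N - 2) + 1
    m1, m2 = b"first message", b"second message"
    sig1 = sign(d, m1, k1)
    sig2 = sign(d, m2, k1 + 1)                # "incrementing" nonce
    assert verify(Q, m1, sig1) and verify(Q, m2, sig2)
    return recover_key_from_incremented_nonce(m1, sig1, m2, sig2) == d
```

The same algebra works for any known affine relation $k_2 = a k_1 + b$, and for repeated nonces ($a = 1, b = 0$) it collapses to the well-known one-line key recovery. If a good random source is unavailable, the accepted fix is a deterministic nonce derived from the private key and the message (RFC 6979), which is unique per message yet unpredictable to anyone without $d_A$.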
Score: 2
mezenkur
How much randomness to reasonably "launder" a compromised TRNG?

Assume I have a physical RNG module that generates $n$-bit random numbers that pass randomness tests such as the Dieharder suite. As it is a black box device with an unknown source of randomness, let us also assume it has potentially been partially compromised: an attacker who knows the workings of the RNG module, given a single previous state, can correctly guess the next state in $2^{n-m}$ steps for ...

Score: 0
What are the fastest algorithms that sample from the uniform distribution?

Lots of cryptography algorithms rely on pseudorandom number generators. Sometimes, given a plaintext, you need to generate a pseudorandom number from it. What are some fast algorithms that do so?

I've seen one that uses SHA256 and other that uses AES, but I couldn't find any literature about them or some implementation that I can use. They should be fast because processors nowadays have hardware  ...

Score: 0
caveman
Can we use symmetric/hashing functions to sign messages as a quantum-proof replacement of public-private key signing?

Public-private key signing generally works like this:

  1. I announce my public key.
  2. I encrypt something with my private key.
  3. If people managed to decrypt (2) with (1) then (2) is from the owner of (1).
  4. People then can encrypt things to me using the public key in (1).

Signing can also be done using hashing or symmetric cipher algorithms, but the verification happens when the person publishes his old r ...
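
Signatures built from nothing but a hash function do exist and are a standard building block of post-quantum schemes. The oldest is the Lamport one-time signature (1979): the private key is a list of random preimages, the public key is their hashes, and signing reveals one preimage per bit of the message digest. The added example below (not from the post) implements it with SHA-256 and also shows the catch in the name: once the same key has signed a handful of messages, an attacker holding only those signatures can assemble a valid signature on a message of their own choosing. Multi-signature hash-based schemes (XMSS, SPHINCS+) exist precisely to manage this with trees of one-time keys.

```python
"""Lamport one-time signatures from SHA-256, and why the key must be used once.
Added example; keys and messages are generated inline."""
import hashlib
import secrets

BITS = 256  # we sign the SHA-256 digest of the message, one preimage per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bit_at(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    # Private key: 256 pairs of random 32-byte preimages.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    # Public key: the hash of every preimage, published before any signing.
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    d = H(msg)
    # For digest bit i, reveal the preimage for that bit value only.
    return [sk[i][bit_at(d, i)] for i in range(BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == BITS and all(
        H(sig[i]) == pk[i][bit_at(d, i)] for i in range(BITS))


def forge(signed, target_prefix: bytes, max_tries=10_000):
    """Attacker with q (message, signature) pairs under ONE key and no private
    key. Every signature leaks one preimage per position; after q signatures most
    positions have both preimages exposed. Vary a counter in the target until
    every digest bit of some target is covered by a leaked preimage."""
    known = [dict() for _ in range(BITS)]
    for msg, sig in signed:
        d = H(msg)
        for i in range(BITS):
            known[i][bit_at(d, i)] = sig[i]
    for ctr in range(max_tries):
        target = target_prefix + str(ctr).encode()
        d = H(target)
        try:
            return target, [known[i][bit_at(d, i)] for i in range(BITS)]
        except KeyError:
            continue  # some bit of this target needs a never-revealed preimage
    return None


def demo(q=10):
    sk, pk = keygen()
    msgs = [b"payment %d" % i for i in range(q)]  # constructed messages
    signed = [(m, sign(sk, m)) for m in msgs]
    honest_ok = all(verify(pk, m, s) for m, s in signed)
    tampered_ok = verify(pk, b"payment 0 to attacker", signed[0][1])
    forged = forge(signed, b"pay attacker 1000000 #")
    forged_ok = forged is not None and verify(pk, forged[0], forged[1])
    return honest_ok, tampered_ok, forged_ok
```

With a single signature the forger would need all 256 digest bits of the target to line up with the one revealed preimage per position, which is hopeless; with ten signatures under one key only about half a position on average remains unexposed and the forgery succeeds after a few counter values. Key sizes are the other cost: here a public key is 16 KiB and a signature 8 KiB, which is why practical hash-based schemes work hard to compress them.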

Score: 7
Tomasz Nazarenko
Can we pick which key is private or public in asymmetric encryption? Do the keys actually encrypt and decrypt a cipher text?

Could you help me better understand how the key-pair works in Asymmetric encryption?

I'm studying cryptography at the surface level first. While reading multiple texts and talking with colleagues I'm still not sure about two things.

  1. After generating a key-pair can we pick which key will be private or public? My first assumption was that we can, but after reading about the algorithms it looks like we can ...

Score: 1
Paprika
How does hypergeometric sampling work in order-preserving encryption?

According to https://crypto.stackexchange.com/a/8800/53007:

Start with the entire domain [M] and range [N]. Call y←N/2 our range gap. Now using our key k we generate some pseudorandom coins and give them to our HGD sampling routine along with y, M, and N. This gives us an x≤y that describes the number of points of our order-preserving function less than y.

What does the HGD sampling do exac ...

Score: 7
Is there a form of cryptography where the key is derived from the plaintext

Imagine you are building a shared remote storage system where you send everyone's files to a central storage, but you want to de-dup the files between multiple users so we don't store the same file more than once. At the same time you want to encrypt the data so the service provider or anyone who doesn't have the file can't decrypt the file.

In this case you can imagine deriving a symmetric encry ...
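
What the question describes is known as convergent encryption, formalised as message-locked encryption by Bellare, Keelveedhi and Ristenpart (2013): the key is a hash of the plaintext, so two users holding the same file produce the same ciphertext and the server can deduplicate without being able to read it. The added example below (not from the post) is a stdlib-only toy: a SHA-256 counter-mode keystream stands in for a real cipher such as AES, and a hash of the key serves as the dedup tag. It also shows the price of deriving keys from content: anyone who can guess a file, including the server, can confirm whether someone stored it, which is why deployed designs such as DupLESS (Keelveedhi, Bellare, Ristenpart, 2013) mix in a server-held secret via an oblivious protocol.

```python
"""Convergent (message-locked) encryption: key derived from the plaintext, so
identical files deduplicate, plus the confirmation-of-file attack it enables.
Added example. Toy SHA-256 keystream, NOT a production cipher; data constructed."""
import hashlib
import secrets


def derive_key(plaintext: bytes) -> bytes:
    # The key depends only on the content, so anyone holding the file derives it.
    return hashlib.sha256(b"convergent-key|" + plaintext).digest()


def keystream(key: bytes, n: int) -> bytes:
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(plaintext: bytes):
    key = derive_key(plaintext)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    # Dedup tag: a hash of the key (never the key itself) lets the server match
    # uploads without gaining the ability to decrypt.
    tag = hashlib.sha256(b"dedup-tag|" + key).digest()
    return tag, ct


def decrypt(key: bytes, ct: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


class Server:
    """Stores one ciphertext per tag; returns whether the upload was new."""

    def __init__(self):
        self.store = {}

    def upload(self, tag: bytes, ct: bytes) -> bool:
        is_new = tag not in self.store
        self.store.setdefault(tag, ct)
        return is_new


def confirm_file(server: Server, candidate: bytes) -> bool:
    """Anyone who can GUESS a plaintext (server, or anyone who sees the tag list)
    learns whether some user stored it, with no key material at all."""
    tag, _ = encrypt(candidate)
    return tag in server.store


def demo():
    server = Server()
    doc = b"Quarterly report: revenue 12.3M, headcount 410.\n"      # constructed
    note = b"my password is " + secrets.token_hex(8).encode()       # unguessable
    alice, bob = encrypt(doc), encrypt(doc)
    server.upload(*alice)
    bob_was_new = server.upload(*bob)           # False: deduplicated
    server.upload(*encrypt(note))
    return {
        "same_ciphertext": alice == bob,
        "bob_deduped": not bob_was_new,
        "roundtrip": decrypt(derive_key(doc), alice[1]) == doc,
        "server_confirms_guessable_doc": confirm_file(server, doc),
        "server_confirms_random_note": confirm_file(server, b"my password is hunter2"),
    }
```

Deduplication and confidentiality therefore trade off directly: the scheme protects exactly those files an attacker cannot guess, and nothing else. A file with a few thousand plausible variants (a form letter, a template with one name filled in) is enumerable in seconds.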

Score: 0
caveman
Non-overlapping seeded numbers generator for small output range

Seen this, but it's sort of useless as it allows for trivial solutions by increasing the size of the output's space up to a point any hashing function will achieve non-collision.

This question is trying to be a less useless version of that. I.e. to be about the case where the output range is small. Say that my outputs space is $\mathcal{S} = \{0, 1, \ldots, 10^{6}\}$. Here, collisions by using h ...

Score: 1
Verifying result of (EC-)Diffie-Hellman

I received a public key by JSON.

For the example, I have 4 keys: 2 public keys and 2 private keys.

public A : co2D0pNxZJIeQ4RZlCRJYBDzNXSLluETdztid0M+HGzN1uGJ4JWZsenjWgRrmkLh3yqHQqzOBMl/wHVH97A6+g==

private A : TXxii5Ka8LMvuc9arHu63qTmNKxGlgti+wpR3YhBGew=

public B : nUblC+OKdl94iBiWk0941wmYBiMt7C90CjOJPI2BPr8K7xGuC1XsR5DtwFCoM3Iew2BjBG+5SqrYwAPTJF7gdA==

private B : sm6V7+hChvkFSeLNoR+5tItiX8gH5tT47 ...
Score: 2
Bean Guy
Does the degree of this polynomial matter to achieve zero-knowledge? PlonK question

I was reading the PlonK paper, and in Round 1 they claim to achieve zero-knowledge by adding random multiples (of degree one) of the polynomial $Z_H = x^n - 1$ to the secret polynomials.

Here, $H$ is the set containing the $n$-th roots of unity and is typically described as $$H = \{\omega, \dots, \omega^{n-1}, \omega^n = 1\},$$ where $\omega$ is a primitive $n$-th root of unity.

So, the setting is  ...

Score: 0
Sidney Deane
Necessity of PBKDF2 in current Setup?

I have a single password which is random bytes that encrypts a database. Right now I am using an encryption scheme of https://gist.github.com/jbtule/4336842. To summarize, we take our one password, generate a salt for an auth key and a crypt key, run PBKDF2 with 10,000 iterations to generate the keys, then use AES to encrypt and HMAC to authenticate. The salts are then stored next to the ciphertext ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.