Latest Crypto-related questions

Score: 2
Specialized simulators in Universal composability

The UC framework [Can00 (version of 2020-02-11)] defines security (defn 9) as for all adversaries there exists a simulator such that for all environments the environment output is indistinguishable in the ideal and real model. $\forall A \exists S \forall E$: $$EXEC_{\varphi,S,E} \approx EXEC_{\pi,A,E}$$ where $EXEC_{\pi,A,E} = \{EXEC_{\pi,A,E}(k,z)\}_{k \in \mathbb{N},z\in\{0,1\}^*}$. This means ...

Score: 1
ming alex
Can this kind of encryption scheme be useful in practice?

Recently, I had an idea to construct a public-key encryption scheme which contains five algorithms:

  1. Setup($1^k$): generate public parameters $pp$ and a master key $mk$.
  2. KeyGen($pp$): take $pp$ as input and generate public key $pk$ and secret key $sk$.
  3. Encryption($msg, pk$): take $msg, pk$ as inputs, output ciphertext $c$.
  4. Decryption($c, sk$): take $c, sk$ as inputs, output message $msg$.
  5. Global ...

Score: 2
elonnoe
Advantage of Adversary against a simple function?

The attacker has to win the following game by distinguishing whether the output was updated by a certain function or not.

  1. Attacker queries an oracle for the output.

  2. The oracle generates 4 fresh random bytes $a$, $b$, $c$, and $d$ and one random bit $x$.

  3. If $x=0$, the oracle outputs the values of $a$, $b$, $c$, and $d$.

  4. If $x=1$, it first updates the values using the following equations (applied sequentially) and then outputs the updat ...

Score: 1
Mohamed Amine
PRNG For RSA (ANSI_X9.31)

I have a query, please. I want to know how to generate random numbers using the ANSI_X9.31 algorithm for the RSA algorithm. Thank you.

Score: 3
fgrieu
Multi-target attacks of ECC public keys

Imagine a situation where there are many high-value public keys around, using the same Elliptic Curve group, say $k$ in the millions of public keys¹. Can an adversary reasonably find one of the matching private keys at much lower cost than finding the private key for a particular one?

What's the best feasible² method? What's its cost relative to the best known feasible method for one key (that is, I b ...

Score: 1
user10030
Can there be an injective function that maps a large set of integers to a smaller set while being "collision-aware"

Consider two sets:

The "big set" contains all integers between $0$ and $2^{160}$ exactly once.

The "small set" contains all integers between $0$ and $2^{32}$ exactly once.

Given that the number of members in the "big set" is greater than those in the "small set", there can't be an injective function $f(n_b) = n_s$ mapping any input being a member of the "big set" $n_b$ to an output that's a membe ...

Score: 0
Red Sun
Set membership proof for private value and set

This set membership proof is used in P2P networks, when one party possesses a private value, and the other party possesses a set. They would have to broadcast some data associated with the value and set through the network, and any third party is able to confirm that the value belongs to the set. No party should be able to obtain the set or value from the broadcast data.

Using hash functions  ...

Score: 1
Tommaso Macchioni
Where are the seeds for the initial key exchange phase taken from?

I know that the standard DH and ECDH key exchange algorithms require the client and server to agree on a large prime number and a generator (in the DH algorithm) or a curve and a point (in the ECDH algorithm), but if I inspect the SSH packets there is no sign of these shared seeds. How do they get them then?

I checked the packets and the only messages, after the "Key Exchange Init" and before the

Score: 4
DannyNiu
Can modular exponentiation with a public index be considered a secure permutation?

A secure permutation can be used in Sponge and Duplex constructions to build hash functions and encryption. To potentially use them in public-key cryptography, some arithmetic properties are desired.

Can modular exponentiation with a public index be considered a secure permutation? What public attacks are available? Are there constructions proven to be insecure?

Score: 8
Why Elliptic Curve Cryptography protocols depend on fixed curves?

I'm learning about Ed25519. It depends on a bunch of magic values: The finite field of order $2^{255}-19$, the specific elliptic curve over that field, a specific point on that curve. This is in contrast to Diffie-Hellman or RSA.

Why is that? And conversely, why doesn't DH fix the prime number and the generator, or RSA fix, say, the $n = pq$ value?

I suspect that in case of DH & RSA it's very easy  ...

Score: 0
Ezequiel Tomás Moreno
Can it be proved that both AES's ShiftRows and MixColumns are linear transformations? (if we leave out SubBytes and key addition)

I've been researching a bit and found that the MixColumns step could be expressed as a matrix multiplication like this:

[image: matrix permutation example]

But I'm not sure what the mathematical proof for it is, and I can't find an example for the ShiftRows step.

Any hints? (thanks in advance)

Score: 1
Securing counter value for OTP

I'm working on a project that needs an OTP based on a counter value, and I need some advice.

Suppose we encrypt the counter value C in this way, and let's say our sent packet is P = AES(key, C). If the counter value C is leaked, will this cause a security problem? I tried to find some papers regarding this but failed.

Thank you!

Score: 0
Neetoo InfoSec
Checksum - School Project

I'm working on a challenge at school on the Internet, to learn programming and all security issues: "An API request is protected by a checksum" and we have to bypass this. The checksum format is really weird; I've never seen something like it before. I think it converts the whole string into an array of bytes; after that I don't know.

I'm searching for the algorithm to calculate the checksum.

Input : "a" --> "86896971335564 ...

Score: 3
sarmluk
Schnorr signature in two steps, known vulnerabilities

We are looking to perform all the calculations for a Schnorr signature, more precisely EC-FSDSA (BIP340-Schnorr), inside a secure element, with the exception of the hash operation, which is not supported and must be performed outside of the secure element.

Assuming the signature is the following: d = private key, R = k.G = Q (unique random key, TRNG sourced inside the secure element, can only be used once) ...

Score: 3
Wenling Liu
Why define the dual of an ideal lattice with "Tr" rather than inner product?

In the paper [LPR12], I've learned that ideal lattices are ideals in algebraic number fields. However, I can't understand why we define the dual lattice of an ideal lattice with $\operatorname{Tr}$: $$ {L}^{\vee}=\{x \in K: \operatorname{Tr}(x {L}) \subseteq \mathbb{Z}\} $$

In detail, I mean, for any algebraic number field $K$, there's an embedding that embeds it into the space $H$. For $K=\mathbb Q[\zeta]$ ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.