Latest Crypto related questions

In his Paper "Authentication weaknesses in GCM" Ferguson describes, how some bits of the error polynomial can be set to zero, thereby increasing significantly the chance of a forgery.

Q: What does it mean in detail? That the resulting equations do not solve the problem of obtaining forgery completely, but the solution space is significantly reduced? So we can fix some bits of the error polynomial ...

Suppose in two RSA instances the same $p,q,N$ are used, but different public keys $a,b$ (and corresponding private keys)

Suppose now we have the two equations

$c_{1}=m^{a} \bmod N$

$c_{2}=m^{b} \bmod N$

Is it possibe to retrieve the original message $m$ with this information?

In the context of a host-proof storage service, is there an encryption scheme that allows me to prove to the server that I own the secret key to decrypt the ciphertext I am currently uploading but (indeed) without revealing the key nor the plaintext message?

Said differently, is there a way for the server to be sure that 1) an uploaded file is encrypted and that 2) the user owns the key to decryp ...

It is widely known, that using a GCM nonce twice or even more often can be used to disclose the authentication key H. I understand, why this is theoretically possible. However, I have no feeling about the computational effort behind obtaining polynomial roots in GF($2^{128}$). Is there a straightforward algorithm available or do we need to apply some brute-force methods to factor a given polynomia ...

I want to compare additive secret share to Paillier encryption. However, I haven't found out how to set the parameters in such a way that the security level is consistent. Additive secret share (explained in SecureML) just like this: $a_1 = a - a_0 \mod 2^l$

Can the Discrete Logarithm ZK be implemented on elliptic curves? It seems that such an implementation should look like the following:

1. $Y = \alpha G$
2. Random pick $v$
3. $t = vG$
4. $c = H(G, y, t)$
5. $r = v - cx$
6. Check: $t = rG + cY$

If yes, can I use ed25519 for this purpose and how can I select $G$?

According to Fiat–Shamir heuristic there are two parameters of the algorithm: big prime number $p$ and primitive root $g$. Thus several questions arise:

1. How big should the prime number $p$ be? How to select $p$ so that, for example, Pohlig–Hellman algorithm or other known algorithms could not break it?
2. How to select the primitive root $g$? As far as I know, it is an NP problem
3. Is it safe to u ...

For validating the ChaCha20 encryption/decryption algorithm written in VB.NET, I am looking for more ChaCha20 test vectors that are based on the final spec for ChaCha20 that can be found here. See the test vector in sub-chapter 2.3.2. This test vector validates my code which provides the exact result specified in the test vector. (there is an almost identical vector later in on the document, two blocks wi ...

In a quest to better understand randomness extractors (in the context of TRNG post-processing), I read some papers about the von Neumann Extractor and Santha-Vazirani (SV-) sources. The von Neumann extractor is a simple algorithm that works on independent, biased sources such as a biased coin. However, available physical sources of randomness are imperfect and are biased and correlated. Santha and Va ...

The Key Schedule in the TLS 1.3 RFC starts like this:

             0
             |
             v
   PSK ->  HKDF-Extract = Early Secret
             |
             +-----> Derive-Secret(., "ext binder" | "res binder", "")
             |                     = binder_key
             |
             +-----> Derive-Secret(., "c e traffic", ClientHello)
             |                     =  ...

I have been studying various crypto attacks, and one of the attacks that I have recently studied was the padding oracle attack. Now, I mostly understand it, but there is one aspect of the padding oracle attack that different teachers from different sources have confused me about:

Let's say I have a URL:

http://somesite.com/place?ciphertext=aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd ...

This is a follow-up to a prior question Does matrix multiplication of hash digests admit manipulation of the result?; this formulation failed because it admitted singular matrices and therefore degenerates to the zero matrix after enough elements are multiplied. The answerer suggested using a field like $GF(256)$ instead of a ring and rejecting singular matrices, which is what this question explo ...

Just want to make sure that my understanding is correct whether there is only one public key for any private key, and vice versa.

I know that there are many algorithms, and this may not be a property of all of them (or is it?..), hence the tagging of RSA only.

Suppose, we have a circuit which outputs a sha256 hash of a concatenation of Alice's input and Bob's input (where Alice is the garbler and Bob is the evaluator).

I am trying to understand what methods can Alice resort to when garbling the circuit maliciously to leak at least one bit of Bob's input into the output. (It is not as important in my case that the circuit's output will be wrong, only th ...

We already know many examples of post-quantum cryptography for asymmetric, symmetric and digital signature algorithms, but is there any risk for hash functions to be attacked with quantum computers and are there any examples of post-quantum hash functions?