Latest Crypto related questions

Score: 4
Hash function and operation commuting over composition

Is there a hash function $H$ and operation $\otimes$, which fulfill the following property?

$$ H(A) \otimes H(B) = H(A \otimes B) $$

$A$ and $B$ are two byte blocks of identical length, if necessary restricted to a fixed length (e.g. 128 bytes). $H$ should be a cryptographic hash function, in particular, it should be pre-image and collision resistant.

Idea

One idea based on a system of equations using  ...

Score: 0
How can I recover the Mersenne Twister state when I only have part of the bits?

https://github.com/tna0y/Python-random-module-cracker Here, when we get 32*624 bits of output from the Mersenne Twister, we can recover the Mersenne Twister. My question is: when we only get part of the bits, how can we recover the Mersenne Twister? For example, the function getrandbits from the Python random module gives only part of the bits. Is it possible to untwist it?

Score: -1
Padding and the MD5 algorithm

In MD5, if M=100, how can we perform padding on it and how many blocks are needed in each round?

These are general questions for understanding padding and rounds.

Score: 0
Why is the cofactor of twisted Edwards curve chosen 8?

While the cofactor of an Edwards curve is chosen to be 4, the cofactor of a twisted Edwards curve is chosen to be 8. I can't understand the reason for this. Can we choose cofactor 4 for a twisted Edwards curve?

Score: 1
CDH solver algorithm construction

If $A$ is an efficient algorithm that solves the Computational Diffie-Hellman problem for $\frac{1}{2}$ of the inputs and returns a special symbol for the rest, how can I use $A$ to construct another algorithm B which solves $CDH$ with a higher probability ($1 -\frac{1}{2^k}$) ?

Score: 0
Why does RFC 6979 need so many loops?

I recently started reading RFC 6979. I'm curious why it needs so many loops.

This post asks a similar question: "RFC 6979 - Why not simply hash the message & the private key for deterministic ECDSA?", but my doubts are still unanswered.

Why can't the $k$ used in ECDSA be just like $k = SHA256(sk + HASH(m))$?

Is it just because HMAC_DRBG has a better security proof?

Score: 1
Encryption of small data with fixed key and incremental IV

I have a Bluetooth device that sends a small package periodically (without receiving). I want to encrypt and authenticate the data using AES-128. It has an embedded random and unique key which is burned to the memory at production and it is known to the receiver. I have the following message structure:

Counter | Payload  | Magic   | Padding
4 bytes | 10 bytes | 4 bytes | 2 bytes

Counter is not encrypted  ...

Score: 1
What security does the BMR protocol offer against corruption?

I've been conducting some research into general-purpose MPC protocols and have been unable to pinpoint the exact security offered by the BMR protocol. The reference I've been using for the majority of my research is "A pragmatic introduction to secure multi-party computation" by Evans et al., which states that BMR is able to achieve security "against any $t < n$ number of corruptions among ...

Score: 2
Can we combine two true random generators to obtain a new one?

It is well known that a true random generator exploits the randomness that occurs in some physical phenomena. Also, the output of a true random generator can be either biased or correlated. Therefore, de-skewing techniques are required.

My question is: if we have two true random bit generators whose outputs do not pass the NIST test suite, can we combine these outputs to obtain a random bi ...

Score: 0
Checking whether a particular group has an efficient, faithful representation as a matrix group

There are cryptographic protocols being developed for non-abelian groups. For some protocols it is necessary to know whether the group has an efficient representation as a matrix group (say, a matrix group over a field $\mathbb{F}$).

What should I do to find out whether a semidirect product of finite groups can be represented as a matrix group efficiently?

Particularly, say semidirect products of the fo ...

Score: 1
Construction of key recovery attack in O(2^(n/2))

I have to construct a key recovery attack on symmetric key encryption using a publicly known permutation $\Pi$ in $O(2^{n/2})$ time using $2^{n/2}$ queries to an encryption oracle.

The encryption is done as $\Pi(m \oplus K) \oplus K$, where $K$ is the key. Both $m$ and $K$ belong to $\{0, 1\}^{n}$.

I do not know how I can use the queries to do the key recovery attack in that time. I can ...

Score: 2
MS CryptoAPI RC4-1024 vs AES-128?

I'm trying to figure out MS CryptoAPI to generate a symmetric key on one computer then an RSA key on another, send over that public key to use to export the symmetric key to that other computer. I'm looking at their example here and it appears to create a session (symmetric) key of RC4 with a bit length of 1024 and then an RSA (AT_KEYEXCHANGE) of 1024 bits. Which then makes me wonder, how does RC4-1024 ...

Score: 0
What is a ciphertext-only attack and how is the OTP unbreakable under this attack?

I was wondering what a ciphertext-only attack actually is and how One-Time Pad encryption can't be broken by this attack?

Score: 1
What makes Argon2 also slow?

So as I understand it, Argon2 is a memory-hard function; in other words, it has to use a certain amount of memory, thus making it effective against GPUs.

So would this in theory, make Argon2 useless against an adversary with infinite memory?

But also if this is the case, then why does giving Argon2 a higher memory requirement also make it slower? Shouldn't it just take the same time but with more memory? ...

Score: 0
For a given security parameter $\kappa$, what does $poly(\kappa)$ mean?

Let ($Gen, Enc, Dec$) be an LHE scheme with security parameter $\kappa$ and message space $M$. Assume that a multiplication operation exists in $M$, i.e., $M$ is a finite ring. Let $F : \{0, 1\}^s \times L \to M$ be a pseudo-random function with seed space $\{0, 1\}^s$ ($s = poly(\kappa)$) and label space $L$.

I understand what $\kappa$ is as the security parameter of the encryption scheme, but I'm unfam ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.