Latest Crypto related questions

I understand roughly (without details of GF algebra) the scheme of GCS/GMAC:

IV is to be put into Counter-0, so initializing counters.

It is known, that using a IV twice can not only reveal the plain text but also the AES-Key itself.

I understand neither the first nor the second:

Q1: Why is confidentiality of the messages lost when using the same IV twice? Does it mean the plaintext can be inferred? Or  ...

I am currently thinking about how to prove that the algorithm presented in Bleichenbacher's paper (http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf) actually terminates.

I know that in each round the intervals in $M_i$ become smaller as we increase $s_i$, and that $m$ must be contained in exactly one interval from $M_i$. Since the intervals are intersected, it follows that the inte ...

all, I am working on federated learning and here goes my question:

Suppose there are two participants to do the federated learning. For some of the models (e.g. Logistic Regression models, assume one party has some features $X_1$ and the label $y$, the other has some other features $X_2$. The coefficients are denoted as $W_1$ and $W_2$, respectively), the schemes use "full encryption/mask", which ...

According to Wiki there is an approach for proving knowledge of $x$ such that $g^x = y$. How can I prove that I know $x_1, x_2$ such that $g^{x_1} = y_1, g^{x_2}=y_2$. Of course, I can make these proofs separately but I would like to combine them into a single one. My idea is to prove that I know such $x = x_1 + x_2$ that $g^x = y_1 y_2$. But is it safe? Does not it make the system vulnerable?

Circular security notions for PKE schemes capture the security of (PKE) schemes when encrypting the secret decryption key.

Is there an analogous notion but for encrypting the randomness used for the encryption? i.e. what if one first fixes the random coins $r$ to be used for for the encryption, and then computes the ciphertext for this $r$: $c := E_{pk}(m; r)$, with $m = r$?

It's clear that using the private ECDSA key $x$ as an additional input into the hash algorithm, as specified in RFC 6979, doesn't harm security (assuming HMAC_DRBG is a PRF).

But is it necessary?

Would there be any problem with allowing the signature algorithm to have the same output of $k$ for the same message regardless of the key used? Per Is it safe to reuse a ECDSA nonce for two signatures if the ...

Introduction

Earlier this year Claus Peter Schnorr claimed to have "broken RSA". The original paper was discussed in Does Schnorr's 2021 factoring method show that the RSA cryptosystem is not secure?. A revised version of his paper was posted on the iacr about a week ago and as per @fgrieu's comment, someone attempted to start a discussion around it: Is “Fast Factoring Integers by SVP Algorithms, cor ...

Rsynccrypto allegedly uses AES-CBC with a twist: If the last few bytes of plaintext meet a condition*, then stop, pad the current block and start encrypting new block from the current position in file while reusing the IV. Better example might be in pseudocode:

if (trigger(buffer, i)) {
  encrypt_next_block(buffer, i);
  init_encryption(iv);
} else if(is_block_boundary(i)) {
  encrypt_next_block( ...

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC.

This paper estimates the concrete number of bit operations required to perform the May–Meurer–Thomae (MMT) information set decoding (ISD) attack. It shows that this is significantly less than for any of the other ISD variants considered, including the B ...

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC.

For these cryptosystems, it seems that an attacker can use a "decoding one out of many" strategy as described here to decrypt one out of a list of $n$ ciphertexts, for a cost of approximately $\sqrt{n}$ times less than the cost of attacking a single ci ...

I am trying to send AES keys from one computer to another, but I need to provide some form of attestation of the key's provenance. How should I go about doing this?

I am using sodiumoxide, a Rust binding to libsodium that provides a function named sealedbox that requires the receiver's public key. However, they also mention that the message is encrypted with an ephemeral public key.

Does that mean that the sealedbox provides forward secrecy, or do I need to implement forward secrecy myself?

The idea of blockchain is clear to me - If we reach consensus and all participants have the same state, it is easy to verify transactions. But new mechanisms (like Z-Cash) allow this without the transaction information be publicly readable by all participants. How is this even possible?

1. Does BLS12-381 still provide 128bits security level?
2. How about BN12-254? 112bits? Is there any references about the security level on pairing?

A bunch of silicon Physical Unclonable Functions (PUFs) designs rely on variations of the propagation delay (due to process variation) of signals in different path. In many cases, a challenge selects the paths (e.g. using a muxer) to be compared and the response bit(s) compare the two paths (e.g. which signal arrived first or the number of oscillations in ring oscillators).

For example, here is a ...