Latest Crypto related questions

I am studying a cryptography video on Coursera here titled: Modes of Operation: Many Time Key (CTR).

I have just two simple questions:

1. At around 4:30 in the video they show 2^48 without saying where this number came from, perhaps it forms part of the AES specification?

2. They then go on to explain that they plugged in the value 2^48 into the underlined equation on the line above, to calculate how ma ...

I have a device that needs to communicate with another host and exchange fixed-length messages. All traffic should be encrypted and authenticated, and it should be resistant to replay attacks. Unfortunately relying on TLS is not an option, so I need to implement some custom protocol. I have control of both devices so I can securely generate and distribute a shared key $k$.

I thought to use AEAD with  ...

If a piece of software is running in FIPS mode and using FIPS-certified cryptographic modules, is it permitted to execute any non-FIPS algorithms even if the security of the system is not uniquely dependent on them?

Example: lets say you have a system that exchanges two ECDH key pairs: one curve25519 key pair and one NIST P-384 key pair. Key agreement is performed using both key pairs and then th ...

$h'(x) := h(a_1 \parallel x \parallel b_1) \parallel h(a_2 \parallel x \parallel b_2) \parallel h(a_3 \parallel x \parallel b_3) \parallel \dots \parallel h(a_k \parallel x \parallel b_k)$

$a_i$ and $b_i$ are known prefixes and suffixes.

If $h$ is MD2 or MD4, how much work would it take to find a second-preimage to $h'$?

Just to be clear: The output of $h'$ is relatively long, $k$ times longer than  ...

The TLS 1.3 RFC, section 7.1 lists this as the last part of the key schedule:

https://datatracker.ietf.org/doc/html/rfc8446#section-7.1

            ...
   0 -> HKDF-Extract = Master Secret
             |
             +-----> Derive-Secret(., "c ap traffic",
             |                     ClientHello...server Finished)
             |                     = client_application_traffic_secret_0
     ...

According to Wiki there is a possibility of non-interactive Zero-Knowledge Proof of discrete logarithm if challenge $c$ is computed via a hash function. But what is the purpose of $c$? Why can not I always set $c=1$? Does it make the system vulnerable?

I did try to prove the interactive proof system and generalized interactive proof system are equivalent. According to both definitions are in the pictures. However, I still struggling to do it. Please help me solve this.

A large number of SCA papers that talk about ECDSA mention the need for blinding/randomisation of the signing process, typically with a single-sentence comment about replacing the projective coordinates (X,Y,Z) with randomised ones (lambda^2X,lambda^3Y,lambda*Z) and declaring the problem solved, but nothing really seems to provide any detail of what specific steps are required. In particular looking at  ...

Keccak - as used in SHA-3 / SHAKE amongst others - can also be used for authenticated encryption.

However, there already seem multiple schemes defined for it, including their own implementations:

1. Ketje:

   1. Kejte Jr;
   2. Kejte Sr;
   3. Kejte Minor and
   4. Kejte Major

2. Kravatte (excluding the deprecated/broken schemes):

   1. Kravatte-SANE and
   2. Kravatte-SANSE (SIV)

3. Keyak:

   1. River Keyak;
   2. Lake Keyak;
   3. Sea Keyak;
   4. Ocean Keyak  ...

On this webpage, Daniel Bernstein offers that the curve must be quadratic twisted secure. This means that if the curve has $\#E$ points on $Z_p$ where $\#E=p+1-t$, then the quadratic twist curve has $\#E'=p+1+t$ points. The condition for quadratic twisted secure curves is that the cofactor of a quadratic twist curve is low. For example, the cofactor of a curve is 8 and the cofactor of a quadratic twist c ...

good day. I am asked to design the a simple algorithm to generate random session key id of block length of 8 and change continuously every time it refreshes. Is there any simple algorithm to create random session key id encrypt and decrypt it? I would prefer not to use library supported in python module.

Please kindly advise.

I have created a hash function. If I am asked whether it conforms to the definition of a hash function, I only know that it should have a fixed-size output. I use multiplication and adding of every plaintext character with the random number I assigned.

Aside from the fixed-size output, what other characteristics must a hash function have, and why?

I have been studying the DC of DES. As a beginner, I completed the general structure of DES and began DC. I understand the idea of attack, how to find different characteristics for differential cryptanalysis of des-like systems?

Can someone explain them to me or point out a good explanation on the Internet?

I’m trying to get a good understanding of how data encryption and signing work. I imagine these vary a bit depending on the software being used.

In particular, I am wondering about this: how much data can be verified by an electronic signature?

I searched but found nothing except the original paper, and I can't wrap my head around it. Can you help me by giving an overview and then if possible, a short explanation of the algo?