Latest Crypto related questions

Using a block cipher with using either CTR or GCM mode gives us a stream cipher, the only difference being that CTR does not include a MAC tag or AAD but GCM does. I think these are the most commonly used modes of operations for block ciphers because ECB is insecure and CBC is not parallelizable.

Does this not reduce the effective algorithm block size to 1 bit as one bit gets mapped to another bi ...

In IKEv1 (RFC 2409), preshared secret is involved to key derivation where IKEv2 (RFC 7296) use it for only authentication. When we consider post-quantum security, this property makes IKEv1 suitable if preshared key has sufficient entropy. Therefore post-quantum extension of IKEv2 proposed in (RFC 8784) which is basicly adding an additional secret that is shared between the initiator and the responde ...

Background info:

I need to encrypt files in a enterprise workspace with several users. The goal is to encrypt files directly from browser to be saved on a server and each user could decrypt files for viewing.

Technical solution:

Create an random generated key Kw for the workspace for encrypting files with AES. This key won't never be stored either in database or in user session.

For each user, generate an ...

The common wisdom is that increasing the number of rounds of a block cipher can make it more secure. This is quite true if we consider the linear and differential attacks.

The Tiny encryption algorithm supports this theory. It has a simple round, and it becomes secure after 32 rounds. Even Schneier et. al has the support this theory in their TwoFish Paper.

However, with enough rounds, even bad round fun ...

Could you help to find an example of where the next kind of proof is performed, please? "if we can distinguish the randomly generated bits of a PRNG from a random sequence, then we can distinguish the underlying block cipher/permutation from a random permutation"

In Sage, there is a function: gen_lattice() that can generate a basis $$S \in \mathbb{Z}^{m \times m}_q $$ of a lattice $$\Lambda^\bot_q(A)$$, where $$A \in \mathbb{Z}^{n \times m}_q$$ is a random.

Therefore, $$AS = 0 \pmod q.$$

The question is: is there any method that can further obtain a matrix $$A \in \mathbb{Z}^{n \times m}_q.$$

(i.e., the TrapGen algorithm in AP09.)

The MuSig paper (2018) describes a Schnorr signature key aggregation scheme which lets a set of individual public keys to be merged into a single, "aggregated" public key.

In the protocol each individual public key creates an own signature which can be merged into the "aggregated signature". The aggregated signature will verify with the aggregated public key like the signature was created by only one ke ...

In Bleichenbacher's paper (http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf, section 3.1) he concludes that if m*s is PKCS#1 v1.5 compliant we get the following interval:

$2B \leq m\cdot s \bmod n < 3B$.

(k is the length of n in bits, $ B = 2^{8*(k-2)}$)

Given those bytes in the range, 3 to 11 may not contain any zero bytes, and at least one zero bytes follows from byte 11, ca ...

I have been messing around with cryptography (for recreational use) and I have created my own function that encrypts things for me. Now, with that being said, I freely admit that I am by no means an expert on cryptography and I know that rule 101 of cryptography is to not do it yourself. However, I am genuinely interested if my encryption function is secure. So, although I am not entirely sure if this i ...

I understand there are already few question here which are similar but mine is a bit different in that I want to split AES 256 bit into two 128 bit key and then use a different AES key of 128bit to encrypt the two 128 bit key for transport of the key between two processor. is this secure to do? I am currently limited due to the design of my system. Following is what I require:

• I need to transport the ...

Discussions from highly respected sources (details below) emphasize the importance of the implementation of cryptographic software to the effective security provided, with one particular case being sensitivity to timing attacks.

Clarification - Context is cryptographic signing of non-secret messages

@poncho's initial answer notes that attackers don't always have the luxury of determining the "user's" im ...

The obvious way for computing the trace of curve is counting the number of curve point and then compute the trace of the curve by $t=p+1-\#E$. Are there any faster way for computing the trace of the curve? The above way is very slow. This question is also following up the Finding of proper $d$ for Edward curve. I hadn't been receive the proper response for it.

It is known that AES is extremely secure, with its highest standard(AES-256) being able to protect the national secrets of most governments. Due to the nature of its steps, there's the question about its cyclicality, or how many full encryptions with the same key would it need to yield the plaintext back, supposing that the variation is AES-ECB-128 NoPadding, with only one full block of plaintext.

In an answer of here someone mentions:

if you have a hash-function-with-oracle-powers, then it is rather easy to generate a pseudo random stream from a secret key, by hashing K||n where K is the secret key and n is a counter. By XORing this key-dependent pseudo-random stream with the data to encrypt, you have a stream cipher.

In the same post there is also this part regarding using cryptographic has ...

I need a way to map some printable text to other printable text. E.g.:

Ian Boyd → Kcp Zbas

Notice some of the important requirements:

• uppercase is uppercase in output
• lowercase in input is lowercase in input
• spaces (and anything else outside of A-Z0-9) are left alone

The additional requirement is that it be deterministic, that is the same input always gives the same output:

• Ian Boyd → Kcp Xbas ...