Latest Crypto related questions

In David Wagner's article A Generalized Birthday Problem, he said and I quote:

Our algorithm works only when one can extend the size of the lists freely, i.e, in the special case where there are sufficiently many solutions to the k-sum problem.

1. Does that means that the generalized birthday attack only applies for the problems with multiple solutions?
2. Why is it not suitable for the problem with on ...

In the Noise protocol, is it safe to reuse static key pairs in different handshake patterns? Like using XK to communicate between client and server, and KK to communicate between clients, but with the same static keys.

Let $K,X$ be sets and let $F:K\times X\rightarrow X$ be a function. For each $k\in K$, let $f_{k}:X\rightarrow X$ be the function where $f_{k}(x)=F(k,x)$ whenever $k\in K,x\in X$. Assume that each $f_{k}$ is a bijection.

Suppose that $F$ is the round function for some cryptographic function such as AES-128 or some cryptographic function.

If $F$ is a cryptographic function, then I do not expect for

is $F_{k_{1}}(m)||F_{k_{2}}(F_{k_{1}}(m))$ always a PRF? when F is a PRF

As an intuition it seems to me that the answer is "NO" as the two halves of the output depends on each other

Let's say I want a certain level of security (eg 128 bits) when using ECIES but I also want to minimise communication, does the elliptic curve used matter on the size of the public key? If it does matter, what is the current state of the art elliptic curve and how does it compare with popular elliptic curves such as Curve25519 or secp256k1?

Some cryptocurrencies use fixed values in some positions in the resulting hash, like a fixed amount of initial zeros. What fixed positions and fixed values are Facebook Diem using?

I am curious at how "good" is computational zero knowledge? Consider Pedersen Commitment $z = g^x h^y$. There exists perfect ZK protocol (based on Schnorr's) to prove that one knows the secret $x$ and $y$. But how about the following "relaxed" one:

(1) The prover sends $G = g^x$ and $H = h^y$ (and the verifier needs to verify $G\times H = z$); (2) The prover runs two instance of Schnorr's protocol to pro ...

I have a distributed application with many participants. The participants can be in different groups (channels). Is it possible for all data sent in all channels to be accessible as encrypted data, all participants to be able to verify the integrity of the data but only those who were part of the specific channel can actually decrypt the data?

I'm working on a node crypt module that will signing/verifying. I have managed the verifying module:

'use strict';

const crypto = require('crypto');
const fs = require('fs');
const path = require('path');

const publicKey = fs.readFileSync(path.join(__dirname, 'key.pub'));
const encryptDataPath = path.join(__dirname, 'encryptData.txt');
let encryptData = fs.readFileSync(encryptDataPath).toString() ...

I am a newbie in Cryptography and have trouble to solve the following question.

Let $G: \{0,1 \}^n \rightarrow \{0,1 \}^{l(n)}$ be a PRG and $x \epsilon \{0,1 \}^n$. Determine if the function $Z: \{0,1 \}^n \rightarrow \{0,1 \}^{(l(n)+n)}$ s.t. $Z(x) := G(x)||x$ is also a PRG.

My first assumption was that it is a PRG, because the concatenation of the PRG Output G(x) as pseudorandomstring with a u ...

It seems there are attacks that work more effectively on AES-256 than AES-128, which makes it less secure in some cases. But the bigger key size should add some safety margin on the other hand, for example making it immune to even quantum computers. And I have heard some people say that more rounds make it less secure, and others say that it makes it more secure.

Such as the following relation: $\mathcal{R} = \{(C,g;r): C = g^r \vee C = g^r h^2 \}$

Let $H^f$ be a hash function designed using Merkle-Damgård construction on $f:\{0,1\}^{2n}\to\{0,1\}^n$. Write an algorithm that makes approximately $2.2^{n/2}$ many queries to $f$ and find four messages that all hash to same value under $H^f$.

I get an idea to use length extension and 2 birthday attack to get four collision. But I am not able to write the appropriate solution. Can anyone help m ...

I wanted several videos by Computerphile on Elliptic Curve Diffie-Hellman, digital signatures and TLS.

For the most part I understand everything but something is bothering me. Computerphile made a video explaining using RSA with ECDHE to ensure nobody is messing with the messages in the middle. The video is titled Key Exchange Problems. I don't understand how introducing a cryptographically signe ...

Considering the huge amount of RSA certs which have been generated, wouldn't there probably be a small number of certs where one of the primes which may have actually been a composite? Has this ever been a problem in the wild?

I think RSA with such a p & q will fail signature verification & decryption. So in these cases, I don't think the tools would give a proper error message & this ...