Latest Crypto related questions

​I have been thinking about this question: if I directly replace the hash function with the message in the BLS signature, does the security of the BLS degenerate from existential unforgeability(EUF) to selective unforgeability(SUF) under the known message attack(KMA)?

The modified BLS signature scheme is defined as below. $\cdot BilinearGen\to pp:=(G_1,G_2,G_T,e,p,g_1,g_2)$ where the paring type i ...

In federated learning using homomorphic encryption, all participants in most schemes share the same pair of keys, which can easily cause key leaks and lead to data privacy leaks.

After research, I found that someone proposed to use a multi-key homomorphic encryption algorithm to solve the above problems. But I wonder why no one has added a key management scheme, such as secret sharing, to the exi ...

I wonder if there is any scheme or algorithm to generate HMACs that verify with multiple keys.

Suppose I have the secret keys K1, K2 and K3 and I have a message M1. Is the following possible?

• Generate an HMAC1 with M1 that can be verified with K1 and K2 but not with K3

• Generate a HMAC2 with M1 that can be verified with K2 and K3 but no longer with K1

• Generate an HMAC3 with M1 that that can be ver ...

What is there to say about using a power basis or a tensor basis or some combination of them for the RSIS problem in lattice cryptography? Restricting to dimension 3 for illustration, usually the basis is $(1,x,y)$ for uniform $x,y\in R$. I'm instead wondering about power basis $(1,x,x^2)$, and tensor basis $(1,x,x^2)\bigotimes(1,y,y^2)$. More generally, I'm wondering about higher powers and higher  ...

How long time does quantum computers take per operation when search the key of Kyber? Grover's algorithm weakens 256-bit AES to 128-bit security, quantum computers at most take 2^128 operations to find AES key, but it must take some time per operation; as mentioned https://www.ambit.inc/pdf/KyberDrive.pdf : Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum securit ...

In adversarial context of MPC, the corruption behavior refers to the assumptions about the corrupted parties’ deviation level from the protocol specification. Three main types of corruption behaviors are: semi-honest, malicious, and covert.

In practice, dealing with semi-honest corruption behavior is considered more feasible while malicious and covert corruption behavior are more challenging be ...

Hi everyone I am trying to implement the Basic skeleton of the PQC Kyber Algorithm. Until now I have obtained t=As+e and s after performing point-wise multiplication (Frequency to Time domain). Now I got stuck at encode12 algorithm which is required to obtain pk(12xnxk/8+32 bytes) and secret key(12xnxk/8 bytes). Can you please help me out with this?

So basically we have designed Kyber768 variant  ...

I have a question about the decryption in Kyber [1]. I will first give important statements of the paper and then ask my actual question with an example.

In the paper it is stated:

... decrypt to a 1 if $v-s^Tu$ is closer to $\lceil \frac{q}{2} \rfloor$ then to 0, and decrypt to a 0 otherwise.

On the other hand, when decrypting, it is stated in Algorithm 3:

retrun $Compress_q(v-s^Tu,1)$

And note th ...

Suppose $N$ many messages has been sent from $A$ to $B$ in this format:

• $\operatorname{HMAC}(K, C(i)) \mathbin\| C(i)$.

Where

• $C(i)$ is some cipher-text encrypted with some secure algorithm using some key
• $K(i) \ne K$ for any $i$ in range $[0, N-1]$.

There is no implication whether $K(i) = K(j)$ for any $i \ne j$.

Thus, it is just "some" encryption algorithm but encryption key used to encrypt  ...

As stated in RFC8032 and FIPS 186-5, Ed25519 signatures uses the following encoding method:

A curve point (x,y), with coordinates in the range 0 <= x,y < p, is coded as follows. First, encode the y-coordinate as a little-endian string of 32 octets. The most significant bit of the final octet is always zero. To form the encoding of the point, copy the least significant bit of the x-coordi ...

Let me start by saying that I have a mathematical background, and have very little experience with cryptography. I only know the very basics.

With that said, I recently read about Homomorphic Encryption (HE), and thought that it was a very interesting concept. What one really cares about, though, is Fully Homomorphic Encryption (FHE), which allows you to (essentially) perform an unlimited amount of ...

Consider following simple RBG where SHA-256 of random noise (more than 200Bytes of 4 bits entropy per byte) is computed to produce 256 output bits

$\text{output} = \operatorname{SHA-256}(\text{randomNoise})$

Is security strength of collision resistance or pre-image resistance applicable to it i.e it provides 128 or 256 bit security?

According to NIST SP 800-90A section 10.1

The maximum security s ...

Hypothetically,

1. IF we were to create a SSL/TLS or QUIC ciphersuite from a single (unkeyed) permutation operating in sponge mode to provide hashing and duplex mode to provide AEAD cipher,

2. AND IF the permutation is wide enough, and the capacity in both modes are large enough,

3. THEN, to what extent can capacity make-up for mathematical weakness in the permutation? AND by how much?

The inspiration w ...

I'm relatively new to the field of security.

I'm working on an IoT system with WiFi-connected nodes (Bio-sensing devices) communicating with a server for centralized monitoring.

I need to authenticate each device when connecting to the server. So, each device has a unique certificate with a signature (ECDSA).

However, I'm unsure how the server selects which certificate to present for each device.

Is SHA-3 normally used with a LUT or hash table?

Let us consider a hypothetical situation.

What would be the implications if there is a method by which one can calculate the public keys for incremental private keys, with the help of only the public key?

For instance, one is given a public key only. (that public key has the private key as 1001) and he is asked to calculate the public key of the next private key or the 10th one or any incremental pr ...

If we do not encrypt a message, we can use a checksum to check data integrity. For authenticated encryption, we no longer need the checksum because we use the authentication tag to verify data integrity.

The above is about error-checking. Now, for error correcting (like Hamming code), is there an encryption scheme that

1. Can check for integrity,
2. Can correct one or two bit flips of the ciphered text, and

on the wiki page of Rustdesk, it states "the connection is unecrypted, please do not send us issue about this." for local direct IP.

BUT, Rustdesk is intended "Virtual / remote desktop infrastructure for everyone! ", (so not localdesktop)

While Rustdesk claims Rustdesk is encrypted between client and server, which seems to be a more complicated task has completed, BUT they can not do local p2p conne ...

Certain number-theoretic cryptographic hash functions, such as $x^2\bmod N$, are known to be broken by a quantum computer. For example, one could use Shor's algorithm to factor $N$ into its product of two primes $(p_1,p_2)$, and use these primes to find collisions at-will. It's also been a long-open problem to find a hash that satisfies a version of Simon's promise; if such a hash could be found, th ...

I'm trying to find a way to have multi party hash computation, more specifically for SHA256. I want for two people to be able to compute a hash so that none of them knows the pre-image but when they get together they can reconstruct the pre-image.

Is there any known way to do it in general or any hack that can be used in the SHA25 specific case?

I came across the following enterprise encryption scheme. I laughed when I first saw it, but I'm not a specialist and I'd like to know how bad it really is.

• 3DES-CBC
• k1=k2=k3 for 3DES
• IV for CBC is repeated every 256 messages. Every communication party has a different set of 256 IVs but they are all predictable and similar in many places. IV has a fixed part unique for each communication party and an 8 ...

I noticed that it seems the original Plonk paper introduced that there were two extensions with state width = 3 or 4 (as described in https://github.com/matter-labs/proof_system_info_v1.0/blob/master/README.md). I recently reviewed some code and they set the state width = 5 and set the verification key as follows.

uint256 constant STATE_WIDTH = 5;

    struct VerificationKey {
        uint128 dom ...

I am going over the paper https://verifiable-timed-signatures.github.io/web/assets/paper.pdf and on page 5, it says the following:

Suppose I have a t-out-of-n threshold sharing scheme for the secret $\sigma=H(m)^\alpha$. The first $t-1$ shares are defined as $\sigma_i = H(m)^{\alpha_i}$, where $\alpha_i$ are sampled randomly in the field.

Then, for $i \in \{ t, t+1, \dots, n \}$, we defined the s ...

I designed 8 bit lfsr in vhdl. According to mathematical theory, I xor processed the outputs of registers 1, 4, 5, 6 and 8 and connected them to the input of register 1. theory says that if I give the inputs the polynomial "10111000", I get the repetition of (2^8)-1.

I tried some more. And I tried the circuit without connecting the output of the 1st register to the xor gate. interestingly I got t ...

In Openssl, is there a way to systematically generate a private key such that every time you perform this key derivation, you produce the same private key?

It seems like every openssl command that generates private keys does so randomly. So, if you lose your private key file for whatever reason, there's no practical method of recovering it. I know you can control some parameters of RSA key generatio ...

I have a cipher algorithm that doesn't seem to be one of the "well known" ones I could find. I expect someone has already come up with this and I just don't know the name. Hoping one of you can point me in the right direction.

I don't think this falls foul of Should we allow questions about amateur ciphers? - but happy to be corrected.

Concept

Difficulty in recovering the original document from a com ...

Hi I am currently developing a research project, but it seems that my implementation of Pedersen commitment is not efficient.
I wonder if there are any efficient implementation of Pedersen commitment in c++?
Or if using things like ECC would boost the efficiency(seems number of bits could be smaller), or does anyone try the NTL(number theory library)?
TIA

EDIT: What I am using now is based on the mpz_p ...

I need to encrypt some user's data. However to make it more apparent to the user what data is stored in each key, I was thinking to also store the length of the actual data along the cipher.

E.g.

user_1_secrets = [
  {
    "key": "mysecret"
    "encrypted_data": b"abf4c2",
    "length": "10",
  },
  {
    "key": "myothersecret"
    "encrypted_data": b"g3d532",
    "length": "24",
  },
]

Is this safe from ...

We use DES in cipher feedback mode (CFB) to encrypt a plaintext $m = m_1\mathbin\|m_2\mathbin\|\ldots\mathbin\|m_{100}$ into a ciphertext $c_1\mathbin\|c_2\mathbin\|\ldots\mathbin\|c_{100}$, where each $m_i$ is 8-bit long. The ciphertext is sent to Bob. If $c_{15}$ and $c_{25}$ are missing and $c_8$ and $c_{88}$ are received as $c_8'$ and $c_{88}'$ wrongly, what $m_i$s can B compute correctly from the r ...

I am having a prime field of large size (assume it of the type GF(2**18)) and I need to find linear complexity of a sequence (of some specified length) defined on this field. I am using the inbuilt berlekamp_massey function to get the linear complexity (the degree of minimal polynomial) of the sequence. Current Work:

from sage.matrix.berlekamp_massey import berlekamp_massey
F = GF(2**18)
.
.

#Function ...