Latest Crypto related questions

Imagine a situation where there are many high-value public keys around, using the same Elliptic Curve group, say $k$ in the millions public keys¹. Can an adversary reasonably find one of the matching private key at much lower cost that finding the private key for a particular one?

What's the best feasible² method? What's it's cost relative to the best known feasible method for one key (that is, I b ...

Consider two sets:

The "big set" contains all integers between $0$ and $2^{160}$ exactly once.

The "small set" contains all integers between $0$ and $2^{32}$ exactly once.

Given that the number of members in the "big set" is greater than those in the "small set", there can't be an injective function $f(n_b) = n_s$ mapping any input being a member of the "big set" $n_b$ to an output that's a membe ...

This set membership proof is used in P2P networks, when one party possesses a private value, and the other party possesses a set. They would have to broadcast some data associated with the value and set through the network, and any third party is able to confirm that the value belongs to the set. No parties should be able to obtain the set or value from the broadcasted data.

Using hash functions  ...

I know that the standard DH and ECDH key exchange algorithms require the client and server to agree on a large prime number and a generator (in the DH algorithm) or a curve and a point (in the ECDH algorithm), but if I inspect the SSH packets there is no sign of these shared seeds. How do they get them then?

I checked the packets and the only messages, after the "Key Exchange Init" and before the

Secure permutation can be used in Sponge and Duplex constructions to build hash functions and encryption. To potentially use them in public-key cryptography, some arithmetic properties is desired.

Can modular exponentiation with a public index be considered a secure permutation? What public attacks are available? Are there constructions proven to be insecure?

I'm learning about Ed25519. It depends on a bunch of magic values: The finite field of order $2^{255}-19$, the specific elliptic curve over that field, a specific point on that curve. This is in contrast to Diffie-Hellman or RSA.

Why is that? And conversely, why doesn't DH fix the prime number & the generator, or RSA fix, say, the $n = pq$ value?

I suspect that in case of DH & RSA it's very easy  ...

I've been researching a bit and found that the mixColumns step could be expressed as matrix multiplication like this:

But I'm not sure what's the mathematical proof for it and I can't find an example for the ShiftRows step.

Any hints? (thanks in advance)

I'm working on a project that needs an OTP based on counter value and needs some advice.

Suppose we encrypt the counter value C in this way and let's say our sending packet is P = AES(key,C). If counter value C is leaked, will this cause a security problem? I tried to find some papers regarding this but failed.

Thank you!

I'm working on a challenge at school on Internet, to learn programming and all security issue: "An api request is protected by checksum" and we have to bypass this. The checksum format is really weird; I've never something like it before. I think it convert all the string in an array of bytes, after that I don't know.

I search the algorithm to calculate the checksum.

Input : "a" --> "86896971335564 ...

We are looking to perform all the calculations for a Schnorr signature, more precisely EC-FSDSA, (BIP340-Schnorr), inside a secure element, to the exception of the Hash operation that is not supported and must be performed outside of the secure element.

Assuming the signature is the following: d=private key R = k.G = Q (unique random key, TRNG sourced inside secure element, can only be used once) ...

In the paper [LPR12], I've learned that ideal lattices are ideals in algebraic number fields. However, I can't understand why we define the dual lattice of an ideal lattice with $\operatorname{Tr}$: $$ {L}^{\vee}=\{x \in K: \operatorname{Tr}(x {L}) \subseteq \mathbb{Z}\} $$

In detail, I mean, for any algebraic number field $K$, there's an embedding that embed it into space $H$. For $K=\mathbb Q[\zeta]$ ...

HElib contains the CKKS and BGV, SEAL contains the BFV and CKKS, is there some concrete performance data about these two lib?

There is a concept of attackers gaining some information before attacking a system and those attackers being called non-uniform attackers. How do the security proofs for cryptographic primitives in the case of uniform attackers and non-uniform attackers differ?

This question is in reference to this paper.

I am using CryptoJS AES 256 encryption:

CryptoJS.AES.encrypt(realData, generateKey(passphrase), {iv: iv});

The secret is generated through:

function generateKey(passphrase) {
  const salt = CryptoJS.lib.WordArray.random(128 / 8);
  const key256Bits = CryptoJS.PBKDF2(passphrase, salt, {
    keySize: 256 / 32,
    iterations: randomNumber,
  });

  return key256Bits;
}

Im new to this and wondering  ...

Private Information Retrieval (PIR) protocols have been studied for years. The following question only regards to the single server scenario.

Assume there are $N$ items in total on the server side, according to the security definition, it seems that all $N$ items should be "touched" (either in terms of communication or computation) for security reasons. But since $N$ is usually large, someone may a ...