Latest Crypto related questions

In the Kyber specification the parse function (algorithm 1 on page 6) takes as input a non-terminating byte stream. Although unlikely, an unlimited number of bytes from this stream can be used in this function.

In Kyber.CPAPKE.KeyGen (algorithm 4 on page 8) the parse function is called on line 6 using the output of an extensible output function for the byte stream. On page 11 it is stated that SHAKE- ...

In Dan Boneh's PLONK Video - https://www.youtube.com/watch?v=vxyoPM2m7Yg he refers to the Prod Check Gadget

$\omega \in F_p$ is a primitive $k$-th root of unity ($\omega^{k-1} = 1$)

$H = \{1, \omega, \omega^2, ..., \omega^{k-1}\} \subseteq F_p$

Prod Check Gadget is used to prove that $\prod_{a \in H} f(a) = c$

I was trying to construct a polynomial $f(x)$ which there is true.

I used $p=17$ i.e $f  ...

After thinking a lot about 64-bit block ciphers, I ask a question here.

Most proposed block ciphers these days seem to have a block size of at least 128-bits.

Also, I know that when using a 64-bit block cipher with an operating mode (e.g. CBC or CTR), there is a high probability of a collision when about $2^{32}$ blocks of data are encrypted (by the birthday bound).

This is where my troubles begi ...

I'm trying to implement an IV that won't need to be stored on it's own. I'm considering 3 options:

1. Since I'm using PBKDF to generate a key I could use some bytes from the generated hash
2. I could use some bytes from the randomly generated salt and split it somehow
3. I could generate a random separate IV, and stick it to the generated password bytes

Are there any safety guidelines of what should and sho ...

Reading another user's question, a doubt came to me.

Suppose an RSA oracle exists, with which it is possible to interact to encrypt and decrypt some text. The oracle output is not the decrypted text of the sent ciphertext, but the last n-bits.

The decryption takes place according to the law $ (C^e\bmod N)\bmod 2^n$, having indicated the number of bits with $n$.
If we wanted to recover the plain-text ( ...

Since NFS runs in essentially $n^{1/3}$ time, and RSA-240 is a composite of two 120-digit primes, shouldn't this have taken at least $10^{40}$ operations, not including any overhead? Even if you could do say $10^{20}$ ops / s as modern supercomputers can almost do, this still should have taken essentially $\infty$ years. So what is this massive speedup I'm missing?

Recently I started implementing basic skeleton of crystal kyber. Right now I got stuck at NTT, where I am not able to understand how values has to be fed (twiddle factor, actual data which has to be converted into NTT form).I am referring ntthelper.py from python implementation and parametric ntt from HDL implementation .Here I was not able to figure out how that zetas(twiddle factor values) and k valu ...

If i store sensitive stuff (e.g passwords, salted passwords, Internet protacel adresss(so i know its not tamperd with), private keys(the keys are using a portion of the key on multiple disks in diffrent places for security and i want to make sure there in th write order y storing the hash insecurely(eg on ipfs)) *) *salted(I.E. non salted, salted) is it possible to reassemble at least 10% of the data ( ...

We say two states $\sigma, \rho$ are computationally indistinguishable, if for efficient quantum algorithm $\mathbf{A}$, $|P(\mathbf{A}(\rho)=1)-P(\mathbf{A}(\sigma)=1)|$ is negligible. I want to show if the trace distance between above states are negligible then they are computationally indistinguishable.

In the classical case, it is known that the statistical indistinguishability implies computat ...

In many books on Cryptography, we refer to probability distributions over the key space $\mathcal{K}$, over the plaintext space $\mathcal{M}$ and over the ciphertext space $\mathcal{C}$.

Then, we let $K$ be the random variable denoting the value of the key output by $\mathsf{Gen}$, so for any $k\in \mathcal K$, then $\mathrm{Pr}(K=k)$ is the probability of the event that after, running $\mathsf{Gen}$

I am trying to implement scalar multiplication for elliptic curves using projective coordinates and the short Weierstrass equation. Specifically, I am using the Montgomery ladder algorithm with addition and doubling functions that take and return projective points.

However, I am encountering issues as the result I get from the algorithm is incorrect. I have tested my addition and doubling functio ...

Suppose we have intercepted a public key exchange (via Diffie-Hellman protocol). In addition to the keys A and B, the generator g and the module p are known.

Assuming that it is possible to exchange keys with client B, once it has finished the conversation with A, how can I obtain the private exponent of B?

I had thought about the "Small subgroup confinement attack", but I'm not sure it's the best way. ...

Suppose we have an RSA-Oracle that can encrypt and decrypt our input. The the decryption output is equal to: $ (C^d \mod N) \mod 2^n $.
How can I extend the LSB oracle attack, using the using knowledge about the last n-bits of the plaintext?

I have a cypher text with I know encrypted two times with Autokey Cipher with same lengths of keys. I am following the statistical cryptanalysis in here when it is ciphered with one time with Autokey and it works but I could not come up with any cryptanalysis solution when I cipher the text with Autokey cipher but two times. Anyone have any recommendation to that?

I have done some research on HKDF but I am still not sure about the security properties in different scenarios.

Which properties are fullfilled, when IKM and the salt are random and secret, but not uniformly random? Are the output keys uniformly random?

Which guarantees does HKDF give, if (a.) IKM or (b.) salt got leaked?

Is it also uniformly random, if no salt is provided at all?

Furthermore, is the ...

Having recently learned of coding based cryptography, it seems that they key size for post-quantum security might be a lot larger than what is required by Regev PKE (in the former keys include several large matrices), which is also post-quantum secure. Is this a correct observation? Ether way - what are the pros and cons of these two methods?

Rotational Cryptanalysis of ARX show that rotational probability of an ARX primitive can be computed by $p^q$ where $p$ is rotational probability of modular addition and $q$ is number of modular additions in ARX primitive. Similarly, Rotational Cryptanalysis of ARX Revisited extends it to chained additions.

How to calculate rotational probability/ extend above cited probabilities to ARX primitives  ...

As asked, I suppose this must have been answered before, even if not in the form asked here. The most notable AEAD schemes GCM-AES and ChaCha20-Poly1305 do this. Also, even outside AEAD, ad-hoc constructs such as CBC+HMAC also require separate keys. So:

Q1: Why use separate keys in authenticated encryption? As in

1. what security hole does it avoid,
2. what heuristic benefit (non-security or not-strictly-secu ...

Some statements are expensive to prove. If I need to make a proof for such kind of statement repeatedly (generate new proof $\pi$ for each new verifier), I think it might be a waste of time (as well as computation resources).

• If there is a proof $\pi$ that I generated in a non-interactive way, can I reuse it?
• What problem would cause if I try to show it to several verifiers?

If this proof $\pi$ ...

I've recently heard about coding based cryptography and it seems very close to the LWE assumption in that it is based on the idea that the error is hard to identify. They are both post-quantum schemes too.

Is there a direct link between the two? (e.g., coding based can be seen as an instance of LWE under certain assumptions) or is there absolutely no relation?

In GlobalPlatform specification for smartcards, I came accross this rather strange scheme* ISO/IEC ISO/IEC 9797-1 MAC Algorithm 3:

To calculate the Message Authentication Code, we take some original data (a host cryptogram and a padding), then we apply multiple chained DES calculations, as shown in the image attached.

We use a 2-bytes S-MAC key (noted S-MAC = K1K2, where K1 and K2 are 1 byte long). I ju ...

If we look at the WebAuthn specification, then, during the "registration" ceremony, the authenticator generates a new key-pair and a unique user-id. Then the public-key and the unique user-id are sent to the relying party (server), together with some attestation statement. The relying party will store the public-key and the user-id in their database and associate them with the user's account.

Late ...

Let's suppose I hash a 384-bits message with a cryptographic hash function and generate a hash digest of 128-bits. I know that due to the pigeonhole principle, many inputs of same size will result in the same 128-bits hash digest.

How is the estimated number of 384-bits messages that will produce the same 128-bits digest in a cryptographic hash function? Is there a simple formula to estimate how man ...

I've spent some time learning about DIDs but have some questions about key rotation:

The way I understand it is that a DID and DID doc are generated from a public key derived from a private key. Subsequently, if the owner wants to rotate the keys (the private key really), they can make a new DID doc which will include the new public key, and the doc will be signed with the old private key.

1. At this point ...

I am looking at some secret encryption method that apparently uses CBC and a block size of 256 bytes. I can do a chosen-ciphertext-attack. When I modify a single byte in the ciphertext a complete block of 256 bytes in the plaintext is corrupted, plus a single byte at the same offset in the following block. That leads me to the conclusion, that this is using a 256 byte block size which is huge.

Ad ...

I am working through a textbook on crypto, currently on DES section. What bothers me is that there was no explanation about where do we get initial 64-bit key from. This question is also very hard to google, because you get straight away redirected to all sorts of articles about key schedule, where the existance of the initial 64-bit key seems to be always preassumed, as in the book. I'd really appricia ...

GPUs or dedicated hardware can calculate most things much much faster than regular computers ever could. There are password hashing algorithms such as scrypt and argon2 that make the difference smaller, but a powerful dedicated argon2 machine/cluster is still much more efficient than an old budget smartphone is.

My thought was that requests over the internet is something that is not much faster f ...

Just started learning about RSA cryptography so forgive me if I made any mistakes or misunderstandings.

n = 1024-bit integer (product of two large primes p*q)
e = 65537 (standard exponent)

However I also have some ciphertext all encrypted with the same keys.

c₁ = m₁^e MOD n
c₂ = m₂^e MOD n
...
c_k = m_k^e MOD n

Among these there is a particular ciphertext.

c = m^e MOD n
m == c
m == m^ek MOD n
So e^k - 1

In a message exchange with RSA, an unusual public exponent $e = 65536$ is used.
Since $N$ is easily factored, I am able to derive $p$ and $q$. Consequently $ \phi(N) = (p-1)*(q-1)$.
However, since $2^3$ is present among the factors of $ \phi(N), \gcd(e,\phi(N)) = 8$. It is not possible to compute the private exponent d directly.
I tried to reduce the problem to the calculation of $d = (\frac{e}{8})^{ ...

I have a checksum scheme that uses a simple polynomial summation as described here.

Basically I'll take a random value $R$ and a set of inputs $[v_0, v_1, v_2]$ and checksum it like $v_0*R + v_1*R^2 + v_2*R^3$. This was designed to get simple collision resistance with incremental checksumming.

I'm trying to change this algorithm to be resistant to chosen inputs. e.g. an adversary should be allowed to  ...