Latest Crypto related questions

Kerberos (and I assume other Trusted Third Party protocols) use (hash) an existing shared secret key to create a session key used for authentication. I read that this authentication secret key can then be used to create another secret key to be used as the session key for message encryption.

"If a message integrity or confidentiality key is required, a Kerberos sub-key or a Kerberos session key  ...

I want to generate some tokens for client as http cookie

can I md5 them with salt and then use "<random token>"+"<md5>" as the token for they can be verified in a cheap way

is it safe?

I referred to the explanation of encryption mode from Wikipedia, but I'm confused now, and I went to find some books about Cryptography, but it didn't solve my confusion.

The CTR mode uses Counter to participate in encryption.

But in Wikipedia, the encryption process is as follows:

It can be seen that both Nonce and Counter are encrypted by the block cipher encryption, so how are Nonce and Counter c ...

What are some approaches to find (ideally many/all) pairs of numbers $(x, y)$ with $ x \in [x_{\text{low}}, x_{\text{high}}]$ and $ y \in [y_{\text{low}}, y_{\text{high}}]$ such that the following holds:

$$a \cdot x \equiv y \pmod{m}$$

• Exhaustive search is not feasible since the intervals are each greater than $10^{30}$.
• $m$ is not necessarily prime.

Edit: added a numerical example:

m=10000000000 ...

I'm working on a project that involves broadcast (uni-directional) streaming and requires non-repudiation. Essentially, a device broadcasts a data stream over the air, and any receiving station needs to be confident that the data was actually transmitted by the claimed device.

My initial thought is that the broadcaster has an X.509 certificate and, every N bytes in the stream, transmits a header w ...

In LWE, the error term $e$ is "classically" obtained from the discrete normal distribution. Why is it so often found that this distribution is used? Are there other possibilities for distributions?

The secret $s$ is often uniformly distributed, this makes sense, if one wants to "hide" just the secret in the (uniformly distributed) matrix $A$. But would LWE remain safe if $s$ did not result from a unifo ...

I have a file with an EC Public Private Key Pair and curve parameters:

openssl ec -in keyfile.pem -noout -text
read EC key
Private-Key: (256 bit)
priv:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
pub:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:c ...

Suppose I have a 2048 bit prime number p. Now for the group $Z_p$, could someone please tell me an efficient algorithm to check whether a randomly chosen number is a generator for the group or not

My Main Question:

Do we always require to be sure that the inputs of the parties in a secure multi-party computation are independent? i.e., one party's inputs do not have dependency on the other parties inputs? (this paper claims that the inputs must be independent)

Explanation and subquestions:

If this is the case, isn't it in contrast with the power of malicious adversaries who can select their ...

From what I have understood of naive RSA (without padding) so far, it seems that A and B must first decide on the prime factors in order for B to generate its private key to decrypt A's message. I do understand that the RSA system helps in the establishment of a secure "channel", rather than having to rely on creating a new secure channel everytime between A and B, but isn't this a circular argument?

I'm trying to design a zero-knowledge protocol for the creation of a shuffled deck of cards for use by two players. Naturally this requires that neither player knows the order of the cards after the shuffle, nor what card was drawn by the other during play, but I'd also like to be able to do this without needing a trusted third party as well.

My best efforts so far only require a trusted third pa ...

Say we have an element $g=H(m)$ in a group (this element may or may not be a generator of the group).

Are there signature schemes that enable to sign this element, and then to be able to derive a signature of $g^a$ for a chosen $a$ without the presence of the signer?

Thank you for your help.

any paper mentioning the performance decreases with N? why when N is increasing, the performance decreases? any papers?

BR

Hey there guys and gals,

so I am right now studying topics regarding pseudorandomness.

1. I was wondering why, for example with CBC-MAC oder a regular CBC blockcipher, we use padding instead of a PRG. If the block size is not a whole multiple of the clear text m, we could just use a PRG with the seed as the last block of m ? Or would that be "deterministic" since the seed is not selected truly random ? ...

Point on curve y^2=x^3+2 (to be found/result): Q2 = E2(68702062392910446859944685018576437177285905222869560568664822150761686878291, 78930926874118321017229422673239275133078679240453338682049329315217408793256)

Known parameters are:

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

E2 = EllipticCurve(GF(p), [0,2])

Point on curve y^2=x^3+7 (to be transformed): (538610160 ...

Assume I have a PRF $F$, with polynomial key length $s_{F}(n)\geq n$, and output length $l(n)$.

I need to construct a PRF $F'$, with key length $s_{F'}(n)=n$ and output length $l(n)$.

I thought about the following construction: $$F'(k,x)=F_{F(k',0)F(k',1)...F(k',m)}(x)$$ where $|k'| \leq |k|$ is an output of $s$ for some $n$, such that it will be possible key for $F'$, even if means discarding of some  ...

We all know that block Korkine-Zolotarev (BKZ) algorithm is essentially a deterministic lattice reduction algorithm. However, in the actual implementation, the BKZ algorithm contains some randomization, For example, the actual algorithm will do some random unimodular transformations on the lattice basis in order to obtain a better reduced basis. I wonder if this subtle change will make a big diff ...

I am trying to run the github code in windows 11. I don't know what all I need to install in my laptop to run the C++ code. It would be a great help if someone can point out the steps to run the code.

I wrote a command line application for encrypting/decrypting files to your local machine. The idea is you have an asymmetric key pair where the private key is stored encrypted and the public key is stored in plain text. This way you can encrypt data without having to "unlock" the application (decrypt your private key), but you must run the unlock command and provide your password to decrypt anything.

I am trying to implement the Schnorr’s identification protocol in C. I need a safe prime in order to be able to find a generator of the cyclic group efficiently. The problem is that my program takes too much time to find the safe prime. I am using Libsodium for generating random numbers and GMP for arbitrary precision arithmetic:

#include <stdint.h>
#include <stdio.h>
#include <std ...

Is there any (k,n)-threshold encryption scheme, such that the decryption process is non-interactive, i.e., the decryption can be processed "in a line" where each party "in the middle of the line" receives a partially decrypted ciphertext, perform partially decryption itself, and then pass it on to some other party?

It can be assumed that the key generation is interactive.

If we talk about the security of public key encryption in Regev's lwe system, if attacker would have knowledge of $(u,u'):[\mathbf u=A\mathbf r, \mathbf u'=\mathbf b^t\mathbf r + \mu q/2, \mathbf r\in\{0,1\}^m]$ and $\mathbf b$, then value of $\mathbf r$ in $\mathbf u'$ can be guessed easily by the knowledge of $\mathbf u$ and $\mathbf A$ and so the value of message($\mu$) from $\mathbf u'$, so how is thi ...

There is this cool paper https://eprint.iacr.org/2017/395.pdf exposing a side channel protected implementation of keccak, in particular Domain Oriented Masking for the Chi function. The Chi function is a 5bit S-Box, so can also be seen as a lookup table of 32 5bit values. My question is, in an hardware implementation with no cache allowing a cache attack (I guess), why bother implementing the masked  ...

If both communicating sides end up with the same secret 3000-bit key, is it enough to XOR each byte of the messages with each byte of the secret key to make it secure?

Wikipedia says it is, but I wanted to ask if this is still the case nowadays.

That would mean each message can be up to 375 bytes in size, so that each of its bytes can be XOR'd with each of the secret key's bytes, then each byte of t ...

In a course I'm taking the following question came up:

A 51% attack means:

  A. 51% of the nodes are bots 

  B. 51% of the nodes are hackers
 
  C. 51% of the nodes are offline or disabled 

  D. 51% of the nodes agree on something

I had answered D, but the correct answer was given as B.

As far as I am aware, I believe that it was required (in a proof of stake system) to acquire 51% of the staked c ...

The Python secrets module claims to produce cryptographically secure random numbers. I did some research on which random number generator is used when you call the secrets module on Windows. I found the following:

->secrets uses random

->random uses os.urandom

->os.urandom uses _PyOS_URandom() from Python/bootstrap_hash.c

->_PyOS_URandom() uses the Windows CryptGenRandom algorithm.

How ...

It seems like every CCA-secure KEM¹ has some sort of check that the decapsulator performs. Sometimes failure will result in rejection ("explicit rejection") or the decapsulator will simply return a random value ("implicit rejection", like in Fujisaki-Okamoto without aborts). But in any case, the decapsulator knows when a decapsulation fails.

Is this necessary? Is there a CCA-secure KEM where decrypting  ...

My understanding is that an elliptic curve $E$ over a finite field $\mathbf{F}_q$ has a bit security of $\sqrt{q}$ assuming Pollard rho or Baby-step giant-step. In this thread, it is explained that the field $\mathbf{F}_{2^{256}}$ has a bit security of $128$, but the field $\mathbf{F}_{2^{256^{2}}}$ supposedly only has a bit security of $\approx60$. I struggle to understand why this is.

Thank you ...

Do $\exists $ keys $k_1, k_2$ which given any (128-bit) message $m$ are related to each other by being

• commutative to each other with $AES(AES(m,k_1),k_2)=AES(AES(m,k_2),k_1)$ $\forall m$ and generally $AES(m,k_1) \not= AES(m,k_2)$
• or $k_2$ is equal to applying $n$-times $k_1$ with $AES^n(m,k_1)=AES(m,k_2)$ with $AES^n(m,k_1) = AES(AES^{n-1}(m,k_1),k_1)$, and $k_1 \not= k_2, n > 1$,
  target si ...

Passkey is nice. The math is nice. The tech is nice. https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html

What I still dont see after sooo many hours: what software creates the passkey. User autonomy is important and it is a (private) key question (pun intended). I do not really see this answered anywhere.

Of course it is created on the device. But is it the pass manag ...