Latest Crypto related questions

In many proposed lattice PKE schemes, the plaintext is encoded or modulated in a simple fashion, e.g. using Kyber-ish notation:

• key gen: $pk=(A, t=As+e)$, $\quad sk=s\quad$ ($A$ random, $s$, $e$ small random)
• encrypt: $u=A^tr+e_1$, $\quad v=\langle r,t\rangle +e_2+\tilde{m}\quad$ ($m$ message, $r$, $e_1$, $e_2$ small random)
• decrypt: $v-\langle s,u\rangle=(\langle r,e\rangle+e_2-\langle s,e_1\rang ...

I'm learning about AES. According to the book The Design of Rijndael refers to the design criteria S-box $S_{RD}$ as follows:

Design criteria for $S_{RD}$. We have applied the following design criteria for $S_{RD}$, appearing in order of importance:

1. Non-linearity.

   a) Correlation. The maximum input-output correlation amplitude must be as small as possible.

   b) Difference propagation probability. The ...

Let $(X, Y, Z)$ be a set of binary strings of length $n$. Let random $X$ be the private key for encoding (or decoding) message random $Y$ as $Z$. Let the encryption algorithm $m$ be a matching function, i.e., for $m(X, Y) = Z$, if $x_i = y_i$, $z_i = 1$, otherwise $z_i = 0$. Now, $m$ is clearly not a one-way function: given output $Z$, it is trivial to define some string pair such that $m(X, Y) = Z$

I saw a statement that the probability of finding a key $k'$ to simulate 3 keys $k_1$, $k_2$, $k_3$ is neglectable: $\mathrm{Enc}(k_3,\mathrm{Enc}(k_2,\mathrm{Enc}(k_1,x))) = \mathrm{Enc}(k′,x)$

When not considering MITM attack, the probability of brute forcing triple DES is $1/2^{168}$. According to the statement, does that mean the probability of finding $k'$ is also $1/2^{168}$ so it is negli ...

After tinkering with cryptographic hash functions, I started wondering if they do have counterpart functions that would imitate their cryptographic properties but with a lower level of strength in terms of their time/space complexity.

For instance, if I were to test certain collision algorithms in a simplified version of SHA1, which let's call SHA1-light, and it took X minutes to generate a colli ...

In Authenticated Encryption, we use an authentication tag to make sure the message is not tampered. The authentication tag can prevent any random bytes sent by the attacker being decrypted by the receiver.

The question is: what sorts of attack (other than sending lots of meaningless random bytes) is the authentication going to prevent? If all the attacker does is to send random bytes, is it possible ...

Say that I have a random oracle function $H$. This function outputs a value in $\mathbb{F}_{p}$ where $p \approx 2^{256}$. $H$ can accept either one or two inputs (outputting a single value in both cases).

I can hash two elements $x$ and $y$ using either

case 1: $H(x, y)$

case 2: $H(x) + H(y)$ (using modular addition)

How does the security of these approaches differ?

In case 1 there must be collision ...

My guess is:

1. Known attack algorithms only work on 2 primes factorization, they don't work on 3+ RSA primes.
2. More than 3 primes is cpu waste time, better is to increase key length. So 3 primes will be the optimal number.

Example of my program (open source) generating a 30k bits RSA key.:

• Enter rsa NUMBER of primes: 3
• Enter rsa (3 primes) key length in bits (0 = defaut = 4096): 30000
• RSA (N primes) ...

I am trying to implement a basic Diffie-Hellman key exchange using ECC and HECC of genus 2 and 3 and compare them. However, I am a bit confused about the concept of key size in HECC.

In ECC, from my understanding so far and considering I am new to the field, the private key size is basically the bit size of the prime that is used to define the prime finite field, where the elliptic curve is defin ...

In other words, what does ZKP brings on top of the practice of not reusing addresses?

From my research, ZCash is currently a state of the art example of ZKP application, but what extra benefits does it bring to the scenario where let's say a bitcoin holder created new addresses for each tx it was receiving and not reusing when spending it? Also assuming everyone in the network does the same.

How thi ...

Can someone please point me to or give me stepwise example of VSH hash function. I couldn't find an example or a reference implementation. I tried to go through original publication but it seems way too cryptic to me.

I remember reading a previous stack exchange post (unfortunately was unable to find the link, if someone knows the link that would be great!) about a method to make password checking time for the server be on average less than that for an attacker. Essentially, when the password is first created a random number between, for example, 1 and 100 is added to the salt and plain-text password. This result is  ...

Unfortunately, I don't have any references, but I remember people mentioning that some large integer libraries can be unsafe to use for writing cryptographic algorithms such as the RSA.

That made me curious if anyone knows of any examples of vulnerabilities that would be introduced by an unsuitable implementation of a large integer library.

To me, it is somewhat difficult to imagine how that would w ...

I want to get feedback on the security of a modified merkle tree data structure. Using the image above as a reference assume I have a random oracle function $H$. Assume $H$ outputs a value in $\mathbb{F}_p$, and all math is happening in this field too.

The standard approach to calculate $D$ is

$B = H(A, C)$

$F = H(E, G)$

$D = H(B, F)$

The approach I'm considering alternates between hash function and p ...

In the paper of BGV, I find an interesting sentence as below:

One may view our new scheme as a very powerful SWHE scheme in which this dependence on degree has been replaced with a similar dependence on depth. (Recall the degree of a circuit may be exponential in its depth.)"

The author says that BGV scheme relys on the depth of circuit and previous scheme relys on the degree of circuit, and says t ...

This is a hypothetical question. Is it possible to use a stream cipher instead of a block cipher for an OCB type single pass AEAD?

The xor of the plaintext blocks for the authentication tag can't work because a change in the ciphertext doesn't change the plaintext enough so maybe the answer is no.

Binary extension and prime field-based elliptic curves are used in Elliptic curve cryptography (ECC). From the performance point of view, ECC using Binary field are faster and easy to compute on hardware platforms than the prime field. However, ECC using prime field is in use extensively and many standards and many new elliptic curves are in place. Why is that? Does ECC over the prime field more secure  ...

I am dealing with the bounding of compression and decompression functions in CRYSTALS-Kyber, see the lemma in this post or the original reference KYBER, section 2.2 topic "Compression and Decompression".

I have not yet found a formal proof of the assertion and have tried to construct my own proof at this point.

As for the proof itself, I must note that I would like a correction. There are one or two ...

I am going through Dan Boneh's video on PLONK - https://www.youtube.com/watch?v=LbpPCN-f_XA&t=952s

At around 19 minutes, he gets to the Prod Check Gadget.

Background:

$\omega \in F_p$ is the primitive $k$th root of unity (i.e. $\omega^{k} = 1$)

$\Omega = \{1, \omega, \omega^{2}, ..., \omega^{k-1}\}$

Then he sets $t \in {F_p}^{(\le k)}[X]$ to be the degree-$k$ polynomial such that

$t(1) = f(1)$

Currently every LWE-based cryptographic schemes analyze their security using lattice estimators and lattice estimators analyze the security of standard LWE even though the actual scheme is based on Ring-LWE or Module-LWE. As far as I know, there is no specific attack algorithm on Ring(or Module)-LWE exploiting the ring structure(or, structure of ideal lattice rather than standard lattice) exists.

$\vec{u_0} + \vec{u_1} = (M_0 + M_1)\cdot (\vec{v_0} + \vec{v_1})$

$P_i$ gets $(\vec{u_i}, M_i, \vec{v_i})$ where $M_i$ is a matrix , $\vec{u_i},\vec{v_i}$ are vectors, with all entries uniformly distributed over $\mathbb{Z}_{2^k}$

The statement is false. We show this by providing a counter-example.

Define

• M = {a, b},
• K = {k1, k2},
• C = {0, 1}.

Let Enc(k, a) = 0 and Enc(k, b) = 1 for k = k1, k2.

Dec algorithm will return an on input ciphertext 0 and b on input ciphertext 1. Clearly, the scheme is correct.

Pr[C = 1∣M = a] = 1 ≠ 0 = Pr[C = 1∣M = b],
thus showing that the scheme is not perfectly secret.

Why Pr[C = 1∣M = ...

I want to put some personal info like name and email in e.g. some program that I release to the public but I don't want anybody be able to retrieve those personal info and only when I want they can verify that.

The first and simplest way is to hash my personal info and put the hash in the project, like:

sha265('[email protected]')

But that is not very secure because of brute-force and guessing at ...

[Say I want to outsource the computation of $y=f(x)$ without revealing information about $x$, $y$, or $f$. I thought I'd have to combine homomorphic encryption with some obfuscation $\mathcal{O}$, passing along encrypted data $\mathsf{enc}(x)$ and obfuscated program $\mathcal{O}(f)$ to be homomorphically evaluated $\mathsf{eval}(\mathsf{enc}(x),\mathcal{O}(f))$.

However, the following comment from ...

I've been trying to understand the multiple keys thing in RSA. I'm quite sure that multiples private keys are possible:

• In RSA, why are there multiple possible private keys, and even the public key itself that can be used to decrypt the message?
• More than one private key for RSA
• Do equivalent RSA keys exist?
• Will publishing two or more public keys of the same RSA private key cause a security risk? ...

I'm trying to create some test cases for a TLS library for the Key Derivation outlined in RFC 8446 7.1.

I tried to get this information from openssl using the following:

# Generate a ECDH private key

# generate the key to pem format
openssl genpkey -algorithm X25519 -out x25519.pem

# Connect using the private key and log the traffic secrets and display handshake messages
openssl s_client -connect go ...

Suppose we have a function $F = f_{s}(x)$ with a key $s \gets \mathbb{Z}_q$ that on input $x$ outputs modular exponentiation $x^s$, where $\mathbb{G}$ is a cyclic group of order $q$ where DDH is hard. If $x$ is selected uniformly at random from $\mathbb{G}$, then modular exponentiation $F$ behaves like a weak PRF (Naor et. al "Distributed Pseudo-Random Functions and KDCs").

However, what happens whe ...

In the Kyber specification the parse function (algorithm 1 on page 6) takes as input a non-terminating byte stream. Although unlikely, an unlimited number of bytes from this stream can be used in this function.

In Kyber.CPAPKE.KeyGen (algorithm 4 on page 8) the parse function is called on line 6 using the output of an extensible output function for the byte stream. On page 11 it is stated that SHAKE- ...

In Dan Boneh's PLONK Video - https://www.youtube.com/watch?v=vxyoPM2m7Yg he refers to the Prod Check Gadget

$\omega \in F_p$ is a primitive $k$-th root of unity ($\omega^{k-1} = 1$)

$H = \{1, \omega, \omega^2, ..., \omega^{k-1}\} \subseteq F_p$

Prod Check Gadget is used to prove that $\prod_{a \in H} f(a) = c$

I was trying to construct a polynomial $f(x)$ which there is true.

I used $p=17$ i.e $f  ...

After thinking a lot about 64-bit block ciphers, I ask a question here.

Most proposed block ciphers these days seem to have a block size of at least 128-bits.

Also, I know that when using a 64-bit block cipher with an operating mode (e.g. CBC or CTR), there is a high probability of a collision when about $2^{32}$ blocks of data are encrypted (by the birthday bound).

This is where my troubles begi ...