Latest Crypto related questions

I know one of the advantages of hash functions is that they are fast. However, I read somewhere (I don't know where exactly) that the speed is a disadvantage for password hashes when storing them in databases, but why is this so ? Would someone explain to me if being fast is a disadvantage for password hashing and why is this so ? (If possible could you also write some links to websites/papers describi ...

Started reading up on Cryptographic Accumulators recently to incorporate them in a project. Using this survey to understand what features the accumulator needs to offer it seems I am looking for a Dynamic Universal Strong Accumulator that only supports addition. This paper lists reference [23] as having the above characteristics in Table 1, but reading the paper it turns out those accumulators also su ...

I think I found a small error in the security proof Link end of page 37. It states that

$ \sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q +1)q/2+2}{p - (3q +2)^2 /4}$.

But shouldn't it be

$\sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q+1)q/2+2q}{p - (3q +2)^2 /4}$ ?

I think that the proof still works, since we want to show that you need $\mathcal{O}(\sqrt{q})$ queries to succe ...

This (https://en.m.wikipedia.org/wiki/Discrete_logarithm) Wikipedia article confuses me. If you have the equation a = g^n (mod P), and g, P and a are all known, then how does a brute force solving for n algorithm run in exponential time, as this article states. Shouldn't it be linear, or am I reading this article wrong?

I am trying to implement a cramer-shoup cryptosystem but I don't understand how to work with the plaintext I want to encrypt.

From what I understand, the plaintext needs to be converted to an element of the cyclic group G, which was generated with the key. I've checked multiple resources, from the wiki to several papers, and none of them seem to take the time to explain how to convert a plaintext ...

I'm trying to implement a Cramer Shoup cryptography system in C but I've run into problems with generating the keys.

From what I have found on the wiki and in other papers, to generate keys for Cramer Shoup you must generate a cyclic group G of order q with generators g1 and g2, then take 5 values between 0 and (q-1) and with that you can easily generate the keys.

I initially tried doing this manual ...

Let's say parties A and B have a common secret $k$. Is there a protocol where both the parties jointly release a commitment to $k$ so that later on, neither A or B can deny what the common secret was?

Edit: Specifically, I am interested in the scenario where one of the parties can be malicious and we need to prove to a third party C that a commitment $\Phi$ is actually that of the common secret $k$

the following equation is used to prove the Shannon's theorem by showing the existence of two messages $m_0, m_1$ if $|K| < |M|$ but I'm unable to visualize/understand the probabilities. Especially the $Pr$ over $K$ thing doesn't get into my head. Anyone able to explain it?

• $\mathcal{K}$ is the keyspace
• $\text{Pr}$ means probability
• $m_0$ and $m_1$ are messages from the message space $M$
• $c$ i ...

I was reading the comments of an article about a proposed new implementation of /dev/random in Linux today, and someone remarked that it must be bothersome to go through 43 revisions and still not have your patch landed. A few comments down the line and someone seemingly implies that this new implementation would be FIPS 140-2 compliant, and that this is controversial with "a developer of one famous V ...

I am relatively new to cryptography, but I've been programming for a while. Here's a story that sets well the problem I'm trying to solve:

Alice has a digital passport that's signed with her government's private key. Each property is signed separately, and it would still be verifiable that, for example, her first name is "Alice", without saying that her last name is "Smith".

From here, knowing that  ...

I have some code, which can crack a discrete logarithm problem in ~ O(0.5n) time. However, this only works if, in the following, N is less than P:

G^N (mod P). To be clear, my program can figure out the value of N based on G and P as long as N is in between 1 and P (inclusive and exclusive respectively).

This would be helpful for cracking something like Diffie-Hellman, but I have one question: In mo ...

The root hermite factor corresponding to an bit-security level, such as 1.0045 corresponding to 128-bit security. What is the root hermite factor corresponding to 100-bit, 160-bit, 180-bit security?

root hermite factor: 1.0045 ? ? ? bit-security : 128 100 160 180

Just for an example, let's say I downloaded "the adventures of tom sawyer" from gutenberg in .txt file format and saved it to my usb thumb drive.

And as you can see, usb drive is not an ideal device for long term data retention. But if I insist on using it, there's possibility any files in my storage would finally be corrupted after long time without powering it up.

So what I will do now is to save  ...

PRNG is a mechanism to produce randomness from an initial random seed, so basically a way to derive more secrets from one secret.

Looking at the Wikipedia entry for KDF you find

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a main key, a password, or a passphrase.

Which sounds to me like what PRNGS a ...

https://link.springer.com/content/pdf/10.1007/3-540-49649-1_18.pdf

In class I, why (4) implies $g\equiv 1 \mod q$

Also even though I get $p$ and $q$ it still can't get $ord_n(g)$ without trying out different possibilities or is there a way to do all forgery?

Why do we not define modes of operation for public-key encryption just like how they are defined for block ciphers?

When encrypting data, I want to verify that the correct key was entered without hashing it. Is it safe to decrypt the ciphertext and compare the hash of it with the stored one or can the plaintext (which could be very long) be read from the hash?

I got the idea of this proof, that since PRG expands from n to 2n, it cannot project to all {0,1}^{2n}, only to a neglible part which we can abuse to make a good distinguisher just by telling if A succeeds finding a preimage in X. A random string from U2n has very likely no preimage in X. Thus we can distinguish U2n from G(Un). But I think I do not understand the construction f well. What's the pur ...

Suppose that we have the usual problem of secure communication, where each of the $I$ agents have a private signal $s_1,s_2,\dots,I$ and they wish to compute any function $f(s_1,s_1,...,s_I)=(x_1,x_2,...,x_I)$ in such a way that no party learns more than their input $s_i$ and output $x_i$.

Although I have seen many cryptographic protocols designed to be secure and in order to solve the problem th ...

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C₁ = C⁴⁹ , C₂ = C₁⁴⁹, etc. He will find C_j = C for 1,2,5 or 10

I do not understand how they figured out they will have M = C_j-1 in at most 10 steps? They  ...

Lattice-based cryptography is being used for several primitives and applications.

I know there are newer works for PIR, PSI, ORAM that have seen tremendous improvements due to FHE. In some cases, FHE is the only tool that can be used for practical constructions of these primitives.

My question is which other such primitives have seen improvements (in performance or security)?

I'm reading the paper "Why and How zk-SNARK works" to learn zkSNARK, and I suffered some problem in section 4.4, when prove the ability of single operation.

In this section, it tries to come up with a protocol to verify that the prover have the ability of doing multiplication. It gives two number $b$ and $c$ and tries to verify the result of multiplication. The prover construct to polynomials $l(x)$

The parameter of a lattice signature scheme DAZ19 with tight reduction can be choosed to make the underlying hardness problem intractable. How to estimate the parameter of a lattice signature scheme ESLL19 with lossy reduction? is there any relation between the reduction and parameter?

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

I believe I am misunderstanding something about the bounds derived for the key switching error in CKKS. I will refer to the initial paper, but similar bounds have been derived in all variants I have looked into.

My particular point of confusion is with $B_{\mathsf{mult}}(\ell)$ (on page 12, as part of lemma 3), which is defined to be $P^{-1}q_\ell B_{\mathsf{ks}}$, where $B_{\mathsf{ks}} = O(N\sigma)$

I know that Bitcoin uses a 32bit nonce that miners iterate over trying to hit the target number of prefixed 0's in the hash. If they run through all 2^32 combinations they then change something else in the block (either the 32bit extraNonce field, or by adding and removing transactions, changing the timestamp of the block slightly etc.)

I am implementing my own cryptocurrency from scratch and my  ...

If I try to do MD5(SHA256(input)), what is the strength of this so-called double hashing approach?

Is it as strong as SHA256, or as strong as MD5, or as strong as SHA256 + MD5?

This is not a homework question btw, I am asking because of a real issue in my project. By right, I only need to do SHA256(input) on the input, and store it in a column in one MySQL table. But my practical concern is: SHA256 is o ...

when reading [BDLOP18], I run the lwe-estimator with the recommended parameters in Table 2 , but the result of hermite factor is 1.007, this result is bigger than the recommended hermite factor 1.0035

My question is a little difficult to describe, so let me first start with an analogy

In an elliptic curve over a finite field, there are 2 groups - the first group is a finite field over which the elliptic curve is defined. The 2nd group is the group which is formed by all the points of the elliptic curve. These are the 2 different groups.

My actual question:

In AES256 we use a polynomial to represen ...

In Is Diffie-Hellman less secure when A and B select the same random number? , the possibility of Diffie-Hellman key exchange producing identical peer keys and the vulnerability of it against passive attackes was brought up, again - as a duplicate.

But is there a equivalent in *-LWE family of lattice-based key exchanges? My question being, without considering CCA-hardening such as Fujisaki-Okamoto t ...