Latest Crypto related questions

I am reading this paper, which in the introduction, tells about two main types of key recovery SCAs :

• Reaction_type SCAs, which uses a decryption failure oracle
• Message-recovery-type SCAs, which uses a plaintext-checking oracle

I don't understand the difference between these two oracles. In this presentation, the authors categorize three different oracles, including these two.

My understanding is th ...

On some lecture slides regarding to RSA-Encryption, the formula for calculation of the private key is given as $d = e^{-1} \equiv e^{\phi(N)-1} \mod \phi(N)$. The second equation is justified by the fact that $gcd(e,\phi(N))=1$.

My questions:

1.How does the second equality come about? I know, that Eulers Theorem shows, that $a^{\phi(b)} \equiv 1 \mod b$ for coprime $a,b$. So why we dont need to write

I am beginning my journey into Cryptography, having studied a theory-heavy master's degree module, and I have also read The Code Book by Simon Singh, among many other online resources.

What puzzle books would the community recommend, just so I can get into the mindset of code-breaking? I noticed that certain newspapers have puzzles that are just like the Playfair Cipher. This is something that sh ...

The padding fix by Albertini et al. for AEAD key commitment (pp. 3292 and 3301-3302) involves prepending a block or two of zeros to the plaintext before encrypting. After decryption, these bytes are checked to be zero to verify that the same key was used for decryption.

The Counter-then-Xor (CX) construction by Bellare and Hoang (pp. 25-26) involves encrypting a nonce padded with zeros concatenate ...

Lets say entity A sends a secret "token" to anybody that they trust.
The token itself is the proof and its sent equally to everybody and it has or needs to be derived from application specific data.

Entities B, C and D get the same token and want to publish a timestamped event for proof, but they don't trust anybody, each of them separately, salt&hash the secret and publish it to the outer world. ...

I'm currently going through the book "Guide to Elliptic Curve Cryptography" by Darrel Hankerson, Scott Vanstone, and Alfred Menezes. In the book, the authors state that

[…] there is no mathematical proof that the ECDLP is intractable. That is, no one has proven that there does not exist an efficient algorithm for solving the ECDLP. Indeed, such a proof would be extremely surprising. For example, the n ...

I haven't seen Threefish widely used. For example, I've seen Twofish used in file encryption software, even though it was not standardized, but I've never seen Threefish. Are there security issues?

For context, I'm making a non-production grade reference implementation of the balloon hash function using the Web Crypto API. In order to make it less susceptible to certain attacks on common memory hard KDFs, the number of memory blocks should be reduced, meaning their size should increase. I am however restricted in the choice of cryptographic functions to the functions defined in the SubtleCrypto inte ...

I'm looking for a general comparison of encryption algorithms in regard to Confusion and Diffusion (as defined by Claude Shannon), and if possible, specifically for their SAC and BIC quality.

For example, xor-streaming ciphers have no (0, zero, zilch) diffusion - you switch 1 bit in the ciphertext, you know which single bit in the plaintext after decryption will be flipped.

Most ciphers, especially blo ...

Consider a single hash table containing digests from about 10 different 256 bits cryptographic hashing functions, like SHA256, SHA3, KECCACK256, BLAKE2, BLAKE3, etc...

Is such table still considered collision resistant?

I am inclined to think so, but I might be missing something.

Consider the following two verifiable encryption schemes for Discrete Logarithm.

FS01: “One Round Threshold Discrete-Log Key Generation without Private Channels” by Pierre-Alain Fouque and Jacques Stern, Section 3.2, "A Proof of Fairness".

CS03: “Practical Verifiable Encryption and Decryption of Discrete Logarithms” by Jan Camenisch and Victor Shoup.

They both rely on Paillier Encryption and ...

I'm trying to find a MD5 hash collision between 2 numbers such that one is prime and the other is composite (at most 1024-bit). I'm using fastcoll with random prefixes for each iteration.

For this I wrote this script:

import subprocess
from Crypto.Util.number import bytes_to_long, isPrime
import string
import random

won = False

N = 10

while not won:
    # Run the fastcoll executable to generate ...

Because of the need of the project, I want to develop a simple public key cryptography algorithm, but I have doubts when generating the key pair.

I have learned about the key generation process of RSA. It is to prepare two coprime numbers (p, q), multiply them to obtain N, and then calculate L (that is, L=lcm (p-1, q-1)), calculate the public key (pk is a number larger than 1 and smaller than L,  ...

Consider the following paper based OTP

1. Plaintext has 11 possible symbols 0-10.
2. $C_i = M_i + K_i\ mod\ 11$.
3. $K_i$ comes from a pre-shared key material which is never reused.

How to introduce data integrity/ MAC in it which can be calculated using pen & paper.

Following the book Pairing for Beginners, the Tate pairing computation requirements are:

1. Let $P$ be an point on the $r$-torsion subgroup in $E(\mathbb{F}_q)$.
2. Let $f$ be a function whose divisor is $(f) = f(P) - r(\mathbb{O})$.
3. Let $Q$ be a point of $E(\mathbb{F}_{q^k})$.
4. Let $D_Q$ be a degree zero divisor that is equivalent to $(Q) - (\mathbb{O})$, with disjoint support to the one of $(f)$.

The  ...

In ECDSA, when parsing the public key a test is made to ensure the public key really lies on the curve. What vulnerabilities appear if one does not do this?

I am following this paper Encryption from Learning with Errors for the generation of errors e1 and e2 to retrieve the ciphertext u and v as described below.

u = Ar + e1
v = br + m (q/2) + e2

For this text:

We require for this algorithm to work that the χ distribution has a mean of zero and, with overwhelming probability falls into the range [−q/4, q/4]. If we require perfect correctness, then we can ...

My question might be a duplicate but I wasn't able to find a similar question.

I recently developed a wallet-like app and I am trying to implement some MPC features.

I searched a little and even asked ChatGPT about how I can achieve that.

I know how ECdsa and how Shamir’s secret sharing work but I can't find a way to combine their functionalities.

I need functionality similar to this:

n parties have ...

I'm using AES-256-CBC to encrypt password for a set of users, and for each user in the database we gotta generate and store the password in the database. The database has constraint that the name of the user must be unique, so I was wondering if using the name of the person as the initialization vector was okay, because names are sufficiently random for a cryptographic perspective, if I encode it to ...

I am working on using the Hadamard transform as a way to map randomly generated values and then apply statistical tests as defined by Nist or other institutions. One resource online I found particularly helpful, yet I do not seem to have the mathematical intuition to understand some parts. The python code and the text are found on quant at risk.

2D matrix of $x_{\text {seq }}$ holding our signal ...

I am attending the video lectures from Prof Dan Boneh. He gives the following example.

Let $G:\mathcal K\longrightarrow \Bbb Z_2^n$ be a PRG with the property that from the last $\frac{n}{2}$ digits of $G(k)$ we can easily compute the first $\frac{n}{2}$ digits of $G(k)$. We want to show that $G$ is predictable for some $i\in\{0,\dots,n-1\}$.

Well, it is clear that we should use the contrapositive ...

I'm a novice reader of Introduction to Modern Cryptography, where it states:

Let $G$ be a pseudorandom generator with expansion factor $\ell(n) > 2n$.
In each of the following cases, say whether $G′$ is necessarily a pseudorandom generator. If yes, give a proof; if not, show a counterexample.
(a) Define $G'(s) = G(s_1, \ldots, s_{\lfloor n/2\rfloor})$, where $s = s_1, \ldots, s_n$.

I thoug ...

Cant you look at the algorithm used to encrypt and find the private key from the public key that way? As an example, here's a simple python algorithm that encrypts an input:

rnd.seed(int(pasc))
return [(tran_ltn[content[i]] + rnd.randint(400, 1400)) for i in range(len(content))]

This is obviously symmetric. However, if I wanted to make it so that a different passcode decrypts this output, I could writ ...

I recently read a paper that proposed a matrix-DDH which is a matrix variant of DDH assumption. The brief definition is follows:

Let $G$ be a group of prime order $q$. Then, the matrix-DDH says that it is hard to distinguish between two distributions: $\{[A], [A\cdot w] \} \approx \{[A], [u], u\leftarrow \text{random} \}$.

Here, the bracket notation $[x]$ denotes the group element with discrete logarit ...

I am working with hardware that can only encrypt with AES. The problem with this is that the message must be publicly verifiable, without the encoding key being exposed. This is the textbook use-case for asymmetrical keys, yet the hardware does not support this. I cant come up with a method myself where a message is encrypted with AES and decrypted with an asymmetrical public key. Is there a way to do t ...

In the encryption process, the ciphertexts c1 and c2 are added to errors e1 and e2 each to get noisy ciphertexts u and v.

c1 = A * r
c2 = b * r + m * (q/2)

u = c1 + e1
v = c2 + e1

However, choosing a random value for e1 and e2 would cause u and v to not match to its message m. Wikipedia and several research papers suggest using discrete Gaussian distribution to choose e1 and e2 that match with m. The e ...

In TCS, functions need to be converted into boolean circuits.

So is this Boolean circuit a combinational logic, i.e. a directed acyclic graph, satisfying the topological order?

I would appreciate your answer. Thanks!

Due to protocol limitations, I can put in 24 bytes of data only for tx (excluding headers), if I use AES_GCM for encrypting my data, I understand I don't need to worry about padding.

For instance, if my data is 22 bytes, I would be getting a 22 bytes encrypted output. So, I had zero-ed in on AES-GCM or AES-CTR. However, I have observed AES-CTR stream cipher is not available in Microsoft crypto li ...

In Crystal Kyber specification, page no10, there are 3 algorithms namely KYBER.CCAKEM for making the CPA-secure Kyber into CCA-secure one.

Q1: How is the shared key K being generated in KYBER.CCAKEM.Enc & KYBER.CCAKEM.Enc related to the CPA-secure algorithms ?

Q2: Is the shared key K used as input parameter of sorts, for the CPA-secure algorithm ?

When I try to generate decimal numbers in the range 0-18446744073709551616 using a hash function I always get big numbers like this:

$ A=$(date | b2sum -l 64 | awk '{ print $1 }'); echo $(calc 0x$A)
16324260068905187599
$ A=$(date | b2sum -l 64 | awk '{ print $1 }'); echo $(calc 0x$A)
5500525113920202581
$ A=$(date | b2sum -l 64 | awk '{ print $1 }'); echo $(calc 0x$A)
2795550665156396173
$ A=$(da ...