Latest Crypto related questions

Score: 0
alpominth
Once a secure hash function built up a (fast) internal hash table, can data to be hashed be different from the data inserted when doing the lookups?

One experienced user of this forum said: "The key is the input of the hash function to build up a fast internal hash table. The key is hashed again to perform the lookup.".

If data such as a 262144-byte seed (as SMhasher does) is passed through a hash function to build up a fast internal hash table, can the secondary lookups include different data, such as a counter appended to the seed again? I ...

Score: 5
PCFX
Is it insecure to sign the value 0 with ElGamal?

Is it insecure to sign the plaintext 0 with the ElGamal signature algorithm? Can this leak the private key, give the possibility to forge other signatures, or does it provide any other attack vector?

Score: 1
Kevin Perez
Frequency Monobits Test

As detailed in the paper Statistical test suite for random and pseudorandom number generators for cryptographic applications by NIST, the first test is given as a basic significance test; it uses a bit sum and calculates the p-value and test statistic. But I do not have the clearest understanding of why $S_{obs}$ is defined as the sum of the sequence divided by the square root of the length of the s ...

Score: 0
rzxh
Is there any new progress on the issue of 2-server private information retrieval with secret shared index?

Recently, I encountered a secret retrieval problem. In my scenario, two parties each hold a secret share of index $i$, and they want to get $bucket_i$ together. I found that the CCS17 paper Floram is quite good: they observed that computing a PRG with a general 2PC method like GC can be avoided when generating FSS correction words, which is a very neat idea. However, they needed to decrypt that encrypted

Score: 1
Cisco Saeed
How to recover y-coordinates when using XZ montgomery curve

I am using the Montgomery ladder with the Montgomery curve $by^2=x^3+ax^2+x$ using XZ coordinates and I recovered the $X$ value using $X_3=X_1/Z_1$, but I don't know how to recover the $Y$ coordinate.

For the double-and-add ladder I am using this:

      A = X2+Z2
      AA = A^2
      B = X2-Z2
      BB = B^2
      E = AA-BB
      C = X3+Z3
      D = X3-Z3
      DA = D*A
      CB = C*B
      X5 = Z1*(DA+CB)^2
      ...

Score: 0
gabbar
Clarification regarding AES-CTR

I was recently trying to perform an AES-128 CTR encryption and decryption.

I had an observation that if an AES-CTR encrypted value is encrypted again (with the same key and IV), it results in the plaintext that was encrypted in the first place.

I just want to know the reason behind this, and does any other AES scheme support this similar behaviour?

Thanks!

Score: 0
Aditya
Is size of key space divisible by size of message space for an encryption scheme following perfect secrecy?

In a perfectly secret encryption scheme, any ciphertext c can be decrypted in |K| ways and it should decrypt to any message with equal probability (assume messages are uniformly distributed over message space). Does this imply that |K|(size of key space) is always divisible by |M| (size of message space) for perfect secrecy?

Score: 1
Wan
Prove or disprove the modified Shannon's theorem when the correctness requirement is relaxed

Suppose the correctness requirement of a private-key encryption scheme is now relaxed to require only that $$ \Pr[Dec_k(Enc_k(m)) = m] \ge \frac{1}{2} + \epsilon. $$ Prove or disprove that if an encryption scheme satisfies perfect secrecy and the relaxed correctness, then $|M| \le 2|K|$, where $M, K$ are the message space and the key space, respectively.


The following is my thinking. Assume $|M| > 2 ...

Score: 2
Abdelrahman
Threshold of resistance against Linear Cryptanalysis

In the AES proposal, in the last sentence on page 30, it is said:

To be resistant against LC, it is a necessary condition that there are no linear trails with a correlation coefficient higher than 2^(n/2)

I know that the correlation coefficient can have values in the range [-1,1]. Moreover, in the same proposal, they mentioned that

we prove that there are no 4-round linear trails with a correlation above 2 ...

Score: 3
ikeachairs
Time Complexity of RSA Trial Division

I'm having trouble understanding how time complexity of trial division is exponential.

If it takes $\sqrt n$ tries to factor $n$ in the worst case scenario then time complexity is $\mathcal{O}(\sqrt n)$, which I thought would mean that the number of operations grows slower than the increase in the number of inputs. So how would that be inefficient if polynomial time is considered efficient?

It makes s ...

Score: 1
bilaljo
Quantum-Safe MAC: HMAC and CMAC

If I understood right, CMAC is not quantum-safe because it relies on AES-128 (which isn't considered quantum-safe), while HMAC is, because it relies on SHA3 (which is considered quantum-safe). Did I understand this right?

Score: 4
siba36
Where did the number of initial plaintexts required for impossible cryptanalysis on Mini-AES come from?

I'm implementing impossible differential cryptanalysis on AES and I've started with implementing it on mini-AES to fully understand the process using R.Phan's paper as a reference.

But I don't understand the initial pairs preparation step: [image: first step of impossible differential cryptanalysis on Mini-AES]

In the paper the author says to obtain $2^{13}$ plaintexts $P$ and another $2^{13}$ plaintexts $P'$ which are equal in the second and third nibble, and from those plai ...

Score: 2
Joe
Forging an ECDSA signature for a random public key string

An adversary is able to insert a random string (which he does not control: he can only randomly generate it and insert it). The random string is parsed by the victim as an ECDSA public key. This public key is used to verify a signature (the adversary can insert whatever signature he chooses). Is this a vulnerability? E.g. what are the chances the random string ends up corresponding to a low order curve  ...

Score: 2
Tatsuya
Sending photons in Quantum Cryptography

Bob has two detectors + and x. You can see it in the picture I sent. Alice sends a photon with vertical polarization and Bob uses the + detector and the detector is detecting Alice's photon.

Bob's + detector detects when the polarization of the photon from Alice is either vertical or horizontal (because it is a + detector).

Bob can only tell if his detector is detecting a photon or not, if it is detec ...

Score: 1
Dimitri Koshelev
Are you aware of cryptographic contexts (e.g., post-quantum) in which a square root $\sqrt{\cdot}$ must be computed in constant time?

Let $\mathbb{F}_q$ be a finite field of odd characteristic. I know that a constant-time implementation of the square root extraction $\sqrt{\cdot} \in \mathbb{F}_q$ is used in the context of hashing to elliptic curves (see Appendix I of the draft).

Are you aware of other cryptographic contexts in which a square root $\sqrt{\cdot}$ must be computed in constant time to be protected against timing a ...

Score: 1
Jakab Martin
What is the proof that the RSA is collision-free?

We have the RSA function: $c = m^e \pmod n$. I would like to know the proof that there is not an $m_1$ and an $m_2$ message that produce the same $c$.

My thoughts:

We know that $m \le n$, so $m_1 \not\equiv m_2 \pmod n$. We also know that if $a \equiv b \pmod n$, then $a^k \equiv b^k \pmod n$. So if $m_1 \not\equiv m_2 \pmod n$ then $m_1^e \not\equiv m_2^e \pmod n$?

Score: 1
alpominth
Why do the hash functions tested by SMhasher appear to be exceptionally fast?

In SMhasher, it seems that data (keys) are read one by one sequentially, and not split, and:

MiB/sec: The average of the Bulk key speed test for alignments 0-7 with 262144-byte keys. The higher the better.

(The above is written in its README.)

The author said that it is the output of the hash functions that is measured.

Take a fast hash function tested by SMhasher, for example Blake3, it has 1288.84 MiB/S  ...

Score: 1
Paritosh007
How is a message $\mu$ encrypted in a witness encryption scheme below? What does C(x) = 1 mean below?

I was reading this paper, where I came across the following statement on Pg 4 under the Homomorphic Commitments:

A witness encryption scheme, associated with an NP language, consists of an encryption and a decryption algorithm: Anyone can encrypt their message µ under an NP instance and the decryption algorithm can obtain µ using the witness to this instance. We use witness encryption as follows: T ...

Score: 0
user1035648
master secret key or master private key in functional encryption

In public-key encryption, we have a pair of private key and public key for each user.
In functional encryption (like Identity-Based Encryption (IBE), Attribute-Based Encryption (ABE) and ...), we have public parameters, a master secret key, and a public key and secret key for each user or functionality.
Asking about terminology:

Why was the term "master secret key" not called "master private key"?
Is t ...

Score: 0
Simon Balfe
Differential trails in differential cryptanalysis

From section 4.4 of this book https://www.ic.unicamp.br/~rdahab/cursos/mo421-mc889/Welcome_files/Stinson-Paterson_CryptographyTheoryAndPractice-CRC%20Press%20%282019%29.pdf

I'm confused about how the differential trail is formed given they don't know the round key. I would love it if someone could give a clear example of how this attack actually works. They mention you can calculate the output xor without knowi ...

Score: 1
Paritosh007
What does a semi-malicious setting mean in MPC? How is it different from malicious or semi-honest setting?

I was reading this paper, where I came across the following statement:

We consider the problem of unbounded MPC with security against semi-malicious adversaries in the dishonest majority setting. In our communication model, parties publish their first message through a broadcast channel which is immediately delivered to all participants. At any point in time, any subset S of participants (with a  ...

Score: 1
rouguex
SUPERCOP benchmark of signature scheme: Number of cycles of key generation

I'm having trouble interpreting the output of the SUPERCOP benchmarks of some digital signature schemes.

Precisely, I don't understand how to read the number of cycles for the key generation. This should be found in the line of the SUPERCOP output file with the keyword "keypair_cycles". However, I find three such lines, with significantly different numbers. Below the three lines from the benc ...

Score: 1
leon._
Single Term Off-Line Coins : Corrections on the final signatures

I am making an implementation of Niels Ferguson's paper: Single Term Off-Line Coins in Python.

In the Coin withdrawal protocol, in the last steps, Alice checks that the signatures she received are correct. She checks if she needs to adjust the signatures by making corrections. When I run the program I get most of the times that $S_{b}^{v} = C^{U}B$ but not that $S_{a}^{v} = C^{k}A$. I try to find c ...

Score: 4
How can a verifier benefit from being malicious or dishonest in a Zero Knowledge interactive proof?

Several texts talk about malicious/dishonest verifiers in a zero-knowledge interactive proof but none of them properly detail how a dishonest verifier can gain extra knowledge over an honest verifier using some examples like "Quadratic Residue Interactive proof" or "graph 3 colouring Interactive proof".

I went over the proofs for these 2 examples for honest verifier where obviously no knowledge is  ...

Score: 2
Yiyi
How to compare two field elements in Arithmetic Circuit?

Given two field elements as input of an Arithmetic Circuit (consisting of addition gates and multiplication gates only), how could I output the bigger one? Or, how to place the gates in order to distinguish which one is bigger (using an Arithmetic Circuit)? Could you please describe the method in a picture?

In Zero-knowledge Proof, the statement to be proved would be described in a standard form first, such as Boolea ...

Score: 1
Clara Raquel
best HMACSHA signed JWT secret length

I would like to use JWT but one thing I'm still thinking about is: what is the best length for the secret?

If I'm using HS512 as a signing method the secret should have a length of 512 bits as far as I understand and I imagine that 512 bits are 64 characters (of 1 byte) because the secret is a string, as far as I understand.

But what I noticed is that I could use any length I want for the secret, 1 chara ...

Score: 1
BAO
Encrypting Small messages (BLE Beacon) - with little entropy - symmetric

I want to encrypt Bluetooth Beacon data. I was wondering if having very little entropy in the clear text would make the key easier to guess? The maximum data length is 31 bytes.

An example of the data (packed struct): where sequence monotonically increases, all other measurements have small variations between readings (nature of what's being measured, think 25.00 -> 25.01 -> 25.02 -> 25.0 ...

Score: 2
Jim
How to multiply the Pedersen Commitment of two numbers?

Given two numbers $x_1$, $x_2$ and their respective binding numbers, $b_1$ and $b_2$, let's take their Pedersen Commitment to be $C(x_n, b_n)$ $\forall n=1,2$.

What is $C(x_1 * x_2, b_1 * b_2)$?

Score: 7
user5207081
Are rejected Dilithium commitments secret?

On 6 March, Yi Lee sent over the NIST mailing list an announcement of their submitted paper that found a flaw in the original security proof for Dilithium. In their manuscript, they fix the proof on paper, and they also verified the whole proof using EasyCrypt. URL: http://ia.cr/2023/246

In Section 3.2, paragraph "The ‘Program once’ game hop", they bound the distance between $\mathcal{A}^\textsf{Pr ...

Score: 1
mad0x60
When could CPA work against non-deterministic encryption schemes?

Is there a non-deterministic encryption scheme that is vulnerable to a CPA? I got asked this in an interview and I answered with no but the interviewer said that my answer is wrong. Would somebody clarify if this is possible?
