Latest Crypto related questions

Score: 2
Jeffrey
Stand-alone simulation proof: Ideal functions and leakage collection

Are ideal functions and leakage collections terms of UC security? Why do I often see them in a simulation-based proof under the stand-alone model? Some papers use the definition in Lindell's How to simulate it? while defining ideal functions (sometimes with leakage collections), which really confuses me a lot!

Score: 0
Patoshi パトシ
Alternatives to a Vigenère Cipher

A Vigenère cipher is just a Caesar cipher (ROT13) based on a SECRET word, from my understanding. Are there variations of a Vigenère cipher that are similar? I want to create a new type of Vigenère cipher where the SECRET is used 2-3 times: once forward for encrypting it once, then a second time encrypting it twice with the SECRET word backwards, and last encrypting it again with just the first letter of ...

Score: 0
murpw2011
Cracking 2-Key Triple DES

I've been given that an attacker has a 2-Key Triple DES Cracker that is capable of performing $10^{24}$ encryptions per second and have subsequently been asked how long it must take before the attacker successfully finds the correct key.

This doesn't seem too hard however I'm caught between two different answers, here's what I've done:

My first attempt assumed that this would be a meet-in-the-middle att ...

Score: 1
Esha
Difficulty in the calculation of accuracy in an RP-algorithm

I am studying about RP-algorithm from the book Algebraic Aspects of Cryptography by Neal Koblitz.

The following example is given in the beginning which is the Probabilistic Primality Test.

[image: primality-test]

I understand the scheme of the algorithm, but I am facing difficulty in understanding and deducing the probability that, given that the number $N$ passes the Fermat Strong Primality Test $k$ times, $N$ is actually prime. How ...

Score: 5
CryptEr
Conditional entropy between ciphertext, plaintext and the key

If we have a (possibly imperfect) cryptosystem that generates ciphertext $C$ from plaintext $P$ and key $K$, we have:

$H(C, P, K) = H(C | P, K) + H(P, K)$

where $H$ is entropy.

My question is why the following is true:

$H(C | P, K) = 0$

It seems because each key and plaintext uniquely define a ciphertext but I want to prove this mathematically (theories in entropy).

Score: 4
Z123
Converting elliptic curve equations

I'm implementing a digital signature algorithm for academic purposes using elliptic curves. I am familiar with equations of the form $y^2 = x^3 + ax + b$, but the paper I am reading for implementing point addition and doubling uses the equation $Y^2Z = X^3 + aXZ^2 + bZ^3$.

I guess the $Z$ comes from representing the points using projective coordinates, but I'm not sure.

I'm not sure if I understood  ...

Score: 1
AlphaCentauri
How to find the embedding degree of an elliptic curve?

I want to know if there's any algorithm to find the embedding degree of an elliptic curve. For example, the secp256k1 curve has embedding degree 19298681539552699237261830834781317975472927379845817397100860523586360249056. This number is so large that it can't be found using brute force, so there has to be an algorithm to figure out the embedding degree in an acceptable time frame.

Score: 2
siba36
How to build the plaintext structure for impossible differential cryptanalysis on IDEA?

I'm trying to implement impossible differential cryptanalysis on 3.5-round IDEA, using the Miss in the Middle Attack on IDEA and Khufu paper as a reference, and I'm stuck on the first two steps of the attack:


In the paper the authors say that I should choose a structure of $2^{32}$ plaintexts $X^1$ with identical $X^1_{2}$, identical $X^1_{4}$, and all the possibilities of $X^1_{1}$ and $X^1_{3}$.

So I ...

Score: 2
Daniel S
Learning with rounding: uniformity

Naively, when one applies rounding to a uniform random value one anticipates that the change is uniformly distributed. In lattice-based cryptography, is there a formal notion or proof of equivalence between learning with rounding and learning with uniform error schemes?

Secondly, has anyone proposed a dynamic version of learning with rounding where the level of rounding is chosen to optimise the b ...

Score: 3
rerouille
Understanding RLWE Encryption

The LWE Encryption Scheme by Regev is inefficient due to its public key sizes in $O(n^2)$. This led to the variant problem RLWE, defined in this paper:

Let $n$ be a power of two, and $q$ a prime satisfying $q \equiv 1 \pmod{2n}$. We define $R_q = (\mathbb{Z}/q\mathbb{Z})[X] / (X^N+1)$, which is the polynomials with coefficients in $\mathbb{Z}/q\mathbb{Z}$ considered modulo $X^N+1$ ($X^N = -1$). We choose

Score: 2
fgrieu
A property of some Koblitz elliptic curves over a prime field

secp256k1 is an elliptic curve $E$ over a prime field $\mathbb F_p$, of equation $y^2\equiv x^3+b\pmod p$, with prime order $n$.

I noticed† that the different curve $E'$ over the prime field $\mathbb F_n$ with the same equation has order $p$. The roles of $p$ and $n$ are reversed in $E$ and $E'$.

That also holds for secp160k1 (not secp224k1 or secp192k1), and it's easy to come with other examples small ...

Score: 1
Pierre
Correct terminology for ECC in PGP

These days I'm generating some PGP keypairs, and I'm struggling to understand the correct terminology behind ECC keys, mostly the differences between ed25519/cv25519/ECDSA/EdDSA/ECDH. I tried to check RFC 6637 and this RFC draft without being sure of what I understood.

Let's take a practical example, with RSA first. Let's generate a keypair:

$ gpg --expert --full-gen-key

Please select what kind of  ...
Score: 3
tobalr
Can I use Libsodium crypto_box_easy for signing with 32 byte keypair?

I have a chat system where multiple clients communicate securely using Libsodium authenticated encryption. Every client has its own 32 byte key pair. If two clients want to communicate, they first share their public keys out of band and then use e.g. crypto_box_easy for encryption.

I want to create a service that allows a client to vouch for another client's public key using signing.

However, pub ...

Score: 1
Nserser
The hardness of deducing $z \in \mathbb{Z}/p\mathbb{Z}$ from $z^l$ and $l$

I am writing to request information about the difficulty of finding $z \in \mathbb{Z}/p\mathbb{Z}$ (where $p$ is a large prime) given $z^l$ and $l$. I am working on a project that involves this problem, and I am interested in learning more about its complexity.

Specifically, I would like to ask for your insights on the following:

  1. Is there any known efficient algorithm to find $z$ given $z^l$ and $l$?
  2. Is the problem of finding $z$ given $z^ ...
Score: 2
wxist
NIST algorithm testing results

I have an algorithm that encrypts large text. I want to test this algorithm on statistical tests. The ciphertext contains ~10,000,000 bits. I decided to test the algorithm in two different ways, I took the ciphertext and passed it to the input of statistical tests:

  1. The first parameters were as follows: /assess 1000000 and How many bitstreams? 10
  2. The second parameters were as follows: /assess 1000 ...
Score: 0
Josh
Who developed SHA-2 family?

When I look up who developed SHA-2 family, the result I get is along the lines of

SHA-2 was first published by the National Institute of Standards and Technology (NIST) as a U.S. federal standard.

What I am really looking for is "Which individuals have developed the SHA-2 family?". I understand that most probably there are many individuals behind its development, but like any other scientific endeavor, som ...

Score: 3
OptimalNailcutter1337
CSIDH - The inverse problem

I started studying CSIDH a few weeks ago and, seeing these papers [1] [2], I was wondering:

  • Given $[a]E$ and $E$, find $[a]^{-1}E$.

I read that it is easy to find $[a]^{-1}E_0$ knowing $[a]E_0$ by quadratic twisting, but I haven't found any resources explaining how to compute $[a]^{-1}E$.

So, is it possible to compute $[a]^{-1}E$ knowing $[a]E$ and $E$?

Score: 1
Jeffrey
Simulation based proofs: how many simulators should be constructed?

In a simulation based proof of a cryptographic scheme, if $k$ parties are involved in the scheme, should $k$ simulators be constructed, one for each of the parties?

Score: 1
Amer Yassir
Calculate the key of a Hill-cipher using known plain- and ciphertext

I know I should calculate the multiple inverse of plaintext with ciphertext $\pmod {26}$. However, the problem I have is that the plaintext is a $3 \times 4$ matrix which is not square, so how would I get an inverse?

Should I get the inverse of one side (left or right) of the plaintext or is there another way?

Score: 2
wxist
NIST statistical tests

I'm having trouble testing a not-so-popular algorithm that I haven't found an implementation of, so I wrote it myself and now I'd like to test it with the NIST tests, but I have a suspicion that I'm doing something wrong.

I got an encrypted file with ~10,000,000 bits. I tested my algorithm in the following way. I set the input parameter to 1,000,000, so it will look like: /assess 1000000, then the amount ...

Score: 0
user108142
Unable to retrieve the binary string using LWE and Lattice-based decryption

I am new to this encryption scheme, so I may not be exactly sure of its implementation. I have a list of (u, v) ciphertext pairs to decrypt, each of them encrypting 1 bit.

          { "u": [ 1, 19, 3, 2, 24 ], "v": 16 },
          { "u": [ 3, 20, 22, 26, 15 ], "v": 21 },
          { "u": [ 7, 3, 24, 26, 22 ], "v": 13 },
          { "u": [ 9, 20, 7, 25, 14 ], "v": 5 },
          { "u": [ 28, 11, 26, 22, 16 ...
Score: 1
Omid Bodaghi
Question about the Residual Pseudorandomness property in Verifiable Random Function paper, written by Micali, Rabin, Vadhan, in 1998

I am reading a paper named Verifiable Random Function, written by Micali, Rabin, Vadhan in 1998. In the Residual Pseudorandomness property of a VRF, it is written that if $T$ runs for at most $s(k)$ steps, it succeeds in the experiment with probability $1/2 + 1/s(k)$. I do not understand the exact meaning of $s(k)$. If it is polynomial, then the scheme is not safe. If it is exponential, $T$ cannot run $s(k)$, because it ...

Score: 2
Poseidon
What bitlength should I use for generating primes for an ElGamal Encryption Cyclic Group (given the data to encrypt has a short time-value vector)?

I am generating large prime numbers to create a cyclic group for ElGamal encryption. I can specify the bit-length $n$, but I want to limit the size, because this will ultimately allow me to limit the amount of data passed through external channels.

Also the data being protected has an extremely short time-value vector meaning after a short amount of time the data will become useless to anyone who might ...

Score: 7
cryptoman534345
Can Quantum Computers crack RSA and AES?

I'm trying to learn more about cryptography and ran into a post, Is AES-128 quantum safe?, which asks if AES-128 is safe. From the articles and replies it seems that AES-128 (symmetric key) is safe even with the advent of quantum computers (for now). However, it seems that asymmetric keys are not safe?

So, assuming you have a TLS 1.3 (which uses symmetric AND asymmetric keys) would quantum computers be  ...

Score: 0
艾霖轩
Could Diffie-Hellman ciphertext be used as OPRF (Oblivious pseudorandom function) input?

In my recent PSI project, I wanted to use Diffie-Hellman encryption to obtain ciphertext as OPRF input, but I could not find similar work related to it.

In my opinion, Diffie-Hellman ciphertext length is very long. Is there any performance or security problem if it is used as the input of OPRF?

Score: 1
Satochi
Can $s$ be any number in $s^x = x \bmod N$, where $N = p \cdot q$ for de Jonge / Chaum?

I was reading about some way to imagine the signature of a message using the RSA problem:

Let $N$ be the product of two prime numbers $p$ and $q$. Let $s$ be the signature of a message $s$ (provided that such $s$ exists) defined as $s^x = x \bmod N$.

Later on the following requirement is made on $x$: $x$ is coprime with $\phi(N)$.

I do not understand this requirement. And why with $\phi(N)$ and not  ...

Score: 1
Krijn
Variant of Decisional Diffie Hellman

Given a cryptographic prime $p$ and a generator $g$ of $\mathbb{F}_p$, the Decisional Diffie Hellman problem asks us to distinguish $(g^a, g^b, g^{ab})$ from $(g^a, g^b, g^z)$ for random $a, b, z$. This is an easy problem, because the generator has Legendre symbol $-1$, which allows us to differentiate between such triples.

But the distribution of the Legendre symbol for $g^{ab}$ and $g^z$ for random ...

Score: 3
Georg
Reference implementation of Shamir's Secret Sharing

Is there an implementation of Shamir's Secret Sharing that can be regarded as a "canonical" (or "reference" or "standard") implementation, so that I can test other implementations to be "standard compliant"?

The above question is pretty vague. I have more details in mind, but some of them might be misleading or based on false assumptions. So possibly not all of them can be fulfilled or are relevant.

 ...
Score: 1
Dominic van der Zypen
Pseudo-isomorphic graphs

Some famous cryptographic protocols rely on the construction of graphs $G_i = (V_i, E_i)$ for $i=0,1$ that are not isomorphic. For the safety of this protocol, it is central that one cannot easily verify that $G_0\not\cong G_1$. So, for instance, one could easily establish that $G_0\not\cong G_1$ if $|V_0| \neq |V_1|$, or if the iterated degree matrices of $G_0$ and $G_1$ differ.

As a non-rigid termino ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.