Latest Crypto related questions

I am given a set of $(u, v)$ values, matrix $A$, primary key vector, private key vector, error vector and prime $q$. I wanted to recover the binary value of each $(u, v)$ pairs using LWE decryption.

The formula I used to get that was: $\mbox{result} = v - s u$, where $s$ is the private key. I then compared the result with $q//2$. If result is more than $q//2$, the output is 1. If the result is less th ...

If I have 256 bits of handwavium "perfectly random data" and I hash this 256 bits of data with a secure hash function (possibly sha256) could the resulting hash be considered "perfectly random data" as well? I am assuming no, but don't know why.

What information / keywords would I use to find out more information about this?

Interesting seemingly related topics:

• Random Oracle Model
• Synchronous stre ...

Would it be technically possible to use hundreds of computer processors together to work on an algorithm like the Shor's algorithm and break RSA?

I've been reading about the crazy amount of qubits required to break RSA but what if hundreds of 64 bit processors work together towards the same goal? I would assume, if possible, it would be a very complex system and would require other algorithms to  ...

I have come across two supposedly identical definitions of lattices in the lattice crypto literature. There are mainly these two definitions of lattices, the first considers lattices as discrete additive subgroup and the second is the common vector space definition.

Definition 1: Discrete additive subgroup $$\forall x \neq y \in \mathcal{L}, ||x-y|| \geq \varepsilon, \quad \exists \varepsilon >0 \qu ...

I've been trying to use AES from OpenSSL and got to know that I need to use the EVP-based implementations rather than the AES_*.

I need to use AES-128 implementation to generate bitstreams, essentially passing various keys, and plaintexts to analyze the ciphertext generated for cryptanalysis of the algorithm. I went through the Question, How do I decide what mode to use? which linked to the NIST docum ...

I have the book "Handbook of applied cryptography". In there we have example for random tests.

I have bits sequence [11100 01100 01000 10100 11101 11100 10010 01001]*4 length on this sequence n = 160. And I need test this sequence in order to understand this sequence is random or not. And problem with understanding this example.

Runs test I understand how they got

$ e_i=\frac{n-i+3}{2^i+2}$

For  ...

This is from Alan Rosen's video on Interactive proofs - https://youtu.be/6uGimDYZPMw?t=1754

Here the proof is that

• the Verifier gets a random bit $b$ .

• If $b = 0$, then Verifier gets a random $y \in Z^*_n$ & sends $z = y^2$ to the Prover.

• if $b=1$, then the Verifier sends $z = xy^2$ to the Prover.

• Now if $z$ is a Quadratic Residue, then the Prover sends back $0$, else $1$

Now, doesn't this de ...

I'm curious if there's an encryption scheme where content may be encrypted to a public key where the associated private key can generate new decryption keys for the same content. The goal is to publish data that is encrypted with a server's public key and allow the server to produce new decryption keys as needed.

I know that if the input size in a pseurandom-function is larger than its output, many different inputs will generate the same output by the Pigeonhole principle (I also read an article related to that).

AES with 256-bits key size in CTR mode will generate many equal outputs per IV across all the possible keys of such a key space, because the IV capped to 128-bits, smaller than the key size.

Why  ...

I'm a computer programmer and I'm working on a truly unbreakable cypher and I keep going back to a book cypher (each letter of the message is referenced by a page,row,and column number in a random book where both the sender and receiver have identical copies.) In my update we use data files and auto lookup. here is my version:

Step 1) create a book

• generate a "book" of 5,000,000,000 characters writing t ...

It's difficult to implement AES securely and efficiently if the adversary can observe the timing and (approximate) location of memory accesses, unless you have dedicated hardware. The naive implementation uses lookup tables, which are vulnerable to attacks based on caches or on memory bus contention. Timing-invariant implementations exist (using bitslicing) but they're slower.

Are the other candidates  ...

Here, an user says about using a seed to generate a key that is larger than the digest size:

"Do not use hash chaining: that's a bad way of constructing a key derivation function from a hash. If the output is H(S) || H(S||H(S)) || H(S||H(S||H(S))) || …, then it's possible to reconstruct the whole output from the first n bytes where n is the length of the hash. How bad this is depends on how you' ...

I'm experimenting with the parameters for argon2, using argon2_cffi.

Whereas the iteration count or time_cost, and the memory_cost have obvious bearings on the speed and security of the result. I've not seen any guidance on a maximum for the parallelism parameter, other than enough for all the threads you have.

I have a 4-core i5, not sure if that counts as 4 or 8 threads. I am using time_cost=4, me ...

In the MixColumns step of AES, one multiplies each of the columns of the $4\times 4$ box of bytes by the polynomial $a(x)=\{03\}x^3+\{01\}x^2+\{01\}x+\{02\}$ (modulo $x^4+1$). But in this polynomial, the coefficient $\{01\}=1$ is repeated twice. Why is it acceptable for the MixColumns step of AES to have a repeated coefficient? Are there any known or conjectured attacks against AES that take advanta ...

FALCON is a cryptographic algorithm for digital signature, but is it slower than actuals algorithms (ECDSA)?

Assume a message protocol whereby one time pad messages are authenticated with a Carter Wegman type hash on the ciphertext, or some similar construct utilizing a unique authentication key per message.

Since this is a OTP system, there is a store of key material at both the sender's and receiver's ends. Some material is drawn to create the authentication tag and the message sent. It is then authen ...

We have a classic web application, and when a user sign in, we return a session token (UUIDv4). The user can choose if the session should expire when the browser/app is closed or if he prefer to always be connected (1 year at least).

If an attacker get the session token, I want a way to mitigate the possibility to uses it.

A solution could be to also add a One Time Password in each API client call.  ...

I just read about the SolarWinds attack and I have just been taught in class about the these standard but I am not able to understand if there is connect between SolarWinds attack and the above mentioned standards.

I have read about SolarWinds got some info that the company was following the NIST standard but I want to know if there is any connect between the IND-CPA, CCA1,CCA2 and SolarWinds.

I'm currently working on implementing digital signatures on the curve secp256k1 (for learning purposes only), and I'm having some trouble implementing ECDSA on curve secp256k1. As I understand it, this curve is a koblitz curve, which means it can't be written in the Montgomery form. Due to this limitation, I'm unable to use the Montgomery ladder.

Can anyone suggest how I can add and multiply poin ...

If we consider LMS with (SHA256 and LMS-OTS as the OTS scheme) as defined in sections 5 and 4 here:

https://datatracker.ietf.org/doc/html/rfc8554#section-5, they provide the following formulas for LMS-OTS (section 4.4):

In general, the LM-OTS signature is 4+n*(p+1) bytes long, and public key generation will take p*(2^w - 1) + 1 hash computations (and signature generation and verification will take app ...

Based on Differentia-addition on P I can understand (Xp,Zp) which is the base point, (Xq,Zq) which comes from Doubling, but I don't know what is the equation used to get P-Q to get X-,Z-.

So for example if I have P1(8,3,1) so it means (X⊖,Z⊖) = (8,1) and the value of (Xq,Zq) is from doubling? what about (Xp,Zp)?

Let's say I have three messages: A B C

And I run each of these through two different Hashing algorithms: MD5 and SHA1 for this example

MD5(A) = X
MD5(B) = Y
MD5(C) = Y

SHA1(A) = N
SHA1(B) = N
SHA1(C) = M

Notice the MD5 hash of B and C collide. And the SHA hash of A and B collide.

If I simply concatenate the digests, however, the results would be unique:

Combined Digest of A:  XN
Combined Digest of B ...

Assume $\phi(N) = (p - 1) (q - 1)$ as in the original paper. Suppose that we are using the same modulus $N$ for public and private key pairs $(e_1, d_1)$ and $(e_2, d_2)$. How can we get a multiple of $\phi(N)$ from these two pairs?

I was studying about the Microsoft exchange server data breach attack of 2021 as part of assignment case study. One of the tasks of the assignment it to find its relevance with IND-CPA, IND-CCA1, IND-CCA2 standards.

From my understanding the attack is seemed to be caused due to some logical bugs in the code base of certain versions of exchange server and attacker exploiting it with intelligently  ...

Short question: is there a particular reason why all standardized test data for the input message for 128-EIA3 is non-byte aligned?

Goldreich justifies why we work with the term negligible by saying among other things "events that occur with negligible (in n) probability remain negligible even if the experiment is repeated for polynomially (in n) many times.". Now I want to proof this statement. So I assume we have a problem with a verifiable solution and an algorithm solves it with negligible chances. And repeating this algorithm f ...

As several intermediate values are used as sentive data for side channel analysis (DPA), I don't understand why sbox input ^ sbox output is also wide-used and effective. This value does not applied in AES algorithm.

LMS is specially used for applications, such as code-signing (https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf). Given the parameter list in table 3, found here https://datatracker.ietf.org/doc/html/rfc8554#section-6.2, for which specific code-signing applications and environments ( ...

Im following these slides from "An Introduction to the Theory of Elliptic Curves" http://www.math.brown.edu/johsilve/Presentations/WyomingEllipticCurve.pdf, but I'm having some difficulty understanding how the ECDLP can be solved in anomalous curves.

On the slides it says: "If #E(Fp) = p, then there is a “p-adic logarithm map” that gives an easily computed homomorphism logp-adic : E(Fp) -> ...

How to give an example for collision in modified Mekle-Damgard construction that does not include input length, with two message that ARE multiple of the block length? (Assume the resulting hash function is only defined for inputs whose length is an integer multiple of the block length.)
It is easy to consider a counter-example in the case where two messages have lengths that are not an integer multip ...