Latest Crypto related questions

Sorry if this is a duplicate but, to be honest, I don't even know how to search for an answer to it.

I'm working in an environment in which I cannot use streams to encrypt data (React Native using the react-native-aes-crypto module).

Unlike Java where I can use something like cipher.update(buffer) (where cipher is an javax.crypto.Cipher instance) here, I will have to encrypt each part individually. ...

The proof of Lemma A.1 of the paper "FHE over the Integers" (Page 21-22) states that the absolute value of the rightmost term of

$c=p\cdot (kq_0+\sum_{i\in S}{q_i})+(m+2r+k\cdot2r_0+\sum_{i\in S}{r_i})$

is at most $(4\tau +3)2^{\rho}<\tau 2^{\rho+3}$.

We have $|k|\leq\tau$ and $|r_i|\leq 2^{\rho}$.

In addition, it is mentioned in the paper that $-2^{\rho'}<r<2^{\rho'}$ and $m\in\{0,1\}$. ...

Does it work if we try to construct a device (e.g., for counting purpose in several remote branches of a company) using a self-containing digital signature key enclosed in a tamper-proof hardware to make sure that the operations transcript of that function could be verified? (the transmitted report/transcript of the counting will be signed by the internal tamper-proof hardware)

Is there any conce ...

I am planning to encrypt multiple values using a 16 byte IV that I'm generating from the below scheme. My seed is a 32 byte value generated from hashing a password and salt is an 8 byte counter (i.e. salt is easy to predict for an outside observer).

iv = sha256(seed, salt)[0:16]

Intuitively this should be equivalent to randomly generating IVs, as I am mapping 32 + 8 = 40 bytes of possible values seed/sal ...

I want to encode my plaintexts as points on some given elliptic curve $E$ defined over a finite field $F_q$. Suppose I want to use Koblitz's method. Does the size of the message I want to encode matter? Can I encode the message in the size I want? What should I do with very long messages?

The definition of Bilinear pairing is shown here

Could you given an simple numerical example of Bilinear pairing? It would be very helpful for me to understand

can someone explain to me why django saves the hash in the database asargon2$argon2id$v=19$m=102400,t=2,p=8$... and not $argon2id$v=19$m=102400,t=2,p=8$...?

I've found this question from 2014 on Key Whitening: How exactly does key whitening manage to increase security? where is said that AES applies key whitening internally by adding a sub-key prior to the first round and after the last round.

Isn't key whitening applied to each round in AES?

I had an idea to make XEX mode parallelizable at CPU level.

Let's suppose I take an IV, XOR with random data, encrypt, XOR again with another data, and XOR on the plaintext

Would this encipherment scheme be valid? Would it be secure?

About Rabin Signature link

According to this paper, the person who wants to sign a message M first appends a random byte string U.
=> M_new = MU Then uses a compression function to get c = Compression_function(MU)
Then solves the equation for x, x(x+b) mod n = c mod n.

Then the signature is (U,x) pair.

My question is why cant we just use c as a signature?

I Assume that 'compression_function' is ...

I am currently trying to reverse engineer a piece of software that uses a seemingly-custom encryption algorithm.

After disassembling the decryption part of the code, I've come up with the following code that decrypts the data file just as well as the original software:

void decrypt_one_run(uint8_t* four_bytes_to_decrypt, uint8_t* four_bytes_key) {
    uint8_t local_buffer[4] = { 0 };

    for (int i = ...

In trying to implement mental poker, can all players agree on a standard set of 52 points on the curve corresponding to each card, and then to "encrypt" a card you just multiply it by a scalar which is your encryption key? (and to decrypt, multiply by the scalar's inverse modulo the group size)

Suppose I want to take advantage of hardware accelerated symmetric encryption like AES and use it to compute a “hash”. How collision resistant would it be if I’d take the IV + last N blocks of an AES CBC transformation and use it as my hash. What would be good Values for N?

In my hypothetical use case I am not immediately concerned about adversarial inputs / pre image attacks.

I wasn't sure if this question is more suited for SE.Math or not; please tell me if I should move it.

For its mpz_nextprime() function (find the next pseudoprime following the given number) GMP uses an interesting variation of the Sieve. In order to weed out multiples of small primes before applying slower tests (Miller-Rabin and Lucas), it first generates a table of residues of the "base" number. The b ...

I'm having a problem in a RSA challenge. I already had p, and q is calculated based on p.

(100000000**(p-1) -1)%p

q is the nearest prime to this number.

I knew that my comp will take a huge time too compute this (Don't know what time it would take). So can you guys suggest some ways to deal with this large number. Many thanks!

Given two functions f,g we have to construct h; such that h is one way function. Either f or g is a one way function. We don't know which one is a one way function. Both f and g are defined over X-> Y

OK, so I know that this is somewhat really basic in "post-quantum discourse", but unfortunately I did not find any textbooks/entry level papers specific to the topic of reductions in the quantum setting. It seems that there are two main caveats regarding quantum adversaries:

1. The possibility to ask a "superposition query" => hence, no "off-the-shelf" way to lazy sample functions.
2. The inability to clone ...

LFSR-12 with poly $x^7+x^2+1$ and LFSR-19 with poly $x^{11}+x^5+1$ are used to produce 8 bit of output each, output is then added together modulo FF

(LFSR-12+LFSR19)mod FF

I know first 8 bytes (-> 8 cycles of registers) of this sum. I am pretty sure there is better solution than just brute force - which is currently running on my pc;-)

I would appreciate any hints on this.

Though about algebraic at ...

I am wondering how to use and expand keys during the Decryption.

Let’s say we have an initial key (128bits): 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70

So we get: w[0] = (61 62 63 64), w[1]=( 65 66 67 68),w[2]=( 69 6A 6B 6C),w[3]( 6D 6E 6F 70)

Then with the g () function, we get:

• Circular byte left shift of w[3] = 6E 6F 70 6D
• Byte substitution using the SBOX
• Adding round constant for the rou ...

I've been reading this set of notes on some topics in MPC and am having difficulty understanding the transformation the authors make in order to reduce the round complexity of the GMW protocol through applying garbled circuits. In particular, the goal is to make the round complexity of GMW independent of the depth of the circuit being evaluated and instead let it be dependent on $\kappa$, the securi ...

I have this couple of deterministic functions $G_1$ and $G_2$. Suppose at least I of them is a PRG. Take $G^*=G_1(x)$ xor $G_2(x)$ with the same $x$. I have to show whether this is still a PRG. I thought about this counterexample: if $G_1=G_2$ then $G^*$ cannot be a PRG but my teacher said then $G^*$ isn't interesting.

What should I do?

I have some questions about the Kyber paper, especially about Theorem 2 on page 6, which I would like to ask here. First of all I quote the following theorem from the paper and ask my questions afterwards.

Theorem 2. For any adversary A, there exists an adversary B such that $Adv_{Kyber.CPA'}^{cpa}(A) \leq 2 \cdot Adv_{k+1,k,\eta}^{mlwe}(B)$.

1. My first question is about the definition of $Adv_{ ...

AES-256 in XTS mode has 32x16 (512) bytes of blocksize but there are some other wide-block modes of operation such as WCFB which accepts any block size.

My question is:

What is the maximum acceptable block size for disk encryption? "Acceptable" is ways of not having too much cons.

I have a question about Cryptocurrency wallets like Metamask (soft) or Ledger (hard).

How is a 12 or 24 word seed phrase enough to show the same crypto addresses in any crypto wallet that supports the same standard (ie. BIP-39). Can someone unravel this for me / us?

Would it be this:

• seed phrase with its 2048^(12 or 24) combinations is used to encrypt a private key
• that private key can decrypt yo ...

A user of this forum answered in one of my questions and said that if the IV is kept secret in multiple encryption with CTR mode, the cost of breaking the scheme is $${2^{2 l_{key}}} 2 \cdot {2^{l_{iv}}}$$

Can the encryption operation in multiple-encryption with CTR mode be replaced by a non-cryptographic operation assuming the IV is kept secret?

I'm questioning this because I took a look in the  ...

For my own project and the fun of it I have created an algorithm that turns plain text into cipher by interacting between entered text and a given password. My question is, in this instance, does the password count as what is known as a key, or is a key something entirely different?

In mpz_nextprime(), after some sieving with small primes, an MR test function is called, with the number of trials set to 25 (https://github.com/alisw/GMP/blob/master/mpz/nextprime.c#L118):

      if (mpz_millerrabin (p, 25))
        goto done;

But then in mpz_millerrabin(), for large enough candidates (candidates bigger than $31\times2^{46}$), the number of trials is suddenly reduced to 1 (https://githu ...

so i have function to decrypt aes ctr. but when i tried to decrypt, the result i got from plaintext is type bytes. i want to get the result of plaintext using decode, because when i encrypt it, i was encode it first.

here's my encrypt func:

def encrypt(key, pt):
    plaintext = read_file(pt)
    if isinstance(plaintext, str):
        pt= plaintext.encode("utf-8")
        print(pt)
        print(type(p ...

I'm reading the fourth edition of "Cryptography: Theory and Practice" by D.R. Stinson and M.B. Paterson. In the book, they have mentioned the concept of "collision-resistant hash" and I've stumbled upon the following question from another source:

Is there a collision resistant hash function $h(x)=h_1(x)\oplus h_2(x)$ so that $h_1$ and $h_2$ are not collision resistant?

It seems interesting to thin ...

So I get how it works for inputs shorter than $512$, but as for larger inputs "In the case where the remaining input data is exactly $448$ bits long, an entire extra block would need to be added for the padding." what do they mean by the 'remaining' input data is exactly $448$ bits long? if input was like, lets say $500$ bits, $1024-64=960$, $960 - 500= 460$, so $500 + 1 + 459$ zero's, followed by the ...