Latest Crypto related questions

Score: 7
whatf0xx
Why does RSASSA-PSS rely on full collision resistance whereas RSA-PSS only relies on target collision resistance?

This is sort of a reply to the top answer given to this question, which states that whereas RSA-PSS, defined in terms of $H(r \ || \ M)$, relies only on target collision resistance and is secure even if MD5 is used (or at least was at the time of writing that answer), RSASSA-PSS, defined in terms of $H(r \ || \ H(m))$, is totally broken, because it relies on full collision resistance, which has been bro ...

Score: 3
CuriousCrypto
Security of using a key size larger than the message digest size in HMAC, with one-time pads

I would like to know the security of using a key size that is larger than the message digest (output) of an HMAC in one-time-pad encryption. The one-time pads for the message and for the key of the HMAC are different; scenario:

  • A single message will be sent from A to B on insecure medium but is not known WHEN, in advance.
  • Both A and B agreed previously on the one-time pads (which are randomly generated) for the key  ...

Score: 3
sbluff
Hybrid Argument proof

I am trying to understand what the Hybrid Argument is in cryptography and why it is useful.

By the definition of the Hybrid Argument we know that if two distributions $D = D_1, D_2, ..., D_k = D'$ can be distinguished, then $\exists D_i, D_{i+1}$ that can be distinguished.

Let:

  1. $\alpha, \beta, \gamma \in \mathbf{N}$
  2. $0 < \alpha < \beta < \gamma$
  3. $g_1$ be a $(\alpha, \beta)$ ...

Score: 4
upavloff
Making sure of Quadratic Arithmetic Program validity

In the process of learning zk-SNARKs, I'm faced with this problem:

I understand why if the prover sends a polynomial $P$ that can be divided by $T$, the target polynomial, the prover knows a valid assignment. But I don't understand how the verifier makes sure that the prover actually sent a polynomial $P$ which matches the R1CS and not some polynomial multiplied by $T$ like: $P(x)=T(x)\times F(x)$

Score: 1
Sujan SM
How & where are the concepts of good basis and bad basis used in CRYSTALS-Kyber?

I've read the documentation of CRYSTALS-Kyber, but nowhere are good basis and bad basis mentioned.

Please explain how and where the good basis and bad basis are used in CRYSTALS-Kyber.

Score: 1
Rakmo
Why is predicting an error in CRYSTALS-Kyber considered hard?

Hi, I have started studying CRYSTALS-Kyber recently and gained some knowledge regarding its algorithm and how it works. My doubt is why it is tough for an attacker to extract the secret vector from pk itself by predicting the error vector, since from pk we know mat_A and t (B = As + e).

How can the attacker predict the error from the Gaussian distribution model? And how is the error randomly chosen from the region of high to ...

Score: 1
incisor_supervisor
Age: stream cipher with public key cryptography?

I have some rudimentary cryptography knowledge but am by no means an expert.

I generally understand stream ciphers, such as ChaCha20-Poly1305, to be symmetric. I am wondering how age (https://github.com/FiloSottile/age) uses public and private keys to encrypt data with ChaCha20-Poly1305. Is it similar to how in some protocols asymmetric encryption is used to establish a shared symmetric key, or is ...

Score: 2
constantine
Is there a CRHF based on the integer factorization problem or the RSA assumption?

We know that in the black-box sense, we cannot use one-way functions to construct Collision Resistant Hash Functions. It is my impression that I have never seen a CRHF based on the integer factorization problem or the RSA assumption.

Score: 3
iwatanab
Anonymized Spatial Conflict Assessment - Suggested Approaches?

Scenario:

  1. There are 3 people: PERSON1, PERSON2, and PERSON3
  2. PERSON1 and PERSON2 each have a 2-dimensional polygon on an x,y plane
  3. It is PERSON3's job to assess whether the polygons overlap
  4. However, PERSON1 and PERSON2 must encode their polygons in such a way that PERSON3 cannot identify the location of their polygons, nor is it possible for PERSON3 to decrypt the polygons.
  5. Despite this, PERSON3 mu ...

Score: 1
HarryFoster1812
Are lattice-based cryptography and error-correcting codes mathematically unsound?

From Ronald de Wolf's The potential impact of quantum computers on society:

The first is so-called post-quantum cryptography. This is classical cryptography, based on computational problems that are easy to compute in one direction but hard to compute in the other direction even by quantum computers. Factoring does not fit this bill because of Shor’s quantum algorithm, but there have been propos ...

Score: 2
timberus
I understand the authentication procedure, but are replay attacks possible in these scenarios?

Would a replay attack be possible in any of these scenarios? My understanding is that it is possible only in images 3 & 4.

[Images 1-5 not reproduced]

Score: 1
HarryFoster1812
Why can't we just increase the bit length to counteract Shor's algorithm?

I know that it sounds like a very stupid question, but if Shor's algorithm has a complexity of roughly $n^3$, why can't we just increase the bit size until the time for the algorithm to run is unfeasible on a quantum computer? Or would it just take too much memory and too much computation for RSA/ECC to be worth it?

Score: 2
sbluff
Goldreich-Levin Theorem

I am running into the Goldreich-Levin Theorem.

According to what I know a predicate $h: \{ 0,1 \}^* \to \{ 0,1 \} $ is a hardcore predicate for a function $f: \{ 0,1 \}^* \to \{ 0,1 \}^* $ if:

  1. $h$ is deterministic and efficiently computable
  2. It's hard to find $h(x)$ given $f(x)$ for any probabilistic time adversary

The Goldreich-Levin Theorem states that a hardcore predicate can be found given any OWF ...

Score: 2
sWong
Is it possible to reverse GHASH from GCM?

How can I create a "reverse" GHASH algorithm for GCM that allows me to compute an input value that generates a specific chosen output, given that I know the authentication key H? If this is possible, what is the process for achieving this?
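Added example, not part of the question above: GHASH written out over GF(2^128) with the multiplication algorithm from NIST SP 800-38D (Algorithm 1), and the "reverse" step the question asks for. GHASH is linear in every input block once H is known, so for a chosen output you solve one field equation: the last block must be target * H^-1 xor Y_(n-1). The known-answer values are test case 2 of the GCM specification; the chosen target is an arbitrary constructed value.

```python
# GHASH as used by GCM, written out over GF(2^128) (NIST SP 800-38D, Algorithm 1
# for the multiplication), plus the "reverse" step the question asks for: given
# H, pick the last input block so the GHASH output equals any chosen value.
# Added example; not code from the question.

R = 0xE1000000000000000000000000000000   # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
ONE = 1 << 127                            # the multiplicative identity in that bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128); bit 0 of a block is its leftmost bit."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(h: int) -> int:
    """h^(2^128 - 2) = h^-1, by Fermat in a field with 2^128 elements."""
    result, base, e = ONE, h, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def ghash(h: int, blocks: list) -> int:
    """Y_0 = 0, Y_i = (Y_{i-1} xor X_i) * H; returns Y_n."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def forge_last_block(h: int, prefix: list, target: int) -> int:
    """Return X such that ghash(h, prefix + [X]) == target.
    GHASH is linear in each block: Y_n = (Y_{n-1} xor X) * H, so X = target * H^-1 xor Y_{n-1}."""
    return gf_mul(target, gf_inv(h)) ^ ghash(h, prefix)


# Known-answer check: test case 2 of the GCM specification (one ciphertext block,
# no AAD, so the final length block encodes len(A) = 0 || len(C) = 128).
TEST_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
TEST_C = 0x0388DACE60B6A392F328C2B971B2FE78
TEST_LEN_BLOCK = 0x80
TEST_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def demo() -> bool:
    """True if the known answer matches and a forged final block hits a chosen target."""
    known_ok = ghash(TEST_H, [TEST_C, TEST_LEN_BLOCK]) == TEST_GHASH
    target = 0x0123456789ABCDEF0123456789ABCDEF      # arbitrary chosen output (constructed)
    x = forge_last_block(TEST_H, [TEST_C], target)
    return known_ok and ghash(TEST_H, [TEST_C, x]) == target


if __name__ == "__main__":
    print("GHASH known answer and forgery check:", demo())
```

The same linear algebra lets you fix any single block, not just the last one, since every block enters the result multiplied by a known power of H. This is exactly why H (and therefore the AES key, or a nonce reuse that leaks H) must never be exposed: with H in hand, matching any authentication tag is a field inversion and one XOR.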

Score: 2
Mario
Upper bound for the Gap Diffie-Hellman problem (in the generic group model)

Does an upper bound exist for the advantage of solving the Gap Diffie-Hellman problem (possibly expressed in terms of the order of the group, the number of queries to the oracle, time, etc.)?

Score: 4
user
Why did post-quantum key exchanges go extinct?

On July 5, 2022, NIST chose one KEM (Key Encapsulation Mechanism) as a PQC standard and four KEMs as fourth-round candidates. Why aren't there any key exchanges?

Similarly, KEMs are usually studied in the literature. Post-quantum key exchanges in the literature are very rare. Moreover, in those key exchanges, the message to be shared is generated by one party. I do not see any post-quantum key exchange ...

Score: 0
Sujan SM
How is MLWE used for key generation in Kyber?

I've been reading about CRYSTALS-Kyber, and I read that in the key generation process the public key pk is computed using the secret key s in such a way that the error e is added to the inner product of the random matrix A and the secret key s.

It is said that an attacker trying to crack secret key from public key needs to solve Module-LWE problem to do so, which is computationally hard.

My question is how  ...
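Added example serving both this question and the earlier one on why predicting the error is hard; it is not Kyber's code. It builds a public key t = A*s + e in Kyber's shape with a toy substitution: plain LWE over Z_q with an 8x8 integer matrix instead of Kyber's k x k matrix of polynomials in Z_q[x]/(x^256 + 1). Kyber's q = 3329 and the centered-binomial noise with eta = 2 (the key-generation noise of Kyber-768/1024) are kept. The point it makes: if the attacker knew e, then s = A^-1 (t - e) mod q is one linear solve; with any other plausible e the same solve returns a uniformly-looking vector that is not small, so the attacker is left searching the error space (or running lattice reduction).

```python
# Toy version of Kyber-style key generation t = A*s + e and of the "guess e"
# view of the attacker's problem. Added example with toy parameters: plain LWE
# over Z_q with an n x n integer matrix (n = 8) instead of Kyber's k x k matrix
# of polynomials in Z_q[x]/(x^256 + 1); Kyber's q = 3329 and eta = 2 are kept.
# Not Kyber's code.
import random

Q = 3329
ETA = 2


def cbd(rng: random.Random, eta: int = ETA) -> int:
    """Centered binomial sample in [-eta, eta]: (sum of eta bits) - (sum of eta bits)."""
    return sum(rng.getrandbits(1) for _ in range(eta)) - sum(rng.getrandbits(1) for _ in range(eta))


def solve_mod_q(A, b):
    """Gaussian elimination over Z_q (q prime): solve A x = b, or None if A is singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % Q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], Q - 2, Q)
        M[col] = [(v * inv) % Q for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(M[r][c] - f * M[col][c]) % Q for c in range(n + 1)]
    return [row[n] for row in M]


def keygen(rng, n):
    """Return pk = (A, t) and the secrets (s, e) with t = A s + e mod q."""
    while True:
        A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        if solve_mod_q(A, [0] * n) is not None:    # keep A invertible so the attack below is exact
            break
    s = [cbd(rng) for _ in range(n)]
    e = [cbd(rng) for _ in range(n)]
    t = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % Q for i in range(n)]
    return (A, t), s, e


def center(v):
    """Map a Z_q representative to the centered range (-q/2, q/2]."""
    return v - Q if v > Q // 2 else v


def recover_secret(A, t, e_guess):
    """With the right e, s = A^-1 (t - e) mod q falls out by linear algebra."""
    x = solve_mod_q(A, [(t[i] - e_guess[i]) % Q for i in range(len(t))])
    return None if x is None else [center(v) for v in x]


def is_small(v, bound=ETA):
    return v is not None and all(-bound <= c <= bound for c in v)


def demo(seed=1, n=8):
    """Returns (right guess recovers s, wrong guess looks small, size of the naive guess space)."""
    rng = random.Random(seed)
    (A, t), s, e = keygen(rng, n)
    wrong_e = e
    while wrong_e == e:                      # another perfectly plausible error vector
        wrong_e = [cbd(rng) for _ in range(n)]
    return (recover_secret(A, t, e) == s,
            is_small(recover_secret(A, t, wrong_e)),
            (2 * ETA + 1) ** n)
```

For the toy the naive guess space is 5^8 = 390625 error vectors, which is searchable; Kyber-768 has 768 coefficients, so the same count is 5^768 and the only realistic attacks are lattice reduction on the (A, t) lattice, whose cost is what the parameter sets are sized against.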

Score: -1
Murrchalkina
Can I use many iterations of the HMAC function instead of PBKDF2?

I know that PBKDF2 uses HMAC with a SHA-2 function as its PRF. But can I use many iterations of HMAC with SHA-2 directly? Is this effective and secure? P.S. I need the best function, but I can't use bcrypt, Argon2 or PBKDF2.
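Added example, not from the question: PBKDF2-HMAC-SHA256 written out as the HMAC calls it consists of, next to the bare "iterate HMAC" chain, with a check against the standard library. Seeing the two side by side shows that PBKDF2 is nothing more than iterated HMAC with two additions: the XOR accumulation of every intermediate U_i and the 4-byte block index appended to the salt (which is what makes outputs longer than one digest possible). Password and salt below are constructed inputs.

```python
# PBKDF2-HMAC-SHA256 written out as the HMAC calls it consists of, next to the
# plain "iterate HMAC" chain the question asks about, with a check against the
# standard library's implementation. Added example; hmac/hashlib are the only
# library code used.
import hashlib
import hmac

HLEN = 32   # SHA-256 output size


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """RFC 8018 PBKDF2 with PRF = HMAC-SHA256, computed block by block."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    out = b""
    for block_index in range(1, -(-dklen // HLEN) + 1):       # ceil(dklen / HLEN) blocks
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha256).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()   # U_i = PRF(P, U_{i-1})
            t = bytes(a ^ b for a, b in zip(t, u))               # T_j = U_1 xor ... xor U_c
        out += t
    return out[:dklen]


def naive_iterated_hmac(password: bytes, salt: bytes, iterations: int) -> bytes:
    """What 'many iterations of HMAC' usually means when hand-rolled: a bare chain
    with no XOR accumulation and no block index, so only one digest of output
    exists and nothing else (library, verifier, audit) computes the same thing."""
    u = salt
    for _ in range(iterations):
        u = hmac.new(password, u, hashlib.sha256).digest()
    return u


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen)
```

Neither construction is memory-hard; the iteration count is the only cost knob, and the XOR step in PBKDF2 is the designers' guard against the chain collapsing into a short cycle. If PBKDF2 itself is ruled out, the hand-written version above is still PBKDF2 in everything but name.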

Score: 1
frt132
In Zcash, how does a recipient look up which transactions belong to him/her?

For Monero, the scheme for stealth addresses is pretty straightforward. (For example: https://monero.stackexchange.com/questions/1500/what-is-a-stealth-address) However, I haven't found any details on how the same functionality is done in Zcash, can someone provide more information on this?

Score: 3
brethvoice
Does NordPass Make the Same Error SpiderOak Stopped Making in 2017?

According to a Reddit post I am participating in, SpiderOak “repented” of its incorrect usage of the term “zero knowledge” in 2017, as shown here:

https://medium.com/@SpiderOak/why-we-will-no-longer-use-the-phrase-zero-knowledge-to-describe-our-software-ddef2593a489

NordPass has yet to walk back its claim to a zero knowledge architecture:

https://nordpass.com/features/zero-knowledge-architecture/ ...

Score: 3
Emison Lu
Garbled circuit and secret sharing

Recently, I was reading the paper One Hot Garbling published at CCS 2021. I noticed a sentence in it:

In this work, we forgo the standard GC notation of garbled labels in favor of garbled sharings of cleartext values held by G and E. This will be convenient for handling vectors and matrices of bits.

I don't understand what garbled sharing is, or how to construct a 2PC protocol through garbled sharing. What I ...

Score: 3
STARKs for arbitrary computation

I have been reading Vitalik's series on STARKs recently (Part 1, 2 and 3). It is a nice and very understandable read for a layman like me.

Brutal summary of my current understanding

Vitalik outlines the following technique to prove the correctness of some arbitrary computation:

  • Encode the computation trace in the values of a polynomial P(x).

  • Define a constraint checking polynomial C(z) such that, if ...

Score: 2
Cisco Saeed
XZ coordinates for Montgomery curves

I am learning about elliptic curves and I reached the Montgomery curve with XZ coordinates, with this equation: $b y^2 = x^3 + a x^2 + x$, and the information from this link: XZ coordinates add and doubling

and I made this small code in MATLAB to understand the concepts:

% Define the elliptic curve parameters
a = 1;
b = 1;
p = 23;
% Define the base point
X1 = 8;
Y1 = 3;
Z1=1;
%Doubling
X3 = mod((X1^2-Z1^2)^2 ...
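Added example, not the asker's MATLAB code: the same toy curve (a = 1, b = 1, p = 23; the base point (8, 3) does lie on it, since 3^2 = 9 = 8^3 + 8^2 + 8 mod 23) with the XZ doubling and differential-addition formulas from the linked Explicit-Formulas Database entries (dbl-1987-m and dadd-1987-m) in Python, checked against ordinary affine arithmetic on (x, y). Two things to notice: Y1 never enters the XZ formulas, which is the whole point of that representation, and the curve coefficient b does not either; the Montgomery ladder at the end computes x(k*P) from x(P) alone.

```python
# Montgomery curve B*y^2 = x^3 + A*x^2 + x over GF(p), with the toy parameters
# from the question (A = 1, B = 1, p = 23, base point (8, 3)).
# Added example: XZ-coordinate doubling and differential addition (the
# formulas of the Explicit-Formulas Database, dbl-1987-m / dadd-1987-m),
# checked against ordinary affine arithmetic.
P_MOD, A, B = 23, 1, 1
BASE = (8, 3)                      # 3^2 = 9 = 8^3 + 8^2 + 8 (mod 23), so it is on the curve


def inv(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    x, y = pt
    return (B * y * y - (x ** 3 + A * x * x + x)) % P_MOD == 0


def affine_add(p1, p2):
    """Full (x, y) group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                              # P + (-P)
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * B * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (B * lam * lam - A - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def affine_mul(k, pt):
    r = None
    for _ in range(k):
        r = affine_add(r, pt)
    return r


def xz_double(X1, Z1):
    """dbl-1987-m: only X and Z are needed, and B never appears."""
    X3 = (X1 * X1 - Z1 * Z1) ** 2 % P_MOD
    Z3 = 4 * X1 * Z1 * (X1 * X1 + A * X1 * Z1 + Z1 * Z1) % P_MOD
    return X3, Z3


def xz_dadd(X2, Z2, X3, Z3, x_diff):
    """dadd-1987-m: P + Q from P = (X2:Z2), Q = (X3:Z3) and x(P - Q) = x_diff (with Z = 1)."""
    u = (X2 - Z2) * (X3 + Z3)
    v = (X2 + Z2) * (X3 - Z3)
    return (u + v) ** 2 % P_MOD, x_diff * (u - v) ** 2 % P_MOD


def ladder(k, x):
    """Montgomery ladder: (X:Z) of k*P from x(P) alone, k >= 1."""
    r0, r1 = (x, 1), xz_double(x, 1)                  # invariant: r1 - r0 = P
    for bit in bin(k)[3:]:
        if bit == "0":
            r1, r0 = xz_dadd(*r0, *r1, x), xz_double(*r0)
        else:
            r0, r1 = xz_dadd(*r0, *r1, x), xz_double(*r1)
    return r0


def xz_to_x(X, Z):
    """Back to affine x; Z = 0 is the point at infinity."""
    return None if Z % P_MOD == 0 else X * inv(Z) % P_MOD


def ladder_matches_affine(k):
    pt = affine_mul(k, BASE)
    return xz_to_x(*ladder(k, BASE[0])) == (None if pt is None else pt[0])


if __name__ == "__main__":
    print("2P in XZ:", xz_double(8, 1), "-> x =", xz_to_x(*xz_double(8, 1)))
    print("2P affine:", affine_mul(2, BASE))
    print("ladder agrees with affine for k = 1..19:", all(ladder_matches_affine(k) for k in range(1, 20)))
```

On this curve the base point has order 8 (4P = (0, 0) is the 2-torsion point), so the loop over k also exercises the Z = 0 case at k = 8 and k = 16; the ladder keeps working through it because the invariant r1 - r0 = P is preserved by the formulas.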

Score: 2
Paritosh007
Why is the joint distribution of simulation output and functionality output required?

I was going through this simulation tutorial.

For example, let x and y be lists of data elements, and let f be a functionality that outputs an independent random sample of x ∪ y of some predetermined size to each party. Now, consider a protocol that securely outputs the same random sample to both parties (and where each party’s view can be simulated). Clearly, this protocol should not be secure. In  ...

Score: 2
BillyJoe
Application firmware sign-then-encrypt vs encrypt-then-sign

I know that there are previous questions on the subject e.g. here, however I would like to ask it for my particular (simple) case.

I have an application firmware that is downloaded to a microprocessor through a bootloader firmware that is taking care of decryption and signature verification.

The signature is implemented through RSA. The bootloader has only one public key to authenticate the application  ...

Score: 0
Rory
What is this parameter in Lyubashevsky's ID scheme?

I am studying Lyubashevsky's ID scheme from the article Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures (https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf) by Vadim Lyubashevsky.

I am trying to work through the soundness and completeness of the ID scheme through the four steps offered in section 3.1. In step 1 it is claimed that the completeness (probability t ...

Score: 3
Shweta Aggrawal
What is the difference between Ring Signature and Multi User Designated Verifier Signature?

I was going through some text related to designated verifier signatures (DVS). I came to know that a DVS can be thought of as a two-party ring signature. Can we extend this concept and say that a ring signature is nothing but a multi-user DVS?

Score: 1
Joseph Johnston
Public seed expansion for uniform reference strings

Many cryptographic protocols are parameterized by a uniformly random reference string (e.g. the commitment key for Pedersen commitments). Our goal is to publicly generate the random values of this string (in a finite field), and to do so using the simplest and fastest seed-expansion process (measured, I suppose, in 'bytes per cycle').

In this scenario, we may have a set of public and random seeds,  ...
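Added example, not from the question: the simplest expansion that is actually uniform, an extendable-output function (SHAKE-256) read in fixed-width chunks with rejection sampling. The field order used is assumed for illustration (the BLS12-381 scalar-field modulus, chosen because roughly half of all 255-bit strings exceed it, so the rejection step does visible work); the domain tag and seeds are constructed.

```python
# Expanding a public seed into uniformly random field elements with SHAKE-256
# and rejection sampling. Added example; the field order used is the BLS12-381
# scalar-field modulus, picked only because about half of all 255-bit strings
# exceed it, which makes the rejection step do visible work.
import hashlib

R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001
BITS = R.bit_length()          # 255
NBYTES = (BITS + 7) // 8       # 32 bytes per candidate
MASK = (1 << BITS) - 1


def expand_seed(seed: bytes, count: int, domain: bytes = b"crs-example-v1"):
    """Return (`count` uniform elements of Z_R, number of rejected candidates).

    Candidates are consecutive NBYTES-byte chunks of SHAKE-256(domain || seed),
    masked to BITS bits; a candidate >= R is discarded. Every accepted value is
    then exactly uniform on [0, R), unlike reducing a fixed-width integer mod R.
    """
    xof = hashlib.shake_256(domain + seed)
    out, rejected, consumed = [], 0, 0
    while len(out) < count:
        # SHAKE output is prefix-consistent, so asking for a longer digest just
        # extends the same stream; over-request so that few rounds are needed.
        total = consumed + NBYTES * (2 * (count - len(out)) + 4)
        stream = xof.digest(total)
        while consumed < total and len(out) < count:
            v = int.from_bytes(stream[consumed:consumed + NBYTES], "big") & MASK
            consumed += NBYTES
            if v < R:
                out.append(v)
            else:
                rejected += 1
    return out, rejected


if __name__ == "__main__":
    elements, rejected = expand_seed(b"constructed public seed", 8)
    print("rejected candidates:", rejected)
    for e in elements:
        print(hex(e))
```

Two properties matter for a reference string: anyone can recompute it from the seed and the domain tag, and no element is biased. Reducing a 32-byte integer mod R would bias the low residues (here each residue below 2^256 mod R is hit one extra time); the alternative to rejection is to oversample, which is what RFC 9380's hash_to_field does by reducing a string about 128 bits longer than the modulus. If many elements are needed, the element index can be hashed into the domain tag so that the string can be generated in parallel or verified piecewise.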

Score: 1
kyr0
Is my TypeScript scrypt implementation using Web Crypto API safe and correct? (Open Source)

I want to use TweetNaCl.js for encrypting user data that is stored in LocalStorage. Therefore, I want to prompt the user to provide a PIN/password that shall be used to derive a key that is then used as a secret key for TweetNaCl's secretbox.

Looking for a modern scrypt implementation in JavaScript, I couldn't find any implementation that is actively maintained / worked on in the past 4 years and that d ...

Score: 0
nsayer
EC: Can you derive Y from X for a public key?

I'm reading through the EDHOC draft spec and they talk about passing just the X portion of the (ephemeral) public key across in message 1. I've only ever heard of EC public keys (in this case the curve is P-256, if it matters) having both an X and a Y. The implication is, I guess, that you can derive the Y from the X? Is this true? If so, how?
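Added example, not from the question or the EDHOC draft: recovering y from x on P-256 (point decompression). The curve equation y^2 = x^3 - 3x + b fixes y up to sign, and because the P-256 prime is 3 mod 4 the square root is a single modular exponentiation; the only extra bit needed is the parity of y, which is what the 0x02/0x03 prefix of a SEC1 compressed point carries. For ECDH the shared secret depends only on the x-coordinate, and x(k*(-Q)) = x(k*Q), so when only x is transmitted either root can be used and the result is the same. The curve constants are the standard NIST P-256 values; the generator is used as the test input.

```python
# Recovering y from x on P-256. Added example; the constants are the standard
# NIST P-256 values and the generator is used as test input.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x: int, y: int) -> bool:
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0


def decompress(x: int, y_is_odd: bool):
    """Return the y with the requested parity such that (x, y) is on P-256, or
    None if x is not the x-coordinate of any point (about half of all x are not)."""
    if not 0 <= x < P:
        return None
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)            # square root, valid because P % 4 == 3
    if (y * y) % P != rhs:
        return None                           # rhs is a non-residue: no such point
    if (y & 1) != (1 if y_is_odd else 0):
        if y == 0:
            return None                       # y = 0 has no odd twin (cannot occur on P-256)
        y = P - y                             # the other root; P is odd so the parity flips
    return y


def parse_sec1_compressed(data: bytes):
    """SEC1 compressed point: prefix 0x02 (y even) or 0x03 (y odd) plus 32-byte big-endian x."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(data[1:], "big")
    y = decompress(x, data[0] == 3)
    if y is None:
        raise ValueError("x is not on the curve")
    return x, y


if __name__ == "__main__":
    y = decompress(GX, True)
    print("recovered generator y:", y == GY, "other root:", decompress(GX, False) == P - GY)
```

The validation step that matters in practice is the `y * y == rhs` check: a peer who sends an x that is not on the curve must be rejected rather than silently mapped to some point, since a point off the curve is the classic invalid-curve attack input.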
