Latest Crypto related questions

The final SP800-186 outlines mappings between Twisted Edwards and Montgomery curves, and between Montgomery and Weierstrass curves.

These mappings are defined in Appendix B. Relationships Between Curve Models.

There are two types of mappings outlined:

1. Standard maps between curves on these different models (both in B.1 and B.2), and
2. Specific maps between Edwards25519 and Curve25519 (and E448 and Curve44 ...

I keep hearing CBC with fixed IV mode is bad because it has similar issues to the codebook breakdown of ECB mode. However, people seem quite willing to recommend AES-GCM-SIV for deterministic encryption. Why is GCM-SIV superior to claim CBC with fixed IV?

So there’s LadderLeak.

RFC6979 produces uniformly random nonce $k$.

There are other techniques, such as hash-to-curve standard (draft-irtf-cfrg-hash-to-curve-16 section 5), which allows to produce uniformly random scalars. They mention it’s OK to use 128 additional bits of entropy, e.g 48-byte hash to produce 32-byte private key, when targeting 128-bit security level. The bias is still there b ...

Recently, I began researching fully homomorphic encryption. I'm reading the "Efficient Fully Homomorphic Encryption from (Standard) LWE" paper by Brakerski and Vaikuntanathan and came across this piece where they are multiplying two symbolic functions together where the function is defined as:

$$ f_{a,b}(x) = b-\langle a,x\rangle \mod q = b - \sum_{i=1}^{n}a[i]x[i] $$ and the multiplication: $$ f_{a, ...

I'm learning about the padding oracle and had a question about a modified padding oracle. Essentially the only difference is the length of the original message is prepended to the message as a 4 byte string. It is then padded and encrypted as normal. How would the approach to this scheme be different from the standard padding oracle attack?

When is it generally acceptable, if ever, to generate RSA keys without encrypting the PEM output with another encryption algorithm?

I am working on a CI/CD process and want to leverage asymmetric encryption, but not entirely sure whether or not it is safe to generate the RSA keys without encrypting the output. At the moment I am generating the private key and extracting the public key using the f ...

Please detail secp256k1 and its role in a public key cryptography. Please explain can we use it into a post-quantum cryptography and how can we do it?

Is PoA persistent against quantum attacks? If not, How can we make it post quantum?

I mean the PoA used with blockchains that delivers comparatively fast transactions through a consensus mechanism based on identity as a stake. In a PoA based blockchain network, machines earn the right to generate new blocks by passing a strict vetting process, which is discussed in detail in the next section. As  ...

Let's suppose that there is a filter generator which based on $n$-size LFSR.

Denote a feedback polynomial as $g(x_1, x_2, \dots, x_n)$ and nonlinear filter function as $f(x_1, x_2, \dots, x_n)$.

Let $a = a_1, a_2, \dots, a_k$ be filter generator output sequence.

Attacker knows $f$ and $a$.

1. What are boundaries for $k$ to recover $g(x_1, x_2, \dots, x_n)$?
2. How to recover $g(x_1, x_2, \dots, x_n)$?

I am looking for a scheme for dynamic threshold public-key encryption, which includes dynamic distributed key generation. Namely, the number of parties that participate in DKG is bounded, but unknown. The list of public keys of each party is known, but we don’t know who will participate and who won't. So the number can be in the range $1,\dots,N$ (where $N$ is the total number of parties).

We want the  ...

I have been trying to understand the method of recovering the MSD of the nonce proposed by Fan et al. (section 4.2), in their attack targeting wNAF implementation for scalar multiplication in the OpenSSL implementation of ECDSA. They assume that the value of $L_0$ is known. I can see that using Flush+Reload, one obtains $L_{AD}$ - but (why) does this also hold for $L_{0}$?

I have a problem in combining encryption with a host software tool based on LibTomCrypt sources, then decryption with the hardware BEE (Bus Encryption Engine) of an i.MX RT1062 NXP processor. I am using AES 128 CTR with KEY = 0xdc5301d107837268e68ffc887df29528, IV (nonce) = 0x73793afe52944a1b61fae8bcaa6d3cf9, and for comparison purposes, trying to decode a sequence of 0xff. I have tried also with

In "Memory Leakage-Resilient Encryption based on Physically Unclonable Functions" (ASIACRYPT2009), the authors use a construction based on a PUF and a Fuzzy Extractor and argue that this yields a Memory-leakage resilient encryption.

The definition of a Fuzzy Extractor is the following:

A $\left(m,n,\delta,\mu_{FE},\epsilon_{FE}\right)$-fuzzy extractor $\mathsf{E}$ is a pair of randomized procedures, "ge ...

Grover, a quantum algorithm, weakens AES and ChaCha20. Is it possible to use multiple symmetric keys to encrypt a message multiple times to achieve 256-bit security for quantum computers?

I currently have a DER-encoded X.509 ECC SECP256K1 public key, also known as SubjectPublicKeyInfo (SPKI) from AWS KMS. How do I convert it to a 66 hexadecimal compressed public key string?

I'm troubled by a system of equations presented in the paper "Provably Secure Partially Blind Signatures" Masayuki ABE and Tatsuaki OKAMOTO.

In lemma 1 the authors define $t_2=w_j-c_i$ however $c_i$ following the signature protocol creates a feed back loop as $t_2$ is defined and used as input in a secure hash function.

Why is it true that the equations always have a solution?

Hi I am trying to calculate the abs or a float number $x$, however, I want to apply this operation when $x$ is under fully homomorphic encryption (typically CKKS Scheme). So I come up with the idea that if we can use only addition and multiplication (some constant value like $2^k$ could be involved) to get abs, then we can just encrypt the whole operation and thus get an abs for encrypted data.

Note ...

I'm trying to understand the definition of a partially blind scheme that is described with Game A presented in

Abe and Okamoto paper

1. In line 5 is $msg_0$ correct or should it be replaced by $(info_0,msg_b,sig_b)$? similarly for $U_1$. I'm confused since if $msg_0$ is always on the private tape of $U_0$ then S can always guess b correctly by checking if $sig_b$ verifies $msg_0$.

I'm missing the p ...

Assuming there is a lattice basis $B=\{b_1,...,b_n\}$, we use $B^*=\{b_1^*,...,b_n^*\}$ to denote the Gram-Schmidt orthogonal basis, where $b_i^*=\pi_i(b_i)$ and $\pi_i(b_i)$ denotes the projection of $b_i$ on the orthogonal complement of the space $span(b_1,...,b_{i-1})$. We use $\|b_i^*\|$ to denote the Euclidean norm of $b_i^*$. I want to know how $\min_{1\leq i \leq n}{\|b_i^*\|}$ changes after  ...

I read in an introduction to a paper that if $e$ is small enough and we were given secret key $d$ in RSA, then there is an efficient deterministic algorithm to factorize $n$. I've searched about that and I've found the probabilistic one: Algorithm to factorize $N$ given $N$, $e$, $d$

I guess, the fact that $e$ is small must play some role here. But I was able to come up with something. Do you kno ...

What's the difference between UOWHF and CRHF and why are UOWHF useful?

As far as I understand, Universal One-Way Hash Functions are an alternative to CRHF. While for CRHF it is hard, given randomly chosen hash function parameters, to find any collision of the hash function; for UOWHF it's hard to find a collision where one preimage is chosen independently of the hash function parameters.

How does th ...

I hope this is not offtopic.

Since NIST has rather recently announced the winners of its PQC competition I was wondering how significant this development is. Does that mean that CRYSTALS-Kyber will become the new standard for general encryption?

Im creating a super increasing knapsack encryption scheme. Im supposed to ask the user to key in the size of the super-increasing knapsack. My question is - is there a minimum number of elements that the user need to key in?

Based on my research, because ASCII is using 7bit encoding, I need to have at least 8 elements. I would like to understand why this is? or is it correct at all?

Thank you.

I am learning about various digital signatures and came across DSA. In DSA, the $s$ part of the signature has a hash of the message $H(m)$. I was wondering, why can't we just use the message $m$ instead of using the hash? I understand that performance might be a part of it since the hash will ensure a certain fixed length. But any other security issues?

I'm working on a protocol that uses zero-knowledge proofs. I'm looking at systems of polynomial equations as cheap solutions for checksumming data. Note, I'm not looking for trapdoor functionality here; I don't care if an adversary can determine the pre-image from the output.

In a zk proof I can compute $m$ multivariate quadratic equations (in $\mathbb{F}_p$ where $p \approx 2^{254}$) with $n$ variable ...

Related to this question. I'm trying to find a way to use this fingerprint system without a second pre-image attack.

Assume I have a set of elements $V = [v_0, v_1, v_2]$ in $\mathbb{F}_p$. Assume the elements of $V$ are randomly distributed over the field.

I have two random values in the field, $R_0$ and $R_1$, both non-zero.

I consider the fingerprint to be two points in the field defined by:

$P_0(V)  ...

For example, Threefish has a key length of 1024 and a very long number of rounds (80). but, I have not heard much about Threefish-1024 being particularly secure, so what symmetric key ciphers are there that are secure not because of their large number of rounds or long key length, but because of their intrinsic cryptographic operations? And why is that symmetric key cipher secure?

translator user ...

I am very interested in encryption algorithms, especially AES encryption algorithm in symmetric encryption. To this end, I have studied a lot of theoretical knowledge about AES encryption algorithm and the code samples I can obtain.

I wrote a 512-bit encryption algorithm after referring to AES-CBC-256 mode in detail.

I named this mode SZQ-CBC-512, but the output result is almost the same as that of  ...

I have seen multiple sources claim that the Merkle-Damgård transform is able to build a collision-resistant Hash-function $H$ for arbitrary-length inputs from a compression function $h : \{0,1\}^n \to \{0,1\}^\ell$ (with constant-length inputs). See, e.g., [1].

However, the construction relies on suitably padding the input $x$ to $H$ in order to:

• Ensure that the length of the string $x_{\text{pad}}$

I am looking for some cryptographic algorithms suit to the below usage scenario.

$A$ has a set of data, e.g., $\{x_1,x_2,...,x_n\}$. $A$ publish those data in ciphertext (maybe that they are encrypted by different public key, I do not know).

Then participants $\{P_1,P_2,...,P_m\}$ come to pick the data belonging to them from ciphertext list, but without decrypting all the encrypted data. "belonging to the ...