Suppose I have a set $S$ containing $n$ bit strings, where $n$ is on the order of about 10. Consider

$$\mathfrak{S} = \{ R : R \subseteq S, |R| \geq 2 \},$$

the collection of subsets of $S$ with two or more elements.

Does there exist a hashing function which outputs the same hash for any member of $\mathfrak{S}$?

A potential relaxation in which we order the elements of the subsets in $\mathfrak{S}$

In Privacy-preserving machine learning, GC is usually used for privacy operation such as ReLU(x) where sign(x) needs to know. However, binary secret sharing also supports such computation via comparators($[x]_{encryted}$ > 0)(this paper). While compare the performance, binary secret sharing is usually way faster than garbled circuit. But why is garbled circuit still used in many related works, for

For example, if you have say, 3 distinct paragraphs of clear text a, b, c and you only know hash(a), hash(b) and hash(c), and then you have a clear text d, which claims to be the concatenation of a, b, and c, is there any way to use hash(a, b, c) to demonstrate that d either is or isn't a+b+c?

Not beng a math person, I'm guessing there is a brute force way, depending on the length of a, b, and c  ...

I am familiar with any algorithm that is based on the number of bits in a key (n-bit) and how to restore a key, such as the Discrete Logarithm Problem or Factorization.  When I use any algorithm for encrypting and decrypting images, such as RSA, how can I estimate this algorithm's security and work efficiently with image encryption.

Despite working with AES-GCM and other AEAD algos for a few years, I've struggled with the concept of 'authenticated' in the term 'AEAD'. In my own experience (of Unix, PKI and blockchain) authentication means being able to attribute actions towards a particular entity (eg, a user account). In the simplest case, say authentication on a Linux box, logging in would use the pam_unix Pluggable Authentica ...

I'm trying to understand the security proof of Shamir's Secret Sharing method, as I want to adapt the polynomial creation a bit, and I've found the proofs I had available to be surprisingly vague or holey.

Some nomenclature

Given a secret $S$ in the finite field $\mathbb{F}_p$ for a $(k,n)$ threshold scheme the Shamir's Secret Sharing method generates coefficients

$a_1, \dots, a_{k-1}$ randomly a ...

Context

I am trying to build a simple protocol for key derivation. I want to use SHA-3 family hash functions, which (as far as I understand) should not be combined with HMAC because their security properties make HMAC redundant. Thus, HKDF — which uses HMAC — would also be unsuitable for key derivation using SHA-3 family hash functions.

Proposed Protocol

Suppose that Alice and Bob derive a sha ...

The $(t,n)$ Shamir’s polynomial based secret sharing scheme is $(+,+)$-homomorphic in which the addition of two polynomials secrets equals the Lagrange’s interpolation of the sum-of-shares for the same subset of shares.

My question is: Does the two polynomials need to have the same degree to satisfy the SSS $(+,+)$-homomorphic property? Specifically, suppose that polynomial $P_1$ defines secret

Basically, I need to find the probability that DES(p, k1) = DES(p, k2) = c

My guess is that probability = 1 / 2^64 since that's the total number of possible outputs, but honestly I have no clue about crypto. Thanks in advance for any help!

I'm new to cryptography and having a hard time understanding PRGs and PRFs.

Question: $G'(x)$ and $G''(x)$ are two different secure pseudorandom generators, and $G(x)=G'(x) \mathbin\Vert G''(x)$.

Is $G(x)$ still a secure

I thought $G(x)$ is secure at first, since $G'(x)$ and $G''(x)$ are secure, their outputs are uniform.

But I think it's not supposed to be correct later, since concatenation of them doe ...

I have short (8-byte) messages which are effectively true random numbers, and I want to encrypt these messages with a (pre-shared) key....

I'm using AES-CTR for this purpose -- but with the SAME IV each time (which is seemingly contrary to best practice).... but since EVERY message that I'll encrypt with this key is unique, do I really have a security issue?

I was taking a look at the PRESENT lightweight cipher presented here. You can see an implementation of it in Python here. It is basically a Substitution-Permutation (SP) cipher with ultra-lightweight encryption and lightweight decryption.

The algorithm for encryption is the following :

generateRoundKeys()
for i = 1 to 31 do
    addRoundKey(state, k_i)
    sBoxLayer(state)
    pLayer(state)
end for
addRo ...

I'm a bit confused regarding the bilinear pairing operation. Let's say I have a Public key of a receiver $P_r = P^x$ and I want to create a symmetric key using KEM with a pairing operation. If I chose $R = rP$ and compute $V = (Pr, P)^r $which results into $V = (P^x, P)^r = (P^x, rP) = (P^x, R)$. Here, I am confused about how can I solve $(P^x)$?

So, basically, my question is If $e(aP, bP) = e(P,  ...

The Argon2 specs claim that Argon2 can be used both for password hashing and key derivation.

I want to generate from a single password both a hash for authentication and a secret key to use for encryption. (It would be nice if this could be generalized to any (reasonable) number of hashes and keys.)

From the specs, it is not clear to me why Argon2 can be used for key derivation; nor what related secur ...

ECDSA works by computing the hash of a message and then computing the signature for it. ECDSA uses the signature:

$$s = k^{-1}(h + rp_{pr})\,\textrm{mod } n,$$

where $n$ is the order of the group, $k$ is a randomly sampled nonce, $r$ is the projection onto the $x$ axis of $kg$, where $g$ is a group generator.

If you are only provided $r,s$, then I don't see any obvious way this would leak any bits of

Does anyone happen to have a link to a way to implement FFS without a trusted center? I'm positive that a modified version forgoes the trusted center (at the expense of efficiency), but am turning up nothing in my search for the paper(s) discussing this version.

I have two private-key encryption ($Π$ and $Θ$) and their concatenation $Π\#Θ$. For example:
$$ Enc_{Π\#Θ}( \ ⟨k_Π, k_Θ⟩, \ ⟨m_Π, m_Θ⟩ \ ) = ⟨ \ Enc_Π(k_Π, m_Π),\ Enc_Θ(k_Θ, m_Θ) \ ⟩; $$ (Same for Gen and Dec)

I need to prove that if $Π\#Θ$ is secure against passive adversaries, then both $Π$ and $Θ$ are.

Actually I have proceeded by reduction, so I can prove that: ...

In modern cryptography, IND-CPA is the lowest security we want. We want at least IND-CCAx security from encryption mode. Their relation can be found in

• 2007 Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm, Mihir Bellare & Chanathip Namprempre

All classical block cipher modes of operations (CTR,CBC,OFB,CFB,PCBC), as stated confidentiality only mo ...

I'm wondered about what arithmetic operations are supported from FHE.

I want to know for 2nd Gen(BGV,BFV), 3rd GEN(GSW,CGGI), 4th GEN(CKKS)!

• Is 3rd can support more than and/or/not? I heard it is for a bit.

Thanks

Imagine a scenario whereby Alice and Bob have a symmetrical messaging system for talking with each other. It's effectively two polystyrene cups joined by a piece of string. Crucially, there is no central server, and nobody logs into nothing. They do though both have the same messaging application. Also imagine that their architecture transmits an IV, cipher text and HMAC as three separate parts of an En ...

I have two linkable ring signatures, each signed with the same key pair. Therefore, the signer's public key will appear in each of the rings. However, the set of other public keys appearing in each ring are different.

Is it possible to tell that the same person signed both rings, or can this only be known if each ring contains exactly the same public keys?

Let we have $G_1 \times G_2 \to G_t$

let $g_1 \gets G_1, \\g_{2.1} \gets G_2, \\g_{2.2} \gets G_2$

$$e(g_1^a,g_{2.1}^b) = e(g_1, g_{2.1})^{ab}$$

$$e(g_1^a,g_{2.2}^b) = e(g_1, g_{2.2})^{ab}$$

Is it working?

I was wondering out of the functions (MD5, SHA-1, SHA-256, and SHA-512), do all provide 128-bit pre-image resistance and 128-bit second-image resistance?

Also, out of these hash functions, do only SHA-256 and SHA-512 provide 128-bit collision resistance? (Due to $l/2$ bits of security)

I'm working in a context where it is cheaper to calculate pow(a,b) via modular exponentiation (modexp(a,b,m)) than to do exponentiation directly. For this I need the minimum modulus value such that the function returns only the exponentiation part of the function call.

Is there an efficient algorithm that exists to calculate the bit-length / highest bit set of a^b, where we just know these values  ...

I noticed that when using AES-256-CBC with a 128-bit IV, the ciphertext is always at least 16 bytes long (size of IV).

I also noticed that when using AES-256-GCM with a 96-bit IV, the ciphertext size can be smaller than the IV.

Normal? Why?

A lot of writeups, books & webpages say that to get 112 bit security (i.e $2^{112}$ steps), you need to use RSA or DH with 2048 key size or ECDH with 224 key size. In reality, I think what is meant in most of these cases is modulus size or group size rather than key size, but for some reason it's always referred to as key size?

I think the modulus size requirements are thus for 112 bit security ...

I want to encrypt a private key $sk$ (it's actually an RSA private key in PKCS#8 format) with another person's (and/or my) public key $pk_A$ for secure storage. With JWE, it is possible to use hybrid encryption: we generate a random symmetric key $k$ to encrypt $sk$ and then encrypt $k$ with $pk_A$.

I would use AESGCM+RSAOAEP, though I've read that AESGCM should not be used for Key-Wrapping... but th ...

Suppose the highest level is $L$. There are 2 ciphertexts from 2 different messages under the same secret key but in different level, one is in level $\ell$: $\mathsf{ct}(\pmb{m})\in\mathcal{R}_{Q_{\ell}}^{2}$, one is in level $k$: $\mathsf{ct'}(\pmb{m}')\in\mathcal{R}_{Q_{k}}^{2}$, and $k<l-1$.

We want to calculate homomorphic multiplication of $\mathsf{ct}$ and $\mathsf{ct'}$. Should we move

I am wondering does AES-GCM which uses Authenticated Encryption provide us with all 3 properties (Authenticity, Confidentiality, and Integrity), or does it not provide integrity?

I'm curious to hear of algorithms that use this new standard (there is a new IRTF CFRG Draft for it, for instance). It's useful for verifiably deterministic signatures on elliptic curves, but what else?