Latest Crypto related questions

I am right now studying Pseudo Random Functions. I have a couple of constructions made of a safe PRF F:{0,1}^l x {0,1}^l -> {0,1}^l. I am unsure of wether these are safe ( in terms pseudorandomness ) or not. I will try and reason. Correct me if I am wrong.

1.) F1 = F(k,x)||k

F1 is not safe, since the concatenation of k will always happen. Since the k is fix it should be the same for two different ...

I'm reading Rivest et al.'s "How to leak a secret", but I'm having a hard time understanding step 4 of the generation procedure. This could be because of my own lack of knowledge regarding operations on ring but the following:

makes very little sense to me. How am I supposed to solve this equation? I've tried looking for examples and I stumbled upon this other question, but sadly this only ended ...

Is there any study that has looked into what is the minimum number of ciphertext characters one needs to have to do a reliable frequency analysis? It would be nice to know the evolution of the accuracy of the analysis as the number of characters considered increases, but I haven't found any well done study.

In Regev's publication "The Learning with Errors Problem", a naive algorithm is given on page 3 that can be used to tackle the LWE problem. This is the statement:

Another, even more naive algorithm is the following: keep asking for LWE samples until seeing $poly(n)$ equations of the form $s_1 \approx . . . $ (i.e., a pair $(\mathbf{a}, b)$ where $\mathbf{a} = (1, 0, . . . , 0))$, at which point we can rec ...

Problem

Suppose there is an entity with some users. The users are split into subsets (determined by the entity) and the entity needs to create public commitments to these subsets such that only a user can determine which set they are in. The sets need to be some minimum size, $m$.

More formally

Let $U$ be a set of user IDs--we want some flexibility here so the definition is left loose for now. On ...

In https://crypto.stackexchange.com/a/27828/79037, it's indicated that one can "save space" by using something globally-unique, like an application-wide "pepper", together with something locally-unique (e.g, a user-id field, unique per-user). In other words, by simply "deriving" a salt (from some other fields/values/etc already there), instead of having to explicitly store a completely random full G ...

I'm following the discussion in the question about RSA and what if we set $p<q$.

So, what if we mistakenly let $p<q$ and proceed with the private keys creations; that is, we pick up $p, q, e$ and derive from them: $dP,dQ, qInv$ (I'm using the CRT key structure in PKCS#1).

So, by trying to create those private-key elements, and forcing $p<q$, I see that they differ from those created when

In these two papers the authors mention the "quality" of a trapdoor

• [GPV] https://eprint.iacr.org/2007/432
• [MP] https://eprint.iacr.org/2011/501

But the best detail on this matter I could find was "The quality of a trapdoor S roughly corresponds to the Euclidean lengths of its vectors — shorter is better."

I wonder where could I find a more formal treatment on this matter. Thanks!

In the realm of secure Multi-Party Computation (MPC) schemes, there exist two fundamental concepts known as the covert adversary model and security with abort. From what I understand, both of these concepts involve situations where if a corrupted party engages in dishonest behavior, the honest parties have a reasonable chance of detecting this misconduct. However, I am having difficulty grasping the pre ...

I'm reading through a paper called Unconditionally Secure Signatures (https://eprint.iacr.org/2016/739) and to generate keys, the authors select $\epsilon-ASU_2$ functions, such that:

1. For any $m \in M, t \in T, \vert \lbrace f \in F : f(m)=t \rbrace \vert = \vert F \vert / \vert T \vert$
2. For any $m_1, m_2 \in M, t_1, t_2 \in T$, such that $m_1 \neq m_2, \vert \lbrace f \in F : f(m_1) = t_1 \land ...

In Rabin-Miller primality test, let N be the number you're checking for primality. Here N = 78007. Let m be the number you get after dividing (N - 1) by 2 several times until you can no longer do so. In this case, m = 39003.

The next step is to pick an A, here we pick A = 3. Now we calculate b₀ = A^m mod N. Now, if that A's b₀ turned out to be (N-1) or 1, then the algorithm says "N is probably pri ...

What would be recommended way to make deterministic password based file encryption?

I can use SIV mode, but KDF (like Argon) takes salt for which I could use SIV tag, but I cannot make it because I need key first.

I could use hash of file contents as salt, but that would make it 3-pass. If I would use some other single pass authenticated mode with IV generated with KDF, it would be 2-pass. Is there  ...

In a cryptocurrency with privacy e.g., zcash, where does proof generation take place? Can it happen in the client's device every time a transaction is performed?

If it happens in client's device, are there possibilities of malware compromising the privacy?

Given y = g ^ x is discrete log hard on some finite field, is y = g ^ (kx) also equally secure if the value k is a publicly known value which was randomly selected from a uniform distribution ?

To my understanding, if k and x are independent and chosen randomly, then the security of the discrete logarithm problem is not significantly affected as an attacker still needs to compute the discrete loga ...

Andreas Antonopoulos effectively states: an input of 256bits of entropy into PBKDF2-HMAC-SHA512 will ONLY output a 64 byte hash containing ~128 bits of entropy. He states the algorithm essentially ignores the extra entropy going in, and it is "wasted" entropy.

IS THIS TRUE? Can anyone explain why?

Source: (starts at 14:10 mark and goes for a few minutes)

https://www.youtube.com/live/U0T49duRt74?feature=sh ...

The prover has $n$ group elements $g_1, ..., g_n$ and wishes to demonstrate the knowledge of the discrete logarithm to base $g$ for each of them, i.e, for each $i \in [1,n]$ she knows some $e_i$ s.t. $g_i = g^{e_i}$. We know that by applying Fiat-Shamir to the Schnorr's protocol, we can get $n$ non-interactive proofs in the form of $(R_i, c_i, s_i)$ where $c_i$ is the hash of $(g_i, R_i)$.

The qu ...

According to a Lecture from Lecture notes of a Professor of Purdue University "Diffusion means that a change in any plaintext bit must propagate out to as many ciphertext bits as possible." I can't clearly understand how S-box introduces this diffusion in DES. Can anyone explain with an example? Is it because a change in a single input bit of S box will result in a different number being chosen as out ...

I create this question from here. I am working on a project with C# backend and mobile apps using Java and Swift. I found this documentation to use RSACryptoServiceProvider.SignData method to sign using private key. But I don't have idea on how to verify and decrypt it on Java and Swift. From my understanding, it's signed using Private key and then it needs public key to be verified on Java and S ...

I'm using ECDH for generating shared key for STM32 MCU. Which encryption/decryption algorithm should I use? I looked at RSA and AES project samples provided by STM32 but where do I provide shared key with message to encrypt?

With the current implementation shared key size is 64 bits.

In evp.h, BytesToKey() generates the key from the passhphrase, IV and the MD5 digest in order to decrypt information used by the public/private keypair generation using AES-256-CBC. I am trying to isolate all the EVP_* functions into a standalone implementation for an embedded system. Does anyone have the actual function or what exactly it does?

KEY DERIVATION ALGORITHM The key and IV is derived by conc ...

This question is relevant for both crypto stack exchange and infosec stack exchange. I thought I'd ask here to get answers from a cryptography perspective.

If two systems use the same public key signature system, is it reasonable to re-use keypairs from one system on the other?

For example, both Matrix and the Solana blockchain use ED25519 keypairs.

Potential benefits of re-using keypairs would be: ...

Suppose the circuit is a hash function with the input being the pre-image (private) and the output being the digest (public). If one knows of a collision can they create 2 different proofs that are equal bit-for-bit by inputting the 2 different pre-images that give the collision?

It seems such a SNARK does not exist at the moment because when the Fiat-Shamir transform is used there is an opening  ...

Assuming I have single-key Even-Mansour with single $2n$-bit permutation in wide-pipe Merkle-Damgård specifically with Matyas-Meyer-Oseas mode outputting $n$-bit hash.

What security can I expect against collisions and preimages?

Am I wrong to expect $2^\frac{n}{2}$ for both?

In AES, the MixColumns operation involves a linear transformation from GF(2^8)^4 to GF(2^8)^4. The branching factor for this transformation in the original AES is 4, and it is considered secure against differential cryptanalysis with 4 rounds, where the differential probability falls below 2^(-128).

If we replace this linear transformation with a linear transformation having a branching factor of ...

They say the security of Diffie-Hellman depends on the factorization of (N-1), where N is the big prime number you feed it.

More specifically, (N-1) itself has to have a big prime factor, such as (N-1)/2 also being prime.

My question isn't about why that's the case or how to tell if it has a big prime factor or not, I've seen those on here already.

My question is: HOW BIG of a prime factor does (N-1) need ...

Assume we have a central issuing authority that sends each participant a share that reconstructs in key $P_k$. I.e. Shamir Secret Share with $2$ out of $N$ format where $N>3$.

This central authority also broadcasts public key $P_a$ so every participant guaranteed to receive same $P_a$.

Is it possible to generate such a proof, that participants can be sure that shares they receive indeed reconstruct i ...

In your opinion, is the correlation between the length of the ciphertext and the decrypted text (even if it is approximate) a cipher vulnerability? Or is there a solution to this problem outside of it? After all, if the attacker knows the approximate size of the message, he has some information about what type of information the victim transmitted.

Let's say I encrypt a message with some secret and store it in a database. Later, I want to securely share that secret with someone, so that they can read the message as well. Even later, I want to further expand the group of people who know the secret by adding another person.

Basically, I want end-to-end encryption, but with two differences:

• New parties can be spontaneously added
• Those parties have to  ...

Suppose that there are $n+1$ parties - $B,A_1,A_2,...,A_n$ that want to share a secret key

The protocol of exchanging is roughly the same as Diffe-Hellman

Chose a group $G$ with an order of $p$ - a prime number and a generator element $g$

• Each $A_i$ generates a random number $a_i \in \{1,...,p\}$ and send $B$ the value $X_i \leftarrow g^{a_i} $
• B generates a random number $b \in \{1,...,p\}$ and s ...

In theory this is what I have :

• Around 10 000 offline machines
• Each machine will generate around 10 000 ids
• I can program the machine in any way I want, but I prefer a low memory and low cpu
• They all will be generated in a short timeframe (1 day)
• It should not have id collision
• It should not be possible to determine when and which machine has generated it.

How could I do that ?