Latest Crypto related questions

As I understand,

1.The security strength is specified in bits according to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

2.Security strength is depend on the length of entropy input when generating random number

So, in the signature generation function, if the random k is an input parameter (not generate random k in this function)

How to check valid k? security strength of  ...

What hash based digital signature algorithms exist that have reasonably small signature sizes?

• By reasonably small, I mean not much bigger than what you would get with a 256-bit ECDSA (which I believe has a signature of about 64 bytes). If nothing close exists, then what's the smallest signature size I can get?

• I want 128 bit security or better (although its not a hard requirement).

• I will be si ...

I AM an amateur (for some reason, I have originaly written "I am not"... embarassing, sorry) in cryptography so this might be a very basic question.

I am interested to know if there exist ciphers such that if I encrypt a message with it and then lose first say 300 bits then I can't recover any information from the message even if I have the decryption key?

My problem is basically that I don't have a ...

TLS is the standard cryptography protocol on the internet, and many websites use it to secure their communications. However, for personal use, most people use other protocols like PGP, instead of using TLS keys/certificates.

There doesn't seem to be any reason to not use TLS for these things, or at least the encryption/signing part. The transport part of TLS isn't always needed, since people have ...

I read on the page 16 of On the Security of Hash Function Combiners that

the classical combiner for collision-resistance simply concatenates the outputs of both hash functions $Comb_{\mathbin\|}(M) = H_0(M) \mathbin\| H_1(M)$ in order to ensure collision resistance as long as either of H0, H1 obeys the property.

Consider H, a secure internal hash function with 256-bit inputs and 128-bit outputs

Can multiple signatures of the same message with the same private key (different nonces) lead to a private key trace?

How can I transform a complete twisted Edwards curve $ax^2+y^2 = 1+dx^2y^2$ with not square $d$ and square $a$ into an isomorphic Edwards curve $X^2+Y^2 = 1+DX^2Y^2$ with a square $-D$ i.e. $D = -r^2$?

I tried to set $X = \frac{x}{\sqrt{a}}; Y=y$, but $-\frac{d}{a}$ is also a non square (at least for Edwards25519). This answer is not working as well (i.e. $-1/d$ is not a square), because $-1$ is squ ...

1. Let $L$ be an $[n,k]$ code. A $k\times n$ matrix $G$ whose rows form a basis for $L$ is called a generator matrix for $L$.

2. A linear $[n,k,d]$ code with largest possible minimum distance is called maximum distance $d$ separable or MDS code.

I want to find a generator matrix for MDS code using SageMath or in another way, is there any SageMath code to check a matrix is a generator matrix for the MDS ...

Let us consider the following verification protocol based on Feldman. Assume, $c_0,\cdots,c_k$ represent the coefficients of the polynomial $p()$ in $\mathbb{Z}_q$. For verifying share $(i,p(i))$ and public parameters group $G$ of prime order $p, q|p-1$ and generator $g$, the share generator provides $(g,d_0,\cdots,d_k)$ where $d_j=g^{c_j}, j \in\{0,1,\cdots,k\}$. The receiver of the share $s$,checks wh ...

IBM CEO Arvind made a talk in HBO's Axios program. It seems that there are misconceptions/misleading/flaws in reasoning etc.

What are those!

Some of the details of the speech is given as;

IBM says its new Eagle processor can handle 127 qubits, a measure of quantum computing power. In topping 100 qubits, IBM says it has reached a milestone that allows quantum to surpass the power of a traditional comp ...

In the paper of "Reaction Attacks against Several Public-Key Cryptosystems" CiteSeerX link, reaction attack is defined informally as "Obtaining information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key."

Is reaction attack explicitly defined in literature? What is the difference between fault attack and reaction attack -as defin ...

Can someone throw light on the differences between tokens and secret keys? I understand that "tokens" are crypto artefacts "introduced" into a system by an external party in order to authenticate whereas keys can be either generated on the device (for. eg a key pair in case of asymmetric cryptography & corresponding public key can be used externally to authenticate) or a secret symmetric key can be ...

I am working on a project that is using a bit-commitment concept to authenticate information.

I need to select a combination of objects securely from a secure hash, then distribute that hash later. Then a client knows that only the authenticated server selected that combination of objects before distribution of the hash the combination derived from. In other words, I need to select a combination  ...

Lets say I have a message that needs to be signed by two keys that were generated using ECDSA

Is it possible to make a signature that accounts for both keys, meaning I can verify with both and see they are valid?

An example, if we need a cryptocurrency example:

Address 1 has 10 coins Address 2 has 10 coins

Both inputs are in the transaction, and now need to be signed. Is it possible to make it so only one ...

Two dimensional patters are omnipresent in information transactions. QR codes, images are most common. I want to know if there is a concept analogous to the well known concept of Linear Complexity of periodic sequences, for two dimensional patterns?

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

3. Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and

Suppose I have a k-dimensional secret $\langle x_1,\cdots,x_k \rangle$ which I share using a packed Shamir's secret share $(t,k,n)$ where $t$ is the threshold and $n$ is the number of shares as follows: Construct a polynomial $f$ of degree $t+k-1$ such that $f(-1)=x_1, \cdots, f(-k)=x_k, f(-k-1)=r_1, \cdots, f(-k-t)=r_t$ where $r_1,\cdots,r_k$ are randomly sampled from the field. Now the n shares are gene ...

To encrypt a group element $P$ with public key $K$ and randomness $r$ using ElGamal on elliptic curves with base point $G$ we do the following $(c_1, c_2) = (r\cdot G; P+r\cdot K)$.

When we want to encrypt a free-form message $m$, we have to convert it to a group element $P$ first. For that, we can either use scalar multiplication $P=m\cdot G$ (additively homomorphic) or map the message $P = map(m) ...

I know that generally it's infeasible to find the private for any given public key. But I also came across the question "Find ECDSA PrivKey to PubKey = 0", in which it was explained that the private key for a public key 0x0000...0000 can be easily derived.

From the answer to that question it appears that public key 0x0000...0000 is the only public key for which this is the case, but haven't understoo ...

One way of interpreting matrices in RLWE is that they are a subset of standard integer matrices that have special structure. For example, rather than using a random matrix $A\in\mathbb{Z}_q^{n\times n}$ (as we might in LWE-based constructions), we can replace this a matrix with a matrix where the first column (or row) is random, and the rest have a cyclic rotation structure:

$$\begin{pmatrix} a_1 & ...

Say I have two values $x$ and $y$ of slightly different lengths. They can be passwords or keys or any other critical value, and I want to deterministically map them to two values of the same length.

Would using a secure hash function to achieve that purpose introduce any weakness into the system? We can assume the the output length of the hash function is not too small compared to the original inputs (e. ...

I understand that PRNG are Random Number Generators that uses a deterministic algorithm based off of a seed.

I also understand that CSRNG are PRNG that are cryptographic-ally safe to use for generating random numbers.

And by cryptographic-ally safe, I believe this means that even if an attacker knows the deterministic algorithm and the seed, they would not be able to predict the next random number.  ...

I have a question regarding the internal wiring of the rotors of the Enigma machine.

I'm trying to understand some details about the original Enigma machine. To the best of my understanding, each rotor is nothing but a monoalphabetic substitution cipher - except that the rotors can rotate. Yeah. But the rotation is just an additional offset. The actual substitution table is encoded by the internal wiring ...

I get stuck in the proof of decryption correctness in RLWE based Cryptosystem. To state where I am , let me show the full scheme first. The image is from chapter 3.2 of this paper.

And the decryption correctness proof of the scheme follows

In this proof , I can get the second last equation in decryption procedure , i.e. $$\mathbf{m} + (t/q)(\mathbf{v}-\epsilon \cdot \mathbf{m}) + t\cdot \mathbf{r} $$ ...

Each mobile SIM card has a four-digit number ($b_1$,$b_2$,$b_3$,$b_4$) called PIN code. Each digit $0 \le b_i \le 9$ (for i = 1, 2, 3, 4) is generated using a random 16-bit sequence as follows: $b_i=(r_{4i-3} + r_{4i-2} .2 + r_{4i-1}.2^2 + r_{4i}.2^3)\pmod {10} $. How we can calculate the antropy of PIN code? I know the entropy relation but I have no view.

I do not quite understand the UC framework. Given a protocol to be proven, now I just know firstly we should write down the ideal functionality, and then the concrete protocol, then proving the protocol security realizes the ideal functionality by constructing several simulators. May I ask if it is true that we can tell if a protocol is UC-secure just from its ideal functionality?

Besides, in pag ...

Can I know just from a Bitcoin public key if the private key is odd or even?

[moderator note] That is, can we find parity of the private key from a secp256k1 public key?
For the original dump of digits, see here.

So I guess https://github.com/google/wycheproof "tests crypto libraries against known attacks". It appears to mainly be intended for Java crypto providers but can it easily be adapted to be used for other languages?

For non timing attacks you could probably just loop through the *.json files in the testvectors directory but it's not clear to me what some of the data in there means.

Consider ecdh_sec ...