Latest Crypto-related questions

Score: 2
Tom
Salsa20 offers speeds of around 4–14 cycles per byte, but is it parallelized?

On Wikipedia:

https://en.wikipedia.org/wiki/Salsa20#cite_note-5

they wrote that Salsa20 offers speeds of around 4–14 cycles per byte in software on modern x86 processors. But is it implemented that way, i.e. does it perform some operations in parallel? If so, how many cores are used, four?

Score: 0
ProcolHarum
How to exchange keys in JWT between server and client and between shared servers?

I'm not sure I have a full understanding of JWT when it comes to the signature. The signature, as I get it, validates to the server that the header/payload that was transferred from the client is legit.

So if I get it right it goes (almost) like this:

Say I'm Allison and I just logged in a server and was successfully authenticated. The server will generate a token (JWT) for which I'm going to use to co ...

Score: 3
xade93
Hardness of LWE

I was reading "TFHE Deep Dive" from Ilaria Chillotti, and I am a bit confused over the sample given at 31:08. In the above toy sample, isn't it possible to directly eliminate the noise by shifting the ciphertext by $\Delta$, then obtaining the plaintext by Gaussian elimination?

In general, while intuitively original LWE hardness make sense (errors taken from $D_{L,r}$ with $r\geq \eta_\epsilon(L)$, so support of er ...

Score: 2
Sam
Verification through prime modulus

Asking this question here since it has a flavor similar to some cryptographic protocols. How likely are two integers which are smaller than some threshold, reduced mod some prime number, to have the same result? For example, what is the probability that $n_1 \bmod p = n_2 \bmod p$ if $p$ is randomly picked from the first $N$ primes, and $n_1$ and $n_2$ are some integers smaller than, say, $2^N$?

Score: 1
H Aßdøµ
How can I encrypt with a matrix key using ECB mode?

Given this plaintext: 101010101010, with a block size of 3, an IV = 000 and the key k = |1 2 3| |2 1 3|, what are the required steps to get the same result as these in ECB mode: c1 = Ek(m1) = 011, c2 = Ek(m2) = 100, c3 = Ek(m3) = 011 and c4 = Ek(m4) = 100. c = c1||c1||c1||c1 = 011100011100.

Note: It is not homework or a test, I am just making some preparation.

Full exercise and its solution are below:

Score: 2
Mohammad Khaled
Elliptic curve Jacobian coordinates example

I am working on Jacobian coordinates in Matlab. I want a Jacobian coordinates example with numbers, including doubling and additions based on the k value, to test whether the code works properly. I tried searching Google to find an example, but I didn't find one.

Can anyone refer me to a clear example that includes numbers with answers to test my code?

Thanks for all

Score: 3
UnpluggedTrio
How can we reverse Elliptic Curves after solving the DLP problem?

Suppose that I've solved the Discrete Logarithm problem. Can someone explain to me in terms of the example below how to arrange values of Elliptic Curve secp256k1 in a reverse form so that I can calculate a private key from a public key?

Here is the minimal example: $5^x \bmod 17 = 13$ . Then I'd be able to calculate that $x = 4$.

Score: 4
ANISH M 18CS006
Would compressing encrypted data and compressing digital signatures be bad for security?

I understand that compressing encrypted data and compressing digital signatures is not efficient because they are most likely incompressible. But in my application, encrypted data and digital signatures (post-quantum crypto) are stored in a sqlite database along with metadata like the crypto algorithm name and IV. If LZMA compression is applied, the sqlite database itself is compressible. Actually I use sqlite ...

Score: 1
xiao
How to solve the problem of FHE ciphertext expansion?

FHE typically has a large ciphertext expansion factor, meaning that the ratio

$$\frac{|\mathsf{Enc}_{pk}(m)|}{|m|}$$

is typically quite large --- in standard schemes it is $\omega(1)$. Even getting $\Theta(1)$ seems to take some work, not to mention the end goal of expansion factor $1 + o(1)$.

To this end, I have seen some work on FHE-friendly block ciphers --- do these help reduce the ciphertext expan ...

Score: 1
tonythestark
Proving the generator criterion for the group $Z_p$

I am trying to understand how to find a generator of $Z_p$. How to find a generator $g$ in a cyclic group?
I have heard that we can pick a random $a$ in $Z_p$ and for each primitive $d \mid p-1$ check whether
$a^{(p-1)/d} \neq 1$. If it holds it is a generator, otherwise it is not.

Why does this hold? If $a$ is of order $q \mid p-1$ then all I can see is that from Fermat's theorem:
$a^{p-1} = a^{q \cdot (p-1)/q} = 1 \bmod p$

Score: 1
Zyx
Chosen-plaintext attack on AES with MixColumns omitted

Jean-Philippe Aumasson's "Serious Cryptography" says: "Without MixColumns, changes in a byte would not affect any other bytes of the state. A chosen-plaintext attacker could then decrypt any ciphertext after storing 16 lookup tables of 256 bytes each that hold the encrypted values of each possible value of a byte."

What would that attack look like? I can't beat the fact that SubBytes is non-linear ...

Score: 1
rapt
Decentralized identity, how to prevent duplicate uses of the same identity

In a system that relies on decentralized identity, is it possible to prevent duplicate uses of the same real-life identity, i.e. same real-life person creates more than one user entity (each is associated with its own copy of identity keys) -- while remaining decentralized? E.g. without creating a list of signed-up identities, because that would mean that we have some central collection of privat ...

Score: 3
J Medeiros
Breaking Ed25519 Discrete Logarithm with Degenerate Curve Attack

Following this question ed25519 attacks and also this paper on degenerate curve attacks https://eprint.iacr.org/2015/1233.pdf, I tried to implement my own attack: Given a point (0, y) and a scalar (k), the computed point should be (0, y^k).

This attack worked successfully with affine points (X:Y), with point addition formulas such as:

Although, when implementing the same attack with extended coord ...

Score: 1
Filip Sondej
Publishing a message with a computationally enforced delay

I'm looking for a way to publish a message, so that it will only be publicly known after some time (let's say a few minutes). Even I shouldn't have the power to prove what my message was, before this time passes.

I was thinking of something like:

  • the message is encoded using my private key, then published in this encoded way
  • (I could prove what the message is by revealing my private key, but I reall ...

Score: 5
dizzy.stackoverflow
For password-based authenticated encryption is it OK to derive the auth key from the crypt key with 1 iteration?

That is, in the case where the iterations value is a large number, since iterations are costly is there a difference in security of doing something like this, where two separate derivations are performed on the original password with the same large iterations value but different salts:

PBKDF2(password, randomSaltA, iterations = 1000000)
{
    cryptKey = PBKDF2.Derive();
}
PBKDF2(password,  ...

Score: 1
Vey
Should I implement a key store / key management system into my python library?

I've created a Python library that uses both RSA and AES encryption to allow for hybrid encryption of text or images. I am wondering if I should implement a keystore and/or a better key management system and whether that would be applicable or useful for my purposes (I plan to use this in a Flask chat web app). Additionally, I would like to know if my library is cryptographically secure and if I can mak ...

Score: 1
Abol_Fa
Will a bloom filter produce false negatives if it becomes full?

Does the "no false negative" property hold if a bloom filter becomes full? I tried playing with this interactive example but it only gives the false positive probability.

Score: 6
Arithmetic Circuits to R1CS. Do we consider addition gates or not?

Here is Ariel Gabizon's Blog for the process of converting Arithmetic Circuits into R1CS - https://electriccoin.co/blog/snark-explain5/

Here, he writes

  • We assume multiplication gates have exactly two input wires, which we call the left wire and right wire.

  • We don’t label the wires going from an addition to multiplication gate, nor the addition gate; we think of the inputs of the addition gate as goin ...

Score: 3
How will the ability to do comparison or modulo efficiently in Finite Cyclic Groups break Elliptic Curve Cryptography?

This is from Vitalik Buterin's post.

Here he says

Note that modulo (%) and comparison operators (<, >, ≤, ≥) are NOT supported, as there is no efficient way to do modulo or comparison directly in finite cyclic group arithmetic (be thankful for this; if there was a way to do either one, then elliptic curve cryptography would be broken faster than you can say “binary search” and “Chinese re ...

Score: 4
crypt
Security Strength of Symmetric vs Asymmetric Ciphers

NIST SP 800-57 Part 1 rev 5 section 5.6.1.1 gives the following comparison between different encryption types. For example, it shows that 3TDEA, RSA-2048 and ECC224 provide a security strength of 112 bits.

Does it mean that with computational power of $2^{112}$, the chances of breaking 3TDEA, RSA-2048 and ECC224 are equal? Or is breaking one of these ciphers more difficult than the others?

Score: 4
Maarten Bodewes
Which ciphers have been defined that use the Keccak sponge?

Multiple ciphers seem to have been defined using the Keccak sponge as building block / primitive. These seem to have escaped public attention, possibly because they have not been standardized and because current ciphers seem to cover most use cases.

I'd like to know:

  • Which ones have been defined?
  • What are the differences between them?
  • And which purpose do they serve?

Do these have any advantages ...

Score: 2
Simulator
Expanding stand-alone simulation-based proofs to UC proofs

This is a follow-up question to Mikero’s answer to Simulation-based proofs and universal composability proofs.

Let there be some protocol $\pi$ running between two parties $A$ and $B$. Furthermore, assume that I have proven $\pi$ secure using a stand-alone simulation-based proof. That is, I have written some proof $\mathsf{P}$, constructing a simulator for $A$ (and later for $B$) in the ideal world th ...

Score: 3
John T Doe
Are FPGAs faster than microcontrollers in cryptography?

So, for my capstone project, I've been working on a cryptographic algorithm accelerator on an FPGA. While it did get approved, I've been advised to work on a more application-based idea that could incorporate my accelerator, where its use can be justified. I'm trying to find examples where using FPGAs over microcontrollers in encryption would be practically a better option.

Score: 0
Likepineapple
Can salt and XOF be used to create a symmetric cipher?

I'm new to crypto, and I've got an idea and I want to get some feedback on whether it's even the right direction. Let's say that I create a symmetric cipher by using an XOF with a salt and a secret key.

Something like this:

XOR(XOF(salt, secret), plaintext)

When I want to send somebody an encrypted message, I will send both the salt and the ciphertext.

How to break this encryption?

Score: 2
Trafo
ECDH between identical public keys

We are using libsodium and for exchanging secrets we would like to use the so-called crypto_box (https://libsodium.gitbook.io/doc/public-key_cryptography/authenticated_encryption). Under the hood, ECDH is used. The problem is that it can also be possible that I encrypt this secret for myself. In that case, Alice and Bob would be the same person and the public keys will not differ. Is that a secur ...

Score: 5
bs-
DDH hardness with shared public parameters

DDH is believed hard for the subgroup of $ℤ^*_p$ of order $q=(p-1)/2$ when $p$ is a safe prime chosen randomly.

What if $p$ isn't random: When parameters are shared, $p$ mightn't have been chosen randomly—primality can be tested, random sampling cannot—is DDH still believed hard, are any security concerns created/mitigated?

Score: 5
ANISH M 18CS006
In a PGP-like application, would compress-and-encrypt leak information?

Would compress-and-encrypt on data compromise security for a PGP-like application? Would it be secure for use in encrypted messaging?

I have heard it's safe for data-at-rest encryption. I have heard about the CRIME and BREACH attacks on TLS, and I am concerned whether they would affect PGP-like applications and the case of encrypted messengers.

Score: 4
Princeofmillerovo
A modern rotor machine, could it be safe at all?

I wonder if a rotor machine similar to Enigma can be considered secure by today's standards under four conditions:

  1. A rotor machine which consists of 50 rotors picked out of a set of 100.

  2. A rotor machine in which a letter can encipher to itself.

  3. You can select the very same rotor multiple times.

  4. No plugboards, no secret wirings, and no operational errors

So with these in mind, can it be considered ...

Score: 1
Damian Games
How do certificates add data to public key and how is this implemented into TLS?

I want to create a self-signed PKI for a couple of servers I am running. I am finding tutorials with copy-paste openssl commands and hand-waving explanations that describe the general purpose of signing certificates, or 20-page papers on the algorithms used. However, I am really trying to understand the way certificates are built up from the basic public and private key.

I would really like to ...

Score: -4
Abdelkarem Homidi
About the public key in Digital Signature

Please, I do have a question. As you know, to sign a message the sender must first of all calculate the hash of the message and then encrypt it using his private key and then send it to the receiver, and then the receiver will use the public key of the sender to decrypt the signature. So how does the receiver get the public key, and if the sender sends it to the receiver, wouldn't that be dangerous? The key is k ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.