Latest Crypto related questions

Score: 1
McCallum-Relyea exchange on x25519 elliptic curve

Background

I have a degree in electronics engineering, I'm not bad at programming with many languages, but I'm not that good at cryptography, I'm just able to use that from libraries, and I understand just a few basic principles. I'm evaluating the McCallum-Relyea key exchange protocol (the one used in the tang protocol) in order to use it in a project, so I became aware of a few things about ellipti ...

Score: 2
How does perfect forward secrecy work for messaging?

I am struggling to understand how messaging protocols (like Signal) are able to use perfect forward secrecy. My understanding is that the server generates temporary keys which are used in combination with a user's persistent keys in generating shared session keys.

But if the temp keys are discarded after the session ends, how do the client devices decrypt messages from previous sessions? I must be miss ...

Score: 3
How bad are human-generated random numbers really (One Time Pad)?

This is a pretty open question, so I'm mostly looking for gut reactions from experts more educated than I.

Given these assumptions which are easy to verify with a quick Google search:

  • One Time Pads need to be truly random to be unbreakable
  • Human beings cannot generate truly random numbers mentally

My question is: how insecure are human-generated numbers really? Obviously without perfect randomness th ...

Score: 1
Entropy for TLS 1.2: how much is needed for Linux servers?

I am trying to fix issues with a server where the server keeps freezing up and needs to be restarted. I recently started hearing about entropy and its importance to secure TLS keys in Linux. The one thing I haven't found in my research is how much is needed/how to increase entropy on a Linux server for TLS 1.2.

I believe this is where the issue is coming from. It started to appear when we were im ...

Score: 5
How do you instantiate a Random Oracle?

I was recently discussing with a friend how to instantiate something that requires a RO (with a potentially long output) in a practical implementation. Specifically, for a Fiat-Shamir transform.

The options I see are:

  1. Hash function
  2. PRF
  3. CSPRNG
  4. KDF/randomness extractor
  5. ...?

What primitive can be used, in what construction and what are arguments for its security?

For example, hash functions seem like a ...

Score: 2
Any simple, cryptographically secure AES-based DRNG?

I am looking for a DRNG/DRBG (cryptographically secure) algorithm/function (which I can program into JS). I am looking to use a DRNG as a seed generator for generating multiple, identical AES keys on separate client devices, sharing the seed for the DRNG securely between users. Basically, I'm trying to see if there are any simple mathematical ways to achieve this. Any suggestions are greatly appreciated!

Score: 5
Does having multiple salted hashes lower pre-image resistance?

A common method to mitigate the effect of rainbow tables is to add a string to the end of the user password before hashing, a process known as salting.

However, let's say for example that someone uses a certain password across multiple websites which all salt their passwords, all use the same cryptographic hashing function, and all have their database leaked.

Can having multiple salted hashes  ...

Score: 2
Is a non-correlating signed identity proof possible?

Is it possible to receive from a party $I$ a signed message $M$ that can be presented to two independent other parties $V_1$ and $V_2$ as $M'_1$ and $M'_2$ in such a way that they cannot establish a correlation between $M'_1$ and $M'_2$, but that they can verify that the message was signed by $I$ and issued to the one presenting it?

EDIT:

To make it more clear what I would like to achieve here's an ...

Score: 1
Asymmetric encryption of transaction log file: is RSA the correct algorithm?

I want to produce a transaction log that is encrypted while being produced. I'd prefer asymmetric encryption. It is possible that my program will terminate without writing any closing blocks, so my output can't depend upon being able to write any end-of-file blocks the encryption scheme may require.

I can open new transaction logs as needed and do not require the ability to append to a previous o ...

Score: 2
Commitments and snarks: overflow over a finite field

Let

x = 100 - initial balance

M = 1,000,000,000

transfer amount final balance M+x

E(p-M) + E(M + x) = E(p - M + M + x) = E(p + x) = E(x)

producing correct proof of the fact that the final balance minus the initial balance is equal to the transfer amount where E(x) = x*g,

g = generator of the elliptic curve,

p = elliptic curve group order

and a similar question: does it arise somewhere in zk-SNARKs? If this problem ...

Score: 1
Z superscript confusion

I was practicing some questions on cryptography (newbie) and came across this question: [image of the question]

I know that Z26 means modulo-n arithmetic is used, but what does the superscript (3) denote? My guess is that the superscript represents the dimension of the square, key matrix. But, I would like it if someone confirms it for me or corrects my understanding.

Score: 2
Is the XOR of two block ciphers still a block cipher?

Let's say I have a block cipher $E: K \times M \rightarrow C$.

Is the function defined by $\operatorname{Enc}(k_1,k_2,m) = E(k_1, m)\ \operatorname{XOR}\ E(k_2,m)$ guaranteed to have an inverse function $\operatorname{Dec}$?

If it has, then what is $\operatorname{Dec}(k_1,k_2,c)$?

Score: 1
Is it possible to solve a linear polynomial in a finite field?

Say that in $\mathbb{F}_{999,999,000,001}$ I have an equation $0 = ax - b$ where $a$ and $b$ are random values from the field.

Is it possible to solve this equation for $x$ using the Extended Euclidean Algorithm without a brute force search?

If instead I was in a finite field with order as a 254 bit prime, would this problem be intractable?

Score: 2
How do the c-bits (capacity bits) make the sponge construction better?

[image: a sponge construction]

I know that the message never directly changes those last c bits of the internal state (as seen in the image). And I also know that the capacity bits make the sponge construction resistant against collision and preimage attacks. How do the c-bits make it resistant against such attacks?

Score: 3
Is this property generally true for AES-128?

Let $E_{k}(P)$ be the AES-128 function with key $k$ and plaintext $P$, both 128 bits. I want to know if the following property is generally true for AES or if I have stumbled upon a special set of keys:

$$E_{k_1}(E_{k_2}(P)) = E_{k_1}(P) \oplus E_{k_2}(P)$$

Score: 1
Using roots of unity mod n to break RSA when e and phi are not coprime

I am trying to solve an RSA problem where we only know the public key (n,e) and the ciphertext c.

The modulus n is actually a prime number, so we can easily compute phi as phi = n-1.

But the problem is that e shares a common factor with phi, where gcd(e,phi) = 8, where gcd = greatest common divisor. So this means we can't get the private key d. Also e is a power of 2 (e = 16).

In my research I found th ...

Score: 1
Is it possible to make a (zero-knowledge) proof about the content of an asymmetric encrypted message?

I'm trying to understand the proposal presented in this paper: zkKYC - A solution concept for KYC without knowing your customer, leveraging self-sovereign identity and zero-knowledge proofs.

The essence of the paper is on page 10 and specifically in the two sections zkKYC token and Validity proof.

According to the paper:

  1. The zkKYC token is a message that is asymmetrically encrypted for a recipi ...

Score: 0
Example of Elliptic curve Affine compression point

I am starting to learn about elliptic curves and I read about point compression on curves, which is more efficient for saving memory. I am looking for an example I can follow with correct output.

Score: 0
In AES-128-ECB, if byte 15 is over 128, the padding block changes value. What's the reason for this behavior?

For example, if we run this openssl command:

openssl aes-128-ecb -a -in <(echo -n "AAAAAAAAAAAAAAAA") -K "deadbeefdeadbeefdeadbeefdeadbeef"

The output in hex looks like:

block 1                          block 2
7a03acccf884d4ac38b7a2f3529806fa adfbc6ad78223f79cded6638d1d9802b

If I run it again and change the last byte, I get:

openssl aes-128-ecb -a -in <(echo -n "AAAAAAAAAAAAAAAa") -K "de ...

Score: 2
Designing a scheme to store encrypted data on a backend

My goal is to design an encryption scheme for the application so that the backend stores encrypted data and the whole process of encoding and decoding happens on the frontend. And you can be sure that even if the backend database gets compromised the data is impossible to decrypt.

I'm in no way an expert on the topic but tried my best to grasp as much information as I could in the last couple of  ...

Score: 1
What is a practical application of evaluating at a point in the Kate Polynomial Commitment Scheme?

I understand how the Kate Polynomial Commitment Scheme Evaluation Proof works however, I don't understand what is the purpose of it?

In general, in a commitment scheme, Peggy commits to message & sends the commitment to Victor. The purpose of a commitment scheme is two fold

  • Once Peggy commits to a message, then she cannot change it. At a later stage, when the commitment is opened, Victor can chec ...

Score: 0
Curious about CCA attack for RSA, and Kerckhoffs's principle in general

I'm a student studying cybersecurity for the first time, and the part where our textbook explains using CCA attacks on RSA seemed really unclear to me, so I am here seeking clarification.

Our textbook quotes

if the attacker receives encrypted message c = m^e (mod n), they can multiply by the encryption of a random number r^e (mod n) and ask the decryption oracle to decrypt r^e*c, which giv ...

Score: 1
Showing that CPA encryption schemes cannot preserve the length of a message

I am self studying "A Graduate Course in Applied Cryptography" by Boneh-Shoup. I am stuck on the following problem.

Let $\mathcal{E}$ be an encryption scheme where messages and ciphertexts are bit strings.

(a). Suppose that for all keys and all messages m, the encryption of m is the exact same length as m. Show that $(E,D)$ cannot be semantically secure under a chosen plaintext attack.

I would lik ...

Score: 2
Efficient Zero Knowledge Proof for proving a reencryption shuffling for an arbitrary table

I have a problem where I have a table of various reencryptable/rerandomizable ciphertexts (Paillier, Elgamal, EC Additive Elgamal). Each row on a given table has the same structure, but each column potentially has its own cryptosystem. This shuffle gets executed several times on different tables with different numbers of columns.

  • I want a group of parties to execute a verified shuffle of this table ...

Score: 1
In Daniel Bernstein's implementation of NIST P-224 elliptic curves, what is the encoding used by the secret e?

I'm working with https://cr.yp.to/nistp224/library.html and trying to correctly format my integer e for the library. The doc states:

The integer e is 2^224 + 2^216(e[0] - 136) + 2^208(e[1] - 136) + ... + 2^0(e[27] - 136).

I already have an integer e in mind, but I've got it encoded as a big endian array of bytes. What is the encoding above called (if it has a name)? Is there a known method for tak ...

Score: 3
How to decrypt c when e is not co-prime with phi(n) and e is non-prime

In RSA, I want to know a way to be able to retrieve all possible plaintexts $m$ given a ciphertext $c$, $\phi(n)$, $n$ and $e$. The decryption exponent $d$ can not be generated due to the fact that $e$ is not co-prime with $\phi(n)$.

In fact, the $e$ I have is not even prime (it is specifically $1024$ in this case and thus it is even, so it is certainly guaranteed to have a gcd greater than $1$ with bo ...

Score: 5
Which lattice-based encryption scheme/signatures is fundamental?

If I would like to focus on only one signature scheme, and only one encryption based on lattices in a pedagogical context (to introduce the concept of lattice-based crypto to people familiar with cryptography)?

Is it possible to consider only one cryptographic problem in this context?

Score: -1
How is DES used with CBC?

I'm reading our school's notes for cryptography, and it does a good job explaining CBC and DES in detail, but it fails to provide good information on how they are related.

From what I've researched so far, it appears that CBC is essentially a series of block ciphers, and DES can be used for the block cipher encryption process.

Is that it, or are there some other ways these are related? I'm really lo ...

Score: 0
How can I use w-NAF(k) scalar method in curves

I am studying elliptic curves and I have learned the scalar methods like NAF(k), w-NAF(k) and double-and-add, but now I want to know how I can apply any of these scalar methods, I mean apply them on affine and Jacobian curves to get fewer M, S and I.

And I want to know: does compressing the point count as better than scalar methods like NAF(k), w-NAF(k) and double-and-add, or can I use scalars with point co ...

Score: 1
KEM security definition - IND-CCA vs IND-CCA2

When researching PQ KEMs I have come across two different definitions of indistinguishability under (adaptive) chosen ciphertext attack: IND-CCA (https://eprint.iacr.org/2017/604.pdf page 10, Kyber - https://eprint.iacr.org/2017/634.pdf page 3) and IND-CCA2 (https://eprint.iacr.org/2002/174.pdf page 4). The security experiments differ only in that the adversary, in the IND-CCA2 case, has an acces ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.