Latest Crypto-related questions

Score: 2
Tom
How to check whether a function provides full diffusion or not?

In "The Skein Hash Function Family" paper authors wrote:

The MIX/permute structure has been designed to provide full diffusion in 9 rounds for Threefish-256, 10 rounds for Threefish-512, and 11 rounds for Threefish-1024.

How do they know it? Is there some rule for designing such structures which can guarantee some level of diffusion, and was it used there (then they could estimate the number of rounds need ...

Score: -1
Hasbo
Can I 100% trust the PBKDF2(HMAC-SHA256) AES-256 CBC encryption algorithm for file encryption purposes or not, and why? (Winrar)

I am not an expert in cryptography and therefore I would like to address this problem to people who have been working on this topic for a long time and thus verify the facts from several sources.

I use Winrar for file encryption because it is the most suitable for me; it's fast and I'm already skillful with this program. I am using an up-to-date version of Winrar which uses PBKDF2(HMAC-SHA256) AES-256 C ...

Score: 1
joaquinlpereyra
BLS Rogue attack: how does e(x^b, y)=e(x, y^b)?

In aggregated BLS Signatures, there's a known attack which allows an adversary to forge a valid signature for a message $m$ knowing only the victims' public keys.

Reading about the maths behind it, this justification is done:

[image: rogue-public-key derivation]

After some juggling math around, everything is clear but the middle equality. What allows one to assert that $e(g_1, H_0(m)^b) = e(g_1^b, H_0(m))$?

My algebra is far from th ...

Score: 1
Roberto
Reversing an XOR encryption/decryption function

I have a help recommended high-school project that I'm stuck with. To basically explain the problem: I have an encryption function that is used as the decryption function and I need to reverse it to make an encryption function.

I tried many things but I can't find the proper result. The best I came up with was to encrypt 1 byte out of 2 properly.

Here is the core of the function (the rest is variables init ...

Score: 1
Manc
How to factorize RSA modulus while given two Public Exponents and the difference between two Private Exponents?

The RSA modulus is the product of two $2048$-bit primes.

And the two Public Exponents are both $16$-bit.

I also got the difference between two Private Exponents $\left | d_1-d_2 \right |.$

Is there any way to factorize the Modulus $N$?

Score: 2
user104304
CPA secure to CCA secure encryption

Can we use a MAC to transform a CPA secure encryption scheme into CCA secure one?

Score: 1
Кирилл Волков
Why are hashing the private key in Ed25519 key generation and the later modifications required?

In EdDSA with Ed25519, the algorithm for computing the public key is the following:

h = hash(privateKey)
h[0] &= 0xF8
h[31] &= 0x7F
h[31] |= 0x40
publicKey = h * B

The questions are

  1. Why is Hashing in Ed25519 key generation needed?
  2. Why are the actions on the bits of h needed?
  3. What does the clearing relate to the 31st bit?

Score: 0
שחר כהן
Faster linkable ring signatures libraries

I need a fast linkable ring signatures library, something that is O(log(n)) where n is the ring size. I read a few papers about these kinds of schemes but I didn't find any implementations of them. Here are a few of the papers I read: https://reader.elsevier.com/reader/sd/pii/S0304397512009528?token=6FCBA7389B1AF78F2C3B52B706F5C9E13130E044B14FD7F6DD55632C02F6B742E9CE2B288610AC2FFE0FCF198729F510&ori ...

Score: 2
swarna islam
Significance of having remainder $3$ when divided by $4$ for both $p$ and $q$ in BBS

In the Blum Blum Shub random number generator, we take two random prime numbers $p$ and $q$ such that both have a remainder of $3$ when divided by $4$. My question is why can't we just take any $2$ random primes? What is the significance of having remainder $3$ when divided by $4$ from the perspective of mathematics and security?

Score: 1
kevin
value bound of r⋅e for LWE Decryption correctness

For LWE decryption, someone told me that if we can bound r⋅e by q/4, then we can retrieve M by checking whether it is closer to 0 or q/2.

However, how do I use tail estimation to derive the relationship between the upper bound of the standard deviation (α) and q/4?

Note: There is also an upper bound value of sqrt(M) for r, which I am also quite confused about.

[image: Decryption correctness]

Score: 0
Finding $a$ in $g^a\bmod p$ in Diffie-Hellman

This might be a silly question but I am unable to wrap my mind around it. In Diffie-Hellman can we find $a$ when $A = g^a\bmod p$, given we know $A$, $g$ and $p$?

Score: 8
juhist
Would an encryption-only block cipher be useful at all?

I recently implemented AES block cipher, encryption side only, to be used in QUIC parsing (QUIC uses GCM mode). There are other modes than GCM that use only encryption: for example CTR, OFB, and CFB.

When implementing the AES cipher encryption side, it occurred to me that everything done there has to be reversible, so the bit-mixing operations you do can't be arbitrary; they have to be carefull ...

Score: 1
Bastiaan Quast
For integers, when should I use BFV / BGV / CKKS / TFHE?

When performing homomorphically encrypted computations, when should I use BFV / BGV / CKKS?

It seems BFV / BGV is better suited for integers, and CKKS for floats. It also seems BFV-BGV have some portability. I want to calculate using integers.

How do I understand if I should use BFV or BGV?

I also don't understand why the imprecision from CKKS could not simply be fixed by rounding, since it is comparat ...

Score: 1
seeker58
Which data is communicated between participants in Distributed Key Generation

I was asked recently if it is somehow possible to use already existing keypairs stored in HSMs for, e.g., ped-DKG.

Which ultimately led me to the question, which data is actually exchanged between parties when generating a shared key-pair? I was thinking surely there has to be some communication of the parties, e.g. agreeing on a threshold (degree of polynomial) before generating their private key fra ...

Score: 0
Aviv Aviv
Is SHA-256 better than SHA-1 in aspects other than the hash size?

Assume I create a hash using SHA-256 and then take only the first 160 bits of the hash as the result. Is the result more cryptographically secure than SHA-1? Or are the two algorithms equally secure except for the hash size? (For example in terms of uneven distribution of the hashes and other means that determine the resilience of hashing algorithms.)

What about the rest of the SHA family of ha ...

Score: 3
Lukie Boy
Fast polynomial multiplication over finite field GF(2^n)

I wonder if there is a more efficient polynomial multiplication than Karatsuba over the finite field $\operatorname{GF}(2^n)$. Brief research on this topic gave me a few results on fast multiplication on $\operatorname{GF}(2^n)$ using a polynomial over $\operatorname{GF}(2)$, however, it was hard to find a fast 'polynomial' multiplication over GF(2^n). (i.e. Multiplication over $\operatorname{GF} ...

Score: 0
How to validate a proving key and verification key are generated correctly in SNARKs?

If Alice does the trusted setup, how does Bob validate that the proving key and verification key are well formed, i.e., that they are actually a pair derived from the said circuit and the same toxic waste? Alice could run the setup twice and give Bob the proving key from the first run and the verification key from the 2nd run, causing a key mismatch. Can Bob detect this kind of subversion in a SNARK such as Groth16? ...

Score: 1
Tom
Does the Merkle–Damgård construction require a OWF with two inputs?

I'm looking at the scheme on Wikipedia:

https://en.wikipedia.org/wiki/Merkle–Damgård_construction

And it looks like the function f takes two inputs. So do we have to use in this scheme a OWF which can take two inputs, or maybe we can somehow combine the IV with the message block, for example by XORing them? Then f can technically take only one (combined) input?

Score: 0
Shubhojyoti Nath
How does parallel repetition preserve Honest Verifier Zero Knowledge?

I do not understand how to formally argue this using the simulator of the original Honest Verifier Zero Knowledge proof.

Score: 4
Tom
Weak physical random number generator/source - what is this?

Why can a physical random number source be weak? I see two kinds of problems:

  • it is hard to control it and make it resistant to some unwanted bias, but also to deliberate attacks,
  • it has a normal distribution, while we usually want to have a uniform distribution (that's why we use randomness extractors or KDFs).

Can anyone elaborate on this topic? What is a weak physical random number generator/source and wh ...

Score: 1
eternalmothra
Input Delayed Sigma-Protocol

In a Sigma-protocol, the steps are (1) commitment, (2) challenge, and (3) response. In general, the prover has a statement and witness that they can use to compute the commitment step. But in some cases (like Schnorr or equality of two discrete logarithms) the prover doesn't use the statement or witness in the first step.

Are there more general Sigma-protocols that have this delayed input propert ...

Score: 0
Traceable Ring Signature - How is a Tag created?

I am reading the paper on Traceable Ring Signatures and I do not really understand how the Tag is created and how you achieve traceability when using the same tag for two different messages. Could you explain how the Tag is created?

Score: 3
fgrieu
Can reinforcement learning speed up modular multiplication?

In Discovering faster matrix multiplication algorithms with reinforcement learning (Nature, 2022; lightweight intro), the authors used reinforcement learning (an artificial intelligence technique) to devise a new, slightly faster matrix multiplication algorithm.

Could a similar technique work towards a better multiple-precision modular multiplication algorithm, as at the core of RSA and ECC using pri ...

Score: 1
Carlos73
Trying to understand this Solution related to CCA security

4.25) Let $F$ be a strong pseudorandom permutation, and define the following fixed-length encryption scheme: On input a message $m \in \{0,1\}^{n/2}$ and key $k \in \{0,1\}^n$, algorithm $\mathsf{Enc}$ chooses a uniform $r \in \{0,1\}^{n/2}$ and computes $c := F_k(m \| r)$. (See Exercise 3.18.) Prove that this scheme is CCA-secure, but is not an authenticated encryption scheme.

Solution: The scheme trivially does n ...

Score: 2
Beefster
Can a man in the middle tell what kind of encryption you're using from a key exchange?

Encryption schemes typically are built on the idea that even if a man in the middle attacker knows exactly what kind of encryption you're using, they cannot decrypt your messages without the key.

There are a number of different mechanisms for two users to create or exchange keys without a man in the middle being able to deduce the keys. If a man in the middle attacker did not know in advance what ...

Score: 4
Bean Guy
Alternatives of how the Fiat-Shamir transform random oracle is applied to a protocol

The Fiat-Shamir transform typically works by substituting (public) coin tosses from the verifier by hashes of the prover's messages until this point, i.e.: $$H(x,\alpha_1) = \beta_1, \\ H(x,\alpha_1, \alpha_2) = \beta_2,\\H(x,\alpha_1, \alpha_2, \alpha_3) = \beta_3,\\\vdots$$ where $x$ is the public input of the protocol and the $\alpha_i$'s are the prover's messages.

I understand that this is prov ...

Score: 0
georggr
Find the RSA private key only by knowing the public key, the ciphertext and that each letter in the alphabet was encrypted separately

Is there a way to determine the private key (or the phi value) without factorising $n$, if one knows the ciphertext and the public key and that each letter of the (English) alphabet has been encrypted individually?

Score: 0
How to use Argon2 with salt from binary file?

In the Linux program Argon2, we need to supply the salt on the command line. This limits the salt to printable characters. How can we use a binary string as the salt?

# argon2 -h

Usage:  argon2 [-h] salt [-i|-d|-id] [-t iterations] [-m log2(memory in KiB) | -k memory in KiB] [-p parallelism] [-l hash length] [-e|-r] [-v (10|13)]
        Password is read from stdin
Parameters:
        salt            T ...
