Latest Crypto related questions

In small subgroup confinement attack in diffie hellman, what are the rules to calculate the value of K

Is there any rules about the order of the subgroup which we will be choosing to perform the exhaustive operation

I'm not fully sure what the most accurate terms would be to describe what I'm looking for, but here's the gist:

Let $u_1, \cdots, u_n$ be the users from a set of users $U$. Users may or may not submit some data $d_{u_1}, \cdots, d_{u_n}$ into my database, which I'll model as a set of data $D$. I want to be able to determine the set of users $U_{submitted} \subset U$ who submitted data to the database, w ...

What goes wrong if we use the same key k in deterministic counter mode to encrypt two different plaintext messages m0 /= m1.

It is not true that c0 = c1, because we XOR output of m0 with input of m1 in counter mode. As a result, c0 cannot equal c1, and c1 cannot be said to be the same as c0.

Could this be true?

Attacker find two c0 and c1, then find m0 and m1.

Currently, attackers can check all new me ...

It's well known that two parties, Alice and Bob, can flip a fair coin using commitments.

1. Alice picks a random number $a \in \mathbb{Z}_q$ and computes $c_a = Com(a, r_a)$ where $r_a \xleftarrow{R} \mathbb{Z}_q$. She then sends to Bob $c_a$.
2. Bob does the same, pick a number $b \in \mathbb{Z}_q$, and compute $c_b$ and send it to Alice.
3. Then, as Bob went second, he's required to open $c_b$ first, reveal ...

Does there exist a lattice in $\mathbb{R}^n$, with an independent generative family $(b_1, \dots, b_{n+1})$ of $(n+1)$ vectors (without any loss of generality I suppose $(b_1, \dots, b_{n})$ is a $\mathbb{R}$-basis), for no generative family of size $n$.

I know:

• If these vectors are in $\mathbb{Q}^n$, then the answer is NO, because the lattice is included in $\frac{1}{q}\mathbb{Z}^n$ with $q\in \mathbb ...

In a WPA2 (802.1X) scenario, there are 3 entities -> Supplicant (client), Authenticator (router) and Authentication server (Radius server). Radius server performs the authentication process and, as far as I understand, in the authentication process, the router works only as a proxy.

If an attacker is able to sniff the communication between the client and the router during WPA2 (802.1X) handsha ...

I have a question regarding the paper:

Andreeva, E. et al, Securely Release Unverified Plaintext in Authenticated Encryption , 2014 (DOI: 10.1007/978-3-662-45611-8_6)

AE schemes such as GCM [28] and CCM [40] reduce to CTR mode in the RUP setting. This is because the adversary does not need to forge a ciphertext in order to obtain information about the corresponding (unverified) plaintext.

I cann ...

I wonder if it's possible to do public key authentication (preferably not vulnerable to replay attacks) before modern computers became a thing (e.g. in a medieval setting).

Specifically:

1. Authentication can be done in a reasonable time by hand.
2. Brute force by hand requires unreasonable time. (But it may be possible with modern computers)

As I understand it, this would require that the disparity betwee ...

The iOS version of Signal application (not the protocol) includes a form of key wrap that I've never seen elsewhere: SHA256-HMAC-SIV.

It's used to encrypt your master key with your pwHash(PIN) before sending it to signal.org's Key Backup Service.

So far as I can tell, it does the following:

SHA256-HMAC-SIV(kek, raw)
kek: key encryption key
raw: original master key bytes

key_auth = HMAC(kek, "auth")
key_e ...

Let $G:\{0,1\}^n \leftarrow \{0,1\}^{2n}$ be a PRG. Establish whether the following PRG candidates $$G^{'},G^{''}:\{0,1\}^n \leftarrow \{0,1\}^{3n}$$ are secure or not:

• $G^{'}(s)=(x⊕y,u,v)$ where $(x,y)=G(s)$ and $(u,v)=G(y)$;
• $G^{''}(s)=(x,y ⊕ u,v)$ where $(x,y)=G(s)$ and $(u,v)=G(y)$;

This was in my exam today and I thought the following argument: Suppose $s$ random in $\{0,1\}^n$ then $(x,y) ...

How should I generate the remaining keys when performing subkey generation in AES encryption? I generated keys 0 and 1 first, but the other keys I generated later were wrongly generated, so what steps should I do to generate the rest? I know the steps of shifting rows and mixing columns but I don't know what to use when.

This is Key 0:

This is Key 1:

These are the rest of the keys, and I don't know ...

In this question, we restrict to RSA public keys $(n,e)$ such that

1. $n$ and $e$ are odd, $3\le e<e_\max$, $e<n$

   Note: For some old Windows API, $e_\max=2^{32}$. In FIPS 186-4, $e_\max=2^{256}$. Other requirements are from PKCS#1.

2. For all $m\in[0,n)$, it holds $m^e\bmod n=m$. That is, textbook RSA encryption is the identity function. Such unusual requirement is for debugging/analysis purposes. ...

From here - Batch Opening of KZG PCS

One can prove multiple evaluations $(\phi(e_i) = y_i)_{i\in I}$,for arbitrary points $e_i$ using a constant-sized KZG batch proof, $\pi_I = g^{q_I(\tau)}$, where

\begin{align} \label{eq:batch-proof-rel} q_I(X) &=\frac{\phi(X)-R_I(X)}{A_I(X)}\\ A_I(X) &=\prod_{i\in I} (X - e_i)\\ R_I(e_i) &= y_i,\forall i\in I\\ \end{align}

$R_I(X)$ can be interpola ...

Suppose that Alice has an X25519 key pair $\{S_A,P_A\}$ (secret and public key, respectively). Using randomly selected X25519 public keys $\{P_*\}$ (such that $P_A\notin \{P_*\}$), Alice calculates several values $X_* = \operatorname{X25519}(S_*,P_*)$.

She then repeatedly flips a (fair) coin. Each time, if the result is heads, she sends a (truly) random 256-bit string to Bob. If the result is tails, she ...

I rent a room in a building. There are also 9 others who rent other rooms in this building. Just like everyone else who rents a room I only have one key of this building.

With my key I can open the front door of the building. Just like everyone else who rents a room can with their key. However, only I can open the door of my room with my key and the others can't open my room with their keys. I ca ...

I was trying to come up with simple padding functions for the RSA, then trying to break them just to have a better understanding of why we need all the pieces used in the RSA OAEP... So, I am considering the following.

Let $N = p\cdot q$, $pk = e$ and $sk = d$ be the RSA parameters and keys, as usual.

Now, let $n = \lceil \log_2 N \rceil$ be the number of bits of $N$ and $k < n$ be some extra paramet ...

In university, I'm currently learning how to use Scyther to model security protocols. Currently I am trying to understand what is happening in an example protocol given to me which is:

# Key Establishment Protocol
#

usertype SessionKey;

protocol ke11(I,R,S)
{
    role I
    {
        var Kir: SessionKey;

        send_1(I,S, R); 
        recv_2(S,I,{Kir}k(I,S));

        claim_I1(I,Running,R,Kir) ...

The protocol would look like this:

1. User creates account and provides username, static public key
2. User logs in by sending username
3. Server responds by sending an ephemeral public key
4. For the duration of the user's session, all requests must be accompanied by the ECDH shared secret between user-static and server-ephemeral keys

So the shared secret is used as a raw token or cookie. Assuming the communic ...

My understanding is that iOS FaceID/Fingerprint for example use an underlying mathematical representation of the biometric features.

Is it possible to generate a key pair from this representation and re-generate the same key pair from the same input but on a different device for example?

I only found this old thread from 2014 that touches a similar subject but I'm wondering if there is a way to d ...

I'm working on a friendly tower finite field implementation for educational purposes. The library should allow easy building of tower fields from smaller ones - a user may define $\mathbb F_q$ and then build a tower field such as $\mathbb F_q \rightarrow \mathbb F_{q^k} \rightarrow \mathbb F_{(q^k)^m}$ and add/multiply inside the constructed field.

My initial plan was to reduce polynomial operations in t ...

What issues do yall see with the following in terms of key recovery and related key attacks:

RC4 used to "sign" a nonce:

3 byte nonce concatenated with 16 byte long term key > RC4 Keystream Generator > 259 bytes keystream output

Discard first 256 bytes of keystream leaving only last 3 bytes "Signature"

3 byte Nonce / 3 byte Signature pairs are the only information sent publicly

I'm studying the post-quantum cryptography (PQC). While studying hash-based pqc, I read a thesis about Winternitz one-time signature scheme (W-OTS). What is the exact definition of "One-time Signature (OTS)"? There is lots of papers and posts quote the word "OTS", but anybody didn't write the definition of OTS.

This may be a very basic question.

I know that symmetric key algorithms use the same key to encrypt and decrypt plaintext and ciphertext.

However, it seems that hash functions are often classified as symmetric key cryptography.

Even though the key is not used in the hash function, from what point of view can it be classified as symmetric key cryptography?

I am presented with the following problem:

Given a set of matrices $M = \{A^i_{m,n} : 0 < i < 101 \}$ design a procedure to compose all of them into one encrypted matrix $E_{m,n}$ and later decompose (decrypt) it into the initial set. The procedure should be as difficult to break as possible (quantum-resistant preferably). It does not need to be fast, as the message will be sent only once (meaning t ...

Is there any way in which classical computers oculd end up breaking ECDLP. I read that GNFS could through prime factorization, but I am not sure if I understood this properly.

On my old laptop, ChaCha20 is quite a bit faster than AES as there is no hardware acceleration for AES. But for disk encryption AES based schemes seem to be the only option, as a stream cipher like ChaCha20 cannot directly be used for disk encryption. Is it possible to use ChaCha20 in some other way/mode to make it suitable for disk encryption? Or are there any good block ciphers (maybe ARX ciphers?) ar ...

According to the Curve25519 website:

Computing secret keys. Inside your program, to generate a 32-byte Curve25519 secret key, start by generating 32 secret random bytes from a cryptographically safe source: mysecret[0], mysecret[1], ..., mysecret[31]. Then do

mysecret[0] &= 248;
mysecret[31] &= 127;
mysecret[31] |= 64;

to create a 32-byte Curve25519 secret key mysecret[0], mysecret[1], .. ...

As we know, the IV and the output of SHA-256 are identical in size. Suppose the input value to the SHA-256 is completely transparent. Is there any correlation between IV value and output? Is it possible to limit the output space?

I would appreciate it if you can introduce any source - article or manuscript in this specific subject.

I am trying to show that UF-naCMA doesn't imply UF-CMA. UF-naCMA is actually defined as UF-CMA but the adversary should send $q \in poly$ messages $m_i$ chosen non-adaptively (i.e. all at the same time) before obtaining the public key. Then, as in UF-CMA in order to win he has to forge a valid $(m^*,\sigma^*)$ with $m^*$ fresh.
I can see the implication doesn't hold intuitively but can't figure out an eff ...

In RSA, one of the math background is:

m ^ φ(n) % n == 1, where m is the message to be sent, n = p * q.

The equation is from λ(n) (Carmichael function), which requires m and n are co-primes.
And, since n = p * q, thus φ(n) = λ(n), I guess. Question 1: is this correct?

Question 2: If m equals p or q, then m and n are not co-primes, in this case, does that means decryption will be wrong, aka. the pri ...