Does encrypting plaintext multiple times with the same stream cipher but independent keys increase security? If each key is n-bits, and the cascade uses m-streams, could this be considered mn-bit encryption? If so, when?

Versions of this question are already addressed in the following posts, but they seem to mostly discuss the result by Maurer and Massey, which states that the security is at leas ...

This is a follow-up of my previous two questions (1 and 2), might be relevant to check them out first for a full context. I am trying to re-create results from this paper. The basic algorithm is described here.

I am trying to implement NTRUEncrypt system but working on a Quaternion algebra. I think the code is correct since it works fine for a very simple blinding value $r$. The problem is - it works

I have access to an HSM that can sign messages but doesn't have a way to expose the private key. The signatures are deterministic (RFC 6979). Another application only works with ed25519 signatures which isn't supported by the HSM.

Is it safe to have the HSM sign a message and use the signature as a secret to deterministically generate an ed25519 key pair? If not, I would like to know why instead o ...

So I needed symmetric encryption for my program. I landed on AES 192 bits in the CTR mode, because of some Computerphile videos on YouTube.

After using it with the Node.js "crypto" lib implementation, I noticed that some of the outputs are very similar. The output is created from a UTF-8 SQL syntax string input and digested to base64. Based on what know so far, this makes sense, since a lot of S ...

I am looking at the paper on Kate Polynomial Commitments.

The paper refers to Appendix A & Appendix B but it's not available with the document. Does anyone know where I find the full paper with the Appendices?

I am self studying "A Graduate Course in Applied Cryptography" by Boneh-Shoup. I am not sure if my proof for the following problem in the book is correct. The problem asks to prove that if a stream cipher is semantically secure, then the underlying PRG is secure. Please let me know if my attempt works. If my solution is incorrect, I would appreciate a hint for how to approach the problem.

Let $G$

Hey I got a pointer a while ago to hidden order groups and I found papers like https://eprint.iacr.org/2006/178.pdf dating way back using this, but I couldn't find any elementary read on what can and can't I do with hidden order groups.

Does anyone have a small pointer for me on where to pick up reading?

I'm a newbie, currently interested in data security & integrity.

I'm quite new to blockchain and distributed system theories, and suffering from some unclear doubts/questions on the fault-tolerant consensus.

May I ask for your kind advice on my dull thoughts regarding on the blockchain's true objective?

It would be a great help for me to step forward on understading better concept of consensus.

I need to know if there is a security proof for ECDSA in the Random Oracle model?

Using the notation from the Wikipedia article: https://en.wikipedia.org/wiki/Schnorr_signature, the Schnorr signature mixes the random value $k$ and the hash $e$ like this:

$$s = k - xe$$

(Where $x$ is the private key scalar)

My question is: What would be the problem with reversing the two scalars like this:

$$s = e - xk$$

And the recovering the hash in the point domain directly like this:

$$e_v = ...

I was reading the FORS and DFORS Few-Time-Signature scheme. I understood the security of HORS Few time signature equals to $ (rk/t)^k $, but I could not understand the security of FORS is $ (r/t)^k $ as discussed in the following paper page no 5. [Hash based signatures Revisited]: https://eprint.iacr.org/2020/564.pdf

In FORS few time signature, How Adversary A who observed the signatures of r messages ...

I'm considering a case when after hybrid encryption (AES Key encrypted via RSA) RSA key will be "splited" like in OTP. On the end one side gets encrypted AES key and "half" key RSA, and second side gets another "half" RSA and encrypted data what force to combine both sides to decrypt data.

But...

What in case when same data need to be decrypted multiple times ? As I undersand then OTP is vulnerable  ...

Let A(x) and B(x) be two secret polynomials. Suppose a user publishes commitments $C_A$ and $C_B$ to these polynomials (such that the lengths of $C_A$ and $C_B$ are sublinear in the degree of $A(x)$ and $B(x)$). I would like to prove that the GCD of these two polynomials, (given the commitments) is 1. Is there a special scheme that proves such statement (i.e., not a NIZK for a general computatio ...

Is there a well know (cryptographically secure) algorithm to shuffle a vector of values, deterministically, without using any randomness, such that it is hard (or as hard as possible) to guess its initial configuration?

The goal is to achieve an effect similar to what a hash function achieves, but instead of producing a digest, it should simply shuffle the data.

I know I can hash the data and use th ...

I'm currently trying to write the blake3 algorithm in JS using the official whitepaper or what it's called.

If I understand correctly then... after the 7 round keyed permutation (at the end of the compression function) the first half of the output values is then xor'ed with the latter half to get the NEW first half. And the latter half is xor'ed with "h0... h7", which AFAIK are the chaining value ...

I did some experimenting with web subtle crypto.

I derived a key using PBKDF2 with SHA-512 and 100 000 iterations and timed it. Doing same with 200 000 rounds doubled the time as expected.

Then I did PBKDF2 twice in parallel, both with same password, same iteration count (100k) but different salts. This took about same time than doing one time 100 000 iterations. I took the results and hashed those  ...

In light of the LastPass hack their use of PBKDF2 had me wondering a few things.

1. If PBKDF2 with a salt and the Master password is used to generate a vault password every time you type in your master password to access the vault wouldn't that salt need to always be the same?

2. If so then where is that salt stored and wouldn't that also be in clear text?

3. Wouldn't the Pseudorandom function also alw ...

We have a block cipher $E:\{0,1\}^{128}\times\{0,1\}^{128}\rightarrow\{0,1\}^{128}$.

We know that the PRP advantage of E is Adv$_E^{PRP}=t/2^{128}$ where $t$ is the time needed by the algorithm to get the maximum advantage.

From $E$ we define $E'$ such that $E':\{0,1\}^{128}\times\{0,1\}^{128}\rightarrow\{0,1\}^{128}$ and $E'(k,\cdot)=E(k\bmod126,\cdot)$

Two questions:

1. What is the PRP advantage of

https://en.wikipedia.org/wiki/Disk_encryption_theory

Why do we use XTS over CTR for disk encryption?

If we used ChaCha20 (without authentication) by simply encrypting each disk sector with the same random key and with the block number as the nonce (no additional data), how would this break the properties of the security model outlined in the Wikipedia link above, under "Problem definition"?

The ChaCha k ...

I want to encrypt data on client side with Openssl AES 128 GCM and decrypt those data on server side inside Intel SGX using rijndael 128 GCM. I can see inside sgx_aes_gcm.cpp that it uses the same functions from Openssl.

I can imagine that the tag generated by EVP_CIPHER_CTX_ctrl(pState, EVP_CTRL_GCM_GET_TAG, 16, tag) function is mandatory for the decryption to success.

So my question is, how can I  ...

I am a web developer and a newbie in cryptography, so my question may sound not very related to this community, let me know if so, and where to ask.

Context is a distributed application, to exchange an important notifications, with a digital proof that users exchanged them. Will use standard Alice and Bob parties names below. Application is not about cryptocurrencies and do not use blockchain. it is  ...

I'm aware that GnuPG encrypts for multiple recipients, but is there any way to build a multisig, say, 2 of 5 signatures with GPG?

So having a file encrypted for the following recipients needs at least two of the five to decrypt it:

gpg --encrypt \
  --recipient [email protected] \
  --recipient [email protected] \
  --recipient [email protected] \
  --recipient [email protected] \
  --recipient eve@exampl ...

I'm reading Boneh and Shoup's book "A Graduate Course in Applied Cryptography." Im doing one of the questions at the end of the stream ciphers chapter. I'm not sure how to do this problem:

Let $\mathcal{E} = (E,D)$ be a cipher defined over $\mathcal{K}, \mathcal{M}, \mathcal{C}$. Assume that one can efficiently generate messages from the message space $\mathcal{M}$ at random. We define an attack ga ...

Let's say we have an IND-CPA secure public key encryption scheme $\Pi = (\text{Gen}, \text{Enc}, \text{Dec})$. Construct a new PKE $\Pi' = (\text{Gen}', \text{Enc}', \text{Dec}')$ that behaves exactly as $\Pi$ except it additionally leaks the hash of the private key. For example, $\text{Gen}' = (sk, pk \vert \vert H(sk))$ where $(pk,sk) \xleftarrow{} \text{Gen}()$ and $H$ is a hash function (for c ...

Situation

I need to generate unique 16-digit decimal values in NodeJS API or C++ Addon.

It's used internally in my organization (gift card id). And performance doesn't matter as it's generated non-realtime.

I've searched for some options, but unsure about their safety. If there's better way to do it, please let me know.

Option 1. Use crypto.randomInt

Generate Integer Between 0 and 9, 16 Times.

The documen ...

In the concept of Automatic Test Pattern Generation (ATPG), two events are required to perform in sequence: Fault Activation and Fault Propagation.

In the case of a linear 2-input XOR gate, without loss of generality, we consider a stuck-at-0 fault at the input register a, while the input register b may take values independently. In order to activate the fault at a, one must set a = 1. The next step  ...

This question pertains to identity-based key encapsulation mechanisms (IB-KEMs). To recap the functionality:

• $\mathsf{KeyGen}(1^\lambda) \to (\mathsf{msk}, \mathsf{mpk})$ Generates the master keypair
• $\mathsf{Extract}(\mathsf{mpk}, \mathsf{msk}, \mathsf{id}) \to \mathsf{usk}$ Constructs an identity-bound private key $\mathsf{usk}$ that can be used for decapsulation.
• $\mathsf{Encap}(\mathsf{mpk}, ...

I am implementing TLS (or something like it perhaps) because the browser doesn't seem to provide a direct client-script interface to TLS. The browser provides a SubtleCrypto.encrypt() function that claims to do AES-GCM. However, the documentation for this function does not mention an input for RFC 5246/5116 AEAD Associated Data A which is authenticated but not encrypted.

Is there a way to use the existing ...

Let we have 2 generator $G$ and $H$ in any elliptic curve.

A prover creates a ciphertext with Homomorphic ElGamal, $(r_1G,\;mG + r_1P)$ such that $r_1$ is random and $P$ is public key of the prover.

Then the prover creates a Pedersen commitment $(mG + r_2H)$ or $(mH + r_2G)$ if it makes the proof easier.

The prover wants to make a proof that the encrypted message and the message hidden in the commitm ...

This is an existing website with approx. 100K accounts, and passwords are hashed using bcrypt with a high number of rounds.

The current design that I'm questioning is that we're sending the username and password to the server, and doing the bcrypt on the server, instead of sending a SHA generated in the browser and bcrypting that, so that we never touch the user's password.

The original rationale wa ...