Latest Crypto related questions

Score: 2
Is it possible to encrypt data with two public keys?

Can we encrypt data with two public keys and the encrypted data only needs one private key to decrypt once encrypted?

Score: 1
nivedita
How new cache designs stop cache-based side channel attacks

How do new cache designs aid in defending against cache-based side-channel attacks? While conducting a side-channel attack, we have the T-table/S-box's virtual address. Normally, address mapping is handled by the operating system. An adversary can always determine the virtual address. How will a new cache design help?

New cache design - https://memlab.ece.gatech.edu/papers/MICRO_2018_2.pdf

The code  ...

Score: 3
Ievgeni
Why is the polynomial of GCM primitive?

I'm interested in the polynomial used in GCM mode: $X^{128}+X^7+X^2+X+1$

This polynomial is primitive (over $\mathbb{F}_2$). What is the point of choosing a primitive polynomial rather than simply an irreducible one? Is it a coincidence?
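
As an added example (not part of the post), the following script checks the primitivity claim directly. A degree-$d$ polynomial $m$ over $\mathbb{F}_2$ is primitive iff $X$ has multiplicative order exactly $2^d-1$ in $\mathbb{F}_2[X]/(m)$, which is tested by raising $X$ to $(2^d-1)/p$ for every prime $p \mid 2^d-1$; the factorisation of $2^{128}-1$ is stated as a known value and re-verified in the block. Function names and the Miller-Rabin helper are the example's own.

```python
# x^128 + x^7 + x^2 + x + 1 as a bit vector (bit k = coefficient of x^k)
GCM_POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1

# Known factorisation 2^128 - 1 = (2^64 - 1)(2^64 + 1); factorisation_is_complete re-checks it.
FACTORS_2_128_MINUS_1 = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]


def gf2_mulmod(a, b, m):
    """Product of a and b in GF(2)[x]/(m); a, b already reduced, m of degree deg."""
    deg = m.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= m
    return r


def gf2_powmod(base, exp, m):
    """Square-and-multiply in GF(2)[x]/(m); exp ~ 2^128 costs only ~128 squarings."""
    result = 1
    while exp:
        if exp & 1:
            result = gf2_mulmod(result, base, m)
        base = gf2_mulmod(base, base, m)
        exp >>= 1
    return result


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases, deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def factorisation_is_complete(n, primes):
    prod = 1
    for p in primes:
        prod *= p
    return prod == n and all(is_probable_prime(p) for p in primes)


def is_primitive(m, prime_factors):
    """m of degree d is primitive iff x has order exactly 2^d - 1 in GF(2)[x]/(m):
    x^(2^d-1) = 1 and x^((2^d-1)/p) != 1 for every prime p | 2^d - 1.
    A reducible m cannot give x that order, so this also settles irreducibility."""
    d = m.bit_length() - 1
    n = (1 << d) - 1
    if not factorisation_is_complete(n, prime_factors):
        raise ValueError("prime_factors must be the full factorisation of 2^d - 1")
    x = 2
    if gf2_powmod(x, n, m) != 1:
        return False
    return all(gf2_powmod(x, n // p, m) != 1 for p in prime_factors)


if __name__ == "__main__":
    print("GCM polynomial primitive:", is_primitive(GCM_POLY, FACTORS_2_128_MINUS_1))
    # The AES polynomial x^8+x^4+x^3+x+1 is irreducible but NOT primitive (x has order 51)
    print("AES polynomial 0x11B primitive:", is_primitive(0x11B, [3, 5, 17]))
```

GHASH only needs $\mathbb{F}_2[X]/(m)$ to be a field, so irreducibility is what the GCM security argument uses; primitivity is a stronger property that this test confirms for the chosen low-weight pentanomial. The same routine shows the AES polynomial is irreducible yet not primitive, which is why AES's S-box generation uses $0x03$, not $0x02$, as a generator.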

Score: 0
abbas
Best complexity of guessing some bits of AES-256 outputs

Suppose we have a plaintext $m$ with $|m| = 128$. Now suppose we know $l$ bits of the output $AES_k(m) = c$.

What is the best complexity of guessing the remaining $128-l$ bits of the output with probability at least $\frac{1}{2}$? Note that we don't know the value of $k$.

Score: 1
vimwitch
Data fingerprint using polynomial and Schwartz-Zippel Lemma

I'm working on a protocol and am looking for a way to fingerprint a set of elements. All elements are evenly distributed across a finite field that is the integers modulo $2^{256}$.

Assume I have a set of elements $[v_0, v_1, v_2, v_3]$, and a strong random value $R$ (also in the field).

I construct a hash like this $H = v_0 + v_1R + v_2R^2 + v_3R^3$

Can Schwartz–Zippel lemma be applied to this? Like th ...
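
As an added example (not part of the post), here is the fingerprint evaluated in a prime field together with the Schwartz-Zippel bound and the collision that becomes trivial when $R$ is known before the elements are chosen. It assumes the prime field $\mathbb{F}_p$ with $p = 2^{256} - 2^{32} - 977$ (the secp256k1 base-field prime) in place of the post's integers modulo $2^{256}$, since the latter form a ring rather than a field and the lemma needs a field; the function names are the example's own.

```python
from fractions import Fraction
import secrets

# Assumption for this example: work in the prime field F_p rather than the
# integers modulo 2^256 (that is a ring; Schwartz-Zippel needs a field).
P = 2**256 - 2**32 - 977   # secp256k1 base-field prime


def fingerprint(values, r, p=P):
    """H(r) = v0 + v1*r + v2*r^2 + ... evaluated in F_p by Horner's rule."""
    acc = 0
    for v in reversed(values):
        acc = (acc * r + v) % p
    return acc


def collision_bound(num_elements, p=P):
    """Schwartz-Zippel, univariate case: two distinct lists of n elements give a
    nonzero polynomial of degree <= n-1, which has at most n-1 roots in F_p, so a
    uniformly random r makes the fingerprints collide with probability <= (n-1)/p."""
    return Fraction(max(num_elements - 1, 0), p)


def fresh_challenge(p=P):
    """The bound only holds when r is drawn uniformly AFTER the data is fixed."""
    return secrets.randbelow(p)


def forge_collision(values, r, p=P):
    """If the adversary learns r before committing to the data, collisions are
    trivial: bump v1 and repair v0 so that v0 + v1*r (and hence H) is unchanged."""
    v = list(values)
    v[1] = (v[1] + 1) % p
    v[0] = (v[0] - r) % p
    return v


if __name__ == "__main__":
    data = [7, 11, 13, 17]                  # constructed sample elements
    r = fresh_challenge()
    print("H =", hex(fingerprint(data, r)))
    print("collision probability <=", collision_bound(len(data)))
    evil = forge_collision(data, r)
    print("forged list collides:", fingerprint(evil, r) == fingerprint(data, r))
```

In a protocol, $R$ therefore has to come from the verifier (or from a Fiat-Shamir hash over the committed elements), never from the party that supplies the elements.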

Score: 4
Bhargav - Retarded Skills
Can we change the irreducible polynomial of AES algorithm?

The AES algorithm uses the irreducible polynomial

$x^8+x^4+x^3+x+1$

for the multiplications by the MDS matrix during encryption and decryption. Am I allowed to replace this polynomial with another one? If so, do I need to redesign the MDS matrix? Does this affect the security standards?
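
As an added example (not part of the post), the block below implements $\mathrm{GF}(2^8)$ multiplication with the reduction polynomial as a parameter, runs the AES MixColumns matrix and its FIPS 197 inverse under both the AES polynomial and a second irreducible polynomial assumed for the demo ($x^8+x^4+x^3+x^2+1$, 0x11D), and includes a brute-force irreducibility test. Function names are the example's own.

```python
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the polynomial AES uses
ALT_POLY = 0x11D   # x^8 + x^4 + x^3 + x^2 + 1, another irreducible polynomial (assumed for the demo)

# AES MixColumns matrix and its inverse (FIPS 197, sections 5.1.3 and 5.3.3)
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def gf_mul(a, b, poly):
    """Multiply two bytes in GF(2)[x]/(poly); poly carries its x^8 bit."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= poly & 0xFF
    return r


def gf2_mod(a, m):
    """Remainder of polynomial a modulo polynomial m over GF(2) (ints as bit vectors)."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def is_irreducible_deg8(poly):
    """A degree-8 polynomial is irreducible iff no polynomial of degree 1..4 divides it."""
    if poly.bit_length() != 9:
        raise ValueError("expected a degree-8 polynomial")
    return all(gf2_mod(poly, f) != 0 for f in range(2, 1 << 5))


def mix_column(col, matrix, poly):
    """One MixColumns (or InvMixColumns) step on a 4-byte column."""
    out = []
    for row in matrix:
        acc = 0
        for m, c in zip(row, col):
            acc ^= gf_mul(m, c, poly)
        out.append(acc)
    return out


def mix(col, poly=AES_POLY):
    return mix_column(col, MIX, poly)


def inv_mix(col, poly=AES_POLY):
    return mix_column(col, INV_MIX, poly)


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]   # FIPS 197 MixColumns example column
    for name, poly in (("AES 0x11B", AES_POLY), ("alt 0x11D", ALT_POLY)):
        out = mix(col, poly)
        print(name, "irreducible:", is_irreducible_deg8(poly),
              "mixed:", [hex(b) for b in out],
              "round trip ok:", inv_mix(out, poly) == col)
```

Two things the run shows. The decryption matrix does not need to be redesigned: every entry of the product of the two matrices is a sum of products of the small constants 1, 2, 3, 9, 11, 13, 14, all of degree below 8, so no reduction ever happens and the matrices are inverses under any reduction polynomial. What does change is the output: with a different polynomial the multiplications by 2 and 3 on arbitrary bytes reduce differently, so the result is a different cipher that no standard AES implementation will interoperate with, and its security would have to be argued from scratch (including re-checking the MDS property in the new field). There are only 30 irreducible polynomials of degree 8 over $\mathbb{F}_2$, and the count is asserted in the test.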

Score: 1
Bhargav - Retarded Skills
What is the simplest way to implement data encryption for a Raspberry Pi project that communicates through Bluetooth?

I have developed a project based on a Raspberry Pi that communicates through Bluetooth with an Android application. My idea is to enhance its privacy through encryption, so I've tried chaotic encryption.

But I've observed higher latency while encrypting, and mainly I was dealing with images. It is adding a lot of noise in the channel and destroying the contents of the image (most of the times ...

Score: 4
abbas
Best complexity of guessing difference of AES-256 outputs

Suppose we have two plaintexts $m_1$ and $m_2$ such that $|m_1| = |m_2| = 128$ and the two plaintexts differ in just one bit. Now suppose we know the value of $c_1 = AES_{k}(m_1)$ ($|k| = 256$).

What is the best complexity of guessing the difference $c_1 \oplus c_2$ with probability at least $\frac{1}{2}$, considering that we don't know the values of $c_2$ and $k$?

Score: 1
Alec Holland
References and Books for the basics

I started studying again recently, and I forgot plenty of stuff.

But there are 2 areas that I am really struggling with.

  • The procedures to prove and demonstrate theorems.
  • The basic math necessary for cryptography.

Do you guys have any books and references that make those two items easy to learn?

Thank you!!

Score: 1
phantomcraft
Could Blowfish be extended to larger block/key sizes if increasing the level of sum and XOR operations?

Blowfish encryption works as follows:

1 - XOR the round key with half of the plaintext.
2 - Split the 32-bit word into 4 bytes and feed each one into its S-box.
3 - Add the result of byte #1 to that of byte #2 and XOR the result with that of byte #3.
4 - Add the above result to the result of byte #4.
5 - XOR the result of the above operations into the other half of the plaintext.
6 - Repeat the steps above 15 more times.
 ...

Score: 3
yacrc
Is there a 32 bit block cipher that is also a permutation over all 4bn elements?

Purpose: I'd like to shuffle a file system's blocks without losing space, so I thought that if I formatted the disk to have exactly 2^32 = 4bn sectors, then a secure cipher with 32-bit-wide data blocks could map all sectors to new ones without wasting space, unlike a hash map would because of its collision chances.
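
Any block cipher is, for a fixed key, a bijection on its block space, so a 32-bit block cipher (Speck32/64 is a published one) permutes all $2^{32}$ sectors with no collisions by construction. As an added example (not part of the post), the block below builds such a permutation from scratch as a balanced Feistel network whose round function is HMAC-SHA256, which is a permutation regardless of the round function and is invertible with the same key; the block width is a parameter so the bijection can be checked exhaustively at a small size. The round count of 8 and the key used are assumptions of the demo.

```python
import hashlib
import hmac

ROUNDS = 8   # assumption for the demo; Luby-Rackoff needs 4 rounds for a strong PRP with a PRF round function


def _round_function(key, i, half, half_bits):
    """Keyed PRF for round i: HMAC-SHA256 over (round index, right half), truncated to half_bits."""
    msg = bytes([i]) + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << half_bits) - 1)


def _split(x, bits):
    half_bits = bits // 2
    return x >> half_bits, x & ((1 << half_bits) - 1), half_bits


def feistel_encrypt(key, x, bits=32, rounds=ROUNDS):
    """Bijection on [0, 2^bits): a balanced Feistel network over two bits/2-bit halves."""
    if bits % 2 or not 2 <= bits <= 64 or not 0 <= x < (1 << bits):
        raise ValueError("bits must be even and <= 64, x must fit in bits")
    L, R, half_bits = _split(x, bits)
    for i in range(rounds):
        L, R = R, L ^ _round_function(key, i, R, half_bits)
    return (L << half_bits) | R


def feistel_decrypt(key, y, bits=32, rounds=ROUNDS):
    """Inverse permutation: same round functions, applied in reverse order."""
    L, R, half_bits = _split(y, bits)
    for i in reversed(range(rounds)):
        L, R = R ^ _round_function(key, i, L, half_bits), L
    return (L << half_bits) | R


def is_permutation(key, bits, rounds=ROUNDS):
    """Exhaustive check (small bits only): every input maps to a distinct output."""
    images = {feistel_encrypt(key, x, bits, rounds) for x in range(1 << bits)}
    return len(images) == 1 << bits


if __name__ == "__main__":
    key = b"constructed demo key, use a random one"
    sector = 123456789
    moved = feistel_encrypt(key, sector)
    print(f"sector {sector} -> {moved} -> {feistel_decrypt(key, moved)}")
    print("12-bit instance is a permutation:", is_permutation(key, 12))
```

The exhaustive check is only feasible for small widths; for the 32-bit instance the argument is structural (each Feistel round is invertible, so their composition is). A 32-bit block is fine for permuting sector indices but far too small to encrypt the sector contents themselves, where the birthday bound on $2^{32}$ blocks would be reached within a few gigabytes.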

Score: 3
Celdor
fully homomorphic encryption without bootstrapping

In this paper by Alperin-Sheriff and Peikert from 2014, the authors state

To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitrary unbounded computations.

Is this still correct today or are there new schemes that don't require bootstrapping for the same effect?

Are there any newer FHE schemes that don't have noise accumulation and therefore don't n ...

Score: 2
George Herbert
How to calculate soundness error of a sigma protocol?

How do I calculate the soundness error of a sigma protocol, such as Schnorr's interactive protocol for knowledge of a discrete logarithm?
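
As an added example (not part of the post), the block below runs Schnorr's protocol for knowledge of a discrete logarithm in a toy group and makes the soundness error concrete from both sides: a prover without the witness can prepare a commitment that satisfies exactly one guessed challenge, so it succeeds with probability $1/q$, and two accepting transcripts with the same commitment and different challenges let an extractor recover the witness (special soundness). The group parameters $p = 2039$, $q = 1019$, $g = 4$ are assumptions of the demo, chosen small so the script is readable; the function names are the example's own.

```python
import secrets
from fractions import Fraction

# Toy parameters (assumption for the demo): p = 2q + 1 with p = 2039 and q = 1019
# both prime, g = 4 generates the subgroup of order q. Real deployments use a
# ~256-bit q; the algebra is identical.
P, Q, G = 2039, 1019, 4


def keygen():
    w = secrets.randbelow(Q - 1) + 1      # witness (discrete log), never 0
    return w, pow(G, w, P)                # (w, h = g^w)


def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                # (r, a = g^r)


def prover_respond(w, r, c):
    return (r + c * w) % Q                # z = r + c*w


def verify(h, a, c, z):
    return 0 < a < P and pow(G, z, P) == a * pow(h, c, P) % P


def soundness_error():
    """The challenge is uniform in Z_q and a prover without w can satisfy at most
    one challenge per commitment (see extract), so the soundness error is 1/q."""
    return Fraction(1, Q)


def cheat_commit(h, guessed_c):
    """Prover without w: choose z first and back-compute a = g^z * h^(-c*).
    Accepted iff the verifier's challenge equals the guess c*, probability 1/q."""
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(h, guessed_c, P), -1, P) % P
    return a, z


def extract(a, c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (a, c1, z1), (a, c2, z2) with
    c1 != c2 give w = (z1 - z2) / (c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("need two different challenges")
    return (z1 - z2) * pow((c1 - c2) % Q, -1, Q) % Q


if __name__ == "__main__":
    w, h = keygen()
    r, a = prover_commit()
    c = secrets.randbelow(Q)
    print("honest run accepted:", verify(h, a, c, prover_respond(w, r, c)))
    c2 = (c + 1) % Q
    z1, z2 = prover_respond(w, r, c), prover_respond(w, r, c2)
    print("extracted witness matches:", extract(a, c, z1, c2, z2) == w)
    print("soundness error:", soundness_error())
```

The extractor is the whole calculation: if a commitment $a$ can be answered for two challenges, the witness exists, so a prover without it can answer at most one of the $q$ challenges, and the error is $1/|\text{challenge space}| = 1/q$. Repeating the protocol $t$ times (or using a larger challenge space) drives it to $q^{-t}$.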

Score: 1
killertoge
Intuition of the UC framework

I am trying to get into Universal Composable Security, but before diving deeper I would like to confirm my intuition of the framework.

https://eprint.iacr.org/2000/067.pdf

A protocol $\pi$ securely evaluates a function $\mathcal{f}$ if for any adversary $\mathcal{A}$ there exists an "ideal adversary" $\mathcal{S}$ such that no environment $\mathcal{E}$ can tell with non-negligible probability whether it ...

Score: 1
Myath
Best attack estimates on AES

The wikipedia article on the Advanced Encryption Standard claims an attack against AES-128 with complexity $2^{126.1}$. The NIST call for proposals for post-quantum cryptography (table on page 18) estimates $2^{143}$ classical gates for key-search attack against AES-128.

  1. What does the number in the wikipedia article mean? Number of gates or something else?
  2. Where do these numbers come from?
  3. What is the e ...

Score: 8
uk-ny
AES vs. SHA2 in key-stream generation

A KDF in Counter Mode (e.g., see NIST SP 800-108r1, Section 4.1; similar to HKDF) produces its output the way AES-CTR would if one replaced AES with SHA2 (or, to be exact, with HMAC).

However, NIST, Section 6.3, does not recommend using the derived keying material as a key stream. As far as I understand, they mean the way it is used in AES-CTR.

How may AES be better than the SHA2 compression funct ...
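
As an added example (not part of the post), the block below implements the SP 800-108 KDF in Counter Mode with HMAC-SHA256 as the PRF, using the fixed-input layout $[i]_2 \,\|\, \text{Label} \,\|\, 0x00 \,\|\, \text{Context} \,\|\, [L]_2$ with 32-bit counter and length fields (the field widths are a common choice, assumed here), and then shows the key-stream use the post refers to: with nothing in the input playing the role of a nonce, the same key and context yield the same bytes, so two messages XOR to the XOR of their plaintexts exactly as under a repeated AES-CTR counter. Function names are the example's own.

```python
import hashlib
import hmac


def kdf_counter_mode(key_in, label, context, length, r_bits=32):
    """SP 800-108 KDF in Counter Mode, PRF = HMAC-SHA256.
    K(i) = PRF(K_IN, [i]_r || Label || 0x00 || Context || [L]_32), i = 1..n,
    output = leftmost `length` bytes of K(1) || ... || K(n); L is the length in bits."""
    h_len = hashlib.sha256().digest_size
    n = -(-length // h_len)                          # ceil(L / h)
    if n >= 1 << r_bits:
        raise ValueError("counter would wrap")
    l_field = (length * 8).to_bytes(4, "big")        # [L]_2, assumed 32 bits wide
    out = b""
    for i in range(1, n + 1):
        fixed_input = i.to_bytes(r_bits // 8, "big") + label + b"\x00" + context + l_field
        out += hmac.new(key_in, fixed_input, hashlib.sha256).digest()
    return out[:length]


def encrypt_as_keystream(key_in, context, plaintext):
    """The use SP 800-108 section 6.3 advises against: derived bytes XORed onto data.
    Structurally this is CTR mode with HMAC in place of AES, and the counter alone
    provides no per-message freshness."""
    keystream = kdf_counter_mode(key_in, b"keystream", context, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


if __name__ == "__main__":
    key = bytes(range(32))                           # constructed demo key
    k1 = kdf_counter_mode(key, b"enc", b"session-1", 48)
    print("derived 48 bytes:", k1.hex())
    c1 = encrypt_as_keystream(key, b"ctx", b"attack at dawn!")
    c2 = encrypt_as_keystream(key, b"ctx", b"retreat at noon")
    print("c1 xor c2 == p1 xor p2:",
          bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(b"attack at dawn!", b"retreat at noon")))
```

Note that $[L]_2$ is part of every block's input, so asking for 64 bytes does not give the 32-byte output as a prefix; that binding is deliberate and is asserted in the test.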

Score: 2
werthy
Proxy Re-Encryption based on standard ElGamal

ElGamal-based BBS proxy re-encryption is well known, but it works on a variant of ElGamal like ($mg^r$, $g^{xr}$), not standard ElGamal ($g^r$, $mg^{xr}$). After reading the original paper, I found the authors mentioned that the proxy scheme can be extended to work with standard ElGamal encryption. But unfortunately they do not describe it in detail.

I think it may look like:

  1. Alice encrypts $m$ as

Score: 3
smoking_huge_doinks
Relevance of the BabyJubJub scalar multiplication algorithm

In section 4.3.2 of this paper describing the BabyJubJub curve, an algorithm for computing the scalar multiple $[k]P$ is given, where $k$ is an arbitrarily large integer and $P$ is a point whose order is $251$ to $254$ bits on the BabyJubJub curve. In this algorithm, $k$ is 'split' into chunks of $248$ bits and the algorithm computes the scalar multiple $[k]P$ using these chunks.

My question is the ...

Score: 2
macknight
Why does CKKS decryption have approximate correctness?

I'm looking at the following text:


Why does CKKS decryption have an approximate correctness requiring that $\|u + e\| < {q / 2}$?

I mean if $\|u + e\| \ge {q / 2}$, how can I prove the CKKS decryption doesn't have approximate correctness?

Score: 0
SHI MA
Security proof of the Schnorr Signature

How can the security of the Schnorr signature be proved against signature forgery, replacement, and replay attacks?

Score: 1
Ievgeni
Good libraries for lattice-crypto

I'm searching for good libraries for manipulating lattice tools to do cryptography.

I'm mainly interested in C/C++, but I'm also interested if it is in Python.

Score: 0
Bhargav - Retarded Skills
Is 7-Zip Encryption really secure?

Is 7-Zip really a good encryption tool? I wonder what kind of encryption is used in 7-Zip. I see most people using 7-Zip. Just curious to what extent it is safe.

Score: 5
Coordinates in Elliptic Curves used in cryptography

I have noticed that points on a NIST curve (secp256, secp384, etc.) or some other elliptic curves used in cryptography, when represented as 04 | x coordinate | y coordinate in hexadecimal, have coordinates that appear to have a fixed length. Is this something that is proved somewhere? As far as the math goes, I do not see any obvious reason why this would be true.
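
The fixed length is not a theorem about the curve but an encoding rule: each coordinate is a field element in $[0, p)$, and SEC 1 (section 2.3, the FieldElement-to-OctetString and EllipticCurvePoint-to-OctetString conversions) writes every field element in exactly $\lceil \log_2 p / 8 \rceil$ octets, zero-padded, so the parser can split the string without a length prefix. As an added example (not part of the post), the block below implements that encoding for secp256k1 (chosen as the example curve because its field prime allows a one-line square root; the rule is the same for the NIST curves), round-trips the generator, and deliberately finds a point with a tiny $x$ to show the padding at work. Function names are the example's own.

```python
# secp256k1 parameters (example curve; the encoding rule is the same for the NIST curves)
P = 2**256 - 2**32 - 977                  # field prime; curve is y^2 = x^3 + 7
B = 7
FIELD_BYTES = (P.bit_length() + 7) // 8   # ceil(log2(p) / 8) = 32 octets per coordinate
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def is_on_curve(x, y):
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + B)) % P == 0


def encode_uncompressed(x, y):
    """04 || X || Y with both coordinates zero-padded to FIELD_BYTES (fixed length)."""
    if not is_on_curve(x, y):
        raise ValueError("not a point on the curve")
    return b"\x04" + x.to_bytes(FIELD_BYTES, "big") + y.to_bytes(FIELD_BYTES, "big")


def decode_uncompressed(data):
    """Fixed-width parsing: the split point is known without any length prefix."""
    if len(data) != 1 + 2 * FIELD_BYTES or data[0] != 0x04:
        raise ValueError("bad uncompressed point encoding")
    x = int.from_bytes(data[1:1 + FIELD_BYTES], "big")
    y = int.from_bytes(data[1 + FIELD_BYTES:], "big")
    if not is_on_curve(x, y):
        raise ValueError("point not on curve")    # rejects invalid-curve inputs
    return x, y


def encode_compressed(x, y):
    """02/03 || X: parity prefix plus a fixed-width x."""
    if not is_on_curve(x, y):
        raise ValueError("not a point on the curve")
    return bytes([0x02 | (y & 1)]) + x.to_bytes(FIELD_BYTES, "big")


def decode_compressed(data):
    if len(data) != 1 + FIELD_BYTES or data[0] not in (0x02, 0x03):
        raise ValueError("bad compressed point encoding")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x out of range")
    rhs = (x * x * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)         # square root, valid because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of a curve point")
    if (y & 1) != (data[0] & 1):
        y = P - y
    return x, y


def point_with_small_x(start=1):
    """Find a curve point with a tiny x, to show that the encoding still pads it to 32 bytes."""
    for x in range(start, start + 1000):
        rhs = (x * x * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return x, y
    raise RuntimeError("no point found")


if __name__ == "__main__":
    print("generator, uncompressed:", encode_uncompressed(GX, GY).hex())
    x, y = point_with_small_x()
    print(f"point with x = {x}, still {len(encode_uncompressed(x, y))} bytes:",
          encode_uncompressed(x, y).hex())
```

The on-curve check in the decoders is the part implementations tend to skip; without it an attacker can feed a point from a different, weaker curve (an invalid-curve attack), which is why decoding and validation belong together.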

Score: 1
Dusan Markovic
Encrypting messages with two different public keys

The problem I have is the following:

  • There's the centralized DataBase app which has its own private key and sends its public key to its customers.
  • Each customer has its own private key and should be able to use the combination of his own key and DB app's public key to encrypt its own data.
  • The encrypted data will be visible/available on the network to all third parties.
  • Both DB app and customer should be able to ...

Score: 1
nivedita
Non-uniform plaintext distribution -- AES attack

Are there any attacks on AES (any mode) in which, before the attack is mounted, the adversary is aware that the input distribution is non-uniform? Most of the work assumes that the plaintext is uniformly distributed. This is with reference to the following paper: https://eprint.iacr.org/2019/491.pdf

Score: 4
polfosol
Why do nonce misuse resistant schemes MAC the plaintext?

Choosing a proper nonce is a vital part of every symmetric-key encrypted communication, and it is mandatory that every encrypted message has a unique nonce. It can be shown that using a nonce twice with the same key has catastrophic effects on the system. So in every protocol that uses AES-GCM or other AEAD algorithms, there are careful considerations for preventing the reuse of a nonce.

On th ...

Score: 4
miraunpajaro
Signature size discrepancy for MPC in the Head signature

I have been puzzled by the following for a long time. In the (very well known in the field) paper Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures, the authors introduce the so-called cut-and-choose technique to produce ZK proofs. In particular, they show how to prove that $y=f(x)$ where $x$ is secret. So for example, one can prove $\operatorname{AES}_k(m)=c$ keeping

Score: 2
Fishy Sticks
Possibility of changing the plaintext modulus after encryption in homomorphic schemes like BGV

I'm working on a project with two computation "phases". In the first phase, I would like to homomorphically compute operations on my ciphertexts with a plaintext modulus of 2. But for my second phase, I would like to use a different plaintext modulus say 12799. Without decrypting and reencrypting my results between phase 1 and 2, is it possible to change the plaintext modulus after I have encrypted my c ...

Score: 1
CryptoGuru
RSA Signature Attack without Valid Message and Signature Pairs

I know about the existential forgery attack on RSA where a forgery is possible given two valid message and signature pairs, but I am wondering how a forgery can be done on RSA with just the knowledge of the public key ($e$ and $n$), without knowledge of another message/signature pair, given that the signatures are not padded.

Score: 1
Stefan K
X509 Client certificate - before - XEnroll / Certenroll / KEYGEN

IBM (now HCL) Domino has had, since way back, a complete procedure to issue X509 client certificates as a login option for a web server. Back in 2010-ish it worked fine in both Firefox and Internet Explorer. The handling has 4 steps:

  1. Acceptance of Root certificate, CA (usually self-signed from Domino)
  2. Request client certificate, with PrivateKey to local certificate store and PublicKey sent to the server
  3. Domino i ...
