Latest Crypto related questions

I think my understanding on initialization vector (IV) might be lacking, but as I understand it, an IV is used to create randomness to an encrypted message so that the message is difficult to crack from an attacker. The randomness part I can see the importance of.

The part I can’t get my head around is why use the IV. For example, say I add 16 random bits to the start of my message and encrypt  ...

As I understand it, in WPA2, the shared key (for encryption) is derived from the password, plus nonces and identities used in the initial 4-way exchange. An attacker who was able to sniff the initial exchange could perform an offline dictionary attack on the AP password.

I've also learned about PAKE protocols that also derive cryptographic keys from a shared, low-entropy password, but are resista ...

So I went ahead an wrote this little program. What it does is it takes a password for a seed and generates a (pseudo-random) bit-pattern using rule 30 from cellular automata. It then XORs our input file with the same-length pattern. In theory this should be secure, given I would start padding the plaintext and only use a password once?

import sys

def rule30(a, b, c):
    return (a ^ (b | c)) & ...

Content and Informal Problem

Suppose a protocol $\pi$ doing an arbitrary task between two users A and B. I only know that $\pi$ relies on a IND-CPA symmetric encryption scheme $\mathcal{E} = $(KeyGen, Enc, Dec). In details, A holds a key $k$ in $\pi$ computes encryptions of $n$ messages $m_1, \dots, m_n$, providing to B the ciphertexts $\psi_1, \dots, \psi_n$.

To prove the security of $\pi$, I compute a ...

In the official documentation of the X3DH Algorithm (link) is made an analysis about the forward secrecy. Forward secrecy would be an uselful property if we would repeat the protocol multiple times. But in the Signal-Protocol it is always used only once, to initialize the Double Ratchet Algorithm (which then on its own leads to forward / backward secrecy and so on). So why do we care about the security f ...

"Factoring integers with sublinear resources on a superconducting quantum processor" seems to indicate the end is getting closer for RSA - much faster than anticipated earlier:

We proceed by estimating the quantum resources required to factor RSA-2048. We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain syst ...

While using ECDH key exchange, we can choose to use different kind of elliptic curve, e.g. P224, P256 or P384 etc. (btw, I am using go).

My question is, what is the criteria to choose different kind of elliptic curve? Is it related to desired security level? If yes, what is the "rule of thumb" to choose between the curves?

Let's say a device has 2 private keys and service has the 2 corresponding public keys. Is there an efficient way to encrypt a symmetric key from the service side utilizing the 2 public keys, such that on the client, it requires both private keys in order to decrypt?

I.e if I only have private key 1, I am unable to decrypt the encrypted symmetric key.

I believe one way could be double encrypting it?  ...

Given a message $m$, how can I prove that $m$ lies between 0 and 31 without revealing the message using a Sigma protocol?

The message is encrypted as:

$$c = a^{\beta} \cdot g^m ,$$

where:

• $a$ is the public key of the receiver,
• $\beta$ is the secret key of the sender, and
• $g$ is a generator of a cyclic group $G$ of prime order $q$.

I know I need to use "OR" composition and the Diffie-Hellman (DH) tri ...

Is there modification to LWE public key crypto-system which makes the decryption process is totally deterministic and does not affect security?

Let $E\!: y^2 = f(x)$ be an elliptic curve over a finite field $\mathbb{F}_{q}$ of odd characteristic. Consider an $\mathbb{F}_{q}$-point $P = (x,y)$ on $E$. Suppose that we only have the $x$-coordinate (with one auxiliary bit) and we want to recover $P$, that is, the value $y = \sqrt{f(x)}$.

Assume that the field $\mathbb{F}_{q}$ is highly $2$-adic, i.e., $q-1 = 2^\nu m$ for the large $2$-adicity

Let's suppose I encrypt two blocks of 1MiB with AES-256 in CBC mode, each one using different keys, XOR the resulting ciphertexts and send this XORed block to an adversary. Remembering that the adversary will not have access to resulting ciphertexts, only the XOR of them.

What could he/she do with the XORed block? Can he/she find the keys I used, or even the plaintext of one of the ciphertexts in ...

Sorry in advance if I'm asking a stupid question:

I thought the role of "IV" in encryption is to avoid having identical ciphertext for identical plaintext. So one could use some random IV.

Writing some Perl code I'm confused, however. Consider this test code:

use Crypt::Rijndael;
my $cipher = Crypt::Rijndael->new('x' x 16, Crypt::Rijndael::MODE_CBC());
$cipher->set_iv('IV' x 8);
my $data = 'ol ...

A signature system applies textbook RSA to a $b$-bit hash of the message. What's the cost (preferably, as CPU time on common hardware) of existential forgery assuming known signature of $r$ random messages? How much is that reduced if public exponent is very small ($e\le7$)?

We assume

• Safe RSA public key $(n,e)$ and matching secret private key $(n,d)$ with $n$ of $\ell$ bits and $2048\le\ell\le8192$

I have found similar question for PIV (and not PGP)

I assume PIV and OpenPGP would work in similar ways. I also assumes that the GPG private key never leaves the Yubikey.

If these assumptions are correct then:

• at encryption: a symmetric key is generated and encrypted on the sending computer using the GPG public key, then message is encrypted on the sending computer using symmetric key
• at decryption: the  ...

I am currently studying the proof of the Dilithium signature in the quantum random oracle model (QROM). I am curious to hear if anyone have any thoughts on the importance of having proofs in the QROM or if proofs in the standard random oracle model should be sufficient?

Have been exploring the topic briefly with some mates and considered it along the lines that the ROM has stood the test-of-times ...

I'm trying to design an encryption system for a new mobile app and am thinking of using Shamir's Secret Sharing Scheme in a way which I have not seen before. Does this seem possible or does it violate some mathematical concept I'm not understanding in SSS?

I want to split a key generated on the user's mobile device where:

• n parts are necessary to rebuild it
• n-1 parts are stored on the user's mobile devic ...

For a public-key encryption scheme (Gen,Enc,Dec), the textbook definition of IND-CPA security is the following:

1. The challenger runs (pk,sk)←Gen and sends pk to the adversary.
2. The adversary performs some computation, chooses (m0​,m1​) and sends them to the challenger.
3. The challenger runs ct←$Enc(pk,mb​) , b←${0,1}, and sends ct to the adversary.
4. The adversary performs some computation a ...

Let $f_k$ be a PRF. We claim that $f_k$ is a OWF. PROOF let $f_k$ is not a OWF, there exists a $PPT$ algorithm $A$ that can invert $f_k$ with non-negligible advantage. Even if we know the input $x$ for given $f_k(x)$ with a non-negligible advantage, how can we claim that we can distinguish $f_k(x)$ from random with non-negligible advantage? Here, a key $k$ is still secret.

I am going through Dan Boneh's video tutorial on PLONK Polynomial IOPs - https://www.youtube.com/watch?v=vxyoPM2m7Yg

He describes 3 type of proof gadgets he will use

He gives a proof of the Zero Test which I understood. However, he doesn't cover the proof for the Sum Check & Product Check in his video.

Prod Check

Prove that $\prod_{a \in H} f(a) = c$

He says that has Product Check covered in ...

RFC 5869 for HKDF says "an application needs to make sure that salt values are not chosen or manipulated by an attacker".1 Soatok also discusses some nuances in choosing salts for HKDF.2 This question also discusses a situation where it led to a vulnerability.3

While these sources all indicate that salts should not be left to attacker control, I would like to know exactly what is put at risk by doin ...

Consider a variant of the Paillier encryption scheme where the message space is restricted to $\mathbb{Z}_q$ such that the RSA modulus $N$ of the Paillier cryptosystem satisfies $N > q + q^2$. I am interested in the following variant of the CCA security game where the decryption oracle answers with not a complete decryption of the requested ciphertext but with an integer blinding of it:

• $\mathcal{C}: ...

Intuitively, if we can invert a PRG, then we can easily distinguish it with random distribution by checking g(inverse(y)) = y. So every PRG is a OWF?

Unlike the problem "Is every pseudorandom generator a one way function?", i can prove that if the output length is large enough (for example |g(x)| >= 2|x|) then the PRG must be a OWF, but it seems that such a restriction is not necessary.

I am trying to understand how this ciphertext length is calculated from a signcryption scheme to analyze the communication cost. I understand, we consider the key length and the message length to calculate the ciphertext length. But don't understand at what step and what parameters we actually consider. For example, in the given paper "A secure and lightweight certificateless hybrid signcryption s ...

I think I understand the value of using ZKP's for proving things about data in isolated systems, like for privacy and computation roll-ups in blockchains L2's.

But I hear a lot about real-world use-cases, a classic example is proving your age is above a certain number, or proving your income to a mortgage lender, without revealing exact figures. While this sounds fantastic, in both these scenario ...

In "Efficient reductions among lattice problems" by Micciancio (2007) it is said, that

SVP reduces to SIVP in their exact versions.

I did not found anything about this fact, is a reduction that trivial? Does the same hold for their approximation versions?

I have an AES encrypted data and the key, but I am not able to tell the block cipher mode [ECB|CBC|CTR] used in encryption or know the key length.

Below is the encrypted data output in java.

{"encrypt_data":"GorwlI4cdifSjaKM0Uu4v24DewQqsaN3VTkZMmtDZkttVdoUEV23mBYlYhbcB/oN","encrypt_aes_key":"VRkSYqtGUBr4Zzt7ET8kMw2dvrQkOBH2cGWYwKhNRUU5fCVP+UhZSDKDpQSwx5aHQNIGApRq9INRzLTlB9uJjUXgbl0yEL0Ztyk5OpBU4pIk1imRF ...

I don't understand why relinearization is so significant. I understand the equations in the paper (in this post I'll be using notation from BV but I would it applies to BGV+BFV) but if anything it seems like it would be less efficient. We go from: $$h_0+\sum_ih_ix_i+\sum_{i,j}h_{i,j}x_ix_j$$ to utilizing t and getting: $$h_0+\sum_ih_i(b_i-\langle a_i,t\rangle) + \sum_{i,j}h_{i,j}(b_{i,j}-\langle a_{i, ...

The conventional and simple wisdom is to combine head with /dev/urandom to create the amount of pseudo-random data that is needed. But that is slow.

I found a faster method - cryptsetup FAQ suggests to use its mechanism.
See 2.19 at:
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

But the issue with this method is that root privileges are required for the mapping by cryptsetup ...

I am reading the Wikipedia page for Interactive proof systems and am having trouble understand the notation in the definition of soundness, many of which is left unspecified.

Given a formal language of strings $L$, a verifier $\mathcal{V}$ for this language satisfies the soundness property if for every prover $(\tilde{\mathcal{P}})$ and every $y \notin \mathcal{L}$,

$$ \operatorname{Pr}[(\bot,(\t ...