Latest Crypto related questions

The Schnorr signature scheme was defined originally as $(c, s)$ such that $sG = R + cX$, and the verification process consisted of computing $R = sG - cX$ and then verifying that $c = H(R||m)$ so using only $H(m)$ would not have worked for verification. However, in the verification process of the Schnorr signature variant $(R, s)$, we first compute $c = H(R||m)$ and then verify that $R = sG - cX$

I am recently reading about multi party computation and its various existing protocols. From what I understand, all the arithmetic operations are performed over a field or a ring such that when two secret values, a and b, are used to perform secure computation c = f(a,b), the output of the MPC protocol is c mod P (for some modular P).

My question is, in real-life applications when we are performi ...

I have been investigating libraries that implement operations and protocols involving BLS12-381 curves. I have noticed an absence of libraries that support encryption over (either of) the groups G1 and G2 that are defined by the BLS12-381 curves.

Is there some cryptographic reason that encryption (say, ElGamal encryption) over these groups is not appropriate, or is this instead just an indication ...

I am mainly looking to perform this trick for fun. I have access to an API that uses WebCrypto under the hood for encrypt and decrypt methods. I would like to hijack the decrypt method in order to create a deterministic seed.

I have read other articles, and it seems like this trick should be relatively straight-forward, as AES-CBC does not have any integrity checks (that I know of). My understandi ...

I am trying to find out how to write a security proof for a two-party computation problem.

I have read some examples to write simulators like $x_1 ∧ x_2$ problem and the example in Goldreich's book. I have also read some parts of Lindell's toturial . But I am still unsure about my understanding. I have also seen the paper which uses the game-based approach for its security analysis. I have also re ...

I'm having some trouble understanding the idea behind C_InitToken. I can tell what it does from the standard, but not its purpose.

One of the things it does is to provide authentication of the user as the SO, or initialize the SO's PIN if the token comes from factory. The second half I understand, but the first one seems unnecessary: this could be accomplished by opening a session and logging in  ...

I need some help for the following simple game:

An adversary is given a multiplicative group $\mathbb{G}$ and the 4-tuple $(g_1, g_2, g_3, g_1^a \cdot g_2^b \cdot g_3^c)$ where $g_1$, $g_2$ and $g_3$ are random elements from $\mathbb{G}$, and $a$, $b$ $c$ are hidden.

During the challenge phase, the adversary either receives:

• Case $b=1$: $(g_4, g_5, g_6, g_4^a \cdot g_5^b \cdot g_6^c)$,
• Or case $b=0$

While XOR is used as simple symmetric encryption with arbitrary custom key, what is a simple asymmetric encryption that use arbitrary custom key?

That means I want to be able to set custom private key or public key (in ASCII format).

Expectation:

pub = "mypubkey"
pri = "myprivkey"
msg = "hello world"

encrypted_msg = encrypt(msg, pub)
decrypted_msg = decrypt(encrypted_msg, pri)

print(decrypted_msg) # "h ...

Let's suppose I take 1MiB of truly random data and split in pieces (seeds) of 32-bytes (256-bits), so I hash each seed with a hash function with the same output digest size (32-bytes/256-bits) and XOR each piece of hashed seeds into a 1MiB plaintext.

The random data is kept secret.

My question is:

Will this scheme have the same security of One-time pad?

At a high level, the Uber assumption states that it is not possible to compute (distinguish) linearly independent elements. In the decisional version, the problem is restricted to $G_T$, but it is unclear whether the linearly independent elements can be from $G_1$.

Here is a simple example:

Let be type-3 pairing $E$: $(e, G_1, G_2, G_T, g, h)$ where $g$ and $h$ are generators over $G_1$ and $G_2$ ...

Let's suppose I encrypt an 1MiB plaintext with AES-256 in ECB mode but using different keys for each 16-byte block (I know this is weird but it's just an example).

Remembering that a different 256-bit key will be used for each 128-bit block, so if the adversary wants to break a block, a brute-force in the key space of 2^256 will be needed, and due to the Pigeonhole principle, many different keys wil ...

This question may be of no practical interest. But as a meaningful or meaningless question, can we extend the domains of the keyspace, input space and output space of a PRF to be defined over intervals of $\mathbb{R}$?

For instance, let $I := (a,b) \subset \mathbb{R}$ be some interval of $\mathbb{R}$, and $F: I\times I \to I$ be a function that takes a parameter $p\in I$ and an input $x\in I$ and maps ...

I am trying to implement a stream cipher that uses an LFSR PRNG. I have found resources online that give good primitive polynomials, but I am struggling to find resources with the initial states as well.

I really need to be able to have something to test against so I know my code is working as intended. I would really like something like the example below but with a "bigger" polynomial.

Example 3.4 ...

I am new in the field of cryptanalysis and wonder how the differential cryptanalysis work

Reading about index calculus for discrete logarithm, I noticed that it works for $(\mathbb Z / p \mathbb Z)^*$. Is this the only situation in which it works? If not, please give examples of other situations in which index calculus works to solve discrete log.

I have a question regarding understanding representation of length in AES-GCM while doing padding for the IV to calculate ICB/J0. In the aes GCM test vectors testcase5 I see the IV is of length 8 bytes as follows:

IV cafebabefacedbad

But len({})||len(IV ) is mentioned as

00000000000000000000000000000040

but since the length of IV is of 8 bytes in length the representation len({})||len(IV ) should be  ...

I am currently studying a course in cryptography, and I have this exercise about OWF.

I'm failing to prove that this is an inverter to f. Am I in the right direction at all? Thank you!

I'm currently confused about the distinctions between two-party computation (2-PC), secure function evaluation, and private function evaluation. Additionally, I came across the term secure circuit evaluation, which has further added to my confusion. If these concepts are essentially the same, then why are they referred to by different names in various papers? I would greatly appreciate any assistance in ...

Is anyone aware of the source for a technique that incorporates external wire values into Garbled Circuits? I have come across this technique, which can be found here. However, I was unable to locate the primary reference for it.

The purpose of this technique is to reduce the number of decryption operations required during the evolution phase. By incorporating external wire values into Garbled Circuits, ...

Rumba20 is a compression function that maps a 192-byte (1536-bit) string to a 64-byte (512-bit) string. It's designed to provide collision resistance by using Salsa20 (or ChaCha20) with the feedforward.

However, from the Rumba20 webpage:

Rumba20 is not designed to provide unpredictability, truncated collision resistance, etc. These features must be provided by an appropriate output filter. Rumba20' ...

I have two files ctext0 and ctext1 that are byte files and they are encoded using the same one time pad, so I tried to write a pygame program to allow me to use crib-dragging to figure out some words like so:

import pygame
import sys
import os

file_size1 = os.path.getsize('ctext0')
file_size2 = os.path.getsize('ctext1')

pygame.init()

# Load the byte files
with open('ctext0', 'rb') as f0:
    cte ...

I recently looked into the subject of public key cryptography (especially with X.509 certificates). I am the administrator of a web server using HTTPS which uses 2 levels of certificates (in addition to the end-user certificate for the website). Here is the schema :

The black line is intentional to keep the anonymous. But it corresponds to my end-user certificate.

By looking carefully into the "CA ...

I have a program implementing a function $f$, and want to find a pair of functions $e$ and $h$ such that $h \circ e = f$, but $e^{-1}$ cannot be recovered from $h$.

In other words, given some $e$-encrypted data, $h$ decrypts it and applies $f$. Knowing $h$ doesn't allow me to get back the unencrypted data, but rather only the result of $f$ applied to the unencrypted data.

I have following simple function

uint128_t crypto_aes_prf( ECB_Mode< AES >::Encryption& e, int message)
{
    // Encrypt the input using AES
    unsigned char messageBytes[16]= {0};
    unsigned char ciphertext[16] = {0};
    std::memcpy(messageBytes, &message, sizeof(message));

    e.ProcessData(ciphertext,  messageBytes, sizeof(messageBytes));

    uint128_t result = 0;
    for (si ...

Let's say I want to perform addition on "small" numbers (if it matters, let's say integers between 1-10K) without decrypting the numbers -- i.e. I have E(A) (the encryption of A in a crypto system under a given key) and E(B) and I want to compute E(A+B) without decrypting A or B.

The state of the art would be to use a homomorphic encryption (like in the Pallier Cryptosystem for addition). However, these ...

Given a certificate .p12 I want to extract the public key, the private key and Modulus and Exponent both from the public key and from the private key.

I am using PHP and OpenSSL functions

As I understand it, the Module and Exponent of the public key must be different from the Module and Exponent of the private key.

            // Obtenemos el certificado .p12
            if (!$pfx = file_get_conte ...

It is DTLS 1.2 version question of this question.

I know from 4.1.2.4. of RFC 5246 (DTLS 1.2) AEAD Ciphers can be used in DTLS 1.2 exactly the same with TLS 1.2.

In TLS 1.2

AAD = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length

It makes sense since it is (implicit) sequence number + header of TLSCiphertext. However at DTLS 1.2 new header field epoch is added. Shouldn't I ...

In a similar anonymous PKE based on D-H key exchange, in a many-to-one (one-to-many) case, is there any way to implement authentication without revealing the identity of the sender (receiver)? Could you recommend some papers?

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P = (x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form.

As a result, if software chooses to truncate a hash to its first half, and if the attac ...

By full alternatives I mean things that can do everything RSA can, namely establish secure security without privately sharing information prior. Something which AES can't do.

In other words, I'm looking for quantum-resistant asymmetric encryption.