Latest Crypto related questions

Score: 0
Asked by Lumlum
Game-based security notion and hybrid proofs - adversarial randomness

Say we have a game-based definition of security and wish to prove the security of our construction using a series of hybrids. Can we somehow "fix" an adversary that we interact with in one of the hybrids and continue using it in the following hybrid steps? The answer to the question "Security proof. Adversary source of random coins." states that in the game-based proofs it is indeed possible to fi ...

Score: 2
Asked by empty_stack
Create random element from group G in BLS Scheme

I hope this question is not too basic. I'm currently trying to implement compact proofs of retrievability that are publicly verifiable by BLS scheme as described in this paper Compact Proofs of Retrievability in GO. I already implemented it with RSA and now I want to do the same with the BLS Scheme as described in section 3.3 on page 12. For simplicity it is symmetric.

It states that I should generate

Score: 1
Asked by cryptonamus
Zero-knowledge data storage with peace of mind. MAC/Encryption with two keys?

Background

Bob's goal: Receive data E = E(D) (encryption of D) from Alice that he knows for sure is encrypted and that he can't possibly decrypt (without brute force). This gives his data backup company peace of mind - no need to worry about what sorts of data he stores (copyright issues, etc.). When Bob sends E back to Alice, she can decrypt it with a key known only to her to recover D.

Solution/question ...

Score: 1
Asked by dev
P-box and S-box values in AUT64

I am looking to get P-box and S-box from firmware

Decided to search the firmware for

Pbox - 8 nibbles from 0-7

i.e

pbox = [2, 0, 6, 5, 7, 4, 3, 1]

Found it :)

And for S-Box

16 bytes from 0-15 (based on my research on S-box)

i.e

sbox = [5, 11, 7, 12, 4, 8, 0, 3, 13, 9, 6, 1, 2, 14, 10, 15]

However cannot find it in firmware.

They should be next to each other in firmware.

But they're not.

Question: ...

Score: 1
Asked by js wang
zk-SNARK designed for exponentiation computation

I know that there are papers for both theoretic and practical zk snark computation.
And most of them could support general computations. i.e: support multiplication and addition
But what I am curious about is that are there papers/constructions that optimize the exponentiation computation, not just having a^n computed as a*a...*a?
Thanks a lot

Score: 0
Asked by Vernel
Double length inefficient PRG

Is there a known example of a deterministic algorithm that given an n-bit input returns 2n-bit output, and where a random output can't be efficiently distinguished from a random 2n bit string?

Score: 1
Asked by dev
Getting permutation box and S-box for AUT64 block cipher

Want to get 32 bits from 0x8000 address as 8 bytes (perm box)

MEM_EXT:00008000                 db 54h
MEM_EXT:00008001                 db 53h, 57h, 20h
MEM_EXT:00008004                 dd 322E3256h, 31332030h, 30303330h, 31313320h, 43432036h
MEM_EXT:00008004                 dd 2F363535h, 20425345h, 865808FAh, 865808FAh, 865808FAh
MEM_EXT:00008004                 dd 865808FAh, 865808FAh, 865808FAh,  ...
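
The two AUT64 posts above both come down to the same search: find a window of the firmware image that is a permutation of 0..7 (the P-box) or of 0..15 (the S-box), stored either one entry per byte or packed two entries per byte, as the "32 bits as 8 nibbles" reading of the 0x8000 dump would be. The scanner below is an added example, not code from either post, and it runs on a constructed test image that embeds the P-box values quoted in the first post; it is not real AUT64 firmware, and the S-box values it embeds are only the candidate list from that post.

```python
import string

def is_permutation(values, size):
    """True if `values` contains each of 0..size-1 exactly once."""
    return len(values) == size and sorted(values) == list(range(size))

def nibbles(data, order="high"):
    """Split bytes into 4-bit values; `order` selects which nibble comes first."""
    out = []
    for b in data:
        hi, lo = b >> 4, b & 0xF
        out.extend((hi, lo) if order == "high" else (lo, hi))
    return out

def scan_permutations(fw, size):
    """Return (offset, encoding, table) for every window of `fw` that is a
    permutation of 0..size-1: one entry per byte, or packed as nibbles in
    both nibble orders (a packed table always matches both orders, because
    swapping within pairs keeps it a permutation; the cipher decides which)."""
    hits = []
    for off in range(len(fw) - size + 1):
        window = list(fw[off:off + size])
        if is_permutation(window, size):
            hits.append((off, "bytes", window))
    packed = size // 2
    for off in range(len(fw) - packed + 1):
        chunk = fw[off:off + packed]
        for order in ("high", "low"):
            vals = nibbles(chunk, order)
            if is_permutation(vals, size):
                hits.append((off, f"nibbles-{order}-first", vals))
    return hits

def build_sample_firmware():
    """Constructed test image (not real AUT64 firmware): ASCII filler, the
    P-box from the post one entry per byte, repeated fill words, the same
    P-box packed as nibbles, then the 16-entry S-box candidate packed as
    nibbles."""
    pbox = [2, 0, 6, 5, 7, 4, 3, 1]
    sbox = [5, 11, 7, 12, 4, 8, 0, 3, 13, 9, 6, 1, 2, 14, 10, 15]
    fw = bytearray(b"TSW 2.2 0 3100 ")          # 15 bytes of version string
    fw += bytes(pbox)                             # offset 15: byte-per-entry
    fw += b"\xfa\x08\x58\x86" * 3                 # offset 23: fill words
    fw += bytes((pbox[i] << 4) | pbox[i + 1] for i in range(0, 8, 2))   # 35
    fw += bytes((sbox[i] << 4) | sbox[i + 1] for i in range(0, 16, 2))  # 39
    return bytes(fw)

if __name__ == "__main__":
    image = build_sample_firmware()
    for size in (8, 16):
        for off, enc, table in scan_permutations(image, size):
            print(f"0x{off:04x} {enc:20s} {table}")
```

Run against a real dump, replace `build_sample_firmware()` with the file contents; candidate hits still need to be confirmed by running the cipher, and for a table read as a little-endian 32-bit word the entry order is the reverse of the memory order this scanner reports.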
Score: 1
Asked by phantomcraft
Can I emit a block shorter than internal state of (any) Xorshift PRNG without having to compute the full block?

Xorshift family pseudo-random number generators have a variety of different internal state sizes.

Let's take one of this family called xorshift1024*.

My question is:

Given that xorshift1024* has an internal state of 1024 bits, can I generate a block shorter than 1024 bits without having to compute the entire 1024-bit output before the internal state cycles to the next?

Score: 17
Asked by Swike
Examples of frauds discovered because someone tried to mimic a random sequence

[Moderator note: this question now lives there]

So, I'm preparing a talk about the well known fact that humans are bad at the task of generating uniformly random sequences of numbers when asked to do so, which is a huge flaw for simple cryptographic systems.

I would like to spice up the talk a bit by presenting some real cases where perhaps some tax fraud or bad science was revealed by a simple frequenc ...

Score: 1
Asked by sepehr damavandi
Using exponential ElGamal on ECC to encrypt and aggregate binary values

I am trying to implement an electronic voting scheme which uses the exponential version of the ElGamal cryptosystem: voters encrypt their votes for each candidate and send them all to the ballot box. Now each ballot contains the encryption of either 0 or 1 for each candidate in a determined order, and the vote's validity gets checked by a ZKP.
Can I use exponential ElGamal to encrypt the value 0? And why the foll ...
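
An added example, not from the post, of the homomorphic tally the post describes: each vote is encrypted as g^v (so a 0 vote is an encryption of g^0 = 1, still randomised by the ephemeral exponent), ciphertexts are multiplied component-wise, and the decrypted tally is recovered by a small brute-force discrete log. The group is an assumption for the demo: a multiplicative group modulo the Mersenne prime 2^61 - 1 with g = 3 stands in for the elliptic-curve group the post uses; the homomorphic property is identical, only the group operation differs. The validity ZKP the post mentions is not included.

```python
import secrets

# Constructed toy group (assumption for the demo, not a production choice).
P = (1 << 61) - 1   # prime
G = 3

def keygen():
    x = secrets.randbelow(P - 2) + 1          # private key in [1, P-2]
    return x, pow(G, x, P)                    # (private, public)

def encrypt(pk, vote):
    """Exponential ElGamal: (g^r, g^vote * pk^r). vote = 0 is allowed; the
    plaintext g^0 = 1 is hidden by the random mask pk^r exactly like g^1."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P

def aggregate(ciphertexts):
    """Component-wise product: Enc(v1) * Enc(v2) = Enc(v1 + v2)."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = (c1 * a) % P, (c2 * b) % P
    return c1, c2

def decrypt_tally(sk, ciphertext, max_total):
    """Strip the mask to get g^sum, then find sum by brute force; the tally
    is bounded by the number of voters, so this loop is small."""
    c1, c2 = ciphertext
    m = (c2 * pow(c1, P - 1 - sk, P)) % P     # c2 / c1^sk via Fermat inverse
    for total in range(max_total + 1):
        if pow(G, total, P) == m:
            return total
    raise ValueError("tally out of range")

if __name__ == "__main__":
    sk, pk = keygen()
    ballots = [encrypt(pk, v) for v in [1, 0, 1, 1, 0]]   # constructed votes
    print("yes votes:", decrypt_tally(sk, aggregate(ballots), len(ballots)))
```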

Score: 2
Asked by user105538
Benefit of salt in KDF like Argon2

I don't understand why I need a salt for Argon2 if Argon2 is only needed as a KDF for a password which is then called AES. At the end neither the password nor a password hash is stored. Only the data which was encrypted with the KDF key. It is logical that when storing passwords in databases a salt is needed to prevent rainbow table attacks. It is also logical that a hard coded salt is bad. But why can' ...

Score: 3
Asked by WindowCleaner
Proof-of-Randomness with an EC Public Key

I will be using a tRNG to generate EC keypairs on a Secure Integrated Controller.

I need to demonstrate I, the issuer, can not know the private key without colluding with the user to obtain it, even if the tRNG is weak. I also don't want to reveal the private key to the user, only the public key.

I'm thinking a scheme along these lines:

Data from an external (user-provided) source of randomness is conc ...

Score: 3
Asked by supergiox
Can the BB'06 attack to PKCS padding be generalized?

As Bleichenbacher states, a wrong implementation of the parsing function of the padding could lead to a signature forgery attack when using a low exponent.

In the provided example he assumes the attacker has the freedom to put chosen bytes in the "garbage" section at the end of the message, in order to create a perfect cube root.

00 01 FF FF ... FF 00  ASN.1  HASH  GARBAGE

I wonder if this attack ...
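
The base case the post describes, as an added example that is not part of the post: a 2048-bit key with e = 3, a lenient verifier that parses `00 01 FF..FF 00 ASN.1 HASH` from the left and never checks that the hash ends exactly at the end of the block, and a forger who fills the remainder with garbage by taking a ceiling cube root. The modulus is a stand-in (a random 2048-bit odd number): the forgery never reduces modulo N, so its factorisation is irrelevant, only its size and the exponent matter. The strict verifier alongside shows the fix.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3
K = 256   # modulus length in bytes (2048-bit key)

def stand_in_modulus() -> int:
    """Any 2048-bit odd N works for the demo: the forged signature cubed is
    below 2^2041, so pow(sig, 3, N) is sig**3 itself."""
    return (1 << 2047) | secrets.randbits(2047) | 1

def icbrt(n: int) -> int:
    """Floor of the integer cube root of n (Newton iteration from above)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def digest_info(message: bytes) -> bytes:
    return SHA256_DIGESTINFO + hashlib.sha256(message).digest()

def forge_signature(message: bytes) -> int:
    """Build 00 01 FF*8 00 DigestInfo(H) followed by zeros, so 194 bytes of
    the block are 'garbage' the verifier will not look at."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                        # ceiling cube root: s^3 >= target
    # s^3 - target < 3*s^2 + 3*s + 1, about 2^1362, which only disturbs the
    # low 194*8 = 1552 garbage bits; the 62-byte prefix survives intact.
    assert (s ** 3).to_bytes(K, "big").startswith(prefix)
    return s

def verify_lenient(sig: int, n: int, message: bytes) -> bool:
    """Deliberately flawed verifier (the bug the post describes): parses from
    the left and ignores whatever follows the hash."""
    em = pow(sig, E, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i == 2 or i >= K or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t      # trailing bytes unchecked: BUG

def verify_strict(sig: int, n: int, message: bytes) -> bool:
    """RFC 8017 style: rebuild the whole expected block and compare all of
    it, so there is no room for attacker-chosen bytes."""
    t = digest_info(message)
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return pow(sig, E, n).to_bytes(K, "big") == expected

if __name__ == "__main__":
    N = stand_in_modulus()
    msg = b"transfer 1000 to mallory"        # constructed message
    sig = forge_signature(msg)
    print("lenient verifier accepts forgery:", verify_lenient(sig, N, msg))
    print("strict verifier accepts forgery: ", verify_strict(sig, N, msg))
```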

Score: 2
Asked by Haidepzai
Explanation of Burmester-Desmedt group key exchange and Ingemarsson-Tang-Wong (ITW) group key exchange algorithm

I know that both algorithms are similar to the Diffie-Hellman key exchange and are used for exchanging secret keys in a group but I still cannot figure out the key differences between both algorithms. Is the difference only in the number of rounds that are required to exchange the keys? I would appreciate an in-depth explanation. How do both behave in case of a new member join or a member leave?

 ...

Score: 3
Asked by user105523
Are the following ciphersuites vulnerable? if so, what are the vulnerabilities?

Following ciphersuites found to be weak in Qualys(https://www.ssllabs.com/ssltest/analyze.html) tool:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 4096 bits
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 4096 bits

TLS_ECDHE_RSA_WITH ...

Score: 3
Asked by JRCDEV
Using Argon2, can I improve the salt join the password Argon(password,password+salt)?

I'm creating an application where I'm going to use Argon2. I'm going to have a password, and I'm going to use as salt: email+name+date of birth. You must think that my salt is silly because name and date of birth can change, which would change the result; well, this is not the case with my application. I should and will use these 3 pieces of information for the salt anyway, but what do you think is safer ...
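
For both Argon2 salt questions above (the one asking why a KDF-for-encryption needs a salt at all, and this one about what to put in it), the property at stake is the same: the salt does not have to be secret, but it has to differ per derivation, otherwise one precomputed dictionary cracks every file protected by a common password, with zero extra KDF work per file. The simulation below is an added example, not code from either post. scrypt from the standard library stands in for Argon2 (an assumption; the role of the salt is identical), and the wordlist and password are constructed.

```python
import hashlib
import secrets

def derive_key(password: bytes, salt: bytes) -> bytes:
    """Password -> 32-byte AES key. scrypt stands in for Argon2 here; cost
    parameters are kept small so the demo runs quickly."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 10, r=8, p=1, dklen=32)

HARDCODED_SALT = b"my-backup-app-v1"   # the 'hard coded salt' case

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = [b"password", b"letmein", b"hunter2", b"correct horse", b"qwerty"]

def precompute_table(salt: bytes) -> dict:
    """Attacker's work done once, before seeing any ciphertext: one KDF
    evaluation per candidate password for a given salt."""
    return {derive_key(pw, salt): pw for pw in WORDLIST}

def crack_with_table(table: dict, file_keys) -> int:
    """Lookups only, no further KDF work: how many files fall."""
    return sum(1 for k in file_keys if k in table)

def simulate(n_files: int = 3, password: bytes = b"hunter2"):
    """n_files ciphertexts all protected by the same weak password. Returns
    (files cracked with a fixed salt, files cracked with a fresh random salt
    per file, KDF evaluations the attacker needs in the salted case)."""
    fixed_keys = [derive_key(password, HARDCODED_SALT) for _ in range(n_files)]
    # Per-file salt: random, stored in clear next to the ciphertext.
    random_salts = [secrets.token_bytes(16) for _ in range(n_files)]
    random_keys = [derive_key(password, s) for s in random_salts]

    table = precompute_table(HARDCODED_SALT)
    cracked_fixed = crack_with_table(table, fixed_keys)
    cracked_random = crack_with_table(table, random_keys)
    # With unique salts the table is useless; every file costs a full pass
    # over the wordlist, so the KDF's cost is paid per file, not once.
    per_file_cost = n_files * len(WORDLIST)
    return cracked_fixed, cracked_random, per_file_cost

if __name__ == "__main__":
    print("fixed salt / random salt / attacker KDF calls:", simulate())
```

A salt built from email+name+date of birth is unique per user but constant across all of that user's files, so it protects against one dictionary serving all users while still letting one dictionary serve all of one user's files; a random salt stored with each ciphertext removes that reuse too.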

Score: 4
Asked by user50394
Random oracles and the Borel-Cantelli Lemma

I am trying to understand the implication of the Borel-Cantelli Lemma to the random oracle model.

I think understanding a special case, say, a random oracle is one-way with probability 1, would be helpful. The statement (see, e.g., page 19 of Arkady Yerukhimovich's thesis) as far as I understand in words goes like "if the adversary $A$ given access to an $n$-bit random oracle $O_n$ succeeds in the  ...

Score: 0
Asked by new-to-crypto
Is it possible that two different messages have same hash code?

As I know a very common hash code has 256 bits.

From a message, it outputs a hash code that's 256 bits. That hash code should be unique to that message. That message can be something like email.

But a message can be very long, far longer than 256 bits.

Theoretically there can be 2^256 different hash codes, and that's insanely large number.

But if a message contains 1000 letters, each letter being 8 bits,  ...
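
As an added example (not part of the post), the counting argument above carried out on a hash short enough to watch it happen: collisions of a 32-bit truncation of SHA-256 are found after roughly 2^16 messages, the birthday bound, rather than the 2^32 + 1 messages the pigeonhole argument alone guarantees. The same search against the full 256-bit output would need about 2^128 messages, which is why 256 bits is considered enough. Messages are constructed counters with a prefix.

```python
import hashlib
import math

def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg) as an integer (bits=256 is the full hash)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: remember the digest of each distinct message until
    one repeats. Returns (message_a, message_b, messages_hashed)."""
    seen = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(8, "big")      # constructed messages
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, counter + 1
        seen[d] = msg
        counter += 1

def expected_tries(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2^bits) random messages before
    the first repeat; for bits=256 that is about 2^128."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"collision after {n} messages (expected ~{expected_tries(32):.0f})")
    print(a.hex(), b.hex(), hex(truncated_digest(a, 32)))
```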

Score: 1
Asked by gecad41980
Public key fingerprint verification for large groups

If you were designing:

  • An open source client that offered E2E encryption for e.g. folder sharing between users
  • Each user had public keys for signing (and separate public keys for encryption of symmetric keys etc, but this is not what the question is about).
  • The service is extra cautious by default (wanting to be extra secure) and only allows users to share if they have manually verified their other con ...

Score: 1
Asked by Kiran Manicka
How to Ensure Security in a Gaming Peer to Peer Network

I've been recently thinking about building a C++ poker game that would let players play over sockets in a peer-to-peer network. However, I do not know how security would be ensured. I was thinking that whenever a particular player has a turn, they alter the game state and then broadcast this game state to the network (the other players in this game). However, if the game state contains things like ...

Score: 3
Asked by Per
Max message length when encrypting with public key

The question is what is an appropriate public/private key length in order to encrypt a 256-bit or 512-bit AES key without wasting bytes, and whether long public/private keys provide meaningful increase in security simply from being longer.

I'm encrypting a 256-bit AES key using a public key from a 2048-bit private key. The maximum allowed message length is longer, making me concerned that I'm enc ...

Score: 1
Asked by Nikovlakopoulos
RSA decryption problem knowing public key and ciphertext

new member here.

I am taking a course in computer security, and we just got introduced to cryptography and especially to the RSA algorithm. Although I got the 'basic idea' behind the RSA algorithm and the prime numbers needed for the keys, we have an assignment. Roughly, the content of the exercise is this: Suppose an RSA communication between Alice and Bob. Bob got his public key, which is the follow ...


Score: 5
Security of pseudorandom correlation for bilinear correlations

A pseudorandom correlation generator for bilinear correlation (namely, $x_0 \otimes x_1 = z_0 + z_1$, where party $\sigma$ gets $x_\sigma, z_\sigma$) over some field $F$ works roughly as follows (based on Figure 14 of https://eprint.iacr.org/2022/1035):

Gen:

  1. Pick two random sparse vectors of weight $t$ $e_0, e_1 \gets F^n$. Let $f$ be such that $f(i) = (e_0 \otimes e_1)_i$
  2. Compute $(K_0, K_1) \ge ...

Score: 2
Asked by Emison Lu
How to implement CRS model in the real world?

Traditionally, I think that implementing the CRS (common reference string) model in the real world is usually through a trusted third party or running a distributed protocol. Are there specific papers on this that I can refer to? Thanks a lot!

Score: 2
Asked by Zhengyi Li
Why not substitute division of a public value by multiplication to its reciprocal?

MPC protocols have a harder time handling division (truncation) than multiplication. The case I am considering is when the divisor is a public value. Dividing it may lead to a wrong result due to wrapping around the ring, or we need to pay more cost to get a faithful result. But if the divisor is public, parties can compute its reciprocal offline and then multiply to the reciprocal at the online stage.  ...

Score: 1
Asked by Hashem A. Damrah
Accidentally leaked my main gpg private key!

I only use one gpg key, which I use with pass, which currently holds a ton of password stuff. I also use that key to sign my github commits and a ton of other stuff. I leaked my key by posting my private key, thinking it was my public key on my github profile (it's been up for a couple of days now, and I just realized it).

I revoked this key on my computer, but how can I revoke it on github to where it  ...

Score: 2
Asked by Marc Ilunga
Composability of state-separable proofs

Brzuska et al. introduced the state-separation proof technique to tame complexity in game-based security proofs. The framework allows for modular, easy to understand, and reusable proofs. It has been applied to real-world protocols, like in this paper on the security of the TLS 1.3 key schedule. Additionally, this formalism is used in Mike Rosulek's book "The Joy of Cryptography".

The framework (that I ...

Score: 1
Asked by firefly
How to Calculate Digraphic/Trigraphic Index of Coincidence?

How do you calculate the digraphic and trigraphic IOCs and the same expected IOCs? I'm aware of the formula for calculating the single letter IOC which is given at this formula but I can't find the formula for the higher orders.

Is it simply the sum of frequencies ( $F_i(F_i − 1)$ or $F_i \times F_i$ where $F_i$ is each letter frequency ) divided by 676 (26×26) or by 17576 (26×26×26)?
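
An added example, not from the post, computing the n-gram index of coincidence with the usual unnormalised definition: sum over distinct n-grams of F_i(F_i - 1), divided by N(N - 1) where N is the number of n-grams drawn, so that uniformly random text gives about 1/26^n (1/676 for digraphs, 1/17576 for trigraphs). Multiplying by 26^n gives the normalised variant in which random text scores about 1. Whether n-grams are taken overlapping or in disjoint blocks changes N and the counts, so both options are exposed; the test strings are constructed.

```python
import string
from collections import Counter

def ngram_ic(text: str, n: int, overlapping: bool = True) -> float:
    """Index of coincidence of n-grams: sum_i F_i (F_i - 1) / (N (N - 1)).
    F_i counts each distinct n-gram, N is the number of n-grams taken.
    Non-letters are dropped and case is folded before counting."""
    letters = [c for c in text.upper() if c in string.ascii_uppercase]
    step = 1 if overlapping else n
    grams = ["".join(letters[i:i + n])
             for i in range(0, len(letters) - n + 1, step)]
    N = len(grams)
    if N < 2:
        raise ValueError("need at least two n-grams")
    counts = Counter(grams)
    return sum(f * (f - 1) for f in counts.values()) / (N * (N - 1))

def random_text_ic(n: int) -> float:
    """Expected IC of uniformly random letters: 1 / 26^n."""
    return 1.0 / 26 ** n

def normalised_ic(text: str, n: int, overlapping: bool = True) -> float:
    """Same statistic scaled by 26^n, so random text scores about 1.0."""
    return ngram_ic(text, n, overlapping) * 26 ** n

if __name__ == "__main__":
    sample = "ABABAB ABAB"            # constructed text
    for n in (1, 2, 3):
        print(n, ngram_ic(sample, n), "random:", random_text_ic(n))
```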

Score: 1
Asked by empty_stack
Compact Proofs of Retrievability publicly verifiable with RSA

I'm currently trying to implement compact proofs of retrievability that are publicly verifiable by RSA as described in this paper Compact Proofs of Retrievability in GO. I'm currently struggling on page 26 with the following equation:

$$ σ_i \leftarrow \left(H(\text{name}\mathbin\|i) \cdot \Pi_{j=1}^s u_j^{m_{ij}}\right)^d \bmod N $$

Especially the exponentiation part is a problem, as $u_j$ and

Score: 0
Asked by phantomcraft
Does processing a truly random seed through a non-cryptographic PRNG result in an unpredictable stream?

I have been studying C/C++ and I read that if one wants unpredictable random data in a program, the random generation function needs to be supplied with truly unpredictable random data (such as from /dev/hwrng).

But this confused me because for cryptographic things a normal and non-cryptographic PRNG should be avoided.

Does supplying a truly random and unpredictable seed to a non-cryptographic P ...
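
An added example, not from either xorshift post, using xorshift1024* as the non-cryptographic PRNG. It shows two things at once: the generator has 16 words of 64-bit state but emits a single 64-bit word per call (each call reads and rewrites only two state words, so there is no full 1024-bit block to compute), and seeding it from the OS entropy source does not make its stream unpredictable, because the output is just one state word times an odd constant. Sixteen consecutive outputs, multiplied by the inverse of that constant modulo 2^64, give back the whole state and every future output. The step function and multiplier follow Vigna's reference code for xorshift1024*; the seed and the observed outputs are produced inside the example.

```python
import os
import struct

MASK64 = (1 << 64) - 1
MULT = 1181783497276652981          # multiplier from Vigna's xorshift1024* code
MULT_INV = pow(MULT, -1, 1 << 64)   # MULT is odd, hence invertible mod 2^64

class Xorshift1024Star:
    """xorshift1024*: 16 x 64-bit state words, one 64-bit word out per call."""

    def __init__(self, words, p=0):
        if len(words) != 16 or not any(words):
            raise ValueError("state must be 16 words and not all zero")
        self.s = [w & MASK64 for w in words]
        self.p = p

    def next_u64(self) -> int:
        s0 = self.s[self.p]
        self.p = (self.p + 1) & 15
        s1 = self.s[self.p]
        s1 ^= (s1 << 31) & MASK64                           # a
        self.s[self.p] = s1 ^ s0 ^ (s1 >> 11) ^ (s0 >> 30)  # b, c
        return (self.s[self.p] * MULT) & MASK64             # output = word * MULT

def seed_from_os() -> Xorshift1024Star:
    """Seed all 1024 state bits from the OS entropy source: the 'truly random
    seed' of the post. The seed's quality plays no role in what follows."""
    return Xorshift1024Star(struct.unpack("<16Q", os.urandom(128)))

def clone_from_outputs(outputs) -> Xorshift1024Star:
    """Undo the multiplier on 16 consecutive outputs to recover the 16 words
    the generator wrote, in write order. With p=15 the clone's most recently
    written slot lines up with the original's, and the step function only
    ever uses relative indices, so the rotation does not matter."""
    if len(outputs) != 16:
        raise ValueError("need exactly 16 consecutive outputs")
    words = [(o * MULT_INV) & MASK64 for o in outputs]
    return Xorshift1024Star(words, p=15)

def clone_predicts(generator: Xorshift1024Star, n_check: int = 64) -> bool:
    """Observe 16 outputs, build the clone, check it predicts the next
    n_check outputs exactly."""
    observed = [generator.next_u64() for _ in range(16)]
    clone = clone_from_outputs(observed)
    return all(clone.next_u64() == generator.next_u64() for _ in range(n_check))

if __name__ == "__main__":
    gen = seed_from_os()
    print("clone predicts all later outputs:", clone_predicts(gen))
```

A CSPRNG (or a keyed stream cipher) is what makes the output depend on a secret in a way that cannot be inverted from the output; a strong seed only ensures the attacker cannot guess the starting point, which for a generator like this one is recoverable from the stream anyway.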
