Latest Crypto related questions

Score: 1
Bigjim avatar
Symmetrical encryption with hashing algorithm
hm flag

Can a file encrypted with a hashing algorithm (like SHA-256) be equally secure as a symmetrical algorithm (like AES)?

This is how it could be done using a password (this is the most simple example, please don't suggest optimizations, it's just the concept):

  • Generate random looking binary data of the same length as the file contents, using hash(password+counter+seed).
  • XOR the file contents with the dat ...
Score: 2
phantomcraft avatar
Is a compression function call the same as invoking the hash function itself?
pf flag

In BLAKE2X paper it is said:

BLAKE2X adds a constant overhead of $\lceil\ell/64\rceil$ (resp. $\lceil\ell/32\rceil$ compression function calls compared to the underlying 64-bit (resp. 32-bit) BLAKE2 hash. For example, to compute a 1056-bit (132-byte) hash as required in Ed521 signatures, BLAKE2X adds† $\lceil132/64\rceil=3$ extra compression function calls compared to BLAKE2b. Note that $\oper ...

Score: 2
Eddie avatar
How are the `binder hash` and `finished` values calculated in the Resumed 0-RTT Handshake example in TLS 1.3?
in flag

I'm trying to understand the implication of the Binder Keys in a TLS 1.3 resumed handshake. The TLS 1.3 RFC provides an additional RFC with example traces to validate all the math in a TLS 1.3 handshake. I'm using this example trace to try to re-create the binder keys to understand what went into them.

One of the example traces is a Resumed 0-RTT Handshake trace (section 4 in the linked RFC). This is ...

Score: 1
phantomcraft avatar
Encrypting with CBC then XORing repeatedly a chunk of random data smaller than the plaintext: Is there a gain in security?
pf flag

If I encrypt a 1MiB file with AES-CBC (or any other cipher) and XOR a 128KiB of (truly) unpredictable random data repeating until the end of file, will I have a security of 1048576-bits (128KiB*8)?

This question is a little weird, but I would like to know if this scheme has a security flaw (maybe known-plaintext attacks).

Score: 5
phantomcraft avatar
Is it possible to create a pseudo-One Time Pad by using a key smaller than the plaintext?
pf flag

Let's suppose I want to encrypt a 10GiB file but I don't want to use a One Time Pad, just a 1MiB key taken from /dev/random (in Linux).

I know that the key should not be repeated, but is it possible to do a form of pseudo-OTP by using the same key across the entire plaintext?

I thought in a scheme: Hash each 64-byte piece of the key with a hash function (with output size of the same size of the 64-b ...

Score: 1
I'm RSA-encrypting a randomly-created AES key. Do I need padding for the RSA?
ke flag

There seem to be two ways to RSA-encrypt using .Net:

EncryptValue (which doesn't seem to pad the plaintext).

and

Encrypt (which does).

I was wondering, since what I'm encrypting is a cryptographically secure (cough...) AES key, do I need it to be padded by an official padding scheme? Assuming, of course, that the length of the data (the AES key) is exactly the right length, or padded by something simple e ...

Score: 1
max avatar
NTRUEncrypt fails on complex algebra
dm flag

I am following the NTRUEncrypt cryptosystem as described on Wikipedia. I have implemented it in the Sage Math engine (with small problems along the way, but in the end successfully resolved) and the system works just as expected.

I have noticed an interesting publication regarding expanding NTRU to higher order algebras. This one is about quaternions but in the following example I will try compl ...

Score: 0
Duan avatar
How to understand the argument “if the adversary outputs x then it queries (a, x) to oracle”?
eh flag

When I read the work of Dodis et al. ref1, it looks as if I have encountered a simple logical bug. (I'm not concerned with the details of secure proof techniques, but with the logic of reasoning.)

In this article, Dodis et al. demonstrate the one-way security of ROM-AI (ROM with auxiliary information). The core idea is to first consider event A, which means "the attacker has accessed the oracle (a,x ...

Score: 1
Ahmad Dehnavi avatar
Is it secure to use XOR to encrypt a 32bit number?
cv flag

Let's say I have a 32-bit number and a primary secret key and want to encrypt it without increasing the size.

This is how I'm doing the encryption:

  1. I create an HMAC hash using the primary key and current date as data
  2. Then XOR input bytes with hash bytes a few times
for (let offset = 0; offset < hash.length - 4; offset++) {
    const key = hash.readUInt32BE(offset);
    input ^= key;
}

Is it s ...

Score: 0
toga avatar
How to implement a "viewing key" for secrets proved by zero knowledge proofs?
nu flag

In ZCash, Monero etc, the sender/receiver addresses as well as transaction details are hidden. However, with a viewing key, a third party can see the exact details of the transaction or all transactions done by a certain address. How are things like these achieved?

Score: 2
toga avatar
How to implement a "viewing key" for secrets proved by zero knowledge proofs?
nu flag

In ZCash, Monero etc, the sender/receiver addresses as well as transaction details are hidden. However, with a viewing key, a third party can see the exact details of the transaction or all transactions done by a certain address. How are things like these achieved? Any direction or sources are appreciated.

Score: 1
Gregory Magarshak avatar
What is more secure, HMAC with SHA-1, or with SHA-256 and take a substring?
in flag

I'm going to guess the latter, but just wanted to ask here.

I want to have a relatively short signature, and my goal is to take a substring of the resulting hash.

Score: 1
Diogo Almeida avatar
AES - SBOX avalanche effect question
dz flag

I am making a program that verifies the avalanche effect for the SBOX of the AES block cipher for a certain number of iterations. This program changes one bit randomly in one of the elements of the input list (state) and then applies the subBytes operation to both the original and modified lists. After that, it counts the number of different bits between these two resulting lists.

sbox = [
    0x63 ...
Score: 2
Lilkp2 avatar
Division, scope finite fields polynomials in general vs. f.f. polynomials in ECC
ye flag

A cryptography course covered, among others, the following topics:

  • arithmetic of polynomials over $GF(2^m)$ fields - polynomials division
  • elliptic curves over field $GF(2^m)$

In the scope of the former point, students were told that a polynomial product needs a subsequent division by an irreducible polynomial in order to stay within the given order of polynomial (this detail is not the objective of this question). Then proceeding ha ...

Score: 2
Alden Luthfi avatar
RSA: exploiting consecutive primes
sk flag

Given 2 plaintexts $m_1$ and $m_2$, and 5 different values of $n\quad\{n_1, n_2, n_3, n_4, n_5\}$ which are generated as follows:

  • $n_1$ is a product of two relatively small 128-bit $p$ and $q$, so it's easily factorable by a simple database look-up,
  • $n_2$ is the value of $p_1*p_2*q_1*q_2$, with $p_2$ being the next prime after a 512-bit prime $p_1$, and $q_2$ being the next prime after a 51 ...
Score: 1
phantomcraft avatar
Is the security of output of Skein when using arbitrary output size similar to that of SHAKE?
pf flag

Let's suppose I have a 1MB high-resolution photo and I want to hash and create a 1536-bits key.

I know that I could just use SHAKE-256 as it's a pre-engineered way of doing that.

There is also Skein, which can emit outputs of any size (up to 2^64-1).

But Skein has an internal state of 1024 bits.

If I decide to use Skein to generate the 1536-bits key, would I have the same security of that of SHAKE-256 despit ...

Score: 2
phantomcraft avatar
What would be the expected performance of hashing a seed with counters and using its keystream compared to SHAKE-256?
pf flag

Hashing a seed with SHAKE-256 with the output size set to 1GiB takes 6.5 seconds on my system:

$ time dd if=/dev/random count=40960 bs=1 &>/dev/null | shake256sum -N 8589934592 > /dev/null 
real    0m6.497s
user    0m5.682s
sys 0m0.844s

/\ 165.2 MiB/s

SHAKE-256 can be used to generate keys of any size as an (experienced) user of this forum stated.

Let's suppose I want to use pure ...

Score: 2
max avatar
Why does NTRUEncrypt fail on different values for large modulus?
dm flag

I am trying to closely follow the algorithm here (keeping the same variable names) and reconstruct the cryptosystem in the Sage Math engine. It seems to work on parameters (N, p, q) = (11, 3, 31) but raises an assertion error at the end on (N, p, q) = (11, 3, 29). Please see the code below:

N = 11
p = 3
q = 31 # fails for 29

R.<x> = PolynomialRing(ZZ)
RR = R.quotient(x^N - 1)
P.<x> = PolynomialRing( ...
Score: 0
Nerox avatar
How to generate a simulated proof in zkSNARK
gn flag

According to https://www.di.ens.fr/~nitulesc/files/Survey-SNARKs.pdf

in cryptography, we often want to hide information. A proof that does not reveal any information to the verifier besides the membership of the statement to the language is called a zero-knowledge proof. A way to formally define this property is to consider a simulator that is able to behave exactly as the prover in the protocol and t ...

Score: 1
Yusuf Ning avatar
Digital Signature and Encryption Process / Hierarchy
vg flag

I'm trying to get my head around this scenario. I understand that a private key can be used for signing a message to provide authentication, and a public key can be used for encrypting while its corresponding private key can be used to decrypt it. I came across this scenario and I've been trying to research why this scenario will not work:

Suppose I changed the protocol in Kaufman & Perlman Plausible Deni ...

Score: 5
How can a preimage attack on SHA-256 always succeed within 2^256 evaluations when done through brute force?
in flag

I was reading the Wikipedia page for SHA-256 (SHA-2) and came across the following statement:

For a hash function for which $L$ is the number of bits in the message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in $2^L$ evaluations.

Why is this true? Is it some property of SHA-256 or am I missing something? I know that there must  ...

Score: 1
youngeAn avatar
Pohlig-Hellman Algorithm for solving the DLP
ai flag

I read a website on The Pohlig-Hellman Algorithm for solving the DLP, in which it states that we can express $x$ as:

$x= a_0 + a_1p+ a_2p^2+...+ a_{e-1}p^{e-1}$, where $p^e$ is a prime factor of the order of the group.

We then can brute force all of the $a_i$'s. But my question is, if we can figure out all $a_i$'s, why can't we state that $x$ just is $a_0 + a_1p+ a_2p^2+...+ a_{e-1}p^{e-1}$?

After all, we ar ...

Score: 3
phantomcraft avatar
Is SHAKE hash function seekable when using it as a stream cipher?
pf flag

I searched a lot for this information in search engines as well as taking a look in the SHAKE reference implementation.

If I decide to use SHAKE as a stream cipher, can I access a specific part of the keystream without having to generate previous data from the beginning?

Score: 1
RobinLinus avatar
Does it weaken an RSA modulus to publish a generator of a small subgroup?
cn flag

Let $n = P\cdot Q$ be the product of two safe primes $P = 2p+1$ and $Q=2q+1$. Let $g$ be a generator of $C_{p} \subset \mathbb{Z}_n^*$, the multiplicative subgroup of order $p$. In other words, $g^p = 1 \pmod n$. (But $p$ is still secret of course.)

Would it weaken an RSA modulus if $g$ was public? It is easy to compute such a generator when $q$ is known, but it seems hard otherwise.

Score: 1
JAAAY avatar
How can the AND gate be executed efficiently in the GMW protocol for the MPC setting?
us flag

GMW is a pretty straightforward protocol for the setting of 2PC. It is still straightforward for the case of MPC except for the AND gate. I'm struggling to understand how to obtain a "good" communication complexity. To be more specific, the AND gate is described by the following function.

\begin{aligned} c &=a \wedge b=\left(a_1 \oplus \cdots \oplus a_n\right) \wedge\left(b_1 \oplus \cdo ...

Score: 0
Maxim avatar
Homomorphic Encryption: Eval Ciphertexts with different Public Keys
tg flag

I am trying to get into HE and Federated Learning and found the following Paper: https://arxiv.org/pdf/2204.07752.pdf

The main concepts are clear to me, but I do not understand how or if you can evaluate multiple ciphertexts that are encrypted with different public keys. If it is possible, how? And how does the decryption work?

Other question: is it generally possible to add or multiply two cipher ...

Score: 2
István András Seres avatar
Proving in zero-knowledge the "sign" of a discrete logarithm in groups of unknown order
cf flag

Suppose we have the description of a group $\mathbb{G}$, a group of unknown order: the size of the group is unknown. For instance, an RSA group ($\mathbb{Z}^{*}_N,$ where $N=pq$ for unknown primes $p$ and $q$) or a class group. The prover wants to convince the verifier that for $h=g^x$ and that the exponent is non-negative ($x\geq0$) for a random, public $g\in_R\mathbb{G}$.

More formally, this is t ...

Score: 1
Rehman Ali avatar
Why AES code is working even with 3 Rows
si flag

First of all, I am a student, so even if most of you think it is a useless question, don't dishearten me, as this is a platform for me to learn. I am using an AES code that has 3 rows and 4 columns in its Shift Rows, although I know that in AES we have a 4-row, 4-column block. Then why is it working? I am not able to understand that. Here is the code attached:

def shift_rows(s):
    s[1][0], s[1][1], s[1] ...
Score: 1
mactep Cheng avatar
Statistical closeness of distributions and time-unbounded distinguisher
za flag

If two ensembles are statistically indistinguishable, we all know that they are also computationally indistinguishable, i.e., for any PPT algorithm, the probability to distinguish them is negligible.

My question is, what if the algorithm is not polynomial-time, but time-unbounded?

Score: 4
Is the sum of hashes a suitable hash for sets?
ma flag

Let $H: X \rightarrow \{0, 1\}^b$ denote a cryptographically secure, $b$-bit hash function on a set $X$. Let $H^*: \mathbb{P}(X) \rightarrow \{0, 1\}^b$ be a function on the power set of $X$ defined by \begin{equation} H^*(\{x_1, \ldots, x_n\}) = \sum_i H(x_i) \end{equation} where the sum is intended as wrapping addition over $b$-bit integers.

I am wondering if $H^*$ is cryptographically secure on ...
