Latest Crypto related questions

We call two ensembles $X$ and $Y$ indistinguishable in polynomial time if for every probabilistic polynomial-time algorithm $D$ and for every positive polynomial $p(\cdot)$, and all sufficiently large n's we have $$|Pr[D(X_n,1^n)=1]-Pr[D(Y_n,1^n)=1]| < \frac{1}{p(n)}$$.

One question I didn't confront with at the beginning is, does the definition imply that $|X_n|=|Y_n|$?

After a little bit of thinkin ...

I have a course work for university, the question is:

Consider a symmetric encryption scheme with its encryption operation written as

$$C = E(K, R||P)$$

where $E$ is a block cipher encryption algorithm, $K$ is an encryption key, $R$ is a random nonce (i.e., it is randomly generated for each encryption), $P$ is a plaintext, $C$ is a ciphertext, and "$||$" denotes concatenation.

Let the block size be

So I'm currently working on a past exam paper related to cryptography, this question essentially asks the reader why digital signature schemes are not used today.

Yet, when I did my research on this topic online, I found out that most technologies do in fact use digital signature schemes. In fact I'm even confused by what this question means now and would appreciate if anyone has any input to wha ...

In Zero-Knowledge (ZK) proofs/arguments of knowledge, the ZK knowledge property informally says that it is possible to simulate the output of a (malicious) verifier interacting with a prover knowing a witness $w$ without using $w$ at all:

$$\{OUT_{V^*_\lambda} \langle P(w,x) , V^*_\lambda(s_\lambda, x) \rangle\}_{\lambda,x,w} \approx_c \{Sim(x, V^*_\lambda, s_\lambda)\}_{\lambda,x,w}$$

where $\lambda$

We know that in bitlocker decryption procedure there is an intermediate key after the hash computing phase which used to encrypt nonce using AES-256 and the result (IV) will be used to decrypt VMK. How VMK is decrypted using IV?

I'm deriving a shared secret using ECDH with Ed25519 keys. According to the specification (page 5), the shared secret then can be any valid Curve25519 public key, i.e. any valid 32 bytes. My environment is such that I need to map this shared secret to being only 31 bytes long. A simple solution to this would be to just perform e.g. SHA256 on it and take the leftmost 31 bytes. I am wondering however, i ...

What kinds of properties does a KDF need to have in order to be considered secure? What steps should be taken during analysis to test for flaws?

In particular, I mean a KDF that is going to be used as a one-time pad. If the plaintext is 1 MB, then the KDF will produce a 1 MB key. And xor them together tp produce the ciphertext.

I was reading this post https://senderek.com/SDLH/ about Shamir's hash function, which is defined as follows:

Let $p,q$ be positive prime integers and let $n=p\times q$. Let $\ell = \mathrm{lcm}(p-1, q-1)$. Find $g \in (\mathbb{Z}/n\mathbb{Z})^*$ such that $\ell$ is the smallest positive integer for which $g^\ell \equiv 1 \bmod n$, i.e., $\ell$ is the order of $g$ in $(\mathbb{Z}/n\mathbb{Z})^*$.

In The Algorithmic Foundations of Differential Privacy (Dwork, C; Roth, A), the formal definition of differential privacy is given as:

"

The randomized algorithm $\mathcal{M}$ with domain $\mathbb{N}^{|\mathcal{X}|}$ is $(\epsilon, \delta)-$differentially private if for all $\mathcal{S} \subseteq Range(\mathcal{M})$ and for all $x, y \in \mathbb{N}^{|\mathcal{X}|}$ such that $\|x - y\|_1 \leq 1$: ...

I am trying to understand how adding padding like the PKCS1.5 RSA signature scheme can prevent the existential forgery attack in RSA. Is it just by changing the structure of the message?

I'm trying to understand the complexity of computing the Merkle root for stateful hash based signature schemes. Section 4.1 of the chapter on hash based signatures in "Post Quantum Cryptography" – by Bernstein, Buchmann and Dahmen (Springer Berlin Heidelberg states) -

($H$ in the following excerpt is the height of the Merkle tree, and $N$ is the number of leaf nodes such that $H = \log_{2}(N$)) ...

$ G \space is \space an \space elliptic \space curve \space group \space G \space with \space order \space q$ and three hash functions are defined as this: $$ H_1: \{0,1\}^*\times G \rightarrow Z^*_q $$ $$ H_2: \{0,1\}^*\times G \times G \rightarrow Z^*_q $$ $$ H_3: \{0,1\}^*\times Z^*_q \times G \times G \rightarrow Z^*_q $$ I searched and found this question and as far as I understand $ H_0: \{0,1\}^ ...

I am confused about whether/how ZKP based entity/message authentication scheme can achieve identity privacy, especially unlinkability. The security properties I'm looking for in the scheme is authentication (identity proof), such that the prover can prove it has some kind of identity so that it is allowed to be in the communication; and identity privacy, such that the real identity is hidden and differe ...

Web Crypto API allows creating ECC keys with some known curves: https://developer.mozilla.org/en-US/docs/Web/API/EcKeyGenParams

Those are P-256, P-384, P-521.

However as answered at this answer https://crypto.stackexchange.com/a/30273/99862

There are secp256k1, and secp256r1, and maybe more?

Which is the exact P-256 implemented by Web Crypto API?

Let $n = pq$, $p,q$ are two large primes, then $\mathbb{Z}_n^*\cong \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. We disclose $n$ and keep $p, q$ secret. Is it secure if we disclose a random element $a$:

$a\in \mathbb{Z}_n^*$, $a = 1 \mod p$

That is, to disclose a random chosen element in $\langle 1\rangle \times \mathbb{Z}_q^*$ ? How to prove it?

Let $(E:y^2=x^3+ax+b) $ on $\mathbb F_q$, with $ q \mod 2=1$.

If $\gcd(3,q-1)=1$ and $a=0$, then it's easy to find the cardinality of the curve $E$ : $|E|=q$.

Are there an another conditions on $(q, a, b)$, where it's easy to find $|E|$?

In the SPHINCS+ paper(https://sphincs.org/data/sphincs+-paper.pdf) part 3.2, it explains that they are not using l-trees as a direct consequence of the use of tweakable hash functions.

I have read the tweakable hash function part, but the math made me so confused. Can you explain to me the difference between the usual WOTS+ and the WOTS+ used in the current SPHINCS+? Is there a difference in the  ...

Considering that P1 has value x, P2 has value y and they want to compute x+y without telling the other what he has,So P1 and P2 secret-share their values to each other. Now P1 gets x1 and y1, P2 gets x2 and y2 and they locally compute xi+yi. If P1 want to compute x+y = (x1+y1)+(x2+y2), P2 need to send x2+y2 to P1, but P1 can get x2 by computing x-x1, thus P1 can get y2 and then get the value y, which is ...

In this paper I'm reading (specifically section 3.1), the authors say that the BFV encryption scheme supports plaintext multiplication, which basically means that given a ciphertext, $c$ that is an encryption of a plaintext $p_1$ and a plaintext, $p_2$, one can easily compute an encryption of $p_1 \cdot p_2$. What's more, this can be done without the evaluation key. How exactly does this "plainte ...

Given a RSA modulus $n$, which is the product of two safe primes: \begin{align*} P &= 2p + 1 \quad\quad\quad Q = 2q + 1 \\ n &= P \cdot Q = 4p q + 2 p + 2 q + 1 \end{align*} The hidden group order is then \begin{align*} \Phi(n) &= (P-1)(Q-1) = 4p q \end{align*} Choosing some random element $z \in \mathbb{F}_n^*$, then most likely $z^4 \in C_{p q}$ (the subgroup of $\mathbb{F ...

I know that the security of both are the same (only nonce size is different). But which one is faster and better to use, when encrypting a lot of files (500+, from 1MB to 200MB)?

Recently, I started looking up for details about implementing a blind signature on ed25519 cryptographic. I saw this article https://stan.bar/blindsig/ by Stanislaw Baranski about it. In the first point, it says that Bob generates random number (nonce) $k$ in range $(1, q-1)$, computes $r=k \times G (\mod p)$ $r=k×G(\mod p)$ and sends $r$ to Alice.

Now, how safe it is to make $r$ public and to sh ...

I am trying to understand the post quantum based signature scheme Dilithium. I know what the hard problems are in the scheme, but I am having trouble in understanding the utilization of short integer solution in the scheme. Specifically speaking, I can't understand exactly where this problem is used in the scheme. Also, what would happen if someone finds a solution to this hard problem, besides fi ...

Is it possible to generate a new valid signature for some arbitrary message using DSA if we know existing signatures for the same message? We are an adversary, therefore we do not hold the private key, but we have access to a couple of signatures for the same message, say $(r_1, s_1)$, $(r_2, s_2)$.

I have a course work for university.

The question is:

My solution to the question is:

    P||R = D(K,C)

However, in the question it doesn't say we are given R so I'm not sure how to get P from P||R.

This could be because my understanding of concatenation is incorrect as I see it as simply adding the nonce to the plaintext.

If what I have done looks correct please let me know, otherwise any help on  ...

Suppose I have some plaintext $M$, and I want to have some process $f$ to make ciphertext $M':=f(M,s)$, where $s$ is some secret. The ciphertext $M'$ can be decrypted by using some decryption process $M=g(M',k_1,k_2)$, where $k_1$ and $k_2$ are two keys, and $k_1$ is a random key (cannot be controlled, such as the current time), and $k_2$ can be generated from $k_1$ by using the secret, i.e. $k_2=k ...

I am currently trying to follow the proof of correctness in the CRYSTALS-Kyber paper. The following is an excerpt of the proof:

• On the one hand, I am interested in how exactly one justifies/argues that $\mathbf{y}$ is pseudorandom, based on the MLWE assumption. About the difference $(\mathbf{y} - \text{Decompress}_q(\text{Compress}_q(\mathbf{y},d),d))$ I think myself as $(\mathbf{y} - inaccuracy)$ ...

I need an encryption scheme where a single source/location can encrypt using their private key and while anyone with access to the corresponding public key can decrypt it. It has to be asymmetric to avoid any one else deriving that private key and pretending to become that source. For example, government issues an encrypted document that any one authorized with the issued public key can decrypt it. But  ...

Compute $n = pq$ where p and q are prime. Fix $e$ to be coprime to $\phi(n)$. Compute $d = e^{-1} \pmod n$ and verify $ed \equiv \phi(n) \pmod n$. We sign the (hash of) a message with $s = h^{d}$. A verifier computes $s^e = h \pmod n$. Why can't an attacker fix $h'$ and solve ${s'}^e = h' \pmod n$ to forge a signature $s'$ for a given $(n, e)$? What assumption tells us this computation is hard? If ...

I was reading the SPHINCS+ paper and got confused in the signing with FORS (forest of random subsets) part.

I understand how we can sign a message using FORS but I couldn't understand how we choose the corresponding WOTS+ key to sign the FORS root node with.

If we are going to choose only one of the XMSS trees in the bottom layer, does that mean the remaining trees are going to be redundant?