Latest Crypto related questions

I am trying to understand digital signatures and digital certificates. I know that digital certificates verify a server's public verification key but what does the website's (client) private verification key sign?

Suppose there is a ciphertext $C_1$ that hides message $m_1$ using a distributed additively homomorphic public key. I would like the holders of the key to run a protocol where if $m_1 = 0$, then it will return a ciphertext of $0$, but if $m_1 \neq 0$, then it will return a ciphertext of $1$. However, I would like this done without the key holders knowing whether $m_1 = 0$. I am assuming that there  ...

Problem example

Let's say I have a plaintext with length of 50 bytes. I want to encrypt it using a stream encryption algorithm ChaCha20-Poly1305.

Poly1305 generate a 128 bit hash (16 bytes), so encrypted message will be of length 50 + 16 = 66... If I append nonce to it (12 bytes), it'll be 78 bytes.

But... When I add for example 1 more byte to a plain text, cipher text will be of a length 79 bytes (+1) ...

Given the following code, extracted from a Bip39 implementation for Android by Zcash

PBKDF2SHA512(
    passphrase = veryHighEntropy secret bytearray,
    salt = pontentiallyLowEntropy secret bytearray,
    iterations = 2024,
)

What happen if the passphrase gets leaked? is the total entropy of the hash reduced to the entropy of the salt?

If I understand correctly the secret salt should functions as a  ...

I've recently become interested in homomorphic encryption, specifically how boolean gates are constructed to do arbitrary circuit arithmatic on the encrypted data without decrypting it.

I have heard that all you need are arbitrary addition and multiplication operations to arbitrarily construct boolean gates that can operate on the ciphertext, specifically NAND gates, which are functionally complete

Suppose Alice has a verifiable (message, signature) pair from Cedric, who would not cooperate and routinely uses an algo (ecdsa, eddsa, rsa, or insert yours here) to sign messages.

Alice wants to interactively prove to Bob she has that (message, signature) pair with the valid signature, obviously. It doesn't have to be "zero-knowledge" - she might divulge bits and pieces, but it shouldn't be less har ...

As far as I know, key exchanging algorithms are vulnerable to an active MITM attack.

Let A (Alice) and B (Bob) be parties with no secret information. An adversary C playing man-in-the-middle interacts with A pretending to be B, and interacts with B pretending to be A. At the end, C establishes a separate channel with A and with B. Then, any message sent by is decrypted by C (using the key generated with ...

I am having a university assignment that requires me to study on the threats that quantum computer poses to modern cryptography.

At the moment, I know that modern symmetric encryption will reduce their key size strength in half through Grover's algorithm. It can also break existing standardized RSA, Curve448 and Curve25519 (Not Grover's algorithm).

Can I have the papers or some layman's reference li ...

I am reading the paper A Concrete Security Treatment of Symmetric Encryption and am confused by the reduction from ROR to LOR on page 11. Specifically, when it says:

When $\mathcal{O}_2(\cdot)=\mathcal{E}_K(\mathcal{RR}(\cdot,0))$, we have that $\mathcal{O}_1(\mathcal{LR}(\cdot,\cdot,0))$ and $\mathcal{O}_1(\mathcal{LR}(\cdot,\cdot,1))$ return identically distributed answers.

So, $\Pr[\mathbf{Exp}_ ...

Here is my idea:

Under the symmetric key encryption. Alice and Bob share the symmetric key K. Let HASH be a secure hash function and Enc_k(message) be the encryption message m by AES in the CBC mode with a random IV

First, Alice compute c = Enc_k(message)

Second, Alice compute t = Hash(m)

Third, Alice sends (c, t) to Bob

Fourth, Bob receive (c, t), first verify if Hash(c) = t. If this is the case, ...

Suppose you have two files encrypted with AES-256. One of the two files is 5MB, the other one is over 1GB. Their passwords are reasonably strong: >12 characters, letters, numbers, upper and lower case characters. If you tried to brute-force them, would it take a shorter time to try the same number of passwords on the smaller file than on the larger one?

For example (just making up numbers here ...

I have a CBC-MAC scheme using AES as the block cipher (T=H_K1(M)), which gives me a tag and a stream cipher using another key and a nonce, which gives me a cryptotext (C=E_K2(N,M)). So my question is based on a known-plaintext attack to create a valid (ciphertext, nonce, tag)-tuple. I already figured out how I can create a new message to get the same tag with a given pair (M,T):

M1 = M xor T => T = H ...

I am currently studying the Kyber Paper. I have a question about section 2.2 Compression and Decompression, but first I would like to quote the statement:

Compression and Decompression. We now define a function $\text{Compress}_q (x, d)$ that takes an element $x ∈ \mathbb{Z}_q$ and outputs an integer in $\{0,..., 2^d − 1\}$, where $d < \lceil\log_2(q) \rceil$. We furthermore define a function

So I'm currently working through this cryptography question and so far I have the answer of an increase of hackers due to increase in computational power. But apart from that I don't know what else. Number spoofing? Weaker security mechanisms in organisations? Not really sure apart from the computational power increase point.

I'm creating a mobile chat application using python (django) as backend, and I'd like to implement an end-to-end (E2E) cryptographic system for protecting messages.

Now, as I understood so far, when one of the user create the chat, the server will go to generate 2 couples of public and private key, and the next step is to exchange the public keys between the users and save locally the private one ...

I'm working on this past exam paper and found this question about pre-image resistance and its relation to data integrity:

Displaying the hash of a file on a website in order to provide data integrity relies only on the preimage-resistance property of the underlying hash function. Is this true or false?

I answered false due to the fact that:

• Pre-image only makes it infeasible to find an input that ha ...

Yesterday IBM announced that they have a 433 bit quantum computer, called Osprey. There is nothing in the press releases I can find that says whether it can or cannot run Shor's Algorithm.

They also say they are on track to release "Condor", an 1121 bit processor next year.

Shor's algorithm, as far as I know, requires twice the number of bits in the key, so a 256 bit key requires 512 qubits to crack. Henc ...

When I'm convincing non-believers that crypto is secure, I have a hard time with hash functions and the associated block ciphers.

It is easy to show why RSA is hard to crack: I multiply two small primes and ask people to factorize the product. They find it difficult compared to the multiplication step.

It is easy to show how Vernam cipher is secure: I tell them an Alice and Bob story with a flipping ...

I've been reading lately some contradicting messages with regards to the quantum-safe resistance of AES128. First, there are blog posts by Ericsson people like these ones:

Can quantum attackers break AES-128?

No. NIST estimates that a quantum computer breaking RSA-2048 in a matter of hours could be built by 2030 for about a billion dollars. This means that NIST estimates early quantum computers t ...

I am trying to solve this problem from https://toc.cryptobook.us/book.pdf. I am having trouble with this question :

(Baby Bleichenbacher attack). Consider an RSA public key (n, e), where n is an RSA modulus, and e is an encryption exponent. For x ∈ Zn, consider the predicate Px : Zn → {0, 1} defined as:

Show that by querying the predicate Px at about log2 n points, it is possible to learn the ...

TL:DR I'm learning RSA. I've made it to the decryption stage but I don't know how to handle huge exponents. These are my values:

p = 17  
q = 31
e = 7
m = 2
n = 527
(n) = 480
de = 7(343) = 2401
d = 343
PU = {7, 527}
PK = {343, 527}
C = 128

So I'm unable to handle the processing of the decryption of Cipher text 128, without a calculator or tool. With a tool, I think the value is 2. How can I process th ...

How many timestamps are issued when someone signs a PDF with timestamp Long Term Archive (LTA)? Why is it necessary to issue more than one timestamp?

I have some troubles with this proof from Foundations of Cryptography by Oded Goldreich p.52. Why exactly does the parsing of x to x'x'' take quadratic time in length x'x''? If I have |x'x''|=p(|x'|), and a x of this length. I will try step by step all prefix lengths |x'| in {1, 2, ..., |x|}, till I have p(|x'|)=|x|. So I determine at most p(1), p(2), ... p(|x|). I am not quite sure what to say about t ...

I'm trying to understand CKKS (non bootstrappable) and I'm struggling with the encoding part. Particularly with to questions. I'm using the original paper , "Homomorphic Encryption for Arithmetic of Approximate Numbers ", also this notes "Lattices, Homomorphic Encryption, and CKKS" and this blog.

Given a vector $z\in \mathbb{C}^{N/2}$ they use the canonical embedding $\sigma^{-1}$ to map it to $\mathcal ...

Given a random 256bit key used for data encryption with Streaming AES GCM

I would like to wrap it for backup with AES GCM.

Is it safe to use

HKDF(
    km = new random 256bit key
    salt = Argon2(weak password) 256bit
    algo = HMACSHA512
    outputkey = 256bit )

in theory the km parameter has to be stored safely offline in hex format, similarly on how bip39 does with mnenonic words. And the prod ...

I have a pair of coordinates of which all values belong to $Z_{p}$ where $p$ is a prime. I want to construct a straight line that goes through those two coordinates. Then I want to generate two more random points on that line. I also need a function that returns the value of y given any x on that line. For that I can treat it as a linear diophantine equation and generate any number of random integer c ...

I am wondering if there might be a scheme for the following scenario: Let's suppose a government wants a truly democratic intelligence agency. For this the government publishes all intelligence reports in an encrypted format to the public and allows people to do a majority vote to declassify its contents.

A naive solution would be to simply employ a Verifiable Secret Sharing Scheme for every publ ...

Imagine an MPC protocol where both multiplications and additions come for free (2 round). The protocol works over arithmetic circuits, and the security setup is as relaxed as possible:

1. Semi-Honest.
2. Honest Majorities.

• Does such a protocol exist?
• If so, what would be the most restrictive security model, and maintain the 2 rounds?

I'm trying to verify a time stamp token embedded into a PDF using the PDF 2.0 feature of the "Document Time-stamp Dictionary". The embedded time stamp token is exactly the token of a time stamp response from a time stamp authority server.

Since the OpenSSL library of Ruby doesn't seem to provide the necessary interfaces to do the task, I'm trying to do it manually. And I'm stuck at verifying that ...

I am having difficulty visualizing the stepping process.

The permutation of Wheel I of Enigma I is as follows:

ABCDEFGHIJKLMNOPQRSTUVWXYZ  
EKMFLGDQVZNTOWYHXUSPAIBRCJ  

For this rotor, the stepping notch is at Y. The literature states that the letter Q is visible when the notch is positioned, and after the step, R is visible.

It is my current understanding that the lower (exit) row increments with eve ...