Latest Crypto related questions

Today, I found a website for Pedersen commitment scheme; however, the generators g and h are not independent and therefore a prover can open a commitment c into many ways. I computed the commitment c for a message m and a randomness r (assuming that I know s):

c  = g^m * h^r 

   = g^m * (g^s)^r 

   = g^m * (g^(s * r))

   = g^(m + s * r) 

Say, I have committed to the message m, randomness r, and the c ...

I am reading about bitcoin and I am a little confused about "elliptic curve function" and "SHA256". Do they have the same properties? Can both be used to generate private and public key pairs?

Let us say we have to generate Shamir's secret share for n data points. Is there a way to speed up the implementation apart from using Horner's rule for the polynomial evaluation?

I am trying to solve a problem that reads as follows:

Let $E_1 = (\text{Gen}_1, \text{Enc}_1, \text{Dec}_1)$ be a crypto system that has perfect secrecy. Denote the message space $\mathbb M_1$, the key space $\mathbb K_1$ and the cyphertext space $\mathbb C_1$ ($\mathbb M_1=\mathbb C_1 = \mathbb T, \mathbb K_1 = \mathbb K$). Let $E_2 = (\text{Gen}_2, \text{Enc}_2, \text{Dec}_2)$ be a crypto system ...

I understand that it is feasibly impossible for A and B to select the same random number, given the large input space, but what if it does happen? Does it effect the security of the key exchange? Can an attacker determine that the same keys were chosen?

Can an authenticated encryption scheme (like AES-GCM) detect if a wrong key is used for decryption? If not, what is the standard way to check whether the entered key is indeed correct. I presume KCVs can be used for this but does this somehow leak any information about the key?

I'm going to be teaching an audience about algorithms. I'd like to give them one to create unique personal passwords for websites.

1. They could start with the domain name of the site and their own secret "word".
2. The algorithm would be simple enough to memorize. Failing that, they could sketch out my flowchart on the back of a business card or something else that fits in a wallet.

There are similar q ...

I would like to know about encryption schemes that are based in Fractal theory, while they have decent security and are pretty fast.

While talking about symmetric encryption schemes like AES we always have a goal of achieving confusion and diffusion. But when it comes to asymmetric encryption schemes like RSA, DH etc. we never talk about diffusion and confusion.

Is it known that modular arithmetic and prime arithmetic ensure confusion and diffusion?

Is there any literature that dives into the information theoretic analysis, in te ...

I am studying finalist algorithms of NIST Post-Quantum Cryptography Standardization. I noticed that almost all third party cryptanalysis papers consist of side-channel attacks. Why are classical cryptanalysis methods -algebraic, mathematical attacks etc.- more effective on classical algorithms than post-quantum algorithms?

In addition, I know that mathematical problems behind post-quantum algorit ...

In Key Policy Attribute-based encryption if we need a targeted broadcast where the set of attributes are the same for a group of users. It means they all share the same secret key right? Or is it that every user needs to have at least 1 attribute value different from all other users.

Example: If I need to encrypt a message to everyone who is a researcher in CS then attribute= researcher dept=CS.  ...

In the bounded storage model, it assumes the storage of the adversary is bounded or limited, and thus it is possible that we can achieve a kind of cryptography without relying on hardness assumption. But what does it mean by "bounded storage"? Should it assume the length of the message is always too long for any computer on the earth to store? So can I conclude that the cryptographic scheme that replies ...

For a long time I've used the uuid npm package for my v4 uuid needs. It seems in recent versions of node they have introduced a built-in crypto module with the method randomUUID.

Some benchmarks have been done to show crypto.randomUUID is much faster than uuid.v4 (roughly 3x +).

However I can't find any information about how the implementations differ (if at all) in terms of how they choose random num ...

Assuming that $x$ is a sequence of $l$ bits and $0 \le n < l$, let $R(x, n)$ denote the result of the left bitwise rotation of $x$ by $n$ bits. For example, if $x = 0100110001110000$, then $$\begin{array}{l} R(x,0) = {\rm{0100110001110000}},\\ R(x,1) = {\rm{1001100011100000}},\\ R(x,2) = {\rm{0011000111000001}},\\ \ldots \\ R(x,15) = {\rm{0010011000111000}}. \end{array}$$

Let $A \oplus B$ denote th ...

I'm currently studying AES encryption and I'm quite confused on how do we use a 256-bit key in AES?

Becuase in my understanding, AES no matter what the key size is, it still operates and encrypt a 128-bit block of message only in the whole cycle/rounds until it reaches the end.

well for AES-128 we use a 128-bit key that is total of 16 byte char, and that can be represented by a 4x4 matrix, and most  ...

What makes IBE (Identity-based Encryption) unsuitable for Access Based mechanisms? What are the attempts made for using IBE for access control?

How does the concept of ABE (Attribute-Based Encryption) sort out the issue?

I am trying to make an RSA module in VHDL, which in turn will be deployed to an FPGA. I am trying to implement a full Montgomery algorithm which means that I am working with the Montgomery Exponetiation algorithm, and the Montgomery Multiplication algorithm. Mostly my tests consists of generating random numbers (keys, modulus, r, messages) that I use to perform encryption/decryption. If the original mes ...

Suppose I use the hash-and-sign paradigm and reveal a signature on the message digest $\sigma(H(m))$. Would just revealing this signature violate message confidentiality (assuming H is one-way and collision resistant)?

According to https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#From_mnemonic_to_seed

To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The le ...

Suppose Alice sends message $Enc(k_{AB}, m)$ to Bob where $k_{AB}$ is the common symmetric key. Next Alice sends a signature of $H(m)$ $\sigma_{sk_A}(H(m))$ signed under her private signing key $sk_A$ to Eve, where H is a secure hash function. Then, Bob decrypts the message and sends it to Eve where she verifies it with the signature. Here, either Alice or Bob can be malicious. If Bob is malicious, he g ...

I am trying to choose a mode of operation for encryption which does has the lowest malleability and is specifically not vulnerable to a bit flip attack. My understanding is that PCBC is the only mode which makes the rest unreadable, therefore is the best option?

I do not want to apply any message authentication at this stage.

Thanks!

(Cross-listed on math stackexchange, received no replies) For context, this is a homework question from an assignment already turned in. I am looking for better understanding of the concepts involved, mainly complexity theory since I have not seen it before outside this class (and prior knowledge was assumed).

I am asked to evaluate the complexity of RSA decryption with and without using CRT, wit ...

From what I know, proving the existance of a Knowledge Extractor implies perfect soundness.
So why in zk-SNARKs (and similar) we talk about Arguments of Knowledge, where the soundness property is only computational (a.k.a, secure only from computationally bounded Provers), if a Knowledge Extractor also exists? Am I missing something? Maybe a Knowledge Extractor can be proven in different "levels" of ...

I'm currently studying a paper (Sequences of Games: A Tool for Taming Complexity in Security Proofs) on proving semantic security using the Game Hopping technique by Victor Shoup.

On pages 9-11, he is using a sequence of three games, $Game 1$, $Game 2$, and $Game 3$ to deduct the semantic security of Hashed ElGamal to DDH and entropy smoothing assumptions. How does he combine the three probabilitie ...

1. I've heard that STARKS are not a non-interactive protocol, if so:

• What is (briefly) the mechanism they use to operate?
• Can they be considered a Sigma protocol?
• Why SNARKs are not interactive, instead?

2. Is it correct to state that STARKS are quantum-secure and they don't need a trusted setup because they are defined in the random oracle model, and they use a hash that is collision resistant and this i ...

To my understanding, the DHKE algorithm is symmetric since it only produces a shared secret, rather than public and private keys, however googling "is diffie hellman asymmetric?" results in the following:

Based on public key cryptography, the D-H algorithm is a method for securely exchanging a shared key between two parties over an untrusted network. It is an asymmetric cipher used by several protocols  ...

Is hashing random numbers generated from a TRNG enough to create a key?

Basically taking the output of something like a Lavarand and pass that through a hash function like sha-2.

I guess at the end of the day the core of my question is, can an hash function be used as a pseudorandom number generator?

Would it be beneficial to create a cryptographic hash function for more security. A cryptographic hash function is pretty much a pseudorandom string generating algorithm and it can easily be made difficult to break by increasing the number of possible hashes that can be generated.

Why make another cryptographic hash function

I want to hash passwords in a database such that the attacker cannot find ...

Hi I'm fairly new to studying cryptography and I'm just curious about the security of Vigenère cipher.

Given today's powerful super computers, how secure/unsecure does Vigenère cipher can get?

let us say we will only use Vigenère cipher with the following requirements:

• encrypt only non-text files
• only use keys that has byte character > 10,000
• use ECB mode of encryption

Is there a way for today's  ...

This is in context with the inbuilt berlekamp_massey function in SAGEMATH.

While computing the minimal polynomial of the sequences using the Berlekamp Massey function, I have felt that the Berlekamp Massey function in Sagemath is so designed that it requires the periodic sequence to be repeated twice for correct results. Considering the problem of computing the linear complexity of the periodic s ...