Latest Crypto related questions

From the Wikipedia page for DSA(Digital Signature Algorithm) we have the following private/public key generation:

1. Choose an integer x randomly from [1, q-1]
2. Compute y := g^x mod p
3. x is the private key, y is the public key

My question is: How are we sure that there does not exist z != x from [1, q-1], such that y = g^x mod p = g^z mod p and as a result, obtaining the same public key for different (z ...

I have seen a few answers here and elsewhere that say a salt doesn't need to be cryptographically secure randomness but rather just unique since they are stored in the open anyway. I am working on an implementation of PBKDF2 and AES-CBC and reading NIST SP 800-132 Recommendation for Password-Based Key Derivation from 2010, it states in section 5 regarding salts:

All or a portion of the salt shall

I am looking for authenticated key exchange protocols (AKE) based on a generic key encapsulation mechanism (KEM) and providing full/perfect forward secrecy. Optionally, the protocols should offer external anonymity. The idea is to plug into the protocol an existing post-quantum KEM such as CRYSTALS Kyber or SABER.

My research brought me to the following protocols, but which are not totally matchi ...

Let $\mathcal R$ be the ring of integers of a power of two cyclotomic field. That is, $\mathcal R = \mathbb Z[x] /\langle x^{2^k}+1\rangle $ for some integer $k$. We denote $\mathcal R / q \mathcal R$ by $\mathcal R_q$. This is a well known setup for ring-LWE.

I think that for randomly chosen element $a \in \mathcal R_q$, as I know, the algebraic norm $N(a)$ is approximate to $q^n$. (But I do not a ...

AES-GCM-SIV takes a 96 bit nonce, like the original GCM. The RFC states that "it is RECOMMENDED to use this scheme with randomly chosen nonces". It uses the random nonce to generate per-message encryption and MAC sub-keys using a PRF based on AES, and claims this construction offers beyond birthday bound security:

The AEADs defined in this document calculate fresh AES keys for each nonce. This allows a ...

This is not for a production application, but just my exploration to help me understand cryptography.

At the simplest level, I want to design a key-value store for user secrets.

This is exposed over an HTTPS API with usual create-read-update-delete operations supported: send a post request with a body of a sercret, the server encrypts and stores that secret, then returns back an id for that secret;  ...

This question is related to "Is it safe to initialize a random number generator with MD5?".

But in the context of steganography we don't know which pixels have been selected to hide information. In addition, the content could be encrypted, so we do not know if the hidden information that we extract (with a guessed password) is the message or noise.

In this scenario, is it safe to initialize a PRNG w ...

RFC 8784 introduces a staightforward mechanism to use a pre-shared key to make modified IKEv2 key agreement resistant to a quantum computer Shor algorithm attack- thus providing a "quantum-safe" infomation channel. One use of this information channel could be to share keys.

QKD authentication requires a PSK in order to be quantum safe. And then can provide a quantum safe channel to share keys.

Both ...

I am looking for symmetric cryptography algorithms that can be implemented on chips with very few resources (about 256K RAM and 16MHz CPU).

An algorithm that works perfectly in this environment is RC4, however it has multiple vulnerabilities. Are there algorithms that can be implemented in this type of systems that do not have known vulnerabilities?

The MD5 algorithm is no longer considered secure for most applications of a hash algorithm. However, is it safe to initialize a PRNG via a password?

If it is not, how could it be exploited?

On first glance, the optional customization string for cSHAKE resembles the optional salt input to HKDF-Extract. Indeed, the Noise Protocol Framework initially uses a protocol identifier string as its HKDF salt value (chaining key in Noise), which looks very similar to examples of customization strings given for cSHAKE. Both HKDF's salt and cSHAKE's customization string are intended in part for domain sep ...

I have read that some integers are not appropriate to be chosen as the modulus in an RSA cryptosystem. Some of these numbers are those that, given a modulus $n=pq$, then $p-1$ or $q-1$ do not have large factors. This is due to the fact that there are factorization algorithms that allow this type of modulus to be factored efficiently.

My question is, what other types of integers are not suitable t ...

I know that SSL Certificates use a private key on the server side and the public key for verifying it on the client side. I am wondering, is it the same for Code Signing Certificates? Or do they just use a single Certificate, signed by the CA, that you use to sign your code with. Or do you sign it with a private key, and then when you ship it, the public certificate is also provided for verification of  ...

I have two ETH transactions (both belonging to the same address) that both have the same r value in the transaction signature, is it possible to extract the private key from it? Details of both transactions below:

address: 0xF55f348c48bd2811a34105899db5fF7C2EBD9934

transaction hash(1): 0x374180005946ef3b1906ee1677f85fa62eb5a834aa0241b4c9c74174bca26a07

r: 0x41d43fd626c24e449ac54257eeff271edb438bbabbc9be ...

Given $E/K$ defined over a finite field extension $K$, can I find another curve $E'/K'$ and a group isomorphism $\phi: E/K \to E'/K'$, where $K'$ has an extension degree lower than that of $K$?

If $K = K'$ then we speak of isogenies defined over $K$, but I am specifically looking for an isomorphism defined over finite fields of different extension degree.

For instance given $E(\mathbb{F}_{p^2})$ for prime ...

How can I ensure that person X on website A is the same person who contacts me? Here is my use case.

On website A I post message asking username X to contact me. Someone send me an email - how do I ensure it is the same person? Website A does not have a private messaging functionality and all posts are public and visible for everyone.

I was thinking about most obvious way to do it when username X po ...

I want to AES-GCM some user data that I‘m going to persist in a database. I‘m wondering if I should encrypt individual columns (all with an individual IV ofc) or JSON stringify the sensitive data and then encrypt the whole dataset.

Despite the problem that I need more database space for storing additional IVs, I feel like encrypting individual columns leaks some information about the length o ...

I'm currently reading the specification of Salsa20 (link). DJB on whether he chooses "xor-a-rotated-sum" instead of "add-a-rotated-xor" states the following :

Should there be modifications other than xor-a-rotated-sum? There are many plausible ways to modify each word in a column using other words in the same column. I settled on “xor a rotated sum” as bouncing back and forth between incompatible ...

Given that H is a collision-resistant hash function from 2n-bit strings to n-bit strings.

How do I prove that Hash is collision-resistant if:

$$\text{Hash}(X_1∥X_2∥X_3) := \text{H}(X_1∥H(X_2∥X_3))$$

According to the following, ecdsa-256 only provides ~128 bit security even for 256 bit private key:

A multi-target attack on 128-bit ECDSA private keys

If the private key has only 128 bit entropy but constant-padded to 256 bit, then the corresponding 256 bit public key is distributed. Would it provide the same 128 bits security?

I want to ask 2 questions:

• Is GCC's stack canary cryptographically secured?
• Does stack canary in general has to be cryptographically secured?

I have two servers. A production server with a signed (trusted ca) cert and a test server with a self-signed cert.

How big is the difference between the two handshakes?

Because when benchmarking the two servers the self-signed handles ~90 req/sec where the trusted ca cert ~17 req/sec

The server with the self-signed cert handles about 5 times as many reuests per second as the trusted ca cert

Both  ...

How can I show that AES-GCM is secure under the adaptive chosen ciphertext game? This is assuming the GHASH Mac tag can't be forged faster than brute force?

A user of this forum told about ideal and practical hash functions.

What is the difference between them?

Can someone provide examples of ideal and practical hash functions?

In this post the top answer says that for $\mathbb Z_p^*$, $k$, the order of an element $g$, divides p-1. Then it was concluded that this entails we can check if $g$ is a generator by checking if $g^k\bmod p\ne1$, with $k=(p-1)/q$ for $q$ each of the distinct prime factors of $p-1$.

Why does the first claim being true entail the conclusion that the test is valid?

I know that the Chaotic Logistic map is $x_{n+1}=Rx_n(1−x_n)$. I read some articles about the Chaotic Logistic Map, but some things are not clear. Someone wrote in his article the following: The initial condition $x_0$ for the logistic map is extracted from the string of $256$ bits ($32$ characters) taken in ASCII form and denoted as $K=K_1,K_2,K_3,\cdots,K_{32}$ ($K_i$ denotes the $8$-bit key chara ...

It was a challenge from CTF (ended), but I didn't solve it.

p, q = keygen(512)
n = p * q
flag = bytes_to_long(flag)
enc = pow(n + 1, flag, n**3)

So we have module and encrypted flag. We don't know module's factors (p,q). I have tried some ways, search another writeups and read many topics, but I didn't find any information how solve it.

As far as I know Additive Secret Sharing uses a finite field to generate its shares. The gist of the scheme is that the shares $A_{shares}$ = {$A_1, A_2, ..., A_n$} of a value $A$ on a finite field $N$ can be attained by:

$A\ mod\ N = \sum_{A_i \in A_{shares}} (A_i\ mod\ N)$

If all shares in $A_{shares}$ are positive and no finite field was used, an adversary could infer from any given share that the t ...

I am learning about the concept of two security notions called IND-, which include IND-CPA, IND-CCA1 and IND-CCA2. While I got some grasp understanding about the scenarios between the challenger & attacker for each of these models. I am still not able to comprehend what properties of a security model are required to "upgrade" from IND-CPA to IND-CCA1, thus IND-CCA2.

• Starting with IND-CPA, I under ...

I have a question in the context of two-party computation and the proof of the security of an MPC. I have looked at some of the beginning parts of this, this chapter 7, and
this But I couldn't achieve my answer.

I want to understand the difference of a malicious adversary with an honest-but-curious one, and to get what does it imply.

Does the security against malicious adversary exactly means that if ...