Latest Crypto related questions

Score: 0
DP2040 avatar
Is a pseudorandom function (PRF) also a one-way function (OWF)? If yes, how can we prove that a PRF $f_k$ is an OWF? If no, what is the closest work?
cg flag

Let $f_k$ be a PRF. We claim that $f_k$ is an OWF. Proof: suppose $f_k$ is not an OWF; then there exists a PPT algorithm $A$ that can invert $f_k$ with non-negligible advantage. Even if we know the input $x$ for a given $f_k(x)$ with non-negligible advantage, how can we claim that we can distinguish $f_k(x)$ from random with non-negligible advantage? Here, the key $k$ is still secret.
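An added sketch of the standard reduction, not part of the question above. It assumes $f_k:\{0,1\}^n\to\{0,1\}^m$ with the key $k$ uniform and secret, $x$ uniform, and $n, m$ superlogarithmic in the security parameter, and it handles the point raised in the question by letting the distinguisher evaluate $f_k$ only through its oracle, so $k$ is never needed.

Suppose a PPT $\mathcal A$ inverts $f_k$ with non-negligible probability $\varepsilon$:
$$\Pr_{k,x}\big[\,f_k(\mathcal A(f_k(x))) = f_k(x)\,\big] \ge \varepsilon .$$
Define $\mathcal D^{\mathcal O}$ as follows: pick $x \leftarrow \{0,1\}^n$, query $y \leftarrow \mathcal O(x)$, run $x' \leftarrow \mathcal A(y)$, query $\mathcal O(x')$, and output $1$ iff $\mathcal O(x') = y$.

If $\mathcal O = f_k$, the event $\mathcal D = 1$ is exactly the inversion event, so $\Pr[\mathcal D^{f_k} = 1] \ge \varepsilon$.

If $\mathcal O = R$ is a truly random function, $y = R(x)$ is uniform and independent of $x$, so $\Pr[x' = x] = 2^{-n}$; and when $x' \ne x$, $R(x')$ is a fresh uniform value, so $\Pr[R(x') = y \mid x' \ne x] = 2^{-m}$. Hence
$$\Pr[\mathcal D^{R} = 1] \le 2^{-n} + 2^{-m}.$$

Therefore
$$\big|\Pr[\mathcal D^{f_k}=1] - \Pr[\mathcal D^{R}=1]\big| \ge \varepsilon - 2^{-n} - 2^{-m},$$
which is non-negligible, contradicting PRF security. The only thing $\mathcal D$ needs beyond what $\mathcal A$ sees is one extra oracle query to check the candidate preimage $x'$.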

Score: 0
Looking for the proof of the prod check gadget referred to by Boneh in his PLONK video
et flag

I am going through Dan Boneh's video tutorial on PLONK Polynomial IOPs - https://www.youtube.com/watch?v=vxyoPM2m7Yg

He describes 3 types of proof gadgets he will use (Proof Gadgets)

He gives a proof of the Zero Test which I understood. However, he doesn't cover the proof for the Sum Check & Product Check in his video.

Prod Check

Prove that $\prod_{a \in H} f(a) = c$

He says that has Product Check covered in ...

Score: 4
notatypewriter avatar
What is the impact of leaving a salt used in HKDF open to attacker control?
lu flag

RFC 5869 for HKDF says "an application needs to make sure that salt values are not chosen or manipulated by an attacker" [1]. Soatok also discusses some nuances in choosing salts for HKDF [2]. This question also discusses a situation where it led to a vulnerability [3].

While these sources all indicate that salts should not be left to attacker control, I would like to know exactly what is put at risk by doin ...
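An added example, not part of the question above and not taken from any of the sources it cites. It implements HKDF per RFC 5869 on top of the standard library and shows one concrete property an attacker gains from choosing the salt: because HMAC canonicalises its key (zero-padding short keys, hashing long ones), two different salts can yield byte-identical derived keys. The input keying material and salts are constructed for the demo.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes for SHA-256
BLOCK_LEN = HASH().block_size   # 64 bytes for SHA-256; HMAC keys longer than this are hashed first


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, 2.2): PRK = HMAC-Hash(salt, IKM).
    A missing salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def salt_aliases(salt: bytes) -> list:
    """Distinct salt values that HKDF treats identically to `salt`, because HMAC
    canonicalises its key before use:
      - a key shorter than the block size is right-padded with zero bytes, so
        salt and salt || 0x00... give the same PRK;
      - a key longer than the block size is replaced by Hash(key), so a long
        salt and its hash give the same PRK.
    An attacker who chooses the salt can therefore present two different salts
    that derive the same key, which bites whenever the application also treats
    the salt as an identifier, a nonce, or a value bound into a transcript."""
    aliases = []
    if len(salt) < BLOCK_LEN:
        aliases.append(salt + b"\x00" * (BLOCK_LEN - len(salt)))
    if len(salt) > BLOCK_LEN:
        aliases.append(HASH(salt).digest())
    return aliases


def rfc5869_selfcheck() -> bool:
    """Test case 1 from RFC 5869 appendix A, used only to validate this implementation."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes(range(0x0D))            # 000102...0c
    info = bytes(range(0xF0, 0xFA))      # f0f1...f9
    okm = hkdf(salt, ikm, info, 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56"
                         "ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    ikm = b"constructed input keying material"          # constructed for the demo
    for salt in (b"short salt", b"S" * 100):            # constructed salts
        key = hkdf(salt, ikm, b"demo context", 32)
        for alias in salt_aliases(salt):
            same = hkdf(alias, ikm, b"demo context", 32) == key
            print(f"salt of {len(salt)} bytes and alias of {len(alias)} bytes derive the same key: {same}")
```

The aliasing is a property of HMAC, not a flaw in HKDF, and it is harmless when the salt is a fixed application constant or a value the application generates itself; it only becomes relevant once an attacker can supply the salt and the application assumes distinct salts imply distinct keys.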

Score: 3
Prashant Agrawal avatar
Variant of CCA security for Paillier with blinded decryption oracle
ad flag

Consider a variant of the Paillier encryption scheme where the message space is restricted to $\mathbb{Z}_q$ such that the RSA modulus $N$ of the Paillier cryptosystem satisfies $N > q + q^2$. I am interested in the following variant of the CCA security game where the decryption oracle answers with not a complete decryption of the requested ciphertext but with an integer blinding of it:

  • $\mathcal{C}: ...
Score: 1
Wan avatar
Is every pseudorandom generator a one-way function, even if the output length has no extra restrictions?
se flag

Intuitively, if we can invert a PRG, then we can easily distinguish it from the uniform distribution by checking g(inverse(y)) = y. So every PRG is an OWF?

Unlike the problem "Is every pseudorandom generator a one way function?", I can prove that if the output length is large enough (for example |g(x)| >= 2|x|) then the PRG must be an OWF, but it seems that such a restriction is not necessary.

Score: 1
How to compute a ciphertext length from a cryptographic scheme?
va flag

I am trying to understand how this ciphertext length is calculated from a signcryption scheme to analyze the communication cost. I understand we consider the key length and the message length to calculate the ciphertext length, but I don't understand at what step and what parameters we actually consider. For example, in the given paper "A secure and lightweight certificateless hybrid signcryption s ...

Score: 3
darkFunction avatar
If a trusted entity is required to attest to a user's data accuracy, what is the value-add of ZKPs?
um flag

I think I understand the value of using ZKPs for proving things about data in isolated systems, like for privacy and computation roll-ups in blockchain L2s.

But I hear a lot about real-world use-cases, a classic example is proving your age is above a certain number, or proving your income to a mortgage lender, without revealing exact figures. While this sounds fantastic, in both these scenario ...

Score: 4
user108492 avatar
Reducing exact SVP to exact SIVP
gf flag

In "Efficient reductions among lattice problems" by Micciancio (2007) it is said that

SVP reduces to SIVP in their exact versions.

I did not find anything about this fact; is the reduction that trivial? Does the same hold for their approximation versions?

Score: 0
Aviril Smith avatar
Finding block mode and key length from encrypted data
au flag

I have AES-encrypted data and the key, but I am not able to tell the block cipher mode [ECB|CBC|CTR] used in encryption or the key length.

Below is the encrypted data output in java.

{"encrypt_data":"GorwlI4cdifSjaKM0Uu4v24DewQqsaN3VTkZMmtDZkttVdoUEV23mBYlYhbcB/oN","encrypt_aes_key":"VRkSYqtGUBr4Zzt7ET8kMw2dvrQkOBH2cGWYwKhNRUU5fCVP+UhZSDKDpQSwx5aHQNIGApRq9INRzLTlB9uJjUXgbl0yEL0Ztyk5OpBU4pIk1imRF ...
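An added triage routine, not part of the question above. It takes the `encrypt_data` value exactly as quoted in the post, decodes it, and reports what the bytes alone can and cannot tell you: the key length is simply the byte length of the raw key (16, 24 or 32 for AES-128/192/256), while the mode can only be narrowed down from block alignment and repeated ciphertext blocks. The `encrypt_aes_key` value is truncated in the post, so the key-length checks use constructed keys.

```python
import base64

# The "encrypt_data" field quoted from the question above. The "encrypt_aes_key"
# field is truncated there, so the key-length checks below use constructed keys.
ENCRYPT_DATA_B64 = "GorwlI4cdifSjaKM0Uu4v24DewQqsaN3VTkZMmtDZkttVdoUEV23mBYlYhbcB/oN"
BLOCK = 16  # AES block size in bytes, the same for AES-128/192/256


def b64_to_bytes(field: str) -> bytes:
    """Decode a base64 field, restoring '=' padding that is often stripped in JSON."""
    return base64.b64decode(field + "=" * (-len(field) % 4))


def aes_variant_for_key(key: bytes):
    """A raw AES key is exactly 16, 24 or 32 bytes. Any other length is not a raw key;
    a much longer blob is usually the AES key wrapped with something else (e.g. RSA)."""
    return {16: "AES-128", 24: "AES-192", 32: "AES-256"}.get(len(key))


def is_block_aligned(ct: bytes) -> bool:
    return len(ct) % BLOCK == 0


def repeated_blocks(ct: bytes) -> int:
    """Number of 16-byte ciphertext blocks that duplicate an earlier one."""
    whole = len(ct) - len(ct) % BLOCK
    blocks = [ct[i:i + BLOCK] for i in range(0, whole, BLOCK)]
    return len(blocks) - len(set(blocks))


def triage(ct: bytes) -> dict:
    """What the ciphertext alone can and cannot say about the mode."""
    aligned, dups = is_block_aligned(ct), repeated_blocks(ct)
    if dups:
        hint = "ECB almost certainly: identical plaintext blocks produced identical ciphertext blocks"
    elif not aligned:
        hint = "a stream-style mode (CTR, CFB, OFB, GCM): length is not a block multiple, so no padding"
    else:
        hint = ("block-aligned with no repeats: CBC (or ECB of non-repeating data) with PKCS#7 padding, "
                "or a stream-style mode whose plaintext length happened to be a multiple of 16; "
                "look for an IV/nonce sent alongside, and for a 16-byte tag if GCM is in play")
    return {"bytes": len(ct), "blocks": len(ct) // BLOCK, "block_aligned": aligned,
            "repeated_blocks": dups, "hint": hint}


if __name__ == "__main__":
    ct = b64_to_bytes(ENCRYPT_DATA_B64)
    print(triage(ct))
    for key in (b"k" * 16, b"k" * 32, b"k" * 128):   # constructed keys
        print(len(key), "bytes:", aes_variant_for_key(key) or "not a raw AES key (wrapped?)")
```

Where the decoded data is block-aligned and has no repeats, as here, only the sender's code or an accompanying IV/nonce field can settle CBC versus CTR: the bytes themselves are indistinguishable from random under either mode.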

Score: 2
shockedeel avatar
FHE Relinearization
gu flag

I don't understand why relinearization is so significant. I understand the equations in the paper (in this post I'll be using notation from BV, but I assume it applies to BGV+BFV), but if anything it seems like it would be less efficient. We go from: $$h_0+\sum_ih_ix_i+\sum_{i,j}h_{i,j}x_ix_j$$ to utilizing t and getting: $$h_0+\sum_ih_i(b_i-\langle a_i,t\rangle) + \sum_{i,j}h_{i,j}(b_{i,j}-\langle a_{i, ...

Score: 3
Dor avatar
Fast and secure pseudo random generator with Linux tools
za flag

The conventional and simple wisdom is to combine head with /dev/urandom to create the amount of pseudo-random data that is needed. But that is slow.

I found a faster method: the cryptsetup FAQ suggests using its mechanism.
See 2.19 at:
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions

But the issue with this method is that root privileges are required for the mapping by cryptsetup ...

Score: 3
Abced Decba avatar
Definition of soundness for interactive proof systems
gq flag

I am reading the Wikipedia page for Interactive proof systems and am having trouble understanding the notation in the definition of soundness, much of which is left unspecified.

Given a formal language of strings $L$, a verifier $\mathcal{V}$ for this language satisfies the soundness property if for every prover $(\tilde{\mathcal{P}})$ and every $y \notin \mathcal{L}$,

$$ \operatorname{Pr}[(\bot,(\t ...

Score: 3
riccardo avatar
zerocoin ZKSoK Pedersen commitment process
bq flag

I am studying the zerocoin paper‡. More precisely I am stuck at page 6, on the Spend function (in paragraph "B. Our construction"). I am not understanding how the ZKSoK is computed. Let's consider the Pedersen commitment as $$C\gets g^Sh^r\bmod p$$

I've found a lot of examples online but they all refer to a case where the "secret" is $\omega$: $x=g^\omega$, and $x$ is public. I understand the steps in  ...

Score: 3
Tarick Welling avatar
Why was A doubled in size
nl flag

Why was the dimension of A doubled in kyber?

LWE encryption uses a public matrix A of dimension K but Kyber uses a double matrix A resulting in $A ^{ k * k * n }$

When deriving the results of the definition of gen, enc and dec this results in:

$$ RA_0 S + RA_1 S + RE + E_3 + \frac{q}{2}m - RA_0 S + RA_1 S + ES $$

Which reduces into: $$ RE + E_3 + \frac{q}{2}m - ES $$

Which is equivalent to the

Score: 0
Jeffrey avatar
Security assumption: Where is an assumption from (who provides and formalizes it)?
bo flag

Is there a list of all the (most) assumptions (such as RSA and DDH assumptions) used in cryptography and the corresponding properties?

Score: 2
siba36 avatar
What are the RCons for mini-AES if you want to encrypt more than 2 rounds?
us flag

I'm implementing impossible differential cryptanalysis on mini-AES using Raphael Phan's paper.

I've coded mini-AES using Raphael Phan's first paper on the structure of mini-AES, where he only mentions 2-round mini-AES.

But in the impossible differential paper we're attacking 5-round mini-AES so I need to extend the key generation algorithm and to do this I need $5\;rcon$ but the paper only mention ...

Score: 0
alpominth avatar
Hashing a seed full of entropy with a cryptographic hash function and emitting a key with the same size as the input: can a collision attack occur?
il flag

I read this in the documentation of HighwayHash:

By contrast, 'strong' hashes such as SipHash or HighwayHash require infeasible attacker effort to find a hash collision (an expected 2^32 guesses of m per the birthday paradox) or recover the seed (2^63 requests). These security claims assume the seed is secret. It is reasonable to suppose s is initially unknown to attackers, e.g. generated on start ...

Score: 1
Champ885 avatar
What does it mean when they say IKEv1 does not support asymmetric authentication?
hn flag

I read somewhere that IKEv1 does not support asymmetric authentication. Does that mean that it does not support PKI authentication (digital certs)?

Thanks Champ

Score: 3
Craig Feinstein avatar
One way function candidate based on the Collatz function
ru flag

I am relatively new to cryptography and am curious what cryptographers would say about what I think is a beautiful one-way hash function described in a paper I found here https://arxiv.org/abs/1801.05079

To summarize the hash function, the Collatz function $f: \mathbb N \rightarrow \mathbb N$, is defined as $f(n)=(3n+1)/2$ when $n$ is odd and $f(n)=n/2$ when $n$ is even.

Let $n$ be composed of 512 bits.  ...

Score: 1
ShAr avatar
What is the difference between those two KZG Polynomial Commitment Schemes?
cn flag

In short, what are the differences (pros & cons) between multiplying by powers of Tau (from this lecture: https://youtu.be/tAdLHQVWlUY)

and raising to powers of Tau (from this lecture: https://youtu.be/xuGQYEvytxk)

I know pairing is used by the verifier in both, and that they deferred the pairing details to the next lecture to get a better understanding of the idea first, but I don't understand wh ...

Score: 1
securityauditor avatar
How does the plausible deniability used by TrueCrypt work mathematically?
sa flag

I have been unable to find any mathematical explanations on how TrueCrypt's plausible deniability encryption works, when using TC containers.

Would someone be able to provide a mathematical walkthrough of how it works?

Other encryption systems implementing things in a similar way is outside the scope of my question. Also, whilst I have some experience in the theoretical side of cryptography, the sim ...

Score: 1
DivideByZero avatar
Hash Flooding a Randomized Modular Hash Table
ar flag

Assume we have a hash table using the function h(x) = x mod 32. h(x) = x mod 33. Also assume it dynamically resizes by doubling the amount of buckets and rehashing. If I were able to provide inputs for the hash table it would be really easy to flood it with colliding entries to slow lookups to O(n).

However, say we were to xor each input with a random pepper before hashing. If the input is ever longer t ...
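An added example, not part of the question above. It demonstrates the flooding attack against the power-of-two table sizes the question describes (32 buckets, doubling on resize) and shows why XORing the input with a secret pepper does not help there: reduction modulo $2^k$ keeps only the low $k$ bits, and XOR acts bitwise, so inputs that agree in their low bits still agree after the XOR, whatever the pepper is. For contrast it also buckets the same inputs through a keyed PRF (BLAKE2b in keyed mode), which is the standard fix. The pepper and key are constructed for the demo.

```python
import hashlib
import os


def xor_pepper_bucket(x: int, nbuckets: int, pepper: int) -> int:
    """The question's scheme: XOR the input with a secret pepper, then reduce
    modulo the table size (a power of two, since the table doubles on resize)."""
    return (x ^ pepper) % nbuckets


def keyed_bucket(x: int, nbuckets: int, key: bytes) -> int:
    """A keyed PRF (BLAKE2b in keyed mode) before the reduction: without the key
    the attacker cannot predict which inputs share a bucket."""
    digest = hashlib.blake2b(x.to_bytes(8, "big"), digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big") % nbuckets


def flooding_inputs(count: int, max_buckets: int) -> list:
    """Attacker-chosen inputs that collide at every power-of-two table size up to
    max_buckets: multiples of max_buckets have zero low bits, and XOR with any
    pepper maps them all to the pepper's low bits, because
    (x ^ pepper) mod 2**k == (x mod 2**k) ^ (pepper mod 2**k)."""
    return [i * max_buckets for i in range(count)]


def distinct_buckets(inputs, nbuckets: int, bucket_fn) -> int:
    return len({bucket_fn(x, nbuckets) for x in inputs})


def flood_demo(pepper: int, key: bytes):
    """Per table size, how many buckets 1000 attacker inputs occupy under the
    XOR-pepper scheme and under the keyed hash."""
    max_buckets = 32 << 15                        # table after 15 doublings: 2**20 buckets
    inputs = flooding_inputs(1000, max_buckets)
    sizes = [32 << i for i in range(16)]          # 32, 64, ..., 2**20
    peppered = {n: distinct_buckets(inputs, n, lambda x, n: xor_pepper_bucket(x, n, pepper))
                for n in sizes}
    keyed = {n: distinct_buckets(inputs, n, lambda x, n: keyed_bucket(x, n, key))
             for n in sizes}
    return peppered, keyed


if __name__ == "__main__":
    pepper = int.from_bytes(os.urandom(8), "big")   # secret pepper, unknown to the attacker
    key = os.urandom(32)                            # secret PRF key, unknown to the attacker
    peppered, keyed = flood_demo(pepper, key)
    for n in peppered:
        print(f"{n:8d} buckets: xor-pepper -> {peppered[n]:4d} occupied, keyed hash -> {keyed[n]:4d} occupied")
```

The attacker needs no knowledge of the pepper and no more than a bound on how far the table will grow; the 1000 inputs above land in a single bucket at every size up to $2^{20}$. For a modulus that is not a power of two the XOR no longer commutes with the reduction, but a keyed hash is still the only option that makes collisions unpredictable rather than merely harder to write down.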

Score: 0
baro77 avatar
assumption needed to work in Generic Group Model
gd flag

KZG poly-commitment & QAP linear PCP can be proved sound under the Knowledge of Exponent assumption or the Generic Group Model (I take it for granted from lectures 6 and 9 of the ZK-MOOC https://zk-learning.org/), and it seems to me GGM is the preferred one because it permits fewer trusted setup parameters.

If I have understood correctly, GGM core is about considering opaque the group elements encoding/labelling, r ...

Score: 5
Isopod avatar
Cryptographically obfuscating IP addresses while preserving locality
fm flag

In an online community, you sometimes have to ban certain IP addresses or even entire IP ranges due to abuse. You may hire moderators to help you with this, but you might not trust them enough to show them everybody’s plain IP address.

The question is: Is there a scheme to encrypt or hash IP addresses in a way that preserves prefixes, i.e. such that you can still do range bans, but cannot easily reco ...
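An added example, not part of the question above. It implements a prefix-preserving pseudonymization of the kind the question asks for, in the style of Crypto-PAn (Xu et al.): output bit $i$ is input bit $i$ XOR a PRF of the key and input bits $0..i-1$. Because the flip for each position depends only on the preceding bits, two addresses agreeing on their first $k$ bits produce pseudonyms agreeing on exactly their first $k$ bits, so range bans carry over to pseudonyms while the key holder can still reverse the mapping. HMAC-SHA256 stands in for the PRF here; the real Crypto-PAn uses AES with its own padding, so this is an illustration, not an implementation of that tool. The key and addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress


def _flip_bit(key: bytes, version: int, prefix: str) -> int:
    """Pseudorandom bit that depends only on the secret key and the bits already
    processed (the prefix), never on the bit being hidden or anything after it."""
    msg = f"v{version}:{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def _bits(ip) -> str:
    return format(int(ip), f"0{ip.max_prefixlen}b")


def _to_addr(value: int, version: int) -> str:
    return str(ipaddress.IPv4Address(value) if version == 4 else ipaddress.IPv6Address(value))


def pseudonymize(addr: str, key: bytes) -> str:
    """Output bit i = input bit i XOR PRF(key, input bits 0..i-1). Two inputs that
    agree on their first k bits get the same k flips, so their outputs agree on
    exactly the same prefix length; range bans on pseudonyms therefore still work."""
    ip = ipaddress.ip_address(addr)
    bits = _bits(ip)
    out = "".join(str(int(b) ^ _flip_bit(key, ip.version, bits[:i])) for i, b in enumerate(bits))
    return _to_addr(int(out, 2), ip.version)


def depseudonymize(pseudo: str, key: bytes) -> str:
    """Only the key holder can do this: each flip is recomputed from the plaintext
    prefix recovered so far, left to right."""
    ip = ipaddress.ip_address(pseudo)
    plain = ""
    for b in _bits(ip):
        plain += str(int(b) ^ _flip_bit(key, ip.version, plain))
    return _to_addr(int(plain, 2), ip.version)


def pseudonymize_network(cidr: str, key: bytes):
    """A CIDR range maps to a CIDR range of the same prefix length; ban that on the pseudonym side."""
    net = ipaddress.ip_network(cidr)
    return ipaddress.ip_network(f"{pseudonymize(str(net.network_address), key)}/{net.prefixlen}", strict=False)


def in_pseudonymized_range(addr: str, cidr: str, key: bytes) -> bool:
    """The moderator-side check: does this user's pseudonym fall in the banned pseudonymized range?"""
    return ipaddress.ip_address(pseudonymize(addr, key)) in pseudonymize_network(cidr, key)


def shared_prefix_len(a: str, b: str) -> int:
    ba, bb = _bits(ipaddress.ip_address(a)), _bits(ipaddress.ip_address(b))
    n = 0
    while n < len(ba) and ba[n] == bb[n]:
        n += 1
    return n


if __name__ == "__main__":
    key = b"constructed demo key; use 32 random bytes in production"
    for addr in ("192.0.2.10", "192.0.2.200", "198.51.100.7", "2001:db8::1"):   # constructed addresses
        p = pseudonymize(addr, key)
        print(f"{addr:>16} -> {p:>40}  round-trip ok: {depseudonymize(p, key) == addr}")
    print("192.0.2.0/24 ->", pseudonymize_network("192.0.2.0/24", key))
```

The caveat a practitioner wants: prefix preservation is itself a leak. Moderators learn which pseudonyms sit in the same ranges, and anyone who learns the true address behind one pseudonym learns the flips for every prefix of it, which deanonymises the neighbourhood of that address (the known attacks on Crypto-PAn work this way). Rotate the key and keep it off the moderation host if that matters.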

Score: 0
MacGyver avatar
Checking encoded strings for a hash collision in Python
in flag

There is a common term used in cryptography called a hash collision. If I am reading the definition correctly on Wikipedia, this can occur if two different data values give rise to the same hash value.

Duplicate hash, different input:

text1 encoded = hash1 
text2 encoded = hash1

The first code block is a binary value with a hash obtained from the digest() function, which I found on a website. The sect ...

Score: 3
Rory avatar
CRYSTALS-Dilithium - How do the supporting algorithms work?
mp flag

I am studying the Dilithium signature from Ducas et al.'s CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme.


Wanting to understand how the supporting algorithms work together, I am trying to work out and visualize an example by hand. If I understand correctly we have the HighBits and LowBits algorithms calling the Decompose algorithm. For instance, how the $HighBits$ algorithm is called ...

Score: 0
user108451 avatar
RSA decryption given C (Cipher Text), e, and d
mx flag

I am given C, e, and d to decode an RSA ciphertext (or would it be SRA given this information?), and I am thoroughly confused. I have tried working backward to n by reversing modulo operators and then brute forcing scalars, but nothing is working, is this even possible? Many thanks in advance.

Score: 2
Marco avatar
Hardness of LWE with Uniform Secrets and Error Distributions
sd flag

I have seen various papers discussing the security of the Learning with Errors problem with very small uniform secrets and errors but I have not found any papers on the general LWE problem with uniform secrets and errors within (-b,b) range where b < the LWE modulus q but not so small as to be binary or ternary. Is there a costing for the LWE problem for bounded secrets and errors when they are chos ...

Score: 1
nuhhtyy avatar
Recovering the curve-point R from a signature ECDSA
er flag

When recovering the public key from ECDSA signature (r, s), the first step is recovering the point R.

You do this by plugging in (r + xn) into the curve equation where n is the order of the basepoint and x is some integer

My question is: how do you find this x value, say for secp256k1 but also in the general case?

I have a vague notion that this may be related to the cofactor of the curve (usually working w ...
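An added example, not part of the question above: pure-Python ECDSA over secp256k1 that signs, enumerates every candidate R for a given r, and recovers the public keys from them. The integer the question calls x is the loop index j in 0..h below: since r is R.x reduced mod n, R.x must be one of r, r + n, ..., r + h·n, and any of those that are not below p are discarded. On secp256k1 the cofactor h is 1 and p − n is roughly 2^129, so r + n is a field element only for r < p − n, which in practice never happens, but the loop handles it. The private key, nonce and message are constructed for the demo (a fixed nonce is for illustration only; real signing uses RFC 6979 or a CSPRNG).

```python
import hashlib

# secp256k1 domain parameters (SEC 2): field prime, group order, cofactor, base point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
H = 1
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:            # p2 == -p1
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k: int, pt):
    """Double-and-add; fine for a demo, not constant-time."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv: int, z: int, k: int):
    """Textbook ECDSA with a caller-supplied nonce k."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s


def verify(pub, z: int, r: int, s: int) -> bool:
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return X is not None and X[0] % N == r


def candidate_r_points(r: int):
    """Every point R with R.x mod n == r: x = r + j*n for j in 0..h, skipping x >= p,
    and for each surviving x both square roots of x^3 + 7."""
    pts = []
    for j in range(H + 1):
        x = r + j * N
        if x >= P:
            break
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)     # modular sqrt, valid because P % 4 == 3
        if y * y % P != rhs:
            continue                       # rhs is a non-residue: no point has this x
        pts.extend([(x, y), (x, P - y)])
    return pts


def recover_pubkeys(z: int, r: int, s: int):
    """SEC 1 section 4.1.6: Q = r^-1 (s*R - z*G) for each candidate R. Every result
    verifies the signature; a recovery id (j plus the parity of R.y), as Bitcoin and
    Ethereum transmit, picks out the one the signer actually used."""
    r_inv = pow(r, -1, N)
    neg_zG = ec_mul((-z) % N, G)
    return [ec_mul(r_inv, ec_add(ec_mul(s, R), neg_zG)) for R in candidate_r_points(r)]


if __name__ == "__main__":
    priv = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # constructed
    k = 0x0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE    # constructed, demo only
    pub = ec_mul(priv, G)
    z = hash_to_int(b"constructed message")
    r, s = sign(priv, z, k)
    for Q in recover_pubkeys(z, r, s):
        print(hex(Q[0])[:18] + "...", "matches signer" if Q == pub else "other valid candidate")
```

For a curve with cofactor h > 1 the same loop runs j up to h, and the general rule is unchanged: every x in {r, r + n, ..., r + h·n} that is below p and whose x^3 + ax + b is a quadratic residue gives two candidate points, and each candidate yields a public key that verifies, which is why recovery without a recovery id is ambiguous rather than impossible.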

Score: 1
rerouille avatar
Issue with understanding Side Channel Attacks
dk flag

I am currently working on Side Channel Attacks (SCA) on Kyber and Dilithium. I have found myself quite confused with side channels, because so much is mentioned all the time.

For instance, I don't understand when to use distinguishers, when to use tools like the t-test, when you need to work with key guesses, etc... In the articles I am reading, they sometimes describe the attacks, which I unders ...
