Latest Crypto related questions

Given that CBC mode encryption is vulnerable to padding oracle attacks, what is the next best alternative ?

a) Include a hash check in the API scheme, validate the hash and then proceed with CBC. If hash check fails then return error indicating same. Eg: Include HMACSHA256(AES256(plaintext)) checksum that is required to be validated as part of message.

b) Implement a custom CBC mode that include a hma ...

The goal is for Alice to send an encrypted message to Bob. Neither Bob nor anyone else should be able to decode the message. Alice should be be able to decode it, when all data is shown to her. However, Alice cannot store anything related to the message.

Private keys:

• X1 - random bits
• X2 - random bits
• M - large prime number

Transmitted Key:

• A - random large prime number

To send a message:

According to wikipedia:

https://en.wikipedia.org/wiki/Rijndael_S-box

AES is doing interesting thing (where $<<<$ is circular shift):

$s = b \oplus (b \lll 1) \oplus (b \lll 2) \oplus (b \lll 3) \oplus (b \lll 4)$

and this is equal to ($\times$ is multiplication in $GF(2^8)$):

$s = b \times 31 \mod 257$

This provides a great bit of mixing to my eye. Let's say I have 128 bit $x$ and $y$ and  ...

I'm trying to understand that scheme:

https://xilinx.github.io/Vitis_Libraries/security/2019.2/guide_L1/internals/gcm.html

Here on page 11 it looks like GHASH gives only one value "Return $Y_m$":

https://web.cs.ucdavis.edu/~rogaway/ocb/gcm.pdf

After hashing several subsequent blocks. It make no sense to me. If I understand it well every GF128_mult(H) is one block of our output, right? So the stream i ...

How can you measure how secure or private the new variables are relative to the real (actual) variables.

I want to compare homomorphic encryption and differential privacy in combination with machine learning models. Maybe using a measures like Kullback-leibler, but I will need the distribution of the encrypted variables.

I'm using the tenseal python package and random forest.

I'm a bit confused on how to validate the authentication tag between two different AES GCM implementations.

One implementation (on my part) is in Java. The other, I don't know.

In my implementation, the plaintext is encrypted with the doFinal function. I prepend the initialization vector to the result.

I understand that the authentication tag is added to the end of the encrypted message, and when de ...

I read here:

https://www.researchgate.net/publication/220335697_GCM_GHASH_and_Weak_Keys

how GHASH works. So we have $m$ 128-bit blocks $X_{i}$ and we compute in $GF(2^{128})$:

$Y_{m} = \sum_{i=1}^{m} X_{i} \times H^{m-i+1}$

$H$ is a key. Am I see right there that $H$ is raised to the power? Is there method to do it fast in $GF(2^{128})$ or it is just standard exponentiation modulo with fast exponentiat ...

So I was casually practicing RSA on paper for an exam, I did the whole process I wrote bellow, and when I tried the encryption and decryption I got distracted and instead of doing $m^e \mod n$

I did $m^e \mod {\phi(n)}$ and both the decryption and encryption worked. Is this normal?

Here are the numbers: $$ p = 11\\ q = 23\\ n = (p\cdot q) = (7 \cdot 23) = 253\\ \phi(n) = (p-1) \cdot (q-1) = 220\\ e ...