Latest Crypto related questions

Is PRF Xored (or multiplied) with a random number still a secure PRF?

I know that a PRF XORed with its key is not a secure PRF. Then I wonder what happens if the XORed (or multiplied) item is another random number. The formal expression is as below:

Let $F_k(x):\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n$ be a PRF.

"$<<$" operation indicates left rotation, "$\cdot$" operation indicates the binary multiplication modulo $2^n$ where an $n$-bit string is inter ...

Is there a winning strategy based on this coin-flipping protocol?

Given the coin flipping protocol:

  • A chooses $a \in_R \{0,1\}$ and computes $commit(a,r)$. She sends $commit(a,r)$ to B.
  • B chooses $b \in_R \{0,1\}$ and sends $b$ to A.
  • A sends $open(a,r)$ and B checks if the opening is valid.
  • Both output $coin = a \oplus b$

where $commit$ is the commitment scheme used by Alice.

I am trying to understand how it is possible that one of the sides has a winning str ...

Classical vs Quantum-Safe Algorithms and Protocols / Application Approach

Various proposals are being explored for X509 V3 certificates in a Post Quantum Cryptography (PQC) world.

Currently, these include just having a certificate for classical and PQ, having a hybrid certificate for classical and PQ using X509 extensions or composite certificates that concatenate as many signatures into one blob as needed. If I understand correctly, the first two approaches are an or  ...

Is this AES GCM + asymmetric schema secure?

I want to use the asymmetric encryption offered by a tool to encrypt my files and I would like to know if the following encryption process works, regardless of perhaps not optimal use.

  • Generate a 32-byte random key inside the browser with window.crypto.getRandomValues

  • use sjcl crypto library for:

    • choosing AES algorithm cipher.aes
    • generating 4 words random IV vector random.randomWords(4, 0)
    • encrypting ...
Proving strategies for computational properties

As far as I understand, a property is computational if it holds in a computationally-bounded context, so for ANY computationally-bounded involved entity (even if an unbounded one could discover the property is actually missing): e.g. any computationally-bounded distinguisher evaluating two transcripts to check CZK, or computationally-bounded provers of an argument.

I guess that explicitly capturi ...

Randomness and authentication on short value outputs (48 bits)

I want to implement a client that generates random 48-bit values and sends them as broadcast messages. We assume also there is a legitimate receiver getting those values (so, there is some sort of pre-authentication that has already happened but it is not of importance here. We can also assume the client/receiver share a common key $K$). Since these are broadcast messages it means also that anyone  ...

Encrypting RSA with a 2 part key

I'm writing an audio program in C++ with the JUCE framework and I'm able to successfully encrypt and decrypt. JUCE has a function CreateKeypair: https://docs.juce.com/master/classRSAKey.html in the docs there is suggested code on how to encrypt in PHP or Java but untested. The createpair spits out a private and public key but the keys are split into 2 hex parts to be used with BigIntegers. Now I'm try ...

Wrapping "stronger" keys with "weaker" ones?

I am looking at wrapping AES keys with RSA. In NIST SP 800-57 Part 1 Recommendation for Key Management, pg 55 it is estimated that the RSA security-strength equivalent of symmetric AES-256 key would be a RSA key with 15360 bits modulus. This RSA key size looks impractical, and mostly not even available due to technical reasons.

Is there a practical and proven mechanism for wrapping "stronger" sym ...

Nonces in chacha20poly1305 vs chacha20

I'm currently working on replacing the chacha20 encryption in my app with chacha20poly1305, but I'm running into a few questions that I can't seem to find clear answers to, mainly stemming from the Rust chacha20poly1305 crate:

  • Why does the chacha20poly1305 crate require a nonce for every message, but chacha20 only requires a single nonce when initializing the cipher? Why does this not seem to be the c ...
ECDSA private key recovery

I have a bunch of signatures (1000) signed with ECDSA secp256k1 curve. I can verify all of them with the same public key.

I have studied attacks that are performed against ECDSA signatures using known MSB or LSB of the nonce.

Is private key recovery possible if nonce $k$ value is of unknown length? None of the signatures have the same $k$ value.

Without private key knowledge can I alter valid signatures t ...

A CERTIFIED DIGITAL SIGNATURE paper pg 20 - 25

Reference paper: "A CERTIFIED DIGITAL SIGNATURE"

Pg 20 part 1

  1. With reference to the image above which is from Page 20 of the attached paper. What is this new protocol that the paper speaks of here? What does "transmitting Yi to B just before signing a message" mean? How does it differ from the default case? How could anyone claim to be A? What does an "authorized signature" mean?

  2. With reference to the attached pap ...

Doing OTP two or more times with a biased TRNG: Will this have the same security as if it was done with a non-biased TRNG?

Let's suppose I want to do One-Time-Pad but I only have a biased true random number generator (TRNG).

I XOR the ciphertext block with another block of random data obtained from the TRNG, and repeat the process two or more times with different random blocks.

Will this scheme make the One-Time-Pad more secure? Will this provide the same security as if it was done with a non-biased TRNG?

Bounded honest-verifier simulator and unbounded prover

I have an honest-verifier zero knowledge simulator $M$. The conversation between prover and verifier has the usual $(a, b, z)$ form. How can the bounded model $M$ generate $a$ and $z$ if the prover is probably unbounded? I know that I have to use the fact that the verifier is honest, but I just cannot figure out how.

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.