Latest Crypto related questions

Score: 1
Zpeed78
Composition of ciphertexts in post quantum schemes Kyber and Frodo

I took a look at the Kyber and Frodo procedures and found that the ciphertext consists of two components. In Kyber these are the lines 5-7 in algorithm 2 $c := (\mathbf{u},v)$ and in Frodo line 8 of algorithm 10 $c \leftarrow (C_1,C_2)$.

One part of the ciphertext pair contains the message to be encrypted, that is $v$ in Kyber and $C_2$ in Frodo. My question is, therefore, why do you need the other c ...

Score: 0
k13n
Interpolation of Shamir secret in the Exponent

I'm trying to interpolate a Shamir secret in the exponent based on Boneh's and Shoup's book, Section 22.1 and Corollary 22.2. I think I understand how the scheme works, but I'm stuck now with some computations in a toy example that I've come up with. I'm a beginner so likely this is a beginner's mistake, any help would be appreciated! (The notation in here is based on Boneh's and Shoup's).

Setup. ...

Score: 0
J. Doe
Given a safe elliptic curve with generator $g_1$. Is there a function $f:(g_1^a,g_1,a)\leftrightarrow g_2$? For random $g_3,g_4$ -> $a$ unknown

In use-case we have a (random) generator $g_1$ and perform operations $g_1^{a}$ for known $a$ inside a safe elliptic curve modulo $p$.

Is there any function $f$ which gives us a new (most likely different) generator $g_2$ out of $g_1$ and $a$: $$f(g_1,a) = g_2$$ and the inverse given a generator $g_2$ (which can also be random) deliver us a generator $g_*$ and an exponent $a_*$: $$f^{-1}(g_2) = (g_*,a_*)$ ...

Score: -7
Hcomber
In the context of a blockchain-based digital currency, I have some questions regarding the functionality and operations of a particular system
  • Could you clarify where the stack object is typically generated? Is it created on the sender's device or the recipient's device?

  • If I send funds to a multipay stack that was created on another device currently offline, what would happen? Would the payments defined by the stack be delayed until the offline device is back online?

Additionally, I came across a discussion about the mechanics of this cu ...

Score: 1
fgrieu
In DSA, can we tell if signatures are for the same key pair?

We are given some distinct DSA signatures $(r_i,s_i)$ and the distinct hashes $H_i$ of the corresponding messages. The signatures and messages are non-maliciously made per the same known group parameters $(p,q,g)$ (say the 2048-bit MODP group with 256-bit prime order subgroup of RFC 5114), using either one of two distinct non-maliciously drawn public/private key pairs. We do not know these public keys, m ...

Score: 2
liavz123
On the security of OAEP

I saw theorems stating that RSA-OAEP (or the similar variant OAEP+) is CCA-secure in the random oracle model.

I wonder about the following:

  • Is RSA-OAEP (or even OAEP+) CPA-secure in the plain model? If so, what properties do the hash functions need to have?
  • Are there any lower bounds for the padding length compared to the plaintext? I remember hearing that one needs to have at least $\Theta(n)$ ...

Score: 2
jiegec
Can we recover public key from DSA signatures as we can from ECDSA?

I learned the Public Key Recovery algorithm for ECDSA, and wonder if we can use it in DSA. The answer seems to be no, but details are welcome.

Score: 0
DANG Fan
Understanding the Communication Protocol of Apple HomeKey

I am currently analyzing the communication protocol of HomeKey. Here are two traces between the lock (reader) and the device (card).

First set:

r2c > 80 80 01 01 6B 5C 02 02 00 87 41 04 34 BC DE 44 04 90 01 8D 24 02 18 2B 80 46 2A D6 25 7D 52 03 64 10 5D 9C 66 5D 20 9A 51 BC 18 DF 23 4A A2 C2 2B 01 2F EC FF 3C 96 D7 82 88 A6 78 75 C2 43 B5 AD B0 00 86 2A 11 9B B6 A3 22 15 8E 4C 10 D9 5F F1 AD F9 5E ...

Score: 2
Tom
Multiplication implemented in C++ with constant time

I'm considering some non-cryptographic PRNG which uses multiplication of two 64-bit or 128-bit random numbers at some point.

// Operands were left uninitialised in the original question; constructed sample values here.
// __uint128_t is a GCC/Clang extension, so no header is needed for it.
__uint128_t a = ((__uint128_t)0x0123456789ABCDEFULL << 64) | 0xFEDCBA9876543210ULL;
__uint128_t b = 0x1000000000000003ULL;

__uint128_t result;

int main() {
    result = a * b;   // low 128 bits of the 256-bit product (wraps modulo 2^128)
    return 0;
}

Is this constant time? I don't think so, especially since it takes less time to multiply two small numbers than when they are large numbers. Is there any way to implement this in constant time?

Here someone wrote t ...

Score: 0
Matan Shtepel
A cryptographic proof system which uses rewinding to argue soundness but is not a proof of knowledge?

Are there any cryptographic proof systems that rewind the prover to argue soundness but are not proofs of knowledge? In particular, I would be very curious to see examples of proof systems where rewinding is useful for arguing soundness but does not seem to suffice for witness extraction.

To give some nonexamples, Schnorr's discrete log proof of knowledge rewinds the prover to extract the discrete ...

Score: 0
Elliot
Derive a new key from Trusted Third Party (e.g. Kerberos) session key

Kerberos (and I assume other Trusted Third Party protocols) use (hash) an existing shared secret key to create a session key used for authentication. I read that this authentication secret key can then be used to create another secret key to be used as the session key for message encryption.

"If a message integrity or confidentiality key is required, a Kerberos sub-key or a Kerberos session key  ...

Score: 0
xingxing hao
Is it safe to sign a short token with salted md5

I want to generate some tokens for client as http cookie

Can I md5 them with salt and then use "<random token>"+"<md5>" as the token, so they can be verified in a cheap way?

is it safe?

Score: 1
S-N
How is CTR mode encrypted?

I referred to the explanation of encryption mode from Wikipedia, but I'm confused now, and I went to find some books about Cryptography, but it didn't solve my confusion.

The CTR mode uses Counter to participate in encryption.

But in Wikipedia, the encryption process is as follows:

It can be seen that both Nonce and Counter are encrypted by the block cipher encryption, so how are Nonce and Counter c ...

Score: 1
fandreas
Finding solutions to a modular equation within specified intervals

What are some approaches to find (ideally many/all) pairs of numbers $(x, y)$ with $ x \in [x_{\text{low}}, x_{\text{high}}]$ and $ y \in [y_{\text{low}}, y_{\text{high}}]$ such that the following holds:

$$a \cdot x \equiv y \pmod{m}$$

  • Exhaustive search is not feasible since the intervals are each greater than $10^{30}$.
  • $m$ is not necessarily prime.

Edit: added a numerical example:

m=10000000000 ...

Score: 0
Jordan
Bandwidth-Efficient Non-Repudiation

I'm working on a project that involves broadcast (uni-directional) streaming and requires non-repudiation. Essentially, a device broadcasts a data stream over the air, and any receiving station needs to be confident that the data was actually transmitted by the claimed device.

My initial thought is that the broadcaster has an X.509 certificate and, every N bytes in the stream, transmits a header w ...

Score: 3
Zpeed78
LWE and distributions

In LWE, the error term $e$ is "classically" obtained from the discrete normal distribution. Why is it so often found that this distribution is used? Are there other possibilities for distributions?

The secret $s$ is often uniformly distributed, this makes sense, if one wants to "hide" just the secret in the (uniformly distributed) matrix $A$. But would LWE remain safe if $s$ did not result from a unifo ...

Score: 0
tzippy
Create PKCS12 file from EC Private and Public key pair

I have a file with an EC Public Private Key Pair and curve parameters:

openssl ec -in keyfile.pem -noout -text
read EC key
Private-Key: (256 bit)
priv:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
pub:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:cc:aa:
    aa:bb:cc:aa:bb:ccaa:bb:ccaa:bb:ccaa:bb:c ...

Score: 3
Ankeet Saha
How to check if a number is a generator of a cyclic multiplicative group

Suppose I have a 2048-bit prime number $p$. Now for the group $Z_p$, could someone please tell me an efficient algorithm to check whether a randomly chosen number is a generator for the group or not?

Score: 1
m123
Independence of the inputs in multi-party computations

My Main Question:

Do we always need to be sure that the inputs of the parties in a secure multi-party computation are independent, i.e., that one party's inputs do not depend on the other parties' inputs? (This paper claims that the inputs must be independent.)


Explanation and subquestions:

If this is the case, isn't it in contrast with the power of malicious adversaries who can select their ...

Score: 0
Alan Whitteaker
Is private key generation without prior communication possible in naive RSA?

From what I have understood of naive RSA (without padding) so far, it seems that A and B must first decide on the prime factors in order for B to generate its private key to decrypt A's message. I do understand that the RSA system helps in the establishment of a secure "channel", rather than having to rely on creating a new secure channel every time between A and B, but isn't this a circular argument?

Score: 4
JP.
Zero-knowledge card shuffle

I'm trying to design a zero-knowledge protocol for the creation of a shuffled deck of cards for use by two players. Naturally this requires that neither player knows the order of the cards after the shuffle, nor what card was drawn by the other during play, but I'd also like to be able to do this without needing a trusted third party as well.

My best efforts so far only require a trusted third pa ...

Score: 0
Adam54
Deriving a signature without the signer

Say we have an element $g=H(m)$ in a group (this element may or may not be a generator of the group).

Are there signature schemes that enable to sign this element, and then to be able to derive a signature of $g^a$ for a chosen $a$ without the presence of the signer?

Thank you for your help.

Score: 0
macknight
The relationship between polynomial degree and HE performance

Any paper mentioning that the performance decreases with N? Why, when N is increasing, does the performance decrease? Any papers?

BR

Score: 0
LePetit
Regarding: Pseudorandomness, Pseudorandomgenerators and Padding

Hey there guys and gals,

so I am right now studying topics regarding pseudorandomness.

  1. I was wondering why, for example with CBC-MAC or a regular CBC block cipher, we use padding instead of a PRG. If the block size is not a whole multiple of the clear text m, we could just use a PRG with the seed as the last block of m? Or would that be "deterministic" since the seed is not selected truly random? ...

Score: 0
Josh666
How to transform a point (x,y) from y^2=x^3+7 to y^2=x^3+2 using sextic operations

Point on curve y^2=x^3+2 (to be found/result): Q2 = E2(68702062392910446859944685018576437177285905222869560568664822150761686878291, 78930926874118321017229422673239275133078679240453338682049329315217408793256)

Known parameters are:

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

E2 = EllipticCurve(GF(p), [0,2])

Point on curve y^2=x^3+7 (to be transformed): (538610160 ...

Score: 0
Weierstrass99
PRFs with long outputs and short keys

Assume I have a PRF $F$, with polynomial key length $s_{F}(n)\geq n$, and output length $l(n)$.

I need to construct a PRF $F'$, with key length $s_{F'}(n)=n$ and output length $l(n)$.

I thought about the following construction: $$F'(k,x)=F_{F(k',0)F(k',1)...F(k',m)}(x)$$ where $|k'| \leq |k|$ is an output of $s$ for some $n$, such that it will be possible key for $F'$, even if means discarding of some  ...

Score: 0
constantine
Does randomization make a big difference in the output of the BKZ algorithm?

We all know that the block Korkine-Zolotarev (BKZ) algorithm is essentially a deterministic lattice reduction algorithm. However, in the actual implementation, the BKZ algorithm contains some randomization. For example, the actual algorithm will do some random unimodular transformations on the lattice basis in order to obtain a better reduced basis. I wonder if this subtle change will make a big diff ...

Score: 1
Mohit Mittal
Can someone give a comprehensive guide on how to run NIST SP 800 90B entropy assessment c code in windows?

I am trying to run the github code in windows 11. I don't know what all I need to install in my laptop to run the C++ code. It would be a great help if someone can point out the steps to run the code.

Score: 0
Samuel Amantea-Collins
Hybrid encryption parameters when using elliptic curve keys

I wrote a command line application for encrypting/decrypting files to your local machine. The idea is you have an asymmetric key pair where the private key is stored encrypted and the public key is stored in plain text. This way you can encrypt data without having to "unlock" the application (decrypt your private key), but you must run the unlock command and provide your password to decrypt anything.

Score: 4
Prankster2k
Optimize the speed of a safe prime finder in C

I am trying to implement the Schnorr’s identification protocol in C. I need a safe prime in order to be able to find a generator of the cyclic group efficiently. The problem is that my program takes too much time to find the safe prime. I am using Libsodium for generating random numbers and GMP for arbitrary precision arithmetic:

#include <stdint.h>
#include <stdio.h>
#include <std ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.