Latest crypto-related questions

Score: 0
Collision and pre-image resistances of a hash function based on SPRP

Assume we have a secure block cipher $E$ (strong pseudorandom permutation) and a fixed key $k$ which are publicly known. We construct our hash function $H(m)$ as $$ H(m) = E_k(m_1) \oplus \dots \oplus E_k(m_t) $$ where $m = m_1 \mathbin\Vert m_2\mathbin\Vert\dots \mathbin\Vert m_t$. Here all $m_i$ are $128$-bit blocks.

I know that just using XOR is not a secure hash function due to collisions at zero and ...

Score: 1
Anantashayana Hegde
RSA Algorithm: What are the maximal possible locks that your friend can have so that he/she can secretly share that with you?

I found this question while preparing for exam. The question is

Q) Suppose you and your friends each have a certain number of locks and you all want to share those numbers among yourselves securely using an RSA-based cryptosystem. You are using the private key (5,27) and your friends are using the public key (13,27). One of your friends wants to share the exact number of locks only with you. What are the maxima ...

Score: 0
Cássio Renan
How to prove knowledge of a secret and allow the receiver to deduplicate it?

Consider the following scenario:

We have two agents, A and B.

B needs to prove that they know a secret to A, without sharing the actual secret.

E.g.: A needs a way to de-duplicate the secrets they receive from B, but they don't need to know the actual secrets (and B does not want them to know).

Think of it like sharing a hash of that secret, except it's a very small, low-entropy source (there's abo ...

Score: 3
Is it theoretically possible to delegate public key generation?

Imagine the following scenario:

In a given cryptocurrency, privacy should be as high as possible.
For this purpose, a new account with a new address is created for every incoming transaction (the address is the public key of a private/public key pair). However, users are not always online to generate new accounts with new addresses as soon as someone wants to send them money. Therefore, all users shoul ...

Score: 0
How to Run the Public Key Protocol for a Zero-Knowledge Proof of Identity?

In the paper Zero-Knowledge Proofs of Identity (by Feige, Fiat, and Shamir) a ZK protocol is described that leverages quadratic residues. Section 3 describes an "Efficient Identification Scheme," but (to my understanding) the PK algorithm seems to be broken (in the "does not work" sense, not in terms of "poor security").

The key generation protocol is (steps 1-3 are quoted from the paper, using t ...

Score: 1
Pietro
Tree Parity Machines (neural cryptography) advantages

It seems that neural cryptography is an interesting research topic, and some important contributions have been published in recent years.

The proposed algorithms are suitable for symmetric key generation starting from the common hidden weights, thus representing a possible Diffie-Hellman substitute.

As far as I understood, the main advantages are that Tree Parity Machines are quantum resistant and  ...

Score: 2
Is the discrete log in general hard in Paillier groups?

https://en.wikipedia.org/wiki/Paillier_cryptosystem

Paillier cryptosystem exploits the fact that certain discrete logarithms can be computed easily.

If I were to select $g \in \mathbb{Z}_{n^2}^*$ where $n$ divides the order of $g$, then the discrete log is easy (w.r.t base $g$) if I understand correctly.

But if I were to select any random value $r \in \mathbb{Z}_{n^2}^*$ where $n$ does not divide the  ...

Score: 1
Generic
What kind of assumptions usually go into the design of block ciphers?

What are some standard assumptions made in showing the security of a block cipher?
For example, is it commonly assumed that $P\not=NP$? To this end, are there any block ciphers whose security does not rest on the assumption that $P\not=NP$, and if so what are the assumptions?
Furthermore, do there exist any block ciphers that are provably secure under some set of assumptions?

Score: 72
Hormoz
How easy is it in 2022 to find a SHA1 collision?

Most of the answers I can find date back to the years when the first collision(s) were found, but hardware, mainly GPUs, has progressed a lot in the past few years (with, for example, the new line of 3090s coming).

How easy is it to do so right now?

Score: 1
Proving the range of a blinded value in a Pedersen commitment in zero knowledge

A prover has the following value: $$C = (h^ag^x)^b$$

and he needs to prove in zero knowledge to a verifier that $x < t$, for some public threshold $t$. The verifier knows $h$, $g$, $C$, and $t$. The prover knows everything. Essentially, it is the following relation:

$$\{(a,b,x)\ |\ C = (h^ag^x)^b \wedge x < t\}$$

I know this is possible for a value $s' = h^ag^x$ (using bulletproofs, for examp ...

Score: 1
Rory
Properties of the bilinear pairing groups?

I stumbled across this correctness of a scheme:

$e(g^r, H(id)^x) = e(g^x, H(id))^r = e(g^x, H(id))^r$

and have a hard time following the properties of the bilinear pairing. Does anyone know the "rules" for such pairings or where to read about them?

As far as I have learned I know that:

$e(g^{xy}, g) = e(g,g)^{xy} = e(g^x, g^y)$

but do these properties commute, and how is the correctness scheme ab ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.