Latest Crypto-related questions

Score: 1
Yara avatar
Can I decrypt AES-CBC ciphertext if I have the key without IV?

Can I decrypt ciphertext from AES-CBC encryption, if I have the key and ciphertext only?

Score: 0
Password Authenticated Key Exchange Protocol

This problem appeared in a past exam paper.

In PAKE (password authenticated key exchange) protocols, $A$ and $B$ authenticate each other by knowledge of a shared password that is too weak to allow an attacker to try out repeated guesses to try to find it by knowing how a single message of the protocol was constructed. There is no cryptographic signature or alternative shared secret or trusted third party ...

Score: 3
Devising a Feistel cipher in which the subkeys are constructed badly so that a meet in the middle attack will compromise its security

I'm trying to find a Feistel cipher in which the subkeys are constructed badly so that a meet in the middle attack will compromise its security. I thought about trying out a cipher where all the subkeys are equal but that didn't really lead to anything. I know that in general you want ciphers to not be linear in their subkeys so I'm trying to exploit that property, but haven't made much progress. ...

Score: 1
Order of point on elliptic curve vs order of base field

I'm looking at the FIPS-186 standard. On page 88, it gives a table recommending the size of the base field for the elliptic curve versus the order $n$ of a point on the curve. The numbers don't seem to make sense. For example it says if the bit length of $n$ is between $161$ and $223$, then the bit length of the ambient finite field should be $192$. But if you go off these numbers, there's a good c ...

Score: 1
What's the probability of cracking this cipher using partial information about the private key obtained from $k$ public keys?

For the following cipher, what is the probability of someone without the private key generating a valid public key, using only information from a list of $k$ public keys previously generated with the private key?

This is the cipher:

To generate the private encryption key, $Y$: Let $X$ be an $n$ by $i$ matrix of random integers between $0$ and $9$, inclusive. Let $Y$ be a vector of the $n$ real nu ...

Score: 4
Daniel S avatar
What is the effect of low rank dual sublattices on the dual lattice attack on LWE?

In the dual lattice attack of Espitau, Joux and Kharchenko (On a dual/hybrid approach to small secret LWE), the authors propose distinguishing (and subsequently recovering secret values) of LWE samples $(A,\mathbf b)=(A,A\mathbf s+\mathbf e)$ by finding dual vectors $(\mathbf x^T|\mathbf y^T)$ such that components of the vectors are small (with the possible exception of a small subset of components ...

Score: 0
Morbius avatar
Computational indistinguishability of two LWE type samples

Consider the problem of distinguishing between polynomially many samples of either \begin{equation} (x, b, As + e) ~~\text{or}~~\left(x, b, ~Ax + b\cdot(As + e) + e'\right). \end{equation}

Here, $A$ is a public matrix and $s$ is a secret vector chosen uniformly at random. $e$ and $e'$ are Gaussian errors. $x$ and $b$ are sampled uniformly at random.

The dimensions of different objects are:

\begin{ali ...

Score: 1
Dominic van der Zypen avatar
Minimum cycle length for Rule 30 automaton with bit-toggle

A rule 30 cellular automaton produces chaotic output from a very simple rule and therefore can be used as a pseudo-random generator (but not a cryptographically secure one).

One of the problems is that there are "black holes", for instance the constant 0 bit-vector gets mapped to itself, and the constant 1 vector gets mapped to constant 0.

This can be mended using a simple toggle (via XOR) of bit 0 ...

Score: 1
phantomcraft avatar
Does inserting an entry of 32/64 bits into a Feistel S-box consume the same cycles per byte as inserting a single byte?

Blowfish splits a 32-bit word into 4 bytes and inserts each byte as an entry in an S-box.

Let's suppose I do the same but with an entire word, 32 or 64 bits. The MARS block cipher does the same with 32-bit words.

Does it consume the same cycles per byte as inserting a single byte?

Score: 0
Mir Henglin avatar
When can composition be viewed as a vector-valued query with differential privacy?

Page 33 of The Algorithmic Foundations of Differential Privacy gives two examples where a composition of mechanisms can be viewed as a vector-valued output, histograms, and fixed counting queries, where the privacy bound can be analyzed by considering the sensitivity of the vector-valued output.

I was wondering about a more general statement; when, generally, can a composition be viewed as a vecto ...

Score: 1
Jonathan Lee avatar
"Reverse" Reed-Solomon error correction, given prefix of input

I have a string $S$ of length (say) 34, that I know the first (say) 24 bytes of, but not the last 10. I also have the 10-byte error correcting code $RS_{44,34}(S)$ in full. Do I have any hope of recovering $S$?

The amount of information of $S$ that I'm missing far exceeds the theoretical guarantee of Reed-Solomon (which I think in this case is 3 bytes), but at the same time, there's $2^{80}$ poss ...
