
What is the impact of leaving a salt used in HKDF open to attacker control?
RFC 5869 for HKDF says "an application needs to make sure that salt values are not chosen or manipulated by an attacker" [1]. Soatok also discusses some nuances in choosing salts for HKDF [2]. ...
Cryptography Stack Exchange
Are rejected Dilithium commitments secret?
On 6 March, Yi Lee sent over the NIST mailing list an announcement of their submitted paper that found a flaw in the original security proof for Dilithium. In their manuscript, they fix the proof on
Cryptography Stack Exchange
sUF-CMA security of Lyubashevsky's ID and signature protocol
I have been working on the post-quantum safe ID/signature-schemes of Vadim Lyubashevsky (https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf).
I am in particular studying the security ...
Cryptography Stack Exchange
How do you instantiate a Random Oracle?
I was recently discussing with a friend how to instantiate something that requires a RO (with a potentially long output) in a practical implementation. Specifically, for a Fiat-Shamir transform.
The
Cryptography Stack Exchange
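As an added illustration of the question above (not part of the question or of any answer on the page), the following Python sketch instantiates a random oracle with a SHAKE256 XOF, with a domain-separation tag and a length-prefixed encoding of the inputs, and uses it as the Fiat-Shamir challenge for a Schnorr proof of knowledge of a discrete log. The group parameters (p = 1019, q = 509, g = 4) and the domain tag `schnorr-fs-v1` are toy values chosen for this example and are far too small for real use; the point is that an XOF gives an oracle output of any requested length, and that reducing a digest well wider than q into Z_q keeps the challenge close to uniform.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (NOT secure sizes):
# P is a safe prime, Q = (P - 1) / 2 is prime, and G = 4 generates the
# order-Q subgroup of Z_P^*.
P = 1019
Q = 509
G = 4

LEN_PREFIX = 4  # bytes of big-endian length prefix in front of every field


def _encode(fields):
    """Unambiguous encoding of a tuple of byte strings (length-prefixed),
    so that e.g. ("ab", "c") and ("a", "bc") hash to different oracle inputs."""
    out = b""
    for f in fields:
        out += len(f).to_bytes(LEN_PREFIX, "big") + f
    return out


def random_oracle(domain: bytes, fields, out_len: int) -> bytes:
    """Random oracle instantiated as SHAKE256 over a domain tag plus the
    encoded inputs. out_len is arbitrary: the XOF property is what makes a
    'potentially long output' cheap to obtain."""
    return hashlib.shake_256(_encode([domain] + list(fields))).digest(out_len)


def _int_bytes(n: int) -> bytes:
    # Fixed-width encoding of a group element / exponent.
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def challenge(h: int, t: int) -> int:
    """Fiat-Shamir challenge c in Z_Q derived from the public transcript.
    We request about twice the byte length of Q plus 8 extra bytes and reduce
    mod Q, so the bias introduced by the reduction is negligible."""
    out_len = 2 * ((Q.bit_length() + 7) // 8) + 8
    digest = random_oracle(
        b"schnorr-fs-v1",  # hypothetical domain tag, chosen for this example
        [_int_bytes(G), _int_bytes(h), _int_bytes(t)],
        out_len,
    )
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Secret x in [1, Q-1] and public h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove(x: int, h: int):
    """Non-interactive Schnorr proof of knowledge of x with h = g^x."""
    r = secrets.randbelow(Q - 1) + 1      # fresh nonce; never reuse
    t = pow(G, r, P)                      # commitment
    c = challenge(h, t)                   # RO replaces the verifier's random challenge
    s = (r + c * x) % Q                   # response
    return t, s


def verify(h: int, proof) -> bool:
    """Check g^s == t * h^c mod p, recomputing c from the transcript."""
    t, s = proof
    # Reject elements outside the prime-order subgroup and out-of-range responses.
    if not (1 < t < P and pow(t, Q, P) == 1 and 0 <= s < Q):
        return False
    c = challenge(h, t)
    return pow(G, s, P) == (t * pow(h, c, P)) % P


if __name__ == "__main__":
    x, h = keygen()
    proof = prove(x, h)
    print("valid:", verify(h, proof))
    t, s = proof
    print("tampered valid:", verify(h, (t, (s + 1) % Q)))
```

The same `random_oracle` can be called with a different domain tag for every use in a protocol (commitment hashing, challenge derivation, key derivation), which is what keeps the separate "oracles" of a security proof independent in the single-hash implementation.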
Distribution distinguishability as a decision problem
In the definition of a pseudorandom function, we consider two distributions $D_0$ and $D_1$ over functions, where $D_0$ is the distribution of a random function and $D_1$ is the distribution of a
Cryptography Stack Exchange
Random oracles and the Borel-Cantelli Lemma
I am trying to understand the implication of the Borel-Cantelli Lemma to the random oracle model.
I think understanding a special case, say, a random oracle is one-way with probability 1, would be
Cryptography Stack Exchange