Latest Crypto related questions

If we know the value of G*n, the value of n, and the value of p in Zp, is there a way to find out G?

I tried the code below on sage but the value was different from the original G.

# we know nG = (x, y)
Gx = inverse_mod(n, p)*nG[0] % p
Gy = inverse_mod(n, p)*nG[1] % p
G = (Gx, Gy)

I am currently studying the Double Ratchet Algorithm from Signal (link to the documentation). I stepped over a security issue which I was not able to find that it was mentioned anywhere.

I assume that an attacker is able to delay messages at the public channel. Let's say Alice and Bob are having a conversation via double-ratchet encrypted messages.

At double ratchet, if an attacker has compromised a me ...

This question is about adding new data with different proportions to a dataset with equal proportions for each type of data, and determining at what point the added data can be distinguished.

For example, in a hospital with doctors, nurses, cleaners, and security personnel, with proportions of [0.5, 0.2, 0.2, 0.1], there is a table of 1000 encrypted doctors, 1000 encrypted nurses, 1000 encrypted  ...

Is there a known feasible method for determining an unknown public key from a Diffie Helman shared secret and the other public/private key pair?

This would be rarely useful, but I am curious if the DH operation is 'invertible' given the derived secret and private/public key of one party.

So if the shared secret (which is known to the attacker) was directly used to encrypt data, and the local key pai ...

I am building the Threshold Signature Scheme (TSS) based wallet. I would like to run the each party's node separately with different host. And these nodes should be able to send the messages through the secured and authenticated channel to the other partie's nodes. So what channel protocol is prefered to used. Can i use the rabbitMQ?

Can you explain the mathematical details of Grover's algorithm for children?

I want to hash my signature of JWT using public & private key, since we are using ES-256 algorithm in JWT. But the problem is that I have both the keys in JSON & .PEM format, so how can I do it in one openssl command? below is the shell script code which I am using to hash the signature:

SIGNATURE=$(echo -n "$DATA" | openssl dgst -binary -sha256 -hmac "$SECRET"| openssl base64 -e -A | sed 's/=// ...

The shape of the edwards curve is equal to $a x^2 + b y^2 = d x^2 y^2 + 1$ in $\mathbb{Z}_p$. Is there a way to know $p$ when we know the five points on the edwards curve without knowing $a, b, d, p,$ and generator $G$?

I tried to find p by using the five points given to me by concatenating the relationship $a x^2 + b y^2 - d x^2 y^2 - 1 ≡ 0 (mod \ p)$, but the expression became too complica ...

Considering that I am writing a circuit that will take age as input and return true or false.

For this ZKP system, I guess I don't need a separate prover circuit and verifier circuit.

Consider that I am writing a circuit that will take age as input and generate a proof. Now I will write another circuit for a verifier that will take the proof as input and verify whether it is true or false.

I am seeking ...

I'm thinking about storing packed integers $(x_1,x_2,...,x_k)$ into a single ciphertext slot using the Chinese Remainder Theorem (CRT). However, in order for the CRT to work, the plaintext modulus would have to be a product of prime values (the same prime values used in the CRT). So I ask, does the plaintext modulus have to be prime in BGV?

I want to prove that the DSA signature scheme is EUF-CMA secure in the random oracle model, if the discrete logarithm problem is hard. I know it can be proved by the following two parts:

1. Discrete logarithm problem is hard $\Rightarrow$ DSA identification scheme is UI-PA security
2. DSA identification scheme is UI-PA security + $H,F$ are random oracle $\Rightarrow$ DSA signature scheme is EUF-CMA secure

Under which conditions is it secure to publish an encryption of the secret key $s$ under itself in terms of an $RLWE_s(s)$ ciphertext? Because for some schemes this is (repeatedly) used in bootstrapping or key switching, it seems to be secure (or at least it is assumed to be so).

On the other hand, if multiple encryptions $RLWE_{s_i}(s_k)$ are published it seems to be critical that there is no ``cy ...

We have 2 ciphertexts, one encrypted using Paillier and another encrypted under Elgamal encryption schemes. Is there a way to design ZK-proof to prove equality of the underlying plaintexts of these 2 ciphertexts.

Bilinear Pairings are widely used in many new schemes like Group Signature and Aggregate Signature. The problem is whether it is post-quantum secure. In other words, does Bilinear Diffie-Hellman intractability assumption stand against a quantum computer?

With a quantum computer, Shor's Algorithm solves Prime Factorization and Discrete Log problem in polynomial time, which nullifies the security of p ...

Let $H(h,k)$ be the expected entropy of some random oracle $X:\left\{0,1\right\}^h \to \left\{0,1\right\}^k$, where $h$ does not necessarily equal $k$.

1. Then, is it true that $\lim\limits_{h\to\infty}H(h,k) = k$ ? (for constant $k$)
2. If so, is the above still true if $h = 2k$? In other words, does $\lim\limits_{h\to\infty} h - H(2h,h) = 0$ ? (for common hash functions like SHA-256/512, the input block siz ...

I understand that domain separation in hashing is important, but I'd like to understand more clearly why and what are the risks involved.

• What is the theoretical justification for requiring domain separation?
• What are examples of schemes/protocols that can be broken if domain separation is not used?
• How can one evaluate whether the lack of domain separation is an issue or not? (e.g. Ed25519 does not us ...

I have two elementary questions related to the special distribution $|x'-x \text{ mod}^{\pm} \, q| \leq B_q := \left\lceil \frac{q}{2^{d+1}} \right\rfloor$ in Kyber. The first question is about the paper and the second question is about a section in the specification. I am asking this as one question because I think it fits well thematically.

1. In the paper on page 4 it says:

• Unfortunately, there  ...

What is the specific process of recovering the original secret of secret sharing? Is the parties with secret shares communicating with each other and exchanging secret shares, and if the number of secret shares greater than or equal to the threshold is collected, the secret will be recovered, or a third party will collect the secret shares to restore the secret, how is it generally done in the current s ...

The following statements seems to be a consensus in cryptography community.

Oblivious tranfer is a complete primitive for secure multiparty computation (SMC).

But I cannot find any explicit construction. What I want is a general method to construct SMC from OT with as few assumptions as possible, especially without the computational assumption so that it applies to information-theoretical security.

I am working with the securit yof CRYSTAL's Dilithium signature in the QROM. I am working with Kiltz et al.'s approach through lossy ID-schemes and looking at the proof of minimal entropy for the $DFS[ID, H, PRF]$ derived Dilithium-QROM signature. Unfortunately, I am not able to see how the proof of the lemma flows, nor understand what is beeing done and why it is "ok" to make the claims that are made... ...

Assume a given pseudo-random function $H:\{0,1\}^a\mapsto\{0,1\}^b$ with $b\in[104,256]$ and $b/2<a<b$. We want to exhibit a collision if there is one, which has probability $>63\%$.

We are ready to perform $2^{b/2+1}$ evaluations of $H$ or slightly more, distributed among several search units. But we don't have $2^{b/2}b$ bits of memory, especially accessible by each search unit. How can we pra ...

Say that $\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T$ are cyclic groups of prime order $r$ over which the pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is defined. It is well known that $\mathbb{G}_1 \subseteq E(\mathbb{F}_p)$ and $\mathbb{G}_2 \subseteq E(\mathbb{F}_{p^k})$ where $p$ is a prime number and $k$ is the embedding degree of the elliptic curve $E(\mathbb{F}_{p^k})$. It is also kn ...

I know that if using Grover's algorithm to break a cipher, one would need to perform (2^[key space])^0.5 queries (the square root of the number of all possible keys).

A simple transposition cipher COULD have their security of (transpositions)! (factorial of the number of transpositions), but how would it be in a post-quantum scenario?

Will the classical security of encryption schemes based on transpositi ...

As XMSS is post-quantum we can use it to secure blockchain. One of the main disadvantage of XMSS is its signature size. If we can reduce the size of the signature then we can use XMSS in the blockchain. XMSS signature contains the Sign on message+ index of OTS + Authentication path. If we can store the OTS index and Authentication path on off-chain such as a wallet, isn't is significantly reduce the  ...

When utilizing the closest vector problem for decrypting data, does lattice size matter. For example, is a 1000x1000 grid necessarily more safe than a 100x100 grid? And if so, why would these affect the computations of quantum computers? Also is there a "safest way" of choosing a lattice point that guarantees higher success?

Some time ago I had a question here about WinRAR security and probably the most common recommendation I came across was to use Veracrypt.

Veracrypt uses XTS, but according to others, XTS encryption is unnecessarily complicated and does not provide such protection to be considered secure enough. (see Thomas Ptacek; Erin Ptacek (2014-04-30). "You Don't Want XTS", or Evaluation of Some Blockcipher Modes of  ...

In RSA encryption, the larger the size of the prime numbers utilized for the creation of the public key, the more computational power is required in order to "Brute force" decryption.

• Does a similar concept apply when considering lattice-based encryption?
• Naturally, I would assume so, but how much more safe would a 3d lattice be, rather than a 2D lattice?
• Would it be exponential? and if so why?
 ...

Such as integer factorization problem and discrete logarithm problem. Assuming a large polynomial is obtained by multiplying two generated polynomials, is it NP hard to decompose it into these two generated polynomials ? And Assuming that A is the generator of the Galois field and B is a random number, is it NP hard to find an x to make $A^x=B$ hold?

May I ask if I use top-K to compress the gradient, can the attacker recover the original information of the data from the compressed gradient?

This recent paper shows that discrete logarithms are solvable if you have an oracle for the Diffie–Hellman problem. However, to me, it seems there is a much simpler reduction and I wonder where I am wrong:

Core idea: A DH oracle allows us to exploit the multiplicative structure of a curve's scalar field, whereas normally, we can work only on its additive structure.

You can use a DH oracle to compute ...