Latest Crypto related questions

I am searching for a scheme supporting group signatures and at the same time permitting the blinding of the message-signature pair. Let me explain.

There is a certification scheme proposed by Verheul: if we have message that is a public key, say $\texttt{pk}(A)$, and a signature $\texttt{sig}(\texttt{pk}(A), s)$ made with the secret key $s$, Verheul scheme respects blinding: $$\texttt{verify}(\left<\t ...

I'm studying Impossible Differential Cryptanalysis of SPECK paper and I'm having trouble understanding the differential diffusion property of addition in page 19 which is as follows:

can someone explain what that property means or what symbol k|∆x[K] means?

I'm new to secure multi-party computation and ORAM. My question is quite simple.

Is there a concrete example to explain the linear scan for an array with multiplexers to achieve obliviousness?

I didn't find any good examples to explain this.

Additionally, in a linear scan, each access of an n-element array requires a circuit of Θ(n) size where the entire array is multiplexed for the required ele ...

Here is the use case: A uses B's public key to encrypt a message and sent it to B. In later stages, a new member C joins and B would like to let C be able to see this encrypted message (i.e., give the decryption ability to C) without sharing his/her private key or letting A encrypt the message again using C's public key. It is in this question. A useful solution in that question is proxy re-encryption. I ...

If A has a certificate issued by a CA_X, certainly A should have the private key of the certificate. My question is, does A generate the private key by itself, or , the private key is generated by CA_X, and somehow is sent by the CA_X to A?

In an edit to an answer by user forest, it was mentioned that there has been a new attack developed for lattice-based cryptography. I thought lattice-based cryptography is a fairly well established way of providing quantum-computing-proof security, and that the only thing left to do is developed a standardised system at NIST.

But the current attack leads me to my question: Is there a current conse ...

Let $\{0,1\}^*$ be the set of finite $\{0,1\}$-strings. Then SHA512 can be viewed as a map $s: \{0,1\}^*\to \{0,1\}^{512}$.

The pidgeonhole principle implies that there is $y\in \{0,1\}^{512}$ such that $s^{-1}(\{y\})$ is infinite.

Is there $y\in\{0,1\}^{512}$ with $\emptyset \neq s^{-1}(\{y\})$ and $s^{-1}(\{y\})$ is finite?

I have a trivariate polynomial whose roots I am interested. The polynomial has monomials in $\{X^4,X^2,X^2Y,X^2Z,1\}$. What is the best way to generate the lattice and apply $LLL$ so that I can get a second polynomial in common with the first under the assumption the polynomial has size of coefficients which satisfy Howgrave-Graham bound applicable to Coppersmith's techniques?

I'm dealing with Galois fields $GF(2^{8})$ and need help finding a polynomial $r^{-1}(x)$ such that $r^{-1}(x) r(x) \equiv 1 \mod m(x)$, where:

• $m(x) = x^{8} + x^{4} + x^{3} + x + 1$
• $r(x) = u(x) - q(x) \cdot m(x)$
• $u(x) = s(x) \cdot t(x)$
• $s(x) = x^{7} + x^{5} + x^{4} + x$
• $t(x) = x^{4} + x^{2} + 1$

Thus:

• $u(x) = x^{11} + x^{8} + x^{6} + x^{4} + x^{3} + x$
• $q(x) = x^{3} + 1$
• $r(x) = -x^{7} - x^{4}  ...

Answers to question RSA key length vs. Shor's algorithm suggest that e.g. 2048 bit RSA encryption would be trivially broken with 4099 qubit quantum computer using Shor's algorithm (best known implementation of the algorithm requiring 2n+3 qubits).

Is this really true? If I've understood correctly, the number of gates (logically quantum operations) needed would be around log(2^2048)^2×log(log(2^20 ...

What are the main differences between the Fast Fourier Transform (FFT) and the Number Theoretical Transform (NTT)?

Why do we use the NTT and not the FFT in cryptographic applications?

Which one is a generalization of the other?