Latest Crypto related questions

I'm going to use NTRU as post-quantum public-key encryption algo in my project.
I've googled attacks on NTRU and found a lot of them
but since I'm new to NTRU and don't understand the math used, and could not conclude whether NTRU is still secure, if yes which parameter sets are secure?

For 256bit security, I found EES743EP1 and NIST NTRU-HRSS and NTRU-HPS Wikipedia article says the latter one is s ...

In my cryptography course our teacher said that solving the discrete logarithm problem in a group of order $2^e$ is easy, and he gave us the following algorithm:

Let $G$ be a cyclic group with $|G|=2^e$ and $g\in G$ a generator. The following algorithm computes $x$ such that $h=g^x$:

• Precomputation: $g^{-1}=g^{n-1}$.

• Inicialization: $x_0=0$, $b_0=h$, $m_0=\log_2(ord(h))$.

• Iterations:
  while $m_ ...

I am currently trying to get a grasp of homomorphic encryption and are working through the paper by Armknecht et al. (2015): https://eprint.iacr.org/2015/1192 which gives a nice overview and clear definitions.

The only thing I stumble across is the definition of the "depth of a Circuit". The paper defines the set of Circuits C as

We begin with a space P = {0, 1}, which we call the plaintext space ...

I would like to get a correct understanding of the padding mechanism used in onion routing. The following is taken from the original paper of onion routing[https://www.onion-router.net/Publications/IH-1996.pdf].

Notice that at each hop the onion shrinks as a layer is peeled off. To avoid compromised nodes inferring route information from this monotonically diminishing size, a random bit string the size  ...

Im building a backend for webapp(s), so that we can sell tickets for our events. The events ranges from 100-700 guests.

We sell tickets online and we would like to be able to scan the tickets at the entrance. This is done via a Barcode-128. But in the case it is not possible to scan the code, one should be able to type in the code and check it this way. So the code should not be longer than circa ...

In Shoup's proof of the hardness of discrete log in the generic group in this paper, he mentions that:

At any step in the game, the algorithm has computed a list $F_1,\dots,F_k$ of linear polynomials in $Z/p^t[X]$ along with a list of values $z_1,\dots,z_k$ in $Z/s$, and a list $\sigma_1,\dots,\sigma_k$ of distinct values in $S$.

The algorithm is initially given the encodings of $1,x$ and access to the ...

I want to understand the limits of modulus switching in BFV.

Lets assume $q$ represents ciphertext modulus and $t$ represents plaintext modulus. $q$ is set to a $60$ bit value and $t$ is set to $20$ bits value.

Now we are given a BFV ciphertext $c$ based on above parameter choices. Also assume that due to holomorphic operations, the noise e in $c$ is around $35$ bits.

Now can I switch this cipherte ...

I'm looking at D.3.2 Verifiably Random Base Points of NIST SP 800-186. Looks like step 5 is there to ensure that $hashlen > bitLen(q)+1$ and (potentially) discard big $e$, so $t$ is distributed properly. However, the generation method won't work in if $hashlen < bitLen(q)$ (say SHA256 and Curve448). Is there any way to fix it?

According to the literature (https://en.wikipedia.org/wiki/Garbled_circuit), Oblivious Transfer allows a party A holding a function $f$ and a party B holding a index i to jointly compute the value $f(i)$ while keeping the privacy of $f$ and $i$.

In my opinions, OT is enough for archiving the cryptographic functionality of Garbled Circuit: enabling two-party secure computation in which two mistrusting ...

I'm following a course that speaks about cryptography. In this course we talked about Min-Entropy ($H_{\infty}$) and Extractor. To show that an extractor $Ext:\{0,1\}^n \rightarrow \{0,1\}^l$ that outputs an uniformly random string doesn't exist if $H_{\infty} < n$ we take the special case $\ell=1$.

But I don't well understand the proof.

In this proof we take the preimage of $b$ where $b \in \{0,1 ...

I'm a complete noob. I was reading up on hash functions. So if a bank has its user password's run through a hash function, it'll produce a unique hash for every password right? Thus, even if hackers are able to get their hands on some data, they'll only have the hashes and not the original passwords.

But I also read that if a hacker runs a lot of common passwords through a hash function, and then ...