Latest Crypto related questions

In BLS multi-signature aggregation scheme we can combine different signatures of different peers into one single signature, and then we can verify whether the aggregated signature is truly signed by the claimed peers.

My questions is, having an aggregated signature, is it possible to separate the signatures and achieve the individual signatures of the peers? For example, having an aggregated sign ...

There is a statement in the paper "Asymptotically Efficient Lattice-Based Digital Signatures" by Lyubashevsky and Micciancio that says that "it is important that the ring of integers of $\mathbb{Q}(ζ)$, is efficiently samplable in practice - which is not known to be the case for particularly compact choices." Note that $\mathbb{Q}(ζ)$ is the number field where $ζ$ is the primitive root of $f( ...

I want to sign all of the HTML and JavaScript from my site with the site's TLS private key.

(The hex signature will be preceded with a <!-- comment which is valid for both HTML and JavaScript, and attached to the end of the text files.)

This is so that end users can prove that malicious JavaScript came from us, and so gain confidence that we would never do so.

Are there any security problems when ...

I am trying to show that by breaking the Computational Diffie-Hellmann (CDH) assumption one also breaks the Diffie-Hellmann inverse assumption. Unfortunately, I am a bit stuck and do not know where to go. I suspect that bilinearity property from the pairing group given by $PGGen$ is at fault, but I do not know quite sure how to approach the problem further. The definitions are as below.

With the Comput ...

Good afternoon . Please tell me how to change the md5 hash of one wav file to the md5 hash of another wav file. I want to bypass the anti-cheat check on md5. Maybe there are online paid services? I know English badly. I know that there have already been similar topics, but I could not do anything. Thanks!

It is known that we can transfer an ECDLP instance on a curve $E$ defined over $\mathbb{F}_p$ for prime $p$, to a discrete-log instance in $\mathbb{F}_{p^k}$ for some $k$. It is referred to as the embedding degree, and is the smallest integer $k$ such that the order of the curve divides $p^k-1$.

(One way to do this is using pairings.)

I am interested in the binary curves, e.g. defined over $\mathbb{ ...

I need to implement following operation:

w = (z mod (n-1)) + 1

where

z: 40-byte array

n: the order n of base point defined for NIST P-256.

I assume that resulted 'w' could be a point on the curve.

Any opinions are more than welcome

If I understand correctly, the way DSA in a group $G$ with a hash function $H$ works is: Peggy (signer) has a private/public key pair $x$, $g^x$. For signing, she produces a random session key $k$, $g^k$ then computes the signature: $s=\frac{H(m)+xF(g^k)}{k}$ where F is some "reasonably uniform function" $F: G \rightarrow \frac{\mathbb{Z}}{|G|\mathbb{Z}}$. To verify the signature, Victor checks that

Before you ask, this is neither for a CTF or homework, this is on problems in implementing non-standard RSA. If it feels like it is a CTF problem I will remove this post if necessary.

Murru Saettone RSA is a variant and quite vulnerable (to a continued fraction attack) RSA scheme based on the cubic pell equation. When implementing this in python, my encryption function appears to (may not) encrypt the ...

Given a number $N$ with $$N=Q\cdot R$$ $$Q=2\cdot q_1 \cdot q_2+1$$ $$R=2\cdot r_1\cdot r_2+1$$ with different primes $P,Q,q_1,q_2,r_1,r_2$.

If we now choose an exponent $\alpha$ containing prime factors of $Q,R$ with $$\alpha=2 \cdot q_2 \cdot r_2$$ we can generate a sequence $S$ with elements $$s_{i+1} = s_i^\alpha \mod N$$ starting at a value $s_0$ $$s_0 = x^\alpha \mod N\textbf{ }\text{ with}\text ...