Latest Crypto related questions

Score: 1
Marth83
RSA : common factor between M and n

Let's say that we have a classic RSA encryption, with n = p*q. For a given C, I saw on the internet that RSA might be weak if we know that the plaintext M and n have a common factor. However, I wasn't able to find a proof of that.

We know that $M=C^e \bmod n$, with e being the public key. I tried to say that $M = a + k*n$, with a and k being positive integers, and to redo the algorithm. Therefore:

 ...

Score: 1
"Add" points that are not on the same elliptic curve?

Assume an elliptic curve in Weierstrass form.

$y^2 = x^3 + a x + b$ where $x,y,a,b \in F$

I noticed the point addition formula does not involve parameters $a,b$. Furthermore, one can always solve for $a,b$ given two distinct points.

Thus one can "add" 3 or more distinct points, as long as their coordinates are in $F$, without having them on the same curve. More formally, let $O$ be the point at infinity, ...

Score: 0
Andy
RSA Encryption and ECDH in OpenPGP

According to the RFC 4880 standard:

1. Refer to section 2.1 Confidentiality via Encryption --> OpenPGP combines symmetric-key encryption and public-key encryption to provide confidentiality

+ To protect the session key --> encrypted with the receiver’s public key

+ To decrypt session key --> use receiver’s private key

2. Refer to section 5.1 Public-Key Encryption session key Packets

+ RSA encryption ...

Score: 0
vids
LWE-search to SVP reduction

So for my diploma thesis I'm writing about Regev's LWE cryptosystem from his original 2005 paper. I'm done with correctness and security (only the reduction from LWE-search via average-to-worst and decision-to-search reductions; however, the main point of that paper, the GapSVP to LWE-search reduction, is outside the scope of my work), but now I'd like to demonstrate an attack on such a cryptosystem with an att ...

Score: 0
vdavid
Are RSA-SHA256 signatures prone to length extension attacks?

I need to sign a message using a private key and verify the message with a public key, while making sure the message hasn’t been tampered with.

I know that SHA-256 itself is prone to length-extension attacks.

I also know that things like HMAC have been specifically designed to circumvent such attacks.

But what if I sign a message with RSA and SHA-256? Are they safe?

Do I need to sign the RSA/SHA3 to be prote ...

Score: 1
Joseph Johnston
Detailed Proof of Knowledge for Discrete Log

I'm having difficulty finding a detailed proof for one of the most basic protocols in cryptography, that is the Schnorr protocol, or the sigma protocol for proving knowledge of a discrete log.

Most proofs I can find gloss over the running time of the extractor, or just assume the prover works with probability 1. But the prover could succeed with any probability $\epsilon > 1/2^\lambda$ and the ext ...

Score: 2
Xershy
Software signing with OpenSSL

The company I work for wants me to implement some C functions to automatically sign their software. After doing some research I've found that OpenSSL is great for doing so.

Before starting the implementation in C, I wanted to get a feeling of the workflow by executing it in the CLI first. But that left me a bit confused, because I'm not sure where certificates should be used here.

These are the steps ...

Score: 0
fadedbee
How to use OpenSSL to prove non-repudiation

If I download https://example.com/foo.txt, how can I prove to a third party that I got it from https://example.com?

I understand that their private key is used to secure the channel, rather than to sign the content of URLs.

Is there a way of downloading https://example.com/foo.txt and providing a chain of proof that my foo.txt was obtained from https://example.com?

Score: 2
phantomcraft
How to calculate/generate the inverse S-box of Kuznyechik block cipher?

Let's suppose I want to modify the Kuznyechik block cipher by choosing a random S-box (taken from /dev/random for example).

How can I calculate/generate the inverse S-box?

Does anyone know the formula or algorithm used to do this?

Score: 1
DodoDude700
Can a blind "semi-HMAC" scheme using a hash of a blind signature avoid the problems of (provably insecure) blind HMAC schemes?

The impossibility of a secure "blind HMAC" scheme - an HMAC-based analogue of blind signatures - is known (as I understand it, essentially due to the user being unable to validate the signature received against a public key for the signer, and therefore being unable to be sure the signer is not using many signing keys and later "un-blinding" them by determining which of their keys is valid for a given s ...

Score: 0
Alex Meyer
Distributing the Master Public Key in Identity-based Encryption systems

I was just wondering how the private key generator should publish the master public key inside of an IBE system. This key is needed for all devices in the network to derive the public key of receiving entities.

Score: 0
NB_1907
$t'$ parameter in XSL Attack

In the XSL attack, the $t'$ parameter can be defined as "the number of monomials in the S-Box equations to be used in $T'$ method". Without taking into account the arguments about the attack, how can we choose this parameter? Is it flexible or strictly determined?

For example, in ch. 7.1 and 7.2, $t'$ is chosen as $9$ or $5$ for AES and $5$ for Serpent, respectively. What is the idea behind this choice?

 ...
