Latest Crypto related questions

Consider the following version of Learning With Errors.

You are either given $(A, As_1 + e_1, As_2 + e_2, \ldots, As_k + e_k)$ or $(A, u_1, u_2, \ldots, u_k)$, where

• $A$ is an $m \times n$ matrix whose entries come from the field $\mathbb{Z}_q$ --- the entries are sampled uniformly at random.
• $u_1, u_2, \ldots, u_k$ are $m \times 1$, each of whose entries come from the field $\mathbb{Z}_q$ unifor ...

If I have public element $W=K^r$, and $K=v^x$ should be kept secret where $v$ is a generator in $\mathbb G$, is there a way to produce a zero knowledge proof on x and r such that $W=v^{x \cdot r}$ while committing to $x$ and $r$ individually. Thanks.

I need to generate a deterministic identifier from some user data. One of the user data items is highly sensitive, but the other two are not. The identifier will be sent to an external party regularly, so it must not change in the future - i.e. the same input should always produce the same output in the future.

A pseudo random function (PRF) seems like an ideal solution to this problem. We use th ...

I cannot seem to understand why the function $F$ defined in Theorem 7.1 of the paper “Permutation rotation-symmetric Sboxes, liftings and affine equivalence” is described as “a bijection on $\mathbb{F}_2^n$”.

The input contains $n$ bits, yet the given definition seems to imply that the output contains $k=n-2$ bits: $$F(x_1, x_2, \ldots, x_n) = (f(x_1, \ldots, x_k), f(x_2, \ldots, x_{k+1}), \ldots ...

I am trying to understand SHA2 - 512 algorithm, so I am following this document which has the intermediate values for the string "abc". At t=0, the values for f, h and g are straightforward. But I am not getting the same value for e, which suggests that I am doing something wrong when I am computing $T_1 = h + \Sigma_1(e) + \text{Ch}(e,f,g) + K_i + W_i$. I am almost sure that I have implemented $ ...

With the proliferation of https, and one of the primary functions of my pc being browsing the intarwebs, it occurs to me that my cpu is spending a lot of cycles doing AES en and de cryption. For the "average" PC (i.e. not servers or supercomputers, which is an interesting but different question), about what percent of one's cpu cycles are spent doing bulk data encryption? How does this compare with oth ...

Some implementations of a Schnorr signature will determine the challenge as follows:

$c=H(kG \mathbin\| X \mathbin\| m)==H(rG+cX \mathbin\| X \mathbin\| m)$, where:

$c$ is the challenge
$m$ is the message being signed
$X$ is the public key of the signer such that $X=xG$
$G$ is a well-known base point
$x$ is the private key of the signer
$r$ is the response to the challenge, calculated as $r=k-cx$

The process of Shamir secret sharing degree reduction in multiplication gate is explained in the following link

Now, based on the secret sharing that done by a degree one polynomial, we must be able to reconstruct the secret, i.e. $10$, with each of the $2$ shares out of the $3$ shares $(3, 7, 0)$. Nevertheless, the reconstructed secret using $(3, 7)$ is correctly $10$, but reconstructed secret using ...

The protocol shown in the Figure is open for an attack that will let an attacker learn the secret value from the server without having to know the key Kcs. Can anyone help in finding such an attack? Only, the client C and server S share the symmetric key Kcs. Regards.

I found in many recourses that hill cipher uses 2X2 and 2X1, other uses 1X2 and 2X2 so which one is correct, if I one matrix and turned it into another it does work? so which one to use

In ECDSA, $f(G)=r$, where $r$ is the $$-coordinate of group element $G$. Now it is known that $f(G)$ is not uniform(Why isn't $f(G)$ uniform in ECDSA?). Then in which range $f(G)$ is uniform?

Let $\langle G\rangle$ be a cyclic group on the ECDSA elliptic curve with the generator $G$, and $S=\{x|f(W)=x,\forall W\in\langle G\rangle\}$. My question is: for any $W\overset{\\\$}{\leftarrow}\langle G\rang ...

David Wong in his book Real-World Cryptography writes:

In 2013, following revelations from Edward Snowden, it was discovered that NSA had purposefully and successfully pushed for the inclusion of backdoor algorithms in standards (see “Dual EC: A Standardized Back Door” by Bernstein et al.), which included a hidden switch that allowed NSA, and only the NSA, to predict your secrets. These backdoors ca ...

A cyclic sequence can be produced with

$$s_{i+1} = s_i^a \mod N$$ with $N = P \cdot Q$ and $P = 2\cdot p+1$ and $Q = 2\cdot q\cdot r+1$ and $r = 2\cdot u \cdot v \cdot w +1$ with $P,Q,p,q,r,u,v,w$ different primes

We can now project a random number $x_R$ into a subspace of size $2(r-1)+4$ with $$s_R = x_R^{\beta} \mod N$$ $$\beta = 2\cdot p \cdot q \cdot n \mod \phi(N)$$ with a factor $n$ of choice.