Latest Crypto related questions

Score: 2
jocerfranquiz
Is there a quantum algorithm to find SHA256 collisions?

As I understand, the Bitcoin network can be seen as a supercomputer looking for SHA256 collisions. It hasn't found one yet (March 2022). Also, in the post-quantum cryptography era, you would be capable of reversing SHA256 hashes.

But in the case of finding hash collisions, is there an algorithm already proposed?

Score: 2
PPP
Fast fully homomorphic arithmetic scheme? BFV = slow bootstrapping, TFHE = slow arithmetic

The BFV scheme is good for representing lots of integers inside a polynomial and we can even operate on them individually relatively fast. However, bootstrapping on BFV is infeasible, such that no library even implements it.

On the other hand, schemes like TFHE have very fast bootstrapping, but operate on gates. This paper is the newest I could find that finds a way to encode integers on the toru ...

Score: 1
kelalaka
On the correctness of the padding example of RFC 5246

The PKCS#7 padding is defined in rfc5652#section-6.3

Some content-encryption algorithms assume the input length is a multiple of k octets, where k is greater than one. For such algorithms, the input shall be padded at the trailing end with k-(lth mod k) octets all having value k-(lth mod k), where lth is the length of the input. In other words, the input is padded at the trailing end with one of t ...

Score: 1
Turing101
Variant of DES and breaking the 16 round DES

Consider a variant of DES algorithm, called DES-WEAK. In DES-WEAK, there is no permutation P in a round and all the S-boxes are replaced. The new S-boxes are all identical and defined as follows. Let b0, . . ., b5 represent the six input bits to an S-box and a0, a1, a2, and a3 the four output bits. Then, a0 = b3 ⊕ b0b1b5, a1 = b0 ⊕ b1b3b5, a2 = b1 ⊕ b2b3b5, and a3 = b2 ⊕ b4 ⊕ b1b3b5. • Desig ...

Score: 2
Napoleon
How small is the negligible advantage for DDH?

The well known Decisional Diffie Hellman assumption (DDH) assert that for any $n = \log q$ and generator $g$ of $\mathbb{Z}_q$, for uniformly i.i.d $A, B, C \sim U(\mathbb{Z}_q)$, the following are indistinguishable for any PPT $M$: $g^A, g^B, g^C$ vs. $g^A, g^B, g^{AB}$. That is, up to negligible advantage: $$\epsilon = \left| \Pr[M(g^A, g^B, g^C) = 1] - \Pr [M(g^A, g^B, g^{AB}) = 1 \right| \leq 1/\o ...

Score: 2
pintor
How to extract witness from a non-interactive lattice-based proof?

I'm trying to figure out how to construct an extractor for a non-interactive lattice-based proof. Specifically, I'm curious about the Fiat-Shamir transform applied to a five-move interactive protocol. Can you please explain to me what strategy should be used? Or share a link to an article with examples (references to extractors for non-interactive three-move protocol are welcome as well). Thank you!

Score: -1
Giorgi Chubinidze
TRIVIUM stream cipher: how it works

Hello, I am quite new to cryptography, so I found the Trivium stream cipher. Can anyone explain in basic language how the Trivium cipher works?

Score: 0
CipherX
Anonymous Group Signature

I have been doing some research in the group and ring signature literature for anonymous signatures. I am trying to find a group signature scheme which provides the following properties:

  • Anonymity for the signer
  • The signature can be verified by a generic receiver
  • Output just one signature (I do not want a kind of LSAG Signature Scheme)
  • Signer in the group should be able to create the signature on the ...

Score: 4
J. Doe
Given a cycle $x \mapsto x^a$ with its starting point $x_1$. Can another starting point $x_2$ be transformed to generate the same cycle?

A cyclic sequence can be produced with

$$s_{i+1} = s_i^a \bmod N$$

with $N = P \cdot Q$, $P = 2\cdot p+1$ and $Q = 2\cdot q+1$, where $P,Q,p,q$ are primes,
and $a$ a primitive root of $p$ and $q$.
The starting point $s_0$ is a square ($\bmod N$).
It will produce a cycle of length $\mathrm{lcm}(p-1, q-1)$
(except if $s_0$ is a $p$-th or $q$-th power $\bmod N$).

Given now a starting point $s_0 = x_1$ it will ...

Score: 1
devnull
Camellia 1.2.0: words with 0 at key table

Testing code that uses the Camellia 1.2.0 source code, when generating a keyTable from the input key, using:

    void Camellia_Ekeygen(const int keyBitLength,
                          const unsigned char *rawKey,
                          KEY_TABLE_TYPE keyTable)

The output shows a few 'zeroed' words at the same places. Two random examples for 256 bits:

E1AE67E4 07AE952B 94B0FCD1 CD366E1C 5160F1A8 45893AE8 0994EC20 1B5782AF

...

Score: 0
Vedika
16 or 32 bit Digital Signature for Hardware Level

I am working on a hardware security problem. It involves authentication of contents of a packet header at the network-on-chip level, which is very resource constrained in nature. I have a Pearson Hash of the header contents, which I would like to digitally sign so that it can be verified by other nodes of the network that the hash was indeed generated by the source node. The hash is of 8 bits. I want to ...

Score: 2
Sheldon
What is the meaning of "the verifier is PPT"? And why do we need the verifier to be PPT in an interactive proof?

I have been studying zero-knowledge proofs. I found that the definition of an interactive proof says that the verifier is PPT. And I only found on the PP (complexity) Wikipedia page that PPT means:

Turing machines that are polynomially-bound and probabilistic are characterized as PPT, which stands for probabilistic polynomial-time machines.[2] This characterization of Turing machines does not require a bounded error pro ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.