Latest Crypto related questions

EDIT: I messed up something (see comments at answer). This question contains some false statements EditEnd.

For tetration modulo prime $P$ $$^{i}g = g\uparrow \uparrow i = \underbrace{g^{g^{\cdot\cdot\cdot^{g}}}}_i\equiv v \mod P$$ with suitable $g,P$ so that $$|\{^jg \mod P\}| = P-1 \text{ }\text{ , or }\text{ } v\in[1,P-1] $$

Given $P,g,v$, how difficult is finding the related $i$?
Harder than DL ...

The following details are given:

• Partial Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX11000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011
• Initialization Vector: E898EF8E91F8C9B201E6E29DF87EE152
• Ciphertext Block 1: 14B8D1412766A8520BACE4598F8AFAEE
• Ciphertext Block 2: 7E687A49015FA6F1B914635325A6361B
• Ciphertext Block 3: 8AD191394EF79CEC4B5A256313632CD4
• Ciphertext Bl ...

I'm reading and implementing this tutorial, the author explains everything pretty clearly, the only thing I'm missing is how he decides which trail to use (pg. 12). I understand that one should prefer trails with the least amount of active S-Box and maximize the bias of the trail (in fact, finding the optimal trail seems to be the most important step when trying to apply linear cryptanalysis to a symmetr ...

For a lot of cryptographic applications, multi-party protocols are used. The idea is to create shares of a key/secret and give them to multiple parties. My question is: Do all parties have to participate in the multi-party protocol or do protocols exist, that only need e.g. >51% of the shares to compute correctly?

I understand how this linear approximation board below is produced,

but I can't understand how this second board is produced using the first one

and finally how the pilling-up lemma values are calculated

( o in S 12 the approx. Λ 1 = X5 XOR X7 XOR X8 XOR Y 6 has bias +1/4

o in S 22 the approx. Λ 2 = Y 6‘ XOR Z 6 XOR Z 8 has bias –1/4

o in S 32 the approx. Λ 3 = Z 6‘ XOR W6 XOR W8 has bias  ...

I been trying to solve a particular challenge where we have to sign an admin message.

At first it seems a classic RSA blind signature attack but eventually they didnt give out the public exponents(e,n) and e is of prime(128) length.

The server offers to encrypt anything n number of times but not the admin message and there's is a option for verification,if we verify the admin message we get the flag ...

I have the following information:

key = hellotherenhsctf - this was part one of the challenge which we managed to get
cipher text = jkwb44pg26teiu}78uu{
alphabet = vxotbj9a8yqp7n5mh1rzwcd6gfiks3uel240{}_

It's from an internal CTF at college that has been and gone but has no solves and I was wondering what it was

The final format would have been in the form: flag{xxx}. No vigenere cipher I have tri ...

In multivariate public key cryptography, why can not we use the same public key for both signature and encryption?

I read that for signatures the public polynomial $P:\mathbb{F}^n\rightarrow \mathbb{F}^m$ has $n\geq m$ whereas for encryption $m\geq n$.

I've been implementing a hobbyist cryptography library, and I'm at the part where elliptic-curve cryptography is being implemented. I've already implemented and tested ECDSA with P-256 and P-384, where static and ephemeral private keys are 256-bit and 384-bit each, so far so good.

What's bothering me is P-521. I'm planning to generate 512-bit static ($d$) and ephemeral keys ($k$) to ease implementation,  ...

After rigorous testing, it seems that it can possibly be a NIST-level candidate algorithm.

However, explaining or even finding the right people, experts in cryptography to talk about his invention seems to be quite a challenge. It's a time-consuming process to explain and present the material and a hard to believe subject...

We want to share this with the world to receive feedback and conduct a prop ...