Latest Crypto-related questions

Score: 0
Tunnel_Vision
A friend created a great Stream Cipher. How should he move forward to maybe be compensated for his work?

After rigorous testing, it seems that it can possibly be a NIST-level candidate algorithm.

However, explaining or even finding the right people, experts in cryptography, to talk to about his invention seems to be quite a challenge. It's a time-consuming process to explain and present the material, and a hard-to-believe subject...

We want to share this with the world to receive feedback and conduct a prop ...

Score: 0
Jack
Is it cryptographically secure to generate an ECDSA pair using username / password?

I'm thinking, let's say you have a smart contract that ensures no double usernames. What if I generate an ECDSA pair like so:

  • Accept username and password
  • Validate username and password
  • Generate keypair using seed of <username> <some separator> <password>
  • Return keypair

Would this be cryptographically insecure? I'm sure there's something wrong with it but I'm curious as to what ...

Score: 2
Krakhit
Efficient endomorphisms on BLS12-381

I am doing some research on BLS12-381 (https://hackmd.io/@benjaminion/bls12-381) and trying to understand whether there are endomorphisms that are efficient. Of course, I am looking at this to explore faster multi-scalar multiplications :)

I came across this post on Koblitz curves: "Do Koblitz curves over $\mathbb{F}_{P}$ as generalized in SEC2 always have $a$ as 0?"

The case of interest for me is when th ...

Score: 1
JAAAY
Can Reed-Solomon codes work on infinite fields like $\mathbb{Q}$?

I am currently reading about RS codes. I see that they are using Galois fields (finite fields) as vector spaces. Is there any particular reason other than the fact that they simplify binary arithmetic and, for example, in $GF(2^8)$ each byte can be considered as a vector? Can they work in vector spaces that are defined over infinite fields like $\mathbb{Q}$? Thanks in advance for your time.

PS: Sorry ...

Score: 2
Ivan Rubinson
Which hashing function is good enough for session IDs?

Background

I'm building a URL shortener, and the URL to shorten may contain a SessionId.

For the URL shortener to not compromise the security of the SessionId, I must use a shortening strategy that fulfills the same requirements as the SessionId.

OWASP states that:

  • The session ID length must be at least 128 bits (16 bytes)
  • The session ID value must provide at least 64 bits of entropy

Score: 1
IKEv1 Phase 1, authentication with signature, sending certificates "optionally"

In RFC 2409, section 5.1, the authentication exchange looks like:

HDR*, IDii, [ CERT, ] SIG_I

HDR is an ISAKMP header whose exchange type is the mode. When written as HDR* it indicates payload encryption.

IDii is the ID of the initiator.

[CERT] means that sending the certificate is optional.

SIG_I is the signature of the initiator.

Why is sending the certificate payload optional? How is just sending the signature enough for authentication?

Score: 1
Public-key authenticated encryption: crypto_box

I have been reading about crypto_box encryption and have a question. In the details of the algorithm, it uses the key exchange X25519. However, I don't see why they need to use a key exchange algorithm.

So my question is: where and why do they need a key exchange algorithm?

Score: 31
Very Tiny Brain
Have any cryptographic breaks been executed in the real world since World War II?

Have there been any publicly known exploits of a cryptographic break in a widely used cryptographic system to actually read encrypted information (or falsely authenticate) since the Ultra program in World War II?

I want to define my terms as precisely as possible to clarify what I mean. An example of what I'm looking for needs to satisfy three requirements:

  1. It needs to be a true cryptographic break ...

Score: 1
John St
Is the composition of collision resistant functions H' = h1(h2()) collision resistant?

Suppose there are two collision-resistant hash functions $h_1$ and $h_2$ with output sizes of $n_1$ and $n_2$ respectively.

Is $H'(x) = h_1(h_2(x))$ collision resistant for the different relationships between $n_1$ and $n_2$?

This has been boggling me and my colleagues for the past few days, since two different approaches contradict each other:

1st approach:

Based on the definition of collision resis ...

Score: 0
Aleix Martí
Is it possible to perform a CPA attack against CBC when the IV is replaced by the last ciphertext block?

I was trying to do a simple CPA attack against this scheme, to better understand the concept.

Instead of using a new IV each time, we decide to use the last block of the previous ciphertext as the initialization vector. Prove this new scheme is vulnerable to a chosen-plaintext attack.

So in this case,

  • the challenger chooses a "game" and a key.
  • After that, we send $(0\ldots 0,1\ldots 1)$
  • and we receive

Score: 0
zkSNARKs: Doing the setup for the Single Variable Operand Polynomial

I am reading this explanation of zkSnarks written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf

My question is about Section 4.6.1

Setup

  • construct the respective operand polynomial $l(x)$ with corresponding coefficients
  • sample random $\alpha$ and $s$
  • set proving key with encrypted $l(s)$ and its "shifted" pair: $(g^{l(s)}, g^{{\alpha}l(s)})$
  • set verification key: $( ...

Score: 4
DDT
Security of ECDLP using elliptic curves over an extension field

It is known that, for an elliptic curve $E$ defined over a prime field $\mathbb{F}_p$ such that $E(\mathbb{F}_p)$ is a prime number, the best algorithms (besides some specific cases) for solving the discrete logarithm are the general ones for an abelian group: Baby-step Giant-step, Pollard rho, Kangaroo.

For elliptic curves defined over a field extension there exist index calculus methods. Two of ...

Score: 2
ChopaChupChup
DES SBOX Output with Bitslice

I am not understanding how to compute the output bits of a 6-to-4 S-box with the bitslice technique in DES. Matthew Kwan gave a brief recap of Biham's original paper in his paper "Reducing the Gate Count of Bitslice DES". He wrote:

Basically, for each S-box, the technique is to take two of the input bits, expand them to all 16 possible functions of two variables, and use the remaining four S-box inputs to sele ...

Score: 0
Performing TVLA test without knowledge of the Key

https://www.rambus.com/wp-content/uploads/2015/08/TVLA-DTR-with-AES.pdf

As the paper shows, we can check whether the hardware is vulnerable to side channel attacks by performing this test, but is it possible to perform it even if the key is not known to us, or if it is known but we cannot change the key? Do we have to adjust the test vectors by some linear operations if the key is known?

Are there ot ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.