Latest Crypto related questions

As I understand it, RSA works as follows:

1. Pick two large primes $p$ and $q$
2. Compute $n = p \cdot q$
3. The associated group $\mathbb{Z}^*_n$ consists of all integers in the range $[1, n - 1]$ that are coprime to $n$ and will have $\phi(n) = (p-1)(q-1)$ elements
4. Select the public exponent $e$, which must be coprime to $\phi(n)$
5. Compute the private exponent $d$ by solving $ed = k\cdot \phi(n)+1$ with th ...

When exchanging a public key I usually receive some compressed form of X,Y coordinates. To use some speed ups I'd need to represent that in the Jacobean x,y,z form.

Z=1 satisfies everything and looking at the speed ups (https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html) I don't see an obvious reason why Z=1 would b ...

For the chronological categorisation of cryptography, I have proceeded as follows:

1. Cryptography by hand (e.g. Caesar, Vigenére, etc., till around 1900/1920)
2. Cryptography using machines (e.g. Enigma, TypeX, etc., till around 1960)
3. Computational Cryptography (e.g. DES, AES, RSA, etc.)
4. The Future of Cryptography (e.g. Quantum crypto)

The slots 1,3, and 4 are well documented and have a lot of different ...

I have a question that is realted to symmetric encryption with a block cipher using CBC-mode, what is the consequence of: Using a predictable IV? and with Reusing an IV?

I'm trying to figure out exactly how solving different generic lattice problems can solve LWE, and in particular, BDD. Everything I've found says that since an LWE sample is $(A,b=As+e\mod q$), then the lattice $L_q(A)=\{v : \exists x:Ax=v\mod q\}$ contains $As$, so $b$ is within distance $\Vert e\Vert$ of that lattice. Hence, if a BDD solver can solve for distances up to $\Vert e\Vert $, on input ...

To my best knowledge, the Goldreich's pseudorandom generator (PRG) with locality 5 has been considered as one of standard assumptions.

On the other hand, Lin and Tessaro (Crypto'17) provides a new notion, called the block-wise locality PRG. As I know, block-wise locality 2 PRG was broken, but block-wise locality 3 PRG still remains one of hard problems.

Then, in this situation, is still the block-wi ...

I have read some PIR papers, but I find the related discuss of PIR framework was in 7 years ago.

So could somebody tell me，what is the mainstream PIR method in industry now？

Outside of professional carrier, I often stumble upon a need for a unique password for exp. for local database, game server, or on tons of, not so important, websites.

I came up with an idea to write a deterministic password generator for myself, which takes a tuple:

• master password
• header for exp. just a word "pinterest"

and generates a password of specified length, always the same.

I realise that this ...

I considered Extendable-Output Function (XOF) with a random seed but it seems I would have to specify the output length at the start and store the entire output. I don't know how many bytes I will need in advance, and I don't want to store a very long string.

I also considered some ad-hoc stateful construction using XOF that maintains a running counter. I wonder what is the "standard" and efficie ...

I'm aware we can quantify privacy with ε-differential privacy (ε-DP). But when we apply DP, how do we actually select the value for ε ? Are there some rule-of-thumbs? Is it decided case-by-case basis? In general, how do we decide we've enough privacy when using some algorithm that satisfies ε-DP definition?

Is AES GCM without GMAC vulnerable against bit-flip attacks? Let's assume the plaintext is known for some reason (e.g. it can be guessed). In my opinion, I can flip bits in the ciphered blocks and can so generate a plaintext, which is flipped at the same position. So it would be easy to change 0x01 to 0x00 in the plaintext, even when I don't know the key or Initialization vector.

Did I oversee so ...

Using

montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p

it is possible to transport an Edwards curve point (Ed25519 public key) to the Montgomery curve. Does it have any side effects if the Ed25519 public key is not valid, in case of a small subgroup or invalid curve attack for example?

And if yes, what would be the best solution to handle that properly?