Latest Crypto related questions

https://nsucrypto.nsu.ru/archive/2021/round/2/task/4/#data

The main idea of the exercise: Find the secret key $k$, having access to the $Enc(x, d) = Enc(x^d \bmod n), n = 1060105447831$. I will assume $0 < k < n.$ $Enc$ is a normal hash, it returns the same output as its corresponding input.

I want to find a collision such that $hash(k, 1) = hash(x, d)$, this would mean that I found $k = x^d \bmod n ...

F: {0,1}^λ → {0,1}^2λ is a secure pseudorandom generator, it says that λ is a security parameter, what does that mean?

An EC point $B$ is published publicly so that a recipient in possession of a scalar $a$ can calculate the shared secret $S = [a]B$. This is done with the Ed25519 curve.

If the sender (who knows $b$ and $A$ such that $[b]A=[a]B$) also publicly publishes one byte of the 32-byte compressed representation of $S$, what are the security consequences of this?

Are any of the bytes of the 32-byte EC point  ...

Let's say we're using the Ed25519 curve, and we're computing a Diffie-Hellman shared secret EC point $S$ by scalar multiplication of scalar $a$ with EC point $B$.

Is there any way of partially calculating at least a few bits of $S$ without completing the full scalar multiplication process?

The goal is to be able to communicate a few bits (ideally 8 bits) of $S$ in advance to the person that intends  ...

• I have elements from $\{0, 1\}^{n}$ (range of a hash function)
• The master $A$ can have any subset of this range.
• There are clients that each have a subset from the space, too.
• I want to make sure that the union of the clients' sets is equal to the master set
• The communication should be as least as possible.
• The elements are secret. (this requirement can be relaxed with a solution that could potential ...

It is a well-known fact that knowing the nonce used in signing the ECDSA signature allows the private key to be computed easily from that signature. If I understand it correctly, this nonce is a positive integer of finite size, so there aren't that many possibilities compared to trying to brute-force the private key directly. Actually, I read that in some cases knowing only one bit of nonce is enough to ...

Don't know a lot about cryptography, so need some help on this.

I would like to use a SHA256 string as a unique id in my database for users, but scaling that would be difficult.

Is it possible to convert a SHA256 string to be a shorter unique version, that would not collide (or collide very rarely)?

Could passing the SHA256 string through CRC32, FNV164, or ADLER32 be a viable option in this case?

I have read some code, the generator of the additive group of prime order is easy to get because every element in the group is a generator.So in JPBC I just need to randomly generate elements as generators.But this method is not valid in composite order groups because the elements in composite order groups are not all generators.So how to get the generator of composite order group in JPBC?

Let $p$ and $q$ are Sophie-Germain primes such that $p=2p'+1$ and $q=2q'+1$. Also let $n=pq$ and $n'=p'q'$. In Section 8.2.1 of this paper, the internal direct product of $\mathbb{Z}_{n^2}^*$ is shown as $$\mathbb{G}_{n}\cdot\mathbb{G}_{n'}\cdot\mathbb{G}_{2}\cdot T$$ where $\mathbb{G}_{\tau}$ is the cyclic group with the order $\tau$ and $T$ is the subgroup generated by $-1\text{ mod }n^2$. Furthe ...

How to generate constraint on right shift bitwise operator in the circom circuit language?

I'm trying to do the following:

pragma circom 2.0.0;

template MAIN() {

    signal input v;
    signal output type;

    type <== v >> 5;
}

component main = MAIN();

I'm getting the following error:

error[T3001]: Non quadratic constraints are not allowed!
   ┌─ "/Users/ilia/compiling/main-circom/m ...

I am aware that there are weaknesses in ECDSA when reusing NONCE and I am aware that there is a lattice attack on ECDSA. Are there other ways to attack ECDSA when one private key has made more than 10 million signatures? I'm interested in the secp256k1, secp256r1 elliptic curve parameters. Under what conditions can the private key in these curves be revealed if a large number of signatures were generated ...

I am looking for performance measurements in cycle counts for an implementation of the elliptic curve Diffie-Hellman for curve, ed25519. Ideally, the cycle counts should be for the M4, so that they are comparable with the pqm4 benchmarks: https://github.com/mupq/pqm4. Are there any measurements that can be compared to this end?

In general, I would be interested in how much "slower/faster" in terms of CPU  ...

In hash functions, $h(m) = h(m_1)$ is called collision and is very undesired that they are feasible to find as it undermines hash security. However, is there essentially analogous concern in encryption like block ciphers (AES-256) or RSA? If there is plaintext key pair $m,k$ that yields some ciphertext, and there exists another key, message pair $m_1, k_1$ that also yields the same ciphertext, is this ess ...

Motivation. There is a fast approximation to conventional multiplication. It conceptually works like long multiplication except for the fact that the carry is discarded instead of applied to the more significant position. Hence its name: carry-less product. One use is to improve the speed of applications doing block cipher encryption in Galois/Counter Mode. The operation is also known as an XOR mu ...

In RSA, if we use Square and always Multiply algorithm in decryption, how does decrypting the ciphertext $c=n-1$, while our public key is $(n,e)$, cause the private key $d$ to reveal due to side-channel attack?