Latest crypto-related questions

Score: 2
Why is the AND gate * in Fully Homomorphic Encryption (BFV scheme)?

According to Representing a function as FHE circuit, the AND gate for FHE encrypted data is just A*B, in the case that the plaintext has only 0 or 1 coefficients.

Remember that on the BFV FHE scheme, it encrypts polynomials, and we can set the maximum value of the coefficients of the polynomial. So, if we set the max value to 1, then we can do binary gates easily. For example:

  1 + 0x^1 + 1x^2 + 0x^3 ...
Score: 1
Asked by uk-ny
Split, sign, and combine

I have a device that signs (symmetrically) very short messages, and I would like to sign a long one.

I split it into several short messages, signed each one separately, and now combine all the signatures. Of course, the trivial way is to concatenate them, but is there a way to have the combined signature of the same length as the individual ones?

It doesn't seem easy to protect against rearranging the ...

Score: 0
Asked by JAAAY
Are there any schemes for supporting time-limited decryption that are not based on P2P or TTP models?

Time-lock encryption is a method to encrypt a message such that it can only be decrypted after a certain deadline has passed.

This sounds like time-lock decryption. I was wondering if the inverse with respect to the time variable is possible, something like time-limited decryption? Of course, if something is encrypted with some key, the key will never expire and will always be able to decrypt the message, e.g. ...

Score: 3
Asked by DannyNiu
Is there any "exception-free" coordinate system for Weierstrass curves?

I'm referencing RFC-6090 for an attempt at implementing ECC in my spare-time project.

In the RFC, pseudo-code examples are given to illustrate how to handle points at infinity in point arithmetic, and this involves several special cases. This is because the point doubling and point addition formulas in affine and homogeneous coordinates cannot correctly handle the point at infinity.

So I want to ask: is the ...

Score: 2
Asked by DannyNiu
How to determine whether a point is at infinity in homogeneous coordinates?

I'm implementing ECC in my spare-time project. I'm referencing RFC-6090 for the point arithmetic algorithm over homogeneous coordinates.

In Appendix F subsection 2, there are 5 case labels when determining which formula to use, depending on how many points at infinity, if any, exist in the operands. For me, implementing these case labels in constant time isn't too big a problem, but I'm not too sure about determini ...

Score: 0
Asked by Mysterious Shadow
RSA: is it possible for the cube root attack to fail even if e=3?

I've come across an example where the e value is three, but no matter what tool/script I try, I can't decrypt it. I'm wondering, if the ciphertext and n are super super large, is it possible to crack it even if e=3?

Score: 0
Asked by C.S.
Number of samples in FrodoKEM

Why is the number of samples in FrodoKEM $m \approx n$?


The paper is here.

Score: 1
Asked by phantomcraft
Converting a 32-bit ARX cipher to a 64-bit one, should the rounds be increased?

I read about using 64-bit words in PRF functions.

I want to convert the 32-bit ARX cipher ChaCha into a 64-bit version, with a key/block size of 1024 bits (512*2=1024 bits).

My question is:

Should I add more rounds to achieve similar security?

Score: 1
What is a differential attack on a hash function? How would one attack a SHA algorithm, and what would that achieve?

Currently, I have been assigned to attack a reduced version of SHA-1. What are we trying to achieve? How do we attack it?

Score: 0
Asked by C.S.
A smaller modulus-to-noise ratio means more security in LWE

Let $\text{Adv}^{\text{DLWE}}_{n,m,q,\sigma}$ be the advantage of an attacker to distinguish LWE samples from uniform ones, where $m$ is the number of samples, $q$ the modulus and $\sigma$ the standard deviation of the error distribution.

I can't find an explicit expression for this advantage.

Does reducing $q$ and increasing $\sigma$ imply a smaller advantage (and hence better security)?

Score: 3
Asked by trivicious
Is it necessary for a round function $F$ in a Feistel cipher to be pseudorandom?

I stumbled across this question where the questioner asked for specific requirements for the round function $F$ in a Feistel network so that the construction is secure. The answer explained that a pseudorandom function in a four round Feistel cipher is sufficient for it to achieve security.

Is that also necessarily the case? In other words, can a Feistel cipher be constructed with a round function ...

Score: 2
Asked by phantomcraft
Does adding more XOR layers in the XEX block cipher mode increase its security or double it?

I read about the XEX mode of operation on Wikipedia. My question is:

There are two keys that are XORed against the plaintext. If instead of two XORed keys I add 4 or 6, does it increase the security of the block cipher mode?

In the case of 4 XOR operations, I mean XOR the first key, XOR the second, encrypt, and XOR the third and fourth key.

Score: 2
Asked by Qubed
What is the fundamental difference between quantum secure direct communication (QSDC) and quantum key distribution (QKD)?

Can one be thought to be a more powerful resource than the other? It seems to me like you could use QSDC to achieve the same thing as QKD (sharing of a secret key) without the use of a classical channel. What exactly is the trade-off between the two?

Finally, are there established bounds on the capacities of various quantum channels for QSDC, and if so, how do they relate to (do they differ from?) ...

Score: 2
Asked by Simon Brady
Are the FIPS 186-5 and ANSI X9.142-2020 definitions of ECDSA consistent?

FIPS 186-4 Digital Signature Standard defers to ANSI X9.62-2005 for the specification of ECDSA, with additional requirements set out in Chapter 6 and Appendix D. However, X9.62-2005 has since been withdrawn and replaced by ANSI X9.142-2020. The FIPS 186-5 draft noted the withdrawal of X9.62-2005 and that X9.142 was under development (Appendix E, p. 78), and instead gives its own specification of ECDSA ...

Score: 2
Asked by Chenghong
Commit the output of verifiable random functions

The problem setting is as follows. Suppose there exists a public input $x$ and the prover evaluates $y \gets VRF_{sk}(x)$, but the prover does not wish to reveal the output $y$. My question is: would it be possible to let the prover publish a commitment to $y$, say $com_y$, and then prove that the committed value of $com_y$ is correctly generated by evaluating the VRF using the secret key $sk$ and the ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.