Latest Crypto related questions

Score: 0
user1035648
Can homomorphic property of a commitment scheme be harmful?

Homomorphic properties turn out to be very useful, e.g., for achieving secure multiparty computation.
As a concrete example, homomorphic commitments can be used as a building block for secure election schemes: very roughly, during the voting stage, voters put their votes into homomorphic commitments, and during the tallying stage, the votes are counted in a verifiable manner by taking the product o ...

Score: 0
Juan
Are asymmetric encryption and decryption the same function?

In asymmetric key encryption, we have 2 functions, encrypt(m,k) and decrypt(m,k), and 2 keys, public_key and private_key.

And it must hold true that decrypt(encrypt(msg, public_key), private_key) = msg.

Question 1: Are the encrypt(m,k) and decrypt(m,k) functions different, or are they the same function?

Question 2: Must it also hold true that encrypt(decrypt(msg, private_key), public_key) = msg?

Score: 1
user1035648
Hiding and binding property of Goldwasser-Micali like bit commitment scheme

Let $N=pq$ be an RSA modulus, that is, $p$ and $q$ are large, distinct primes.
Let $J_{N}=\{y\in\mathbb{Z}^{*}_{N}:(\frac{y}{N})_{J}=1\}$ denote the set of all integers in $\mathbb{Z}^{*}_{N}$ with Jacobi symbol $1$.
The Quadratic Residuosity (QR) problem is to decide whether a given $y\in J_{N}$ is a quadratic residue modulo $N$ or not, that is, whether $y\in QR_{N}$, where $QR_{N}=\{y\in\mathbb{Z}^{* ...

Score: 1
mioz
Is bilinear pairing reversible?

Given $e(a,b)$ as known, can I get the value of $a$ or $b$?

Score: 0
CPereez19
Any SuperSingular curve or similar with Fp = Fq which is not badly broken unless big field orders are used?

AFAIK, SuperSingular curves appear to be broken by MOV:

A. J. Menezes, T. Okamoto and S. A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," in IEEE Transactions on Information Theory, vol. 39, no. 5, pp. 1639-1646, Sept. 1993, doi: 10.1109/18.259647.

I recall that with a big order chosen for the field ie. 1000-2000 bits, it was possible to have secure-enough curves. But  ...

Score: 0
Turbo
What if LWE is not as secure as we think?

LWE schemes are currently being deployed. LWE has no quantum polynomial time algorithms as far as we know.

Despite this what is the consequence if LWE can be broken on a classical computer? Do we have any other alternatives?

Score: 2
user348382
LLL on Knapsack-esque problem

Given integers $s_1, \dots , s_n$ and target integer $t$, I'm trying to find small integer coefficients $x_1, \dots , x_n$ such that: $$ t \approx x_1 s_1 + \dots +x_ns_n $$ Taking inspiration from the Knapsack problem, I was trying to use LLL on the matrix : $$ B = \begin{pmatrix} 1 & & & & \\ & 1 & & & \\ & & \ddots & & \\ & & & 1 & \ ...

Score: 0
js wang
How to read libsodium's scalar from integer/bytes or NTL:zz

Hi, I am new to libsodium. May I ask whether it is possible to get a scalar of ristretto255 from integer/bytes or NTL:zz?
Something like the following:

crypto_core_ristretto255_from_bytes(px, x); 
crypto_core_ristretto255_from_int(px, x); 
crypto_core_ristretto255_from_ntl(px, x); 

TIA

Score: 0
js wang
Implementing Pedersen commitment using libsodium

Hi, I want to implement a Pedersen commitment on top of libsodium.
Below is what I am trying to do:
comm1: m1G+r1H
comm2: m2G+r2H
comm3: (m1+m2)G+(r1+r2)H
comm4: comm1+comm2

and comm3 should equal comm4.
And here is my code:

unsigned char x[crypto_core_ristretto255_HASHBYTES];
randombytes_buf(x, sizeof x);

unsigned char g[crypto_core_ristretto255_BYTES];
crypto_core_ristretto255_from_hash(g, x); //co ...

Score: 0
LUN
How to force openssl/s_client to send a keyshare for the specific elliptic curve (secp256r1)?

I want to test my server application (TLS 1.3) using the s_client program from the openssl library, and I need the s_client to send a keyshare in the 1st ClientHello for secp256r1 (it proposes x25519 now).
Could you tell me which command line options in s_client I should use?

Score: 0
Morpheus
Wrong verification with Pedersen verifiable secret sharing

According to section 4.2 of Pedersen's verifiable secret sharing, given a secret share $(s_i, t_i)$, it is possible to verify that the secret share is valid by using the commitments $E_j$, for $j=0,\ldots,k-1$, by using the formula

$E(s_i, t_i) = E_0 \cdot E_1^{x_i} \cdots E_{k-1}^{x_i^{k-1}}$, i.e. $g^{s_i}h^{t_i}=g^{a_0}h^{b_0} \cdot (g^{a_1}h^{b_1})^{x_i} \cdots (g^{a_{k-1}}h^{b_{k-1}})^{x_i^{k-1 ...

Score: 0
MaXbeMan
PCI compliance - use of ANSI X9.17 for export keys

We have a concern about a key export. We completed the migration to Key Block LMK in our environment (with HSM Thales 10K). Now we have to exchange keys with third parties that still use keys in variant form. We generated the keys and formed the ZMK using the Key Block standard. To resolve the issue we have to export keys using the "X" Key Scheme.

About compliance, we are still exporting keys in the correc ...

Score: 4
samuel-lucas6
Cache-hard or memory-hard password hashing algorithms?

bscrypt is a cache-hard password hashing algorithm/KDF from Steve Thomas (aka Sc00bz/TobTu), who was on the Password Hashing Competition (PHC) panel. He argues it is better than the alternative algorithms on his minimum password hashing parameters page. There are two talks for further information, but it's not thoroughly documented currently.

Pufferfish2 is another cache-hard, but not memory-hard, pass ...

Score: 0
nagylzs
Are Universally Unique Lexicographically Sortable Identifiers (ULIDs) safe to use as a session id?

The spec (https://github.com/ulid/spec, which is not a real standard) explains that there are 80 random bits in a ULID. UUIDv4 is better from a security aspect, as it has 122 bits of randomness. But UUIDv4 has no monotonic sort order, and that would be very beneficial in my actual application.

So how bad would it be to use ULIDs for session ids?

Score: 1
Lee Seungwoo
Man-in-the-Middle attack on challenge-response authentication protocols

Say $B$ is a server and $A$ is a client who wants to log in to the server by proving herself to $B$. In challenge-response authentication protocols, $B$ sends a challenge to $A$ and $A$ replies with a response.

Here, I think all kinds of challenge-response authentication protocols are vulnerable to Man-in-the-Middle attack because if there is $E$ (who wants to login to the server, impersonating $A$) be ...

Score: 0
Justin Zhang
After ZK-shuffle, how can we let people who got the same number card know each other without letting anyone else know?

In mental poker, we can use ZK-shuffle to deal cards to the players such that the cards are kept private to each player (https://hackmd.io/@nmohnblatt/SJKJfVqzq). Suppose we deal exactly one card to each player; I wonder if there is any way for the players who got the cards with the same number to know this fact without revealing it to anyone else? (Like the three players who got 3-spade, 3-heart, ...

Score: 0
Justin Zhang
Trustless voting where the total number of votes each candidate gets is kept private

Given n voters and p candidates, how can we design a trustless voting algorithm that satisfies the following properties? Each voter can only vote for exactly one candidate.

The algorithm needs to:

  • Keep all voters' votes private, i.e. known only to the voter itself
  • Keep the number of votes each candidate receives private. No one should know exactly how many votes each candidate gets.
  • Does not rely on a trust ...

Score: 0
user1035648
Statistical effect of increasing private key shares' bit length in threshold RSA signature

By using additive sharing of the private key over the integers, one can obtain a simple threshold RSA signature scheme.
It provides security against a passive adversary.
The dealer chooses random $d_{i}$ from $\mathbb{Z}$ such that the RSA private key $d=\sum_{i=1}^{n} d_{i}\mod \phi(n)$.
In order not to reveal information about the RSA private key $d$ or Euler's phi of the modulus $\phi(n)$, the $d_{i}$'s are chos ...

Score: 2
Martin Kleppmann
Digital signature scheme with blinded public key

I need a digital signature scheme with the following characteristics, but I don't know what it's called, so I'm having trouble searching for publications about it. It seems likely that something like it already exists. Could you please help me identify what it's called?

The scheme I need consists of four algorithms:

  1. $\mathsf{Gen}(1^\lambda) = (pk, sk)$ takes a security parameter and returns a pair ...

Score: 1
kipawaa
Hidden Subgroup Problem: Embedding $G$ in a complex Hilbert space $H$

In general or in specific examples, how is the group used in an instance of the hidden subgroup problem embedded into a complex Hilbert space in order to apply the quantum Fourier transform needed to solve the problem efficiently?

In quantum computing we imagine qubits as unit vectors in a complex Hilbert space $\mathbb{C}^{2^n}$ where $n$ is the number of bits in the system.

I've thought about th ...

Score: 0
MaXbeMan
Clarification on the use of Key block Version ID with Thales HSM

Clarification on the use of Key block Version ID
For the first time since we migrated to the Key Block we are exchanging keys with third parties. The keys were all generated by choosing Key Scheme "S". During export as Key Scheme of ZMK we selected "R". One of the counterparts is experiencing problems and they believe it to be in the "Key Block version ID". From our analysis all the keys have as "Key B ...

Score: 0
Kanchan Bisht
How to calculate inverse of an element using MPC and secret sharing

Suppose we have multiple parties ${P_i}$ each holding a secret share $(y_i,k_i)$ of the secret $(y,k)$. How can we calculate the inverse value $(y+k)^{-1}$ using multiparty computation such that these secret shares are never revealed?

Score: 0
javierhersan
Is there a multi-key encryption and decryption algorithm that allows key revocation?

I have private data and I want to encrypt it to share it with some users who should be able to decrypt it. Therefore, I need multiple keys to decrypt it. But I also want to be able to revoke a key to prevent someone from decrypting it. Is there an algorithm that allows key revocation without encrypting the data again?

I have a system where it is not feasible to encrypt all the data again, since  ...

Score: 0
Justin Zhang
Securely computing the addition of n numbers owned by n people

Assume that we have n people, each owning a secret number. Now we want to collaboratively compute the addition of all these numbers without anyone revealing their number. Then the result will be made public to all. I wonder what algorithm I should use?

(I have looked into multi-party computation, specifically secret sharing. But that, according to my basic understanding, is for a trusted dealer to d ...

Score: 0
Sukru
OpenSSL prime generation

Recently, I have noticed that openssl always gives numbers which have '1' in the upper two bits. It always begins with 0xC or higher values (0xD, 0xE, 0xF). It doesn't give primes starting with 0xB, 0xC, 0xA, 0x9 or 0x8. The common thing among those values is that their bit before the MSB is '0'.

I have an assumption about that situation. In RSA key generation, we need p and q values as primes and they ne ...

Score: 2
not2savvy
Can I check if a PGP signed message has been modified when I don't have the public key

Is it possible to check if a PGP signed message has been modified when the public key of the signer is not available?

Like, is there a message digest (hash) that can be checked without knowing the public key of the signer?

Note that I am aware that, even if the message digest is okay, it is not possible to prove authenticity. However, what I am asking is if I can discover just the case that the messa ...

Score: 0
mathcrypto
Apple secure enclave with RFC6979

Does the Apple Secure Enclave support RFC 6979 with the P-256 curve? This RFC defines a deterministic ECDSA with a deterministic k value.

That's the link of the RFC: https://www.rfc-editor.org/rfc/rfc6979

I looked everywhere in their documentation but couldn't find a mention of such usage.

Score: 0
Cat Dragon
Linear approximation table of AES S-Box

I am trying to create a linear approximation table of the AES S-Box to better understand linear cryptanalysis. I have followed the formula in this paper (page 7 of the pdf file) to be able to generate the linear approximation table of the AES S-Box, specifically that is $$\frac{\#\{x\in R|x \cdot t_x=B(x)\cdot t_y\}}{2^8} -\frac{1}{2}.$$ This is equivalent to $$\frac{\#\{x\in R|x \cdot t_x=B(x)\cdot t_y\}}{2^8} -\frac ...

Score: 0
DannyNiu
Comparison of distinguishing attack against blockcipher and permutation

In a previous question, we explored various security definitions of encryption schemes, such as IND-CPA, IND-CCA{1,2,3,etc.}

These indistinguishability games can roughly translate to blockciphers, as both data encryption and block encryption involve keys - a hidden parameter unknown to the adversary.

What I'm curious about is how we mount a distinguishing attack against a permutation. And how does  ...

Score: 1
stack_math
Find Linear Complexity of sequence beginnings

I know that in order to find the linear complexity of the two sequence beginnings $$(1,-1,0,-1,0,0,0,0,1,0,\dots)\in\mathbb{Z}_3^\mathbb{N}\\ (2,0,-1,-2,0,0,-2,2,-1,-2,\dots)\in\mathbb{Z}_5^\mathbb{N},$$ I have to find LFSRs that generate these sequences. Do these have to be found by trial and error or is there a better way than trying them with brute force?

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.