Latest Crypto related questions

Score: 1
gerasia
RSA parameter generator algorithm

I'm studying for my basic crypto class and I'm trying to formalize the algorithm for the parameter generation of RSA. Unfortunately, I cannot find any algorithm, just plain text.

Can someone tell me if this algorithm could be accepted? Please focus more on the public exponent $e$.

  1. KeyGen()

    1. Let $p,q$ be two random prime numbers
    2. $N\leftarrow pq$
    3. $\phi(N)=(p-1)(q-1)$
    4. $e\xleftarrow{R}\{x|\;0< x < ...

Score: 2
Why do we need to mod in Shamir's Secret Sharing algorithm

I'm looking into Shamir's Secret Sharing algorithm and it's clear to me how it works but I don't understand the exact reason why we need to find a prime number and do modulo arithmetic using that prime.

On Wikipedia, it says that if you don't use modulo arithmetic, an attacker could get some information on the value without having enough shares.

In Joy of Cryptography, it seems to justify the need o ...

Score: 3
Lordi
Is it possible to calculate the multiplicative inverse of a point on an elliptic curve?

The title must be confusing. Imagine we have this curve:

$y^2 = x^3 + 9x + 17$ over $\mathbb F_{23}$

And we know

$[4]P = (19, 20)$

$[8]P = (12, 17)$

If we only have the value of $[8]P$, is it possible to calculate $2^{-1}X$ and $2^{-1}Y$ of $[8]P$ to get $[4]P$?

Score: 1
Luqus
Size of the counter in CTR mode

If I understood it correctly, in CTR mode I encrypt the nonce or IV together with the counter as a block, which is then XORed with the plaintext. For the next block, I increment the counter. Is there a fixed size of the counter to be able to iterate through all blocks, or does it start again at 0 at some point?

For example, with an algorithm that has a block size of 16 bytes, I could theoretically iter ...

Score: 0
How does not tagging hashes result in leaking the secret key if a nonce is re-used in a different scheme?

I'm reading through BIP340 and I'm having trouble understanding this part:

For example, without tagged hashing a BIP340 signature could also be valid for a signature scheme where the only difference is that the arguments to the hash function are reordered. Worse, if the BIP340 nonce derivation function was copied or independently created, then the nonce could be accidentally reused in the other scheme l ...

Score: 0
Pythonist
How does SSH generate keys for RSA algorithm?

As far as I understood, the core of the RSA algorithm is to have 2 (large) primes ‘p’ and ‘q’, so that ‘n=pq’. Then ‘n’ is the public key, and ‘p’ the private one. The security comes from the fact that given ‘n’ it is not easy to obtain ‘p’ and ‘q’, whereas it’s trivial to check that ‘p’ does factorise ‘n’.

My question is, how does SSH get these numbers in a ...

Score: 1
Simulator vs Prover -- Zero Knowledge Property

I know this topic has been discussed many times on this platform; however, I still lack the intuition behind proof systems' zero-knowledge property.

I understand that the goal of the simulator is to simulate the real transcript between the verifier and prover. So if the simulator can create a transcript without having access to the witness that is indistinguishable from a real proof by the verifier (it  ...

Score: 2
cryptobeginner
How can CPA-secure LWE cryptosystem be broken by an active attacker?

The LWE cryptosystem is only CPA-secure, as stated for example in A Decade of Lattice-Based Cryptography. Consider the following system described there (Section 5.2):

  • The secret key is a uniform LWE secret $s \in \mathbb{Z}_q^n$, and the public key is some $m \approx (n+1) \log(q)$ samples $(\bar{a}_i, b_i = \left <\bar{a}_i, s \right > +e$ collected as the columns of a matrix $A$ $$A = \begin{pmat ...

Score: 1
Fukai Mizumi
Help: creating secure keys

I want to encrypt my mails and sign them with my digital signature. I just don't know how/where I get it.

  1. what is a good/trustworthy CA?
  2. how do I generate those keys?
  3. I wanna use EC, which length, which curve, how?

Pretend I am dumb and really wanna be more secure in my everyday. And wanna sign some contracts with digital signature.

PS! I use Arch Linux. And I wanna do it all for free if possible.

 ...

Score: 2
phantomcraft
Questions: Argon2, its internal state and security of it when generating keys larger than 256/512 bits

Let's suppose I want to use a cipher with a large key size, such as ISAAC, which supports 8192 bits of key.

I can hash with SHA-256 or SHA-512 and iterate until it reaches the key size, but I won't get 8192 bits of security, as the internal state of these hash functions is capped to 256 or 512 bits.

I can hash with a XOF (eXtendable Output Function) such as Skein, SHAKE, KangarooTwelve, Blake3 or Blake2x  ...

Score: 2
Myath
Hidden field equations - existence of zeroes

Let $\mathbb{F}_q$ be a finite field of size $q$ (prime), and $\mathbb{F}_{q^n}$ be a degree-$n$ algebraic extension of $\mathbb{F}_q$.

Let $F$ be a polynomial function $\mathbb{F}_{q^n} \to \mathbb{F}_{q^n}$ of the form $$ \sum_{i, j \in I_A} A_{i,j} X^{q^i + q^j} + \sum_{i\in I_B} B_i X^{q^i} + C $$ where $A_{i,j}, B_i,$ and $C$ are some constants in $\mathbb{F}_{q^n}$.

Given a random $D \in \mathbb{F} ...

Score: 1
Asymmetrically encrypt a short message into a short string

I have a string whose size is < 32 characters from the following limited character set.

  • uppercase and lowercase Latin letters: A to Z and a to z
  • digits: 0 to 9
  • special characters: !#$%&'*+-/=?^_`{|}~

I am looking to encrypt this string with a public key where the resulting message is < 64 characters.

I understand there will be a trade-off between size and security.

Score: 2
What is the fastest way to check whether a given vector is the shortest in a lattice?

Given a lattice $L$ and a vector $v_1$ claimed to be the shortest, what is the fastest way to check/verify whether $v_1$ is indeed the shortest in the lattice?

Score: 0
Transagonistica
Proof of public-key encryption

Let us assume three entities: $A, B,$ and $C$, and let $[p_C, P_C]$ be the private/public key pair of $C$. Assume that $A$ encrypts a message $m$ using the public key of $C$, $P_C$, and sends this encrypted message $c$ to $B$.

My question is: can $B$ somehow discriminate that the encrypted message $c$ is the result of the public-key encryption of a value with the public key $P_C$? (public keys are pub ...
