Latest Crypto related questions

Score: 4
Henry
A question about performing quantum computations on uniform superpositions

Let us consider the following situation. Let $U_f$ be a gate computing $f$ mapping $\{0,1\}^n$ to $\{0,1\}^n$. That is, $U_f\left\vert x,0^n\right\rangle=\left\vert x,f(x)\right\rangle$. Let $\left\vert\phi\right\rangle$ be the uniform superposition on $\{0,1\}^n$. By performing $U_f$ on $\left\vert\phi\right\rangle\left\vert0^n\right\rangle$, we have $\left\vert\phi'\right\rangle=\sum_{x\in\{0,1\}^n ...

Score: 0
Security of ElGamal signature scheme with generator of small order

For $p$ a 1024-bit prime, we have a 1021-bit element $g \in \mathbb{Z}_p^*$, where the order of $g$ is much smaller than the order of $\mathbb{Z}_p^*$. How does this small-order $g$ affect the security of the signature?

Score: -1
How expensive is it to migrate from AES-128 to AES-256

How feasible would it be to migrate from AES-128 to AES-256?

Score: 0
Eavesdropping attack on text-book RSA encryption with public nonce

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $\text{sk}$ and $\text{pk}$ respectively). Bob has an authentic copy of $\text{pk}$. The adversary has an authentic copy of $\text{pk}$.

Now, Bob wants to send his $\text{PIN}$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $N_0$ (a number chosen randomly  ...

Score: 0
Two Elliptic Curve Points having the Same X coordinate

Suppose in an elliptic curve (say the curve equation is: $y^2 = x^3 -17$) with prime order $q$, we have $(x,y_1) = nP$, where $P$ is a generator and $n<\lceil{q/2}\rceil$. Can we claim that there does not exist $n' < \lceil{q/2}\rceil$ such that $(x,y_2)=n'P$ is a valid curve point where $y_2 \neq y_1$?

Score: 2
Kohsin Ko
What is the difference between the [1] forking lemma (David Pointcheval) and the [2] general forking lemma (Mihir Bellare)?

My course teacher mentioned that the two forking lemmas have different prerequisites for use. The former article (Security Arguments for Digital Signatures and Blind Signature) is more limited, but I did not find it in the second article I read, and the article did not describe the difference between the two in detail (for example, the article mentioned that article 1 is not applicable to multi-s ...

Score: 3
pushd0wn
Construction of S-Box in PRESENT

I'm currently working on a hardware implementation (in Verilog) of PRESENT-80 for research purposes. Since our goal is to strengthen the security of PRESENT-80 with masking and error detection, I need to understand how the S-Box is designed.

In PRESENT: An Ultra-Lightweight Block Cipher the 4x4 S-Box is simply stated as a lookup table:

x 0 1 2 3 4 5 6 7 8 9 A B C D E F
S[x] C 5 6 B 9 0 A

Score: 1
Iwan5050
Is $H:\mathbb{Z} \rightarrow \mathbb{Z}_{p}^{*}$ and $a \mapsto g^a\bmod p$ with $p$ prime (strongly) collision-free?

Let $H:\mathbb{Z} \rightarrow \mathbb{Z}_{p}^{*}$ and $a \mapsto g^a\bmod p$ for $g \in \mathbb{Z}_{p}^{*}$ where $p$ is prime. Is this function (strongly) collision-free, meaning we cannot practically find $x_1, x_2$ such that $H(x_1)=H(x_2)$?

I argue no with the following reasoning: Let $A$ be an Algorithm which generates $x_1 \neq x_2$ such that $H(x_1)=H(x_2)$ and define $A: \mathbb{N} \rightarro ...

Score: 3
Elias Strehle
Prove that $x$ is the sum of digitally signed numbers without revealing the summands

Imagine this:

  • Charlie chooses two integers $x_1$ and $x_2$ and signs each of these integers with the same private key.
  • Charlie sends the following to Alice:
    • $x_1$ and $x_2$,
    • the two signatures, and
    • his public key.
  • Alice computes $x = x_1 + x_2$ and sends the following to Bob:
    • $x$ and
    • Charlie's public key.

Can Alice prove to Bob (without involving Charlie) that $x$ is the sum of two numbers ...

Score: 1
Léo Colisson
Provable security: impossible reduction when messages are encrypted/semantic security with function depending on the output of adversary

I've a problem with a protocol for which I can prove the security if the messages sent by the adversary are sent in clear, but I can't prove the security anymore if the messages sent by the adversary are encrypted... and this is a bit strange since I expect the protocol to also be secure in that second case.

More precisely, I'm considering a protocol for which a server Bob receives a message $k$ from ...

Score: 1
Baldovín Cadena Mejía
Is the speed of hash functions a disadvantage when storing hashed passwords in a database?

I know one of the advantages of hash functions is that they are fast. However, I read somewhere (I don't know where exactly) that the speed is a disadvantage for password hashes when storing them in databases, but why is this so? Would someone explain to me if being fast is a disadvantage for password hashing and why is this so? (If possible could you also write some links to websites/papers describi ...

Score: 0
riverwastaken
Is there a strictly Additive Dynamic Universal Cryptographic Accumulator?

Started reading up on Cryptographic Accumulators recently to incorporate them in a project. Using this survey to understand what features the accumulator needs to offer it seems I am looking for a Dynamic Universal Strong Accumulator that only supports addition. This paper lists reference [23] as having the above characteristics in Table 1, but reading the paper it turns out those accumulators also su ...

Score: 6
einsteinwein
Small error in security proof on the paper On the Multi-User Security of Short Schnorr Signatures with Preprocessing

I think I found a small error in the security proof Link end of page 37. It states that

$ \sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q +1)q/2+2}{p - (3q +2)^2 /4}$.

But shouldn't it be

$\sum_{i\leq q} \frac{3i+2}{p-(3q +2)^2/4} \leq \frac{3(q+1)q/2+2q}{p - (3q +2)^2 /4}$ ?

I think that the proof still works, since we want to show that you need $\mathcal{O}(\sqrt{q})$ queries to succe ...

Score: 3
Time Complexity Of Solving DLog When g and P are known

This (https://en.m.wikipedia.org/wiki/Discrete_logarithm) Wikipedia article confuses me. If you have the equation a = g^n (mod P), and g, P and a are all known, then how does a brute-force algorithm solving for n run in exponential time, as this article states? Shouldn't it be linear, or am I reading this article wrong?

Score: 2
How to convert plaintext to element of cyclic group in Cramer-Shoup cryptosystem

I am trying to implement a Cramer-Shoup cryptosystem, but I don't understand how to work with the plaintext I want to encrypt.

From what I understand, the plaintext needs to be converted to an element of the cyclic group G, which was generated with the key. I've checked multiple resources, from the wiki to several papers, and none of them seem to take the time to explain how to convert a plaintext ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.