Latest Crypto related questions

Lattice-based cryptography is being used for several primitives and applications.

I know there are newer works for PIR, PSI, ORAM that have seen tremendous improvements due to FHE. In some cases, FHE is the only tool that can be used for practical constructions of these primitives.

My question is which other such primitives have seen improvements (in performance or security)?

I'm reading the paper "Why and How zk-SNARK works" to learn zkSNARK, and I suffered some problem in section 4.4, when prove the ability of single operation.

In this section, it tries to come up with a protocol to verify that the prover have the ability of doing multiplication. It gives two number $b$ and $c$ and tries to verify the result of multiplication. The prover construct to polynomials $l(x)$

The parameter of a lattice signature scheme DAZ19 with tight reduction can be choosed to make the underlying hardness problem intractable. How to estimate the parameter of a lattice signature scheme ESLL19 with lossy reduction? is there any relation between the reduction and parameter?

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

I believe I am misunderstanding something about the bounds derived for the key switching error in CKKS. I will refer to the initial paper, but similar bounds have been derived in all variants I have looked into.

My particular point of confusion is with $B_{\mathsf{mult}}(\ell)$ (on page 12, as part of lemma 3), which is defined to be $P^{-1}q_\ell B_{\mathsf{ks}}$, where $B_{\mathsf{ks}} = O(N\sigma)$

I know that Bitcoin uses a 32bit nonce that miners iterate over trying to hit the target number of prefixed 0's in the hash. If they run through all 2^32 combinations they then change something else in the block (either the 32bit extraNonce field, or by adding and removing transactions, changing the timestamp of the block slightly etc.)

I am implementing my own cryptocurrency from scratch and my  ...

If I try to do MD5(SHA256(input)), what is the strength of this so-called double hashing approach?

Is it as strong as SHA256, or as strong as MD5, or as strong as SHA256 + MD5?

This is not a homework question btw, I am asking because of a real issue in my project. By right, I only need to do SHA256(input) on the input, and store it in a column in one MySQL table. But my practical concern is: SHA256 is o ...

when reading [BDLOP18], I run the lwe-estimator with the recommended parameters in Table 2 , but the result of hermite factor is 1.007, this result is bigger than the recommended hermite factor 1.0035

My question is a little difficult to describe, so let me first start with an analogy

In an elliptic curve over a finite field, there are 2 groups - the first group is a finite field over which the elliptic curve is defined. The 2nd group is the group which is formed by all the points of the elliptic curve. These are the 2 different groups.

My actual question:

In AES256 we use a polynomial to represen ...

In Is Diffie-Hellman less secure when A and B select the same random number? , the possibility of Diffie-Hellman key exchange producing identical peer keys and the vulnerability of it against passive attackes was brought up, again - as a duplicate.

But is there a equivalent in *-LWE family of lattice-based key exchanges? My question being, without considering CCA-hardening such as Fujisaki-Okamoto t ...

As I understand,

1.The security strength is specified in bits according to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

2.Security strength is depend on the length of entropy input when generating random number

So, in the signature generation function, if the random k is an input parameter (not generate random k in this function)

How to check valid k? security strength of  ...

What hash based digital signature algorithms exist that have reasonably small signature sizes?

• By reasonably small, I mean not much bigger than what you would get with a 256-bit ECDSA (which I believe has a signature of about 64 bytes). If nothing close exists, then what's the smallest signature size I can get?

• I want 128 bit security or better (although its not a hard requirement).

• I will be si ...

I AM an amateur (for some reason, I have originaly written "I am not"... embarassing, sorry) in cryptography so this might be a very basic question.

I am interested to know if there exist ciphers such that if I encrypt a message with it and then lose first say 300 bits then I can't recover any information from the message even if I have the decryption key?

My problem is basically that I don't have a ...

TLS is the standard cryptography protocol on the internet, and many websites use it to secure their communications. However, for personal use, most people use other protocols like PGP, instead of using TLS keys/certificates.

There doesn't seem to be any reason to not use TLS for these things, or at least the encryption/signing part. The transport part of TLS isn't always needed, since people have ...

I read on the page 16 of On the Security of Hash Function Combiners that

the classical combiner for collision-resistance simply concatenates the outputs of both hash functions $Comb_{\mathbin\|}(M) = H_0(M) \mathbin\| H_1(M)$ in order to ensure collision resistance as long as either of H0, H1 obeys the property.

Consider H, a secure internal hash function with 256-bit inputs and 128-bit outputs