Latest Crypto related questions

I want to prove that the DSA signature scheme is EUF-CMA secure in the random oracle model, if the discrete logarithm problem is hard. I know it can be proved by the following two parts:

1. Discrete logarithm problem is hard $\Rightarrow$ DSA identification scheme is UI-PA security
2. DSA identification scheme is UI-PA security + $H,F$ are random oracle $\Rightarrow$ DSA signature scheme is EUF-CMA secure

Under which conditions is it secure to publish an encryption of the secret key $s$ under itself in terms of an $RLWE_s(s)$ ciphertext? Because for some schemes this is (repeatedly) used in bootstrapping or key switching, it seems to be secure (or at least it is assumed to be so).

On the other hand, if multiple encryptions $RLWE_{s_i}(s_k)$ are published it seems to be critical that there is no ``cy ...

We have 2 ciphertexts, one encrypted using Paillier and another encrypted under Elgamal encryption schemes. Is there a way to design ZK-proof to prove equality of the underlying plaintexts of these 2 ciphertexts.

Bilinear Pairings are widely used in many new schemes like Group Signature and Aggregate Signature. The problem is whether it is post-quantum secure. In other words, does Bilinear Diffie-Hellman intractability assumption stand against a quantum computer?

With a quantum computer, Shor's Algorithm solves Prime Factorization and Discrete Log problem in polynomial time, which nullifies the security of p ...

Let $H(h,k)$ be the expected entropy of some random oracle $X:\left\{0,1\right\}^h \to \left\{0,1\right\}^k$, where $h$ does not necessarily equal $k$.

1. Then, is it true that $\lim\limits_{h\to\infty}H(h,k) = k$ ? (for constant $k$)
2. If so, is the above still true if $h = 2k$? In other words, does $\lim\limits_{h\to\infty} h - H(2h,h) = 0$ ? (for common hash functions like SHA-256/512, the input block siz ...

I understand that domain separation in hashing is important, but I'd like to understand more clearly why and what are the risks involved.

• What is the theoretical justification for requiring domain separation?
• What are examples of schemes/protocols that can be broken if domain separation is not used?
• How can one evaluate whether the lack of domain separation is an issue or not? (e.g. Ed25519 does not us ...

I have two elementary questions related to the special distribution $|x'-x \text{ mod}^{\pm} \, q| \leq B_q := \left\lceil \frac{q}{2^{d+1}} \right\rfloor$ in Kyber. The first question is about the paper and the second question is about a section in the specification. I am asking this as one question because I think it fits well thematically.

1. In the paper on page 4 it says:

• Unfortunately, there  ...

What is the specific process of recovering the original secret of secret sharing? Is the parties with secret shares communicating with each other and exchanging secret shares, and if the number of secret shares greater than or equal to the threshold is collected, the secret will be recovered, or a third party will collect the secret shares to restore the secret, how is it generally done in the current s ...

The following statements seems to be a consensus in cryptography community.

Oblivious tranfer is a complete primitive for secure multiparty computation (SMC).

But I cannot find any explicit construction. What I want is a general method to construct SMC from OT with as few assumptions as possible, especially without the computational assumption so that it applies to information-theoretical security.

I am working with the securit yof CRYSTAL's Dilithium signature in the QROM. I am working with Kiltz et al.'s approach through lossy ID-schemes and looking at the proof of minimal entropy for the $DFS[ID, H, PRF]$ derived Dilithium-QROM signature. Unfortunately, I am not able to see how the proof of the lemma flows, nor understand what is beeing done and why it is "ok" to make the claims that are made... ...

Assume a given pseudo-random function $H:\{0,1\}^a\mapsto\{0,1\}^b$ with $b\in[104,256]$ and $b/2<a<b$. We want to exhibit a collision if there is one, which has probability $>63\%$.

We are ready to perform $2^{b/2+1}$ evaluations of $H$ or slightly more, distributed among several search units. But we don't have $2^{b/2}b$ bits of memory, especially accessible by each search unit. How can we pra ...

Say that $\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T$ are cyclic groups of prime order $r$ over which the pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is defined. It is well known that $\mathbb{G}_1 \subseteq E(\mathbb{F}_p)$ and $\mathbb{G}_2 \subseteq E(\mathbb{F}_{p^k})$ where $p$ is a prime number and $k$ is the embedding degree of the elliptic curve $E(\mathbb{F}_{p^k})$. It is also kn ...

I know that if using Grover's algorithm to break a cipher, one would need to perform (2^[key space])^0.5 queries (the square root of the number of all possible keys).

A simple transposition cipher COULD have their security of (transpositions)! (factorial of the number of transpositions), but how would it be in a post-quantum scenario?

Will the classical security of encryption schemes based on transpositi ...

As XMSS is post-quantum we can use it to secure blockchain. One of the main disadvantage of XMSS is its signature size. If we can reduce the size of the signature then we can use XMSS in the blockchain. XMSS signature contains the Sign on message+ index of OTS + Authentication path. If we can store the OTS index and Authentication path on off-chain such as a wallet, isn't is significantly reduce the  ...

When utilizing the closest vector problem for decrypting data, does lattice size matter. For example, is a 1000x1000 grid necessarily more safe than a 100x100 grid? And if so, why would these affect the computations of quantum computers? Also is there a "safest way" of choosing a lattice point that guarantees higher success?

Some time ago I had a question here about WinRAR security and probably the most common recommendation I came across was to use Veracrypt.

Veracrypt uses XTS, but according to others, XTS encryption is unnecessarily complicated and does not provide such protection to be considered secure enough. (see Thomas Ptacek; Erin Ptacek (2014-04-30). "You Don't Want XTS", or Evaluation of Some Blockcipher Modes of  ...

In RSA encryption, the larger the size of the prime numbers utilized for the creation of the public key, the more computational power is required in order to "Brute force" decryption.

• Does a similar concept apply when considering lattice-based encryption?
• Naturally, I would assume so, but how much more safe would a 3d lattice be, rather than a 2D lattice?
• Would it be exponential? and if so why?
 ...

Such as integer factorization problem and discrete logarithm problem. Assuming a large polynomial is obtained by multiplying two generated polynomials, is it NP hard to decompose it into these two generated polynomials ? And Assuming that A is the generator of the Galois field and B is a random number, is it NP hard to find an x to make $A^x=B$ hold?

May I ask if I use top-K to compress the gradient, can the attacker recover the original information of the data from the compressed gradient?

This recent paper shows that discrete logarithms are solvable if you have an oracle for the Diffie–Hellman problem. However, to me, it seems there is a much simpler reduction and I wonder where I am wrong:

Core idea: A DH oracle allows us to exploit the multiplicative structure of a curve's scalar field, whereas normally, we can work only on its additive structure.

You can use a DH oracle to compute ...

I want to derive session keys for many clients from a Master Key. Suppose I derive a key for the client $n$ in the following way:

master_key = HKDF-extract(salt, IKM)

key_client_n = HKDF-expand(master_key, info_client_n, L)

Then, I generate session keys for the client $n$:

key_client_n_session_0 = HKDF-expand(key_client_n, 0, L)

key_client_n_session_1 = HKDF-expand(key_client_n, 1, L)

Is that safe? Is ...

I have private keys that are close to 2kb big. Now I want to password encrypt them in the following manner.

1. Generate the private key of an asymmetric encryption algorithm (public key can be derived from private key later) with a random number (I'm using a system PRNG).
2. Generate a random salt of length 48 bytes (also from system PRNG)
3. Hash the salt with argon2 and a secret password (arbitrary length, bu ...

I wanna do an experiment. I wanna see if it's possible to sign in to an outdated website that still uses MD5 to store passwords (there are surprisingly still a lot) with two different passwords.

For example "Password123" must have another string that produces the same hash value. I've found a few examples online of two strings that produce the same MD5 hash value, but all of them would exceed the ...

I'm working on an open source iOS-native (both UX- and implementation-wise) 2FA app. Two of primary goals for the project are ensuring security and simple backups. Addressing these two areas is the last blocker before the release.

I'd like to ask you for your opinion and advice regarding the scheme I devised for the app. I'm not a cryptographer, and the amount of key wrapping in the scheme makes me fe ...

Walkthrough the textbook content, understand that we need to compute the slope of 2 points before can compute the new point as the result of addition.

Multiplicative inverse is part of the operation in a process to find the slope, where we know Extended Euclidean Algorithm is one of the best method to be used.

However, in order to realize the Extended Euclidean Algorithm in hardware RTL, we need to  ...

According to https://www.reddit.com/r/cryptography/comments/v0sw2r/enigma_ring_settings_question/

While the rotor is in the machine, the ring+notch+rotor all rotate in sync. While the rotor is pulled out, the ring+notch can be detached and rotated to a different offset compared to some canonical orientation of the inside rotor wiring.

This makes sense.

The online Engima encoder at https://www.101c ...

I am using some ark libraries, such as ark_ff and ark_bls12_381, to implement some cryptographic algorithms. In these algorithms, random oracles are needed, which gets some group elements in G1,G2,Gt in bls curve, will output a scalar number(ark_bls12_381::Fr). How to do these steps? To be specific, I need to hash group elements and get an 'u8' array, and then generate a Fr from the bytes array. I need  ...

Experts suggested 3DES when AES wasn't developed yet, since meet-in-the-middle attack, they suggested triple DES. Grover's algorithm, a quantum algorithm, weakens symmetric encryptions, how about triple ChaCha20? Does triple ChaCha20 have 256-bit security against quantum computers?

​I have been thinking about this question: if I directly replace the hash function with the message in the BLS signature, does the security of the BLS degenerate from existential unforgeability(EUF) to selective unforgeability(SUF) under the known message attack(KMA)?

The modified BLS signature scheme is defined as below. $\cdot BilinearGen\to pp:=(G_1,G_2,G_T,e,p,g_1,g_2)$ where the paring type i ...

In federated learning using homomorphic encryption, all participants in most schemes share the same pair of keys, which can easily cause key leaks and lead to data privacy leaks.

After research, I found that someone proposed to use a multi-key homomorphic encryption algorithm to solve the above problems. But I wonder why no one has added a key management scheme, such as secret sharing, to the exi ...