Latest crypto-related questions

Score: 1
What is Cross signing of root certificates and how does it help at time of root certificate expiry?

I got to know that root CAs are cross-signed so that at the time of certificate expiry there are no outages. However, I am unable to find any good docs explaining how cross-signing works and how it prevents outages when a root CA certificate is going to expire in the near future.

While researching, I found the below from ssltrust.in:

"Cross-signing is simply when multiple valid paths exist between ...

Score: 1
Confusion over recovery of the private key in DSA signatures when a duplicate value of r occurs

In DSA signature where signing is done via

$$s = k^{-1}(H(m) + xr) \mod{q} $$

I understand why, if two messages signed by the same private key $x$ use the same $k$ value, you can recover the private key.

But I've read various comments and answers that say if two messages signed by the same private key have the same $r$ value that is all that is needed to recover the private key, and I don't understand ...

Score: 1
How to derive Edwards Point Addition formula

Deriving the addition equation for a Weierstrass curve is simple and straightforward (I started with this video that covers the simple case. If you know the basic derivative rules you can find the second case -- adding a point to itself -- easily).

How does one go about deriving the addition equation for an Untwisted Edwards Curve with a form of $x^2+y^2 = 1 +dx^2y^2$?

I know the formula itself is

Score: 0
Security level of Poly1305 and GMAC

The Libsodium docs list the AEAD forgery limits for ChaCha20-Poly1305 and AES-GCM, which seem like a < 128-bit security level, but say that it's not a practical concern. I've seen other people say Poly1305 has a 128-bit security level but haven't found much about the security level of either. There's also mixed information on the post-quantum security of both.

What's the security level of Poly1305 and ...

Score: 2
Barrett reduction to get the 64-bit remainder of a 128-bit number

On GitHub there's this piece of code that is part of Microsoft's SEAL:

SEAL_ITERATE(iter(operand1, operand2, result), coeff_count, [&](auto I) {
    // Reduces z using base 2^64 Barrett reduction
    unsigned long long z[2], tmp1, tmp2[2], tmp3, carry;
    multiply_uint64(get<0>(I), get<1>(I), z);

    // Multiply input and const_ratio
    // Round 1
    multiply_uint64_hw64(z[0], const_ratio_0, &carr ...

Score: 2
SSL/TLS Forward secrecy with 2 KEM public keys

As we know, the NIST PQC project is in its 3rd round, with a draft standard expected to arrive in the next (few) year(s).

An unfortunate fact is that we're not seeing many signature schemes that are general-purpose enough (in the sense that the size of some of their cryptograms may be large). However, the lattice-based PKC/KEM algorithms have favorable cryptogram sizes.

In SSL/TLS, the forward secrecy feature is ...

Score: -2
Encrypt with the private key and decrypt with the public key

Is it possible to encrypt with the RSA private key and decrypt with the RSA public key (not for signatures)? The task is that I have to encrypt the data with a private key and transfer this data to another person; he decrypts it with a public key, adds the data, encrypts it with the same public key and sends it to me. The whole task is written in Python; are there any libraries for this?

Score: 0
Algebraic Normal Form of a function in $\operatorname{GF}(2^{n})$

Consider the function $f(x)=x^{2k+1}$ in $\operatorname{GF}(2^{n})$ for $n$ odd and $\gcd(k,n)=1$, which is a differentially 2-uniform function.

For $n=3$, $k=1$, I want to find the Algebraic Normal Form of the function. Is there a way?

Score: 1
Fast encryption with one key and fast decryption with multiple keys sequentially

Is there such an encryption and decryption mechanism: given an encryption C = E(K1, M), where K1 is the encryption key and M is the plaintext, one has to apply decryption with two keys K2 and K3 sequentially to recover M, that is D(K3, D(K2, C)) = M. Given a K1, it is ideal to generate an unlimited number of pairs K2 and K3 to ensure distributed trust. The encryption and decryption shall not be too slow for la ...

Score: 6
Does Poly1305 have weak keys like GCM/GHASH?

Some block cipher keys are weak when used with GCM; see this question. This happens when the multiplier $H$ decided by the key ends up in a small-order subgroup of $\mathbb{F}_{2^{128}}$.

Poly1305 has a very similar structure to GHASH. It's the same idea: add in a block, then multiply by a key-determined constant, within a field. GHASH uses $\mathbb{F}_{2^{128}}$ (binary field) and Poly1305 uses

Score: 0
What does it mean for g and h to be independent in Pedersen commitments?

I'm looking at a research paper about the insecurity of a specific (wrong) usage of Pedersen commitments.

First, I'll go through the steps of Pedersen commitments, so that it can be shown if I have a basic misunderstanding.

My understanding of Pedersen commitments

Firstly, we say Bob wants Alice to commit to a message; therefore he generates two prime numbers p and q.

p <--- random prime q <--- rand ...

Score: 0
Second-preimage attack on Streebog

Could an attack similar to the one described in the paper "The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function" be applied if Streebog used Matyas-Meyer-Oseas instead of Miyaguchi-Preneel?

Could it be adapted? I don't see how, but it seems too simple to actually work.

Score: 0
Is this simple deniable encryption scheme based on a streaming cypher secure enough for each message?

Many existing deniable encryption schemes are for files or FS volumes, which are too heavy for simple short secrets, such as passwords, tokens, etc.

So I tried to implement a PoC crypto container based on a streaming cypher (ChaCha20), which encrypts multiple secrets with different passwords at once, and then one can decrypt one of the secrets with the corresponding password.

Some explanation of the simple scheme. Fo ...

Score: 2
Ideal Objects: Is there such a thing as an Ideal Functionality with persistent memory?

In general, proofs of security for secure Multiparty Computation are based on Ideal Functionalities. For instance, see Definition 4.1 of this Simulator tutorial.

However, in a regular program in an object-oriented programming language, one deals not only with functions but with objects. Objects have functions, but also have some persistent memory.

It is possible to implement MPC objects. For inst ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.