This says $f_n$ is memory hard if, for any space $S$ and time $T$, $S\cdot T \in \Omega(n^2)$.

My questions:

• What is $S$? Space? E.g. bytes of available memory?
• What is $n$? Bytes of requested memory by the memory hard function?
• What is $T$? Number of rounds?
• How good is this definition? E.g. how tight is it? E.g. $\Omega(n^2)$ is asymptotic lowest bound, but I guess not all functions that ...

So, the question is, a commitment scheme on elliptic curve is given.

Initialisation phase:

1. There is an elliptic curve EC, generator point $G$ over $GF(p)$, which creates a group, and random prime number $e$.
2. Choose an $x$.
3. Calculate $M = x \cdot G$.
4. Calculate $M' = e \cdot M$.
5. Extract $xM$, where $xM$ is an $x$ coordinate of $M$.
6. Calculate $H = xM \cdot G$.

EC, $G$, $e$ are public parameters, $x$

In NSA's FAQ on Quantum Computing and Post-Quantum Cryptography, it is mentioned as

Q: Should I use a QKD system to protect my NSS from a quantum computer?
A: No. The technology involved is of significant scientific interest, but it only addresses some security threats and it requires significant engineering modifications to NSS communications systems. NSA does not consider QKD a practical securit ...

I posted a question recently about whether a celestial body could be used in cryptography. I got many fantastic responses explaining how the celestial object could be used to generate a common reference string.

My follow up question is then: if it were possible and feasible to use a celestial object to allow two parties to communicate securely, would this only be of academic interest perhaps for gov ...

I am studying on cryptanalysis of WhatsApp software. I know this is secure software but I want to present a documentary on this topic as a seminar at the university for applied mathematics students.

As you know, WhatsApp is based on the Signal protocol, and for this reason, I first focused on the structure of this protocol. The first document I studied was this master's thesis.

The advantage of thi ...

Most hash functions are designed to be fast in conventional processors, but there are contexts where machine integers either don't exist, or aren't the most efficient option. For example, zk-snark circuits don't have these, and brainfuck has only increment and decrement. If you needed fast hash functions on these environments, it is unlikely that sha2/keccak/blake would perform better than something des ...

I have been studying on algebraic methods on cryptanalysis of block ciphers. This is where I am reading from currently

I need some help to understand Attack C.

Excluding equations from the first r rounds till which the differential characteristic holds, we are just left with the SBox equations and one constraint from the input difference to the $(r+1)^{th}$ round S Boxes as a consequence of the r ...

Background

MuSig is an extension of/derivation from Schnorr signatures using cyclic groups on elliptic curves. In the original paper, the authors point out that naive multi-Schnorr is vulnerable to a rogue key attack:

Given $\Bbb G$ is a cyclic group of prime order; $g$ is the generator point; $H$ is a hash function; $m$ is the message to sign; and there are $n$ participants:

Let $L = \{ X_1 = g^{x ...

let we have sbox s: Vn -> Vn.

If we make LAT table for s, fix any row and get a sum by columns, that sum would be $+-2^{n-1}$.

And vice versa, if we fix any column and get a sum by rows, that sum would be $+-2^{n-1}$ too. Why is it so?

Element in "a" row, "b" column of LAT is $#{<a, x>=<b,s(x)>} - 2^{n-1}$. Where <,> is scalar product.

Sum is a sum of integers that are in one m ...

Let it be $K$ a key generation algorithm which takes $(k,d)$ as input with $k$ as the bit length for $n=pq$ with $p,q \in \mathbb{P}$ and $d=|p-q|$ as the minimum distance between $p$ and $q$ (RSA). What would be the security parameter $1^\kappa$?

Would it be $\kappa=k+d$ or only $\kappa=k$ and if it were the case on what would it depends?

I searched the following links and could not find an answer to  ...

We have a use case of tokenising the credit card information and returning a tokenised value after preserving the format.

Ideally this should be one way, and following a FPE might not be the best solution. Pls suggest what best solution can be provided here.

If it were possible to receive a string of numbers from a celestial object (by anyone on the Earth who knows which object to look at, and what time to look) could this be of any use in cryptography?

Or would it be useless, because if a bad-actor knew which object you were looking at and at what time, they could find the key?

Let's start with what I mean by cryptographic random beacon (RB). A RB is a protocol among some parties who generate a random value all together such that:

1. these parties do not trust each other
2. the result is publicly verifiable (anyone can verify the result is correctly generated by the protocol)
3. The output is unbiasable: No party can make a bias in the result.
4. the result is unpredictable: no body can p ...

I had the idea of storing large amounts of data in a small space using a Merkle tree. But from what I understand about Merkle trees is you cannot extract the data from the Merkle root (since hashes are not reversible). Though I wonder, is there a way to use an encryption algorithm that gives a fixed output length like how we use hashes in Merkle trees? I know my question is hard to understand but lookin ...