Latest Crypto related questions

Score: 6
Why are elliptic curves over binary fields used less than those over prime fields?
Bob

In practical applications, elliptic curves over $F_p$ seem to be more popular than those over $F_{2^n}$. Is it because operations over prime fields are faster than those over $F_{2^n}$ for the same security level?

Maybe it is my imagination. I just see many more open projects using elliptic curves over $F_p$ but not as many over $F_{2^n}$.

Score: 3
Uniform and Non-Uniform PPTs
jacobi_matrix

While reading the paper

I stumbled upon the case in which it was necessary to state whether the authors were assuming uniform or non-uniform attackers. For what I know, non-uniform PPTs are basically a sequence of PPTs, so $\mathcal{A}=\{\mathcal{A}_1,\mathcal{A}_2,\dots,\math ...

Score: 4
Quantitative reduction of Schnorr's identification scheme to DLP
fgrieu

Question

I seek a quantitatively better proof of theorem 13.11 in Katz and Lindell's Introduction to Modern Cryptography (3rd edition) (or nearly equivalently, theorem 19.1 in Dan Boneh and Victor Shoup's freely available A Graduate Course in Applied Cryptography). The proof is about the Schnorr identification scheme for a generic group $\mathcal G$ of prime order $q=\lvert\mathcal G\rvert$ and genera ...

Score: 1
Complexity of Hash mining/signing
hola

While reading about mining in cryptocurrency, I found that it requires some leading bits of a hash function output to be 0. This boils down to preimage resistance of the hash function, hence it is done with exhaustive search.

My question: say I have an ideal hash function that gives 128-bit output and I want the leading 4 bits to be 0. What is the expected number of times I have to run it (with randomly chose ...

Score: 2
Parameters in RLWE
Bob

Let $n, q, \sigma$ be the polynomial degree (of $x^n+1$), the coefficient modulus, and the standard deviation, respectively. I often see some parameters such as (image omitted)

For RLWE, we can use the CRT to decompose $\text{RLWE}_{q}$ into some $\text{RLWE}_{q_i}$ for $1\leq i\leq l$, where $q = q_1 q_2\cdots q_l$. Then, when we consider the security of RLWE, should we take $\log q$ or $\log q_i$ into consideration?

Score: 1
CrypTool RSA Features

I am attempting to manually encrypt a plaintext message (message = MI) using RSA.

Manual Encryption of Plaintext Message

I receive an answer of: 33,264 and 21,164.

When I enter the same plaintext into CrypTool to confirm that my calculations were correct, I receive a different answer:

CrypTool Screenshot

What am I doing incorrectly? How can I obtain the same result as CrypTool?

Score: -1
Am I Doing RSA Correctly?

I am trying to figure out how to complete RSA manually. I am trying to encode a simple block message (Mi). I used CrypTool to determine the encryption. When I "manually" computed the plaintext, I obtained a different number than what CrypTool provided. Can someone guide me? Am I doing the manual encryption for RSA correctly?

RSA Manually

Score: 1
How does the password_verify() function get the salt from the password hash stored in the DB?

I am creating a simple Sign up and Sign in form using PHP. At sign-up, I create a hash using the password_hash() function and then store it in the DB. At the time of sign-in, initially what I did was create a new hash using the password_hash() function again and then compare it with the stored password hash.

This failed all the time because as I understand now, a new salt is used every time you creat ...

Score: 1
Can we instantiate VRF without using pairing?
user77340

As far as my survey goes, most (I am not sure if it is "all") of the constructions of VRFs are instantiated with the use of pairing. Can we construct a VRF without using pairing?

Score: 0
Decrypt Ciphertext Using different private key, given knowledge of original private key
retep

A message, m, is encrypted using a private key d.

    p = prime()              # generate a random prime (prime() stands for any prime generator)
    q = prime()
    n = p * q                # RSA modulus; must be defined before computing c
    e = 65537
    PHI = (p-1)*(q-1)
    d = mod_inverse(e, PHI)  # private exponent, the inverse of e modulo PHI
    c = pow(m, e, n)         # ciphertext

Assume all these values are known to the attacker, except for the message (m) and ciphertext (c).

Is it possible to find an alternate value for d such that:

c ^ d_alternative % n == m (the ciphertext decrypts correctly to the message)

And

d_alternative % PHI ...

Score: 1
Finite field Elliptic Curve line intersection
PrincePolka

I want to find the curve points that intersect an arbitrary line, not just a tangent line or a line through curve points. An example:

p = 1303
b = 7

input : arbitrary points : (1, 1),(2, 2)
output : curve points : (319,319),(356,356),(629,629)

(319,319) 319^3+7 ≡ 319^2 ≡ 127 (mod p)
(356,356) 356^3+7 ≡ 356^2 ≡ 345 (mod p) 
(629,629) 629^3+7 ≡ 629^2 ≡ 832 (mod p)

The line should wrap aroun ...

Score: 1
Signal protocol: X3DH
John M.

I've been trying to get a grasp of how the Signal protocol works. According to the spec, DH is done on four keys: IK_A, SPK_B, EK_A and IK_B:

If the bundle does not contain a one-time prekey, she calculates:

    DH1 = DH(IK_A, SPK_B)
    DH2 = DH(EK_A, IK_B)
    DH3 = DH(EK_A, SPK_B)
    SK = KDF(DH1 || DH2 || DH3)

Given that all these four keys are public keys and are announced through untrusted  ...

Score: 1
Verify that x, y coordinates given as hex string are valid points on an Elliptic Curve
factor2

Given the following information:

"curve": "P-256",

"qx": "729C51D177EBE2079A0FB7B0B3C2145159CF81EC61960E642A1744719AA9F913",

"qy": "8C36BCF51475016E614F8C7E0CB1B37C7EA65B4ECCF809852C9B2D0E438710BD"

The above coordinates are supposedly valid as per the test vector expected results:

"testPassed": true

I need to determine if the above public key coordinates are valid points on the curve or not. I have t ...

Score: 2
Gap between DLog and CDH
Ievgeni

Is there any concrete group in which CDH is exponentially easier (even if it's still hard) than DLog?
