Latest crypto-related questions

Score: 0
Eirtaza
How to securely save an Ed25519 private key on a hard drive

I am developing an application which stores the user's private identity key (Ed25519) on the user's hard drive without any security.

What are the best practices / standards for saving a private key on a hard drive, so that even if the filesystem is hacked, the keys are secure?

Score: 0
Deterministic data masking

We are building out a data masking framework, mainly to mask PII. Our scale is pretty large, and masking will be done at ingest time, so we want the masking to be done in a very performant manner. Some of the constraints we have are that we would like the masking to be deterministic and reversible. I have looked at AES encryption to encrypt PII, especially AES-SIV; on my MacBook, it takes around ~2 millis ...

Score: 1
Hormoz
Disparity between PyNaCl docs and libsodium docs

So if we look here, it shows that libsodium uses three different algorithms for this, which sounds weird to me, because nothing indicates that anything besides Curve25519 is used in those specific functions (the boxes specifically take private and public keys, and nothing indicates there is any key generation for XSalsa20):

https://doc.libsodium.org/public-key_cryptography/authenticated_encryption#algo ...

Score: 1
mdmb
E2EE with passwords at login?

Imagine a scenario:

  1. Alice and Bob want to use a platform where they log in using email and password. The platform can be accessed on desktop and mobile devices.
  2. Alice would like to store encrypted information in a database or send encrypted files to an S3 server.
  3. Bob will be able to fetch this encrypted information (data + files) if the server allows it (Alice granted Bob access to this data).
  4. Both Bob an ...

Score: 1
Verifiable Delay Function: Trusted Setup

The Efficient Verifiable Delay Function paper suggested that there are two ways to construct the group. One of them requires a trusted setup, in the sense that whoever constructs the RSA group of unknown order needs to destroy the factors; otherwise a fake proof can be constructed.

Another way is to use a class group of an imaginary quadratic field. However, the paper didn't give an example of how it can be used. Is ev ...

Score: 2
Irad Nuriel
Identifying the cheater in (3,5)-Shamir's secret sharing

The problem I'm trying to solve: identifying the cheater in (3,5)-Shamir's secret sharing when we can see only the 3 shares that were given to the system in the secret reconstruction process, and we can question the 3 people who inserted the shares into the system (they don't know what the other people inserted). Also, we have no knowledge about the correct secret, but we do know the wrong secret.

 ...

Score: 1
Gennaro & Goldfeder Key Generation Protocol

As I am going through the “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” paper by Gennaro & Goldfeder, 2018, I am stumped by the key generation protocol (Sect. 4.1, p. 10):

Clip of the key generation protocol from Gennaro & Goldfeder, 2018

In Phase 1, they create a (commitment, decommitment) pair using a commitment scheme. Earlier in the paper, they mention that “in practice one can use any secure hash function H and define the commitment to x ...

Score: 1
chang jc
Encryption algorithm with a vector key where the error is proportional to the difference between the input key and the real key

I want to find an encryption algorithm which provides the functionality described below.

Given a key (a vector Vkey) and data (an image), use this key to encrypt the image; the encrypted image cannot be identified after encryption.

When decrypting, if:

  1. using a key = Vkey to decrypt, the decoded image is the same as the original one without error.
  2. using a key = Vkey_1, and diff(Vkey, Vkey_1) < threshold, ...

Score: 0
Verifying Merkle root correctness without completely reconstructing the tree

Let's say Alice has a list of values, and Bob sends Alice a Merkle root that he claims is for this list of values. The Merkle tree construction algorithm is mutually known, of course.

Alice can then pick arbitrary values from the list and ask Bob for their Merkle proof.

Let's say Alice wants to avoid constructing the whole tree to verify Bob's Merkle root. How sure can she be that Bob's Merkle root is ...

Score: 1
Rafa
Does the bit-generated password from QKD protocols need to be converted to another base?

I am currently implementing some QKD protocols using Qiskit and I came up with the following question: after the protocol is finished, a true random password is generated using 0s and 1s; however, and here is my question, do these passwords need to be converted to another base? Maybe hexadecimal? Or are they used as they are?

What I mean by used is using them, for instance, as a key for the one t ...

Score: 1
rzxh
SS/HE/GC/OT secure integer comparison

I have been reading some papers to find a 'faster' way to compare two integers without revealing their real values. But I think I'm a bit lost in those papers due to my limited knowledge of cryptography. There are some papers comparing the efficiency of HE-based / GC-based / OT-based protocols, for example https://eprint.iacr.org/2016/544.pdf by Geoffroy Couteau (still a bit hard for me to understand th ...

Score: 5
kentakenta
Zero-Knowledge Proof of Equality between RSA Modulus and Prime Order Group

Assume there is an RSA public key $(e,n)$ such that the factorization of $n$ is unknown to both prover and verifier parties. We also have a prime order group $G$ and a generator $g$ for the group. For $m\in QR_n$, is there a zero-knowledge proof protocol to prove that $C_1=m^e$ and $C_2=g^m$, for public values $(C_1, C_2, e, n, g)$?

Score: 6
Bob
Why are elliptic curves over binary fields used less than those over prime fields?

In practical applications, elliptic curves over $F_p$ seem to be more popular than those over $F_{2^n}$. Is it because operations over prime fields are faster than those over $F_{2^n}$ for the same security level?

Maybe it is my imagination. I just see many more open projects using elliptic curves over $F_p$ but not as many over $F_{2^n}$.

Score: 3
jacobi_matrix
Uniform and Non-Uniform PPTs

While reading the paper

I stumbled upon a case in which it was necessary to state whether the authors were assuming uniform or non-uniform attackers. As far as I know, non-uniform PPTs are basically a sequence of PPTs, so $\mathcal{A}=\{\mathcal{A}_1,\mathcal{A}_2,\dots,\math ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.