Latest Crypto related questions

Score: 0
Seewoo Lee
Simple question about BGV scheme

While I'm trying to implement the BGV scheme myself, I found that I'm really confused about the encryption and decryption of the scheme. Here's my understanding:

Let $p$ be a plaintext modulus and $q$ be a ciphertext modulus (they are coprime). Let $\mathbb{Z}_{m} = (-m/2, m/2] \cap \mathbb{Z}$ be the fixed set of representatives modulo $m$ and $[\cdot]_{m}: \mathbb{Z} \to \mathbb{Z}_{m}$ be modulo  ...

Score: 1
Why is factorial used in Pollard's $p - 1$ algorithm?

Why exactly do we use factorial for finding an $L$ which is divisible by $p - 1$?

Pollard's algorithm is about B-powersmooth numbers & not B-smooth numbers. So where exactly does the factorial come in? Factorials aren't done by powering anything - it's just a multiplication of numbers without any exponentiation.

I am referring to Pollard's $p - 1$ algorithm as covered in Silverman's Mathematical C ...

Score: 1
Diana
How are the points computed in the ElGamal elliptic curve encryption algorithm?

I was looking at an example of the ElGamal encryption operation here (page 24), but I can't seem to understand why: $$\beta = 3(10, 3) = (10, 8)$$

Score: 1
Chenghong
Zero-knowledge proof of committed value

I am considering the following questions and would appreciate any help.

Problem formulation:

Suppose Alice holds a secret value $x$ and there is a public Boolean predicate function $\texttt{Pred}$ that applies to $x$, $\texttt{Pred}: x \rightarrow \{0,1\}$. A sample predicate function can be whether the input $x$ is in a certain range or not.

Now Alice computes $y\gets\texttt{Pred}(x)$, but instead  ...

Score: 1
Coin tosses in the context of commitment schemes

I was reading the “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” paper by Gennaro & Goldfeder, 2018 and I encountered this portion (Sect. 2.4, p.6):

Portion of the paper that talks about Com protocol

This excerpt leaves me slightly confused. First, there’s seemingly a mismatch (a typo?) between r and R — or is it that R is the set from which r is sampled? Second, most important, what are these coin tosses? There’s no men ...

Score: 0
JamesTheAwesomeDude
Can Merkle signatures be leveraged for key exchange?

A Merkle signature scheme is post-quantum-suitable as it relies only on the security of a one-way function. However, this construction seems to only be capable of authentication, and not confidentiality.

Is there any cryptographic protocol enabling key exchange via a Merkle scheme -- that is, without relying on weaker assumptions that might be broken by future cryptographers with a quantum compute ...

Score: 9
AleksanderCH
How did law enforcement decrypt messages of ANOM devices?

Wikipedia:

The ANOM sting operation was a collaboration by law enforcement agencies from several countries, running between 2018 and 2021, that intercepted millions of messages sent through the supposedly secure smartphone-based messaging app ANOM. The app was covertly distributed by the United States Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP), with law enforcement ag ...

Score: 1
Don Freecs
Is it efficient if a blockchain uses double hash algorithms $H_1$ and $H_2$?

I wonder whether it is efficient to use a less strict target condition and double hash algorithms with different targets (or the same target with different hash algorithms) and one nonce in a block.

Example

Target 1 for Hash1 H1 is 3 zeroes, 000F543D... Target 2 for Hash2 H2 is 4 zeroes, 0000FSDF...?

Score: 2
nonmerci
Differential cryptanalysis to ciphertext-only attacks on xxTEA

In my IoT project, I use the xxTEA encryption algorithm to encrypt my data. I use the same encryption key for all my packets because I don't have the possibility to do a key exchange between Alice and Bob.

I want to know how many packets it would take to deduce my key. I looked at the paper by Alex Biryukov named "Differential cryptanalysis to ciphertext-only attacks" (https://link.springer.com/cont ...

Score: 1
NB_1907
Under which conditions is a certificate required for IKEv2?

In the IKEv2 document, there are expressions such as [CERT,] or [CERTREQ,] in the parts of the IKE_SA_INIT or IKE_AUTH exchanges. In this notation, brackets indicate that the item is optional. I didn't see expressions such as CERT or CERTREQ without brackets in the document. Is a certificate always optional in IKEv2? Under what conditions is it useful? Is it related to the preferred authentication method of IKEv2?

Score: 1
qwesdad
Homomorphic encryption key switching

I understand the general idea of key switching, but I would like to know when it is used. Sometimes it is referred to as the same thing as relinearisation (after multiplication), but is key switching also used when rotating (batched ciphertexts)? If so, how similar to each other are the different key switching situations? I am interested in the most popular schemes (BFV, BGV, CKKS).

Thanks for help!

Score: 2
Is the polynomial system representation of a symmetric cipher overdetermined?

Is the representation of the polynomial system of a symmetric cipher overdetermined?

Score: 1
What kind of encryption is this?

Hey can someone please tell me what kind of encryption this is? This is not the whole encrypted code but you should still be able to tell what it is from the structure.

HC1:6BFOXN*TS0BI$ZDFRH5+FPWF9EIZ.0769Y3S3XHP+56R5-F9/17BOMEY4/OBMMD/GPWBILC9GGBYPLR-SNH10EQ928GEQW2DVJ5UL8W2BM8Q.L8SNCYNAK+FA7E7:4N3IK/4S1ARO4R48/3987CGSK37F/HS$*S-CK9B92FF9B9LW4G%89-8CNNM3LK.GVD9O-OEF82E9GX8$G10QVGB3O1KO-OAGJM*KIE9MI ...

Score: 2
VDF / RSA groups

I believe I am overthinking it; however, I need to clear out my doubts.

What exactly are RSA groups, and how is their order unknown? I know that in RSA, N is computed by multiplying two prime numbers (p and q) and it is hard to find p and q given N. Is N what is called the RSA group?

In VDF they use unknown order of RSA group; however, N is public.

Score: 0
Existential unforgeability of a separately signed message

Assuming I have a valid signature scheme, and modify it like:

m = m0 || m1, and output Sign(sk, m0) || Sign(sk, m1).

While it is correct, would this violate existential unforgeability?

Score: 0
opposite-people
Private key encryption that is not CPA secure

I've been learning about different types of encryption schemes in class and I was wondering if it's possible to create a private-key encryption scheme that is multi-message secure but is NOT CPA-secure?

It seems that CPA security implies multi-message CPA security, but what about the other way? For example if given a private key multi-message secure scheme what changes would need to be made to ensure i ...
