Latest Crypto related questions

Consider the following modification to the Short Integer Solution (SIS) problem:

Let $n$ be an integer and $\alpha=\alpha(n),\beta=\beta(n),m=m(n)>\Omega(n\log \alpha)$ be functions of $n$. Sample a uniform $A\gets[-\alpha,\alpha]^{n\times m}$. The task is to compute "short" vector $e\in\mathbb{Z}^m$ in the kernel of $A$. That is:

1. $|e| < \beta$.
2. $A.e=0^n$. Here, equality holds over the integers

I am quite new to the study of elliptic curve cryptography and as such I might be asking something with a mundane solution, but I can't easily find such a solution online. My understanding of ECC is that you can generate a private key (some integer $k$), a starting point on the curve ($G$), and a curve equation, and then generate a public key through finding $kG$. My understanding is then that your comput ...

Suppose that $n$ is a power of two, $q=3\pmod 8$, prime and $R=\mathbb{Z}[X]/(X^n+1)$. Denote $\Vert\cdot\Vert$ as the infinity norm in $R_q=R/qR$ on the coefficients of elements in $R_q$. The coefficients are assumed to be in $[-\frac{q-1}{2},\frac{q-1}{2}]$. I'll just cite some facts that I will use in my proof:

1. $X^n+1$ factors into two irreducible factors modulo $q$, where each factor is of de ...

This question is about the serialization of pk, sk, and context in HElib. In my scenario, there are two trusted parties (A and B), these two parties can encrypt the messages and decrypt the ciphertexts.

So, A will send the context, pk, and sk to B. Then, A encrypts the message and send ctxtA to B, B decrypts ctxtA and sends another ctxtB to A. This example is just for explanation.

But it's confusing in ...

In WOTS+ — as described in section 3 of RFC 8391 — public keys, private keys and signatures all consist of $len$ strings with $n$ bytes each, where $len, n \in \mathbb{N}$. Is it safe to use the hash of the concatenation of all $len$ strings as a short public key? Since you just need the message and the signature to compute the (long) public key, the process would be exactly as described in sectio ...

I'm reading the WOTS+ paper, but I'm having some trouble with its notation and specially the involved units. For example, under my interpretation, the parameters n=11, w=16 and m=256 result in a quantum security level of about 81 bits, with a 992 bytes signature length, but that looks incorrect.

To the best of my knowledge, I've made the following script to output public key and signature lengths, and ...

I read Regev's paper in 2005 about Learning with Errors and he mentioned that the secret of a LWE sample is unique but I have not seen a proof of this claim. Can someone point me to a paper proving this claim? Also, for the ring-LWE case, in particular for power of two cyclotomics, is the secret always unique?

I'm writing a paper on Authenticated Key Exchange Protocols. I've read Bellare and Rogway's seminal paper on the subject and I think I understand BR Model and I'm now reading Cenetti and Krawczyk's paper which aims to improve on it. I'm confused as to how the CK model is an improvement of the BR. As mentioned in the appendix of the CK paper, the BR paper phrases their analysis in terms of oracles. They m ...

From the WOTS+ paper:

Furthermore, W-OTS+ uses a family of functions Fn : {f_k : {0, 1}^n → {0, 1}^n | k ∈ Kn} with key space Kn. The reader might think of it as a cryptographic hash function family that is non-compressing. Using Fn we define the following chaining function.

I do not understand the meaning of this paragraph. My interpretation of it is that I need a family of n n-bit pseudoran ...

I just found a project that used XSalsa20Poly1305 for transit and encryption at rest. I am trying to find some information if that is something worth trusting data to.

It feels a little hard to put the information I found into context. I read that a Poly1305 (MAC) with (a good number of rounds of) Salsa20 (cipher) can be an alternative to AES.

1. Is there a significant advantage of using XSalsa20Poly1305?

In BGV12(Fully Homomorphic Encryption without bootstapping), they investigate the efficiency of a FHE scheme by considering the per-gate computation overhead of the FHE scheme, defined as the ratio between the time it takes to compute a circuit homomorphically to the time it takes to compute it in the clear. I wanna know what means compute a circuit homomorphically and compute it in clear?

Thank you ...

How can representation theory be used in cryptography and/or coding theory?

I am studying a MSc in pure mathematics and I am currently working on things related to biset functors, but cryptography and coding theory are some of my interest areas. I know that classical representation theory (complex character theory) can be applied in group codes, but I haven't found anything related to biset funct ...

We have seven different keys derived from DH key and nonces via PRF in IKEv2 as skd, skai, skar, skei, sker, skpi, skpr. Why different keys are generated for initator and responder for encryption? What are the explicit usage of different keys derived from SKEYSEED in IKE?

For example, ska and skp are defined as "a key to the integrity protection algorithm for authenticating the component messages ...

I've just learn about NOTS, a quantum-resistant signature scheme based on hash functions that claims to have much shorter signature and key sizes. Is this signature scheme known to be secure? From looking at the paper, I'm suspicious about the way it uses modulus of indices (couldn't an adversary just generate a hash with the same char counts?). Is it legit?

The string is encrypted with the following properties (using C#):

myAes.Mode = CipherMode.CBC

myAes.KeySize = 128

myAes.Padding = PaddingMode.PKCS7

myAes.BlockSize = 128

myAes.FeedbackSize = 128

Key: 5753B8AA97BE5B5D9584864DF3134E64

This is my decryption function:

int AESdecrypt(unsigned char *ciphertext, size_t ciphertext_len, unsigned char *key, unsigned char *iv, unsigned char *plaintext)
  {
    ...