Latest Crypto related questions

Score: 0
vxek
How to factor $n = p \cdot q$, where $p,q$ are primes, knowing a multiple of $\mathrm{lcm}(p-1, q-1)$?

I was reading this post https://senderek.com/SDLH/ about Shamir's hash function, which is defined as follows:

Let $p,q$ be positive prime integers and let $n=p\times q$. Let $\ell = \mathrm{lcm}(p-1, q-1)$. Find $g \in (\mathbb{Z}/n\mathbb{Z})^*$ such that $\ell$ is the smallest positive integer for which $g^\ell \equiv 1 \bmod n$, i.e., $\ell$ is the order of $g$ in $(\mathbb{Z}/n\mathbb{Z})^*$.

Score: 1
umityigitbsrn
Why is the set membership symbol (∈) used in the formal differential privacy definition?

In The Algorithmic Foundations of Differential Privacy (Dwork, C; Roth, A), the formal definition of differential privacy is given as:

"The randomized algorithm $\mathcal{M}$ with domain $\mathbb{N}^{|\mathcal{X}|}$ is $(\epsilon, \delta)$-differentially private if for all $\mathcal{S} \subseteq \mathrm{Range}(\mathcal{M})$ and for all $x, y \in \mathbb{N}^{|\mathcal{X}|}$ such that $\|x - y\|_1 \leq 1$: ...

Score: 2
CryptoGuru
How does padding in RSA prevent existential forgery attacks in RSA?

I am trying to understand how adding padding like the PKCS#1 v1.5 RSA signature scheme can prevent the existential forgery attack in RSA. Is it just by changing the structure of the message?

Score: 0
Rohit Khera
LMS signatures: Complexity of Classic Merkle Tree Traversal

I'm trying to understand the complexity of computing the Merkle root for stateful hash-based signature schemes. Section 4.1 of the chapter on hash-based signatures in "Post Quantum Cryptography" by Bernstein, Buchmann and Dahmen (Springer Berlin Heidelberg) states:

($H$ in the following excerpt is the height of the Merkle tree, and $N$ is the number of leaf nodes such that $H = \log_{2}(N)$) ...

Score: 0
Abol_Fa
What would be the use of such hash function definitions? What would be the input of these functions?

$G$ is an elliptic curve group with order $q$, and three hash functions are defined as follows: $$ H_1: \{0,1\}^*\times G \rightarrow Z^*_q $$ $$ H_2: \{0,1\}^*\times G \times G \rightarrow Z^*_q $$ $$ H_3: \{0,1\}^*\times Z^*_q \times G \times G \rightarrow Z^*_q $$ I searched and found this question and as far as I understand $ H_0: \{0,1\}^ ...

Score: 1
Harold
Does anonymous authentication based on ZKP have better unlinkability?

I am confused about whether/how a ZKP-based entity/message authentication scheme can achieve identity privacy, especially unlinkability. The security properties I'm looking for in the scheme are authentication (identity proof), such that the prover can prove it has some kind of identity so that it is allowed to be in the communication; and identity privacy, such that the real identity is hidden and differe ...

Score: 0
Dee
Which P-256 is in Web Crypto?

Web Crypto API allows creating ECC keys with some known curves: https://developer.mozilla.org/en-US/docs/Web/API/EcKeyGenParams

Those are P-256, P-384, P-521.

However, as answered in this answer https://crypto.stackexchange.com/a/30273/99862

There are secp256k1, and secp256r1, and maybe more?

Which is the exact P-256 implemented by Web Crypto API?

Score: 1
Bob
Is it secure if I disclose an element equal to 1 modulo p in Zn?

Let $n = pq$, where $p,q$ are two large primes; then $\mathbb{Z}_n^*\cong \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. We disclose $n$ and keep $p, q$ secret. Is it secure if we disclose a random element $a$:

$a\in \mathbb{Z}_n^*$, $a \equiv 1 \pmod p$

That is, to disclose a randomly chosen element in $\langle 1\rangle \times \mathbb{Z}_q^*$? How to prove it?

Score: 2
Dattier
Quickly find the cardinality of an elliptic curve

Let $(E:y^2=x^3+ax+b)$ on $\mathbb F_q$, with $q \bmod 2 = 1$.

If $\gcd(3,q-1)=1$ and $a=0$, then it's easy to find the cardinality of the curve $E$ : $|E|=q$.

Are there other conditions on $(q, a, b)$ for which it is easy to find $|E|$?

Score: 1
Andrew
Usage of tweakable hash functions in SPHINCS+

In the SPHINCS+ paper (https://sphincs.org/data/sphincs+-paper.pdf), part 3.2, it explains that they are not using L-trees as a direct consequence of the use of tweakable hash functions.

I have read the tweakable hash function part, but the math made me so confused. Can you explain to me the difference between the usual WOTS+ and the WOTS+ used in the current SPHINCS+? Is there a difference in the ...

Score: 1
jrzhu
Can BDOZ and SPDZ implement secure 2-party computation?

Consider that P1 has value x, P2 has value y, and they want to compute x+y without telling the other what he has, so P1 and P2 secret-share their values with each other. Now P1 gets x1 and y1, P2 gets x2 and y2, and they locally compute xi+yi. If P1 wants to compute x+y = (x1+y1)+(x2+y2), P2 needs to send x2+y2 to P1, but P1 can get x2 by computing x-x1, thus P1 can get y2 and then get the value y, which is ...

Score: 1
eli yablon
Plaintext Multiplication in BFV

In this paper I'm reading (specifically section 3.1), the authors say that the BFV encryption scheme supports plaintext multiplication, which basically means that given a ciphertext, $c$ that is an encryption of a plaintext $p_1$ and a plaintext, $p_2$, one can easily compute an encryption of $p_1 \cdot p_2$. What's more, this can be done without the evaluation key. How exactly does this "plainte ...

Score: 5
RobinLinus
How fast is Factorization reduced to a Discrete Logarithm?

Given an RSA modulus $n$, which is the product of two safe primes: \begin{align*} P &= 2p + 1 \quad\quad\quad Q = 2q + 1 \\ n &= P \cdot Q = 4p q + 2 p + 2 q + 1 \end{align*} The hidden group order is then \begin{align*} \Phi(n) &= (P-1)(Q-1) = 4p q \end{align*} Choosing some random element $z \in \mathbb{F}_n^*$, then most likely $z^4 \in C_{p q}$ (the subgroup of $\mathbb{F ...

Score: 1
kiiro
XChaCha20-Poly1305 vs Plain ChaCha20-Poly1305 performance

I know that the security of both is the same (only the nonce size is different). But which one is faster and better to use when encrypting a lot of files (500+, from 1MB to 200MB)?

Score: 3
user10002393
Details about blind signature on ed25519

Recently, I started looking for details about implementing a blind signature on ed25519. I saw this article https://stan.bar/blindsig/ by Stanislaw Baranski about it. In the first point, it says that Bob generates a random number (nonce) $k$ in the range $(1, q-1)$, computes $r=k \times G \pmod p$ and sends $r$ to Alice.

Now, how safe it is to make $r$ public and to sh ...

Score: 2
Muhammad Awais
What is the effect of solving the short integer solution problem in Dilithium or any other post-quantum signature scheme?

I am trying to understand the post-quantum signature scheme Dilithium. I know what the hard problems in the scheme are, but I am having trouble understanding the utilization of the short integer solution problem in the scheme. Specifically speaking, I can't understand exactly where this problem is used in the scheme. Also, what would happen if someone finds a solution to this hard problem, besides fi ...

Score: 2
anand
Create a new signature from existing DSA signatures

Is it possible to generate a new valid signature for some arbitrary message using DSA if we know existing signatures for the same message? We are an adversary, therefore we do not hold the private key, but we have access to a couple of signatures for the same message, say $(r_1, s_1)$, $(r_2, s_2)$.

Score: 1
hasin
Block cipher decryption

I have coursework for university.

The question is:

1

My solution to the question is:

    P||R = D(K,C)

However, in the question it doesn't say we are given R so I'm not sure how to get P from P||R.

This could be because my understanding of concatenation is incorrect as I see it as simply adding the nonce to the plaintext.

If what I have done looks correct please let me know, otherwise any help on  ...

Score: 3
Ulysses Zhan
How to create an encryption such that we need two keys to decrypt, while one key is derivable from the other if I have the secret

Suppose I have some plaintext $M$, and I want to have some process $f$ to make ciphertext $M':=f(M,s)$, where $s$ is some secret. The ciphertext $M'$ can be decrypted by using some decryption process $M=g(M',k_1,k_2)$, where $k_1$ and $k_2$ are two keys, and $k_1$ is a random key (cannot be controlled, such as the current time), and $k_2$ can be generated from $k_1$ by using the secret, i.e. $k_2=k ...

Score: 2
P_Gate
Question on the proof of correctness in CRYSTALS-Kyber

I am currently trying to follow the proof of correctness in the CRYSTALS-Kyber paper. The following is an excerpt of the proof:

Excerpt of the proof; for the original see the source above.

• On the one hand, I am interested in how exactly one justifies/argues that $\mathbf{y}$ is pseudorandom, based on the MLWE assumption. About the difference $(\mathbf{y} - \text{Decompress}_q(\text{Compress}_q(\mathbf{y},d),d))$, I think of it as $(\mathbf{y} - \text{inaccuracy})$ ...

Score: 1
Rahul Parthe
How to achieve encryption at a single source and decryption at multiple locations using an asymmetric scheme?

I need an encryption scheme where a single source/location can encrypt using their private key, while anyone with access to the corresponding public key can decrypt it. It has to be asymmetric to avoid anyone else deriving that private key and pretending to be that source. For example, a government issues an encrypted document that anyone authorized with the issued public key can decrypt. But ...

Score: 2
Jeffrey
Why can't RSA signatures be forged algebraically?

Compute $n = pq$ where $p$ and $q$ are prime. Fix $e$ to be coprime to $\phi(n)$. Compute $d = e^{-1} \pmod n$ and verify $ed \equiv \phi(n) \pmod n$. We sign the (hash of a) message with $s = h^{d}$. A verifier computes $s^e = h \pmod n$. Why can't an attacker fix $h'$ and solve ${s'}^e = h' \pmod n$ to forge a signature $s'$ for a given $(n, e)$? What assumption tells us this computation is hard? If ...

Score: 1
Andrew
How does signing with FORS work in SPHINCS+?

I was reading the SPHINCS+ paper and got confused in the signing with FORS (forest of random subsets) part.

I understand how we can sign a message using FORS but I couldn't understand how we choose the corresponding WOTS+ key to sign the FORS root node with.

If we are going to choose only one of the XMSS trees in the bottom layer, does that mean the remaining trees are going to be redundant?

Here is the diagram from the SPHINCS+ paper showing the hypertree:

Score: 0
CryptoGuru
What is a website's private signing key used to sign?

I am trying to understand digital signatures and digital certificates. I know that digital certificates verify a server's public verification key but what does the website's (client) private verification key sign?

Score: 0
Zarquan
Oblivious Decision Making

Suppose there is a ciphertext $C_1$ that hides message $m_1$ using a distributed additively homomorphic public key. I would like the holders of the key to run a protocol where if $m_1 = 0$, then it will return a ciphertext of $0$, but if $m_1 \neq 0$, then it will return a ciphertext of $1$. However, I would like this done without the key holders knowing whether $m_1 = 0$. I am assuming that there  ...

Score: 1
Ergo
Stream cipher padding

Problem example

Let's say I have a plaintext with a length of 50 bytes. I want to encrypt it using the stream encryption algorithm ChaCha20-Poly1305.

Poly1305 generates a 128-bit tag (16 bytes), so the encrypted message will be of length 50 + 16 = 66... If I append the nonce to it (12 bytes), it'll be 78 bytes.

But... When I add, for example, 1 more byte to the plaintext, the ciphertext will be of length 79 bytes (+1) ...

Score: 1
zjmo avatar
How much computation it takes to crack a PBKDF2's secret salt when the passphrase meterial has been leaked
mu flag

Given the following code, extracted from a BIP39 implementation for Android by Zcash:

PBKDF2SHA512(
    passphrase = veryHighEntropy secret bytearray,
    salt = potentiallyLowEntropy secret bytearray,
    iterations = 2024,
)

What happens if the passphrase gets leaked? Is the total entropy of the hash reduced to the entropy of the salt?

If I understand correctly, the secret salt should function as a ...

Score: 0
August H
How are arbitrary boolean gates constructed in homomorphic encryption using only addition and multiplication?

I've recently become interested in homomorphic encryption, specifically how boolean gates are constructed to do arbitrary circuit arithmetic on the encrypted data without decrypting it.

I have heard that all you need are arbitrary addition and multiplication operations to construct arbitrary boolean gates that can operate on the ciphertext, specifically NAND gates, which are functionally complete.

Score: 2
wick
Interactive proof of possession of a signed message

Suppose Alice has a verifiable (message, signature) pair from Cedric, who would not cooperate and routinely uses an algo (ecdsa, eddsa, rsa, or insert yours here) to sign messages.

Alice wants to interactively prove to Bob she has that (message, signature) pair with the valid signature, obviously. It doesn't have to be "zero-knowledge" - she might divulge bits and pieces, but it shouldn't be less har ...

Score: 0
imamangoo
Defending against MITM attacks during key exchange

As far as I know, key exchange algorithms are vulnerable to an active MITM attack.

Let A (Alice) and B (Bob) be parties with no secret information. An adversary C playing man-in-the-middle interacts with A pretending to be B, and interacts with B pretending to be A. At the end, C establishes a separate channel with A and with B. Then, any message sent by is decrypted by C (using the key generated with ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.