Latest Crypto related questions

Score: 1
Cisco Saeed
How to use Double Compression point with scalar Double-and-Add in Elliptic curve

Referring to this paper (Khabbazian Paper), I am trying to use double point compression in scalar multiplication, for example double-and-add with k=27, which needs to reduce the number of multiplications. For example, the scalar double-and-add algorithm consumes 4 doublings and 3 additions for P1(3,10), based on this example.

I am thinking of taking two points P1(3,10) and P2(7,12) and compressing them to get P3(x1,x2,y1+y2) P3(3,7,22), which will be ...

Score: 1
qingqingthe
Question about Secure Multi-Party Computation

I am doing research about Non-interactive Secure Multi-party Computation and encounter a dilemma that I am not quite sure if it is possible and wonder if there are better thoughts that could help.

Situation:

There are $n$ parties ($i \in [n]$) and a dealer. The dealer has a number $U$ and weights $w_i (i \in [n])$ and parties have their inputs $x_i$. Now the parties would like to calculate $U - \su ...

Score: 2
constantine
A problem about matrix


I have an idea but I don't know if it will work. For the appropriate $p$ it is easy to find $n$ linearly independent $x_i$. Then we compute the inner product between the $x_i$. I think the information is enough to recover the $\boldsymbol{v_1},...,\boldsymbol{v_n}$, because, by matrix it can be written as $\boldsymbol{X}=\boldsymbol{T}*\boldsymbol{V}$, where $\boldsymbol{T}\in \{-1,1\}^{n \times  ...

Score: 1
librehash
Question about Security of Multi-Signature Scheme

I am a developer trying to follow best practice guidance as established by the IETF for my applications. I was researching standards for ECDSA key generation for some work that I have to do in the blockchain industry.

I am tasked with creating a unique, less complex zero-knowledge based scheme.

RFC Draft Indicating Deterministic ECDSA + EDDSA Signatures Were Still Insecure Without Supplemental Acti ...

Score: 1
Des_lat
Elliptic curve ElGamal cryptosystems

I have been working through a book on cryptography and have recently come across elliptic curves. This particular question has me stumped and the book isn't much help, unfortunately. I was wondering if someone was able to talk me through the process a little better. The question is:

Alice and Bob use

  • the prime p=83,
  • an elliptic curve E: y^2 = x^3 + 5x + c (mod 83),
  • and point P=(3,11) on E.

Alice chose ...

Score: 1
Arqwer
Is it possible to securely encrypt some text with password without a computer?

Encrypting text with a computer has problems: we need to worry about hardware backdoors in processors, motherboards, and extension cards, software backdoors in OS, vulnerabilities in software, and viruses.

Computers are so complex that no single person knows every detail of how they work. It makes it impossible to examine every single part of hardware and software, so we can only hope that the co ...

Score: 1
Can the IV be reused if the key is changed?

I am using AES-GCM-256 to encrypt data in a database, and am using a single key that I salt with a unique random value for each user to encrypt their information. I am using the same IV for all of this.

Is this secure so long as I change the key each time?

Score: 1
TECH HINDER
Which encryption algorithm should I use for encrypting a string

I have a very important string of around 20-40 words. I want to encrypt this string and store it online. Which encryption algorithm will be useful for me?

Score: 2
If SNARKs generally work in finite fields, how are non integer values handled - say fixed point decimal numbers?

In Vitalik Buterin's write-up on SNARKs Quadratic Arithmetic Programs: from Zero to Hero, he writes

Note that the above is a simplification; “in the real world”, the addition, multiplication, subtraction, and division will happen not with regular numbers, but rather with finite field elements

I assume SNARKs are used in blockchains to hide & also verify the transactions. However, blockchain t ...

Score: 2
Benjamin
Fusion auth versus jose4j library for jwt using secp256k

I am a beginner in terms of JWT libraries in programming.

How is the keypair used (secp256k1) related to the algorithmic header used for creation of the JWT?

And why doesn't authfusion need an algorithmic header such as JWSAlgorithm.ES256K (nimbus library) or AlgorithmIdentifiers.ECDSA_USING_SECP256K1_CURVE_AND_SHA256 (jose4j 0.9.0)?

I am confused with these relations, please shed some light over it.

...

Score: 3
Des_lat
Solving Shamir secret sharing schemes

I have been working through the introduction to cryptography with coding theory book and have just come across Shamir secret sharing questions. However I just don't quite think I'm understanding it correctly. The question states:

In a (2,19) Shamir threshold scheme working in modulo 41, there are two shares (2,14) and (4,25). Another share is (3,x) where x is unreadable. Find x, the polynomial and  ...

Score: 1
Archies
Proving that the length-preserving OWF does not have polynomially bounded cycle

Here a cycle is the smallest positive integer such that $f^i(x) = x$. Formally we want to prove that if $f$ is OWF then $\forall p(.)$ and sufficiently large $n$, $Exp(cyc_f(U_n))>p(n)$ where $n$ is length of input.

I understand that by applying Markov's inequality we get that, if $Exp(cyc_f(U_n))>p(n)$ then for every polynomial $q(.)$, we have $Pr[cyc_f(U_n) > q(n) \cdot p(n)] < 1/q(n)$.

Score: 3
Gavriel
Basic, easily implementable (and small code size) algorithm for validating signature/token

I'm looking for some basic algorithm to:

  • generate a code
  • send it to a website,
  • where after payment a token is generated from the code and sent back,
  • where the token is validated.

I'm not sure how to ask in cryptography terms, so I'll explain what I am looking for:

I have an app that runs on a watch. I'd like to display a short code (number or textual string) on the watch, then use this code in a websit ...

Score: 4
Ali Haktan German
NTRUEncrypt proof that there are plenty of keys

In the NTRU algorithm one is supposed to generate a vector which is invertible as a polynomial in both $(\mathbb{Z}/p\mathbb{Z})[x]/(x^n-1)$ and $(\mathbb{Z}/q\mathbb{Z})[x]/(x^n-1)$. But is there a mathematical lower bound on the probability of f being appropriate in that regard?

Score: 1
tonythestark
Honest verifier zero knowledge property for this protocol

This is a zero-knowledge proof that shows x is not a quadratic residue.


I am trying to verify the Honest verifier zero knowledge property.
My steps were these:
Let S be a simulator that does not know how to actually compute NQR(m, .)

  1. Bob will choose a random $s$ and will send a $y$ according to the value of the coin b.
  2. Now simulator does not actually know how to compute b' =NQR(m, y) - and I do not think that  ...

Score: 2
UnpluggedTrio
Elliptic Curve - Is it possible to know whether a particular value is the result of ECadd or ECdouble?

As we know the public key is generated from the private key and the process is point addition and point double and so on. If we see a list, it would look like a list of values coming from ECadd and ECdouble.

My question is,

  • Is it possible to know whether this value is a result of ECadd or ECdouble? (by just looking at the value or in connection with any other parameter in secp256k1 like gx or gy etc) wi ...

Score: 1
frt132
How effective is increasing elliptic curve modulo sizes for quantum resistance?

From info provided by Google:

  1. Lattice based key pair and signature sizes are roughly 12/2 kb and 9 kb, which is much larger than 256-bit ECC key sizes.
  2. The number of q-bits needed to break n-bit ECC can be 6n, but it's also affected by some other factors.
  3. The difficulty level for adding more q-bits to a computer increases exponentially.

Since there could be a long time until humanity builds the 2000+  ...

Score: 1
n-l-i
Does a salted password hash reveal info about the password?

Assume a password is hashed with a secure salt, e.g. hash = sha256(password+salt). If the hash and the salt are made public, an attacker can perform an attack by running possible password candidates through the hash function to try and find the correct password eventually. The assumption here is that if the hash function yields the correct output then it was the correct input, and this is often true  ...

Score: 0
amlwwalker
Sharing encryption key via intermediary without the intermediary having access to the content

Please bear with me... I want to store some data in an untrusted location (a server). I will want to share this with other people. I encrypt the data with AES encryption and a 20 character password. Then, if I know the RSA public key of the people I want to share the data with, I encrypt the password with their public key and upload those to the server also for them to retrieve and access the data at a  ...

Score: 11
Lee Seungwoo
What does 'a reduction is tight' mean rigorously?

As far as I know, when someone says 'a reduction is tight', it means that given that there is an adversary $A$ with advantage $\epsilon$ and running time $t$ and another adversary $B$ utilizing $A$ to solve a problem $P$, the advantage and running time of $B$ are approximated to those of $A$.

But here is my question:

When do we say $\epsilon ' \approx \epsilon$ and $t' \approx t$ exactly? Is there ...

Score: 2
gormatron3000
Hardness of DL in group of Quadratic Residues (product of safe primes)

A protocol I am working with requires $\ell_n$-bit RSA modulus and $\ell_\Lambda$ such that computing $\ell_\Lambda$-bit discrete logs is hard in $QR_n$ (technically $n$ is $\ell_n+2$ bits in the definition of the paper).

Note we have the additional structure that $n$ is a product of two safe-primes $p=2p'+1$ and $q=2q'+1$ so $\operatorname{Ord}(\mathrm{QR}_n)=\frac{\phi(n)}{4}=\frac{(p-1)(q-1)}{4}=p ...

Score: 1
Hern
What is the recommended signature message padding for Ed448 in Bouncy Castle?

Bouncy Castle provides 6 different paddings for padding messages.

However, I am not quite sure which one to choose from.

ISO10126d2, ISO7816d4, PKCS7, TBC, X923, ZeroByte.

Given that the native Bouncy Castle API requires the message to be greater than 114 bytes.

  • What could be the recommended padding to be used to pad the message?

  • What is the strength and weaknesses of each padding?

  • I would want  ...

Score: 1
Jeff
Signing with symmetric crypto and an arbitrator, question from Applied Cryptography book

I've got the 2nd edition, 3rd printing. On page 35 it lists the steps for signing a document:

  1. Alice encrypts her message to Bob with KA and sends it to Trent
  2. Trent decrypts the message with KA
  3. Trent takes the decrypted message and a statement that he has received this message from Alice, and encrypts the whole bundle with KB
  4. Trent sends the encrypted bundle to Bob
  5. Bob decrypts the bundle with K

Score: 2
nitchan
What advantages does FrodoKEM have over other PQCs?

What are the advantages of FrodoKEM over other NIST PQC candidates? Also, have any critical vulnerabilities been discovered so far?

Score: 4
Amit
Does Quantum Key Distribution (aka: QKD) qualify as "Cryptography"?

This may be a polemic question, but since I did read the rules of the site and "terms and definitions" appear to be legitimate subjects, I want to raise this because I find this interesting, and I want to find out if someone can give me a new perspective on the matter.

Historically, Cryptography was not concerned with the communication channel. The whole point of most Cryptographic devices, protoc ...

Score: 1
Michael Cooper
Is it possible to use AES to produce a private ECC key?

I am working with hardware that can store an AES key securely--the hardware can perform AES encryption/decryption using a stored key without revealing the key to the caller. However, I would like to use ECC in my application.

For a single ECC key, I think I can do this by encrypting the ECC key using AES, then storing the encrypted key and nonce in the open, and the AES key securely. Then, at run ...

Score: 0
coder
Double Encryption Problem from Boneh/Shoup Textbook

I am working on the following problem from the Boneh/Shoup textbook: 5.1 (Double encryption). Let E = (E,D) be a cipher. Consider the cipher E2 = (E2, D2), where E2(k,m) = E(k, E(k,m)). One would expect that if encrypting a message once with E is secure then encrypting it twice as in E2 should be no less secure. However, that is not always true.

(a) Show that there is a semantically secure cipher ...

Score: 2
Generic
A random access machine with lots of random data on its tape is a stronger assumption than the existence of OWFs

Suppose we have a random access machine with $(n+1)2^n$ random bits on its tape. This assumption is weaker than assuming the existence of a random oracle, but using this assumption we can construct a PRG and hence a OWF: take a random seed $s \in \{0, 1\}^n$, and output $n+1$ bits, where the $i$th bit outputted ($i=1,...,n+1$) is the $(i-1)2^n + 2^s$th position on the tape. This is trivially a P ...

Score: 1
How to find square root of a point on elliptic curve over finite field?

Using the secp256k1 curve, is it possible to calculate the square root of a point? And if so, what point would I get if the result is not a whole number? For example, let G be the generator point. The square root of 81G should be the point 9G, but for 80G the result is decimal, yet I would get a point over the finite field. In that case what would be the scalar of the point sqrt(80G)? Also the point I want to take the square r ...

Score: 0
princeofmillerovo
Implementation of XSL attacks on block ciphers using dynamic S-Boxes

For those who are not familiar with it: XSL attacks basically focus on deriving a set of equations from the internal mechanics of a block cipher and then solving those equations to recover the secret key.

Also a reason why Camellia is often seen equal to AES in terms of security despite using more rounds.

My question is:

Are block ciphers which utilize dynamic s-boxes such as Twofish immune to XSL att ...
