Latest Crypto related questions

Score: 2
b degnan
Why would the same cipher structure have a different optimal attack for different bit widths?

I'm going to use the Simon Cipher as an example, but I want to frame the question to be more general. Why would the same cipher structure have a different optimal attack for different bit widths? I would think that structure would be what dictates the attack and not the bit width. SIMON32/64 and SIMON128/256 are virtually identical, with the only differences being key/block widths and round count.  ...

Score: 0
jelu1999
Prove the correctness of the RSA for $GCD(m_i,n)=1$ and $GCD(m_i,n) \neq1$

How to make a proof of the correctness of the RSA encryption and decryption formula for $GCD(m_i,n)=1$ and $GCD(m_i,n) \neq1$ where encryption is defined as $c_i = m_i^e \bmod n$ and decryption $m_i = c_i^d \bmod n$.

So thanks @poncho for giving tips, I wrote the following proof:

Recall that the integers $e > 0$ and $k > 0$ are chosen such that $ed = 1 + k(p - 1)(q - 1)$

It suffices to show ...

Score: 1
JoeJafarTheJenie
How to safely and randomly iterate a key derived from Scrypt?

I'm developing a way to deterministically generate private keys for arbitrary elliptic curves based on some user-input (a brain-wallet). Currently, I'm using the Scrypt password hashing algorithm with robust difficulty parameters to hash a number of input parameters into a key.

The output of Scrypt should be uniformly distributed among $[0, 2^{b})$ where ${b}$ is the number of output bits used from the S ...

Score: 2
ytj_banana
Approximate Modulus Switching in RNS CKKS

I'm new to homomorphic en/decryption. I have two questions regarding this paper: "A Full RNS Variant of Approximate Homomorphic Encryption". I will refer to this paper as 'RNS CKKS'.

Question 1: The multiplication operation of this paper involves modular raise and modular reduction for relinearization. I just wonder what is the purpose of these two operations? In the original CKKS scheme ("Homomo ...

Score: 0
David
Why does no miner add to my block in proof of work in bitcoin?

Suppose I mine a block giving me 10 bitcoin.

Why does no miner build on my (fraudulent) block?

Is there a way for the miner to check, whether every transaction of a block is valid and therefore not build on my fraudulent block?

Score: 1
mti
Secure modification of DSA?

In DSA, we compute the signature $(r,s)$ on $m$ by sampling $k\in\{1,...,q-1\}$ and then computing

$r := g^k \bmod p$

$s := k^{-1}*(m+x*r) \bmod q$

During verification, we compute $v:=g^{m*s^{-1}}*y^{r*s^{-1}}\bmod p$ and then check $r=v \bmod q$.

Question: Would it be fine to leave $k^{-1}$ out from the computation of $s$ (i.e., $s := m+x*r$) and then instead check for $g = v$?

Score: 0
js wang
Correcting threshold in multi-party computation

I am currently reading the paper Graceful Degradation in Multi-Party Computation. The paper mentioned something about correct structure, denoted C = {C1, . . . , Cl}.

On page 10 the paper reads:

Then, if the inconsistencies can be explained with a faulty set C ∈ C, the values from parties in C are ignored.

I am confused about what that could mean.

Score: 0
ezio
What does Euler's theorem have to do with RSA?

In RSA we compute e (encryption key) and d (decryption key) $\bmod \phi(n)$ and not $\bmod n$, so how come when we get the keys and encrypt and decrypt we use $\bmod n$ not $\bmod \phi(n)$ using the following rules:

Encryption: $C =(m^e) \bmod n$

Decryption: $m = C^d = (m^e)^d \bmod n = m^{e \cdot d} \bmod n = m^1 \bmod n = m \bmod n$

I don't understand how come $e \cdot d=1$ even if it's $\bmod n$ not $\bmod phi ...

Score: 0
js wang
A question about masking input then share

I am confused about a simple input-sharing schema.
The schema: a party holds an input x and generates a random variable r.
That party secret-shares r as [r], then distributes it to the other parties.
It then broadcasts x-r to the other parties, and each of the other parties computes x-r+[r] as its share of [x].
What I am confused about here is that if we add up [x], won't it become n-1(x-r)+r?
Thanks in advance

Score: 1
Titanlord
Implementation size of post quantum schemes

I was comparing classical schemes with post-quantum schemes. Therefore I was interested in the round three candidates of the NIST standardization process. So far I know that those post-quantum schemes need much bigger key, signature and ciphertext sizes. Regarding performance, I concluded that the difference is not significant.

Now I was wondering, how the size of the implementations differs. I thou ...

Score: 0
Maarten Bodewes
Meaning of the term "irreversible" for hashing

I was in an interesting discussion with Jon Skeet on StackOverflow. He indicated that hashes are irreversible, but he extended this to non-cryptographic hashes. A hash function has a specific output size while the function can handle any sized messages. So if you argue from that point of view, a hash is always irreversible as there are many messages that have the same hash.

However I wonder if th ...
