Latest Crypto related questions

I have to write an essay on the paper ad hoc multi-input functional encryption, and can't understand the security definition. In a nutshell it is a primitive that allow sources to supply encrypted data, such that at any point a dynamically-chosen subset of sources can allow an agreed-upon joint function of their data to be computed by the aggregator.

Syntax description:

Security definition:

I ...

Definition of XOR-Universal hash functions by Abidin[1]:

A class $H$ of hash functions from $M$ to $T$ is XOR-Universal$_2$ ($XU_2$) if there exist at most $|H|/|T|$ hash functions $h$ $\in$ $H$ such that $(h(m_1) = h(m_2$) $\oplus t)$ for any two distinct $m_1$, $m_2$ $\in$ $M$ and any $t \in T$.

If there are at most $\epsilon|H|$ hash functions instead, for $\epsilon > 1/|T|$, the class $H$

When multiplying polynomials from $\mathbb{Z}_q[X] / (X^n-1) $, the discrete NTT is used because: $$ f \cdot g = \mathsf{NTT}_n^{-1}\left( \mathsf{NTT}_n\left(f\right) * \mathsf{NTT}_n\left(g\right) \right) $$ However, in virtually all schemes I've seen the negacyclic convolution is used - the ring is $\mathbb{Z}_q[X] / (X^n+1) $ and a trick is used to compute $\mathsf{NTT}_{2n}^{-1}\left( \mathsf ...

Are there any functions f, g and h, such that:

1. f is one-way and is used to generate an encrypted message c when applied to message m with a public key (c = f(m, N))
2. Original message m can only be obtained from c in polynomial time (decrypted) if a private key (k) is known
3. A new encrypted message (c') for a desired receiver can be generated (function g) with the original encrypted message c, public key  ...

Does there exist an encryption algorithm that can ensure that given an input it will generate a ciphertext in a way that will always satisfy a fixed polynomal ?

I can be flexible in the input side but the output side should be fixed to a finite or infinite set of vectors that satisfy the polynomial of degree $d$.

The polynomial is secret. Those who are encrypting do not know that the exact polynomial is ...

Consider an elliptic curve $E$ over a finite field $\mathbb{F}_{\!q}$. Do you know protocols of elliptic cryptography, which require a hash function $H\!: \{0,1\}^* \to E(\mathbb{F}_{\!q})$ such that $H$ is not necessary a random oracle (but only collision-resistant) ?

TL;DR: This ABSOLUTELY does not work and presents a huge security risk. Posting it anyways in case there are other threats I missed or to dissuade any other person who comes up with this idea.

Hi! I’m sort of new to cryptography. I’m starting to venture into ZK schemes. For a small project of mine with which I intend to put in practice what I learnt so far, I came up with a protocol and I’d lo ...

What is an advantage of the Charles--Lauter--Goren hash function (based on isogenies of elliptic curves) among other provably secure collision-resistance hash functions ? I heard that it is slower.

We know that in RSA algorithm Sender A can send an encrypted message to receiver B without any prior exchange of secret keys. A just uses B's public key to encrypt the message and B decrypts it using the private key, which only he knows.

In digital signature reverse RSA algorithm can also be used to sign a message, so A can sign a message using their private key and B can verify it using A's publ ...

I need test vectors for E382 and E521 edward curves in order to test signature and verification process of a software.

I came across a comment about AES 128 without ShiftRow. I want to use this weakness to perform an attack. So far, I get that It possible to divide in 4 independent blocks of 32 bits. So we can launch a attack independently for each block. However, as the key scheduling use all the master key, I don't know if it is possible to make a group force attack with all round.

Currently, I know that I can  ...

If you look at the AES Linear Approximation Table (computed for example with Sage) you will see there are many entries with what looks like a high bias of -16 ("absolute bias" scale).

I know AES is designed to be resistant to Linear cryptanalysis. If you agree that -16 is a high bias, then there are 2 (3) options:

• either the AES Sbox is weak to linear cryptanalysis, but the overall cipher is not thanks ...

Section 3.3.5 of the paper “Schwaemm and Esch: Lightweight Authenticated Encryption and Hashing using the Sparkle Permutation Family” (the link to PDF can be found in this page) contains the following text:

Alzette provides very fast diffusion. In particular, all outputs bits depend on all the input bits after 4 rounds, though this dependency can be very weak. After 8 rounds however, we have that  ...