Latest Crypto related questions

Score: 0
johnscapw
Bounded honest-verifier simulator and unbounded prover

I have an honest-verifier zero-knowledge simulator $M$. The conversation between prover and verifier has the usual $(a, b, z)$ form. How can the bounded model $M$ generate $a$ and $z$ if the prover is probably unbounded? I know that I have to use the fact that the verifier is honest, but I just cannot figure out how.

Score: 0
AUser
Create a Root CA self-signed certificate using the command line

I have a Microsoft Server 2019 offline Root CA.

I want to renew the Root CA certificate, but I do not want it to be used immediately (as I want to push out the new Root CA certificate to key stores on clients ahead of using it to sign Issuing CA certificate/s).

If I renew on the Microsoft Certification Authority GUI tool (the standard one that is installed when you install the CA), the certificate immed ...

Score: 1
Extractor in knowledge-soundness vs extractor in witness-extended emulation

In the knowledge-soundness definition on page 8 of Groth16, it says: The extractor gets full access to the adversary's state, including any random coins. My question is why full access? Why don't we just say oracle access to the adversary?

Then in the definition of witness-extended emulation (WEE) in Bulletproof (page 10) they say the extractor has oracle access to the transcript of interactions betw ...

Score: 0
Edward
Consider the DSA digital signature scheme. Does the intercepted message m||s||r contain all information about the signer’s private key?

Consider the DSA digital signature scheme. Does the intercepted message m||s||r contain all information about the signer’s private key? Please justify your answer carefully.

Please note that the equation $a = \alpha^x \bmod p$ does give all the information about $x$ in the range $0 \le x \le p - 2$ when $a$, $p$, and the primitive root $\alpha$ of $p$ are given, even though computing $x$ (i.e., retrievin ...

Score: 2
Adam
Observations about ENT's Chi Squared test on my own RNG—and HotBits's score

Basic question: ENT seems to trip up generators that pass NIST 800-22 and maybe even dieharder. How do the latter two test suites miss such an obvious failure?

There are two things I want to mention about the well-known randomness test suite ENT, which is, as far as I understand, considered to be far less rigorous than test suites like NIST SP 800-22 and diehard(er).

I've applied ENT, the NIST test suit ...

Score: 2
user900476
Could anyone explain what Two Oracle Diffie-Hellman assumption is?

I am really new to cryptography and I have asked a similar question which is about Decisional Diffie-Hellman assumption (What's the meaning of asterisk and PPT in this paper?) and it is already kind of difficult to me.

But this paper Practical Secure Aggregation for Privacy-Preserving Machine Learning (https://eprint.iacr.org/2017/281.pdf) proposes a Two Oracle Diffie-Hellman assumption, which is even ...

Score: 0
Is there a hash function that is semi-two-way?

I am looking for a hash function that uses a timestamp as salt, and produces an output that when run through another function only returns the timestamp used.

What would this be called? It's not a one-way hash and it's not a fully reversible hash function.

Score: 2
Asimonu
Paper "How to Meet Ternary LWE Keys": What is t and how is it used

I have read this paper from A. May again and again, but, probably because I am new to this field, I don't succeed in understanding the MEET-LWE part.

In particular, in part 5 it states to choose a "randomly chosen target vector" $t \in \mathbb{Z}_r^q$. Later, it is said that a value of $s_1$ satisfying $\pi_r(A s_1 + e_1) = t$ may be the solution of the LWE system, and something similar for $s_2$. Thus my quest ...

Score: 0
Jimakos
Synchronized random number generation

Let me try to reformulate the problem, as it might help a bit. The requirements are the following:

  1. At the beginning of their connection, the two end-points perform a Diffie-Hellman exchange to derive a common key $K$.
  2. Then EP1 needs to generate a random 48-bit value $R$ and send it to EP2. This random value needs to have the following two properties: (a) an attacker is not able to guess the next random  ...

Score: 0
Edward
Key distribution protocol involves only 2 parties, given E[k1,E(k2,m)]=E[k2, E(k1, m)]

Given a one-key cipher such that E[k1,E(k2,m)]=E[k2, E(k1, m)], is there any key distribution protocol that involves only two parties (Alice and Bob) without a key distribution center? The protocol should allow Alice to send a session key to Bob with confidentiality using the one-key cipher.

Score: 1
YozNacks
How do different types of ciphers relate to each other?

I understand that there are symmetric and asymmetric (public-key) ciphers. The first have the same key used for encryption and decryption, while the second use a public key for encryption and a private key for decryption.

I understand that there are block and stream ciphers. The first work on rounds through the various blocks of a message, while the second work on bits as they come.

I also understan ...

Score: 0
Tom
Symmetric encryption algorithm based on multiplication

I've been wondering about this paragraph for some time:

Multiplication is a great mixing function. If you work out what multiplication looks like in terms of ANDs and XORs it becomes apparent how elaborate a 64bit multiply is. The amount of transistors required to implement it in hardware prohibits multiplication from being used in most cryptographic algorithms. But for non-cryptographic PRNGs which onl ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.