Latest Crypto related questions

Score: 1
Can I prove that from a set of ciphertexts one is encrypting $g^0$ and the others are encrypting $g^b$ where $b$ is a negative value?

Consider for example this set of encrypted values under the ElGamal keys $y_0$, $y_1$, $y_2$: $$ Enc_{y_0}(g^0), Enc_{y_1}(g^{-20}), Enc_{y_2}(g^{-10}) $$ Can I prove that one value is $g^0$ and the others are $g^b$ where $b$ is negative without revealing which one is which?

Score: 1
MR.-c
Proving negligible function

I was reading the following:

The functions $2^{-n}, 2^{-\sqrt{n}}$ are negligible. However they approach zero at different rates. For example, we can look at the minimum value of $n$ for which each function is smaller than $\frac{1}{n^5}$

  1. Solving $2^{-n} < n^{-5}$ we get $n > 5\cdot \log(n)$. The smallest integer value of $n>1$ for which this holds is $n=23$.

1- I don't understand why/how did t ...

Score: 0
MR.-c
Explaining: The probability of breaking an encryption scheme

I was reading Intro to Modern Cryptography and didn't understand how they calculated the probability:

Say we have a cryptographic scheme in which honest parties run for $10^6 \cdot n^2$ cycles and for which an adversary running for $10^8 \cdot n^4$ cycles can succeed in breaking the scheme with probability at least $2^{-n/2}$.

Score: 0
luluSaponetta
Trouble extracting actual ciphertext (attribute "parts") from helib::Ctxt ciphertext

I'd like to directly access the numbers composing the ciphertext Ctxt from HElib, but reading the documentation I don't seem to find anything that can help me.

I have an object Ctxt containing the ciphertext of a vector representing an encrypted image; I understand that the real ciphertext is stored in the attribute "parts" of the object, but there is no getter method to access this attribute. ...

Score: 0
JAAAY
Difference of unconditional and perfect security in terms of IND-Game

Both unconditional and perfect security were very clear to me, until I bumped into different sources that confused me.

For example: 1 2 3. Also, in 3 the DH76 paper is referenced and it doesn't define unconditional security in terms of a negligible function.

In terms of IND-Game, this is how I perceived them, with perfect security being a special case of unconditional security:

In IND-Game, if

Score: 0
nnsk
Can a circuit in a zk-SNARK be reverse-engineered?

The definition of zk-SNARK involves not leaking any information from the prover-verifier interaction, but what about leaking information from the circuit itself? E.g., could there be a circuit to demonstrate that I know the preimage to $s$, where $s$ is a signature generated by secret $x$ and signing algorithm HMAC(x, plaintext)? This circuit shouldn't give any information about what $x$ is.

Edit: to clarify m ...

Score: 0
How to use the CADO-NFS to calculate DLP in GF(p^2)?

I have a question regarding DLP in GF(p^m). I know we can use CADO-NFS to solve the DLP in GF(p). But what if we move into GF(p^m) and are working with polynomials? Can the CADO tools still calculate it? If so, how to use it when the domain is GF(p^2) with polynomials?

Could anyone with some experience with this tool help me, please? I didn't find anything on the Internet and the documentat ...

Score: 0
phantomcraft
Post-quantum security of multiple-encryption with CTR mode of operation while keeping the IVs secret

I received an answer to one of my questions saying that multiple-encryption with CTR mode of operation is vulnerable to a sort of meet-in-the-middle attack if the IVs are public. The same user said that when keeping the IVs secret such an attack does not apply and that the cost of breaking a double-encryption with brute-force, for example, is multiplied by 2*[IV length].

Does encrypting two times with CTR mode while ...

Score: 2
RARA
What is an output symbol?

I'm reading Understanding Cryptography by Christof Paar and Jan Pelzl. In chapter 2 (Stream Ciphers), there is a section talking about "Building Key Streams from PRNGs".

They assume a PRNG based on the linear congruential generator:

$$S_0 = \text{seed}$$ $$S_{i+1} \equiv A S_i + B \bmod m, \quad i = 0, 1, \ldots$$

where we choose $m$ to be 100 bits long and $S_i, A, B \in \{0,1,\ldots,m-1\}$. Note that this PRNG can have excell ...

Score: 0
muhammad haris
How is $f(x)$ set in ring-lattice crypto?

I want to clear up some confusion I have about lattice crypto.

As discussed in this talk: Signatures, Commitments, Zero-Knowledge, and Applications

For the ring $Z_q[x]/f(x)$, I want to understand the following:

  • Does $f(x)=x^d+1$, is it true that when $d$ is a power of two NTT is fast it splits the polynomial into many smaller factors. Or is there some condition on $q$ as well.
  • What extra advantage we get if

Score: 1
Electron-Capture
Can you derive the public key from a PGP encrypted message without knowing the message content?

I am working on a system to transfer short messages while obfuscating the intended recipient.

In essence, it combines many messages encrypted using PGP, and periodically publishes a file containing those messages. The recipients would then download that file and try all messages against their secret key.

Given a message encrypted using PGP, could a potential attacker derive the public key from that ...

Score: 0
user900476
What's the meaning of asterisk and PPT in this paper?

I'm very new to cryptography. I'm required to read a paper.

I totally don't understand. First, what's the meaning of the asterisk in $H:\{0,1\}^*\rightarrow \{0,1\}^k$?

Second, what does PPT mean here? (I searched the Internet but didn't get a satisfying answer.)

Third, why if $b=1$, $s\leftarrow H(g^{ab})$, else $s\leftarrow \{0,1\}^k$? I understand steps 1, 2, 3 but don't understand steps 4, 5, 6.

Could anyon ...
