Latest Crypto related questions

I need a lightweight cryptographic hash function which is additive but not reversible, however I'm not sure such a function exists! (it would be better if it works in multisets as well)

By additive I mean: given such function f, another function g must exist, having the property g(f(X),f(Y))=f(X||Y), where || denotes concatenation of strings X and Y.

I have found a homomorphic hash function from

In RSA-FDH to sign a message $m$, we apply a hash function $H$ and then "decrypt" it using the private key $d$, so $Sign(m) = H(m)^d \mod N =: \sigma$ and then to verify, we use the public key, resulting in $H(m) = \sigma^e \mod N$ if all goes well.

Why do we have to use RSA for this instead of something else, for example ElGamal? Is it because the ciphertext in ElGamal is twice as long as the pl ...

hello guys hope you are doing well :),

i am trying to simulate the Schnorr Signature, but i have encountered some difficulties finding the generator,

i have chosen a prime P of 1024bit and took a factor of 160bit as Q but for the generator i'm trying to produce,

i'm using the equation => g^Q = 1 mod P

how can i implement this in python, and if this approach is not good please guide me...

thanks ...

Suppose $f_k$ is an arbitrary block cipher. Can OFB via $f_k$ be used to make a MAC. I argue that you can't even with fixed l, $m = l \times k$ because in OFB, $\mu = f_k(f_k(...((IV))) \oplus m$, and with an oracle, you would be able to get $\mu$ for a given message and find $f_k(f_k(...(IV)))$ and so can find $\mu$ for any message. However, I'm not sure I've used the oracle correctly, that is I'm no ...

In secret sharing schemes, we usually give rational fractional parts of a secret out. E.g. Alice gets 4/10ths of the secret, Bob gets 7/10ths, Charlie gets 5/10ths, David gets 1/10th, etc., and you need 10/10ths total to unlock the secret.

My question is: is there a scheme that allows for an irrational fraction of shares to be distributed to someone? E.g. Alice gets $\frac{1}{\pi}$ shares, Bob gets  ...

While implementing SM2 DSS and reading RFC-8032 for EdDSA, I noticed that, both families of schemes provide provisions for including a "context" (in EdDSA) or "signer info" (in SM2 digital signature) in the signature.

Q1: What non-trivial benefit does it provide? Does it help prevent duplicate key attack?

Q2: Are there existing protocol or application that expect this feature from digital signature ...

Why do we take Gaussian-like errors in $\mathsf{LWE}$?

Why for example we don't take uniform errors?

Given the following definitions for $\mathbb{Z}[x] /\left(x^{n}-1\right)$:

$$ a \cdot b \equiv \sum_{i=0}^{n-1} \sum_{j=i+1}^{n-1} a_{i} \cdot b_{j} \cdot x^{i+j}+\sum_{j=1}^{n-1} \sum_{i=n-j}^{n-1} a_{i} \cdot b_{j} \cdot x^{i+j-n}\left(\bmod x^{n}-1\right) $$ Similarly, for $\mathbb{Z}[x] /\left(x^{n}+1\right)$ the multiplication is defined as $$ a \cdot b \equiv \sum_{i=0}^{n-1} \sum_{j=i+1}^{n-1 ...

This was a practice problem for a class. The class is over now and I never solved it, so I thought I'd ask here.

Let's ignored the fact that adding extra security to single textbook RSA is unnecessary. As hilariously stated here:

Think about it this way, if it is estimated to take 500 years for a prisoner to chew through the bars on his prison cell to escape, is the public any safer if we add a seco ...

I admit I don't know a lot about the math behind Curve25519 and the DH exchange based on it.

I'm asking if after publishing the result of this operation:

ephemeral_share = X25519(ephemeral_secret, BASEPOINT)

Can ephemeral_secret be found by whomever obtains ephemeral_share, given that they know the used curve (and therefore the curve's base point)?

It's not that I don't trust Filippo's judgment (the a ...

Would secrets.choice be random enough to pick winners in a raffle?

I'm reading "Quadratic Span Programs and Succinct NIZKs without PCPs" and I'm having trouble understanding the "Efficiency" of a span program. I can see that a span program cannot compute some functions, but I have no idea what does it mean to compute a function efficiently. Because in turning machines there is and Idea of time (steps) or space (tape) but there is no such thing in a span program.