Latest Crypto related questions

What does it mean to solve $\mathsf{SVP}_{\gamma}$ in worst-case?

Does it mean that the problem is solvable for any lattice we choose?

While coding for Edwards curve, I noticed that, the addition formula and the doubling formula return what seems to be different result.

I took the adding and doubling formula from both RFC-8032 and https://eprint.iacr.org/2008/522 and confirmed this difference.

Why is that? How does it, if it does effect computations within EdDSA?

Say a server plays a game of blackjack with a client, and the cards are shuffled and dealt by the server. The shuffle itself may or may not be fair, but what needs to be shown is that the cards dealt weren't altered during the course of gameplay, ie: after the start of the hand, the cards in the deck do not secretly have their ordering changed by the server.

I was thinking of the following soluti ...

I want to implement LWE-based encryption scheme, the modulo $q$ could be decomposed as $q = q_0\cdot q_1\cdots q_k$ according to CRT. I guess the modular arithmetic by $q_i$ is key operation, so I try to choose the Mersenne prime. However, there are only two primes satisfied: $2^{31}-1$ and $2^{61}-1$.

Are there any other primes such as $2^n-b$ that are easy to modulo(It better be between $2^{40}$

I am familiar with Fourier Transform and computing the DFT and FFT matrix for fast multiplication of integers. However, this is the first time I work with NTT applied to polynomial rings of the form $\mathbb{Z}_q[x]/x^{n} + 1$.

Say for small q=5 and $n$=2. My elements consists of all polynomials of degree at most $n-1$ with coefficients in $\mathbb{Z}_{q}$. All arithmetic of coefficients is done in

Hi I am quite new to NIZK. I know a trusted party (Generator) generates proving key and verifying key and then distributes them to Prover and Verifier. Apparently, the verifying key can be seen as public for anyone in the system, but what about the proving key? If the proving key is known to a different party other than the original prover, is there any problem such as another party can forge proofs, et ...

There is a Feistel block cipher based on Blowfish called Kaweichel. In one of its papers, there is this affirmation:

For the construction of the round function one choses usually parallel substitutions (s-boxes). The output bits of these s-boxes are permuted in order to achieve diffusion. For the derivation of the round keys from the userkey one has to choose a key schedule.

The basic idea behind this  ...