Latest Crypto related questions

Score: 0
Zero Knowledge proof of correct ElGamal encryption

Suppose for $sk = x$, $pk = g^x$ we encrypt message $m$ with ElGamal encryption as $(g^r,m\cdot pk^r)$. My goal is to prove that I performed the encryption correctly, i.e. that the same $r$ is used across $g^r$ and $m\cdot pk^r$.

I thought of a simple $\Sigma$-protocol to show this as follows:

  1. Prover samples $q_1,q_2$, computes $R_1 = q_1\cdot pk^{q_2}$ and $R_2 = g^{q_2}$ and sends $R_1, R_2$ to Veri ...
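
A worked version of the kind of Σ-protocol the question is after, added here as an illustration and not part of the original post: the standard Chaum-Pedersen (DLEQ) proof that $\log_g(c_1) = \log_{pk}(c_2/m)$, made non-interactive with Fiat-Shamir. It assumes the verifier knows $m$ (or a commitment to it); without that the statement is vacuous, since any pair $(c_1, c_2)$ is a valid encryption of $c_2 / pk^{r}$ for some message. The group is a constructed 64-bit toy safe prime generated at import time, and all function names are mine.

```python
import hashlib
import secrets


def _is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e23 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits):
    """Smallest q >= 2^(bits-1) with q and p = 2q + 1 both prime."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Toy group, constructed here for illustration: a 64-bit safe prime p = 2q + 1,
# with g = 4 (a quadratic residue) generating the order-q subgroup. A real
# deployment uses a 2048-bit MODP group or an elliptic curve.
P, Q = _safe_prime(64)
G = 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, m, r=None):
    """ElGamal: (g^r, m * pk^r). m must lie in the order-q subgroup."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(pk, r, P) % P), r


def _challenge(*elements):
    """Fiat-Shamir challenge: hashing the statement binds the proof to it."""
    data = b"|".join(str(e).encode() for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_encryption(pk, m, ct, r):
    """Chaum-Pedersen proof that log_g(c1) == log_pk(c2 / m), i.e. the same r."""
    c1, c2 = ct
    h = c2 * pow(m, -1, P) % P          # equals pk^r iff the ciphertext is well-formed
    w = secrets.randbelow(Q)
    a1, a2 = pow(G, w, P), pow(pk, w, P)
    e = _challenge(G, pk, c1, h, a1, a2)
    z = (w + e * r) % Q
    return a1, a2, z


def verify_encryption(pk, m, ct, proof):
    c1, c2 = ct
    a1, a2, z = proof
    h = c2 * pow(m, -1, P) % P
    e = _challenge(G, pk, c1, h, a1, a2)
    return (pow(G, z, P) == a1 * pow(c1, e, P) % P
            and pow(pk, z, P) == a2 * pow(h, e, P) % P)


def demo():
    """Returns (proof accepted for a well-formed ciphertext,
                proof accepted for a ciphertext whose two parts use different r)."""
    x, pk = keygen()
    m = pow(G, 7, P)                    # encode the message as a subgroup element
    ct, r = encrypt(pk, m)
    proof = prove_encryption(pk, m, ct, r)
    bad_ct = (pow(G, r, P), m * pow(pk, (r + 1) % Q, P) % P)
    return verify_encryption(pk, m, ct, proof), verify_encryption(pk, m, bad_ct, proof)
```

Because the challenge hashes $h = c_2/m$, a proof produced for one message cannot be replayed to claim the ciphertext encrypts a different message either.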
Score: 0
Why do we need DSPR or Eq. 14 for the proof of SPHINCS+?

The paper says that

We show that preimage resistance (PRE) follows tightly from the conjunction of second-preimage resistance (SPR) and decisional second-preimage resistance (DSPR).

As I understand from here, instead of assuming the hash function is SPR and PRE, we can assume DSPR and PRE to have a secure scheme.

And in the original proof of SPHINCS+ we need to assume PRE and Eq. 14 to have the SPR property.

Score: 0
Reference Implementation of RLWE-Based schemes?
zbo

Now RLWE-based encryption schemes are so popular because of their post-quantum property and application in homomorphic encryption. I am trying to get more familiar with RLWE-based encryption by implementing it. I know there are already a lot of libraries that give industrial implementations, like the NIST post-quantum submissions and Microsoft SEAL. But they use so many optimizations like the NTT transform, RNS representa ...

Score: 2
How less secure were those random bytes?

In our Python codebase, some random bytes were generated that we wanted to be cryptographically secure. Previously, the code was:

capability = "".join(secrets.choice(string.digits) for i in range(33))

I've changed it to:

capability = secrets.token_bytes(16)

By my estimation, the first version chose 33 times between 10 digits and so had 33·log2(10) ≈ 110 bits of entropy, while the second has 128 bits of ...

Score: 4
G. Stergiopoulos
Can there be identical elliptic curve groups of points from different irreducible polynomials in binary extension fields?

Let $E$ be an elliptic curve over a binary extension field $GF(2^m)$, with constructing polynomial $f(z)$ being an irreducible, primitive polynomial over $GF(2)$, and let $G(x_g,y_g)$ be a generator point on the curve.

Is there any possibility that two (or more) different $f(z)$ can produce exactly the same GAL group for an elliptic curve (same polynomials as elements)? We do not allow adjustments of coeff ...

Score: 0
ElGamal-based BBS proxy re-encryption implementation?
Leo

Are there any available tools/libraries that implement the idea of the ElGamal-based proxy re-encryption scheme shown below? Preferably in Golang. Thank you!

Source of this picture: https://www.cs.jhu.edu/~susan/600.641/scribes/lecture17.pdf

Score: 1
soul king
Offset Parameters in BLAKE2b

In my course about cryptography, we started looking at hash functions. As homework, we had to pick a modern hash function and describe it in class. I chose BLAKE2b, which I can understand well when it is explained in words, but the official implementation raises questions.

static void G(int roundNum, int i, int a, int b, int c, int d)
    {
        int p = (roundNum << 4) + 2 * i;
        in ...
Score: 1
M.Z.
multi-user deterministic symmetric encryption

I was wondering whether there exists a symmetric encryption scheme such that

  1. there is 1 sender and n receivers. Each receiver has 1 random and independent symmetric key. The sender knows the symmetric keys of all receivers in advance.
  2. the sender can encrypt one message using the above n keys and produce a ciphertext. Each receiver can decrypt the ciphertext using his own symmetric key to recover the m ...
Score: 3
Public-key/asymmetric encryption where you can only leak the decrypted message by leaking your password

A bunch of friends are using public-key encryption to send encrypted messages to each other using an open public forum. I.e. each friend has a public key (which you can use to encrypt messages for them) and a private key (which they use to decrypt messages for them).

Bob sends Alice the encrypted message $y$, which, when decrypted, yields the text $x=$"I'm going to murder you unless you send me \$1000".  ...

Score: 2
user15651
Modular Reduction in the Ring $\mathbb{Z}_{q}[x]/(x^n + 1)$

May someone please explain how the reduction is done? I am familiar with other algebraic structures but wondering if I am doing reduction correctly for this.

It is understood that a Polynomial Ring of this form, $\mathbb{Z}_{q}[x]/(x^n + 1)$, consists of the set of all polynomials defined by $(x^n + 1)$ with coefficients over $\mathbb{Z}_q = \{0, 1, ..., q-1\}$.

For simplicity, say I am working in
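
An added example, not taken from this post or from the RLWE reference-implementation question above, that serves both: schoolbook arithmetic in $\mathbb{Z}_q[x]/(x^n+1)$, where every monomial $x^k$ with $k \ge n$ is reduced using $x^n \equiv -1$ and the coefficients are then reduced mod $q$, and on top of it the plain LPR-style RLWE public-key scheme with no NTT or RNS. The parameters $n = 32$, $q = 3329$ and the ternary noise are constructed for illustration and are not a standardized parameter set; with them the decryption noise is bounded by $2n + 1 = 65 < q/4$, so decryption never fails.

```python
import secrets

# Constructed toy parameters: n a power of two (so x^n + 1 is the 2n-th
# cyclotomic polynomial), q a small prime.
N = 32
Q = 3329


def poly_mul(a, b, n=N, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1).

    A term x^k with k >= n is rewritten as x^(k-n) * x^n = -x^(k-n): the
    coefficient moves to position k - n with its sign flipped. Coefficients
    are reduced mod q at the end.
    """
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj
    return [c % q for c in out]


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]


def uniform_poly(n=N, q=Q):
    return [secrets.randbelow(q) for _ in range(n)]


def small_poly(n=N, q=Q):
    """Ternary noise with coefficients in {-1, 0, 1}, stored mod q."""
    return [(secrets.randbelow(3) - 1) % q for _ in range(n)]


def keygen():
    """pk = (a, b = a*s + e), sk = s; (a, b) is an RLWE sample."""
    a = uniform_poly()
    s, e = small_poly(), small_poly()
    return (a, poly_add(poly_mul(a, s), e)), s


def encrypt(pk, bits):
    """u = a*r + e1, v = b*r + e2 + floor(q/2)*m for an n-bit message m."""
    a, b = pk
    r, e1, e2 = small_poly(), small_poly(), small_poly()
    u = poly_add(poly_mul(a, r), e1)
    scaled = [(Q // 2) * bit % Q for bit in bits]
    v = poly_add(poly_add(poly_mul(b, r), e2), scaled)
    return u, v


def decrypt(s, ct):
    """v - u*s = floor(q/2)*m + (e*r - e1*s + e2); each coefficient is
    near 0 for a 0 bit and near q/2 for a 1 bit."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, s))
    return [1 if Q // 4 < c <= 3 * Q // 4 else 0 for c in w]
```

The test below also exercises the reduction on its own with $n = 4$, $q = 7$: $(1 + x^3)\cdot x^2 = x^2 + x^5 = x^2 - x$, i.e. the coefficient list $[0, 6, 1, 0]$.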

Score: 1
Is it possible to have a Hierarchical Deterministic KD for ECC with child key leak not impacting parent key?

From what I understand, in BIP 32, knowledge of the parent public key and the child private key provides the parent private key in a non-hardened path. Indeed, it's only a matter of subtracting the part provided by the current path from the child's key to get back the parent's key.

I have an application in which I would like:

  • the people to be able to derive the public key of a given ID ("child pub ...
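
The recovery the question describes, as an added example that is not part of the post: a minimal BIP32-style derivation over secp256k1 showing that, for a non-hardened index, the parent's extended public key (public key plus chain code) together with one child private key gives back the parent private key, while a hardened index ($i \ge 2^{31}$) folds the parent private key into the HMAC, so public derivation, and with it this recovery, is impossible. The seed is constructed and the helper names are mine; the curve constants and the HMAC inputs follow BIP 32.

```python
import hmac
import hashlib

# secp256k1 parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, pt=G):
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ser_p(pt):
    """33-byte compressed point encoding, as BIP32 feeds into the HMAC."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def _hmac512(chain, data):
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]      # (IL as integer, IR = chain code)


def master_from_seed(seed):
    return _hmac512(b"Bitcoin seed", seed)


def ckd_priv(k_par, c_par, i):
    """CKDpriv: hardened children hash the parent private key, normal ones the public key."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(scalar_mult(k_par)) + i.to_bytes(4, "big")
    il, c_child = _hmac512(c_par, data)
    return (il + k_par) % N, c_child


def ckd_pub(K_par, c_par, i):
    """CKDpub: child public key = IL*G + K_par; only defined for non-hardened i."""
    if i >= HARDENED:
        raise ValueError("hardened child: parent private key required")
    il, c_child = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return point_add(scalar_mult(il), K_par), c_child


def recover_parent_priv(K_par, c_par, i, k_child):
    """The leak from the question: anyone holding the parent's extended public
    key can recompute IL for a non-hardened index, so k_par = k_child - IL."""
    if i >= HARDENED:
        raise ValueError("IL of a hardened child depends on k_par itself")
    il, _ = _hmac512(c_par, ser_p(K_par) + i.to_bytes(4, "big"))
    return (k_child - il) % N
```

The recovery needs the chain code as well as the public key, which is why BIP 32 treats the extended public key (not the bare public key) as the sensitive object when any descendant private key might be exposed.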
Score: 1
curiouscupcake
Compute OTP key if set of plain texts and its set of cipher texts are known

Given a set of plain texts $P \subseteq \{0, 1\}^n$. Assume we know the corresponding set of cipher texts $C \subseteq \{0, 1\}^n$ produced by applying one-time pad with an unknown key $k \in \{0, 1\}^n$.

Question: How to compute $k$, based on $P$ and $C$?

My approach: For every pair $(p, c) \in P \times C$, compute the key $k' = p \oplus c$. Output the most frequent key $k'$.

My question: What ...
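
An added illustration, not from the post, of the voting approach with unpaired sets: the true key $k$ always collects $|P|$ votes, but a wrong key $k \oplus d$ ties with it exactly when $P \oplus d = P$, so the honest output is the set of top-voted candidates rather than a single key. Both plaintext sets below are constructed to show the unique case and the ambiguous one (a set that is an affine subspace under XOR).

```python
from collections import Counter
from itertools import product


def key_votes(plaintexts, ciphertexts):
    """Tally p XOR c over every (unpaired) plaintext/ciphertext combination."""
    votes = Counter()
    for p, c in product(plaintexts, ciphertexts):
        votes[p ^ c] += 1
    return votes


def recover_key(plaintexts, ciphertexts):
    """All keys tied for the most votes, sorted. The true key gets |P| votes;
    k ^ d also gets |P| votes whenever p ^ d is in P for every p in P."""
    votes = key_votes(plaintexts, ciphertexts)
    best = max(votes.values())
    return sorted(k for k, v in votes.items() if v == best)


def otp_encrypt(plaintexts, key):
    return {p ^ key for p in plaintexts}


def demo(key=0x5A):
    """Constructed 8-bit inputs: one set with all pairwise XORs distinct,
    one closed under XOR with 0x22, 0x44 and 0x66."""
    unstructured = {0x01, 0x02, 0x07, 0x1B}
    structured = {0x01, 0x23, 0x45, 0x67}
    return (recover_key(unstructured, otp_encrypt(unstructured, key)),
            recover_key(structured, otp_encrypt(structured, key)))
```

For the structured set the tally cannot distinguish $k$ from $k \oplus 0x22$, $k \oplus 0x44$ and $k \oplus 0x66$: each of them, applied to $C$, yields exactly the set $P$ again.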

Score: 2
caveman
For any numbers $a, b$, what are the operators $X, Y$ such that revealing $a\ X\ b$ and $a\ Y\ b$ doesn't reveal info about $a,b$?

Previously I thought about a pair of 8-bit uniformly distributed random numbers $(a,b) \in \{0,1\}^8$, and $X$ to be bitwise XOR, $Y$ to be 8-bit addition. But it turned out that revealing $a \text{ XOR } b, a+b \bmod{2^8}$ does reveal a lot of information bits about $a,b$.

A smart dude here mentioned "dependence" as a property. So I guess I am looking for independent operators? Or, at least, oper ...
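
An added example, not from the post, quantifying the leak for the XOR/addition pair: since $a + b = (a \oplus b) + 2(a \wedge b)$, publishing $x = a \oplus b$ and $s = a + b \bmod 2^8$ fixes $a \wedge b$ on the low seven bits, leaving $2^{\mathrm{popcount}(x \wedge 0x7f) + 1}$ consistent $(a, b)$ pairs out of $2^{16}$. The brute-force count and the closed form are compared; the sample pair is constructed.

```python
def consistent_pairs(x, s, bits=8):
    """Brute force: every (a, b) with a ^ b == x and (a + b) mod 2^bits == s."""
    mod = 1 << bits
    return [(a, b) for a in range(mod) for b in range(mod)
            if a ^ b == x and (a + b) % mod == s]


def expected_count(x, s, bits=8):
    """Closed form for len(consistent_pairs(x, s, bits)).

    a + b = (a ^ b) + 2*(a & b), so c = (s - x)/2 mod 2^(bits-1) is a & b on
    the low bits-1 positions (its top bit is lost to the modular wrap).
    Where x is 1 the bits of a and b differ, two choices each; where x is 0
    on a low position they are both equal to c; the top position is free
    either way (two choices), giving 2^(popcount(low x) + 1) solutions.
    """
    mod = 1 << bits
    diff = (s - x) % mod
    if diff & 1:                        # a + b and a ^ b always share parity
        return 0
    c = diff >> 1
    low = x & (mod // 2 - 1)
    if c & low:                         # a & b must be 0 wherever a ^ b is 1
        return 0
    return 1 << (bin(low).count("1") + 1)


def bits_leaked(a, b, bits=8):
    """Of the 2*bits secret bits, how many (a ^ b, a + b mod 2^bits) reveals."""
    mod = 1 << bits
    count = expected_count(a ^ b, (a + b) % mod, bits)
    return 2 * bits - (count.bit_length() - 1)   # count is a power of two
```

The leak is worst when $a \oplus b$ has few set bits: for $a = b$ the pair $(0, a + a)$ leaves only two candidates, so 15 of the 16 secret bits are gone.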

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.