Latest Crypto related questions

Let's suppose that Bob has only Alice's IP and no more information about Alice's key, nor the digest of Alice's key.

They exchange keys and need proof that the received keys are the same keys that were sent.

How Bob and Alice can know that the key received is the right key?

Also, I read about Sigma protocol:

The general idea is that Alice and Bob do an unauthenticated Diffie-Hellman (D-H) key exc ...

Is there an algorithm that lets me sign a value with two keys at the same time, and in turn requires both keys to verify the signature?

For instance, a scheme could work like this:

• Sign X with Key1 and Key2 at the same time
• Verify X is signed by these two keys

This would be like a joint bank account: to do anything on this account, the bank will require signatures from the two persons that initially  ...

1. I have seen authors taking $G_1=G_2=G_T=G$ to be the same group of prime order $q$.

2. What I know is that for pairing of type $$e:G_1\times G_2\rightarrow G_T,$$ size of the element in the target group is $kn$ where $n$ is the size of an element in $G_1$ and $k$ is the embedding degree.

Source: A New Family of Pairing-Friendly elliptic curves by Michael Scott and Aurore Guillevic. and this que ...

What is the historical pattern for key size increases for rsa vs discrete log?

What are the current and future projected sizes for these?

I am testing the quality of AES S-box and using the lookup table I built a function from GF($2^8$) to GF($2^8$) seen as vector spaces. I was wondering if there is a transformation that I can use to find an equivalent permutation of AES S-box that sends $0$ in $0$ without modifying the properties of the S-box such as linearity, differential uniformity and so on.

I am trying to verify an Ed25519 implementation, but I can't find any test vectors for the curve points. All test vectors focus directly on signature constructions (EdDSA).

I tried to use https://asecuritysite.com/ecc/nacl07 but that seems to give the wrong results. For instance, it reports that the affine coordinates of the point 5G are:

x = 4938425407427312995059319313886117595473939396972359778374 ...

How is it possible to recover RSA private keys considering that weak LCG (random number generator) is used? I have some other keys (Public and private created with the same generator) and also some crypt texts encrypted with both keys.

It is relevant to highlight that there is no clue about the algorithm used to create those keys.

Any ideas?

Thanks.

Let $s: \{0,1\}^* \to \{0,1\}^{512}$ be the SHA512 hash (where $\{0,1\}^*$ is the countable set of all finite $\{0,1\}$ strings.

Is it known whether $|\text{im}(s)|/2^{512} \geq 0.5$?

If yes, what is the largest $n\in\mathbb{N}$ such that $|\text{im}(s)|/2^{512} \geq 1 - (1/2)^n$?

In the Bleichenbacher attack, when the $|M_i−1| = 1$, we should choose $r_i >= 2(bs_{i-1} -2B)/n$ in order to increase the search performance. I don't quite understand how this $r_i$ value is calculated and how this can improve the performance. Anyone can help? The above information can be found on https://eprint.iacr.org/2012/417.pdf page 3.
And the original paper is http://archiv.infsec.et ...

I was doing some Microsoft Seal testing on my macbook pro (i7) and got following results

Coefficient mod $q = 100$ bits and Polynomial degree $n= 8192$

• Ciphertext-Plaintext multiplication takes 0.211 milliseconds
• Ciphertext-Ciphertext multiplication takes 24 milliseconds, when I pick 5 RNS moduli for coefficient mod.
• It takes 9 milliseconds when I pick 2 RNS moduli for coefficient mod.

I want to und ...