Questions tagged as ['signature']

Algorithms and protocols for creating signatures to documents, and verifying such signatures. These are normally asymmetric, for symmetric signatures see [mac].
Score: 0
Shweta Aggrawal avatar
Are there applications of sanitizable signatures without transparency property?
us flag

Are there applications of sanitizable signatures without transparency property ?

Score: 2
Designated verifier signature from Diffie–Hellman and a MAC
ru flag

Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the M ...

Score: 5
a196884 avatar
Is qTesla Secure?
cn flag

qTesla is a signature scheme and a submission to the NIST post-quantum standardization process, which made it to the second round. It is based on the hardness of RLWE. The NIST round 2 status report says that it didn't make it to round 3 because:

the performance of the remaining parameter sets of qTESLA is not strong enough to remain competitive. In particular, the public key sizes of q-TESLA-p-I  ...

Score: 0
Security of ElGamal signature scheme with generator of small order
cn flag

For $p$ a 1024-bit prime, we have a 1021-bit element $g \in \mathbb{Z}_p^*$, where the order of $g$ is much smaller than the order of $\mathbb{Z}_p^*$. How does this small-order $g$ affect the security of the signature?

Score: 3
Elias Strehle avatar
Prove that $x$ is the sum of digitally signed numbers without revealing the summands
pg flag

Imagine this:

  • Charlie chooses two integers $x_1$ and $x_2$ and signs each of these integers with the same private key.
  • Charlie sends the following to Alice:
    • $x_1$ and $x_2$,
    • the two signatures, and
    • his public key.
  • Alice computes $x = x_1 + x_2$ and sends the following to Bob:
    • $x$ and
    • Charlie's public key.

Can Alice prove to Bob (without involving Charlie) that $x$ is the sum of two numbers ...

Score: 0
guangyu liao avatar
How to estimate the parameter of a lattice signature scheme with lossy reduction?
cn flag

The parameter of a lattice signature scheme DAZ19 with tight reduction can be choosed to make the underlying hardness problem intractable. How to estimate the parameter of a lattice signature scheme ESLL19 with lossy reduction? is there any relation between the reduction and parameter?

Score: 1
Does SSL connection provide integrity?
us flag

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

Score: 3
guangyu liao avatar
parameter estimating in lattice signature scheme
cn flag

when reading [BDLOP18], I run the lwe-estimator with the recommended parameters in Table 2enter image description here , but the result of hermite factor is 1.007, this result is bigger than the recommended hermite factor 1.0035enter image description here

Score: 0
Raccoondude avatar
Is it possible (and if so how) to make one proof for multiple private keys in ECDSA
ru flag

Lets say I have a message that needs to be signed by two keys that were generated using ECDSA

Is it possible to make a signature that accounts for both keys, meaning I can verify with both and see they are valid?

An example, if we need a cryptocurrency example:

Address 1 has 10 coins Address 2 has 10 coins

Both inputs are in the transaction, and now need to be signed. Is it possible to make it so only one ...

Score: 1
Myria avatar
Should Ed25519 verification multiply by the cofactor?
in flag

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

  1. Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and

Score: 0
krystof18 avatar
How to ensure the data comes from verified source without using asymetric encryption
ag flag

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Score: 0
Ordinary avatar
Does hash-then-sign provide confidentiality?
sy flag

Suppose I use the hash-and-sign paradigm and reveal a signature on the message digest $\sigma(H(m))$. Would just revealing this signature violate message confidentiality (assuming H is one-way and collision resistant)?

Score: 0
Ordinary avatar
Is there a way to ensure that the signer has generated a valid (message, signature) pair without seeing the message?
sy flag

Suppose Alice sends message $Enc(k_{AB}, m)$ to Bob where $k_{AB}$ is the common symmetric key. Next Alice sends a signature of $H(m)$ $\sigma_{sk_A}(H(m))$ signed under her private signing key $sk_A$ to Eve, where H is a secure hash function. Then, Bob decrypts the message and sends it to Eve where she verifies it with the signature. Here, either Alice or Bob can be malicious. If Bob is malicious, he g ...

Score: 2
Zim avatar
kleptography SETUP attack in ecdsa
de flag

I'm trying to implement kleptography SETUP attack of ecdsa with python. Just a simply script to verify the algorithm. However i can't get the right output as the paper said. Where is the problem? Can anyone help?

The algorithm

from ecpy.curves import Curve, Point
import hashlib
import gmpy

cv = Curve.get_curve('secp256k1')
G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
          0x48 ...
Score: 1
jjj avatar
Looking for a (partly) anonymous signature
cn flag

I am looking a way to sign a document, so that everyone could verify that one person out of a group did, but only a special person and/or the group could know who signed it.

Let's say, X chooses a group G of people (it can be assumed that everyone has some kind of known public key). Then a member Y of G should be able to sign a document such that everyone can verify that it was signed by someone  ...

Score: 1
Signature of low-entropy data: can they be faked?
cn flag

I am working on an application where I have a physical product identification label containing a block of public, low-entropy data (~50 bytes) such as serial number and other info, all readily available right on the label. I would like to use a hash-based signature algorithm to provide an authenticity check that the product is valid.

  1. Is this a reasonable idea? Does the low-entropy data cause problems? ...
Score: 0
makouda avatar
A tool to generate and verify signature of a binary file
gp flag

I'm looking for an easy to use tool to generate RsaPssSha256 digital signature of a binary file using the private key. and verify the signature using the modulus and exponent of the public key.

any suggestion?

Score: 0
cryptobeginner avatar
Reference for a formal definition of universal forgery and EUF-CMA
cn flag

In many papers, I see EUF-CMA and SUF-CMA referenced as a canonical term used, but I did not find a reference paper/book that give a formal definition of the those terms. I am looking for a reference that formally defines EUF-CMA, SUF-CMA security and universal forgery, similar to this answer.

Score: 1
korolev avatar
In general, how do e2e messaging platforms deal with changes to the structure of the encrypted data?
tz flag

I'm a layman trying to deepen my understanding of crypto and private messaging by building a (proof-of-concept) centralized, end-to-end encrypted messaging "platform".

Messages are sent by devices to the "server" (running on my Pi inside my home network) where they are stored and from whence they can be retrieved by the recipients via an api call. The server knows just the bare minimum to distrib ...

Score: 0
Is RSA in ciphersuites secure?
us flag

Ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure but how do I know which RSA is used for the signature generation? If its the hashed one, where you hash the message before signing it, cant an attacker still generate valid signatures where he computes: (message,signature):( hash(m)^e , hash(m) ) and it is a valid signature?

Score: 0
Lê Thành Vinh  avatar
Why a private key is used to encrypt hash in digital signing
in flag

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with his own private key, Alice uses Bob's public key to decrypt the encrypted hash.

What is the purpose of this opposition? Or It doesn't matter which key to encrypt/decrypt?

Score: 0
Group Signature by Camenisch and Stadler
je flag

Page 8, Paper: "Efficient Group Signature Schemes for Large Groups" by Camenisch and Stadler

(1) I was trying to understand membership certificate part. I am have only basic knowledge of math, but there seems to be quite some math behind it. Can somebody help me understand this part? "e" and "y" are not secret. Why is it infeasible to construct a triple (x, y, v) without the help of Group manager?


Score: 0
Authentication of certificates
in flag

In order to provide authenticity of a sent message, we use certificates as fingerprints. But how do I know that the certificate is not stolen by someone? If the certificates are made public, why cant an attacker just take someones public certificate and identify himself as someone else?

Score: 1
user3776738 avatar
How is a keyImage linked to a ring signature?
cn flag

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't g ...

Score: 0
Is it possible to extract a signature from a HTTPS webpage?
se flag

Let's say I want to prove to someone that a webpage claims X. I could take a screenshot, but it could easily be doctored. However, the webpage's contents are encrypted by the domain using its private key. Is there a way to use the encrypted message to prove to someone that I haven't modified it?

I think this is possible if I generate a temporary private key and use it in the connection, then pres ...

Score: 2
Natural resistance to side channel attacks of XMSS/LMS/SPHINCS+
cn flag

All these post quantum signature schemes are claimed by the authors to be naturally resistant to side channel attacks. My question is, why or how?

Score: 2
Shweta Aggrawal avatar
How do we pick random elements in cryptography?
us flag

While reading papers on cryptography, a lot of time I have seen that people pick random elements $x\in \mathbb{Z}^*_q$ to do something (like setting secret key and all). How does one randomly pick elements in reality. I mean in practical implementation, what procedure do we follow? Do we use some CSPRNG?

Score: 1
DannyNiu avatar
Is it possible to create a Dilithium Prime or Falcon Prime?
vu flag

In the NTRU Prime submission, principle author, the well-known DJB is adamant that

[the] primary objective [of NTRU Prime] is to eliminate unnecessary complications in security review

So much so, to the extent that the idea of pure cyclotomic ring, module, decryption errors, etc. are exterminated from the design.

I think this is good, as NTRU Prime serve as a model alternative to the other design ...

Score: 1
MM45 avatar
Can a PKE scheme be turned into a signature scheme?
dj flag

Recently, I have been wondering whether you can turn any PKE scheme into a signature scheme and, if so, how (is there a general construction, or is this scheme-specific?). I have found several posts that seem to suggest this is the case (e.g., this post, and this post); however, they don't really elaborate on how.

For some context:
I started wondering this (for some reason) when looking into Sabe ...

Score: 3
fgrieu avatar
What short signature standard?
ng flag

In some applications like QR-codes, saving 25 bytes out of 100 makes a difference in usability.

What choice is there for a signature scheme with (most important criteria first)

  1. As small as possible signature size (for a signature with appendix) or as small as possible added size (measured at 40-byte arbitrary message for a signature scheme with message recovery, but I'd prefer avoiding these), at co ...