# Questions tagged as ['signature']

Algorithms and protocols for creating signatures to documents, and verifying such signatures. These are normally asymmetric, for symmetric signatures see [mac].
Score: 0
Are there applications of sanitizable signatures without transparency property?

Are there applications of sanitizable signatures without transparency property ?

Score: 2
Designated verifier signature from Diffie–Hellman and a MAC

Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the M ...

Score: 5
Is qTesla Secure?

qTesla is a signature scheme and a submission to the NIST post-quantum standardization process, which made it to the second round. It is based on the hardness of RLWE. The NIST round 2 status report says that it didn't make it to round 3 because:

the performance of the remaining parameter sets of qTESLA is not strong enough to remain competitive. In particular, the public key sizes of q-TESLA-p-I  ...

Score: 0
Security of ElGamal signature scheme with generator of small order

For $$p$$ a 1024-bit prime, we have a 1021-bit element $$g \in \mathbb{Z}_p^*$$, where the order of $$g$$ is much smaller than the order of $$\mathbb{Z}_p^*$$. How does this small-order $$g$$ affect the security of the signature?

Score: 3
Prove that $x$ is the sum of digitally signed numbers without revealing the summands

Imagine this:

• Charlie chooses two integers $$x_1$$ and $$x_2$$ and signs each of these integers with the same private key.
• Charlie sends the following to Alice:
• $$x_1$$ and $$x_2$$,
• the two signatures, and
• his public key.
• Alice computes $$x = x_1 + x_2$$ and sends the following to Bob:
• $$x$$ and
• Charlie's public key.

Can Alice prove to Bob (without involving Charlie) that $$x$$ is the sum of two numbers ...

Score: 0
How to estimate the parameter of a lattice signature scheme with lossy reduction?

The parameter of a lattice signature scheme DAZ19 with tight reduction can be choosed to make the underlying hardness problem intractable. How to estimate the parameter of a lattice signature scheme ESLL19 with lossy reduction? is there any relation between the reduction and parameter?

Score: 1
Does SSL connection provide integrity?

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

Score: 3
parameter estimating in lattice signature scheme

when reading [BDLOP18], I run the lwe-estimator with the recommended parameters in Table 2 , but the result of hermite factor is 1.007, this result is bigger than the recommended hermite factor 1.0035

Score: 0
Is it possible (and if so how) to make one proof for multiple private keys in ECDSA

Lets say I have a message that needs to be signed by two keys that were generated using ECDSA

Is it possible to make a signature that accounts for both keys, meaning I can verify with both and see they are valid?

An example, if we need a cryptocurrency example:

Both inputs are in the transaction, and now need to be signed. Is it possible to make it so only one ...

Score: 1
Should Ed25519 verification multiply by the cofactor?

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

1. Check the group equation $$[8][S]B = [8]R + [8][k]A'$$. It's sufficient, but not required, to instead check $$[S]B = R + [k]A'$$.

Does that mean that code doing verification should point-multiply both sides by $$8 = 2^c$$ for cofactor $$c$$ or should they not? The document and

Score: 0
How to ensure the data comes from verified source without using asymetric encryption

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Score: 0
Does hash-then-sign provide confidentiality?

Suppose I use the hash-and-sign paradigm and reveal a signature on the message digest $$\sigma(H(m))$$. Would just revealing this signature violate message confidentiality (assuming H is one-way and collision resistant)?

Score: 0
Is there a way to ensure that the signer has generated a valid (message, signature) pair without seeing the message?

Suppose Alice sends message $$Enc(k_{AB}, m)$$ to Bob where $$k_{AB}$$ is the common symmetric key. Next Alice sends a signature of $$H(m)$$ $$\sigma_{sk_A}(H(m))$$ signed under her private signing key $$sk_A$$ to Eve, where H is a secure hash function. Then, Bob decrypts the message and sends it to Eve where she verifies it with the signature. Here, either Alice or Bob can be malicious. If Bob is malicious, he g ...

Score: 2
kleptography SETUP attack in ecdsa

I'm trying to implement kleptography SETUP attack of ecdsa with python. Just a simply script to verify the algorithm. However i can't get the right output as the paper said. Where is the problem? Can anyone help?

from ecpy.curves import Curve, Point
import hashlib
import gmpy

cv = Curve.get_curve('secp256k1')
G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x48 ...
Score: 1
Looking for a (partly) anonymous signature

I am looking a way to sign a document, so that everyone could verify that one person out of a group did, but only a special person and/or the group could know who signed it.

Let's say, X chooses a group G of people (it can be assumed that everyone has some kind of known public key). Then a member Y of G should be able to sign a document such that everyone can verify that it was signed by someone  ...

Score: 1
Signature of low-entropy data: can they be faked?

I am working on an application where I have a physical product identification label containing a block of public, low-entropy data (~50 bytes) such as serial number and other info, all readily available right on the label. I would like to use a hash-based signature algorithm to provide an authenticity check that the product is valid.

1. Is this a reasonable idea? Does the low-entropy data cause problems? ...
Score: 0
A tool to generate and verify signature of a binary file

I'm looking for an easy to use tool to generate RsaPssSha256 digital signature of a binary file using the private key. and verify the signature using the modulus and exponent of the public key.

any suggestion?

Score: 0
Reference for a formal definition of universal forgery and EUF-CMA

In many papers, I see EUF-CMA and SUF-CMA referenced as a canonical term used, but I did not find a reference paper/book that give a formal definition of the those terms. I am looking for a reference that formally defines EUF-CMA, SUF-CMA security and universal forgery, similar to this answer.

Score: 1
In general, how do e2e messaging platforms deal with changes to the structure of the encrypted data?

I'm a layman trying to deepen my understanding of crypto and private messaging by building a (proof-of-concept) centralized, end-to-end encrypted messaging "platform".

Messages are sent by devices to the "server" (running on my Pi inside my home network) where they are stored and from whence they can be retrieved by the recipients via an api call. The server knows just the bare minimum to distrib ...

Score: 0
Is RSA in ciphersuites secure?

Ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure but how do I know which RSA is used for the signature generation? If its the hashed one, where you hash the message before signing it, cant an attacker still generate valid signatures where he computes: (message,signature):( hash(m)^e , hash(m) ) and it is a valid signature?

Score: 0
Why a private key is used to encrypt hash in digital signing

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with his own private key, Alice uses Bob's public key to decrypt the encrypted hash.

What is the purpose of this opposition? Or It doesn't matter which key to encrypt/decrypt?

Score: 0
Group Signature by Camenisch and Stadler

Page 8, Paper: "Efficient Group Signature Schemes for Large Groups" by Camenisch and Stadler

(1) I was trying to understand membership certificate part. I am have only basic knowledge of math, but there seems to be quite some math behind it. Can somebody help me understand this part? "e" and "y" are not secret. Why is it infeasible to construct a triple (x, y, v) without the help of Group manager?

...

Score: 0
Authentication of certificates

In order to provide authenticity of a sent message, we use certificates as fingerprints. But how do I know that the certificate is not stolen by someone? If the certificates are made public, why cant an attacker just take someones public certificate and identify himself as someone else?

Score: 1
How is a keyImage linked to a ring signature?

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't g ...

Score: 0
Is it possible to extract a signature from a HTTPS webpage?

Let's say I want to prove to someone that a webpage claims X. I could take a screenshot, but it could easily be doctored. However, the webpage's contents are encrypted by the domain using its private key. Is there a way to use the encrypted message to prove to someone that I haven't modified it?

I think this is possible if I generate a temporary private key and use it in the connection, then pres ...

Score: 2
Natural resistance to side channel attacks of XMSS/LMS/SPHINCS+

All these post quantum signature schemes are claimed by the authors to be naturally resistant to side channel attacks. My question is, why or how?

Score: 2
How do we pick random elements in cryptography?

While reading papers on cryptography, a lot of time I have seen that people pick random elements $$x\in \mathbb{Z}^*_q$$ to do something (like setting secret key and all). How does one randomly pick elements in reality. I mean in practical implementation, what procedure do we follow? Do we use some CSPRNG?

Score: 1
Is it possible to create a Dilithium Prime or Falcon Prime?

In the NTRU Prime submission, principle author, the well-known DJB is adamant that

[the] primary objective [of NTRU Prime] is to eliminate unnecessary complications in security review

So much so, to the extent that the idea of pure cyclotomic ring, module, decryption errors, etc. are exterminated from the design.

I think this is good, as NTRU Prime serve as a model alternative to the other design ...

Score: 1
Can a PKE scheme be turned into a signature scheme?

Recently, I have been wondering whether you can turn any PKE scheme into a signature scheme and, if so, how (is there a general construction, or is this scheme-specific?). I have found several posts that seem to suggest this is the case (e.g., this post, and this post); however, they don't really elaborate on how.

For some context:
I started wondering this (for some reason) when looking into Sabe ...

Score: 3
What short signature standard?

In some applications like QR-codes, saving 25 bytes out of 100 makes a difference in usability.

What choice is there for a signature scheme with (most important criteria first)

1. As small as possible signature size (for a signature with appendix) or as small as possible added size (measured at 40-byte arbitrary message for a signature scheme with message recovery, but I'd prefer avoiding these), at co ...