# Questions tagged as ['signature']

Are there applications of sanitizable signatures without transparency property ?

Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the M ...

qTesla is a signature scheme and a submission to the NIST post-quantum standardization process, which made it to the second round. It is based on the hardness of RLWE. The NIST round 2 status report says that it didn't make it to round 3 because:

the performance of the remaining parameter sets of qTESLA is not strong enough to remain competitive. In particular, the public key sizes of q-TESLA-p-I ...

For $p$ a 1024-bit prime, we have a 1021-bit element $g \in \mathbb{Z}_p^*$, where the order of $g$ is much smaller than the order of $\mathbb{Z}_p^*$. How does this small-order $g$ affect the security of the signature?

Imagine this:

- Charlie chooses two integers $x_1$ and $x_2$ and signs each of these integers with the same private key.
- Charlie sends the following to Alice:
- $x_1$ and $x_2$,
- the two signatures, and
- his public key.

- Alice computes $x = x_1 + x_2$ and sends the following to Bob:
- $x$ and
- Charlie's public key.

**Can Alice prove to Bob (without involving Charlie) that $x$ is the sum of two numbers ...**

I'm new to cryptography and I'm trying to implement a secure chat application using OpenSSL.

I want to ensure that public messages (which will be shown to all users) cannot be altered during transmission.

Does the use of SSL connection guarantee that?

If not, would using digital signatures to sign every message so as to prove the identity of the sender be a proper solution?

Lets say I have a message that needs to be signed by two keys that were generated using ECDSA

Is it possible to make a signature that accounts for both keys, meaning I can verify with both and see they are valid?

An example, if we need a cryptocurrency example:

Address 1 has 10 coins Address 2 has 10 coins

Both inputs are in the transaction, and now need to be signed. Is it possible to make it so only one ...

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

- Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Suppose I use the hash-and-sign paradigm and reveal a signature on the message digest $\sigma(H(m))$. Would just revealing this signature violate message confidentiality (assuming H is one-way and collision resistant)?

Suppose Alice sends message $Enc(k_{AB}, m)$ to Bob where $k_{AB}$ is the common symmetric key. Next Alice sends a signature of $H(m)$ $\sigma_{sk_A}(H(m))$ signed under her private signing key $sk_A$ to Eve, where H is a secure hash function. Then, Bob decrypts the message and sends it to Eve where she verifies it with the signature. Here, either Alice or Bob can be malicious. If Bob is malicious, he g ...

I'm trying to implement kleptography SETUP attack of ecdsa with python. Just a simply script to verify the algorithm. However i can't get the right output as the paper said. Where is the problem? Can anyone help?

```
from ecpy.curves import Curve, Point
import hashlib
import gmpy
cv = Curve.get_curve('secp256k1')
G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x48 ...
```

I am looking a way to sign a document, so that everyone could verify that one person out of a group did, but only a special person and/or the group could know who signed it.

Let's say, X chooses a group G of people (it can be assumed that everyone has some kind of known public key). Then a member Y of G should be able to sign a document such that everyone can verify that it was signed by someone ...

I am working on an application where I have a physical product identification label containing a block of **public**, low-entropy data (~50 bytes) such as serial number and other info, all readily available right on the label. I would like to use a hash-based signature algorithm to provide an authenticity check that the product is valid.

- Is this a reasonable idea? Does the low-entropy data cause problems? ...

I'm looking for an easy to use tool to generate RsaPssSha256 digital signature of a binary file using the private key. and verify the signature using the modulus and exponent of the public key.

any suggestion?

In many papers, I see `EUF-CMA`

and `SUF-CMA`

referenced as a canonical term used, but I did not find a reference paper/book that give a formal definition of the those terms. I am looking for a reference that formally defines `EUF-CMA`

, `SUF-CMA`

security and universal forgery, similar to this answer.

I'm a layman trying to deepen my understanding of crypto and private messaging by building a (proof-of-concept) centralized, end-to-end encrypted messaging "platform".

Messages are sent by devices to the "server" (running on my Pi inside my home network) where they are stored and from whence they can be retrieved by the recipients via an api call. The server knows just the bare minimum to distrib ...

Ciphersuite website says TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is secure but how do I know which RSA is used for the signature generation? If its the hashed one, where you hash the message before signing it, cant an attacker still generate valid signatures where he computes: (message,signature):( hash(m)^e , hash(m) ) and it is a valid signature?

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with **his own private key**, Alice uses Bob's **public key** to decrypt the encrypted hash.

What is the purpose of this opposition? Or It doesn't matter which key to encrypt/decrypt?

Page 8, Paper: "Efficient Group Signature Schemes for Large Groups" by Camenisch and Stadler

(1) I was trying to understand membership certificate part. I am have only basic knowledge of math, but there seems to be quite some math behind it. Can somebody help me understand this part? "e" and "y" are not secret. Why is it infeasible to construct a triple (x, y, v) without the help of Group manager?

...

In order to provide authenticity of a sent message, we use certificates as fingerprints. But how do I know that the certificate is not stolen by someone? If the certificates are made public, why cant an attacker just take someones public certificate and identify himself as someone else?

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't g ...

Let's say I want to prove to someone that a webpage claims X. I could take a screenshot, but it could easily be doctored. However, the webpage's contents are encrypted by the domain using its private key. Is there a way to use the encrypted message to prove to someone that I haven't modified it?

I think this is possible if I generate a temporary private key and use it in the connection, then pres ...

All these post quantum signature schemes are claimed by the authors to be naturally resistant to side channel attacks. My question is, why or how?

While reading papers on cryptography, a lot of time I have seen that people pick random elements $x\in \mathbb{Z}^*_q$ to do something (like setting secret key and all). How does one randomly pick elements in reality. I mean in practical implementation, what procedure do we follow? Do we use some CSPRNG?

In the NTRU Prime submission, principle author, the well-known DJB is adamant that

[the] primary objective [of NTRU Prime] is to eliminate unnecessary complications in security review

So much so, to the extent that the idea of pure cyclotomic ring, module, decryption errors, etc. are exterminated from the design.

I think this is good, as NTRU Prime serve as a model alternative to the other design ...

Recently, I have been wondering whether you can turn any PKE scheme into a signature scheme and, if so, how (is there a general construction, or is this scheme-specific?). I have found several posts that seem to suggest this is the case (e.g., this post, and this post); however, they don't really elaborate on how.

For some context:

I started wondering this (for some reason) when looking into Sabe ...

In some applications like QR-codes, saving 25 bytes out of 100 makes a difference in usability.

**What choice is there for a signature scheme with** (most important criteria first)

**As small as possible signature size**(for a signature with appendix) or as small as possible added size (measured at 40-byte arbitrary message for a signature scheme with message recovery, but I'd prefer avoiding these), at co ...