Newest Questions

0 votes
0 answers
24 views

Universally composable (UC) security is defined in the ideal/real model paradigm. In this paradigm, a real protocol $\Pi$ is defined to be secure when the outputs of this protocol are ...
Asked by Apo
2 votes
1 answer
124 views

The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf. I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
Asked by Myath
0 votes
0 answers
33 views

To get a grasp on Elliptic Curve cryptography I would love to perform all the steps of creating a set of domain parameters myself. For that reason I chose a prime $p = 1099511627689$ and now I need to ...
Asked by actgroup inc
2 votes
1 answer
79 views

I’m using XChaCha20-Poly1305 as an AEAD cipher and I’d like to derive a separate encryption key for each encrypted file from a single long-term master key. My idea is to use HKDF-SHA256 as follows: ...
Asked by hideo
5 votes
1 answer
334 views

In the standard Keccak hash function, the sponge construction is used with Keccak-f permutation as the internal transformation. Since Keccak-f is efficiently invertible, we can walk back the internal ...
Asked by user1641237
1 vote
1 answer
65 views

My understanding is that we can formally prove that PRGs can generate a polynomial-length pseudorandom expansion of the seed. But don't the LFSRs with non-linear feedback like Trivium claim to ...
Asked by Zoey
0 votes
0 answers
32 views

I’m a software developer (not a cryptographer) and I know the usual advice “don’t roll your own crypto”. I am NOT proposing a new cipher; instead, I built a simple file container on top of standard ...
Asked by hideo
4 votes
0 answers
81 views

For a standard hash function $H$ like SHA-256, one can choose a secret message $M$, compute and publish $h=H(M)$, then prove knowledge of the preimage $M$ in zero knowledge [that is without disclosing ...
Asked by fgrieu
2 votes
1 answer
66 views

I’m currently studying FHE, specifically CKKS, as part of a seminar. I understand most of it, but I’m still stumbling over one issue that I haven’t found a clear explanation for online. Here’s the ...
Asked by LordBlacky
0 votes
1 answer
50 views

I still do not understand the security model when proving the zero-knowledge property. Take the Sigma protocol as an example: In the book Proofs, Arguments, and Zero-Knowledge (Section 12.2.1), the ...
Asked by JACK GAO
4 votes
2 answers
429 views

Is there a way for two parties, Alice and Bob (consider they are two remote systems communicating over an untrusted network), to establish or agree on a one-time pad (OTP) in an autonomous way? I mean:...
Asked by oCriptoPanquer
1 vote
1 answer
86 views

This question is purely to satisfy my curiosity - I'm not attempting to implement my own encryption, I'm just curious. Let's say Alice and Bob establish a communication channel, and the first thing ...
Asked by navnav
2 votes
0 answers
63 views

I'm considering the following Sigma protocol based on Lyubashevsky's paper (https://eprint.iacr.org/2024/1287.pdf). We are given public key $A,b=As+e$ for $A \in \mathbb Z^{n\times m}$ and private key ...
Asked by MathematicallyUnsound
4 votes
2 answers
564 views

I wish to have common ASN.1 encoding for all my numerical primitives, whether it is big int or encoded elliptic curve point. Almost always big ints are encoded as ASN.1 INTEGER, but I wish to encode ...
Asked by Azii
2 votes
0 answers
44 views

I get a statistically close to random matrix $A$ and a trapdoor over $\mathbb Z_q^{n \times m}$ using a trapdoor preimage sampler. Let's say I want to sample a short preimage for some other matrix $U$ ...
Asked by woah
