Newest Questions

1 vote
0 answers
18 views

My question is more about typesetting than about crypto. I work with the cryptocode package in $\LaTeX$ and want to generate descriptions of games with oracles. My goal ...
Michael Hammer
1 vote
0 answers
32 views

I'm trying to solve the discrete log problem in this context: I have a curve given by a short Weierstrass equation $y^2 = x^3+ax+b$, where the point addition and scalar multiplication are done ...
Rybashka
0 votes
0 answers
30 views

Brothers. I'm a 21-year-old college student studying security and cryptography in South Korea. When I first encountered quantum computers a few years ago, I didn't pay much attention, but seeing the ...
김경민
0 votes
1 answer
69 views

Given prime $p$, generator $g$ of $\mathbb Z_p^*$ and $h_1,h_2,h_3\in\mathbb Z_p^*$ is $$\log_ph_3=(\log_ph_1)(\log_ph_2)$$ where at every $i\in\{1,2,3\}\mbox{ }g^{\log_ph_i}\equiv h_i\bmod p$ holds? ...
Turbo
2 votes
2 answers
99 views

In TLS, mlkem768x25519 derives a master shared secret from a concatenation of the x25519 shared secret and the ML-KEM shared secret. The FIPS-approved hybrid PQC key agreement algorithm, ...
forest
4 votes
1 answer
134 views

Streamlined NTRU Prime (SNTRUP) is a post-quantum KEM that achieves IND-CCA2 security. According to DJB's website, Streamlined NTRU Prime is designed to minimize the complexity of a thorough security ...
forest
0 votes
0 answers
30 views

Consider the following problem: we have two parties, Alice and Bob. Alice has some sensitive data D (for Data) that she does not want to reveal to Bob. Bob has some sensitive code C (for Code) that he ...
Kaveh
0 votes
0 answers
23 views

I was given the following explanation; some parts of it are wrong but others look truthful: Here is the rigorous mathematical explanation of why this technique works. The validity of the formula $...
user2284570
4 votes
1 answer
425 views

I have been using lifted ElGamal for my binary choice encryption into an exponent $g^m$, where $m=0$ or $m=1$. After ciphertext aggregation and decryption I got a message as $g^{m_1+m_2+m_3+\dots+m_n}$ and I ...
ojacomarket
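Worked example added here for the lifted ElGamal question above; it is not code from the asker. It shows the whole path the excerpt describes: each binary choice is encrypted as $g^m h^r$, the ciphertexts are multiplied componentwise so the plaintexts add in the exponent, and after decryption the sum $M=m_1+\dots+m_n$ is recovered from $g^M$ by trying every candidate $0\ldots n$ (a lookup table or brute force is the standard way out, since $M$ is bounded by the number of votes). The group parameters ($p=1019$, $q=509$, $g=4$) are constructed toy values far too small for real use.

```python
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 (a square) generates the
# order-q subgroup of quadratic residues. Real deployments use a 256-bit-order group.
P = 1019
Q = 509
G = 4


def keygen():
    """Private key x in [1, q-1], public key h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_bit(h, m):
    """Lifted ElGamal: the bit m sits in the exponent, so ciphertexts multiply to add messages."""
    if m not in (0, 1):
        raise ValueError("only a binary choice is encrypted")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P


def aggregate(ciphertexts):
    """Componentwise product: the result encrypts m_1 + ... + m_n under the same key."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1 = c1 * a % P
        c2 = c2 * b % P
    return c1, c2


def decrypt_sum(x, ciphertext, max_sum):
    """Recover g^M, then M itself by exhaustive search over 0..max_sum.

    max_sum is the number of aggregated votes; it must stay below q, otherwise the sum
    wraps in the exponent and can no longer be read off.
    """
    c1, c2 = ciphertext
    g_m = c2 * pow(c1, P - 1 - x, P) % P  # c1^(p-1-x) == c1^(-x) mod p by Fermat's little theorem
    for m in range(max_sum + 1):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("exponent outside 0..max_sum: wrong key or malformed ciphertext")


def tally(bits):
    """End-to-end run: encrypt every bit, aggregate, decrypt the sum."""
    x, h = keygen()
    cts = [encrypt_bit(h, b) for b in bits]
    return decrypt_sum(x, aggregate(cts), len(bits))
```

For a real tally the linear scan would be replaced by a precomputed table of $g^m$ for $m \le n$, but the bound on $M$ is what makes either approach work; without it, recovering $M$ from $g^M$ is exactly the discrete log problem the scheme relies on.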
1 vote
0 answers
53 views

Universally composable (UC) security is defined in the ideal/real model paradigm. In this paradigm, a real protocol $\Pi$ is defined to be secure when the outputs of this protocol are ...
Apo
2 votes
1 answer
148 views

The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf. I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
Myath
0 votes
0 answers
43 views

To get a grasp on Elliptic Curve cryptography I would love to perform all the steps of creating a set of domain parameters myself. For that reason I chose a prime $p = 1099511627689$ and now I need to ...
actgroup inc
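Worked example added here for the two short Weierstrass posts on this page (the discrete log question and the one about building domain parameters by hand); it is not code from either asker. It implements affine point addition, doubling and double-and-add scalar multiplication on $y^2 = x^3+ax+b$ over $\mathbb F_p$, counts the curve order by direct enumeration (feasible only for a tiny prime, so the constructed toy curve uses $p=97$, $a=2$, $b=3$, base point $(3,6)$, not the $p = 1099511627689$ of the question), and solves a small discrete log with baby-step giant-step. Needs Python 3.8+ for `pow(x, -1, p)`.

```python
import math

# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97 (non-singular: 4a^3 + 27b^2 = 81 mod 97).
P_MOD = 97
A = 2
B = 3
G = (3, 6)  # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97), so G is on the curve


def is_on_curve(pt, a=A, b=B, p=P_MOD):
    if pt is None:  # None represents the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def ec_neg(pt, p=P_MOD):
    return None if pt is None else (pt[0], (-pt[1]) % p)


def ec_add(pt1, pt2, a=A, p=P_MOD):
    """Affine chord-and-tangent addition; handles infinity, inverses and doubling."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # pt2 == -pt1 (also covers doubling a point with y == 0)
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, pt, a=A, p=P_MOD):
    """Right-to-left double-and-add (not constant-time; fine for a teaching example)."""
    result = None
    addend = pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend, a, p)
        addend = ec_add(addend, addend, a, p)
        k >>= 1
    return result


def curve_order(a=A, b=B, p=P_MOD):
    """#E(F_p) by counting square right-hand sides; only feasible for tiny p."""
    count = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            count += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a non-zero square
            count += 2
    return count


def ec_dlog(base, target, n, a=A, p=P_MOD):
    """Baby-step giant-step: smallest k < n with k*base == target, or None if there is none."""
    m = math.isqrt(n) + 1
    baby = {}
    r = None
    for j in range(m):
        baby.setdefault(r, j)
        r = ec_add(r, base, a, p)
    giant_step = ec_neg(ec_mul(m, base, a, p), p)  # subtract m*base each giant step
    r = target
    for i in range(m):
        if r in baby:
            return i * m + baby[r]
        r = ec_add(r, giant_step, a, p)
    return None
```

Point counting by enumeration is $O(p)$ and is only there to show what the order means; for a 40-bit prime like the one in the question, Schoof's algorithm (as implemented in PARI/GP or Sage) is the tool. The order of the curve as a whole must then be factored, and a base point of large prime order chosen, before the parameters are usable.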
2 votes
1 answer
112 views

I’m using XChaCha20-Poly1305 as an AEAD cipher and I’d like to derive a separate encryption key for each encrypted file from a single long-term master key. My idea is to use HKDF-SHA256 as follows: ...
hideo
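Worked example added here for the per-file key derivation question above; it is not the asker's construction (the excerpt cuts off before the details) but one reasonable way to do what it describes: HKDF-SHA256 as specified in RFC 5869, with a domain-separating label and a length-prefixed file identifier in the `info` string, producing a 32-byte XChaCha20-Poly1305 key per file from one long-term master key. The label string and the 4-byte length prefix are assumptions of this example.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt, ikm):
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 step 2: OKM = T(1) || T(2) || ..., T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF cannot expand past 255 * HashLen bytes")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_file_key(master_key, file_id, key_len=32):
    """Per-file subkey for XChaCha20-Poly1305 from one master key.

    Assumed construction (this example's choice): empty salt, and
    info = fixed label || 4-byte big-endian len(file_id) || file_id.
    The label separates this use from any other HKDF use of the same master key;
    the explicit length keeps the info string unambiguous, so the ids "ab"+"c" and
    "a"+"bc" cannot produce the same key.
    """
    if len(master_key) < 32:
        raise ValueError("master key should carry at least 256 bits of entropy")
    prk = hkdf_extract(b"", master_key)
    info = (b"example-file-container/xchacha20poly1305/key/v1"
            + len(file_id).to_bytes(4, "big") + file_id)
    return hkdf_expand(prk, info, key_len)
```

Each derived key still needs a fresh 24-byte random nonce stored next to the ciphertext; deriving the nonce from the same `(master_key, file_id)` inputs is only safe if a file identifier is never reused for a different plaintext (re-encrypting a changed file under the same id would then reuse key and nonce together). Extract-then-expand is cheap, so derive on demand rather than storing per-file keys.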
5 votes
1 answer
356 views

In the standard Keccak hash function, the sponge construction is used with Keccak-f permutation as the internal transformation. Since Keccak-f is efficiently invertible, we can walk back the internal ...
user1641237
1 vote
1 answer
101 views

My understanding is that we can formally prove that PRGs can generate a polynomial length pseudorandom expansion of the seed. But don't the FSRs with non linear feedback like Trivium claim to generate ...
Zoey
0 votes
0 answers
32 views

I’m a software developer (not a cryptographer) and I know the usual advice “don’t roll your own crypto”. I am NOT proposing a new cipher; instead, I built a simple file container on top of standard ...
hideo
4 votes
0 answers
104 views

For a standard hash function $H$ like SHA-256, one can choose a secret message $M$, compute and publish $h=H(M)$, then prove knowledge of the preimage $M$ in zero knowledge [that is without disclosing ...
fgrieu
2 votes
1 answer
97 views

I’m currently studying FHE, specifically CKKS, as part of a seminar. I understand most of it, but I’m still stumbling over one issue that I haven’t found a clear explanation for online. Here’s the ...
LordBlacky
0 votes
1 answer
59 views

I still do not understand the security model when proving the zero-knowledge property. Take the Sigma protocol as an example: In the book Proofs, Arguments, and Zero-Knowledge (Section 12.2.1), the ...
JACK GAO
4 votes
2 answers
443 views

Is there a way for two parties, Alice and Bob (consider they are two remote systems communicating over an untrusted network), to establish or agree on a one-time pad (OTP) in an autonomous way? I mean:...
oCriptoPanquer
1 vote
1 answer
98 views

This question is purely to satisfy my curiosity - I'm not attempting to implement my own encryption, I'm just curious. Let's say Alice and Bob establish a communication channel, and the first thing ...
navnav
2 votes
0 answers
72 views

I'm considering the following Sigma protocol based on Lyubashevsky's paper (https://eprint.iacr.org/2024/1287.pdf). We are given public key $A,b=As+e$ for $A \in \mathbb Z^{n\times m}$ and private key ...
MathematicallyUnsound
4 votes
2 answers
583 views

I wish to have common ASN.1 encoding for all my numerical primitives, whether it is big int or encoded elliptic curve point. Almost always big ints are encoded as ASN.1 INTEGER, but I wish to encode ...
Azii
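Worked example added here for the ASN.1 encoding question above; it is not the asker's code. It shows the two DER choices the excerpt contrasts, a minimal two's-complement INTEGER for a big int (leading 0x00 only when the top bit of the magnitude is set) and an OCTET STRING wrapping an already-serialized point (for instance a SEC1 `04||X||Y` encoding), together with a strict decoder that rejects the non-minimal length and INTEGER encodings BER would tolerate. The length rules and tag bytes are those of X.690; the helper names are this example's.

```python
def der_length(n):
    """DER length: short form below 128, otherwise 0x80|k followed by k minimal big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Minimal two's-complement INTEGER for a non-negative big int.

    A 0x00 is prepended only when the first magnitude byte has its high bit set;
    without it the value would decode as negative.
    """
    if value < 0:
        raise ValueError("negative values are not used for the primitives discussed here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_octet_string(data):
    """OCTET STRING: the natural wrapper for an already-serialized EC point."""
    return b"\x04" + der_length(len(data)) + bytes(data)


def parse_tlv(buf):
    """Split one DER element into (tag, content, remainder), rejecting non-minimal lengths."""
    if len(buf) < 2:
        raise ValueError("truncated element")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported or truncated length")
        if buf[2] == 0:
            raise ValueError("non-minimal length (leading zero byte)")
        length = int.from_bytes(buf[2:2 + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length (long form used for a short length)")
        offset = 2 + n
    if len(buf) < offset + length:
        raise ValueError("truncated content")
    return tag, buf[offset:offset + length], buf[offset + length:]


def decode_integer(buf):
    """Strict INTEGER decoder: (value, remainder); rejects padding a lax parser would accept."""
    tag, content, rest = parse_tlv(buf)
    if tag != 0x02 or not content:
        raise ValueError("not a well-formed INTEGER")
    if len(content) > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    if content[0] & 0x80:
        raise ValueError("negative INTEGER not expected here")
    return int.from_bytes(content, "big"), rest


def decode_octet_string(buf):
    tag, content, rest = parse_tlv(buf)
    if tag != 0x04:
        raise ValueError("not an OCTET STRING")
    return bytes(content), rest


def is_strict_integer(buf):
    """True when buf is exactly one minimally encoded non-negative INTEGER and nothing else."""
    try:
        _, rest = decode_integer(buf)
        return rest == b""
    except ValueError:
        return False
```

Whatever convention is chosen, the decoder should enforce it: two byte strings that decode to the same value but differ in padding are the classic source of "same key, different fingerprint" and signature-encoding malleability problems, and a strict DER parser removes that whole class by construction.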
2 votes
0 answers
48 views

I get a statistically close to random matrix $A$ and a trapdoor over $\mathbb Z_q^{n \times m}$ using a trapdoor preimage sampler. Let's say I want to sample a short preimage for some other matrix $U$ ...
woah
0 votes
0 answers
11 views

I have a question that needs answering. I am currently in the middle of changing careers and have some interest in the tech field. Earlier this year, I made a list of jobs/careers that I wanted to ...
Sky
2 votes
3 answers
275 views

I have read the Keccak team document about PRNG. When you hash with Keccak SHAKE the amount of random bytes you wish to return is unlimited, i.e. I can fetch() as ...
ojacomarket
0 votes
4 answers
162 views

I'm a new IT student. I need to understand the typical digital signatures, such as DSS, DSA or others, in e-commerce.
Jean Tinialaou
2 votes
1 answer
69 views

Is there a way to generate a backup of a GnuPG private key (without encryption) using any kind of Secret Sharing (like Shamir's Secret Sharing Scheme)? The idea is getting something that can be ...
eloyesp
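Worked example added here for the GnuPG key backup question above; it is not the asker's code and it does not touch GnuPG itself. It implements Shamir's scheme byte-wise over $\mathrm{GF}(2^8)$ (the AES field), so any byte string, such as the output of `gpg --export-secret-keys`, can be split into $n$ shares of which any $k$ reconstruct it. The threshold and share count below are constructed sample values.

```python
import secrets


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """a^254 == a^-1 in GF(2^8), since every non-zero element satisfies a^255 == 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x^i); coeffs[0] is the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` pairs (x, y_bytes); any `threshold` of them recover `secret`.

    Each byte of the secret gets its own random polynomial of degree threshold-1 with
    the secret byte as constant term. x = 0 is never used as a share index because
    evaluating there would hand out the secret directly.
    """
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    return [(x, bytes(poly_eval(poly, x) for poly in polys)) for x in range(1, shares + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0; in characteristic 2 subtraction is XOR and -x == x."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    length = len(shares[0][1])
    out = bytearray()
    for pos in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            basis = 1  # L_j(0) = prod_{m != j} x_m / (x_m - x_j)
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    basis = gf_mul(basis, gf_mul(xm, gf_inv(xm ^ xj)))
            acc ^= gf_mul(yj[pos], basis)
        out.append(acc)
    return bytes(out)
```

Two caveats a practitioner would add: the shares are as sensitive as the unencrypted key they reconstruct (fewer than `threshold` of them reveal nothing, but `threshold` of them are the key), and plain Shamir shares carry no integrity, so a corrupted or maliciously altered share yields a wrong key silently. Storing a hash of the exported key next to the shares, or using a share format that authenticates each share, catches that at recovery time.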
3 votes
1 answer
432 views

In the third step of the Schnorr protocol, the prover's response takes the form $z=r+cx$. Why can't the form $z=cr+x$ work? I found that these answers 1 and 2 are related to my question. However, ...
JACK GAO
9 votes
2 answers
2k views

This is a speculative question that may be hard to answer reliably. Apologies. According to a TechCrunch article linked here: A stunning report in Forbes today detailed that the NSA's rapidly ...
kodlu
