Newest Questions

1 vote, 0 answers, 6 views

In TLS, mlkem768x25519 derives a master shared secret from a concatenation of the x25519 shared secret and the ML-KEM shared secret. The FIPS-approved hybrid PQC key agreement algorithm, ...
asked by forest
2 votes, 1 answer, 6 views

Both ML-KEM (Kyber) and Streamlined NTRU Prime are post-quantum KEMs that achieve IND-CCA2 security. According to DJB's website, Streamlined NTRU Prime is designed to minimize the complexity of a ...
asked by forest
0 votes, 0 answers, 19 views

Consider the following problem: we have two parties: Alice and Bob Alice has some sensitive data D (for Data) that she does not want to reveal to Bob Bob has some sensitive code C (for Code) that he ...
asked by Kaveh
0 votes, 0 answers, 20 views

I was given the following explanation; some parts of it are wrong but others look truthful: Here is the rigorous mathematical explanation of why this technique works. The validity of the formula $...
asked by user2284570
4 votes, 1 answer, 399 views

I have been using lifted ElGamal for my binary choice encryption into an exponent $g^m$, where m=0 or m=1. After ciphertext aggregation and decryption I got a message as $g^{m1+m2+m3+...+mn}$ and I ...
asked by ojacomarket
1 vote, 0 answers, 50 views

Universally composable (UC) security is defined in the ideal/real model paradigm. In this paradigm, a real protocol $\Pi$ is defined to be secure when the outputs of this protocol are ...
asked by Apo
2 votes, 1 answer, 142 views

The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf. I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
asked by Myath
0 votes, 0 answers, 40 views

To get a grasp on Elliptic Curve cryptography I would love to perform all the steps of creating a set of domain parameters myself. For that reason I chose a prime $p = 1099511627689$ and now I need to ...
asked by actgroup inc
2 votes, 1 answer, 108 views

I’m using XChaCha20-Poly1305 as an AEAD cipher and I’d like to derive a separate encryption key for each encrypted file from a single long-term master key. My idea is to use HKDF-SHA256 as follows: ...
asked by hideo
5 votes, 1 answer, 349 views

In the standard Keccak hash function, the sponge construction is used with Keccak-f permutation as the internal transformation. Since Keccak-f is efficiently invertible, we can walk back the internal ...
asked by user1641237
1 vote, 1 answer, 99 views

My understanding is that we can formally prove that PRGs can generate a polynomial length pseudorandom expansion of the seed. But don't the FSRs with non linear feedback like Trivium claim to generate ...
asked by Zoey
0 votes, 0 answers, 32 views

I’m a software developer (not a cryptographer) and I know the usual advice “don’t roll your own crypto”. I am NOT proposing a new cipher; instead, I built a simple file container on top of standard ...
asked by hideo
4 votes, 0 answers, 97 views

For a standard hash function $H$ like SHA-256, one can choose a secret message $M$, compute and publish $h=H(M)$, then prove knowledge of the preimage $M$ in zero knowledge [that is without disclosing ...
asked by fgrieu
2 votes, 1 answer, 86 views

I’m currently studying FHE, specifically CKKS, as part of a seminar. I understand most of it, but I’m still stumbling over one issue that I haven’t found a clear explanation for online. Here’s the ...
asked by LordBlacky
0 votes, 1 answer, 56 views

I still do not understand the security model when proving the zero-knowledge property. Take the Sigma protocol as an example: In the book Proofs, Arguments, and Zero-Knowledge (Section 12.2.1), the ...
asked by JACK GAO
