Most Popular
1500 questions
10 votes, 1 answer
Most influential/illuminating papers/books/courses on lattice based cryptography?
I'm interested in some sort of "compendium" on lattice-based crypto. There is a bunch of maths behind FALCON and other stuff. A lot of articles are devoted to lattice crypto, but not all of them are of paramount importance. The other problem is that…
Kirill Tsar.
10 votes, 4 answers
Is there any protocol for proving that a message was written at a certain time?
Does there exist a way to cryptographically prove that a message was written at a certain time? I know that one can write messages in bitcoin transactions so that the message is preserved in the blockchain, which can be used to prove the message was…
Christine Sheng
10 votes, 2 answers
Are interactive proofs more secure than their non-interactive counterpart?
Given an interactive zk proof, if we use Fiat-Shamir to make it a NIZK proof, does the proof become less secure?
Are there any new attack vectors that get introduced?
Is there any reason to use the interactive version over the non-interactive version?…
WeCanBeFriends
10 votes, 4 answers
Signature security proof in the Random Oracle model
As a study case, I consider the BLS signature scheme, but the following question is relevant in the general context of security proofs in the Random Oracle model.
Let us briefly recall the BLS signature scheme:
Let $e:G \times G \to G_t$ be a bilinear…
Snoop Catt
10 votes, 0 answers
What is the origin of the phrase "Don't roll your own crypto"?
The phrase is well-known and widely used; it is often attributed to Bruce Schneier and is indeed relevant to Schneier's Law. However, I wasn't able to find this specific wording among Schneier's publications.
Is there any single author of the…
rkiyanchuk
10 votes, 1 answer
Contradiction to the Sequential Self-Composability of Black-Box Zero-Knowledge?
In short: it is well-known that black-box zero-knowledge protocols are sequentially self-composable. However, Goldreich and Krawczyk [GK90] present a protocol which is proven to be zero-knowledge (in a black-box manner to me), but NOT sequentially…
Xiao Liang
10 votes, 1 answer
What's the difference among Vector Commitment, Zero-knowledge Set, Zero-knowledge Accumulator, and Zero-knowledge Elementary Database?
Vector commitment allows one to commit to an ordered sequence of $q$ values ($m_1,\cdots,m_q$) in such a way that one can later open the commitment at specific positions (e.g., prove that $m_i$ is the $i$-th committed message).
A Zero-knowledge set…
Qiang Wang
10 votes, 3 answers
How do the AWS secret key and access key work?
Those keys are too short to be public/private RSA keys. What are they? How does it use them to authenticate the client?
My guess is:
- AWS access key ID is a form of unique user/account identifier
- AWS secret key is like a private key
- When AWS CLI sends…
user855
10 votes, 4 answers
Encrypting small values with RSA private key
I'm looking for best practices when it comes to encrypting small (< 128 bytes) amounts of data with the RSA private key. Signing it would make the resulting payload too large.
joe
10 votes, 1 answer
Why have static RSA and Diffie-Hellman cipher suites been removed in TLS 1.3?
Why have static RSA and Diffie-Hellman cipher suites been removed in TLS 1.3?
How can keys be exchanged then?
https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-28
Nathan Aw
10 votes, 0 answers
Offline Group Key Agreement - Cross Device Syncing
I have a specific use case I am interested in. I have spent the better part of the night reading research papers. I am beginning to believe that what I want is not possible, so I wanted to confirm here.
Scenario: I have customers with a private key.…
Mark
10 votes, 2 answers
Concrete evidence for the asymptotics of $\lambda_1(\Lambda^\perp(A))$?
A recent eprint paper claims to bound $\lambda_1(\Lambda^\perp(\mathbf{A}))$ for $\mathbf{A}\in\mathbb{Z}^{n\times m}$, a uniformly random matrix, by $O(1)$, specifically by $4$. This has applications to solving $\mathsf{SIS}_{n,m,q,4}$ in…
Mark
10 votes, 1 answer
How does BearSSL's GCM modular reduction work?
BearSSL (in src/hash/ghash_ctmul.c) seems to be doing a modular reduction that I don't completely understand. Here's the code:
/*
* GHASH specification has the bits "reversed" (most
* significant is in fact least significant), which does
* not…
neubert
10 votes, 1 answer
Understanding Feldman's VSS with a simple example
I'm trying to understand Feldman's VSS scheme. The basic idea of that scheme is that one uses Shamir secret sharing to share a secret, and commitments to the coefficients of the polynomial to allow the other party to verify that the share they…
mikeazo
10 votes, 4 answers
If Kerckhoff's Principle holds, why do we need a cipher at all?
I understand Kerckhoff's principle, in a very practical sense, that the best attack that can be performed on a given cryptographic algorithm should be only as practical, if not less practical, than an exhaustive key search, that is, testing every…
Will Burghard