Bilinear pairing question
Cryptography Stack Exchange
by park
4h ago
Can I calculate the equation below? e(g1^a, g2^(b)) / e(g1^a, g2^(b+c)) / e(g1^a, g2^c) = 1 '/' means divide. I think it works, but there is no evidence to prove it ..read more
Simulation-based proof of IKNP protocol(OT extension) for malicious adversary
Cryptography Stack Exchange
by Yang
4h ago
I'm reading the well-known IKNP protocol for OT extension. In section 3.1, they give proofs for malicious Sender and semi-honest Receiver. I'm very confused about the proof for malicious Sender($S^*$). They say: It is easy to verify that the joint distribution of $(\rho; s^*;Q)$, the values $(y_{j,0}; y_{j,1})$ and all values of $H$ queried by $S^*$ in the ideal process is identical to the corresponding distribution in the real process. I have no idea why it's identical. So in my opinion, what they do in Simulator is choosing some random $(\rho; s^*;Q)$ and just feeding them to $S^*$. But I ..read more
Can a Substitution Cipher achieve Confusion and Diffusion
Cryptography Stack Exchange
by revision
4h ago
By a substitution cipher I mean one where each character is replaced by another. By confusion my definition is that to solve the question, find key k such that Ek(m) = c, should be difficult and diffusion is where non-uniformities in the message are distributed by the encryption function to make it more uniform. So is it possible for a substitution cipher to achieve both. I believe it can't achieve diffusion since it treats each character independently but it may be able to achieve confusion (Possibly the mono-alphabetic substitution cipher ..read more
Is a cryptosystem based on hardness of factorization of polynomials, as defined below valid?
Cryptography Stack Exchange
by Yuri S VB
4h ago
I'm proposing a cryptosystem as defined below: Private Key: $(R, A, R^{-1})$, where $R = \left(\mathbf{r_1}, \cdots, \mathbf{r_n}\right)$ is full-rank, with $n \geq 4$, even; $A = \left(a_1\mathbf{e_1}, \cdots, a_n\mathbf{e_n} \right)$ and $a_i \neq 0$; Public Key: $B = RAR^{-1}$; Plaintext: $P \in \mathbb{F}_p^{n\times n}$ represents an ordered basis over $\mathbb{F}_p^n$; Ciphertext: $C = PBP^{-1}$; Decryption: $VR^{-1}$, where $V = \left(\mathbf{v_1}, \cdots, \mathbf{v_n}\right)$, where $C\mathbf{v_i} = a_i\mathbf{v_i}$; Document: $d \in \mathbb{F}_p$; Signature: $s = \Pi_{i = 1}^{n/2} (x ..read more
Find ECC Parameters like y,a,b with knowing p,a,x,y? [closed]
Cryptography Stack Exchange
by LM.
4h ago
Hello, I got stuck with this ECC problem at a CTF crypto chall, so basically this challenge will generate a random ECC curve & point, with given parameters like p, a, b, and x. First the chall will ask what the number y is, after that the chall will generate another random curve & point and ask what the number a is, after that the chall will generate a random curve & point and ask for the number b, after that the chall will generate a curve & point and ask for a & b, with given parameters like p, x, y, x1, y1. Is there any chance to solve it? Here's the question source ..read more
Number of iterations needed for "distinguished points" hash collision finding algorithm?
Cryptography Stack Exchange
by Froest
4h ago
I'm currently implementing the "distinguished points" collision finding algorithm on SHA-3 reduced to a lower number of bits. Let's say I'm going to find one collision on SHA-3-256bits reduced to first n=72 bits (meaning the higher 72 bits should be the same). I'm choosing the number of bits d=14 for distinguished points, meaning if the lower 14 bits in those 72 bits are all 0, then this will be considered a distinguished point (DP). My understanding and implementation can be divided into these steps: Create a number of threads. For each thread, randomly generate a starting point $x_0$. Create an e ..read more
Is semantic security equivalent to IND-CPA?
Cryptography Stack Exchange
by Jeffrey
4h ago
Is semantic security equivalent to IND-CPA? If a PKE scheme like ElGamal is semantically secure, can we say it is IND-CPA? What's the relationship between semantic security and IND-CPA ..read more
Some questions about zk AI training
Cryptography Stack Exchange
by chrisWu
4h ago
Is it reasonable that using public data and private ML model to generate a ZK-proof which shows that I truly train this model? I don't know if it can use the same scheme in ezkl. I really need some help ..read more
Why $1\leq r\leq p-1$ verification is needed for (hashed) Elgamal signature?
Cryptography Stack Exchange
by mxant
4h ago
I am reading the "Handbook of Applied Cryptography" by Menezes et al. (hashed) ElGamal Signature verification in this book talks about verification of $1\leq r\leq p-1$. Subsequently, this book also provides a justification for this verification step. I attach a picture of the verification description and corresponding justification of the check $1\leq r\leq p-1$ which is marked by $(iv)$. I fail to see how this check is stopping an adversary from just following through the steps mentioned under $(iv)$. Can somebody clarify please ..read more
SHA-3 hash function standard references
Cryptography Stack Exchange
by Umadevi Palathur
4h ago
I have noticed a slight change in the standard documentation of FIPS-202 and ISO/IEC 10118-3 documents for algorithm 5:rc(t) as below: ISO/IEC 10118-3 Algorithm 5: rc(t) Input: integer t Output: bit rc(t) Steps: a)If t mod 255 = 0, return 1. c)For i from 1 to t mod 255, let: b) Let R = 10 000 000. 1) R = 0 || R; 2) R[0] = R[0] ⊕ R[8]; 3) R[6] = R[6] ⊕ R[8]; 4) R[3] = R[3] ⊕ R[8]; 5) R[2] = R[2] ⊕ R[8]; 6) R = Trunc8 FIPS-202 Algorithm 5: rc(t) Input: integer t. Output: bit rc(t). Steps: 1. If t mod 255 = 0, return 1. 2. Let R = 10000000. 3. For i from 1 to t mod 255, let: a. R = 0 || R; b ..read more