Questions tagged [diffie-hellman]
The Diffie–Hellman key agreement is an anonymous, non-authenticated key-agreement protocol.
1,127 questions
5
votes
2
answers
137
views
Do KEMs protect against malicious public (encapsulating) keys?
It is widely known that elliptic curve Diffie-Hellman is vulnerable to maliciously crafted public keys, where an honestly generated private key combined with a malicious public key may result in ...
2
votes
1
answer
61
views
What's the shortest possible number of Miller loops for bn254 and bls12-381 elliptic curves for getting a bilinear pairing?
There are many papers that explore making bilinear pairings efficient, but as far as I understand, they also aim at making the final exponentiation simpler.
In my case I have an inversion algorithm whose ...
-1
votes
1
answer
141
views
Is Diffie-Hellman in $\mathsf{NP}\cap\mathsf{coNP}$ without discrete log witness?
Given prime $p$, generator $g$ of $\mathbb Z_p^*$ and $h_1,h_2,h_3\in\mathbb Z_p^*$ is $$\log_ph_3=(\log_ph_1)(\log_ph_2)$$ where at every $i\in\{1,2,3\}\mbox{ }g^{\log_ph_i}\equiv h_i\bmod p$ holds?
...
0
votes
0
answers
35
views
Is it true that if Miller inversion is easy, then the Weil pairing inversion is easy on BN curves?
I was given the following explanation; some parts of it are wrong but others look truthful:
Here is the rigorous mathematical explanation of why this technique works.
The validity of the formula $...
4
votes
1
answer
508
views
Most efficient discrete log algorithm for RFC3526 primes?
I have been using lifted ElGamal for my binary choice encryption into an exponent $g^m$, where m=0 or m=1. After ciphertext aggregation and decryption I got a message as $g^{m1+m2+m3+...+mn}$ and I ...
1
vote
1
answer
123
views
Exchanging DH public keys in encrypted handshake packets, during the authentication step - bad idea?
This question is purely to satisfy my curiosity - I'm not attempting to implement my own encryption, I'm just curious.
Let's say Alice and Bob establish a communication channel, and the first thing ...
4
votes
0
answers
89
views
Is it possible to create a useful hyperelliptic curve cover having Genus 2 for altbn254 or bls12-381?
I'm looking for a way to perform pairings without final exponentiation or where the last step is easy to invert (in order to perform pairing inversion through Miller inversion using https://eprint....
0
votes
0
answers
79
views
Seeking KDF parameters for Bitpie/imToken 2023 private backup file in {"data":...} JSON format
I have a private wallet backup file from Bitpie/imToken created in June 2023. The new version of the official app no longer supports importing this format.
The file content is a JSON object in this ...
3
votes
1
answer
324
views
Apple use of One-Pass-Diffie-Hellman
I am trying to understand how Apple Data Protection model works.
I have come across this:
NSFileProtectionCompleteUnlessOpen: Some files may need to be written while the
device is locked or the user ...
8
votes
2
answers
3k
views
What does this "lightbulb-ish" symbol mean in figure 1 of the Diffie-Hellman paper?
In Diffie and Hellman's famous paper New Directions in Cryptography from 1976, figure 1 on p. 645 (resp. second page in the linked pdf) visualizes the flow of information in symmetric cryptosystems.
...
3
votes
1
answer
166
views
Why is X3DH deniable but 3DH is not?
I'm having trouble understanding the difference between 3DH and X3DH when it comes to deniability. According to Signal's X3DH spec, deniability is relatively straight-forward. And indeed, there are ...
1
vote
0
answers
69
views
Is it possible to use Miller’s inversion algorithms to transfer the ffdlp to the ecdlp if a supersingular curve exists for the given finite field? [closed]
Simple question: everything is in the title. Pairings allow transferring the ecdlp to finite field dlp and I want to do the reverse: the aim isn’t to find a secret point but to transfer the finite ...
0
votes
1
answer
115
views
Can this algorithm about pairing inversion work in case of pairings that don’t use final exponentiation?
According to this paper page 248 and unlike its title subject, it’s possible to invert a pairing on BN curves if exponentiation inversion is easy… But what about cases where final exponentiation isn’...
1
vote
1
answer
129
views
In Diffie-Hellman key exchange, is $a=p−2$ a bad choice?
Sorry for my English.
I assume that in Diffie-Hellman key exchange, $a=p−2$ is a bad choice.
Example:
$p=11, g = 7$
Alice chooses a private key $a = 9$ and computes a public key $A = 7^9 \pmod {11} = ...
0
votes
0
answers
30
views
k- out of N oblivious transfer based on "blindable" one-more assumptions?
I was thinking about one paper I was writing and suddenly it occurred to me that I can build k-out of n oblivious transfer using any of the blindable one-more type problems (One more RSA-inversion, ...