Questions tagged [signature]
Algorithms and protocols for creating signatures to documents, and verifying such signatures. These are normally asymmetric, for symmetric signatures see [mac].
1,538 questions
2 votes, 1 answer, 158 views
Question about some details in SQIsign signing algorithm
The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf.
I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
2 votes, 0 answers, 76 views
Slack in bounds between LWE problem and LWE Sigma protocol extractor
I'm considering the following Sigma protocol based on Lyubashevsky's paper (https://eprint.iacr.org/2024/1287.pdf).
We are given public key $A,b=As+e$ for $A \in \mathbb Z^{n\times m}$ and private key ...
4 votes, 2 answers, 315 views
On the unfoundedness of signing as "inverse" of public-key decryption
In their book "Introduction to Modern Cryptography," Katz and Lindell wrote:
Digital signatures are often mistakenly viewed as the “inverse” of public-key encryption, with the roles of the ...
6 votes, 2 answers, 1k views
Is it insecure to use a hash with secret salt instead of a signature?
I have a chunk of data that I need to round-trip through a service that I don't trust, and I want to make sure the data hasn't been tampered with in-transit. I have limited memory and limited storage, ...
1 vote, 1 answer, 79 views
Implementing a Kubernetes KMS with a Relatively-Limited HSM
I would like to implement an HSM-backed KMS server for Kubernetes secrets and Talos Linux disk encryption keys for use in my homelab. I have a SmartCard-HSM EA+ for this purpose. Because of the ...
3 votes, 2 answers, 177 views
Deuring correspondence in SQIsign
I have some questions to clarify my understanding about Deuring correspondence between quaternions and isogenies in SQIsign(2D) version 2.0.1 https://sqisign.org/
Let $E_0$ be an elliptic curve with ...
1 vote, 1 answer, 91 views
Linear relations for ECDSA
I am reading What are elliptic curve pairings? by Marek Leip, specifically the section called Linear Relations.
There, it says that:
Prover has some numbers $(x_1, x_2, ...)$ and uses $c$ to ...
0 votes, 1 answer, 299 views
ECDSA signature forgery for arbitrary message hash
How feasible is it if someone is able to forge a signature for any arbitrary message hashes, given the public key of a secret key? If it is feasible, then what implications would this have?
What I ...
0 votes, 1 answer, 142 views
Probability of aborting in LWE-based Fiat-Shamir with aborts
I'm considering a simplified version of Lyubashevsky's LWE-based sigma protocol as outlined in (https://eprint.iacr.org/2024/1287.pdf).
We are given public key $A,b=As+e$ for $A \in \mathbb Z^{n\times ...
0 votes, 0 answers, 71 views
Dynamic group signature scheme with revocation for millions of verifiers (constant-size info)
I have some weird requirements for a group signature scheme and I've been having trouble finding something that fits all of them:
I need it to be fully dynamic, and without the ability to correlate ...
1 vote, 0 answers, 60 views
Retrieving the Partial Secret Key in Naive Lattice-Based Threshold Signature Scheme
I recently read about TRaccoon, one of the proposed lattice-based threshold signature schemes. The paper first discusses the problem with the naive "thresholdization" of the Lyubashevsky-...
1 vote, 1 answer, 117 views
Security reduction advantage bounds
Suppose we have a hard problem, and a signature scheme based on that hard problem. Why do we try and bound the advantage of forger for the signature scheme above by the advantage of an adversary ...
3 votes, 2 answers, 358 views
In the RSA(SSA)-PSS signature scheme, why does the message need to be hashed twice and why is masking the "salt" needed?
I'm trying to understand the design of RSA(SSA)-PSS, as shown here:
https://upload.wikimedia.org/wikipedia/commons/5/53/RSASSA-PSS_PSS-encode.png
Two things I don't really understand:
Why does the ...
1 vote, 0 answers, 85 views
Are ID protocols functionally equivalent to digital signatures?
In PKC, it's common knowledge that key exchange and public-key encryption are functionally equivalent, and you can get one from the other, barring the difference in semantic security definitions, of course.
...
1 vote, 0 answers, 62 views
Why do MQ-based signature schemes sign an image, and not a preimage?
In multivariate signature schemes like UOV and its variants, the signer signs a message $t\in \mathbb{F}_p^m$ by demonstrating a preimage $s\in \mathbb{F}_p^n$ such that $\mathcal{P}(s)=t$, for a ...