
Questions tagged [elliptic-curves]

Elliptic curves are algebraic-geometric structures with applications in cryptography. Such a curve consists of the set of solutions to a cubic equation over a finite field equipped with a group operation. Questions relating to elliptic curves and derived algorithms should use this tag and might also consider more specific tags such as discrete-logarithm and ecdsa.

2 votes
1 answer
140 views

Can we use Super-Elliptic or Supersingular Elliptic Curves in Cryptography?

I am reading in literature articles and journals about Super Elliptic Curves and Super Singular Elliptic Curves such as this: https://arxiv.org/pdf/1906.02373 I have 2 questions: Do Super Elliptic ...
someone • 51
-1 votes
1 answer
69 views

Is MOV attack against ECDLP fundamentally impossible?

The main idea of the MOV attack is to map the EC additive group of order $n$ to a multiplicative group in the finite field extension $p^k$. For this, the groups must have the same order, which fully relies ...
Ярослав Ладанов
1 vote
0 answers
37 views

Given powers of tau, the verifying and the proving key, how can I find the point [f] resulting from the trusted setup in Groth16?

For each circuit, Groth16 requires computing a point $f$ such that $f=s×G$. While revealing the scalar $s$ used for computing $f$ would allow producing fake proofs, $f$ can be exposed to the public. ...
user2284570
1 vote
0 answers
52 views

Does a Curve448 shared secret need to be hashed?

I am planning to implement key agreement in an application, and Curve25519 offers the right properties for 128-bit security (AES-128). In a question I previously asked (Can Curve25519 shared secret be ...
juhist • 1,371
5 votes
2 answers
801 views

Can Curve25519 shared secret be safely truncated to half its size?

I am planning to use a key agreement mechanism in an application needing ephemeral keys, and Curve25519 looks promising, specifically because it offers 128 bits of security, just fine for AES-128 ...
juhist • 1,371
1 vote
1 answer
121 views

How to Generate Low-Order Generator Points on Elliptic Curves

How can one generate a 'Generator Point' on an elliptic curve that has an extremely low order? Take this Elliptic Curve from HTB Cyber Apocalypse 2024. The order of G is 11. How can one replicate this ...
PotatoTomato
1 vote
1 answer
43 views

How to modify a positive scalar in scalar multiplication in order to get the additive inverse on twisted Edwards curves?

I know this is something possible because of Pedersen Hash: when truncating the hash to keep only the X coordinate, is it possible to compute a collision when the Babyjubjub curve is used? ...
user2284570
2 votes
1 answer
121 views

Is it possible to use abstract groups to generalize DSA, ECDSA and EdDSA signature creation and verification?

It is known that the DSA algorithm is defined as: Bob creates private $x$ and public $Y=G^x\bmod p$ keys, where $G$ - generator, $p$ - group prime order Selects random value $k$ from $1 \le k\le q-1$ $...
Azii • 77
0 votes
0 answers
25 views

A serious security issue in remote data storage

In order to ensure the integrity of remote data, Ateniese et al. first proposed the idea of provable data possession (PDP). In this proof, the data are computed as elements on a G-group in the form of ...
nan gan
0 votes
1 answer
100 views

Using Sagemath, how to exactly find out what the order of a point of an elliptic curve in the twisted Edwards form is?

Simple question and I’m fully aware of the other question, but I need the answer for curves in the twisted Edwards form and I suppose converting the curve and the point to the Weierstrass form would ...
user2284570
3 votes
2 answers
514 views

Does ElGamal homomorphic encryption using additive groups work only for Discrete Log ElGamal? What about EC ElGamal?

It is known that in Discrete Log ElGamal encryption, the ciphertext $E$ is encrypted as: $a\ =\ g^k$, where $k$ - random scalar from $[0,\ p)$, $g$ - group generator $b\ =\ (Y^k*m)\mod\ p$, where $Y$ -...
Azii • 77
0 votes
0 answers
48 views

Why exactly finding the same result by changing a scalar in such a case is equivalent to solving the discrete logarithm between one or more points?

Let’s say I have 3 randomly sampled points on a curve in Edwards form (sampled only the first time and not at each computation) $P1$, $P2$, $P3$ and 3 scalars $S1$, $S2$, $S3$ such that: Both $S1$ $S2$ $...
user2284570
0 votes
0 answers
44 views

Edwards curve example

I am looking to deepen my understanding of Edwards elliptic curves, specifically focusing on addition operations. Could anyone recommend books or websites that provide detailed examples with numerical ...
Nawras Hussein
2 votes
1 answer
164 views

Is it possible to abstract an ElGamal encryption for EC and Discrete Log by using a Group Law?

ElGamal encryption for Discrete Log is defined as: Bob side does: $Y\ =\ (g^x)\ mod\ P$, where $g$ - generator, $x$ - random value among the group elements and $P$ - prime number, typically ultra ...
Azii • 77
1 vote
1 answer
162 views

DH Encrypt by XOR

I'm working in the Curve25519 domain (EC curve, 256-bit key size). I have a peer pubkey, and need to send it an encrypted message. For starters we create a "nonce" (ephemeral key), and use ...
valdo • 359
