Questions tagged [prime-field]

A prime field is a field not containing proper subfields. Every field contains a unique prime field. A prime field of characteristic 0 is isomorphic to the field of rational numbers. A prime field of characteristic p is isomorphic to the field Z/pZ of integers modulo p, often denoted Fp or

30 questions
21 votes, 5 answers

Are there any (asymmetric) cryptographic primitives not relying on arithmetic over prime fields and/or finite fields?

Trying to figure out if any (asymmetric) cryptographic primitives exist which do not rely on arithmetic over a prime field and/or arithmetic over a finite field, some people might get lost in research. Therefore, here’s the related question…
Mike Edward Moras
6 votes, 2 answers

Why does libSTARK use binary fields as opposed to prime fields for zk-SNARKs?

zk-STARKs make use of FRI for low degree testing of polynomials. The zk-STARKs paper states on page 11: "we stress that ZK-STARK could also operate over prime fields but we have not realized this in code", with a footnote: the FRI system requires p…
Owen Delahoy
4 votes, 1 answer

Why is the strength of an Elliptic Curve Cryptography (ECC) half the size of the prime field size?

I've looked around and couldn't find a direct answer. As a general rule, I've read from various sources (here, here, and here) that the strength of an elliptical curve key is half of the size of the prime field. I.e. for a 256-bit prime field (like a…
THG
4 votes, 2 answers

Randomizing Prime Field Elements

I need my code to generate random elements from $GF(p)$ ($F_p$ or $Z_p$, if you will). The Crypto API I have available provides one with random bit strings. To tailor that to my needs, I can think of two possible solutions, each with its…
3 votes, 1 answer

Questions about the Curve25519-donna implementation

I'm trying to understand the implementation of the following function: Please note questions in comments. int curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) { limb bp[5], x[5], z[5], zmone[5]; // why 5 elements in…
3 votes, 2 answers

Is the prime P fixed for an elliptic curve defined over a particular prime field F_p?

I have seen the NIST, SEC and Brainpool standards. They have used the same prime for a particular bit curve (128, 192, 256, 521). Is the prime value fixed for a particular security (field size)?
3 votes, 2 answers

Comparing elliptic curves over prime fields against EC over binary fields

In which scenarios do we go for prime fields or binary fields? Please indicate why we would choose one over the other.
3 votes, 2 answers

How to determine proportion of quadratic residues in elliptic curve group?

I'm using a 'try and increment' method to hash to an Elliptic Curve point, explained below. With security parameter $k$, EC equation $y^2 = x^3 + ax + b \mbox{ mod } q$, we have: $ u = sha256(\mbox{message}) $ $\mbox{for } i = 0 \mbox{ to } k - 1,…
bekah
3 votes, 0 answers

Post-quantum security of arithmetization-oriented hash functions

While the post-quantum security of "classical" (i.e. bit-oriented) hash functions such as SHA-2 has been a topic of significant discussion, I am finding it challenging to locate detailed information about the post-quantum security of…
Raoul722
3 votes, 1 answer

Discrete log of Goldilocks, Babybear, and Mersenne31 fields

Does anyone know if the discrete log problem of these small prime fields: Goldilocks, Babybear, Mersenne31, has been solved? If not, is there a small prime field in which the discrete log of any element can be computed in poly-logarithmic time of…
Jason
2 votes, 1 answer

Is linear secret sharing over the additive group of integers modulo $p$ with $p$ non-prime secure?

In Maurer, Ueli. "Secure multi-party computation made simple." Discrete Applied Mathematics 154.2 (2006): 370-381. I have found the following technique for $k$-out-of-$k$ linear secret sharing: And the note regarding the domain says this: Is using…
Lorenzo
2 votes, 1 answer

Simple: Hash Into a Prime Field

If I have some bytes, and I want to compute a secure hash into a prime field which is 300 bits long I can: Use a nice hash, like sha3_512, and then modulo my prime field (introduces some bias). Toss most significant bits away until the…
Erik Aronesty
2 votes, 2 answers

Secret sharing over $Z_n*$

Shamir's secret sharing protocol generates a polynomial over a prime field $F_p$. Is it possible to generate it over $Z_n^*$ as well? The reason is that I want to combine a secret shared value in another scheme. For example sign on it with an RSA…
user1387682
2 votes, 1 answer

Questions about the multiplicative mask on the field?

I am considering a field $\mathbb{Z}_p=\{0,1,\cdots,p-1\}$, where $p$ is a prime. Suppose I have a secret $x \in \mathbb{Z}_p$ and a random mask $m \in \mathbb{Z}_p$. Prior answers show $y=x*m \mod p$ does not reveal any information about $x$ if $x…
Hobbit
2 votes, 0 answers

The confusion about the secret setup in Schoenmakers' PVSS

In Schoenmakers' PVSS scheme, the secret distributor selects a random number $s \in \mathbb{Z}_q$, and the secret is defined as $S=h^s\bmod p$. What restricts the PVSS scheme to sharing the secret $h^s$ instead of $s$ itself? Additionally, $S=h^s$…