Latest Crypto related questions

I need to create an id generation function that takes 4-digit number and returns a unique 3-letter identifier.

I already have a function that generates a 2-letter id from 3-digit number with some limitations (between 100 and 775), but I'm not sure how to change it to meet the new requirement.

if order_id < 775:
  alphabet = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ')
  alpha_index = ''
  _i_1 = 0
  _i_2 = 0 ...

Does anyone know of a C++ homomorphic encryption library that supports addition, multiplication and logical right shift over integers? Some set of instructions that allows the implementation of logical shifts would work as well. The range should be at least sufficient to support signed 32-bit integers and the scheme should support arbitrary depth. I tried using Palisade, but found no way of implementing ...

I've came with the following problem from the Theory and Practice book by Stinson-Paterson. It states the following:

2.17

(a) Prove that a permutation $\pi$ in the Permutation Cipher is an involuntory kei iff (if and only if) $\pi(i) = j$ implies $\pi(j) = > i$, for all $i,j \in \{1,...,m \}$.

(b) Determine the number of involutory keys in the Permutation Cipher for $m = 2,3,4,5, $ and 6.

I've prove ...

1. Authentication-:

I understand that authentication is basically digital signature. But what I don't understand is how it has been explained here specially the RSA key part. It is leading me to huge confusions.

In RSA encrpytion, we use public key(of whose sender or receiver?) for encrpytion and private key(of whom?) for decryption.

They say hash is encrypted using RSA. But why are we using PRIVAT ...

Suppose G₁ is an elliptic group and G₂ be a multiplicative group and they are of same prime order p and e is a bilinear pairing, e: G₁ X G₁ -> G₂. The operations e(p,q)^r and e(p^r,q) gives equal result where p, q $\in$ G₁ and r $\in$ Z^*_p.

The computation time of different cryptographic operations are given below source:

I apologize in advance if this question has been answered already. However, I have not been able to find an existing answer - despite the case being pretty simple and common I imagine. Perhaps there is some terminology that I do not know making me miss the obvious.

So here goes:

Assume we repeatedly SHA256-hash a "secret" value concatenated with different numbers and let an adversary know the hashed ...

I think of a situation that attacker can steal data from AES encrypted table without knowing the key. I tried to search on internet but found nothing about this(may be I were not using the correct keyword), really appreciate if any one can shed some light on it.

Assuming that the table is encrypted with same key but different IV:

1. Attacker signs up for a new account in an application normally.
2. Application ...

The question is basically stated on the title. I have done some introductory reading on Oblivious Transfer and most of them are secure in the semi-honest model. Are there any protocols that are secure under stronger security assumptions (e.g. malicious adversaries) ?

Is it possible that the plaintext encrypted in a ciphertext using paillier encryption is positive without using a zero knowledge range proof?

Alice wants to store key:value pairs with Bob. The goal of the exercise is for Alice to be able to use Bob as a reliable data storage service, even if Bob were untrustworthy. A (correctly implemented) MAC/AEAD/Signature means Bob cannot tamper with records. But basic authentication is not sufficient to ensure that Bob returns the correct record, because it does not stop Bob from replaying old records ...

Recently I noticed that my device generates short-sized Nonces.

Approximately $2 ^ {243} - 2^{244}$.

Could it turn out that there will be a small leak of information about the first 3 bits of Nonces?

Accordingly, if Nonces is short, then it must contain null at the beginning. That is, the first 3 bits of Nonces contain null at the beginning.

Hence, for the sake of safety:

When creating an ECDSA signatur ...

As asked above, what does "counter" mean exactly? Is it the same as nonce?

Also, the book Network Security Essentials (6ed.) from William Stallings states, "Typically the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo $2^b$, where $b$ is the block size)". What does this statement mean exactly?

I got an idea which may be wrong because I may have missed some important factor but for the moment I don't know if I really did. Let BM be the method used to break a reused one-time pad cipher (which is explained here : Taking advantage of one-time pad key reuse? ). I was wondering if we can use the same BM on a vigenere cipher text after determining the key lenght (N for example), and that would be by  ...

I want to use NoiseSocket protocol to connect embedded IoT devices to the server. On the device's side code runs on a small 32bit MCU. For cipher function and hash will use ChaChaPoly and BLAKE2s for best performance on embedded MCU. But I don't choose an authentification pattern that meets my task. The protocol should solve the following tasks:

1. Devices must authenticate the server.
2. Server check devic ...

I have this problem:

I also have the python version of this problem here:

import json
import sys, os, itertools

sys.path.append(os.path.abspath(os.path.join('..')))
from playcrypt.tools import *
from playcrypt.new_tools import *
from playcrypt.primitives import *

from playcrypt.games.game_bind import GameBIND
from playcrypt.simulator.bind_sim import BINDSim

from playcrypt.games.game_hide impor ...

(I guess no but why is this the case? Any way to make it possible?)

Out of a given equilateral triangle T1 (with his 3 vertices A,B,C lying in a finite Field $\mathbb F_N^D $) another equilateral triangle T2 can get constructed by mirroring one of the 3 vertices at the edge in between the two other vertices. This will be repeated multiple times.

Given just two random triangle T1 and T2 (and $\mathbb F_N^ ...

I know that I have to use decryption, but I am confused about how it breaks one-way (preimage resistance)

Anonymous credentials are used to prove certain properties of a specific user without revealing any other information, and transactional pseudonyms are used to authenticate a user as the rightful owner of a specific transaction without revealing any other information. Are transactional pseudonyms a form of anonymous credential, does anonymous credentials use transactional pseudonyms or are they distinct ...

STS Protocol is like this:

1. $A \rightarrow B:~ g^x$
2. $A \leftarrow B:~ g^y, E_K(S_B(g^y, g^x))$
3. $A \rightarrow B:~ E_K(S_A(g^x, g^y))$

My question is why do we say in STS we have mutual authentication? For example:

1. $A \rightarrow C: g^x$
2. $C \rightarrow B: g^x$
3. $C \leftarrow B: g^y, E_K(S_B(g^y, g^x))$
4. $A \leftarrow C: g^y, E_K(S_B(g^y, g^x))$

so A will authenticate C instead of B!

Following the question Can I know from a Bitcoin public key if the private key is odd or even?

The answer there gives a simple algorithm for solving the Discrete Logarithm Problem when given an oracle which gives the LSB of the DLOG. The answer hints this may be possible but not so easy with a probabilistic solution. So naturally I want to follow up with the harder question.

I can think of two such  ...

Is there a way to recover the bit sequence of a number ( for example 29 = 0b11101 ) by always dividing it by 2 when in mod 143 for example ?

What I mean by that is recover the number bit by bit by multiplying it by the inverse of 2 mod 143 to simulate the /2 division. for example:
$\begin{array}{} &29\bmod143=&29&\equiv 1 \pmod 2\\ 29\cdot(2^{-1}\bmod143)^1\bmod143=&29\cdot72^1\bmod143= ...

We have encryptions $c_1$ and $c_2$, the person who knows the plaintext and randomness in both wants to prove that they know it. Let $r_1$ and $r_2$ be the randomness values in $c_1$ and $c_2$ respectively. The prover then randomly generates another random number, $z$. They then calculate $a_1 = r_1^n z^n$, $a_2 = r_2^n z^n$. These are the proofs. A verifier would just have to multiply $a_2$ with

I am looking for a theoretical solution to the following problem: Alice receives a signed statement from her bank with information about her account and credit balance. Alice wants to prove this knowledge of the contents and the bank's valid signature to Bob, but at the same time prevent Carol from determining who signed the proof.

To better illustrate my problem, I took the liberty of making a s ...

I am trying to understand the difference between permutation and transposition. I have seen a similar question in the forum but I would like to ask you for proper definitions and examples of each. I'm trying to understand the DES algorithm and I'd like to understand if the halving of the initial block and eventual swapping of the halves would be permutation or transposition. Thank you in advance.

i am on a task in cryptography and need a hint (PLEASE NO SOLUTION).

The Task is:

I can send Messages (Digital Numbers) to a Docker Container. The response are the values p,q,g,z1,s,r and hashvalue(m+z1). So... when i enter the number 1 i get the DSA values used for signing.

Unknown is the value of k, z2 and x (the private key)

Known is that p,q,g,z1,z2 are fixed for every message. So they are the same ev ...

Two add the plaintexts encrypted in a ciphertext, you would just multiply the ciphertext and modulo it. However, how does the randomness value of the new ciphertext change? Assuming you the encryptor knew the randomness values in both ciphertexts, could you calculate the new randomness value?

Are there applications of sanitizable signatures without transparency property ?

The answers to my HW say that a preimage of a single block is easily found. I do not understand how it is easily found. Please help.

Imagine that we have a protocol like this:
B -> A: R_B
A -> B: {R_B,B}_K

Goal: authenticate A to B
K: a shared key between A and B
{}_K: encrypting by K

After receiving {R_B, B}_K by B, B is able to authenticate A. But what if we have something like:
A -> C: {R_B,B}_K
C -> B: {R_B,B}_K
so in this case B will authenticate C instead of A, isn't it?

I have an encoded file and a public.pem file. Is it possible to decode the file using the public.pem file or do I have to start looking at private keys?

I tried https://github.com/Ganapati/RsaCtfTool with no luck. The public key (pem) is as below

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjHDiqVkO1umD2/Tm20Wt
LpyBXGoIk4Pczeqjwz7/kwYLnQI7VlAzgjC9jD1dX80Z+kLOr5wHIDdfNK55 ...