Latest Crypto related questions

Score: 0
Thomas Sylvest
Reverse SHA256 Hashed Value from Multiple Instances where Part of Hashed Value is known

I apologize in advance if this question has been answered already. However, I have not been able to find an existing answer - despite the case being pretty simple and common I imagine. Perhaps there is some terminology that I do not know making me miss the obvious.

So here goes:

Assume we repeatedly SHA256-hash a "secret" value concatenated with different numbers and let an adversary know the hashed ...

Score: 1
Can an attacker steal data from an AES encrypted table without knowing the key?

I am thinking of a situation in which an attacker can steal data from an AES encrypted table without knowing the key. I tried to search on the internet but found nothing about this (maybe I was not using the correct keyword); I would really appreciate it if anyone could shed some light on it.

Assuming that the table is encrypted with the same key but a different IV:

  1. Attacker signs up for a new account in an application normally.
  2. Application ...

Score: 1
JAAAY
Examples of oblivious transfer protocols secure under stronger security assumptions than semi-honest model?

The question is basically stated in the title. I have done some introductory reading on Oblivious Transfer and most of them are secure in the semi-honest model. Are there any protocols that are secure under stronger security assumptions (e.g. malicious adversaries)?

Score: 0
Manglemix
How to prove that Paillier encryption is positive (zero-knowledge)?

Is it possible that the plaintext encrypted in a ciphertext using Paillier encryption is positive without using a zero knowledge range proof?

Score: 0
How to securely store data with an untrustworthy party?

Alice wants to store key:value pairs with Bob. The goal of the exercise is for Alice to be able to use Bob as a reliable data storage service, even if Bob were untrustworthy. A (correctly implemented) MAC/AEAD/Signature means Bob cannot tamper with records. But basic authentication is not sufficient to ensure that Bob returns the correct record, because it does not stop Bob from replaying old records ...

Score: 2
Derick Swodnick
Short Nonces in ECDSA signature generation

Recently I noticed that my device generates short-sized nonces.

Approximately $2 ^ {243} - 2^{244}$.

Could it turn out that there will be a small leak of information about the first 3 bits of the nonces?

Accordingly, if a nonce is short, then it must contain null at the beginning. That is, the first 3 bits of the nonce contain null at the beginning.

Hence, for the sake of safety:

When creating an ECDSA signatur ...

Score: 2
Baldovín Cadena Mejía
What does counter mean in Counter (CTR) Mode? Is it the same as nonce?

As asked above, what does "counter" mean exactly? Is it the same as nonce?

Also, the book Network Security Essentials (6th ed.) by William Stallings states, "Typically the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo $2^b$, where $b$ is the block size)". What does this statement mean exactly?

Score: 0
Ilyass
Breaking Vigenère cipher using the one-time pad flaw when used for a second time

I got an idea which may be wrong because I may have missed some important factor, but for the moment I don't know if I really did. Let BM be the method used to break a reused one-time pad cipher (which is explained here: Taking advantage of one-time pad key reuse?). I was wondering if we can use the same BM on a Vigenère ciphertext after determining the key length (N for example), and that would be by ...

Score: 0
Krik99
What's the best Noise Protocol authentication pattern with minimal overhead for IoT?

I want to use the NoiseSocket protocol to connect embedded IoT devices to the server. On the device's side, code runs on a small 32-bit MCU. For the cipher function and hash I will use ChaChaPoly and BLAKE2s for best performance on an embedded MCU. But I don't choose an authentication pattern that meets my task. The protocol should solve the following tasks:

  1. Devices must authenticate the server.
  2. Server check devic ...

Score: 0
Don't know how to approach this problem, or where to start. Finding an adversary to a hiding and binding game

I have this problem: [image]

I also have the Python version of this problem here:

import json
import sys, os, itertools

sys.path.append(os.path.abspath(os.path.join('..')))
from playcrypt.tools import *
from playcrypt.new_tools import *
from playcrypt.primitives import *

from playcrypt.games.game_bind import GameBIND
from playcrypt.simulator.bind_sim import BINDSim

from playcrypt.games.game_hide impor ...

Score: 5
J. Doe
Can a series of triangle reflections be used for cryptography?

(I guess no but why is this the case? Any way to make it possible?)

Out of a given equilateral triangle T1 (with its 3 vertices A, B, C lying in a finite field $\mathbb F_N^D$) another equilateral triangle T2 can get constructed by mirroring one of the 3 vertices at the edge in between the two other vertices. This will be repeated multiple times.

Given just two random triangles T1 and T2 (and $\mathbb F_N^ ...

Score: 0
Dominic Teplicky
I am confused on how to solve this question about one way hashing

I know that I have to use decryption, but I am confused about how it breaks one-way (preimage resistance)

Score: 2
What is the link between anonymous credentials and transactional pseudonyms?

Anonymous credentials are used to prove certain properties of a specific user without revealing any other information, and transactional pseudonyms are used to authenticate a user as the rightful owner of a specific transaction without revealing any other information. Are transactional pseudonyms a form of anonymous credential, do anonymous credentials use transactional pseudonyms or are they distinct ...

Score: 0
Hedeesa
Mutual authentication in STS protocol

STS Protocol is like this:

  1. $A \rightarrow B:~ g^x$
  2. $A \leftarrow B:~ g^y, E_K(S_B(g^y, g^x))$
  3. $A \rightarrow B:~ E_K(S_A(g^x, g^y))$

My question is why do we say in STS we have mutual authentication? For example:

  1. $A \rightarrow C: g^x$
  2. $C \rightarrow B: g^x$
  3. $C \leftarrow B: g^y, E_K(S_B(g^y, g^x))$
  4. $A \leftarrow C: g^y, E_K(S_B(g^y, g^x))$

so A will authenticate C instead of B!

Score: 2
Meir Maor
Solve DLOG using a probabilistic algorithm for DLOG lsb

Following the question Can I know from a Bitcoin public key if the private key is odd or even?

The answer there gives a simple algorithm for solving the Discrete Logarithm Problem when given an oracle which gives the LSB of the DLOG. The answer hints this may be possible but not so easy with a probabilistic solution. So naturally I want to follow up with the harder question.

I can think of two such  ...
