Latest Crypto-related questions

Score: 0
0xEval
Authenticating Infrastructure SOAP-based API

I have been involved in a discussion the other day regarding the implementation of backend-to-backend authentication. The communications between each backend happen via SOAP (XML) message protocol.

Objective:

Authenticate calls originating from Backend A <> Backend B. All communications can be considered to go through TLS tunneling first.

Their proposed solution:

Append a Signature in a XML Heade ...

Score: 1
Tom
PRNG generator which could repeat blocks

Let's use AES as a stream cipher, and let's use the numbers $1,2,3,...$ as input. This way we should get random blocks, and every block will be different from the others.

But I have a pseudorandom block generator which does not always generate different blocks. So we could get block $B$ once, and then, for example, after let's say a million blocks, it is possible to get the same block $B$ again (but it  ...

Score: 1
hhhhhhhh
Is XORing a Base64-encoded string secure?

Theoretically, is it secure to first encode a string using Base64 and then XOR it with a random key or are there potential weaknesses that could be exploited?

Obviously this doesn't make any sense in practice, but I was curious whether this would be just as secure as XORing and then Base64ing.

Score: 2
RSA short key generation using OpenSSL

To write a CTF challenge, I want to create an RSA key pair of size 228 bits. I want the keys in exactly the same format as OpenSSL-generated keys. But OpenSSL does not support keys shorter than 512 bits. What could be a solution?

Score: 0
mehdi mahdavi oliaiy
Why is the cofactor of the twisted Edwards curve equal to 8?

While the cofactor of the Edwards curve is chosen to be $4$ in standards, the cofactor of the twisted Edwards curve is chosen to be $8$. I can't understand the reason for this. Can we choose cofactor $4$ for the twisted Edwards curve? What happens in this case? Is there any security problem in this case?

Score: 1
Shiasu-sama
Encryption of data with multiple possible decryption keys

I'm new to the Cryptography Stack Exchange, so my question might be very naive.

What encryption algorithms are out there that will allow different decryption keys to decrypt the same piece of encrypted data?

For example: if the data that I'm encrypting is just a simple string: "Test"

Then applying the encryption algorithm changes it to this : "532EAABD9574880DBF76B9B8CC00832C20A6EC113D682299550D7A6E0F ...

Score: 1
AkariYukari
Vigenère cipher with switching keys

I am looking for possible ways of attacking a modified Vigenère cipher. Let's say we have two keys e.g. 'stackoverflow' and 'Vigenère'. The V cipher starts with one of those keys but switches as soon as it would create a doublet [so the next plaintext letter would decrypt to the same ciphertext letter like (example for ciphertext:) 'LDJAAIWE' or 'FMGGBPV')].

How is it possible to attack this if you ...

Score: 0
Zero Knowledge Proof for Merkle Tree Update

I have a Merkle tree that contains the balances of users in each leaf. Periodically, users are paid more, and their corresponding Merkle leaves are updated, which results in a new Merkle root.

Is it possible to use a zero-knowledge proof to verify that between two Merkle roots:

a) No individual leaf (user balance) was decreased

b) The sum of all leaves increased by a known amount

The goal is to prevent a  ...

Score: 7
miraunpajaro
Why are NIST curves still used?

I'm relatively new to the world of crypto (But as far as the math goes, I am familiar with the inner workings. I used to rarely use it for privacy, but now I use it for many things).

Anyway, I was taking a look at this URL, and of course I noticed that NIST curves seem to have a lot of weaknesses. More than other curves, such as E-521, which, as I understand, has been mathematically proven to be secu ...

Score: 5
arcaynia
Is the following proof scheme zero-knowledge?

Consider that I wish to prove knowledge of some RSA private key corresponding to a public key $(e,N)$. A naive interactive proof scheme would proceed as follows:

  • $V$ generates some random message $m$ and encrypts it, sending the encrypted data $c$ to $P$
  • $V$ then requests $m$ back from $P$. Assuming $P$ could have no knowledge of $m$ outside of $c$, then $P$ can prove knowledge of $d$ by responding with ...

Score: 2
einsteinwein
Security of Signature Schemes in the Multi-User Setting

I've often read about the security of a signature scheme in the multi-user setting Link1 Link2, but I couldn't find a real definition. I would like to be sure that I understand it correctly. So my question is: If we consider Def 1, would Def 2 make sense for the multi-user setting?

Def 1: The signature scheme yields k-bits of security in the single-user setting if the probability that an attacker can  ...

Score: 1
Hasttte
Mifare Classic, authentication protocol question

Thanks to reverse engineering papers on Mifare Classic, one can study the authentication protocol. However, I have a problem understanding how it works.

In the above document, after the reader responds with $\{n_R\}$ $\{a_R\}$, the tag can now calculate $b_{32}$ (keystream) to $b_{63}$ (thanks to $n_T$, $\text{uid}$ and the tag's key) so XOR it with $\{n_R\}$ to retrieve $n_R$. But how can we be sure t ...

Score: 1
woah
How does batching in FHE work?

Let's say we have a BGV style homomorphic encryption scheme. The message space will be the ring $$R_p = \mathbb Z_p[x]/(x^d + 1)$$ where $p$ is a prime congruent to $1$ modulo $2d$. Now let's say we say messages $m_1(x), m_2(x) \in R_p.$ How do we obtain a ciphertext encrypting both $m_1(x)$ and $m_2(x)$? The BGV paper mentions the CRT isomorphism $$R_p \cong R_{\mathscr{p_1}} \times ... \times R_{\mat ...

Score: 0
eee3
When does a proof by reduction not hold?

I was doing the following exercise from the Introduction of Modern Cryptography from Katz and Lindell:

Let $F$ be a length preserving pseudorandom function. For the following constructions of a keyed function $F' : \{0,1\}^n \times \{0,1\}^{n-1} \rightarrow \{0,1\}^{2n}$, state whether $F'$ is a pseudorandom function. If yes, prove it; if not, show an attack.

(d) $F'_k(x) \stackrel{def}{=} F_k(0||x) || ...
