Latest Crypto related questions

Score: 1
PyhonLovers
'str' object has no attribute 'decode' when decrypting AES

So I have a function to decrypt AES CTR. But when I try to decrypt, the result I get for the plaintext is of type bytes. I want to get the plaintext result using decode, because when I encrypted it, I encoded it first.

here's my encrypt func:

def encrypt(key, pt):
    plaintext = read_file(pt)
    if isinstance(plaintext, str):
        pt = plaintext.encode("utf-8")
        print(pt)
        print(type(p ...
Score: 3
Dniel BV
Will XORing two bad hashes lead to a collision resistant hash?

I'm reading the fourth edition of "Cryptography: Theory and Practice" by D.R. Stinson and M.B. Paterson. In the book, they have mentioned the concept of "collision-resistant hash" and I've stumbled upon the following question from another source:

Is there a collision resistant hash function $h(x)=h_1(x)\oplus h_2(x)$ so that $h_1$ and $h_2$ are not collision resistant?

It seems interesting to thin ...

Score: 0
tiredpotato
MD5, inputs larger than 512 bits

So I get how it works for inputs shorter than $512$, but as for larger inputs: "In the case where the remaining input data is exactly $448$ bits long, an entire extra block would need to be added for the padding." What do they mean by the 'remaining' input data is exactly $448$ bits long? If the input was, let's say, $500$ bits, $1024-64=960$, $960 - 500= 460$, so $500 + 1 + 459$ zeros, followed by the ...

Score: 1
jackson deng
Why is the output of G-lattice sampling spherical in the paper GM18?

In the paper GM18, they say that the sampling algorithm, SampleG, is shown in Figure 2. It takes as input a modulus $q$, an integer variance $s$, a coset $u$ of $\Lambda^{\perp}(g^T )$, and outputs a sample statistically close to $D_{\Lambda^{\perp}_u(g^T),s}$. SampleG relies on subroutines Perturb and SampleD where Perturb($\sigma$) returns a perturbation, $p$, statistically close to $D_{L(\Sigma_2),\s ...

Score: 2
Joseph
Understanding AES-GCM IV (Nonce), Tag/MAC, Message & Transmission

I am working on a project that uses PAKE (SRP) for authentication. When we send the M1 to the server we are encrypting the payload using AES-GCM. I mention SRP only to set the context:

  1. A message is being sent to the server with content we want to protect
  2. The client and server have a unique (one-time) symmetric key shared between them (thanks to SRP)

Before I encrypt the payload I generate a unique ...

Score: 0
George Cherian
Finding out the hashing algorithm and salt if you know the password and the resultant hash

If I have the password and hash, will I be able to find out the hashing algorithm and salt used? What tools can I use? Will hashcat work?

Score: 2
nickponline
Does the Pohlig-Hellman algorithm work for non-prime powers?

I implemented the Pohlig-Hellman algorithm for the general case following Wikipedia, but it only seems to work for prime powers (which is what the limited case is meant to solve).

My implementation follows Wikipedia exactly: https://gist.github.com/nickponline/2ef6f3456ed6c423239a334c98728324

Some examples where it fails to find a solution are:

39^x = 49 (mod 74) x = 28
19^x = 423 (mod 478) x = 275
71^x ...
Score: 2
Karthik B K
Multiplicative inverse computations on binary Galois fields yield partial result when sampled

I want to compute the multiplicative inverse of 0x2 over $GF(2^{233})$ in hardware.

To do so, I compute $a^{-1} = (a^{2^{m-1}-1})^{2}$. Here's the result of that computation: 0x10000000000000000000000000000000000000002000000000000000000 (where the left-most 1 is bit index 233, not 232).

I verify that I get 1 by multiplying it with the initial number using a binary Karatsuba multiplier.

I'm also able t ...

Score: 2
luishernandex
Construct PRG from PRF with polynomial expansion factor

I want to prove that for every pseudorandom function $F: \{0, 1\}^n \times \{0, 1\}^n \rightarrow \{0, 1\}^n$ and for every polynomial $p$ such that $p(n) > 1$ for every $n$ it is possible to construct, starting from $F$, a pseudorandom generator $G$ having expansion factor equal to $l(n) = p(n) \cdot n$.

I fixed a PRF $F$ and came up with two constructions for $G$ (where || denotes the concatenatio ...

Score: 4
Hormoz
How secure is SHA-1 against preimage attacks currently?

We know that SHA-1 is susceptible to collision attacks, but what about pre-image attacks such as poisoning torrents?

Score: 2
Vlad
Can export of wrapped secret key to insecure storage be cryptographically secure?

  1. I ask because some vendors of HSMs try to avoid the export of wrapped secret keys from the HSM to insecure storage – storage that does not belong to these vendors' HSM infrastructure.

    For example, Thales prefers to back up keys to another Thales HSM – most of their documentation is about cloning between their devices. But Thales has an option when they send traffic via public networks: Backup HSM Insta ...

Score: 0
fgrieu
Definition of "zero-knowledge encryption"

I'm reading headlines on the tune of "…bring zero-knowledge encryption to file storage". Googling "zero-knowledge encryption" returns statements like "cloud storage or backup providers know nothing (i.e. have “zero-knowledge”) about the data you store on their servers".

Is there some academic definition of "zero-knowledge encryption" and how is it different from just encryption?

Score: 1
Mark Thomas
How do AES Substitution boxes offer any additional security since they're 1 to 1?

If the Substitution box is 1 to 1 (a specific value can only ever map to a specific box value), and the contents of the Rijndael S-box are public, how does this offer any additional security?

With AES the frequency of a letter isn't a concern so what other reason is there for this substitution? An explanation fitting for a novice would be very much appreciated!

Additionally, why is Rijndael S-box a multiplic ...

Score: 2
youngeAn
Proof of Pohlig-Hellman Algorithm on Elliptic Curve

I've been reading about the Pohlig-Hellman Algorithm on Elliptic Curves.

My question is: why does the simultaneous congruence give the answer we want? Could somebody please provide a proof of it?

i.e., why

\begin{align*} x \equiv x_i \mod p_i^{e_i}, \forall i\in \{1,2,...,n\} \end{align*}

Reference: https://risencrypto.github.io/PohligHellman/

Score: 0
user206904
In signed group key exchange, why do we need to sign a session ID?

I have seen a few papers on (contributive) group key exchange where users create keys and broadcast them so they can all contribute to the secret key. In order to protect against active attackers, several schemes use signature primitives.

They generate some sort of hashed session id, sign it with the message (via some method that I did not fully understand) and broadcast the outcome...

What I fail t ...

Score: 1
Carl_Dude
Is it considered safe to save encrypted files using an asymmetric encryption algorithm inside public environments?

I know restricting access to a file is an important security measure.

If we read the Payment Card Industry's Data Security Standard (aka PCI-DSS), we can see a requirement where access control must be applied to mitigate any risk of sensitive encrypted data being leaked from the system.

Another important requirement defines the minimum data to be kept encrypted, again mitigating a possible leak.

I would l ...

Score: 2
SarkoxedaF
1st round attack on RC4

I'm trying to implement the 1st round attack on the RC4 stream cipher according to "Attacks on the RC4 stream cipher". For now I am interested in section 4.2, Attack on other key bytes. It works really well for all the bytes of a random key of length 8, except the 2nd byte. The needed value t is always the second most frequent one, whereas the most frequent is 2, which corresponds to the second byte of stream  ...

Score: 0
Per
CPU cost of signing vs. encrypting

I'm protecting communication between some microservices using public/private key encryption, where the sending container has a public key and the receiving container has a private key. This both verifies the sender (only sender has the public key via a credential manager), and protects the data in case it may be buffered, e.g. in a Redis.

But for transient communication, I'm wondering if signing  ...

Score: 3
Ricardo Martínez
Why is ZKP authentication not used in practice?

I have been reading about Zero Knowledge Proof (ZKP) protocols for a while now. Among the applications I have seen the most is authentication (https://ethereum.org/en/zero-knowledge-proofs/#authentication). But in practice it is not used; why?

I have also been looking for why these protocols are not used in authentication systems or why they are not used by identity providers (such as Google accoun ...

Score: 1
IND-CPA secure PKE from search problem

Is there any PKE scheme that is IND-CPA secure (in a standard model, not RO) under a search problem?

Score: 3
CryptoGuru
Password Hashing based on Common Passwords

If an attacker has a database of 1,000 users' hashed passwords, hashed with SHA-256 and a 128-bit salt, and all of these users used one of 10,000 common passwords, how many hashes will the hacker need to compute to recover all passwords?

I was thinking it would just be 1,000*10,000 = 10,000,000 hashes but I am not sure how the salt affects the computation in recovering hashes.

Score: 2
LianoQ
Info AES cryptanalysis

I have some doubts regarding AES weaknesses and AES cryptanalysis. While it is relatively simple to find cryptanalysis info on previous ciphers, I get confused trying to understand the various types of cryptanalysis attacks on AES.

So far, for example, I've found that AES's weakness could be in its algebraic structure. Does anyone know good references where I can find more precise info on AES cryptanalysis ...

Score: 2
Ilya Nevolin
Which service provider can create (claimable) accounts for managing Ed25519 keypairs (zero-knowledge fashion) by email

The title is a mouthful, allow me to explain my situation.

  • I have a SaaS with many users.
  • When new users join the platform, I want to create a cryptographic keypair for them (Ed25519).
  • But I don't want to have any knowledge about their private key.
  • This means the keypair must be generated and stored by a third-party service.

So I'm looking for a service, which has an API endpoint that works as such: ...

Score: 0
Libertarian Feudalist Bot
File Size Shrinks After Encryption

I am a Bitcoin enthusiast, but I have never been formally trained in the study of computer science and cryptography.

Recently, I tried a new way to encrypt my private key: I wrote it down on a paper, and used my camera to take a photo of that paper sheet. Then, I encrypted the photo from pgp4win.

Then I noticed that the size of the photo is significantly smaller after encryption.

Can any expert in cryp ...

Score: 1
phantomcraft
Is BLAKE2X suitable for generating keys with any security in bits even if BLAKE2 has only 256/512 bits?

I can generate a key of any security in bits with any hash function from a random source with enough entropy by using the following scheme:

$$H(00||S) || H(01||S) || H(02||S) || H(03||S) || \cdots$$

where H is the hash, S the seed and 00, 01, 02 the counters.

BLAKE2X hashes are computed as follows:

$$\operatorname{B2}(0,64,H_0)\mathbin\|\operatorname{B2}(1,64,H_0)\mathbin\|\ldots\mathbin\|\operatorname{B2 ...

Score: 1
akib g
Design a ZKP to satisfy x1*x2 (mod n) = x3 from Paillier encryptions

I have 3 Paillier encryptions p1=E(x1;r1), p2=E(x2;r2), p3=E(x3;r3) such that x1*x2 (mod n) = x3. P (Prover) knows (x1,r1), (x2,r2), (x3,r3).

Can I design a ZKP (interactive & non-interactive) for P to convince V (verifier) that the values hidden by p1, p2, p3 satisfy x1*x2 (mod n) = x3?

Score: 3
user3325588
Are there any projects leveraging a combination of (1) Noise and (2) Signal / Double Ratchet to augment the former with per-message forward secrecy?

Are there examples (in code, or a blog post / writeup) of using Noise and Signal together?

Here is a link to Noise.

For example, using the Double Ratchet per each message to achieve forward secrecy, but leveraging Noise as a foundation for its patterns of initial key exchange. Both Noise and Signal are well-studied and well-known, and so building upon these might be preferred over attempting to c ...

Score: 3
Ra2orLeaf
What is a block transposition cipher?

I was looking at the archives for the British national cipher challenge, and a modified version of an ADFGVX cipher came up twice (2003, 2011), with block transposition instead of columnar transposition. The question I have is: what is this referring to? I tried finding information about block transposition, but there appear to be many different versions of it as per Wikipedia. The cipher challenge is ...

Score: 0
testCrypto
Computing the eth root in Z(N)*, i.e. the set of all elements coprime to N

I understand that it is easy to compute the eth root in Z(P)*, but what about in Z(N)*? I know that it requires the factorization of N, but what does that actually mean? What is an example of calculating the eth root in the set Z(N)* (the set of all elements coprime to N)?

Score: 2
8cold8hot
Safe p-value for NIST randomness test with small sample size

In this journal paper related to physically unclonable function (PUF) [1], the authors used NIST 800-22 test to check if the bitstreams generated by their PUFs are random, which is described as follows:

NIST tests are performed using 60 sequences of 128 bits each such that 7680 bits (i.e., digitized keys) collected from 30 different PUFs are tested. The chi-squared (χ2) distribution is used to com ...
