Most Popular

10 votes, 1 answer

How inefficient are current Indistinguishability Obfuscation (IO) candidates?

Since last year, IO finally seems to be within our reach. Several papers (https://eprint.iacr.org/2020/1003, https://eprint.iacr.org/2020/1024 and https://eprint.iacr.org/2020/1042) proved the existence of IO based on almost-standard…
CryptoPerson
10 votes, 1 answer

Are stream ciphers no longer considered by NIST?

While reading NIST SP 800-90A, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators", I noted that no stream cipher was included among the various specified solutions. I also noted that, at least as far as I could…
william_fr
10 votes, 2 answers

Uniqueness of the RSA public modulus

What is the probability that two separate RSA public moduli are the same? For example, consider a 2048-bit modulus. The number seems to be huge, but the choice for prime factors p and q is much more restrictive: They both should be 1024-bit in…
Naka Wai
10 votes, 0 answers

Do CCM and EAX provide key commitment?

In an interesting paper called "Partitioning Oracle Attacks" by Julia Len, Paul Grubbs & Thomas Ristenpart an attack is presented on 1.5 pass AEAD schemes that utilize GMAC (GCM, AES-GCM, AES-GCM-SIV) and Poly1305 which is often used with a…
Maarten Bodewes
10 votes, 0 answers

How many additions modulo $2^k$ and multiplications in $\mathbb F_{2^k}$ are needed to resist cryptanalysis?

Consider a $k$-bit block cipher with $r$ rounds, and key composed of $r$ subkeys $K_i\in\{0,1\}^k-\{0^k\}$ (that is, non-zero $k$-bit bitstrings), for $i\in[0,r)$. Plaintext is $P=S_0\in\{0,1\}^k$, ciphertext is $C=S_r\in\{0,1\}^k$. At round…
fgrieu
10 votes, 4 answers

Does a hash function necessarily need to allow arbitrary length input?

I always assumed that a hash function allows input of arbitrary length, since that's what all the hash functions I was aware of did. Wikipedia's definition of a hash function is as follows: A hash function is any function that can be used to map…
MechMK1
10 votes, 3 answers

Is double SHA-256 the best choice for Bitcoin?

So I was just curious. I really look up to Blockchain technology and I have read that Bitcoin uses double SHA-256 for hashing (from what I understood, double SHA-256 is essentially $\operatorname{SHA-256}(\operatorname{SHA-256}(value))$). Is double…
10 votes, 2 answers

What is a "constant time" work around when dealing with the point at infinity for prime curves?

I've been working for some time on designing a constant time solution for dealing with the "point at infinity" for prime curves. So far I'm using the Standard Projective Coordinates for doing fast Point Addition and Doubling operations, and my…
10 votes, 1 answer

ECIES vs. RSA + AES

I am confused about the distinction between RSA and ECC (Elliptic curve) regarding encryption and would appreciate it if someone could confirm whether my understanding is correct. To encrypt a large file using RSA: Generate a random symmetric…
Vlad
10 votes, 2 answers

Why is this not a viable key exchange algorithm?

I was just wondering why this kind of algorithm can't be used instead of, say, Diffie-Hellman to exchange keys: Alice decides on a key she wishes to share with Bob. Alice generates a stream of bytes with the same length as the key (securely, say,…
10 votes, 3 answers

Where can I get information on how to implement AES?

I want to write AES from scratch without using the built-in libraries of Java. I know there are hundreds of AES programs (and websites) out there but I can't seem to find a site that gives me the details I think I would/should need to write my own…
Dennis Hayden
10 votes, 1 answer

Why are the ciphertexts of Ansible Vault's AES256-encrypted files disproportionately composed of '3' and '6'?

I was encrypting some Ansible secrets this morning and noticed that the ciphertexts seemed to have a lot of 3s and 6s in them. I did some frequency counts and found that yes, in fact, about 40% of the digits are 3s, and more than 20%…
David Moles
10 votes, 1 answer

Why use $(r,s)$ instead of $(r,s^{-1})$ as DSA signature?

A DSA signature consists of two scalars $(r,s)$. When signing, $s$ is generated as $s=k^{-1}(H(m)+xr) \bmod q$. The signature is $(r,s)$. When verifying, $s$ is only used to compute $w = s^{-1}$. So why does DSA store $s$ in the signature instead of…
CodesInChaos
10 votes, 1 answer

What are the rules for using AES-GCM correctly?

When using AES-GCM I know that I am supposed to use a new initialization vector every time I call the AES-GCM algorithm with the same key. What other rules must be followed to use AES-GCM correctly? I am looking for a bullet point checklist with…
ams
10 votes, 3 answers

Error-correcting Code VS Lattice-based Crypto

I'm not an expert in PQ-crypto, but as I understand error-correcting code and lattice-based crypto, the cryptographic assumptions are very similar. The key difference for me is the nature of the noise. In one case, the noise is inspired by the…