Most Popular (1500 questions)

10 votes, 3 answers

Why can't Diffie-Hellman be used for signing?

I understand that signing is often a case of hashing data and then encrypting the hash with the private key. What properties keep Diffie-Hellman from being useful for this?
Jeff Ferland

10 votes, 2 answers

Is the one-more discrete log problem hard in the Generic Group Model?

In the Generic Group Model (GGM), a concrete cyclic group of (known) order $n$ is replaced with an idealized version: a random encoding for group elements is chosen, and the adversary only gets access to the encoded form of any input group elements…
Pieter Wuille

10 votes, 2 answers

Is 512 bits a more secure hashing than 256 bits?

I know that 512 bit hashing is more secure, but I don't really know why. I hope someone can help me to better understand it in more detail.
Hinton Zsh

10 votes, 1 answer

Recommended way of adding a pepper/secret key to password before hashing?

There have been several questions regarding password hashing here and on Security.SE. A "pepper" is sometimes mentioned – an application-specific secret key. The canonical answer on password hashing implies that adding a pepper brings the…
user950

10 votes, 0 answers

Is anyone using ORAM in practice?

Oblivious RAM has been around in theory for about 30 years at this point. Is anyone using it in practice? Has it made its way into industry? (Including any variants such as MPC ORAM or ORAM that uses trusted hardware for the client.)

10 votes, 2 answers

AES plaintext is smaller than 128 bits - how to expand?

We are currently developing a little AES implementation in a crypto-course at university. As far as I know, AES uses a 128 bit block length, so all data that will be encrypted gets split up into blocks of 128 bits (16 bytes) into a 2d-array (or 1d…
Stefan

10 votes, 1 answer

Is this a safe way to prove the knowledge of an ECDSA Signature?

I think that I've found a good solution to prove the knowledge of an ECDSA signature without revealing it. In short terms it consists in generating an ECDSA signature using the point $R$ as generator, $s$ as private key and the result of $s*R$ as…
Jan Moritz

10 votes, 5 answers

Tamper-proofing log files

Problem Overview: I want to securely store log files so the contents are secret, and they can't be modified without detection. The files will be encrypted using authenticated encryption (AES in GCM mode), with a random IV and symmetric key for each…
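
An added example, not code from the question or any of its answers, of the construction the question sketches: a random key per file, a random 96-bit nonce per record, AES-GCM for confidentiality and integrity, plus the piece the question does not mention, which is binding each record to its position and to its predecessor through the additional authenticated data. With per-record encryption alone an attacker can still delete, reorder or truncate records without tripping any tag; chaining catches that. The record layout, the helper names and the sample log line are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Record layout (an assumption for this example): nonce[12] | ctLen uint32 BE |
// ciphertext||GCM tag, where the plaintext is a type byte followed by the entry.
// Record i is sealed with AAD (i, tag of record i-1), 16 zero bytes for i=0, so
// an edit, swap or deletion breaks that record's tag or the next one's, and a
// missing recClose at the end means the log was truncated (or never closed).
const nonceSize, maxRecord = 12, 1 << 20 // maxRecord bounds allocation from a forged length field
const recEntry, recClose byte = 1, 2

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func chainAAD(seq uint64, prevTag []byte) []byte {
	a := make([]byte, 8, 8+len(prevTag))
	binary.BigEndian.PutUint64(a, seq)
	return append(a, prevTag...)
}

// LogWriter appends records to Log, the encrypted file as written so far.
type LogWriter struct {
	aead    cipher.AEAD
	seq     uint64
	prevTag []byte
	Log     []byte
}

func NewLogWriter(key []byte) (*LogWriter, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &LogWriter{aead: aead, prevTag: make([]byte, aead.Overhead())}, nil
}

func (w *LogWriter) write(recType byte, entry []byte) error {
	rec := make([]byte, nonceSize+4) // fresh random nonce, then the length field
	if _, err := rand.Read(rec[:nonceSize]); err != nil {
		return err
	}
	ct := w.aead.Seal(nil, rec[:nonceSize], append([]byte{recType}, entry...), chainAAD(w.seq, w.prevTag))
	binary.BigEndian.PutUint32(rec[nonceSize:], uint32(len(ct)))
	w.Log = append(append(w.Log, rec...), ct...)
	w.prevTag, w.seq = ct[len(ct)-w.aead.Overhead():], w.seq+1
	return nil
}

func (w *LogWriter) Append(entry []byte) error { return w.write(recEntry, entry) }
func (w *LogWriter) Close() error              { return w.write(recClose, nil) }

// ReadLog returns the entries only if every record authenticates in sequence
// and the data ends with exactly one close record.
func ReadLog(key, data []byte) ([][]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	prevTag, entries := make([]byte, aead.Overhead()), [][]byte{}
	for seq := uint64(0); ; seq++ {
		if len(data) < nonceSize+4 {
			return nil, fmt.Errorf("record %d: header missing (log truncated or never closed)", seq)
		}
		n := binary.BigEndian.Uint32(data[nonceSize:])
		if n > maxRecord || uint32(len(data)-nonceSize-4) < n {
			return nil, fmt.Errorf("record %d: bad length or truncated body", seq)
		}
		ct := data[nonceSize+4 : nonceSize+4+n]
		pt, err := aead.Open(nil, data[:nonceSize], ct, chainAAD(seq, prevTag))
		if err != nil || len(pt) == 0 || (pt[0] != recEntry && pt[0] != recClose) {
			return nil, fmt.Errorf("record %d: authentication failed", seq)
		}
		prevTag, data = ct[len(ct)-aead.Overhead():], data[nonceSize+4+n:]
		if pt[0] == recClose {
			if len(data) != 0 {
				return nil, fmt.Errorf("data appended after the closing record")
			}
			return entries, nil
		}
		entries = append(entries, pt[1:])
	}
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // random per-file key; in practice wrap it under a master key or KMS
	w, _ := NewLogWriter(key)
	w.Append([]byte("2024-01-01T00:00:00Z login alice")) // constructed sample entry
	w.Close()
	fmt.Println(ReadLog(key, w.Log))
}
```

Two caveats follow from the design. First, a symmetric AEAD gives no tamper evidence against anyone who holds the file key, since the verifier needs the same key the forger would need; if the threat includes the machine that writes the log, the last tag (or a running hash of the tags) has to be pushed somewhere append-only the writer cannot rewrite, or the chain has to end in a signature. Second, a log that is still being written looks exactly like a truncated one, so "no closing record" is only a tampering signal for logs that are supposed to be finished.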

10 votes, 4 answers

One round of AES-128

Maybe it's a silly question, but I'm interested in the best known/chosen plaintext attack on only one round of AES-128. More specifically, what is the smallest number of known/chosen plaintext/ciphertext pairs which allow us to recover the key with high…

10 votes, 0 answers

Hardness of iterated squaring in Paillier group

The (computational) problem of iterated squaring (IS) in the RSA group is defined as follows, where $\leftarrow$ denotes sampling uniformly at random: Input: $(N,x,T)$, where $N$ is the RSA modulus, $x\leftarrow\mathbb{Z}_N^*$, and $T\in\mathbb{N}$…
ckamath

10 votes, 1 answer

When using Ristretto or Decaf with Ed25519 and Ed448, do scalars still need pruning/trimming/clamping?

Decaf is a point compression method that builds a prime-order group for (twisted) Edwards curves and Montgomery curves with cofactor $h = 4$ based on the Jacobi quartic [H2015]. The promise is to eliminate the cofactor when only operating on points…
xorhash

10 votes, 1 answer

Need an introduction to SPKI (or "SPKI for dummies")

I am familiar with concepts such as the following: PKI and CAs; ID-based cryptography; certificateless cryptography; PGP web of trust; more or less anything in basic crypto that is taught in a college course. I need to quickly understand the main…
Jus12

10 votes, 1 answer

Existential unforgeability vs strong unforgeability

In the article https://crypto.stanford.edu/~dabo/pubs/papers/strongsigs.pdf there are two definitions for the security of a digital signature scheme: existential unforgeability and strong unforgeability. The difference is that while in the…
Evgeni Vaknin

10 votes, 3 answers

Perfect shuffle possible with limited raw entropy?

I am trying to shuffle a standard 52-card deck in a perfect way (every outcome should be possible at an equal chance). I am not, at this point, concerned with cryptanalysis attacks against it. I have run into some problems/questions that are…
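
An added example, not code from the question or any of its answers, in Go, of the two things a perfect shuffle from a limited entropy source comes down to: how many random bits the shuffle needs at minimum (ceil(log2(52!)), which is 226 for a standard deck), and how to turn raw bits into index draws without bias. Reducing a random byte modulo the range is the usual mistake; the example instead pulls exactly the bits each draw needs from a bit-level reader and rejects out-of-range values. The helper names, the rejection cap and the deterministic sample sources are choices made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
	"math/bits"
)

// MinEntropyBits is ceil(log2(n!)), the least number of uniformly random bits
// any procedure must consume to make all n! orderings equally likely.
func MinEntropyBits(n int) int {
	f := big.NewInt(1)
	for i := 2; i <= n; i++ {
		f.Mul(f, big.NewInt(int64(i)))
	}
	b := f.BitLen()
	if f.TrailingZeroBits() == uint(b-1) { // n! is an exact power of two: log2 is b-1
		b--
	}
	return b
}

// ModuloBias shows why "byte % n" is not a fix: for one random byte it returns
// how many of the 256 byte values land on the most and on the least likely
// output. Unequal counts mean some orderings come up more often than others.
func ModuloBias(n int) (most, least int) {
	return (256 + n - 1) / n, 256 / n
}

// bitSource hands out exactly k bits per request, buffering whole bytes from
// src so that no entropy is thrown away between draws (k must be <= 56).
type bitSource struct {
	src       io.Reader
	buf       uint64
	have      int
	BytesRead int
}

func (s *bitSource) take(k int) (uint64, error) {
	for s.have < k {
		var b [1]byte
		if _, err := io.ReadFull(s.src, b[:]); err != nil {
			return 0, err
		}
		s.buf, s.have, s.BytesRead = s.buf<<8|uint64(b[0]), s.have+8, s.BytesRead+1
	}
	s.have -= k
	v := (s.buf >> uint(s.have)) & (1<<uint(k) - 1)
	s.buf &= 1<<uint(s.have) - 1
	return v, nil
}

// maxRejects is a cap chosen for this example: a healthy source almost never
// rejects this many times in a row, while a stuck source would loop forever.
const maxRejects = 1000

// uniformBelow returns a uniform value in [0, n) by drawing ceil(log2 n) bits
// and rejecting results >= n; the expected number of draws is below 2.
func uniformBelow(n int, s *bitSource) (int, error) {
	if n <= 1 {
		return 0, nil
	}
	k := bits.Len(uint(n - 1))
	for tries := 0; tries < maxRejects; tries++ {
		v, err := s.take(k)
		if err != nil {
			return 0, err
		}
		if v < uint64(n) {
			return int(v), nil
		}
	}
	return 0, errors.New("randomness source keeps producing rejected values")
}

// Shuffle is Fisher-Yates with unbiased index draws. It returns the number of
// bytes pulled from src, which matters when src is a slow or limited
// hardware source rather than crypto/rand.
func Shuffle(deck []int, src io.Reader) (int, error) {
	s := &bitSource{src: src}
	for i := len(deck) - 1; i > 0; i-- {
		j, err := uniformBelow(i+1, s)
		if err != nil {
			return s.BytesRead, err
		}
		deck[i], deck[j] = deck[j], deck[i]
	}
	return s.BytesRead, nil
}

func main() {
	deck := make([]int, 52)
	for i := range deck {
		deck[i] = i
	}
	n, err := Shuffle(deck, rand.Reader)
	fmt.Println(deck, n, err, MinEntropyBits(52)) // MinEntropyBits(52) is 226
}
```

Even with no rejections the 52-card shuffle requests 249 bits (the per-draw ceiling of log2(i+1) summed over i), and rejections add more, so a source that can only supply the theoretical 226 bits is not enough for this method; arithmetic-coding style draws can get closer to the bound, at the cost of complexity. The cap on rejections is there so a source that has silently stopped producing fresh bits turns into an error instead of a hang.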

10 votes, 1 answer

Which block cipher parameters should be kept secret?

Which of the parameters of a block cipher (e.g., algorithm name, mode of operation, IV (if any), key length) are essential to keep secret?
Emily