Most Popular

1500 questions
31
votes
2 answers

What are standard cryptographic assumptions?

I am struggling to understand what is meant by "standard cryptographic assumption". The Wikipedia article on the Goldwasser–Micali system (GM) reads "GM has the distinction of being the first probabilistic public-key encryption scheme which is…
3nondatur
31
votes
2 answers

What are the implications of the new alleged key recovery attack preprint on SIMON?

Just recently, a new attack was published against SIMON-32/64 which claims to also be applicable to other versions of the cipher. The paper, now archived, is titled A Note on SIMON-32/64 Security and describes a new practical, low-cost key recovery…
forest
31
votes
2 answers

Fixed point of the SHA-256 compression function

SHA256 Free Start Self Collision (Full 64 rounds) IVec: 72BF9EF1 27B82DFB F298F3B7 22B6C32C 18A54860 4C032D91 ADD7B85B 7ED1A4AC Block: 0000004D 0000006F 00000075 00000073 00000065 00000054 00000072 00000061 00000070 00000000 00000000 00000000…
Nathan.Mariels
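The question above presents an (IV, block) pair as a free-start fixed point of the SHA-256 compression function, i.e. a pair with compress(IV, block) == IV. The block shown on this page is truncated, so the pair cannot be re-checked here; the following added example (not code from the question or its answers) implements the compression function from the FIPS 180-4 description so that a reader with the full IV and block can check the fixed-point property themselves. Round constants and the standard IV are derived in exact integer arithmetic (cube and square roots of the first 64 and 8 primes) rather than typed in, and the implementation is validated by reproducing the SHA-256 digest of "abc". The function name is_fixed_point is this example's own.

```python
"""SHA-256 compression function, written out so that a candidate (chaining value, block)
pair can be tested for the Davies-Meyer fixed-point property compress(h, block) == h.
Added example; the IV/block pair from the question is not reproduced because the page
shows it truncated."""
import math
import struct

MASK = 0xFFFFFFFF


def _first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def _icbrt(n):
    """Exact integer cube root floor(cbrt(n)) via Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# K[t] = first 32 bits of frac(cbrt(prime_t)); IV = first 32 bits of frac(sqrt(prime_i)).
# floor(cbrt(p) * 2^32) == icbrt(p << 96), so no floating point is involved.
_PRIMES = _first_primes(64)
K = [_icbrt(p << 96) & MASK for p in _PRIMES]
IV = tuple(math.isqrt(p << 64) & MASK for p in _PRIMES[:8])


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(h, block_words):
    """One application of the SHA-256 compression function.

    h: 8 32-bit chaining words; block_words: 16 32-bit message words (big-endian order).
    Returns the 8 new chaining words (feed-forward addition included)."""
    w = list(block_words) + [0] * 48
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w[t] = (w[t - 16] + s0 + w[t - 7] + s1) & MASK
    a, b, c, d, e, f, g, hh = h
    for t in range(64):
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    # Davies-Meyer feed-forward: the fixed point asked about is h == compress(h, block).
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh)))


def is_fixed_point(chaining_words, block_words):
    """True when the block maps the chaining value to itself (a free-start fixed point)."""
    return tuple(chaining_words) == compress(tuple(chaining_words), block_words)


def sha256_one_block(msg):
    """Full SHA-256 of a message shorter than 56 bytes (single padded block); used to
    validate compress() against a known digest."""
    assert len(msg) < 56
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + (8 * len(msg)).to_bytes(8, "big")
    words = struct.unpack(">16I", padded)
    return b"".join(x.to_bytes(4, "big") for x in compress(IV, words))


if __name__ == "__main__":
    print(sha256_one_block(b"abc").hex())
    # The standard IV is (with overwhelming probability) not a fixed point for the zero block.
    print(is_fixed_point(IV, [0] * 16))
```

To check the pair from the question, convert the eight IVec words and the sixteen Block words to integers and call is_fixed_point(ivec, block); a correct free-start fixed point returns True, and a single wrong word returns False.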
31
votes
2 answers

What does "birational equivalence" mean in a cryptographic context?

In a recent question on using the same curve for signing and ECDH it was noted for the Ed25519 curve and Curve25519: Nitpick: the curves are birationally equivalent, not isomorphic. Now this term shows up quite often in cryptography, especially…
SEJPM
31
votes
3 answers

What's the purpose of key-rotation?

What's the purpose of key-rotation? Does it have any effect on the probability of keys being breached in the first place? Does it refer to avoiding access after a breach to all past data, all future data, both or none?
Filip Haglund
31
votes
1 answer

Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RLWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply uniformly selecting the coefficients from the set…
Morty
31
votes
4 answers

Why does Neumann think cryptography isn't the solution?

What did Peter G. Neumann mean by: If you think cryptography is the answer to your problem, then you don't know what your problem is. (eg: quoted in the New York Times, February 20 2001)
user2768
31
votes
7 answers

Why does RSA need p and q to be prime numbers?

Despite having read What makes RSA secure by using prime numbers?, I seek clarification because I am still struggling to really grasp the underlying concepts of RSA. Specifically, why can't we choose a non-prime $p$ and $q$? I do understand the key…
sharly
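The question above asks why p and q must be prime. One concrete thing a worked example shows is that the private exponent is computed as the inverse of e modulo (p-1)(q-1), and that quantity equals phi(n) only when p and q are prime; with a composite factor, d no longer inverts e and decryption returns the wrong plaintext. The following added example (not code from the question or its answers) uses deliberately tiny, insecure parameters and counts the messages that fail to round-trip. It also shows a second problem the question hints at: if the composite factor makes n non-square-free (here 9 * 11 = 99), then even the correct phi(n) does not make x -> x^e a permutation of Z_n, so some messages are unrecoverable in principle. The function names are this example's own.

```python
"""Textbook RSA with tiny parameters, used to show what breaks when p or q is composite.
Added example; the numbers are far too small for any real use."""
from math import gcd


def phi_assumed(p, q):
    """What a key generator computes when it trusts p and q to be prime."""
    return (p - 1) * (q - 1)


def phi_true(n):
    """Euler's totient by brute force (fine for the toy moduli used here)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def make_key(p, q, e, use_true_phi=False):
    """Return (n, e, d) with d = e^-1 mod phi. Requires Python 3.8+ for pow(e, -1, m)."""
    n = p * q
    m = phi_true(n) if use_true_phi else phi_assumed(p, q)
    if gcd(e, m) != 1:
        raise ValueError("e must be coprime to the modulus used for the inverse")
    return n, e, pow(e, -1, m)


def roundtrip_failures(p, q, e, use_true_phi=False):
    """All messages m in Z_n for which decrypt(encrypt(m)) != m."""
    n, e, d = make_key(p, q, e, use_true_phi)
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]


if __name__ == "__main__":
    # Honest key: p = 11, q = 13 are prime; every message round-trips.
    print("prime p, q:", roundtrip_failures(11, 13, 7))
    # p = 9 is composite: (p-1)(q-1) = 80 but phi(99) = 60, so d is wrong.
    print("phi(99) =", phi_true(99), "but generator used", phi_assumed(9, 11))
    print("composite p, wrong phi:", len(roundtrip_failures(9, 11, 7)), "failing messages")
    # Even with the true phi(99), 99 = 3^2 * 11 is not square-free, so multiples of 3 still fail.
    print("composite p, true phi:", roundtrip_failures(9, 11, 7, use_true_phi=True))
```

The security side of the same observation: a composite p is itself a product of smaller primes, so n has small factors and is easy to factor, which is the other half of why the generator must supply genuine primes.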
31
votes
2 answers

Blum Blum Shub vs. AES-CTR or other CSPRNGs

Following on from D.W.'s comments on a previous question, what properties does Blum Blum Shub have that make it better / worse than other PRNGs? Are there significant implementation difficulties or security issues with BBS?
Polynomial
31
votes
2 answers

How does a non-prime modulus for Diffie-Hellman allow for a backdoor?

Recently someone found that a Diffie-Hellman modulus used in a unix tool (socat) was not prime. This led some people to shout "backdoor". What I don't understand is, how could this allow for a backdoor? I'm guessing the problem could be small…
David 天宇 Wong
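The question above asks how a composite Diffie-Hellman modulus could serve as a backdoor. One mechanism, shown here as an added example (not code from the question or its answers), is that Z_N^* for N = p*q splits into Z_p^* x Z_q^*: whoever knows the factorisation can solve the discrete logarithm modulo each factor separately, where the group orders are small, and recombine the partial exponents with the Chinese remainder theorem. Everyone else faces the full-size group. The factors used here (1009 and 1013) are deliberately tiny so that the per-factor logarithms can be brute-forced; the function names are this example's own.

```python
"""Discrete log modulo a composite N = p * q, solved by whoever knows p and q.
Added example with toy-sized factors; brute force per factor stands in for a real
index-calculus or Pohlig-Hellman step, which would be used against larger factors."""
from math import gcd


def order(g, p):
    """Multiplicative order of g modulo prime p (brute force, p is tiny here)."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def dlog_bruteforce(g, h, m, bound):
    """Smallest x < bound with g^x == h (mod m), or None."""
    x, cur = 0, 1
    target = h % m
    while x < bound:
        if cur == target:
            return x
        cur = cur * g % m
        x += 1
    return None


def crt(residues):
    """Combine (r_i, m_i) pairs into x == r_i (mod m_i) for all i.

    Moduli need not be pairwise coprime; returns (x, lcm) or None if inconsistent."""
    x, mod = 0, 1
    for r, m in residues:
        g = gcd(mod, m)
        if (r - x) % g:
            return None
        t = ((r - x) // g) * pow(mod // g, -1, m // g) % (m // g)
        x += mod * t
        mod *= m // g
        x %= mod
    return x, mod


def dlog_via_factors(g, h, factors):
    """Recover x with g^x == h (mod prod(factors)) from the known prime factors.

    Returns x modulo lcm of the per-factor orders of g, which is all that h determines."""
    parts = []
    for p in factors:
        o = order(g, p)
        xp = dlog_bruteforce(g, h, p, o)
        if xp is None:
            raise ValueError("h is not in the subgroup generated by g mod %d" % p)
        parts.append((xp, o))
    x, _ = crt(parts)
    return x


def dh_secret_from_public(g, public, factors):
    """The 'backdoor' view: given a party's public value g^x mod N and the factorisation
    of N, return an exponent that reproduces it (and hence the shared secret)."""
    return dlog_via_factors(g, public, factors)


if __name__ == "__main__":
    factors = [1009, 1013]          # constructed toy modulus; both are prime
    N = factors[0] * factors[1]
    g, alice_secret = 2, 123456
    alice_public = pow(g, alice_secret, N)
    recovered = dh_secret_from_public(g, alice_public, factors)
    print("recovered exponent:", recovered, "reproduces public value:",
          pow(g, recovered, N) == alice_public)
    print("work: at most", sum(order(g, p) for p in factors),
          "group operations instead of up to", N)
```

The recovered exponent is only defined modulo lcm(ord_p(g), ord_q(g)), but that is exactly what is needed: raising the other party's public value to it yields the same shared secret the legitimate parties compute. A prime modulus with a large prime-order subgroup offers no such shortcut to anyone.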
31
votes
7 answers

How can SSL secure a two-way communication with only one key-pair?

As I understand it, SSL involved the use of a public-private key pair. How does this enable two-way communication? Suppose I have some server with which I wish to communicate securely. I connect to it, and it supplies me a certificate, which…
GWLlosa
31
votes
2 answers

How does one verify a GPG/PGP key revocation?

After revoking a key and sending the revocation to MIT's keyserver, I noticed that the key is listed as such: pub 2048R/XXXXXXXX 2011-01-01 *** KEY REVOKED *** [not verified] Who is responsible for the 'verification of the revocation'? Does the…
earthmeLon
31
votes
4 answers

What is the difference between known-plaintext attack and chosen-plaintext attack?

I am very confused between the concept of known-plaintext attack and chosen-plaintext attack. It seems to me that these two are the same thing, but they definitely are not. Can anyone explain to me how these two differ?
Tom Fabregas
31
votes
2 answers

How do I apply differential cryptanalysis to a block cipher?

I have read a lot of summaries of block ciphers particularly with regards to the NIST competitions stating that reduced-round block ciphers are – for example – vulnerable to differential cryptanalysis. I have a general idea that the application of…
user46
31
votes
3 answers

Is every output of a hash function possible?

Is every output of a hash function (e.g. SHA1, MD5, etc) guaranteed to be possible, or, conversely, are there any output values that cannot possibly be created from any input? In other words, are hash functions surjective? If so, what guarantees…
Polynomial