Most Popular (1500 questions)
26 votes, 4 answers
Attacks of the MAC construction $\mathcal{H}(m\mathbin\|k)$ for common hashes $\mathcal{H}$?
Consider a common practically-collision-resistant hash function $\mathcal{H}$ (e.g. SHA-1, SHA-256, SHA-512, RIPEMD-160), perhaps based on the Merkle–Damgård construction as are the first three. We define a Message Authentication Code…
asked by fgrieu (140,762 rep; 12 gold, 307 silver, 587 bronze badges)
26 votes, 4 answers
How do we know a cryptographic primitive won't suddenly fail?
It took more than a decade from when MD5 looked like it was going to break to the point when it was actually broken. That's more than a decade of warning. One might suspect that we were fortunate that we got all that time. Even so, it took a long…
asked by wlad (1,239 rep; 1 gold, 13 silver, 24 bronze badges)
26 votes, 2 answers
How to solve MixColumns
I can't really understand MixColumns in the Advanced Encryption Standard; can anyone help me with how to do this?
I found some topics on the internet about MixColumns, but I still have a lot of questions to ask.
Ex.
$$
\begin{bmatrix}
\mathtt{d4}…
asked by goldroger (1,727 rep; 8 gold, 33 silver, 41 bronze badges)
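As an added worked example (not from the question or any of its answers): AES MixColumns on the single column the question starts from, d4 bf 5d 30, which is the FIPS 197 example column. The point that usually trips people up is that "multiply by 2" and "multiply by 3" are GF(2^8) multiplications reduced by the AES polynomial, and "add" is XOR, so the first output byte is 2·d4 ⊕ 3·bf ⊕ 5d ⊕ 30. The helpers below spell that out; the inverse matrix (0e 0b 0d 09) is included so the round-trip can be checked.

```python
# Added example: AES MixColumns with the GF(2^8) arithmetic written out.
# Not code from the question or its answers.

def xtime(a: int) -> int:
    """Multiply a GF(2^8) element by x (i.e. by 0x02). If the top bit overflows,
    reduce by the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication: XOR in a shifted copy of `a` for every
    set bit of `b`, reducing with xtime after each shift."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


# The MixColumns matrix and its inverse, rows as in FIPS 197 section 5.1.3 / 5.3.3.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """Matrix times a 4-byte column: 'multiply' is gmul, 'add' is XOR.
    Row 0 is therefore 2*a0 ^ 3*a1 ^ a2 ^ a3, where 3*a == xtime(a) ^ a."""
    return [
        gmul(row[0], col[0]) ^ gmul(row[1], col[1]) ^ gmul(row[2], col[2]) ^ gmul(row[3], col[3])
        for row in matrix
    ]


def inv_mix_column(col):
    return mix_column(col, INV_MIX)


def mix_columns(state: bytes) -> bytes:
    """Apply MixColumns to a full 16-byte AES state (column-major, as in FIPS 197)."""
    out = bytearray(16)
    for c in range(4):
        out[4 * c:4 * c + 4] = mix_column(list(state[4 * c:4 * c + 4]))
    return bytes(out)


if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]   # the column from the question
    print("2*d4 =", hex(xtime(0xD4)), " 3*bf =", hex(gmul(0xBF, 3)))
    print([hex(b) for b in mix_column(col)])            # ['0x4', '0x66', '0x81', '0xe5']
    print([hex(b) for b in inv_mix_column(mix_column(col))])
```

Working the first row by hand: 2·d4 = b3 (d4 shifted left is 1a8, drop the overflow bit to get a8, XOR 1b gives b3), 3·bf = 2·bf ⊕ bf = 65 ⊕ bf = da, and b3 ⊕ da ⊕ 5d ⊕ 30 = 04, which is what the code returns.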
26 votes, 1 answer
How does ECDH arrive on a shared secret?
I read a brilliant, three part article on Elliptic Curve cryptography (one, two, three). It was able to explain Elliptic Curves to me in a way that didn't require a math degree to understand. The crux of the article is in page two, namely, when…
asked by Eddie (983 rep; 2 gold, 14 silver, 26 bronze badges)
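An added example to go with this question (it is not from the question or the linked article): the whole ECDH exchange on a curve small enough to check by hand, y² = x³ + 2x + 2 over F₁₇ with generator G = (5, 1), the textbook curve from Paar and Pelzl. The secrets a and b below are constructed for the demo. The shared secret arises because scalar multiplication is associative and commutative in the scalar: a·(b·G) = (ab)·G = b·(a·G), while an observer who sees only G, a·G and b·G would have to solve the discrete logarithm to get a or b.

```python
# Added example: ECDH on a toy curve. Not code from the question or the article it cites.

P = 17            # field prime
A, B = 2, 2       # curve y^2 = x^3 + A*x + B
G = (5, 1)        # generator; None represents the point at infinity O


def on_curve(pt) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law in affine coordinates (chord-and-tangent rule)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                          # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P)   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)          # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt):
    """k * pt by double-and-add. Easy in this direction; recovering k from
    (pt, k*pt) is the elliptic-curve discrete logarithm problem."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt) -> int:
    """Smallest n with n * pt == O (brute force; fine for a 17-element field)."""
    n, q = 1, pt
    while q is not None:
        q = point_add(q, pt)
        n += 1
    return n


def ecdh(a: int, b: int):
    """Alice publishes a*G, Bob publishes b*G; each multiplies the other's
    point by their own secret. Returns (pub_a, pub_b, secret_alice, secret_bob)."""
    pub_a, pub_b = scalar_mult(a, G), scalar_mult(b, G)
    return pub_a, pub_b, scalar_mult(a, pub_b), scalar_mult(b, pub_a)


if __name__ == "__main__":
    n = point_order(G)                       # order of <G>; secrets live in 1..n-1
    pub_a, pub_b, s_a, s_b = ecdh(3, 7)      # constructed secrets a=3, b=7
    print(f"order(G) = {n}; Alice sends {pub_a}, Bob sends {pub_b}; shared {s_a} == {s_b}")
```

With a = 3 and b = 7 both sides land on 21·G, and since G has order 19 that is 2·G = (6, 3); anyone can verify by doubling G once: the tangent slope at (5, 1) is (3·25 + 2)/2 = 77/2 ≡ 13 (mod 17), giving x = 13² − 10 ≡ 6 and y = 13·(5 − 6) − 1 ≡ 3.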
26 votes, 2 answers
How does the MOV attack work?
What exactly is the MOV attack, how does it actually work, and what is it used for?
It's explained briefly here, and I'd like to know more about what it is and what it is fully used for.
asked by Ben (699 rep; 1 gold, 7 silver, 13 bronze badges)
26 votes, 2 answers
Is HMAC needed for a SHA-3 based MAC?
HMAC does nested hashing in order to prevent Length Extension Attacks.
Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure…
asked by hl3mukkel (499 rep; 5 silver, 9 bronze badges)
26 votes, 1 answer
Why are the lower 3 bits of curve25519/ed25519 secret keys cleared during creation?
I am currently experimenting with ed25519 and I noticed that on secret key creation, bit 254 is always set and the lower 3 bits are always cleared. I found that bit 254 is always set to protect against timing attacks in this question: When using…
asked by MepAhoo (263 rep; 3 silver, 4 bronze badges)
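An added example, not from the question or its answer: the RFC 8032 secret-scalar derivation with exactly the bit manipulation the question observed, followed by a small abstract model of the cofactor argument. The model treats the Curve25519 group as Z/8 × Z/L, where L is the order of the prime-order subgroup (that decomposition is standard, but the tuple representation is an assumption of this demo, not anything from the RFC). The seed is constructed.

```python
# Added example: Ed25519/X25519 scalar clamping and why the low 3 bits are cleared.
# Not code from the question or its answer.

import hashlib

# Order of the prime-order subgroup of Curve25519 (group order is 8 * L).
L = 2 ** 252 + 27742317777372353535851937790883648493


def ed25519_secret_scalar(seed: bytes):
    """RFC 8032 section 5.1.5: SHA-512 the 32-byte seed; the first half, after
    clamping, is the signing scalar, the second half is the nonce prefix."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seeds are 32 bytes")
    h = hashlib.sha512(seed).digest()
    a = bytearray(h[:32])
    a[0] &= 0xF8      # clear bits 0..2: the scalar becomes a multiple of 8, the cofactor
    a[31] &= 0x7F     # clear bit 255: the scalar is below 2^255
    a[31] |= 0x40     # set bit 254: fixed top bit, so every scalar has exactly 255 bits
    return int.from_bytes(a, "little"), h[32:]


def x25519_clamp(k: bytes) -> bytes:
    """RFC 7748 section 5 (decodeScalar25519): the same three masks for X25519."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def scalar_properties(a: int) -> dict:
    return {
        "multiple_of_8": a % 8 == 0,
        "bit254_set": (a >> 254) & 1 == 1,
        "bit255_clear": (a >> 255) == 0,
        "bit_length": a.bit_length(),   # always 255: a Montgomery ladder runs a fixed number of steps
    }


def multiply_point_model(a: int, point):
    """Abstract model (demo assumption): a point is (t, r) with t in Z/8 the small-order
    'torsion' component and r in Z/L the prime-order component; scalar multiplication
    acts on each component separately."""
    t, r = point
    return ((a * t) % 8, (a * r) % L)


def torsion_independent(a: int, r: int) -> bool:
    """True if a*(P + T) == a*P for every small-order T, i.e. an attacker who hands
    us a public key with a torsion component learns nothing about a mod 8."""
    base = multiply_point_model(a, (0, r))
    return all(multiply_point_model(a, (t, r)) == base for t in range(8))


if __name__ == "__main__":
    seed = bytes(range(32))                      # constructed seed, never use a fixed seed for real keys
    a, prefix = ed25519_secret_scalar(seed)
    print(scalar_properties(a))
    print("torsion independent:", torsion_independent(a, 123456789))
```

Clearing the low three bits makes the scalar a multiple of 8, so any order-2, -4 or -8 component of a point the peer sends (an invalid-curve or small-subgroup probe) is multiplied to the identity and cannot leak the low bits of the secret through the resulting shared secret. Setting bit 254 fixes the scalar's length so a variable-time ladder does not reveal it through timing, which is the other half of the question.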
25 votes, 4 answers
The exact difference between a permutation and a substitution
I've noticed confusing definitions about permutation and substitution, preventing me from understanding the difference.
A permutation changes the order of distinct elements of a set, but this can be written as a function changing one element by…
asked by Dingo13 (2,867 rep; 3 gold, 27 silver, 46 bronze badges)
25 votes, 2 answers
What is the difference between Scrypt and PBKDF2?
After reading these two resources, I am wondering whether I am getting all the differences between Scrypt and PBKDF2.
As far as I understood, the similarity is:
both are password-based key derivation functions.
The difference is:
Scrypt is more resource…
asked by Salvador Dali (365 rep; 1 gold, 3 silver, 7 bronze badges)
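As an added example (not from the question or the two resources it links), both KDFs from Python's standard hashlib side by side, with the cost parameters that embody the difference: PBKDF2 has one knob, iteration count, and needs almost no memory, while scrypt adds a memory-hard core whose working set is 128·r·N bytes. The passwords and salts are constructed; the two known-answer checks are the common PBKDF2-HMAC-SHA256 vector and the first scrypt vector from RFC 7914.

```python
# Added example: PBKDF2 vs scrypt via hashlib. Not code from the question or its links.

import hashlib
import os
import time


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = 600_000, dklen: int = 32) -> bytes:
    """PBKDF2: `iterations` sequential HMAC-SHA256 calls. The cost is CPU time only
    and the state is a few hundred bytes, so GPUs/ASICs can run huge numbers of
    guesses in parallel; raising the iteration count is the only defence."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of the table scrypt's ROMix fills and then reads back in a
    data-dependent order: n blocks of 128*r bytes (per parallel lane when p > 1)."""
    return 128 * r * n


def scrypt_kdf(password: bytes, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1, dklen: int = 32) -> bytes:
    """scrypt: PBKDF2-HMAC-SHA256 is still used at the start and end, but around a
    memory-hard core. n (power of two) sets both time and memory, r the block size,
    p the number of independent lanes. OpenSSL refuses to run if its memory estimate
    exceeds maxmem, so the limit is set explicitly from the parameters."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=dklen,
                          maxmem=2 * scrypt_memory_bytes(n, r) * p)


def verify(password: bytes, salt: bytes, expected: bytes, kdf) -> bool:
    """Constant-time comparison of a freshly derived key against the stored one."""
    import hmac
    return hmac.compare_digest(kdf(password, salt), expected)


if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", os.urandom(16)   # constructed inputs
    for name, kdf, mem in (("PBKDF2", pbkdf2_sha256, "~0.5 KiB"),
                           ("scrypt", scrypt_kdf, f"{scrypt_memory_bytes(2 ** 14, 8) // 2**20} MiB")):
        t0 = time.perf_counter()
        key = kdf(pw, salt)
        print(f"{name}: {time.perf_counter() - t0:.3f}s, memory {mem}, key {key.hex()[:16]}...")
    stored = scrypt_kdf(pw, salt)
    print("verify:", verify(pw, salt, stored, scrypt_kdf), verify(b"wrong", salt, stored, scrypt_kdf))
```

The practical reading: a PBKDF2 hash costing 0.1 s on the server costs an attacker with a GPU rig a tiny fraction of that per guess, because nothing stops thousands of guesses running at once in registers. A scrypt hash costing 0.1 s and 16 MiB forces the attacker to provide 16 MiB per concurrent guess, which is what makes the parallel speed-up expensive.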
25 votes, 1 answer
Is openssl rand command cryptographically secure?
I'm wondering if the openssl rand command produces cryptographically secure random bytes. For example when in need for a random password or token:
openssl rand -hex 32
The man page unfortunately neither states that it's cryptographically secure, nor…
asked by firefexx (407 rep; 1 gold, 4 silver, 7 bronze badges)
25 votes, 1 answer
Low Public Exponent Attack for RSA
I'm having trouble understanding the algorithm for finding the original message $m$, when there is a small public exponent. Here is the example I'm trying to follow (you can also read it in the 'Low exponent RSA paragraph' of this article-…
asked by user1136342 (449 rep; 1 gold, 5 silver, 10 bronze badges)
25 votes, 4 answers
Is sharing the modulus for multiple RSA key pairs secure?
In the RSA public-key system, each user holds, beyond a public modulus $m$, a public exponent $e$ and a private exponent $d$.
Suppose that Bob's private exponent is learned by other users. Rather than generating a new modulus, Bob decides to…
asked by Mohammed Fathi (251 rep; 1 gold, 3 silver, 3 bronze badges)
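One added example serving both RSA questions above (the low public exponent question and the shared-modulus question); it is not code from either question or their answers. It works on toy 64-bit moduli generated from a seeded RNG, and the messages are constructed. Three things are shown: when $e = 3$ and $m^3 < n$ the ciphertext is literally $m^3$ over the integers and an integer cube root recovers $m$; Håstad's broadcast version, where the same $m$ is sent to three users and CRT reassembles $m^3$ from the three ciphertexts; and, for the shared-modulus scenario, how a leaked $(e, d)$ pair factors $n$, after which the attacker computes Bob's new private exponent for whatever new $e$ he picks.

```python
# Added example: low-exponent RSA attacks and factoring n from a leaked (e, d).
# Not code from the questions or their answers; standard algorithms on toy keys.

import random
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 32-bit primes this demo generates."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def gen_prime(bits: int, rng: random.Random, e: int) -> int:
    """Random prime of exactly `bits` bits with gcd(p - 1, e) == 1, so e is a valid exponent."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(p) and gcd(p - 1, e) == 1:
            return p


def iroot(n: int, k: int) -> int:
    """floor(n ** (1/k)) in exact integer arithmetic (Newton iteration from above)."""
    x = 1 << ((n.bit_length() + k - 1) // k)
    while x ** k > n:
        x = ((k - 1) * x + n // x ** (k - 1)) // k
    while (x + 1) ** k <= n:
        x += 1
    return x


def small_message_attack(c: int, e: int):
    """If m**e < n, no modular reduction happened: c == m**e over the integers."""
    m = iroot(c, e)
    return m if m ** e == c else None


def hastad_broadcast(cts, mods, e: int):
    """Same m sent to e recipients with pairwise coprime moduli. CRT gives
    m**e mod (n1*n2*n3); since m**e < n1*n2*n3 that is m**e exactly."""
    N = 1
    for n in mods:
        N *= n
    x = 0
    for c, n in zip(cts, mods):
        Ni = N // n
        x += c * Ni * pow(Ni, -1, n)
    x %= N
    m = iroot(x, e)
    return m if m ** e == x else None


def factor_from_private_exponent(n: int, e: int, d: int, rng: random.Random):
    """e*d - 1 is a multiple of lambda(n), so g**(e*d - 1) == 1 (mod n) for all g.
    Write e*d - 1 = 2**s * t and square g**t repeatedly; with probability >= 1/2
    per g we meet a square root of 1 other than +-1, and gcd(x - 1, n) splits n."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s += 1
        t //= 2
    while True:
        g = rng.randrange(2, n - 1)
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                 # x is a nontrivial square root of 1
                p = gcd(x - 1, n)
                return p, n // p
            if y == n - 1:             # next square is trivially 1; try another g
                break
            x = y


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)                      # fixed seed: reproducible toy keys
    e = 3
    keys = []                                      # three users, three moduli
    while len(keys) < 3:
        p, q = gen_prime(32, rng, e), gen_prime(32, rng, e)
        if p != q:
            keys.append((p * q, pow(e, -1, (p - 1) * (q - 1))))
    mods = [n for n, _ in keys]
    # 1. Single ciphertext, tiny message: m**3 < n, so the cube root is exact.
    m_small = int.from_bytes(b"AB", "big")
    rec_small = small_message_attack(pow(m_small, e, mods[0]), e)
    # 2. Hastad: one 56-bit message to all three users, m**3 < n1*n2*n3.
    m = int.from_bytes(b"PIN4271", "big")
    rec_broadcast = hastad_broadcast([pow(m, e, n) for n in mods], mods, e)
    # 3. Shared modulus: user 0's d leaks, he keeps n and picks a new exponent e2.
    n, d = keys[0]
    p, q = factor_from_private_exponent(n, e, d, rng)
    e2 = 65537
    while gcd(e2, (p - 1) * (q - 1)) != 1:
        e2 += 2
    d2 = pow(e2, -1, (p - 1) * (q - 1))           # the attacker derives the *new* private key
    rec_newkey = pow(pow(m, e2, n), d2, n)
    return {"m_small": m_small, "rec_small": rec_small, "m": m, "rec_broadcast": rec_broadcast,
            "n": n, "p": p, "q": q, "e2": e2, "rec_newkey": rec_newkey}


if __name__ == "__main__":
    print(demo())
```

The same factoring routine is also why sharing one modulus among several users is unsafe even without a leak: every legitimate user already holds a valid $(e_i, d_i)$ for $n$ and can run it against everyone else's keys.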
25 votes, 1 answer
Why is SHA-3 robust against Length-Extension Attacks?
If a length extension attack can occur because of $H(\text{K}\mathbin\|\text{Message})$, what changed in SHA-3 from SHA-2 that prevents this from occurring?
asked by elberman (351 rep; 3 silver, 3 bronze badges)
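One added example for the three MAC-construction questions on this page (attacks on $\mathcal{H}(m\mathbin\|k)$, whether HMAC is needed with SHA-3, and why SHA-3 resists length extension); it is not code from any of those questions or their answers. It contains a small pure-Python SHA-256 whose compression function can be resumed from an arbitrary chaining value, which is exactly the capability a length-extension attacker has against $H(k\mathbin\|m)$: the digest *is* the internal state, so the attacker can keep hashing. The secret key and messages are constructed. The same trick does not apply to the suffix-key variant $H(m\mathbin\|k)$, where the key is absorbed last; that construction's problems are collision-based, which this demo does not cover.

```python
# Added example: SHA-256 with a resumable state, a length-extension forgery against
# H(key || msg), and the HMAC / SHA-3 alternatives. Not code from the questions or answers.

import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _frac_root(p, k):
    """First 32 bits of the fractional part of p**(1/k), exactly (integer k-th root of
    p << 32k). FIPS 180-4 defines the IV (square roots) and K (cube roots) this way."""
    n = p << (32 * k)
    x = 1 << ((n.bit_length() + k - 1) // k)
    while x ** k > n:
        x = ((k - 1) * x + n // x ** (k - 1)) // k
    while (x + 1) ** k <= n:
        x += 1
    return x & MASK


def _primes(count):
    out, c = [], 2
    while len(out) < count:
        if all(c % p for p in out):
            out.append(c)
        c += 1
    return out


_P = _primes(64)
IV = [_frac_root(p, 2) for p in _P[:8]]    # 6a09e667, bb67ae85, ...
K = [_frac_root(p, 3) for p in _P]          # 428a2f98, 71374491, ...


def sha256_from_state(msg: bytes, state=None, prior_len: int = 0) -> bytes:
    """SHA-256 of `msg`, optionally continuing from a known 8-word chaining value
    into which `prior_len` bytes were already absorbed. The padding encodes the
    total length, which is why an attacker must know (or guess) len(key || msg)."""
    assert prior_len % 64 == 0, "a chaining value only exists at a block boundary"
    h = list(IV if state is None else state)
    total = prior_len + len(msg)
    msg += b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack(">Q", total * 8)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 64):
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)


def sha256(msg: bytes) -> bytes:
    return sha256_from_state(msg)


def matches_stdlib(msg: bytes) -> bool:
    return sha256(msg) == hashlib.sha256(msg).digest()


def length_extension(known_tag: bytes, known_len: int, suffix: bytes):
    """From H(key || msg) and len(key || msg) alone, produce (glue + suffix, tag') with
    H(key || msg || glue || suffix) == tag'. `glue` is the padding SHA-256 itself
    appended when the original tag was computed; the key is never needed."""
    glue = b"\x80" + b"\x00" * ((55 - known_len) % 64) + struct.pack(">Q", known_len * 8)
    state = struct.unpack(">8I", known_tag)
    forged = sha256_from_state(suffix, state, known_len + len(glue))
    return glue + suffix, forged


def demo() -> dict:
    secret = b"server-side-key-0x5eed"            # constructed; the attacker never sees it
    msg = b"user=alice&role=user"
    tag = sha256(secret + msg)                     # the weak MAC: H(key || msg)
    # Attacker knows msg and tag, guesses len(secret), and appends a parameter.
    suffix, forged = length_extension(tag, len(secret) + len(msg), b"&role=admin")
    accepted = hashlib.sha256(secret + msg + suffix).digest() == forged   # the server's check
    # HMAC: H((k ^ opad) || H((k ^ ipad) || msg)). The attacker sees only the outer
    # digest, and extending it would need the outer *input*, which contains the key.
    hmac_tag = hmac.new(secret, msg, hashlib.sha256).digest()
    # SHA-3: the 256-bit output is a slice of a 1600-bit sponge state; the hidden
    # 512-bit capacity cannot be reconstructed, so plain H(key || msg) is already sound.
    sha3_tag = hashlib.sha3_256(secret + msg).digest()
    return {"forged_accepted": accepted, "forged_message": msg + suffix,
            "hmac_tag": hmac_tag, "sha3_tag": sha3_tag}


if __name__ == "__main__":
    r = demo()
    print("forgery accepted:", r["forged_accepted"])
    print("forged message:", r["forged_message"])
```

The forged message carries the glue bytes (0x80, zero padding, the 64-bit length) in the middle; whether that is harmful depends on how leniently the server parses, and in query strings it usually is. Note that nothing about SHA-256 is "broken" here: the construction H(key || msg) exposes the state, HMAC hides it behind a second keyed hash, and SHA-3 never exposes it in the first place, which is why a plain keyed SHA-3 (or the KMAC standard built on it) needs no HMAC wrapper.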
25 votes, 3 answers
Is Encrypt+HMAC stronger than AEAD?
There are a few posts that I've come across that seem to imply that using regular encryption and a MAC might be better than using the newer AEAD (i.e. AES/GCM)…
asked by slipheed (427 rep; 4 silver, 8 bronze badges)
25 votes, 5 answers
Can a hard drive store clear text data that is physically impossible to retrieve?
I'm trying to study how HSMs and TPMs work when storing secret data in clear text. How can they make it physically impossible to retrieve the secret data?
I get the point in software: if you just have inputs and no outputs, then it should be impossible…
asked by einstein (421 rep; 5 silver, 7 bronze badges)