Most Popular

1500 questions
24 votes, 2 answers

Is H(k||length||x) a secure MAC construction?

If $H$ is a typical secure hash function, then $(k,x) \mapsto H(k \mathbin\| x)$ is not a secure MAC construction, because given a known plaintext $x_1$ and its MAC $m_1$, an attacker can extend $k \mathbin\| x_1$ to a longer message with the same…
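The extension attack the excerpt refers to, worked through in an added example (this code is not part of the question or its answers). It is a pure-Python SHA-1 whose compression function can be resumed from a known digest, used first against MAC(k, x) = SHA1(k || x) and then against the length-prefixed variant the title asks about; an 8-byte big-endian length field is assumed for that variant. The key, messages and suffix are constructed sample values, and the attacker is assumed to know only the key's length.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(msg_len):
    """Standard SHA-1 padding for a message of msg_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def _compress(state, block):
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1(data, state=IV, prior_len=0):
    """SHA-1 of data. When state/prior_len are given, continues as if prior_len bytes
    (a multiple of 64) had already been compressed into state. A digest IS the state,
    which is exactly what a length-extension attacker exploits."""
    msg = data + sha1_pad(prior_len + len(data))
    for i in range(0, len(msg), 64):
        state = _compress(state, msg[i:i + 64])
    return struct.pack(">5I", *state)


def matches_hashlib(data):
    """Sanity check of the pure-Python implementation against the stdlib."""
    return sha1(data) == hashlib.sha1(data).digest()


def extend(mac, hashed_len, x2):
    """Length extension: from mac = SHA1(m) and len(m) alone (m itself unknown), return the
    glue padding and SHA1(m || glue || x2)."""
    glue = sha1_pad(hashed_len)
    return glue, sha1(x2, struct.unpack(">5I", mac), hashed_len + len(glue))


KEY = b"constructed-demo-key"     # constructed; the attacker knows only len(KEY)
X1 = b"amount=100&to=alice"       # constructed known message x1
X2 = b"&to=mallory"               # suffix the attacker wants authenticated


def forge_against_prefix_mac():
    """MAC(k, x) = SHA1(k || x): one (x1, mac1) pair yields a valid tag for x1 || glue || x2.
    Returns True when the verifier accepts the forgery."""
    mac1 = sha1(KEY + X1)
    glue, forged_mac = extend(mac1, len(KEY) + len(X1), X2)
    forged_msg = X1 + glue + X2
    return sha1(KEY + forged_msg) == forged_mac


def forge_against_length_prefixed_mac():
    """Same extension against SHA1(k || len(x) || x) with an 8-byte length field (assumed encoding).
    Returns (extension still computes the right hash, verifier accepts the forgery)."""
    def mac(x):
        return sha1(KEY + struct.pack(">Q", len(x)) + x)

    mac1 = mac(X1)
    glue, forged_mac = extend(mac1, len(KEY) + 8 + len(X1), X2)
    forged_msg = X1 + glue + X2
    # The attacker did extend the hash of (k || len(x1) || x1) correctly...
    extension_ok = sha1(KEY + struct.pack(">Q", len(X1)) + forged_msg) == forged_mac
    # ...but the verifier hashes len(forged_msg), not len(x1), so the tags differ.
    return extension_ok, mac(forged_msg) == forged_mac
```

The first forgery succeeds because the tag handed to the attacker is the full chaining state after k || x1, so the compression function can simply be continued. The second function shows the same forgery failing under SHA1(k || len(x) || x): the length field the verifier hashes covers the glue and suffix, so it no longer matches the one the attacker implicitly extended. That rules out this one attack and says nothing about others, which is what the question is about.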
24 votes, 3 answers

Are there practical upper limits of RSA key lengths?

Suppose one wanted to use RSA encryption for the sole purpose of sending key bits for use in symmetric crypto systems, a dedicated key exchange system so to speak. And say you didn't think that the presently used RSA key lengths were going to be…
William Hird
24 votes, 2 answers

How exactly was the finalist chosen in the NIST AES competition?

I was just reading the Stick Figure Guide to AES and came across an interesting table explaining how the winner was chosen: Unfortunately the NIST site is down so I can't gain further information about the approval process so I was hoping someone…
J_M
24 votes, 2 answers

Why initialize SHA1 with specific buffer?

SHA-1 is initialized with a specific buffer: h0 = 0x67452301, h1 = 0xEFCDAB89, h2 = 0x98BADCFE, h3 = 0x10325476, h4 = 0xC3D2E1F0. Why?
juaninf
24 votes, 3 answers

How can Cipher Block Chaining (CBC) in SSL be attacked?

I am trying to understand how CBC-mode in SSL/TLS can be attacked. I have been looking around online but all examples and explanations are very hard to understand and follow. Can you give a simple explanation for how such attacks happen?
antonpug
24 votes, 3 answers

Are NIST's changes to Keccak/SHA-3 problematic?

NIST is working on standardizing SHA-3. They have selected Keccak as the basis for SHA-3, and they plan to make some small changes to it; the result (with NIST's changes) will be standardized as SHA-3. A blog post from the CDT raises concerns over…
D.W.
23 votes, 1 answer

What is the origin of the word "Keccak"?

Where does the word or acronym Keccak come from? Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. Keccak sponge function family main document. Submission to NIST (updated), 2009. "NIST Selects Winner of Secure Hash Algorithm…
user8131
23 votes, 2 answers

How can I remove my personal data from my PGP public key?

According to this Q&A-discussion it is possible to remove all personal data (name and mail address) that is attached to a public key. What steps do I have to follow in order to remove all personal data? Will that modified public key still allow me…
dialogik
23 votes, 1 answer

Why exactly is Blowfish faster than AES?

I've not been able to understand exactly the reason behind Blowfish being faster than AES. Is it dependent on the block size? Or is it processor dependent? (If yes, then let's assume that AES accelerators are not used.) I'd like to know the exact…
Sid
23 votes, 2 answers

What makes SHA-256 secure?

For example, RSA relies on a mathematically hard problem, factoring, while ECDSA or similar rely on discrete logarithm problem. What makes SHA-256 and similar hash functions, of the same family, secure against pre-image and collision attacks? What's…
rapadura
23 votes, 3 answers

Are there any practical implementation of a homomorphic hashing or signature scheme?

A homomorphic hash function is a function $H : A \to B$ between two sets with some algebraic structure $(A, *)$ and $(B, \star)$ such that $H$ is collision resistant, i.e. it is hard to find $x \neq y$ such that $H(x) = H(y)$ and $H$ is a…
sashank
23 votes, 1 answer

From hash to Cryptographic hash

After reading some excellent papers on SipHash, I understood that good non-cryptographic hashes such as MurmurHash and CityHash are not secure for MAC usage, due to a certain type of DDoS attack becoming possible, thanks to a combination of…
Cyan
23 votes, 2 answers

What is the most practical fully homomorphic cryptosystem?

Craig Gentry recently gave the first fully homomorphic cryptosystem. Quite a bit of work has been done since extending his work. It seems, however, that no system is practical for real world use. What are the current roadblocks making FHE…
mikeazo
23 votes, 1 answer

Distinguishing x25519 public keys from random?

I recently read a piece of protocol that avoided sending ephemeral x25519 keys in the clear as an effort to foil deep-packet inspection. I understand that x25519 public keys are effectively 255 bits, which must be serialized as 256 bits, leaving one…
Jonas
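An added example (not from the question or its answers) of the distinguisher the excerpt alludes to: a pure-Python X25519 following RFC 7748, plus a check a deep-packet-inspection box could run. A canonical X25519 public key is a field element below p = 2^255 - 19, so bit 255 of its 32-byte little-endian encoding is always 0, while a uniformly random 32-byte string has that bit set about half the time. The distinguisher and survey functions are written for this example; the seeded PRNG stands in for real key generation so the run is reproducible, and the RFC 7748 vectors check the ladder.

```python
import random

P = 2 ** 255 - 19
A24 = 121665                          # (486662 - 2) / 4, the Montgomery constant from RFC 7748
BASE_U = (9).to_bytes(32, "little")   # u-coordinate of the base point


def _clamp(k):
    """RFC 7748 scalar decoding: clear 3 low bits, clear bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u):
    u = bytearray(u)
    u[31] &= 127                      # RFC 7748: the top bit of a received u-coordinate is ignored
    return int.from_bytes(u, "little")


def _cswap(swap, x, y):
    # Not constant-time: adequate for an offline demonstration, not for production use.
    return (y, x) if swap else (x, y)


def x25519(k_bytes, u_bytes):
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte little-endian u of k*u."""
    k, x1 = _clamp(k_bytes), _decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key):
    return x25519(private_key, BASE_U)


def looks_like_x25519_key(blob):
    """DPI-style check (written for this example): a canonical public key is an integer below p,
    so bit 7 of byte 31 is clear and the value is < p. Random bytes fail this about half the time."""
    return blob[31] >> 7 == 0 and int.from_bytes(blob, "little") < P


def _rand32(rng):
    return bytes(rng.getrandbits(8) for _ in range(32))


def survey(n=32, seed=7):
    """Return (public keys flagged as X25519, random blobs flagged as X25519), n of each.
    Seeded so the result is reproducible; real keys would be generated from os.urandom."""
    rng = random.Random(seed)
    keys = sum(looks_like_x25519_key(public_key(_rand32(rng))) for _ in range(n))
    blobs = sum(looks_like_x25519_key(_rand32(rng)) for _ in range(n))
    return keys, blobs
```

Every public key passes the check and roughly half of the random blobs fail it, so an observer who sees many handshakes can tell a stream of raw X25519 keys from random padding with high confidence. That one bit is why protocols that want indistinguishability from random either randomize the top bit or use an encoding designed for the purpose.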
23 votes, 1 answer

How to break an arbitrary XOR and Rotation based encryption?

I heard encryption based purely on XOR and Rotation is inherently weak. The paper Rotational Cryptanalysis of ARX says: It is also easy to prove that omitting addition or rotation is devastating, and such systems (XR and AX) can always be…
Penghe Geng
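An added example (not the question's or the cited paper's code) of why the quoted claim holds in the XR case. A constructed toy cipher built only from XOR and rotations is linear over GF(2), so E_K(P) = E_0(P) XOR E_K(0) for every plaintext: the key's entire effect is one constant, and a single known plaintext/ciphertext pair lets the attacker decrypt and forge arbitrary blocks without ever recovering K. The rotation amounts, key and messages are constructed for the example.

```python
MASK32 = 0xFFFFFFFF
ROTS = (7, 13, 3, 19, 11, 29)        # constructed per-round rotation amounts
N_KEYS = len(ROTS) + 1               # one round key per rotation plus a final whitening key
DEMO_KEY = (0x1F2E3D4C, 0x9A8B7C6D, 0x00FF00FF, 0xDEADC0DE,
            0x13579BDF, 0x2468ACE0, 0x0BADF00D)   # constructed; unknown to the attacker
ZERO_KEY = (0,) * N_KEYS


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def xr_encrypt(p, key):
    """Toy 32-bit XR cipher: each round XORs a round key, then rotates; a final key is XORed.
    With no modular addition, every step is GF(2)-linear, so the whole cipher is."""
    s = p
    for rk, r in zip(key, ROTS):
        s = rotl(s ^ rk, r)
    return s ^ key[-1]


def xr_decrypt(c, key):
    """Legitimate decryption for a holder of the key."""
    s = c ^ key[-1]
    for rk, r in zip(reversed(key[:-1]), reversed(ROTS)):
        s = rotr(s, r) ^ rk
    return s


def recover_effective_key(p1, c1):
    """Rotation distributes over XOR, so E_K(P) = E_0(P) XOR E_K(0) for all P. The constant
    E_K(0) is therefore C1 XOR E_0(P1), computable from one known pair without K."""
    return c1 ^ xr_encrypt(p1, ZERO_KEY)


def decrypt_without_key(c, effective_key):
    """Strip the key's constant contribution, then undo the public zero-key cipher."""
    return xr_decrypt(c ^ effective_key, ZERO_KEY)


def encrypt_without_key(p, effective_key):
    """Forge a valid ciphertext for any plaintext the same way."""
    return xr_encrypt(p, ZERO_KEY) ^ effective_key


def demo():
    """Attacker observes one pair under DEMO_KEY and then decrypts other blocks.
    Returns True if every recovered plaintext matches."""
    p1 = 0x48656C6C                                  # constructed known plaintext ("Hell")
    eff = recover_effective_key(p1, xr_encrypt(p1, DEMO_KEY))
    targets = [0x6F20776F, 0x726C6421, 0x00000000, 0xFFFFFFFF]
    return all(decrypt_without_key(xr_encrypt(p, DEMO_KEY), eff) == p for p in targets)
```

Adding more rounds, more key words or other rotation amounts changes nothing: the attacker never inverts the key schedule, only the public zero-key transformation. Modular addition is what breaks this linearity, which is why ARX designs keep it.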