23 votes, 5 answers
Desirable S-box properties
What desirable properties should an S-box have?
My current standard selection process is to just pick them at random and verify that they fit the following criteria:
The probability that any random two bits $S[a]_b$ and $S[c]_d$ are equal (for any…
Polynomial
23 votes, 2 answers
Is there a feasible method by which NIST ECC curves over prime fields could be intentionally rigged?
The NIST elliptic curves P-192, P-224, P-256, P-384, and P-521, prescribed in FIPS 186-4 appendix D.1.2, are generated according to a well defined process, but using an arbitrary random-looking seed value of 160 bits. For this reason a page of DJB's…
fgrieu
23 votes, 2 answers
Are the SHA family hash outputs practically random?
Say I hashed the output from a random number generator (with nonce), would the resulting SHA256 hash be as random as the inputted number?
And if I used the first 5 hex characters, and then used the first 5 ignoring the very first character and so on…
John T
23 votes, 3 answers
Is using slow password hashing on the client side easier attackable than on the server side?
As we know, one should use a slow password hashing algorithm instead of a fast one for storing passwords, to hinder brute force attacks when the database is compromised. The problem with this is that for every login we also need to run this slow…
Paŭlo Ebermann
23 votes, 2 answers
What is the purpose of four different secrets shared by client and server in SSL/TLS?
I was looking through the working of SSL V3, and found that a connection state is defined by a set of things, including
- client write MAC secret,
- server write MAC secret,
- server write key,
- client write key.
I couldn't find the use of these in the…
user5507
23 votes, 2 answers
RSA least significant bit oracle attack
I have been reading up on RSA attacks and came across one that could be called a least-significant-bit (LSB) oracle attack.
For the sake of clarity, let's define RSA primes $(p, q)$, private key $d$ and the public key $(e, N)$ where $N$ is the…
Pankrates
23 votes, 4 answers
When would one prefer a proof of knowledge instead of a zero-knowledge proof?
I've just realized I find it hard to distinguish between these two terms (proof of knowledge, and zero-knowledge proof), especially where only the latter seems to be used in many cryptographic protocols.
Zero-knowledge proofs are usually defined as…
LRM
23 votes, 2 answers
Why is TLS susceptible to protocol downgrade attacks?
A recent blog post from Ivan Ristić (expert extraordinaire on all things SSL) says:
all major browsers are susceptible to protocol downgrade attacks; an active MITM can simulate failure conditions and force all browsers to back off from attempting…
D.W.
22 votes, 3 answers
Cryptographic Challenge: How to Say Something Confidentially to Snowden?
The Snowden situation raises an interesting cryptographic problem. At present, how can something be sent confidentially to Snowden?
Claim:
I have no particular political orientation. The above question is merely a cryptographic challenge. The meta…
Pigmann
22 votes, 6 answers
advances in usability for cryptography/authentication
I'm wondering if there have been any recent advances (say, the past 5-10 years) in human usability for cryptography and/or authentication?
By that I mean something that makes it easier for an average person to make use of the benefits of…
Jason S
22 votes, 3 answers
Why does key generation take an input $1^k$, and how do I represent it in practice?
In my lecture, the lecturer said:
Let $K$ be the key generation algorithm. Given a security parameter represented in unary, $1^k$, $K(1^k)$ will output a keypair $(pk; sk)$, known as the public key and the private (or secret) key, respectively.…
juaninf
22 votes, 7 answers
What is the difference between a stream cipher and a one-time-pad?
A (synchronous) stream cipher is an algorithm which maps some fixed-length key to an arbitrary-length key-stream (i.e. a sequence of bits): $C : \{0,1\}^k \to \{0,1\}^{\infty}$.
This key-stream is then XOR-ed with the plain text stream, giving the…
Paŭlo Ebermann
22 votes, 5 answers
Is there a bulletproof way to know a file has been successfully decrypted?
I am wondering whether there is a bulletproof way to know if one is successful in decrypting a file.
As an example, say I encrypt a text file and protect it with a 3 letter password. I use brute force to decrypt it, but two different passwords lead…
untreated_paramediensis_karnik
22 votes, 3 answers
How long does it take to crack DES and AES?
Suppose that a single evaluation of a block-cipher (DES or AES) takes 10 operations, and the computer can do $10^{15}$ such operations per second.
How long would it take to recover a DES key, using a brute-force search? How about a 128-bit AES…
huyichen
22 votes, 1 answer
How can one validate with a public key a JWT signature generated with a private key?
As I understand it, a JSON Web Token (JWT) consists of 3 parts:
the header, specifying the hashing algorithm to use for the signature;
the payload itself; and
the signature, which is a hash of the header and the payload using the specified hashing…
Anders Rabo Thorbeck