Most Popular
1500 questions
22
votes
1 answer
What are the roles of the simulator in simulation based proofs
I'm trying to better understand simulation based proofs in the UC model - but the guidelines to construct a simulator confuse me. To my understanding, the simulator is activated in two ways:
Outbound: S simulates the real world adv. A and as such,…
Indcca
- 221
- 1
- 3
22
votes
2 answers
Is (AES-)GCM parallelizable?
I recently faced the issue of random access decryption while AES-GCM was being used. I told this person that the underlying CTR should allow parallelization but I have no idea how authentication comes into play.
Now I know that one of the cool…
SEJPM
- 45,967
- 7
- 99
- 205
22
votes
2 answers
Why should one prefer Salsa20 over ChaCha?
We are all aware of Google's approach to introduce ChaCha/Poly1305 as TLS cipher suite. The rationale seems clear: ChaCha is newer and seems to provide better security (and maybe speed?) gained from the experiences of the design of Salsa20.
But in…
SEJPM
- 45,967
- 7
- 99
- 205
22
votes
4 answers
Cycles in SHA-256
Let's say I start with a particular 256 bit value. Call this $v$. I then hash that value, and get another 256 bit value. Call this $\text{SHA256}(v)$. I take this value and get another 256 bit value. Call this $\text{SHA256}^2(v)$. More generally,…
bnsh
- 323
- 2
- 7
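Added example, not part of the question above: iterating SHA-256 from a starting value does eventually enter a cycle, but for a random map on N points the expected tail-plus-cycle length is about sqrt(pi*N/2), which for N = 2^256 is around 2^128 steps, so the cycle of full SHA-256 will never be observed. Truncating the digest to 3 bytes (an assumption made here purely for the demo, N = 2^24) makes the rho structure small enough to find with Floyd's cycle-finding algorithm, which needs only constant memory.

```python
"""Iterating a truncated SHA-256 until it cycles (Floyd's rho).

Added example; TRUNC_BYTES and the seed are demo assumptions.
"""
import hashlib
import math

TRUNC_BYTES = 3   # constructed: map on N = 2^24 points instead of 2^256


def f(x: bytes) -> bytes:
    """The iterated map: SHA-256 truncated to TRUNC_BYTES bytes."""
    return hashlib.sha256(x).digest()[:TRUNC_BYTES]


def iterate(x: bytes, n: int) -> bytes:
    """f^n(x)."""
    for _ in range(n):
        x = f(x)
    return x


def find_rho(x0: bytes):
    """Floyd's algorithm.  Returns (mu, lam) with f^mu(x0) == f^(mu+lam)(x0),
    mu the length of the tail before the cycle and lam the cycle length."""
    # Phase 1: tortoise moves 1 step, hare 2 steps, until they meet in the cycle.
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    # Phase 2: restart the tortoise at x0; they now meet at the cycle entry.
    mu, tortoise = 0, x0
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    # Phase 3: walk once around the cycle to measure its length.
    lam, hare = 1, f(tortoise)
    while tortoise != hare:
        hare = f(hare)
        lam += 1
    return mu, lam


def expected_rho_length(bits: int) -> float:
    """Expected tail + cycle length of a random map on 2^bits points."""
    return math.sqrt(math.pi * 2 ** bits / 2)


if __name__ == "__main__":
    seed = b"\x00\x00\x00"
    mu, lam = find_rho(seed)
    print("tail %d, cycle %d, expected about %.0f" %
          (mu, lam, expected_rho_length(8 * TRUNC_BYTES)))
    print("for full SHA-256: about 2^%.1f steps" %
          math.log2(expected_rho_length(256)))
```

The same code with `TRUNC_BYTES = 32` is the experiment the question asks about; it would simply never terminate.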
22
votes
1 answer
Does collision resistance imply (or not) second-preimage resistance?
I've seen contradictory results. Sometimes hash functions are collision-resistant but not necessarily second-preimage resistant. I've seen this kind of thing in papers from Bart Preneel:
“Security Properties of Domain Extenders for Cryptographic…
Dingo13
- 2,867
- 3
- 27
- 46
22
votes
1 answer
Related-key attacks on AES
According to Wikipedia:
Related-key attacks can break AES-192 and AES-256 with complexities $2^{176}$ and $2^{99.5}$, respectively.
What are the requirements for these attacks (i.e. how many related keys, what should the relationship between the…
Chris Smith
- 1,192
- 1
- 10
- 18
22
votes
4 answers
What is the relation between Discrete Log, Computational Diffie-Hellman and Decisional Diffie-Hellman?
How are the three problems Discrete Logarithm, Computational Diffie-Hellman and Decisional Diffie-Hellman related?
From my understanding, since the Discrete Log (DL) Problem is considered hard, then so is CDH.
And since CDH is considered hard, then…
Bobby S
- 1,943
- 4
- 23
- 30
21
votes
1 answer
Reasons for Chinese SM2 Digital Signature Algorithm
In the IETF RFC draft named "SM2 Digital Signature Algorithm" a signature algorithm is specified. The RFC does however not mention why this signature algorithm has been defined. Nor does it specify what the advantages of this scheme are over ECDSA.…
Maarten Bodewes
- 92,551
- 13
- 161
- 313
21
votes
8 answers
How can I understand whether my C implementation is constant-time or not (i.e. resistant to timing attacks)
I have a code for polynomial multiplication and it is written in C. I heard that whether a particular instruction is "constant time" can vary by architecture and by processor model and there isn't any official documentation for this behavior. How…
esra
- 869
- 10
- 20
21
votes
1 answer
Why choose an authenticated encryption mode instead of a separate MAC?
What are cryptographic reasons to choose an authenticated-encryption mode of operation (such as GCM) over a traditional encryption mode plus an independent MAC, or vice versa?
Assume there is no implementation reason to pick one or the other (crypto…
zwol
- 785
- 4
- 12
21
votes
3 answers
How does one calculate a primitive root for Diffie-Hellman?
In the Diffie-Hellman key exchange, one of the steps involves calculating a primitive root of a prime number $p$. How would one go about doing so, considering that $p$ could be very large?
Is there some sort of algorithm or equation?
yydl
- 699
- 3
- 8
- 15
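Added example, not part of the question above: g is a primitive root mod p exactly when g^((p-1)/q) is not 1 mod p for every prime q dividing p-1, so the hard part is not the search but knowing the factorisation of p-1. That is why Diffie-Hellman parameters use primes of special form, typically safe primes p = 2q+1, where p-1 = 2q is factored by construction. The moduli 23 and 1019 below are small constructed parameters so that a brute-force order check can confirm the result; real groups use 2048-bit or larger p.

```python
"""Finding a primitive root mod p, and the subgroup generator DH actually uses.

Added example; the small primes are demo assumptions.
"""


def prime_factors(n: int) -> list:
    """Distinct prime factors by trial division: fine for toy n,
    hopeless for a 2048-bit p-1 (which is the whole point)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g: int, p: int, factors: list) -> bool:
    """g generates all of Z_p^* iff no proper divisor of p-1 is its order,
    which it suffices to test at (p-1)/q for each prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def find_primitive_root(p: int, factors: list = None) -> int:
    """Smallest primitive root mod the prime p (caller may pass the
    factorisation of p-1 if it is known, as it is for safe primes)."""
    if factors is None:
        factors = prime_factors(p - 1)
    for g in range(2, p):
        if is_primitive_root(g, p, factors):
            return g
    raise ValueError("no primitive root found; is p prime?")


def safe_prime_subgroup_generator(p: int, h: int = 2) -> int:
    """For a safe prime p = 2q+1, h^2 mod p generates the prime-order-q
    subgroup whenever h^2 != 1.  DH wants a generator of a large
    prime-order subgroup rather than a primitive root, so that the
    exchanged values leak no information through small subgroups."""
    g = pow(h, 2, p)
    if g == 1:
        raise ValueError("h must not be 1 or p-1")
    return g


def multiplicative_order(g: int, p: int) -> int:
    """Brute force, only for tiny p: smallest k >= 1 with g^k = 1 mod p."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


if __name__ == "__main__":
    p = 1019                       # safe prime: 1019 = 2*509 + 1
    g = find_primitive_root(p, [2, 509])
    print("primitive root mod %d: %d (order %d)" % (p, g, multiplicative_order(g, p)))
    s = safe_prime_subgroup_generator(p)
    print("subgroup generator: %d (order %d)" % (s, multiplicative_order(s, p)))
```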
21
votes
3 answers
Would the ability to efficiently find Discrete Logs have any impact on the security of RSA?
This answer makes the claim that the Discrete Log problem and RSA are independent from a security perspective.
RSA labs makes a similar statement:
The discrete logarithm problem bears the same relation to these systems as factoring does to the RSA…
Ethan Heilman
- 2,276
- 1
- 20
- 40
21
votes
1 answer
Why is triple-DES using three different keys vulnerable to a meet-in-the-middle-attack?
Among other sources, this Wikipedia entry states that triple-DES using three separate keys $(k_1, k_2, k_3)$ is vulnerable to meet-in-the-middle-attacks, while triple-DES using only two keys $(k_1, k_2, k_1)$ is not.
Why is this attack possible if…
malexmave
- 1,430
- 2
- 14
- 26
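Added example, not part of the question or the Wikipedia entry it cites: the meet-in-the-middle attack on triple encryption with three independent keys. A constructed toy block cipher (8-bit block, 8-bit key: key XOR followed by a fixed S-box) stands in for DES so the attack runs in a second, but the structure is the same. The first two layers are tabulated once for all (k1, k2), then each k3 is tried by undoing one layer and looking up the table, so the work is 2^(2k) + 2^k cipher calls rather than 2^(3k). With DES that is 2^112 + 2^56 instead of 2^168, and 2^112 table entries of memory.

```python
"""Meet-in-the-middle against E_k3(E_k2(E_k1(P))) with independent keys.

Added example; the toy cipher and the known-plaintext pairs are constructed.
"""
import random

# Constructed S-box: a fixed random byte permutation (seeded, so reproducible).
SBOX = random.Random(1).sample(range(256), 256)
SBOX_INV = [0] * 256
for i, v in enumerate(SBOX):
    SBOX_INV[v] = i


def enc(key: int, block: int) -> int:
    """Toy 8-bit cipher: key addition then substitution."""
    return SBOX[block ^ key]


def dec(key: int, block: int) -> int:
    return SBOX_INV[block] ^ key


def triple_enc(k1: int, k2: int, k3: int, block: int) -> int:
    return enc(k3, enc(k2, enc(k1, block)))


def mitm_recover(pairs):
    """Return (candidate (k1, k2, k3) triples, toy-cipher calls used).

    pairs: known (plaintext, ciphertext) pairs under one key triple.
    Several pairs are needed so that a 24-bit key is not matched by
    accident against only 8 bits of ciphertext.
    """
    work = 0
    # Forward pass: tabulate the middle value after two layers for every (k1, k2).
    # For DES this table would have 2^112 entries; here it has 2^16.
    table = {}
    for k1 in range(256):
        for k2 in range(256):
            mid = tuple(enc(k2, enc(k1, p)) for p, _ in pairs)
            work += 2 * len(pairs)
            table.setdefault(mid, []).append((k1, k2))
    # Backward pass: undo the last layer with each k3 and look the result up.
    candidates = []
    for k3 in range(256):
        mid = tuple(dec(k3, c) for _, c in pairs)
        work += len(pairs)
        for k1, k2 in table.get(mid, []):
            candidates.append((k1, k2, k3))
    return candidates, work


if __name__ == "__main__":
    true_key = (17, 200, 99)                       # constructed secret
    plaintexts = [0x00, 0x01, 0x80, 0xFF]          # four known plaintexts
    pairs = [(p, triple_enc(*true_key, p)) for p in plaintexts]
    found, work = mitm_recover(pairs)
    print("candidates:", found)
    print("cipher calls: %d (brute force would need %d)" %
          (work, 3 * len(pairs) * 2 ** 24))
```

The forward table is the cost that does not go away: the attack trades time for memory, which is why three-key 3DES is credited with about 112 bits of security rather than 168.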
21
votes
1 answer
How to attack a "many-time pad" based on what happens when an ASCII space is XORed with a letter?
I've already sent my correct solution to a homework exercise from Dan Boneh's Introduction to Cryptography class on Coursera:
"Let us see what goes wrong when a stream cipher key is used more than once. Below are eleven hex-encoded ciphertexts that…
sunrise
- 321
- 1
- 2
- 5
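Added example, not part of the question and not the Coursera exercise's own data: the "space trick" for a reused stream-cipher key. In ASCII, XORing a letter with a space (0x20) only flips the case bit, so c_i XOR c_j = p_i XOR p_j is itself an ASCII letter exactly when one plaintext byte is a space and the other a letter, and is 0 when both bytes are equal. A ciphertext byte that XORs to a letter or 0 against every other ciphertext at that position is therefore almost certainly a space, which gives the key byte as c XOR 0x20. The key and the six plaintexts (letters and spaces only, all 24 bytes) are constructed here.

```python
"""Recovering a reused stream-cipher ("many-time pad") key from spaces.

Added example; KEY and PLAINTEXTS are constructed for the demo.
"""
import hashlib

# Constructed plaintexts, all 24 bytes, letters and spaces only.
PLAINTEXTS = [
    b"attack the forts at dawn",
    b"never reuse a stream key",
    b"one time pads used twice",
    b"spaces flip the case bit",
    b"meet me behind the barns",
    b"cryptography is not easy",
]
# Constructed key stream, wrongly reused for every message.
KEY = hashlib.sha256(b"constructed demo key, do not reuse").digest()[:24]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


CIPHERTEXTS = [xor_bytes(KEY, p) for p in PLAINTEXTS]


def is_ascii_letter(x: int) -> bool:
    # chr(x).isalpha() would also accept Latin-1 letters >= 0x80; keep it ASCII.
    return 65 <= x <= 90 or 97 <= x <= 122


def recover_key(ciphertexts):
    """Guess the key byte at each position, or None where no space is found.

    A candidate byte is accepted as a space only if its XOR with every other
    ciphertext byte in the column is 0 (equal plaintext bytes) or a letter;
    among accepted candidates the one with the most letter hits wins.
    """
    length = max(len(c) for c in ciphertexts)
    key = [None] * length
    for pos in range(length):
        column = [c[pos] for c in ciphertexts if len(c) > pos]
        best_score, best_byte = 0, None
        for i, cand in enumerate(column):
            score = 0
            for j, other in enumerate(column):
                if i == j:
                    continue
                x = cand ^ other
                if x == 0:                  # same plaintext byte: no information
                    continue
                if not is_ascii_letter(x):  # two different letters: not a space
                    score = -1
                    break
                score += 1                  # space vs letter
            if score > best_score:
                best_score, best_byte = score, cand
        if best_byte is not None:
            key[pos] = best_byte ^ 0x20
    return key


def decrypt_with_guess(ciphertext: bytes, key_guess) -> str:
    """Apply a partial key; '?' marks positions still unknown."""
    out = []
    for i, c in enumerate(ciphertext):
        k = key_guess[i] if i < len(key_guess) else None
        out.append("?" if k is None else chr(c ^ k))
    return "".join(out)


if __name__ == "__main__":
    guess = recover_key(CIPHERTEXTS)
    print("recovered %d of %d key bytes" %
          (sum(g is not None for g in guess), len(guess)))
    for ct in CIPHERTEXTS:
        print(decrypt_with_guess(ct, guess))
```

Positions where no message has a space stay unknown; in the real exercise those are filled in by guessing words from the partially revealed text (a crib) and reading the implied key byte back. Punctuation and digits in real messages create false letter hits, which is what the vote count guards against.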
21
votes
1 answer
Difference between Rijndael 128 / 256 blocksize implementations? (and impact of block size in general)
Can anyone shed some light onto the advantages/disadvantages of using Rijndael with 256-bit block size, as opposed to the 128-bit (AES) implementation? (please note: I'm not referring to key-size here).
These are standard implementations in…
hunter
- 3,965
- 6
- 28
- 42