Most Popular (1500 questions)
20 votes, 2 answers
Why is it insecure to use a randomized IV for CBC-MAC instead of an all-zero IV?
A fixed length CBC-MAC uses an all-zero block as the initialization vector.
Suppose that we used a randomized IV instead, and sent the IV along with the tag.
So if the message $m$ will be $m = b_1 || b_2 || b_3 || ... || b_l$, the MAC will be $(IV,…
Bobby S, 1,943 reputation, badges 4/23/30
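The forgery behind this question, as an added example that is not part of the question or its answers: with a random IV that travels in the clear, an attacker XORs the same difference into the IV and into the first message block, so the value entering the first block-cipher call is unchanged and the tag still verifies. The block cipher is replaced here by a keyed PRF (HMAC-SHA256 truncated to one block) purely as a stand-in for AES, since the attack only uses the forward direction; the key, message blocks and verifier functions are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as with AES-CBC-MAC


def block_fn(key, block):
    """Stand-in for E_K (NOT AES): a keyed PRF truncated to one block.
    The attack below never needs decryption, so any PRF/PRP behaves the same."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, iv, blocks):
    """Raw CBC-MAC over a fixed number of full blocks, chained from iv."""
    state = iv
    for b in blocks:
        state = block_fn(key, xor(state, b))
    return state


def mac_random_iv(key, blocks):
    """The variant from the question: fresh random IV, sent along with the tag."""
    iv = os.urandom(BLOCK)
    return iv, cbc_mac(key, iv, blocks)


def verify_random_iv(key, iv, blocks, tag):
    return hmac.compare_digest(cbc_mac(key, iv, blocks), tag)


def verify_zero_iv(key, blocks, tag):
    """Standard fixed-length CBC-MAC: the IV is the all-zero block, never attacker-chosen."""
    return hmac.compare_digest(cbc_mac(key, bytes(BLOCK), blocks), tag)


def forge(iv, blocks, delta):
    """Attacker step, no key needed: (IV xor delta) xor (m1 xor delta) == IV xor m1,
    so the first block-cipher input, and therefore the whole tag, is unchanged."""
    new_iv = xor(iv, delta)
    new_blocks = [xor(blocks[0], delta)] + blocks[1:]
    return new_iv, new_blocks


def demo():
    key = os.urandom(16)
    msg = [b"transfer 0000100", b"to account 00042"]  # constructed 16-byte blocks
    iv, tag = mac_random_iv(key, msg)
    # Attacker wants the first block to read "transfer 9000100".
    delta = xor(msg[0], b"transfer 9000100")
    iv2, msg2 = forge(iv, msg, delta)
    accepted_random_iv = verify_random_iv(key, iv2, msg2, tag)
    # Same tampering against the zero-IV scheme: there is no IV to absorb delta,
    # so the first block-cipher input changes and the tag no longer matches.
    zero_tag = cbc_mac(key, bytes(BLOCK), msg)
    accepted_zero_iv = verify_zero_iv(key, msg2, zero_tag)
    return msg2, accepted_random_iv, accepted_zero_iv, msg2 != msg


if __name__ == "__main__":
    forged, ok_rand, ok_zero, changed = demo()
    print(forged[0], "accepted with random IV:", ok_rand, "accepted with zero IV:", ok_zero)
```

Sending the IV authenticated (for example by treating it as the first message block) removes the attacker's freedom, which is exactly what the all-zero IV achieves with one block fewer.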
20 votes, 1 answer
Is the inverse of a secure PRP also a secure PRP?
If a block cipher is a secure PRP, is its inverse a secure PRP as well? My intuition says yes but I'm not exactly sure.
On a related note, if a block cipher is a secure sPRP, is its inverse a secure sPRP?
I'm using the terminology "PRP = secure…
orlp, 4,230 reputation, badges 20/29
20 votes, 2 answers
What stops the Multiply-With-Carry RNG from being a Cryptographically Secure PRNG?
Despite the fact that Marsaglia's MWC PRNG (multiply-with-carry random number generator) is considered to be "the mother of all RNGs", it does not seem to be considered to be a CSPRNG (cryptographically secure pseudo-random number generator) even…
e-sushi, 17,891 reputation, badges 12/83/229
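Why MWC cannot be a CSPRNG, shown as an added example that is not from the question or its answers: the output of a lag-1 multiply-with-carry generator is its state variable x itself, and because the carry c is always smaller than the multiplier a (which is smaller than the base b), two consecutive outputs pin down the carry exactly: c_prev = (x_cur - a*x_prev) mod b. From there every future output is predictable. The 16-bit parameters below (a = 36969, b = 2^16, the multiplier of Marsaglia's KISS "znew") and the seed are chosen for the demo; the recovery is identical for the 32-bit generator.

```python
A = 36969      # multiplier, assumed public as the generator's constant
B = 1 << 16    # base: state is (x, c) with 0 <= x < B and 0 <= c < A


def mwc_step(x, c):
    """One MWC step: x_n = (a*x_{n-1} + c_{n-1}) mod b, c_n = floor(.../b)."""
    t = A * x + c
    return t % B, t // B


def mwc_stream(x, c, n):
    """Emit n outputs (the x values) from state (x, c)."""
    out = []
    for _ in range(n):
        x, c = mwc_step(x, c)
        out.append(x)
    return out


def recover_state(x_prev, x_cur):
    """Attacker: from two consecutive outputs recover the full state after x_cur.
    x_cur == A*x_prev + c_prev (mod B) and 0 <= c_prev < A < B, so the residue
    (x_cur - A*x_prev) mod B is c_prev itself, not merely congruent to it."""
    c_prev = (x_cur - A * x_prev) % B
    c_cur = (A * x_prev + c_prev) // B
    return x_cur, c_cur


def predict(x_prev, x_cur, n):
    """Predict the n outputs that follow x_cur, using only the two observed outputs."""
    x, c = recover_state(x_prev, x_cur)
    return mwc_stream(x, c, n)


def demo():
    seed_x, seed_c = 12345, 678            # constructed secret seed
    observed = mwc_stream(seed_x, seed_c, 12)
    predicted = predict(observed[0], observed[1], 10)
    return observed, predicted


if __name__ == "__main__":
    observed, predicted = demo()
    print("observed :", observed[2:])
    print("predicted:", predicted)
```

Good statistical behaviour and a long period say nothing about unpredictability; a CSPRNG must withstand exactly this kind of state recovery from its own output.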
19 votes, 2 answers
Does AES have any fixed-points?
Is there any pair of 128-bit strings M and K such that AES$_K$(M) = M?
If yes, how do I go about (efficiently) finding such a pair?
Fixee, 4,158 reputation, badges 2/25/39
19 votes, 1 answer
Why is the Pedersen commitment computationally binding?
This is how the Pedersen commitment seems to work:
Let $p$ and $q$ be large primes such that $q \mid (p-1)$, let $g$ be a generator of the order-$q$ subgroup of $Z_p^{\star}$. Let $a$ be a random secret from $Z_q$, and $h=g^a \bmod p$.
The values…
LRM, 1,356 reputation, badges 10/24
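The binding argument carried through in code, as an added example that is not from the question or its answer: a Pedersen commitment $C = g^m h^r$ with $h = g^a$ is binding only computationally because anyone who knows $a$ can open $C$ to a second message, and conversely any two distinct openings of one $C$ reveal $a = (m_1 - m_2)/(r_2 - r_1) \bmod q$. The parameters $p = 2039$, $q = 1019$ and the trapdoor, messages and randomness are toy values constructed for the demo; real deployments use group sizes where the discrete logarithm is infeasible.

```python
P = 2039                       # toy prime p with q | (p - 1)
Q = 1019                       # prime q = (p - 1) / 2
G = pow(2, (P - 1) // Q, P)    # generator of the order-q subgroup of Z_p^*


def commit(m, r, h):
    """Pedersen commitment C = g^m * h^r mod p."""
    return (pow(G, m, P) * pow(h, r, P)) % P


def open_ok(c, m, r, h):
    return commit(m, r, h) == c


def equivocate(m, r, a, m2):
    """Trapdoor opening: whoever knows a = log_g(h) turns an opening (m, r) into
    an opening (m2, r2) of the same C, since g^m h^r = g^m2 h^r2 iff
    m + a*r == m2 + a*r2 (mod q)."""
    return (r + (m - m2) * pow(a, -1, Q)) % Q


def extract_dlog(m1, r1, m2, r2):
    """Reduction: two openings of one commitment with m1 != m2 give
    a = (m1 - m2) / (r2 - r1) mod q, i.e. breaking binding solves the DLP of h."""
    return ((m1 - m2) * pow((r2 - r1) % Q, -1, Q)) % Q


def demo():
    a = 321                    # trapdoor, known only to whoever generated h
    h = pow(G, a, P)
    m, r = 42, 100             # honest opening
    c = commit(m, r, h)
    m2 = 7
    r2 = equivocate(m, r, a, m2)   # cheating opening to a different message
    return open_ok(c, m, r, h), open_ok(c, m2, r2, h), extract_dlog(m, r, m2, r2) == a


if __name__ == "__main__":
    print(demo())
```

This is why $h$ must be generated so that nobody knows its discrete logarithm (for example by hashing to the group); the commitment stays perfectly hiding regardless, since $h^r$ is uniform in the subgroup for random $r$.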
19 votes, 5 answers
AES GCM : is it acceptable to return the wrong plaintext if the tag is incorrect?
Let's start by saying I'm no cryptography expert, I'm just a developer, so feel free to correct me (using words, not downvotes) if what I'm saying is non-sense.
Context: I'm doing some crypto as a service for embedded devices. Users of this service…
ShellCode, 293 reputation, badges 2/7
19 votes, 2 answers
Difference between X25519 vs. Ed25519
I am reading https://en.wikipedia.org/wiki/Curve25519 and it states
Also in 2018, RFC 8446 was published as the new Transport Layer Security v1.3 standard. It requires mandatory support for X25519, Ed25519, X448, and Ed448 algorithms.[24]
I…
ams, 631 reputation, badges 1/6/14
19 votes, 5 answers
RSA leak bits to factor N
Suppose you randomly generate large primes p and q as in RSA, and then tell me N=pq but not p or q.
Then, you would like to actually let me factor N, except you should tell me as few bits of information as possible. Say p and q are 4096 bits, then…
javic, 293 reputation, badges 2/5
19 votes, 4 answers
Why are RSA key sizes almost always a power of two?
I know that other bit sizes are possible, e.g. this HTTPS server seems to have a 9000 bit key https://www.ssllabs.com/ssltest/analyze.html?d=qqq.gg, but it's very rare that one sees a key not of size 1024, 2048, 4096, etc. bits in common usage -…
Gregory Catchpole, 191 reputation, badges 1/3
19 votes, 1 answer
What systems of robust steganography are out there?
By robust, I mean resistant to common image transforms (reversal, crop a non-multiple of 8 pixels off and recompress, blur, solarize to 64 levels, then interpolate, and sharpen, change compression levels, optimize for download, scale...
Suppose…
Sherwood Botsford, 301 reputation, badges 1/6
19 votes, 4 answers
Are encryption algorithms with fixed-point free permutations inherently flawed?
Flaw in Enigma
One of the Enigma machine's flaws was the derangement (fixed-point free permutation) of the produced ciphertext, or simply put: no plaintext letter can be enciphered to itself. See this example from Wikipedia of how this text (in…
AleksanderCH, 6,435 reputation, badges 10/29/62
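How the derangement is exploited in practice, as an added example that is not from the question or its answers: if a known plaintext fragment (a crib) is suspected somewhere in a message, every offset at which any crib letter lines up with the identical ciphertext letter is impossible, because Enigma never maps a letter to itself. The ciphertext and crib below are constructed for the demo (not real Enigma traffic); the elimination logic is the standard crib-placement test, and the second function estimates how many wrong placements a crib of a given length rules out when the ciphertext letters are modelled as uniform.

```python
def crib_positions(ciphertext, crib):
    """Offsets where the crib can still sit. An offset is discarded as soon as
    one crib letter coincides with the ciphertext letter under it: a cipher
    with a fixed-point-free permutation can never produce that coincidence."""
    candidates = []
    for off in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[off:off + len(crib)]
        if all(c != p for c, p in zip(window, crib)):
            candidates.append(off)
    return candidates


def elimination_rate(crib_len, alphabet=26):
    """Fraction of wrong placements a crib of length L rules out, assuming each
    ciphertext letter is uniform: 1 - (25/26)^L. A cipher that allows fixed
    points gives the analyst no such test, since coincidences prove nothing."""
    return 1.0 - ((alphabet - 1) / alphabet) ** crib_len


def demo():
    ciphertext = "KTXBACTQZATQ"   # constructed, not real Enigma output
    crib = "ATTACK"               # suspected plaintext fragment
    return crib_positions(ciphertext, crib)


if __name__ == "__main__":
    print("possible crib offsets:", demo())
    print("13-letter crib rules out about %.0f%% of wrong offsets" % (100 * elimination_rate(13)))
```

Once the surviving offsets are known, the letter pairs at a candidate offset feed the bombe menu; the derangement is thus not only a statistical bias but a hard constraint that prunes the search before any key material is guessed.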
19 votes, 2 answers
Can neural cryptanalysis be applied to AES?
In this Wikipedia article about Neural cryptography (section applications) it states:
In 1995, Sebastien Dourlens applied neural networks to cryptanalyze DES by allowing the networks to learn how to invert the S-tables of the DES. The bias in DES…
AleksanderCH, 6,435 reputation, badges 10/29/62
19 votes, 9 answers
Is one-time pad encryption vulnerable when near identical data is sent many times with different OTP?
Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.
Of course nothing can…
Dreamspace President, 331 reputation, badges 2/9
19 votes, 1 answer
If a single bit was known through all states in AES, which would cause the most information to leak?
This question is motivated by some bad Verilog. Due to someone being sloppy with port assignments and an output statement, I have an AES core that has a single bit from an S-Box in the key schedule tied to a pin. This was caught in my audit of the…
b degnan, 4,810 reputation, badges 1/24/48
19 votes, 5 answers
Why does the recommended key size between symmetric and asymmetric encryption differ greatly?
In various articles it is mentioned that for secure communications, the recommended key sizes are 128-bit key size for symmetric encryption (which makes it $2^{128}$ possible keys?) and 2048-bit key size for asymmetric encryption ($2^{2048}$…
Bailala, 191 reputation, badges 1/1/3