Most Popular
1500 questions
19 votes, 0 answers
What's the difference between a Key Derivation Function and a Password-Hash?
It seems to me that anything that was sufficiently good as a KDF would work just fine as a password hash, though the reverse might not be true. Are there considerations specific to password-hashing that don't apply to KDFs?
To clarify: This is…
Jason
19 votes, 1 answer
Message-Recovery variant of Ed25519 signature?
What would be a Message-Recovery variant of the Ed25519 signature scheme?
Ed25519-MR should be simple to use, fast, with a strong security argument, and striving to stay out of the patent minefield, as the original does.
[Ed25519] is a signature…
fgrieu
19 votes, 3 answers
What's a cryptographic primitive, really?
The more I encounter the term "cryptographic primitive," the less I feel confident that I truly understand what it means. Is it just me, or is there no universal definition for the term? Or does the term have some contextual sensitivity that I'm…
Luis Casillas
19 votes, 1 answer
Why are elliptic curve variants of RSA "chiefly of academic interest"?
Yesterday I was thinking about elliptic curve variants of popular protocols/algorithms (ECDH, ECES[1], etc.) and the thought occurred that I had never seen an elliptic curve variant of RSA. My understanding of RSA and elliptic curves told me that it…
mikeazo
19 votes, 2 answers
Argon2 output length and parameter storage?
I just started using the libsodium port for .net today and the output length parameter kind of confused me (I'm using the argon2i implementation).
With my limited exposure to hashing, whatever hash algorithm I've used has always returned a constant…
coding4fun
19 votes, 1 answer
Quantum complexity of LWE
As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that solves LWE in polynomial time, it will imply that…
Rick
19 votes, 3 answers
Is Using Digital Signatures to prove identity a zero knowledge proof?
Suppose Alice publishes a book with a public key in it, and later wants to prove that she wrote the book. She could sign challenge messages with her private key, and others could verify those signed messages. Alice is proving she knows a private key…
Scott Driscoll
19 votes, 2 answers
Practical differences between circuits and Turing machines for cryptography
In formal cryptography, we model algorithms (mostly our adversaries) as (Probabilistic) Turing Machines or as Boolean circuits. In our lecture on formal cryptography, we learned that circuits are more powerful than Turing machines, in the sense that…
malexmave
19 votes, 2 answers
Why is Pearson hash not used as a cryptographic hash?
The original algorithm produces a 1-byte-long hash and is (of course) not suitable for cryptographic use.
But according to Wikipedia, it is possible and easy to produce a Pearson hash of any length, simply by incrementing the first byte of the message for…
johnfound
19 votes, 1 answer
How does a birthday attack on a hashing algorithm work?
A "normal", brute-force attack on a cryptographic hashing algorithm $H$ should have a complexity of about $2^{n}$ for a hash algorithm with an output length of $n$ bits.
That means it takes about $2^{n-1}$ tries on average to find a colliding…
lxgr
19 votes, 1 answer
Why do we need Diffie Hellman?
Diffie–Hellman offers secure key exchange only if the sides are authenticated. For authentication, the sides use public/private keys. So if side A knows the public key of side B, then A can simply use that key to encrypt the message (or the new…
piotrek
19 votes, 12 answers
Is it possible to make a time-locked encryption algorithm?
I'm not sure if what I'm asking is even a valid question, but here goes.
Would it be possible to add a mechanism to an encryption algorithm that would mean it had to be a certain time of the day or a certain day of the year for the encryption to be…
bowy tehcTo
19 votes, 2 answers
Use case for extendable-output functions (XOF) such as SHAKE128/SHAKE256
FIPS 202 defines 2 functions, SHAKE128 and SHAKE256, as extendable-output functions (XOFs) that can have variable output length. But Appendix A.2 notes:
it is possible to use an XOF as a hash function by selecting a fixed output length.…
Hauleth
19 votes, 2 answers
lcm versus phi in RSA
In textbook RSA, the Euler $\varphi$ function
$$\varphi(pq) = (p-1)(q-1)$$
is used to define the private exponent $d$. On the other hand, real-world cryptographic specifications require the Carmichael lcm function
$$\lambda(pq) =…
user27950
19 votes, 2 answers
What is "witness encryption"?
I recently skimmed over two papers on time-lock encryption:
“Time-release Protocol from Bitcoin and Witness Encryption for SAT” by Liu, Garcia, and Ryan
“How to Build Time-Lock Encryption” by Jager
To get the data released on a specific point in…
SEJPM