17 votes, 2 answers
Is there a contingency plan in the event of a catastrophic attack on AES?
NIST selected Rijndael in 2000 to be AES. In a paper from the Serpent authors, they mention that there was the possibility of choosing a second cipher as a backup in the case of any severe breaks:
I believe that there should be only one standard.…
forest
- 15,253
- 2
- 48
- 103
17 votes, 1 answer
Bit Flipping Attack on CBC Mode
To perform a bit flipping attack, the previous block is modified by using XOR. This results in an altered plaintext. However, now the ciphertext of the previous block is altered, hence it will result in an invalid format. Am I correct or am I…
CXB
- 311
- 1
- 2
- 4
17 votes, 2 answers
How did || come to be used in crypto texts to represent concatenation?
In RFC5647, NIST SP 800-38D, etc., || is used to denote concatenation. How did that come to be?
In most programming languages || represents "or" and + denotes concatenation and the fact that crypto texts just kind of mixed it up seems to make for an…
neubert
- 2,927
- 1
- 28
- 54
17 votes, 2 answers
Why are the constants so simple in Keccak?
Keccak, the construction selected for SHA-3, is very interesting. It seems unlike other primitives and has chosen very simple constants. (Keccak talk PDF)
The initial values of the state in Keccak are all zero; why?
The round constants have just a few…
u0b34a0f6ae
- 273
- 2
- 6
17 votes, 4 answers
Why doesn't steganography increase the size of an uncompressed image?
So I have this question. I downloaded a .BMP off Google due to .BMPs not being compressed. Just a 1024x768 .BMP image whose size is 2.25Mb. I put the image in a steganography application, inserted hidden text within it, encrypted and…
Matthew Goodlip
- 199
- 1
- 3
- 5
17 votes, 5 answers
Is a PRG more costly than AES or any other encryption standard?
I know that there are many encryption standards that take a key and sometimes an IV to produce a cipher-text (the most prominent one is AES). These standards usually involve many rounds of addition and multiplication. However, using an OTP is much…
Ninja Bug
- 319
- 2
- 7
17 votes, 2 answers
Why is Approximate GCD a hard problem?
There are many Fully Homomorphic Encryption over the Integers schemes whose security is based on the intractability of the Approximate GCD (AGCD) problem.
The paper Algorithms for the Approximate Common Divisor Problem surveys several lattice…
robertkin
- 428
- 2
- 11
17 votes, 1 answer
Why would anyone choose 3DES over AES in software?
I'm well aware of what NIST and PCI say about the usage of 3DES and its deprecation/disallowance, and I also know that AES is the actual recommended standard for software and hardware encryption.
I'm seeing many companies still choosing 3DES when…
franpen
- 273
- 3
- 5
17 votes, 3 answers
After Google's collision attack, is RSA-SHA1 signature still safe?
Google succeeded in getting a collision in SHA-1 last year in an attack called SHAttered. Does this fact make certificates based on RSA-SHA1 signatures risky with respect to creating fraudulent certificates?
If RSA-SHA1 signature is still safe, why is that (because the…
adi
- 175
- 1
- 1
- 7
17 votes, 3 answers
What does the special form of the base point of secp256k1 allow?
The popular ECC parameters secp256k1 are documented in SEC2 as using curve $y^2\equiv x^3+a\cdot x+b\pmod p$ with $a=0$, $b=7$, $p=2^{256}-2^{32}-\mathtt{3d1_h}$, base point $G$ with the apparently haphazard $(x,y)$ coordinates…
fgrieu
- 140,762
- 12
- 307
- 587
17 votes, 2 answers
Does the elliptic curve (EC) cryptosystem outperform RSA and DL cryptosystems?
Throughout the literature, it is stated that EC cryptosystems outperform RSA and Discrete logarithm cryptosystems, but I cannot understand how ECC would be more efficient than RSA and DL in terms of computation and storage.
Is there any pragmatic…
user4665
- 245
- 3
- 6
17 votes, 2 answers
Why is h(m||k) insecure?
Here is the post that explains the failure for doing h(k||m) and I understand it.
But I don't understand how h(m||k) is subject to a collision attack, or birthday attack. Please explain.
CppLearner
- 333
- 3
- 8
17 votes, 5 answers
Creating a small number from a random octet string
I'm trying to figure out the best way to generate a cryptographically secure random number between 0 and 200 (inclusive) from a cryptographically secure random string of bytes (i.e. read from /dev/urandom or some such).
I could do random[0] % 201 but…
neubert
- 2,927
- 1
- 28
- 54
17 votes, 2 answers
Do identical strings always have the same SHA-256 value?
If you hash a string using SHA-256 on your computer, and I hash the same string using SHA-256 on my computer, will we generate the same value? Does the algorithm depend on a seed (so we'd both need the same seed) or some other such parameter?
edit:…
conor
- 289
- 1
- 2
- 7
17 votes, 2 answers
Password hash that can be upgraded without plaintext password
Most password hashes have a cost parameter that indicates how long the algorithm should take. Is there an algorithm where you can increase that cost for a particular hash, without access to the plaintext password?
So I have existing hashes in the…
Sjoerd
- 661
- 5
- 16