Most Popular (1500 questions)

14 votes, 2 answers

Can I still use insecure curves/ciphers for time relevant encryption?

Can ciphers that are known to be insecure because their key size is considered too small still be used in appliances that have a tight decryption timeframe? In particular I am looking at ECC2K-130. ecc-challenge.info states that they need 2466…
dmuensterer (reputation 378; badges 1, 8)
14 votes, 1 answer

Meaning of "Security can be reduced to a problem"

I'm studying reductions in cryptography and am confused about the way people use the word "reduction". My question is almost the same as a past question, but what I want to ask is slightly different. A lot of papers or articles (e.g. Wikipedia…
rapier (reputation 141; badges 1, 5)
14 votes, 5 answers

How do I detect a failed AES-256 decryption programmatically?

I have implemented a simple encryption/decryption program based on AES-256 in CBC mode¹. Actually, it is more precise to describe it as a compression+encryption / decryption+decompression program. If one provides the wrong key to the…
kjo (reputation 329; badges 1, 2, 7)
14 votes, 3 answers

Recommended key size for DKIM

What is the recommended key length for DKIM? I'm currently thinking about a 1024-bit key vs. a 2048-bit one. From the crypto point of view for RSA, 2048 or 4096 bits is clearly recommended: no discussion on that point. Having glanced over various…
Lut (reputation 141; badges 1, 1, 3)
14 votes, 2 answers

Is it safe to reuse a ECDSA nonce for two signatures if the public keys are different?

We denote the $s$ value of an ECDSA signature $(r, s)$ on a message $m$ as $s=\frac{H(m)+xr}{k}$. Assume two ECDSA signatures sharing the same nonce, $(r, s_1), (r, s_2)$, on two messages $m_1, m_2$, that verify under two pubkeys $x_1G, x_2G$. If the…
Ethan Heilman (reputation 2,276; badges 1, 20, 40)
14 votes, 3 answers

Converting a stream cipher into a block cipher

The well-known Counter-Mode (CTR) mode of operation for a block cipher essentially converts any block cipher into a stream cipher. Is there a way to do the reverse? In other words, given a "good" stream cipher $G$, can we construct a block cipher…
Fixee (reputation 4,158; badges 2, 25, 39)
14 votes, 1 answer

Curve25519 over Ed25519 for key exchange? Why?

I've been reading up on the Signal Protocol (in this PDF) and it seems to be using Curve25519 for ECDH and EdDSA (with Ed25519) for signatures. My question is why not use only Ed25519? This implementation supports Ed25519 and key exchange so what is…
OughtToPrevail (reputation 344; badges 3, 17)
14 votes, 1 answer

Why is $e=0$ allowed in Schnorr signatures?

In a Schnorr signature (Wikipedia style), we have: $R = kG$, where $0
14 votes, 1 answer

Why is CAMELLIA suddenly so widely used?

When nowadays I point my browser to https sites, the cipher that is on most occasions used is Camellia. My browsers (Chrome and Firefox) seem to prefer it, even when AES is available. Is that not kind of dangerous? Camellia did not receive so much…
MKK (reputation 251; badges 2, 5)
14 votes, 1 answer

WOTS+: Why does it XOR before running data through the hash function?

I'm implementing WOTS+ in a new language and I can't seem to wrap my head around the fact that WOTS+ XORs the input with its mask right before hashing it. I tried to look for any reasoning but so far haven't found any. In my mind I also can't…
peterwilli (reputation 243; badges 1, 5)
14 votes, 2 answers

Why was Davies–Meyer chosen over Miyaguchi–Preneel most of the time?

The only Miyaguchi–Preneel MD hash I know is Whirlpool. I suppose there are likely others. Why do most MD hashes choose Davies–Meyer? If anything, Davies–Meyer relies on related-key resistance while Miyaguchi–Preneel relies on chosen-plaintext…
MikeDav77741 (reputation 173; badges 5)
14 votes, 3 answers

PBKDF2 for key diversification

I am looking for a secure key diversification function to create individual AES keys for a local smart card deployment. The keys need to be derived from a secret master key and the smart card serial number. Key calculation can happen on the host…
ge0rg (reputation 243; badges 2, 7)
14 votes, 5 answers

Hash to prime numbers?

Is there some provably secure hash function to prime numbers? Say, a function $H: \{0, 1\}^* \rightarrow \{e : e \in \{0, 1\}^\lambda \land e \text{ is prime}\}$. I'm asking because there are some constructions to be used only on prime numbers (for example…
oleiba (reputation 377; badges 2, 10)
14 votes, 7 answers

Possibility of Chosen Plaintext Attack (CPA) in real-world scenario?

In CPA, it is said that the adversaries get ciphertext for the choice of plaintext of adversaries through an encryption oracle. Is this a realistic assumption in the real world, in which the adversaries get ciphertext for the choice of their plaintexts?…
Siva Kumar (reputation 299; badges 2, 5)
14 votes, 1 answer

Is lattice-based cryptography practical?

How viable is lattice-based cryptography in a "practical" setting? It has been said that lattice-based cryptography would be a "post-quantum" cryptography scheme, but is it feasibly implementable?
Steven Sagona (reputation 313; badges 1, 12)