Most Popular
1500 questions
13
votes
3 answers
Does NTRU decrypt correctly now?
The NTRU public-key cryptosystem has a lot of interesting properties (being resistant to quantum computer attacks, being standardized by several important bodies), but it also has a pretty unique property:
The decryption algorithm does not always…
Jack Schmidt
- 294
- 1
- 9
13
votes
1 answer
How much do we trust KEA1 Assumption?
Let $(g, h = g^s, q)$ be a tuple such that $g$ is a generator for a group $\mathbb{G}$ of ord $q$ and $s$ is uniformly random in $\mathbb{Z}_q$.
The knowledge of exponent (KEA1) assumption says that for any adversary $\mathcal{A}(g,h,q)$ that outputs…
AntonioFa
- 448
- 4
- 8
13
votes
1 answer
Proving multiple products "in the exponent"
I'm trying to come up with a small-sized (non-interactive) proof for a Diffie-Hellman-like statement.
I'll start by giving an example.
The prover has $g^a, g^b, g^c, g^{ac}, g^{ab}, g^{bc}, g^{abc}$.
The verifier only has $g^a, g^b$ and…
Alin Tomescu
- 1,003
- 10
- 30
13
votes
7 answers
Any efficient text-based steganographic schemes?
Sophisticated and efficient steganographic schemes with images as cover are available. However, I wonder: are there any that use texts as cover instead?
If one could only transfer a few printable natural language texts due to constraints, using…
Mok-Kong Shen
- 1,312
- 1
- 11
- 15
13
votes
1 answer
Is Pohlig-Hellman Cipher the only option?
I am looking for a cipher which would allow something like this: E(E(M, a), b) = E(M, ab), where a and b are encryption keys, and ab is a combination of the keys that is impractical to separate into a and b.
So far, the only cipher I could find that…
irakliy
- 969
- 7
- 16
13
votes
1 answer
What is an elliptic curve cofactor?
As the title says, I have some doubts about the term "cofactor" used to describe elliptic curves.
AFAIK, it's a factor of the curve order, but why is it explicitly specified in some parameter lists then?
How does it apply to the curve point addition…
Mark
- 835
- 6
- 24
13
votes
2 answers
Pairing-friendly curves in small characteristic fields
There are several well-known techniques to generate pairing-friendly curves of degrees 1 to 36 on prime fields GF(p): Cocks-Pinch, MNT, Brezing-Weng, and several others.
In extension fields GF(p^n), however, one is confined to supersingular curves.…
Samuel Neves
- 12,460
- 43
- 52
13
votes
3 answers
Can we prove possession of an AES-256 key without showing it?
Imagine this situation:
Alice has an AES256GCM key $K$, a plaintext $X$, and $Y$ which is the ciphertext of $X$ encrypted by $K$
Bob has $X$ and $Y$
Alice and Bob can communicate with each other
Bob wants to know whether Alice holds the key which…
tock203
- 345
- 2
- 4
13
votes
0 answers
Potential Flaws With Lattice Based Cryptography?
From researching post-quantum cryptographic schemes it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns which could be used to exploit them.) Hash-based…
CoryG
- 559
- 2
- 10
13
votes
3 answers
How to construct a good PRF from a block cipher?
We want to explicitly construct a good (as tentatively defined below) Pseudo-Random Function $F$ with $b$-bit input and output, from (preferably just) one Pseudo-Random Permutation $E$ of $b$-bit, as instantiated in practice by TDEA for $b=64$ or…
fgrieu
- 140,762
- 12
- 307
- 587
13
votes
1 answer
What does Maj and Ch mean in SHA-256 algorithm?
I'm guessing they're some kind of standard function but what do they do and what do the names mean? A little explanation or link me to an article would be great.
alex
- 141
- 1
- 4
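Ch ("choose") and Maj ("majority") are the two bitwise selection functions used in the SHA-256 round: Ch(x, y, z) takes each bit from y where x is 1 and from z where x is 0, and Maj(x, y, z) outputs, per bit, the value that at least two of the three inputs share. The block below is an added example (not from the question or its answers) that writes out SHA-256 from FIPS 180-4 so the two functions are visible in the round, derives the constants from the cube and square roots of the first primes with exact integer arithmetic, and checks the result against hashlib.

```python
"""
SHA-256 per FIPS 180-4 with Ch and Maj spelled out. Added example; the
constants are derived rather than typed in, and the output is checked
against hashlib so the derivation cannot silently go wrong.
"""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF


def rotr(x: int, n: int) -> int:
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK32


def ch(x: int, y: int, z: int) -> int:
    """Ch = choose: for each bit, x selects y (where x is 1) or z (where x is 0)."""
    return ((x & y) ^ (~x & z)) & MASK32


def maj(x: int, y: int, z: int) -> int:
    """Maj = majority: each output bit is the value held by at least two of x, y, z."""
    return (x & y) ^ (x & z) ^ (y & z)


def _icbrt(n: int) -> int:
    """Exact floor cube root by binary search (no float rounding)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def _first_primes(count: int) -> list:
    primes, p = [], 2
    while len(primes) < count:
        if all(p % q for q in primes if q * q <= p):
            primes.append(p)
        p += 1
    return primes


_PRIMES = _first_primes(64)
# K[t]: first 32 bits of the fractional part of cbrt(prime_t); cbrt(p * 2^96) = cbrt(p) * 2^32.
K = [_icbrt(p << 96) & MASK32 for p in _PRIMES]
# H0: first 32 bits of the fractional part of sqrt of the first 8 primes.
H0 = [math.isqrt(p << 64) & MASK32 for p in _PRIMES[:8]]


def sha256(message: bytes) -> bytes:
    """Full SHA-256 digest of message."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)   # bit length, big-endian

    h = list(H0)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 64):                     # message schedule
            s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK32)

        a, b, c, d, e, f, g, hh = h
        for t in range(64):                         # compression rounds
            S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            T1 = (hh + S1 + ch(e, f, g) + K[t] + w[t]) & MASK32   # Ch on e, f, g
            S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            T2 = (S0 + maj(a, b, c)) & MASK32                     # Maj on a, b, c
            hh, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK32, c, b, a, (T1 + T2) & MASK32
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)


def matches_hashlib(messages=(b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 1000)) -> bool:
    """Cross-check against the standard library on inputs that straddle padding boundaries."""
    return all(sha256(m) == hashlib.sha256(m).digest() for m in messages)


if __name__ == "__main__":
    print(sha256(b"abc").hex())
    print("matches hashlib:", matches_hashlib())
```

The names are the whole story: Ch is a per-bit multiplexer driven by e, and Maj is a per-bit majority vote over a, b and c. Both are balanced, non-linear Boolean functions, which is why they appear in the round alongside the linear rotations.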
13
votes
1 answer
Explanation of the Decision Diffie Hellman (DDH) problem.
I'm extremely new to crypto, and very much inexperienced. Lately I've been reading about the Diffie-Hellman key-exchange methods, and specifically about the computational diffie-hellman assumption vs. decision diffie-hellman assumption. Specifically…
Nico Bellic
- 525
- 2
- 5
- 8
13
votes
3 answers
Is RSA-OAEP deprecated?
I need asymmetric pub/private keypair encryption in JavaScript. Web browsers support RSA-OAEP, which works exactly as I need. But there is a table which lists supported algorithms for web crypto at https://diafygi.github.io/webcrypto-examples/ ...…
Tomas M
- 239
- 1
- 2
- 6
13
votes
1 answer
Can I use signature(hash(message)) instead of signature(message)?
Background:
We use the TweetNaCl crypto library by Bernstein (tweetnacl.cr.yp.to) et al and we would like to stick to it. However, we have the need to sign large messages and the library does not explicitly support signing something that does not…
Frans Lundberg
- 375
- 1
- 7
13
votes
2 answers
Can any block cipher in CTR mode be used as a CSPRNG?
I have been learning about block ciphers, modes of operations, and csprngs by myself for a few days and there are some things I'm unsure about.
Assuming we only talk about cryptographically secure block ciphers; can any block cipher in CTR mode be…
Qøtēx
- 135
- 9