13 votes, 1 answer

How can I convert a DER ECDSA signature to ASN.1?

I am having trouble verifying an ECDSA signature signed using client-side JavaScript with Java/BouncyCastle. The JavaScript signing function source: sign: function (hash, priv) { var d = priv; var n = ecparams.getN(); var e =…
Ben
13 votes, 8 answers

Two mutually untrusted parties want to exchange data: how to ensure each one gets the data it needs?

I am trying to come up with what could maybe be a novel algorithm for an application I am writing. Client A has a file fA. Client B has file fB. Each party is untrustworthy and will try to rip off the other party. Client A wants fB and client B…
Anon21
13 votes, 5 answers

Why is XOR preferred over XNOR?

The XOR operator seems to be a frequently used building block inside many cryptographic primitives. As far as I can see, its most desirable properties seem to be that for the XOR of two bits $a\oplus b=c$: The information is preserved. Either $a$ or…
Frumple
13 votes, 3 answers

Difference between a nonce and IV

I know the generic difference between a nonce and an IV. I am specifically looking for a clarification on these terms as used in the "Evaluation of Some Blockcipher Modes of Operation" by Phil Rogaway. In that when describing the block cipher modes…
user220201
13 votes, 1 answer

Why does HMAC use two different keys?

Suppose $H$ is a hash function; why is $$H(k\mathbin\|H(k\mathbin\|m))$$ not secure? See this HMAC definition. In there, indeed two keys are used and the MAC algorithm is $$H(k_1\mathbin\|H(k_2\mathbin\|m)).$$ Why don't we use…
abdolahS
13 votes, 3 answers

One time pad: why is it useless in practice?

The symmetric cryptosystem one-time pad (OTP) seems to be very beautiful since it is perfectly secret according to Shannon. Many books, however, point out the main drawback: one must create a secret key the same length as the plaintext. For this…
Dubious
13 votes, 3 answers

Counter mode secure hash algorithm

Ever since the SHA-3 competition, I've been wondering if it is possible to create a hash algorithm that is easier to parallelize. The current algorithms all seem to require building a tree of hashes. This has, however, rather serious drawbacks: as…
Maarten Bodewes
13 votes, 1 answer

Why do we encrypt-then-mac but sign-then-encrypt?

This question was asked in comments on my answer to Should we MAC-then-encrypt or encrypt-then-MAC? I think posing the question as a separate entity is best, so: The general advice for applying MACs seems to be that we should encrypt first, then…
user46
13 votes, 2 answers

Is it safe to reuse ECDH asymmetric keys for authentication?

Alice, Bob, and Carol each generate ECDH keypairs. Alice and Bob establish a communication channel and negotiate an AliceBob secret. The question is: Is it safe for Alice and/or Bob to reuse their keypairs to negotiate a new AliceCarol and/or…
13 votes, 2 answers

How is HMAC(message,key) more secure than Hash(key1+message+key2)?

I understand how, for hash functions which are vulnerable to length extension attacks (such as SHA1 and SHA2), it is safer to use an HMAC construction. What I don't understand is how or why is…
RocketNuts
13 votes, 1 answer

Entropy when iterating cryptographic hash functions

Consider a cryptographic hash function that maps $n$-bit strings to $n$-bit strings: $$ \DeclareMathOperator{\H}{H} \DeclareMathOperator{\SHA}{SHA-256} \H(x) : \left\{0,1\right\}^{n} \mapsto \left\{0,1\right\}^{n}. $$ Let $\H^i$ denote the result of…
Stephen Touset
13 votes, 5 answers

Reduction from signatures to encryption?

Is it possible to construct an (asymmetric) encryption scheme from a signature scheme? If the signature scheme is deterministic and allows existential forgery (e.g. RSA), then the answer is yes (create a forgery (m, sig); encrypt plaintexts using…
Jus12
13 votes, 3 answers

Using ECDSA keys for encryption

I know that ECDSA is used for signature only, but I wonder if I can use the public/private Elliptic Curve keys for encryption too. I have ECDSA SSH public keys and I wonder if I can use them to encrypt data that only the matching machine could…
jcea
13 votes, 1 answer

Proofs by reduction and times of adversaries

I have some difficulty understanding, when we construct a reduction, how we determine the time for the constructed adversary to break a target security property. In general these details are not explained in books. Do you have some examples in…
Dingo13
13 votes, 2 answers

If attacker knows salt and hash, how is salt effective?

Maybe I'm missing something, but if my salt and hashed/salted password are stored in the same place, how is salting any more secure than just hashing? Does this just rely on attackers not knowing how the salt is incorporated into the hash?
Clint Powell