Most Popular
1500 questions
12 votes, 8 answers
Cracking RSA (or other algorithms) manually by a savant
RSA cryptography strength comes from the hardness (or so we believe) of factoring big numbers. For key lengths over 2048 bits, it is infeasible for current or near-future computers to factor those numbers in a reasonable time.
But what about the…
derjack
12 votes, 1 answer
Number of bit-operations required for information set decoding attacks on code-based cryptosystems?
This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC.
This paper estimates the concrete number of bit operations required to perform the…
Ray Perlner
12 votes, 0 answers
Requirements for security against multi-target attacks, for McEliece and other code-based cryptosystems?
This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC.
For these cryptosystems, it seems that an attacker can use a "decoding one out of many" strategy as…
Ray Perlner
12 votes, 2 answers
Using a Hash as a secure PRNG
I was just looking at some NIST PRNG recommendations, specifically at Hash_DRBG. I read briefly through the algorithm, and even though it is not overly complex, it still seems unnecessary to me. I asked myself how I would implement a…
cooky451
12 votes, 1 answer
How much stronger is RSA-2048 compared to RSA-1024?
How much stronger is RSA-2048 compared to RSA-1024? It is hard to imagine very big numbers. So what would be your way to explain the difference to someone who doesn't know much about cryptography?
user27296
12 votes, 1 answer
Windows 8/Server 2012: Passes FIPS-140-2 despite failing AES-GCM for IV != 96 bits long?
Background
Microsoft certifies Windows 7/8 as well as Server 2008 R2 and 2012 to be FIPS-140-2 compliant. Actually they certify just a small crypto core, bcrypt.dll (the library, which is unrelated to bcrypt, the key derivation function).…
DeepSpace101
12 votes, 2 answers
Why does NIST insist on a post-quantum standardization procedure rather than a post-quantum competition?
I have seen in many papers and even in communications from NIST that the ongoing standardization is a "procedure" or a "process". They carefully refrain from using the term competition like AES. I was wondering what is the reason for this? Is there…
Rick
12 votes, 2 answers
Is Ring-LWE now (2021) broken?
A recent (29 Mar 2021) article "Ring-LWE over two-to-power cyclotomics is not hard" by Hao Chen is available in pre-print here: https://eprint.iacr.org/2021/418
I'm not a cryptographer. Does this article mean that Ring-LWE is unsuitable for…
A. Hersean
12 votes, 2 answers
uniqueness of the RSA public modulus
What is the probability that two separate RSA public moduli are the same? For example, consider a 2048-bit modulus. The number seems to be huge, but the choice for prime factors p and q is much more restrictive: They both should be 1024-bit in…
Naka Wai
12 votes, 3 answers
What are some disadvantages of homomorphic encryption schemes?
I'm doing some self-teaching / research for my own benefit in homomorphic cryptography.
I've studied both additive and multiplicative schemes (Paillier and RSA respectively), but all I can seem to find are the benefits of the schemes.
Are there any…
John Smith
12 votes, 1 answer
What is U2FsdGVkX1?
Using CryptoJS 3.1 I noticed that using 3DES, the encrypted message always starts with
U2FsdGVkX1
Why is the first part of the encryption always the same?
What information does this hold and how does that information become U2FsdGVkX1?
Thomas
12 votes, 2 answers
Encryption scheme for social-network-like data sharing data via untrusted server?
I am thinking quite a lot lately about the problem of secure, privacy-preserving social networking. Distributing the network among trusted, preferably self-hosted servers (like Diaspora, GNU Social etc. attempt to do) is obviously not a good solution…
Denis Washington
12 votes, 1 answer
Why is H(message||secret_key) not vulnerable to a length-extension attack?
Given a Merkle-Damgård hash function $H$, I know that an attacker can forge a message protected by a MAC computed as $H(\textrm{secret_key}||\textrm{message})$.
Why can't he perform the same extension attack on a MAC construction…
Peter
12 votes, 1 answer
What is universal composability guaranteeing, specifically? Where does it apply, and where does it not?
I don't have a proper computer science education, so bear with my misunderstandings.
UC is supposed to "guarantee strong security properties". From what I understand, if you have some secure protocol, such as a strong block cipher mode of operation, you…
Expectator
12 votes, 2 answers
Linkable ring signature scheme
I need an implementation of linkable ring signature, a ring signature which allows identifying whether two signatures belong to the same signer. It has important privacy-related applications, like e-voting, but unfortunately there seems to be no…
sor.rge