Questions tagged [cryptanalysis]

Analysis of individual security aspects of a cipher or algorithm, not the security of a cipher or algorithm in general (which would lean towards “algorithm-design”).

Cryptanalysis is the analysis of cryptographic algorithms with the aim of finding weaknesses, which allow attackers to "break" them. For ciphers, the aim is to get the key or plaintext, for hashes it is to find collisions or preimages, for signatures/MACs it is to create forgeries. Methods include differential, linear and algebraic cryptanalysis.

Use this tag for Q&As related to the analysis of individual security aspects of a cipher or algorithm, not the security of a cipher or algorithm in general (which would lean towards “algorithm-design”).

1638 questions
133 votes, 7 answers

Are there two known strings which have the same MD5 hash value?

Is there an example of two known strings which have the same MD5 hash value (representing a so-called "MD5 collision")?
Adban
124 votes, 7 answers

Taking advantage of one-time pad key reuse?

Suppose Alice wants to send encryptions (under a one-time pad) of $m_1$ and $m_2$ to Bob over a public channel. Alice and Bob have a shared key $k$; however, both messages are the same length as the key $k$. Since Alice is extraordinarily lazy (and…
Elliott
104 votes, 2 answers

What is the new attack on SHA-1 "SHAttered" and how does it work?

There's a new recent attack on SHA-1 named "SHAttered" by Google and some researchers. I understand that it uses some fancy new techniques, but not the details. My question is: How? How does the attack work (on a high level)? How does it compare to…
SEJPM
91 votes, 5 answers

Is AES-256 weaker than 192 and 128 bit versions?

From a paper via Schneier on Security's Another AES Attack (emphasis mine): In the case of AES-128, there is no known attack which is faster than the $2^{128}$ complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be…
quantumSoup
79 votes, 3 answers

How does one attack a two-time pad (i.e. one time pad with key reuse)?

My question might appear the same as the question Taking advantage of one-time pad key reuse?, but actually I did read all the answers and none of them helped me with the details I need. I am new to cryptography and my problem is with two time pad…
Samer Makary
68 votes, 4 answers

Why does the FBI ask Apple for help to decrypt an iPhone?

The current debate of the FBI trying to get Apple to assist in decrypting an iPhone made me wonder: Normally, upon turning on an iPhone, everything is decrypted using a 4-digit pin (or actually, a key that is derived from the PIN with a strong KDF,…
RocketNuts
62 votes, 3 answers

Definition of textbook RSA

What is the definition of textbook or "raw" RSA? What are some of the properties of textbook RSA? How does it differ from other schemes based on RSA?
Bobby S
56 votes, 6 answers

Kerckhoffs’ principles – Why should I make my cipher public?

As I understand it, the less people know about the internals of my protocol or cipher, the more secure the protocol is. However Kerckhoffs's principle states that A cryptosystem should be secure even if everything about the system, except the key,…
rath
54 votes, 10 answers

Now that quantum computers have been out for a while, has RSA been cracked?

D-Wave Systems has released a commercially viable quantum computer. This means in theory, that all asymmetric encryption algorithms — such as RSA — are now useless due to the speed at which quantum computers can factor. Has RSA been cracked yet? If…
bbosak
48 votes, 4 answers

Security strength of RSA in relation with the modulus size

NIST SP 800-57 §5.6.1 p.62–64 specifies a correspondence between RSA modulus size $n$ and expected security strength $s$ in bits:

  Strength   RSA modulus size
  80         1024
  112        2048
  128        3072
  192        7680
  256        15360

This…
47 votes, 7 answers

How can we reason about the cryptographic capabilities of code-breaking agencies like the NSA or GCHQ?

I have read in Applied Cryptography that the NSA is the largest hardware buyer and the largest mathematician employer in the world. How can we reason about the symmetric ciphers cryptanalysis capabilities of code-breaking agencies like the NSA or…
jokoon
46 votes, 1 answer

What is a "freestart collision"?

In their work on SHA-1 collisions (cf. the EUROCRYPT-2016 paper “Freestart collision on full SHA-1” by Stevens, Karpman, and Peyrin) Stevens et al. show that they are able to generate "freestart collisions" on SHA-1. They say: Even though freestart…
otus
43 votes, 3 answers

Why does nobody use (or break) the Camellia Cipher?

If Camellia is of equivalent security and speed to AES, concerns arise. First of all, assuming the above, why is Camellia so rarely used in practice? Why aren't there any breaks in Camellia? Does that mean that Camellia is currently more secure than…
Chris Smith
38 votes, 3 answers

What are recommended, general strategies to start block-cipher design and/or analysis?

I (and many others for that matter) have always been fascinated by the inner workings of the modern building block of cryptography: block ciphers. Now, the resources on the "black art" of design and analysis of these ciphers are sparse; especially…
SEJPM
34 votes, 1 answer

Proof for the SHA3 claim that 256 bit security is "post-quantum sufficient"?

On page 14 of "Keccak and the SHA-3 Standardization" (February 6, 2013) it says: Instantiation of a sponge function the permutation KECCAK-f 7 permutations: b → {25,50,100,200,400,800,1600} Security-speed trade-offs using the same permutation,…