Questions tagged [protocol-analysis]

Protocol analysis is the detailed analysis of the security of an abstract or concrete cryptographic protocol.

200 questions
74 votes, 3 answers

Signal vs Telegram in terms of protocols?

Some time ago, the question was asked in chat, why MTProto (Telegram's protocol) is supposedly worse than Axolotl (Signal's protocol) as both protocols have been the inventions of their respective companies, thereby "rolling their own crypto", which…
SEJPM
62 votes, 4 answers

Why hash the message before signing it with RSA?

The diagram below illustrates the process of digitally signing a message with RSA: As the diagram shows, the message is first hashed, and the signature is then computed on the hash, rather than on the full message. Why hash the data before signing it?…
evening
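
Added example (not code from the question or any answer on this page): textbook RSA with a fixed toy key, showing the two practical reasons for hash-then-sign. Signing the raw integer loses information once the message is larger than the modulus (m and m+N get the same signature), and raw RSA is multiplicative, so two valid signatures can be combined into a forged third one; the same combination produces nothing useful once a hash sits between message and exponentiation. The key is built from two publicly known Mersenne primes purely to keep the example deterministic and the modulus above 2^256; it is not a usable key and the padding (e.g. PSS) a real scheme adds is left out.

```python
import hashlib

# Toy RSA parameters, constructed for this example only: two publicly known
# Mersenne primes so the modulus is deterministic and larger than 2^256.
# A real key needs random primes of at least 1024 bits each.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_raw(m: int) -> int:
    """Textbook RSA signature directly on the integer m (no hash, no padding)."""
    return pow(m, D, N)


def verify_raw(m: int, sig: int) -> bool:
    # Only m mod N can ever be checked: messages >= N are silently reduced.
    return pow(sig, E, N) == m % N


def sign_hashed(msg: bytes) -> int:
    """Hash-then-sign: exponentiate the SHA-256 digest read as an integer."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, D, N)


def verify_hashed(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, E, N) == h


def forge_product(m1: int, s1: int, m2: int, s2: int):
    """RSA is multiplicative: s1*s2 = (m1*m2)^D mod N.
    Holding two raw signatures is enough to forge one on m1*m2."""
    return (m1 * m2) % N, (s1 * s2) % N


def demo():
    # 1. Forgery against raw signing succeeds.
    m1, m2 = 1234567, 7654321
    s1, s2 = sign_raw(m1), sign_raw(m2)
    m3, s3 = forge_product(m1, s1, m2, s2)
    raw_forgery_ok = verify_raw(m3, s3)

    # 2. The same trick against hash-then-sign: t1*t2 is a valid signature
    #    only for a message whose SHA-256 digest equals h1*h2 mod N, which
    #    the forger cannot produce, so no candidate message verifies.
    msg1, msg2 = b"pay 10 EUR to Bob", b"pay 20 EUR to Carol"
    t1, t2 = sign_hashed(msg1), sign_hashed(msg2)
    t3 = (t1 * t2) % N
    hashed_forgery_ok = any(
        verify_hashed(c, t3) for c in (msg1, msg2, msg1 + msg2)
    )
    return raw_forgery_ok, hashed_forgery_ok


if __name__ == "__main__":
    print("raw forgery verifies:", demo()[0], "| hashed forgery verifies:", demo()[1])
    print("same raw signature for m and m+N:", sign_raw(5) == sign_raw(5 + N))
```

The hash also bounds the signing input to a fixed size, so an arbitrarily long message costs one exponentiation instead of one per modulus-sized chunk.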
59 votes, 2 answers

Is the software that uses PGP broken, or is it PGP itself?

PGP is all over the news (even on TV) and there seems to be a lot of confusion about it. For the time being, people face articles like Attention PGP users: new vulnerabilities require you to take action now which tell readers to deactivate their PGP…
Mike Edward Moras
22 votes, 3 answers

Cryptographic Challenge: How to Say Something Confidentially to Snowden?

The Snowden situation raises an interesting cryptographic problem. At present, how can something be sent confidentially to Snowden? Claim: I have no particular political orientation. The above question is merely a cryptographic challenge. The meta…
19 votes, 2 answers

Simulation-based proofs and universal composability proofs

I recently read Ran Canetti's famous UC paper but I'm still trying to wrap my head around the concepts. I think this answer has me confused a bit, particularly where it says The stand-alone simulation-based definitions give you security under…
17 votes, 0 answers

Has Telegram security been significantly improved with MTProto 2.0?

Telegram messenger's original encryption scheme, MTProto 1.0, has been shunned by most cryptographers for a number of reasons, like being vulnerable to IND-CCA attack; being unorthodox in general, making unusual applications of hashing and key…
15 votes, 1 answer

What is universal composability guaranteeing, specifically? Where does it apply, and where does it not?

I don't have a proper computer science education, so bear with my misunderstandings. UC is supposed to "guarantee strong security properties". From what I stand, if you have some secure protocol, such as a strong block cipher mode of operation, you…
10 votes, 1 answer

Contradiction to the Sequential Self-Composability of Black-Box Zero-Knowledge?

In short: it is well-known that black-box zero-knowledge protocols are sequentially self-composable. However, Goldreich and Krawczyk [GK90] present a protocol which is proven to be zero-knowledge (in a black-box manner to me), but NOT sequentially…
Xiao Liang
10 votes, 3 answers

Using weak hash functions to construct a stream cipher

I am in the awkward position of developing a secure encryption scheme that provides data-at-rest security for a very limited embedded system. The system is only guaranteed to have 4 MiB of memory (some systems have an extra 32 MiB), and they do not…
forest
10 votes, 2 answers

Why do we implement a protocol?

In general, after we design a secure cryptographic protocol and make sure that it is efficient (e.g., through complexity analysis), we implement it. Questions: Do we implement it for proof of concept? Do we implement it to support our claim that…
user153465
9 votes, 1 answer

Why does the WhatsApp protocol require elaborate computation when verifying user keys?

Reading through the WhatsApp protocol (PDF), I am trying to understand why the multiple hashing and other stuff done is required. According to the paper, one can compare the hash of the key material on both ends. The hash (60 bytes) is computed like…
user220201
8 votes, 1 answer

Free Start Collision In SHA-3

Given that the five sub-functions that comprise SHA-3 are reversible an individual can produce specific outputs of their choosing. The following is to my knowledge an example of a free start collision in SHA-3(256). Both initial vectors violate the…
8 votes, 0 answers

Security proof in (Ciphertext-Policy) Attribute-Based Encryption

I am having a hard time understanding the security proof in Attribute-Based Encryption, especially in Ciphertext-Policy Attribute-Based Encryption. To do reduction in CP-ABE scheme, how do I check that the security proof is correct or works. For…
Nyamaa
8 votes, 5 answers

Does frequent key change weaken encryption?

Following scenario: We are using OTR for communication between Alice and Bob which means after each successful message exchange a re-keying happens for both parties leading to new AES keys for the encryption and MAC generation. Let's say Alice and…
Spyro
8 votes, 1 answer

Can RSA be securely used for "blind decryption"?

Assume we have the following setup: A client with trusted storage and computing capabilities (e.g. a smartcard) A server with trusted computing and short-term storage capabilities (e.g. RAM + CPU, possibly with something like Intel SGX). The server…
SEJPM
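
Added example (not code from the question or any answer on this page): the standard RSA blinding trick applied to decryption, and the caveat a practitioner should check before deploying it. The client multiplies the ciphertext by r^E for a random r, the server applies its private exponent without learning the plaintext, and the client divides out r. Because RSA decryption and RSA signing are the same private-key operation, the very same server is also a blind signing oracle for any value the client chooses, so a "decrypt only" key must not double as a signing key. The toy key is built from two publicly known Mersenne primes to keep the example deterministic; it is not a usable key, and no padding scheme is shown.

```python
import hashlib
import math
import secrets

# Toy RSA key, constructed for this example only (publicly known Mersenne
# primes; never use such a key for anything real).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(m: int) -> int:
    """Textbook RSA encryption of an integer m < N."""
    return pow(m, E, N)


def server_private_op(x: int) -> int:
    """Everything the server does: apply the private exponent to whatever it
    receives. It cannot tell a blinded ciphertext from a blinded hash."""
    return pow(x, D, N)


def blind(value: int):
    """Client side: pick r coprime to N and hide value as value * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (value * pow(r, E, N)) % N, r


def unblind(y: int, r: int) -> int:
    """(value * r^E)^D = value^D * r, so dividing by r leaves value^D."""
    return (y * pow(r, -1, N)) % N


def blind_decrypt(c: int) -> int:
    """Recover m from c = m^E without the server ever seeing c or m."""
    c_blinded, r = blind(c)
    return unblind(server_private_op(c_blinded), r)


def blind_sign_via_decryption_oracle(msg: bytes) -> int:
    """Abuse: feed a blinded message hash to the decryption server and
    unblind the result; the output is a valid RSA signature on msg."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    h_blinded, r = blind(h)
    return unblind(server_private_op(h_blinded), r)


def verify_signature(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, E, N) == h


if __name__ == "__main__":
    secret = int.from_bytes(b"card PIN 4711", "big")
    print("blind decryption correct:", blind_decrypt(encrypt(secret)) == secret)
    sig = blind_sign_via_decryption_oracle(b"server owes client 100 EUR")
    print("forged signature verifies:", verify_signature(b"server owes client 100 EUR", sig))
```

The blinding hides the plaintext from the server, but it hides the signing abuse just as well; rate limiting or logging on the server cannot distinguish the two uses. Separate keys for decryption and signing, or a padding check the server can enforce on the unblinded result, are the usual answers.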