Questions tagged [protocol-design]

Design of cryptographic protocols, i.e. ways of using algorithms (primitives) to achieve one or more security goals like integrity, confidentiality, authenticity (maybe together with non-security-related goals). If you ask about a specific protocol, tag with its name instead (or additionally, if about its design).

Background:

If you want to know about the design of cryptographic primitives, see instead.

For example, many protocols involve a data compression algorithm, a secrecy-preserving encryption algorithm, and an authentication algorithm. Questions asking why we apply them in that order -- such as a or b -- should be tagged .

Some protocol-specific tags: (also for TLS), , ,

720 questions
429 votes, 13 answers

Should we MAC-then-encrypt or encrypt-then-MAC?

Most of the time, when some data must be encrypted, it must also be protected with a MAC, because encryption protects only against passive attackers. There are some nifty encryption modes which include a MAC (EAX, GCM...) but let's assume that we…
Thomas Pornin
154 votes, 7 answers

Should we sign-then-encrypt, or encrypt-then-sign?

Frequently, we want to send messages that are (a) encrypted, so passive attackers can't discover the plaintext of the message, and (b) signed with a private-key digital signature, so active attackers can't make Alice think that a message came from…
David Cary
89 votes, 8 answers

Guarding against cryptanalytic breakthroughs: combining multiple hash functions

Assume I want to design a protocol (or data format or similar) including some cryptographic hash, and want it to be as future-proof as possible, i.e. I want to avoid that breakthroughs in cryptography make my old data insecure. If I use only one…
Paŭlo Ebermann
74 votes, 3 answers

Signal vs Telegram in terms of protocols?

Some time ago, the question was asked in chat, why MTProto (Telegram's protocol) is supposedly worse than Axolotl (Signal's protocol) as both protocols have been the inventions of their respective companies, thereby "rolling their own crypto", which…
SEJPM
56 votes, 6 answers

Kerckhoffs’ principles – Why should I make my cipher public?

As I understand it, the fewer people know about the internals of my protocol or cipher, the more secure the protocol is. However, Kerckhoffs's principle states that A cryptosystem should be secure even if everything about the system, except the key,…
rath
56 votes, 7 answers

One Encryption, Many Decryption Keys

I would like to share access to encrypted data among many recipients. I do not know the recipients ahead of time (when encrypting the data). Once the data is encrypted, I do not have access to the plaintext (so I cannot re-encrypt). Right now, I…
Justin Bailey
53 votes, 1 answer

Why do 5G, 4G, etc., use non-conventional algorithms?

Looking up information about 5G and the previous 3GPP standards, why have they been incorporating non-conventional algorithms into the standards? For example, AES has been considered secure for ages and there is lots of support for hardware…
MCCCS
37 votes, 4 answers

Why is plain-hash-then-encrypt not a secure MAC?

It seems that even in MAC-then-encrypt systems like SSL, something like HMAC is used rather than a plain hash. Why? Suppose we use some stream cipher; then why can't we use $Encrypt(m | H(m))$ as the MAC-then-encrypted version of the message?…
ithisa
32 votes, 2 answers

Prevent double-spending with decentralized digital currencies without all transactions being public?

A recent approach to creating a decentralized online currency, called Bitcoin, has been generating some interest. The goal is to have a way to transfer currency without a central authority and without double spending or counterfeiting. Their…
31 votes, 4 answers

How to fairly select a random number for a game without trusting a third party?

Several people are playing a game with random events and require a way to produce a random number. (Such as dice rolls or a lottery.) Can this be done such that each player has the power to be reasonably sure that the random number was fairly…
billpg
30 votes, 3 answers

Is this password migration strategy secure?

I want to upgrade the security of some existing databases of users' authentication tokens strictly for the purpose of making sure that if the database is stolen, attackers will not be able to guess any but the weakest passwords in a reasonable…
Major Major
29 votes, 3 answers

How does a rolling code work?

I have general questions regarding rolling codes. Basically there is a sender and a receiver. Both have a sequence generator. The receiver checks if the received sequence matches the newly generated one. An example used is KeeLoq. Assuming a car opener…
matcauthon
27 votes, 1 answer

Zero knowledge proof protocol example?

Alice is color blind. She never knows if her gloves are matched. Her brother Bob always teases her saying her gloves are mismatched and she should go change them. Alice wants to know if Bob is telling the truth about her…
user10956
24 votes, 3 answers

Selective format-compliant JPEG encryption?

I am working towards building a format-compliant encryption system for pictures. The aim of it is to be able to obscure specific areas of a picture (i.e. faces, car license numbers...) while keeping the rest unaltered. The aim would be, for…
23 votes, 2 answers

Is it possible for Alice and Bob to both sign a message "simultaneously"?

Let's say that there is a message which is considered valid if signed by both Alice and Bob. Alice could sign the message and then give it to Bob, so that he can sign it and give it back to her. But, for various reasons, Alice doesn't want Bob to…
Jehan