Most Popular (1500 questions)
39 votes · 7 answers

Why aren't zero-knowledge proofs used in practice for authentication?

I read on Wikipedia that zero-knowledge proofs are not used for authentication in practice. Instead (I think) the server is entrusted with seeing a password in plaintext form, which it should then add a salt to and hash. But for a split moment, the…

asked by wlad
39 votes · 4 answers

Is there a string whose hash is equal to itself?

I was wondering if there's any string that has a hash equal to itself, so that – when using any (non-specific) hash function – the hash would be equal to that string? So that: hash(x) = x. Note that this is not an assignment or anything. I'm just…

asked by Mostafa Berg
39 votes · 1 answer

Who first published the interest of more than two prime factors in RSA?

Multi-prime RSA is now a well known technique (described here): it uses $k>2$ distinct secret prime factors in the public RSA modulus, with the advantage that, using the CRT, we can gain a speed boost in private-key operation, with little…

asked by fgrieu
39 votes · 2 answers

Why should I use Authenticated Encryption instead of just encryption?

There are various different modes of operation for block cipher use, some of which provide "encryption" and some of which provide authenticated encryption. Why should I use an authenticated encryption mode rather than just an encryption mode? This…
39 votes · 1 answer

Explaining weakness of Dual EC DRBG to wider audience?

I have an audience of senior (non-technical) executives and senior technical people who are taking the backdoor in Dual_EC_DRBG and considering it as a weakness of elliptic curves in general. I can take a max of about 10 mins in my presentation to…
38 votes · 2 answers

Why should I use an Initialization Vector (IV) when I have unique keys?

I took a look at "Why, or when, to use an Initialization Vector?" but my question is not the same. I have unique keys encrypting each plaintext (in CBC mode, AES-256) and I do not use a key to encrypt more than one plaintext. Is it insecure to use…

asked by Ashwin
38 votes · 3 answers

What are recommended, general strategies to start block-cipher design and/or analysis?

I (and many others for that matter) have always been fascinated by the inner workings of the modern building block of cryptography: block ciphers. Now, the resources on the "black art" of design and analysis of these ciphers are sparse; especially…

asked by SEJPM
38 votes · 4 answers

How can one securely generate an asymmetric key pair from a short passphrase?

Background info: I am planning on making a filehost with which one can encrypt and upload files. To protect the data against any form of hacking, I'd like not to know the encryption key ($K$) used for a file, so the user will have to asymmetrically…

asked by Flumble
38 votes · 7 answers

Is it feasible to build an index of prime factors?

Would it be possible to break an RSA key, in for example 1 week of time, if the cracker has already spent X number of years building an index of primes by performing every permutation of existing prime keys up to $2^{2048}$? I understand this would…

asked by mjs
37 votes · 4 answers

Can ECDSA signatures be safely made "deterministic"?

Using the terminology of the ECDSA Wikipedia page, ECDSA (and DSA) signatures require a random k value for each signature which ensures that the signature is different each time even if the message and key are the same. For some applications, a…

asked by ByteCoin
37 votes · 5 answers

The GCD strikes back to RSA in 2019 - Good randomness is the only solution?

When someone collects lots of RSA public moduli, the first thing that comes to mind is: $$\text{GCD them all}$$ If you calculate the GCD of two different RSA moduli and the result is not 1, then you find one of the factors. This has been…

asked by kelalaka
37 votes · 1 answer

What is a tweakable block cipher?

Pretty simple question - but I can't seem to find much information about it. What exactly is a tweakable block cipher? How do they differ from traditional block ciphers? What is the 'tweak'? Is it just a sequence of bytes? Does it have any special…

asked by hunter
37 votes · 3 answers

Does "Shattered" actually show SHA-1-signed certificates are "unsafe"?

Note: I am not advocating anyone continues using SHA1-signed certificates: they are dead as far as security is concerned and should no longer be used. I'm just trying to clarify my understanding of the theoretical implications of Shattered as they…

asked by TripeHound
37 votes · 1 answer

What is the advantage of XTS over CBC mode (with diffuser)?

I have some problems in understanding the "advantage" of AES-XTS compared to CBC with diffuser. I read something about FileVault; in this paper they mention the two modes of operation XTS and CBC (with diffuser) and the advantages of XTS. Both…

asked by tommynogger
37 votes · 4 answers

Why is plain-hash-then-encrypt not a secure MAC?

It seems that even in MAC-then-encrypt systems like SSL, something like HMAC is used rather than a plain hash. Why? Suppose we use some stream cipher; then why can't we use $Encrypt(m | H(m))$ as the MAC-then-encrypted version of the message?…

asked by ithisa