12 votes, 2 answers

How should one implement a delegated shared trust protocol?

Consider the following (probably naive) scenario. Alice, who is very limited in her knowledge of security in general (clueless about securing a private key for example), wishes to delegate certain contractual operations to Trent, an apparent trusted…
Gary
12 votes, 4 answers

Is there any protocol for proving that a message was written at a certain time?

Does there exist a way to cryptographically prove that a message was written at a certain time? I know that one can write messages in bitcoin transactions so that the message is preserved in the blockchain, which can be used to prove the message was…
Christine
12 votes, 3 answers

Examples of protocols that are insecure when run concurrently

I was reading the Canetti00 Universally Composable security paper. The first page of the introduction says that there are some MPC protocols and zero-knowledge protocols that are insecure under concurrent composition. I don't see why protocols might break…
12 votes, 0 answers

Why does the Signal protocol use AES/CBC instead of AES/GCM?

AES/GCM has obviously proved itself to be better than AES/CBC. Unless the key is re-used with the same initialization vector (see disadvantages of GCM). More information on its advantages against CBC can be found in source 1 and source 2. Now, most…
OughtToPrevail
12 votes, 1 answer

Why have static RSA and Diffie-Hellman cipher suites been removed in TLS 1.3?

Why have static RSA and Diffie-Hellman cipher suites been removed in TLS 1.3? How can keys be exchanged then? https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-28
Nathan Aw
12 votes, 3 answers

Mapping between subgroups and the integers

This question is a companion to the equivalent question on elliptic curves. Preliminaries: Diffie-Hellman, Elgamal, DSA, etc. are examples of protocols that work in the integers modulo a large prime $p$. However, for security reasons, we do not use…
PulpSpy
12 votes, 1 answer

What is the recommended minimum key length for ECDSA signatures?

I want to identify the proportion of certificates that use an unrecommended ECDSA key length for TLS certificates based on some data I collected. By looking at a standard like NIST for example, I find this on this website: My data shows use of…
user9371654
12 votes, 5 answers

How to use proof of lack of knowledge?

This is a purely hypothetical example, but is provable ignorance useful in cryptography? For example, let's say I have a trapdoor collision-resistant function. I know the trapdoor and therefore some $x_0 \neq x_1$ such that $f(x_0) = f(x_1)$. This is…
user1936752
12 votes, 5 answers

Can you explain what an NP statement is when they refer to it in Zero knowledge proofs?

When I read about zero-knowledge proofs, I keep encountering the term NP-statement. I am aware of complexity classes but I am a little unclear on how it ties in to NP-statement. I came across the following here: C++ library for zkSNARKs A computation…
tatepairing
12 votes, 1 answer

Relation between entropy and min-entropy

I understand that the entropy is the number of bits that can encode a set of messages. However, I don't understand what the min-entropy is and how it is related to entropy. Let's describe a simple password case: if a password is 100 random bits, is…
graphtheory92
12 votes, 0 answers

Do trinomials weaken the Alternating Step Generator?

The Alternating Step Generator was proposed by Christoph G. Günther: Alternating step generators controlled by de Bruijn sequences, in proceedings of Eurocrypt 1987. It's perhaps the conceptually simplest CSPRNG producing bits at a constant rate.…
fgrieu
12 votes, 1 answer

Why does gnupg create 4 separate keys and what does sub and ssb mean?

When using gpg to create a single key, I get:
$ gpg --list-keys
-------------------------------
pub 2048R/0C0EA301 2018-01-01
uid [ultimate]
sub 2048R/023A0509 2018-01-01
$ gpg --list-secret-keys
-------------------------------
sec …
zcaudate
12 votes, 2 answers

Why do some key derivation functions (like PBKDF2) use a salt?

Let me start by explaining my understanding of the various concepts involved in this question: Salt: Random bytes of data used as secondary input for a password hashing function, like so: hashfunc(, ) -> And both the
Aran-Fey
12 votes, 1 answer

Algorithm to factorize $N$ given $N$, $e$, $d$

I have an RSA public key (public modulus $N$ and public exponent $e$), and the private exponent $d$ of the matching private key. How can I compute $p$ and $q$, the prime factors of $N$?
user61922
12 votes, 3 answers

How small is negligible?

When proving theorems in crypto we often make use of the concept of negligible functions or, more simply, negligible parameters. As a rule of thumb, given today's (2018) computational power, what is the smallest inverse power of 2 that we can consider…
Rexcirus