Most Popular
12 votes, 2 answers
Should I use HMAC or KMAC for SHA-3?
I am planning to implement a MAC function for SHA-3. I read that its latest variant is KMAC. I am confused by the comments on the Keccak website.
It says:
Unlike SHA-1 and SHA-2, Keccak does not have the length-extension weakness, hence does…
ajith
12 votes, 1 answer
Why doesn't Wang's attack work on SHA-1?
Wang et al.'s differential attack works on MD5, MD4, RIPEMD and HAVAL.
Why doesn't it work on SHA-1?
Peppina
12 votes, 3 answers
Usage difference between x86 RDRAND and RDSEED
Modern x86 CPUs often have the RDRAND and RDSEED instructions for hardware generation of random numbers. I just don't understand the difference between them.
Intel has this document:…
Myria
12 votes, 1 answer
Does SHA-512 leak info about SHA-256?
Does the SHA-512 value of an input leak any information about the SHA-256 value of that same input?
Specifically, if I'm using SHA-512 to derive encryption and HMAC keys from a 256 bit ECDH shared secret (by splitting it into two 256 bit chunks),…
Chris
12 votes, 3 answers
Is the number of creatable torrents limited?
Currently, a magnet link containing a 40-digit-long SHA hash value is assigned to every torrent that is created. Therefore, this hash should be unique, to identify a torrent and send the right bytes (packages) to the right people. So therefore,…
MechMK1
12 votes, 3 answers
Is deriving the IV from the password secure?
I came across an encryption scheme to encrypt files with AES-256. You can see the initialization of the decryption routine below:
salt = scrambled_file.read(16)
key_and_iv = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50000, 48,…
Jonas
12 votes, 2 answers
Why must an elliptic curve group for ECC have prime order?
What is the deeper reason that a group must have prime order for usage in cryptography?
MichaelW
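One concrete answer to the prime-order question above can be watched happening: when the group order N has a small prime factor r, the group contains a point of order r, and any party that multiplies an unvalidated point by its long-term secret returns the secret modulo r (a small-subgroup attack). With prime order there is no such point to send. The following is an added example, not from the question or its answers: a toy curve y^2 = x^3 + x + 1 over F_23, a textbook curve with 28 = 2^2 * 7 points chosen here because its order is composite, a victim that performs unvalidated static scalar multiplication (as a static ECDH responder would), and an attacker that recovers the secret modulo 14 from two queries. The curve parameters, the secret and all function names are constructed for the demonstration.

```python
# Constructed toy curve for the example: y^2 = x^3 + A*x + B over F_P with P = 23.
# E(F_23) has 28 points (enumerated below), so the group order is 2^2 * 7, not prime.
P, A, B = 23, 1, 1
INF = None  # point at infinity, the group identity


def ec_add(S, T):
    """Affine point addition; INF is the identity."""
    if S is None:
        return T
    if T is None:
        return S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # S == -T, including doubling a point with y == 0
    if S == T:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, S):
    """Double-and-add scalar multiplication k*S."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, S)
        S = ec_add(S, S)
        k >>= 1
    return R


def curve_points():
    """Brute-force enumeration of E(F_P) including INF; only feasible because P is tiny."""
    pts = [INF]
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        pts.extend((x, y) for y in range(P) if y * y % P == rhs)
    return pts


def prime_factors(n):
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return fs + ([n] if n > 1 else [])


def point_of_prime_order(r, points):
    """A point Q != INF with r*Q == INF, i.e. of exact prime order r (exists exactly when r | #E)."""
    for S in points:
        if S is not INF and ec_mul(r, S) is INF:
            return S
    raise ValueError("no point of order %d" % r)


def victim_static_scalar_mult(d, Q):
    """Victim multiplies whatever point it receives by its secret d, with no subgroup check."""
    return ec_mul(d, Q)


def small_subgroup_attack(d_secret):
    """Attacker: learn d mod r for each small prime r dividing #E, then combine with the CRT.
    Returns (residue, modulus): the victim's secret is now known modulo `modulus`."""
    points = curve_points()
    order = len(points)
    residue, modulus = 0, 1
    for r in prime_factors(order):
        Q = point_of_prime_order(r, points)
        leaked = victim_static_scalar_mult(d_secret, Q)          # equals (d mod r) * Q
        k = next(k for k in range(r) if ec_mul(k, Q) == leaked)  # only r candidates to try
        t = (k - residue) * pow(modulus, -1, r) % r              # CRT: lift to mod (modulus * r)
        residue, modulus = residue + modulus * t, modulus * r
    return residue % modulus, modulus


def in_prime_order_subgroup(Q, n):
    """The check a careful implementation makes before using Q: n*Q == INF for the prime subgroup order n."""
    return ec_mul(n, Q) is INF
```

On this curve the largest prime-order subgroup has order 7, so `in_prime_order_subgroup(Q, 7)` rejects the attacker's order-2 point; on a prime-order curve the check degenerates to "Q is on the curve and Q != INF", which is exactly why prime order is so convenient. Cofactor curves such as Curve25519 take the other route, clearing the cofactor inside the scalar multiplication.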
12 votes, 2 answers
Prove that you have $K$ bytes of memory
Alice has bought a brand new hard disk, $K$ (with $K \sim 10^{12}$) bytes in size. She is very happy about her purchase, and tells Bob about it. Bob claims he also bought a $K$ bytes hard disk. Alice doesn't really trust Bob on this, so she asks him…
Matteo Monti
12 votes, 1 answer
Encoding vs. Compression vs. Encryption
In what ways does encryption differ from proprietary/secret compression schemes and codecs?
ProductionValues
12 votes, 2 answers
How to show that a one-way function proves that P ≠ NP?
According to this, the existence of a one-way function proves P ≠ NP. What is the proof of this?
One way to show this is that if P = NP, then any function is easy to invert. P and NP are about decision problems though, not computation…
Christopher King
12 votes, 1 answer
Minimalist memory-hard function?
What would be a minimalist memory-hard function, reasonably conjecturable to
require $\approx2^k$ bits of memory per running evaluation, $k\approx32$;
require $\approx2^n$ R/W accesses to $2^w$-bit words per evaluation, $w\approx6$ (likely $n\ge…
fgrieu
12 votes, 2 answers
How can we distribute Shamir's secret sharing scheme shares without a dealer?
Let's say $k$ users have shares to a $(k,n)$ secret sharing scheme, and they want to issue new shares. How can they do this without collecting the shares together?
In particular, no set of $k-1$ users (including the new users) should be able to…
Christopher King
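For the dealer-free share issuance asked about above, one standard construction is additive re-sharing of the Lagrange-weighted shares: the new share is f(x_new) = sum_i lambda_i(x_new) * s_i over any k holders, and each holder splits its own term into random pieces so that nobody, the newcomer included, ever sees a term that depends on a single share. The following is an added example, not code from the question or its answers; the field prime, the (3,5) parameters and the secret are constructed for the demonstration, and the helper names are mine.

```python
import secrets

# Field for all share arithmetic (a Mersenne prime; constructed choice for this example).
FIELD = 2 ** 127 - 1


def eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... over GF(FIELD)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % FIELD
    return acc


def deal(secret, k, n):
    """Ordinary dealer: random degree-(k-1) polynomial with f(0) = secret; share i is f(i)."""
    coeffs = [secret % FIELD] + [secrets.randbelow(FIELD) for _ in range(k - 1)]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}


def lagrange_coeff(xs, i, at):
    """lambda_i(at) = prod_{j != i} (at - x_j) / (x_i - x_j), so f(at) = sum_i lambda_i(at) * f(x_i)."""
    num = den = 1
    for j in xs:
        if j != i:
            num = num * (at - j) % FIELD
            den = den * (i - j) % FIELD
    return num * pow(den, -1, FIELD) % FIELD


def reconstruct(shares):
    """Recover f(0) from any k shares given as {x: f(x)}."""
    xs = list(shares)
    return sum(shares[i] * lagrange_coeff(xs, i, 0) for i in xs) % FIELD


def enroll_without_dealer(holders, new_x):
    """k existing holders {x_i: s_i} jointly produce f(new_x) for a newcomer without pooling shares.

    Holder i owes the newcomer lambda_i(new_x) * s_i, but sending that directly would reveal s_i
    (lambda_i is public).  Round 1: holder i splits the owed value into k random pieces that sum
    to it and sends one piece to each holder (itself included).  Round 2: each holder forwards to
    the newcomer only the sum of the pieces it received.  The newcomer adds the k column sums.
    Every single value seen by any k-1 parties is masked by a random piece of an honest holder;
    only the grand total equals f(new_x).  Returns (new_share, column_sums) so the transcript the
    newcomer actually receives can be inspected."""
    xs = list(holders)
    k = len(xs)
    inbox = {j: [] for j in xs}                                   # round-1 messages per recipient
    for i in xs:
        owed = lagrange_coeff(xs, i, new_x) * holders[i] % FIELD
        pieces = [secrets.randbelow(FIELD) for _ in range(k - 1)]
        pieces.append((owed - sum(pieces)) % FIELD)               # pieces sum to `owed`
        for j, piece in zip(xs, pieces):
            inbox[j].append(piece)
    column_sums = {j: sum(inbox[j]) % FIELD for j in xs}          # round 2: holder j -> newcomer
    return sum(column_sums.values()) % FIELD, column_sums


def demo(secret=0x5EC2E7, k=3, n=5, new_x=6):
    """Deal a (3,5) scheme, enroll share 6 using holders 1, 3 and 5 only, then check that a set of
    k shares containing the new one still reconstructs the original secret."""
    shares = deal(secret, k, n)
    new_share, _ = enroll_without_dealer({x: shares[x] for x in (1, 3, 5)}, new_x)
    return reconstruct({2: shares[2], 4: shares[4], new_x: new_share}) == secret
```

Two caveats a practitioner should keep: the helpers must agree on the same polynomial (mixing shares from different dealings produces garbage that reconstructs to nothing useful, with no error), and the protocol as written assumes honest-but-curious holders; a malicious helper can hand the newcomer a bad share undetected unless the scheme is made verifiable (e.g. with public polynomial commitments).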
12 votes, 2 answers
Definitions of secrecy
I found terms like "forward secrecy", "future secrecy", "backwards secrecy" and "perfect forward secrecy" and I would like to know their definitions and to understand the differences among them.
I found several confusing definitions online,…
M-elman
12 votes, 3 answers
Which algorithms are used to factorize large integers?
Even though RSA decided to cancel the Factoring Challenge, it seems that some teams keep working on it. According to Wikipedia, RSA-768 was factored in late 2009.
What are the current large integer factorization algorithms and what the mathematical…
Jcs
12 votes, 3 answers
In the Quadratic Sieve, why restrict the factor base?
In the Quadratic Sieve, when factoring a number $N$, many descriptions and most implementations select as the factor base the set of small primes $p_j$ less than some bound $B$ restricted to having Legendre symbol $\left({N\over p_j}\right)=+1$.
Why…
fgrieu
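The two factoring questions above (which algorithms are used, and why the quadratic sieve keeps only primes with Legendre symbol +1) share one worked example. The record factorizations such as RSA-768 use the general number field sieve; the quadratic sieve is the simpler relative, and a complete toy version fits in a screen. The following is an added example, not from either question or its answers: it builds the factor base, sieves Q(x) = x^2 - N, finds a dependency over GF(2) and takes a gcd, on N = 15347, a constructed small semiprime. The factor-base rule falls out of the sieve step: a prime p with (N/p) = -1 has no root of x^2 = N (mod p), so no position is ever marked for it and it can never divide any Q(x). Function names and the bounds B and `interval` are choices made for this demonstration.

```python
from math import gcd, isqrt


def sqrt_roots_mod_p(N, p):
    """Solutions r of r^2 = N (mod p), by brute force since p is small. The list is empty exactly
    when (N/p) = -1, in which case p can never divide Q(x) = x^2 - N and is useless in the factor base."""
    return [r for r in range(p) if (r * r - N) % p == 0]


def factor_base(N, B):
    """Primes p <= B for which x^2 = N (mod p) is solvable: 2, primes with (N/p) = +1, and any p | N."""
    primes = [p for p in range(2, B + 1) if all(p % q for q in range(2, isqrt(p) + 1))]
    return [p for p in primes if sqrt_roots_mod_p(N, p)]


def smooth_exponents(v, fb):
    """Trial-divide v over the factor base; its exponent vector if fully smooth, else None."""
    exps = []
    for p in fb:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def sieve_relations(N, fb, interval):
    """Sieve Q(x) = x^2 - N for x = base .. base+interval-1. For each p in the factor base, mark the
    arithmetic progressions x = r (mod p) for each root r; then trial-divide only promising x."""
    base = isqrt(N) + 1
    marked = [1] * interval                  # product of distinct fb primes known to divide Q(x)
    for p in fb:
        for r in sqrt_roots_mod_p(N, p):     # no roots => this prime marks nothing at all
            for i in range((r - base) % p, interval, p):
                marked[i] *= p
    bound = fb[-1] ** 2
    rels = []
    for i, m in enumerate(marked):
        x = base + i
        v = x * x - N
        if v // m <= bound:                  # unsieved cofactor is small: worth trial dividing
            exps = smooth_exponents(v, fb)
            if exps is not None:
                rels.append((x, exps))
    return rels


def gf2_dependencies(vectors):
    """Index sets of relations whose exponent-parity bitmasks XOR to zero (left nullspace over GF(2))."""
    pivots, deps = {}, []
    for i, v in enumerate(vectors):
        combo = 1 << i
        while v and (v.bit_length() - 1) in pivots:
            pv, pc = pivots[v.bit_length() - 1]
            v, combo = v ^ pv, combo ^ pc
        if v:
            pivots[v.bit_length() - 1] = (v, combo)
        else:
            deps.append([j for j in range(len(vectors)) if combo >> j & 1])
    return deps


def quadratic_sieve(N, B=30, interval=100):
    """Return a nontrivial factor of N from a congruence x^2 = y^2 (mod N), or None if none was found."""
    fb = factor_base(N, B)
    rels = sieve_relations(N, fb, interval)
    parity = [sum((e & 1) << j for j, e in enumerate(exps)) for _, exps in rels]
    for dep in gf2_dependencies(parity):
        x, exps = 1, [0] * len(fb)
        for i in dep:
            x = x * rels[i][0] % N
            exps = [a + b for a, b in zip(exps, rels[i][1])]
        y = 1
        for p, e in zip(fb, exps):           # every e is even on a dependency, so y^2 = prod Q(x_i)
            y = y * pow(p, e // 2, N) % N
        g = gcd(x - y, N)
        if 1 < g < N:
            return g
    return None
```

For N = 15347 the primes up to 30 with a solvable x^2 = N (mod p) are 2, 17, 23 and 29; 3, 5, 7, 11, 13 and 19 are dropped because N is a non-residue modulo each of them, and a glance at `marked` shows why keeping them would only waste sieve time. The sieve uses one root per prime and ignores prime powers, so a value like 2^12 can slip through the candidate test; real implementations tune that threshold and add large-prime variations, but the structure is the same.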