Most Popular

1500 questions
12
votes
3 answers

How to attack a fixed LCG with partial output?

To show some colleague programmers exactly how broken C's rand() is (at least on Windows) I decided to break it. So everyone knows the exact parameters, MSVC's implementation is as follows: uint32_t state; int rand() { state = state * 214013 +…
orlp
12
votes
3 answers

How broken is a xor of two LCGs?

Suppose we define a PRG as the xor of two LCGs modulo a 64-bit prime: something like the following Python code. p = 14692456042302986707 alpha, beta = 1416483285059710267, 1922202445720274864 gamma, delta = 8868330555542893802,…
Robin Houston
12
votes
1 answer

How much entropy is lost via hashing when you add known or low entropy data?

(I updated the title, as I think there was some confusion as to the question) Here's the question: For example, if I have a bit stream that is 64K bytes long and there is about 16*8 bits worth of entropy randomly dispersed in that byte stream, so…
Blaze
12
votes
1 answer

Why doesn't preimage resistance imply second preimage resistance?

Let the preimage resistance be defined as »given a hash value $h$, it is hard to find any message $m$ such that $\operatorname{hash}(m)=h$«, and let the second preimage resistance be defined as »given a message $m_1$, it is hard to find any message…
12
votes
1 answer

Diffie-Hellman: choosing a wrong generator "g" parameter and its implications for practical attacks

In traditional DH one chooses two shared parameters: a large prime $p$ and a base $g$, which is a primitive root $\bmod p$. Suppose that the generation algorithm is broken and $g$ generates only a subgroup (a group with fewer elements than the number…
Pat Kug
12
votes
1 answer

Why restrict SHA3 to only two possible capacities?

I just read the presentation slides of John M. Kelsey (from NIST) for his invited talk at CHES 2013 about SHA-3 and learned that NIST is going to standardize Keccak with a possibly modified padding scheme. Ok, so far so good. But what I don't…
sellibitze
11
votes
4 answers

Is there a public key encryption scheme with optimal key size?

Symmetric encryption schemes such as AES have known security levels equal to their key sizes (i.e. breaking an encryption with an $n$ bit key needs about $2^n$ work steps). Elliptic curve encryption gets halfway towards optimal: its security is…
Geoffrey Irving
11
votes
2 answers

Is a 1024-bit DSA key considered safe?

I created my PGP key in 2000. I’ve revoked the older, weaker sub-keys in favor of a 4096-bit RSA one, but the primary key is 1024-bit DSA. I read on Wikipedia that… NIST 800-57 recommends lengths of 2048 for keys with security lifetimes extending…
bdesham
11
votes
2 answers

Why are HOTP and TOTP implementations all using 6 digits and not more?

I was checking the RFCs after wondering for some time. In RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm, it states in the appendix: A simple enhancement in terms of security would be to extract more digits from the HMAC-SHA-1…
Mamsaac
11
votes
1 answer

CKM_RSA_PKCS vs CKM_RSA_X_509 mechanisms in PKCS#11

What is the exact difference between the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms in the PKCS#11 v2.20 specification? (Please explain with an example.)
Ehsan Khodarahmi
11
votes
2 answers

RSA Private Exponent Generation according to FIPS 186-4 in openssl v1

I guess this is more of a math problem in a cryptography context so I apologize beforehand if it is not the right place to ask. Basically I have to check whether a certain implementation of RSA key-pair generation adheres to FIPS 186-4. More…
11
votes
3 answers

How well does scrypt perform on different architectures / OSes?

The scrypt algorithm seems to be a prominent feature in the "CPU friendly" Bitcoin clones for the proof-of-labor part. I've heard claims that it's relatively slow on Windows and/or Intel compared to Linux/AMD. Is this true? By how much? Does anyone…
ripper234
11
votes
1 answer

How random is the shared secret in the Diffie-Hellman key agreement?

How random is the value $ZZ$ in the DH protocol? This question was triggered by this somewhat naïve implementation in I2P shown by Sergei at Stackoverflow. Obviously $ZZ$ is distinguishable from a random oracle, as the first byte will be lower or…
Maarten Bodewes
11
votes
3 answers

Common Classical Ciphers

When studying cryptography, the first thing every student learns is some historical ciphers. There are way too many of those ciphers to name them all. So my question is: What are the most important classical ciphers (every cryptographer should have…
Titanlord
11
votes
5 answers

Why are finite fields so important in cryptography?

I am just getting into cryptography and currently learning by trying to implement some crypto algorithms. While implementing the Shamir secret sharing algorithm, what I have noticed is that finite fields keep coming up. I just don't understand…
iammadab