11
votes
4 answers

Theoretical pi-based stream cipher

Let's pretend that all digits of pi are known and arbitrarily long sequences of digits are trivial to get. Further, some mathematician proves that there are no patterns in pi. We could create a stream cipher by grabbing a piece of pi as long as our…
Joshua Galecki
  • 213
  • 2
  • 4
11
votes
0 answers

How to build a security model

What are the minimal components to build a security model proof for a protocol? This question might seem trivial, but having read many papers (from the IEEE, ACM, etc.) that talk about a KMP, I still don't know where to start. For example, should…
CipherX
  • 381
  • 3
  • 12
11
votes
3 answers

Is there a length-preserving encryption scheme?

Is there a length-preserving encryption scheme, that is, one that preserves the input size such that the length of the input plaintext is the same as the length of the output ciphertext?
Digerkam
  • 219
  • 2
  • 5
11
votes
3 answers

Initialize a PRNG with a password

Let's assume that we have a secure PRNG. Is it "safe" to initialize it with password, or seed based on a password like SHA256(password)? If yes, is it "safe" to generate an RSA or DSA key from it? The idea behind this is to initialize a PRNG with a…
esskar
  • 373
  • 1
  • 11
11
votes
1 answer

How to salt PBKDF2, when generating both an AES key and a HMAC key for Encrypt then MAC?

When using Encrypt-then-MAC with AES and HMAC by password, and given 128 bits of payload with the ciphertext to store a random salt, which would be more secure: using PBKDF2 with the entire 128-bit random salt and generating 512 bits of derived…
jbtule
  • 278
  • 6
  • 14
11
votes
2 answers

How many trials does it take to break HMAC-MD5?

I know that you can find a collision in MD5 with $2^{64}$ trials using the birthday paradox. Now everyone is saying that HMAC-MD5 is significantly more secure. How can I quantify this security? My question is how many trials does it take to find a…
ladybug
  • 213
  • 2
  • 5
11
votes
2 answers

Why xor the message into the state for sponge hashes?

Sponge hashes like Keccak (SHA-3) and CubeHash XOR a message block into part of the internal state. Why use a reversible operation like XOR for that, instead of replacing that part of the state with the message block? It clearly has no effect on…
CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
11
votes
1 answer

Example Rainbow Table Generation

I have read up on rainbow tables and think I understand the idea behind them. However, I find that it would be better for me to actually attempt to implement a (very basic) rainbow table generator in order to get a proper feel to using rainbow…
calccrypto
  • 536
  • 1
  • 9
  • 26
11
votes
2 answers

Should I salt an AES password at each encryption?

I saw a sample code where the same password is salted with a different value (using PBKDF2) for each encryption. That means that the salt must be stored for each encrypted message. I don't understand why they do that since AES is used here in CBC…
Benoit
  • 113
  • 1
  • 1
  • 6
11
votes
4 answers

Can I find the encryption key if I know the plain text and the encrypted text (DES and AES)?

If I have the plain text and its output after encryption with a key K1, is it algorithmically feasible to find K1? I am specifically interested in the cases of DES and AES encryption algorithms.
Joezer
  • 213
  • 1
  • 2
  • 6
11
votes
2 answers

Can AES-GCM be broken if initialisation vector is known?

We are using AES encryption in GCM block mode in order to encrypt a number of different kinds of data at rest on a mobile device (Android). The key used for encryption is stored in the protected key-store offered by Android, so I am assuming that it is…
Suhas
  • 253
  • 3
  • 10
11
votes
3 answers

How to evaluate chi squared result?

I've been recently working on a (supposedly) TRNG. I'm still at the beginning of the project, so it is certainly not cryptographically secure yet; for now I'm just playing around. In fact, I've already discussed the project and the chi square…
valerio_new
  • 268
  • 3
  • 13
11
votes
3 answers

What is RSA-PSS and how is it different from a hash?

I can't find any usable resources about it online (at least ones that make sense to me right now), so any links to articles or if you could explain it to me would be greatly appreciated. What I don't understand is what is PSS? I understand that RSA…
lougehrig10
  • 123
  • 1
  • 1
  • 5
11
votes
3 answers

Can one have an authentic, but repudiable, message without a previously shared secret?

Bob wants to send a message to Alice, such that Alice can be sure that the message came from Bob, but can't prove it to anyone else. If I understand right, this means that the same message could have possibly also been constructed by Alice, but not…
Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
11
votes
4 answers

What is the signature scheme with the fastest batch verification protocol for multiple signers?

I'm looking for a scheme where signing may be costly (slow) but batch verification with different signers is the fastest possible. Modified ECDSA allows batch verification for different signers with a 4X speedup [1]. Is there any signature scheme…
SDL
  • 1,927
  • 13
  • 25