Most Popular
1500 questions

12 votes, 3 answers
How to attack a fixed LCG with partial output?
To show some colleague programmers exactly how broken C's rand() is (at least on Windows) I decided to break it. So everyone knows the exact parameters, MSVC's implementation is as follows:
uint32_t state;
int rand() {
state = state * 214013 +…
orlp
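Worked example, added here and not part of orlp's question or any of its answers: a brute-force recovery of the MSVC rand() state from three consecutive outputs, in Python. It assumes the well-known MSVC CRT constants (multiplier 214013, increment 2531011, output = bits 16..30 of the 32-bit state); the increment is cut off in the excerpt above, so it is taken from the public CRT source rather than from this page. The seed 12345 used in the demo is a constructed sample.

```python
# Added example: recovering the hidden state of the MSVC rand() LCG from a
# few consecutive outputs. Constants are the documented MSVC CRT values
# (assumption: the increment is not visible in the excerpt above).
A = 214013
C = 2531011
MASK = 0xFFFFFFFF          # the state is a 32-bit unsigned integer


def msvc_rand_step(state):
    """One rand() call: advance the state, return (new_state, output)."""
    state = (state * A + C) & MASK
    return state, (state >> 16) & 0x7FFF   # only bits 16..30 are revealed


def msvc_rand_sequence(seed, n):
    """Outputs of n successive rand() calls after srand(seed)."""
    outputs = []
    state = seed & MASK
    for _ in range(n):
        state, r = msvc_rand_step(state)
        outputs.append(r)
    return outputs


def recover_state(outputs):
    """Return every 32-bit state (the one that produced outputs[0]) that is
    consistent with the given consecutive outputs.

    Each output reveals 15 of the 32 state bits; the 17 hidden bits (the low
    16 and the top bit) are brute-forced and each candidate is checked
    against the following outputs. Three outputs almost always leave one.
    """
    first = outputs[0]
    candidates = []
    for top in (0, 1):
        for low in range(1 << 16):
            s = (top << 31) | (first << 16) | low
            t = s
            for expected in outputs[1:]:
                t, r = msvc_rand_step(t)
                if r != expected:
                    break
            else:
                candidates.append(s)
    return candidates


def predict_next(state, n):
    """The n rand() outputs that follow a (recovered) state."""
    outputs = []
    for _ in range(n):
        state, r = msvc_rand_step(state)
        outputs.append(r)
    return outputs


if __name__ == "__main__":
    observed = msvc_rand_sequence(12345, 6)    # constructed sample: seed 12345
    states = recover_state(observed[:3])       # attacker sees only 3 outputs
    print("states consistent with the first three outputs:", [hex(s) for s in states])
    for s in states:
        # predict_next(s, 5) reproduces calls 2..6; the last three were never seen
        print("predicted calls 4-6:", predict_next(s, 5)[2:], "actual:", observed[3:])
```

Each output exposes 15 of the 32 state bits, which leaves 2^17 possibilities for the rest; the second and third outputs filter those down to (almost always) a single state, after which every future value is known. The sequence 41, 18467, 6334 after srand(1) is the one every Windows programmer has seen, which makes a convenient self-check for the constants.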

12 votes, 3 answers
How broken is a xor of two LCGs?
Suppose we define a PRG as the xor of two LCGs modulo a 64-bit prime: something like the following Python code.
p = 14692456042302986707
alpha, beta = 1416483285059710267, 1922202445720274864
gamma, delta = 8868330555542893802,…
Robin Houston

12 votes, 1 answer
How much entropy is lost via hashing when you add known or low entropy data?
(I updated the title, as I think there was some confusion as to the question)
Here's the question:
For example, if I have a bit stream that is 64K bytes long and there is about 16 * 8 bits worth of entropy randomly dispersed in that byte stream, so…
Blaze

12 votes, 1 answer
What is meant by a "hybrid argument"?
Can anyone explain (or point to a reference for) what a hybrid argument is in a security proof, and when it's convenient or preferable to use it?
Among some of the places where I've seen it mentioned, there is the paper Boneh, Sahai, Waters -…
LRM

12 votes, 2 answers
Validating an RSA public key
What kind of tests can be performed on a public key to check if it is likely a valid key? The tests should be relatively fast - i.e. not computationally intensive - and not include modular exponentiation.
I'm asking this question as developers…
Maarten Bodewes
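Worked example, added here and not part of the question or its answers: the kind of cheap, exponentiation-free sanity checks the question asks for, written in Python. The toy modulus is constructed from the Mersenne primes 2^89-1 and 2^127-1 (216 bits) with min_bits lowered to match; a real check would insist on 2048 bits or more. These tests only reject keys that are certainly malformed; an empty result is not a proof that the key is a proper RSA modulus.

```python
# Added example: fast structural checks on an RSA public key (n, e) that
# need no modular exponentiation. Toy key: n = (2^89-1)(2^127-1), e = 65537.
import math

# Odd primes below 2000, used for trial division of the modulus.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]


def iroot(n, k):
    """Largest integer r with r**k <= n (binary search on exact big ints)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """True if n == r**k for integers r > 1, k >= 2 (an RSA modulus must not be)."""
    for k in range(2, n.bit_length() + 1):
        r = iroot(n, k)
        if r > 1 and r ** k == n:
            return True
    return False


def check_rsa_public_key(n, e, min_bits=2048):
    """Return the list of problems found; [] means no cheap test failed."""
    problems = []
    if n < 3 or e < 3:
        problems.append("modulus and exponent must both be at least 3")
        return problems
    if n % 2 == 0:
        problems.append("modulus is even")
    if n.bit_length() < min_bits:
        problems.append("modulus has only %d bits, expected at least %d"
                        % (n.bit_length(), min_bits))
    if e % 2 == 0:
        problems.append("public exponent is even")
    if e >= n:
        problems.append("public exponent is not smaller than the modulus")
    for p in SMALL_PRIMES:          # a genuine modulus has no tiny factors
        if n % p == 0:
            problems.append("modulus is divisible by the small prime %d" % p)
            break
    if is_perfect_power(n):         # catches n = p*p and similar
        problems.append("modulus is a perfect power")
    return problems


if __name__ == "__main__":
    N = ((1 << 89) - 1) * ((1 << 127) - 1)      # constructed toy modulus
    print("good key:", check_rsa_public_key(N, 65537, min_bits=216))
    print("even e:  ", check_rsa_public_key(N, 65536, min_bits=216))
    print("p*p:     ", check_rsa_public_key(((1 << 127) - 1) ** 2, 65537, min_bits=216))
    print("3*n:     ", check_rsa_public_key(3 * N, 65537, min_bits=216))
```

Everything here costs a handful of big-integer divisions and integer roots, so it is cheap enough to run on every key a server accepts. It deliberately omits primality testing of n or factoring attempts, which are either pointless for a product of two large primes or far too slow.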

12 votes, 3 answers
How much security is gained from hiding the nonce?
Public nonces can be problematic for privacy when they can be considered metadata. They can also be troublesome for security if you do things like using a hash of the message as the nonce.
PASETO now derives the nonce alongside the key using HKDF on…
samuel-lucas6

12 votes, 1 answer
Why doesn't preimage resistance imply second preimage resistance?
Let the preimage resistance be defined as »given a hash value $h$, it is hard to find any message $m$ such that $\operatorname{hash}(m)=h$«, and let the second preimage resistance be defined as »given a message $m_1$, it is hard to find any message…
huyichen

12 votes, 1 answer
Why did NIST select Kyber and Dilithium?
NIST selected Kyber for key agreement and Dilithium for digital signature applications some days ago. But IDF's MATZOV group, in their paper, broke Kyber and Dilithium and brought the security levels of these schemes below the thresholds defined by…
Daniel

12 votes, 1 answer
Why expand keys? Why not rather generate a longer key?
AES-128 takes a 128-bit key (four 32-bit words), and expands it to a 352-bit key schedule (11 words). Speck48/72 takes a 72-bit key (three 24-bit words), and expands it to a 528-bit key schedule (22 words). Key expansion is an extremely popular…
Chris Morgan

12 votes, 1 answer
Diffie-Hellman: choosing the wrong generator "g" parameter and its implications for practical attacks
In traditional DH one chooses two shared parameters: a large prime $p$ and a base $g$, which is a primitive root $\bmod p$. Suppose that the generation algorithm is broken and $g$ generates only a subgroup (the group with fewer elements than the number…
Pat Kug
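Worked example, added here and not part of the question or its answers: a toy Diffie-Hellman setup in Python showing what a base $g$ of small order does to the exchange, and the parameter check a receiver can run before using $g$. All numbers are constructed; $p = 23$ is a safe prime ($p = 2q + 1$ with $q = 11$) chosen only because everything fits on screen, and $p = 1019$ ($q = 509$) appears in the same role.

```python
# Added example: effect of a small-order DH base, and the order check that
# catches it. Toy parameters: p = 23, q = 11 (constructed, not real sizes).


def element_order(g, p):
    """Multiplicative order of g mod p, by stepping through its powers.
    Fine for toy p; for real sizes use the factorisation of p - 1 instead."""
    g %= p
    if g == 0:
        raise ValueError("g must be nonzero mod p")
    x, k = g, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def dh_exchange(g, p, a, b):
    """Honest exchange with private exponents a and b: returns (A, B, secret)."""
    A, B = pow(g, a, p), pow(g, b, p)
    assert pow(B, a, p) == pow(A, b, p)
    return A, B, pow(B, a, p)


def recover_secret_by_enumeration(g, p, A, B):
    """Passive attacker: every public value lies in the subgroup <g>, so a is
    found after at most order(g) trials. If g has order 2 that is two trials,
    however large p is. Returns (a, shared_secret)."""
    for a in range(element_order(g, p)):
        if pow(g, a, p) == A:
            return a, pow(B, a, p)
    raise ValueError("A is not in the subgroup generated by g")


def base_is_acceptable(g, p, q):
    """Domain-parameter check in the style of FIPS 186 / RFC 2631: with q the
    intended prime subgroup order, require 1 < g < p - 1 and g^q = 1 mod p,
    i.e. order exactly q. The same test applied to a received public value
    refuses values confined to a small subgroup."""
    g %= p
    if g <= 1 or g >= p - 1:
        return False
    return pow(g, q, p) == 1


if __name__ == "__main__":
    p, q = 23, 11
    for g in (2, 22):                          # order 11 versus order 2
        A, B, secret = dh_exchange(g, p, a=7, b=9)
        print("g=%d order=%d A=%d B=%d secret=%d acceptable=%s"
              % (g, element_order(g, p), A, B, secret, base_is_acceptable(g, p, q)))
        print("  attacker recovers (a, secret):", recover_secret_by_enumeration(g, p, A, B))
```

With $g = 22 \equiv -1$ the only possible public values and shared secrets are $1$ and $22$, so an eavesdropper needs one guess; with $g = 2$ the attacker still has to search the whole order-11 subgroup, which is only easy here because $p$ is tiny. The same $g^q \bmod p = 1$ test is what standards ask implementations to run on the received public value as well.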

12 votes, 1 answer
Why restrict SHA3 to only two possible capacities?
I just read the presentation slides of John M. Kelsey (from NIST) for his invited talk at CHES 2013 about SHA-3 and learned that NIST is going to standardize Keccak with a possibly modified padding scheme. Ok, so far so good. But what I don't…
sellibitze

11 votes, 2 answers
Is a 1024-bit DSA key considered safe?
I created my PGP key in 2000. I’ve revoked the older, weaker sub-keys in favor of a 4096-bit RSA one, but the primary key is 1024-bit DSA. I read on Wikipedia that…
NIST 800-57 recommends lengths of 2048 for keys with security lifetimes extending…
bdesham

11 votes, 1 answer
CKM_RSA_PKCS vs CKM_RSA_X_509 mechanisms in PKCS#11
What is the exact difference between the CKM_RSA_PKCS and CKM_RSA_X_509 mechanisms in the PKCS#11 v2.20 specification (Please explain with an example)?
Ehsan Khodarahmi
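Worked example, added here and not part of the question, its answer or the PKCS#11 specification text: the two mechanisms expressed as Python over a toy RSA key. CKM_RSA_PKCS applies PKCS#1 v1.5 padding inside the token (block type 01 for sign/verify, block type 02 for encrypt/decrypt; the token does not hash or build the DigestInfo, the caller supplies that as the data). CKM_RSA_X_509 is raw RSA: the input is left-padded with zero bytes to the modulus length and exponentiated as it is, so any padding is the caller's job. The key is constructed from the Mersenne primes 2^89-1 and 2^127-1 (a 216-bit toy modulus, never a real key); the function names are mine, not PKCS#11 API names.

```python
# Added example: CKM_RSA_PKCS (PKCS#1 v1.5 padding done by the token) versus
# CKM_RSA_X_509 (raw RSA, caller pads). Toy key, constructed for the demo.
import os

P, Q = (1 << 89) - 1, (1 << 127) - 1      # Mersenne primes, toy sizes only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))         # modular inverse (Python 3.8+)
K = (N.bit_length() + 7) // 8             # modulus length in bytes (27 here)


def rsa_x509(data, exponent):
    """CKM_RSA_X_509: raw RSA. data is at most K bytes and, as an integer,
    smaller than N; it is zero-extended on the left and the result is
    always exactly K bytes. No padding of any kind is applied."""
    if len(data) > K:
        raise ValueError("input longer than the modulus")
    m = int.from_bytes(data, "big")
    if m >= N:
        raise ValueError("input not smaller than the modulus")
    return pow(m, exponent, N).to_bytes(K, "big")


def pkcs1_v15_pad(data, block_type):
    """EB = 00 || BT || PS || 00 || D with at least 8 bytes of PS:
    0xFF bytes for BT 01 (signatures), random nonzero bytes for BT 02."""
    if len(data) > K - 11:
        raise ValueError("input too long for PKCS#1 v1.5 padding")
    ps_len = K - 3 - len(data)
    if block_type == 1:
        ps = b"\xff" * ps_len
    elif block_type == 2:
        ps = b""
        while len(ps) < ps_len:      # drop zero bytes, they would end PS early
            ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    else:
        raise ValueError("block type must be 1 or 2")
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def pkcs1_v15_unpad(block, block_type):
    """Reverse of pkcs1_v15_pad; raises on a malformed block."""
    if len(block) != K or block[0] != 0 or block[1] != block_type:
        raise ValueError("bad PKCS#1 v1.5 block")
    sep = block.find(b"\x00", 2)
    if sep < 10:                      # PS shorter than 8 bytes or no separator
        raise ValueError("bad PKCS#1 v1.5 block")
    if block_type == 1 and any(b != 0xFF for b in block[2:sep]):
        raise ValueError("bad PKCS#1 v1.5 block")
    return block[sep + 1:]


def ckm_rsa_pkcs_sign(data):
    """C_Sign with CKM_RSA_PKCS: the token pads with BT 01, then raw RSA."""
    return rsa_x509(pkcs1_v15_pad(data, 1), D)


def ckm_rsa_pkcs_verify(data, signature):
    return pkcs1_v15_unpad(rsa_x509(signature, E), 1) == data


def ckm_rsa_pkcs_encrypt(data):
    """C_Encrypt with CKM_RSA_PKCS: BT 02 with fresh random PS, then raw RSA."""
    return rsa_x509(pkcs1_v15_pad(data, 2), E)


def ckm_rsa_pkcs_decrypt(ciphertext):
    return pkcs1_v15_unpad(rsa_x509(ciphertext, D), 2)


if __name__ == "__main__":
    msg = b"toy message"
    print("CKM_RSA_PKCS signature :", ckm_rsa_pkcs_sign(msg).hex())
    print("same via CKM_RSA_X_509 :", rsa_x509(pkcs1_v15_pad(msg, 1), D).hex())
    print("raw RSA of 0x01 is 0x01:", rsa_x509(b"\x01", D).hex())
    print("two PKCS encryptions differ:", ckm_rsa_pkcs_encrypt(msg) != ckm_rsa_pkcs_encrypt(msg))
```

The last two lines of the demo are the practical difference: raw RSA of 1 is 1, raw RSA is deterministic and multiplicative (the ciphertexts of 3 and 5 multiply to the ciphertext of 15), so CKM_RSA_X_509 is only safe when the caller has already applied a proper padding scheme (PKCS#1 v1.5, OAEP or PSS) to the block it passes in; CKM_RSA_PKCS does the v1.5 part for you, which is exactly why the two produce the same signature when the caller pads with block type 01 before using the raw mechanism.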

11 votes, 1 answer
What is the difference between Shor's algorithm for factoring and Shor's algorithm for logarithms?
There is a paper by Peter W. Shor from 1994: Algorithms for Quantum Computation: Discrete Logarithms and Factoring, and I have a question about it and the algorithms presented.
For the integer factoring problem, Shor's algorithm works as a fast…
osgx

11 votes, 2 answers
RSA Private Exponent Generation according to FIPS 186-4 in openssl v1
I guess this is more of a math problem in a cryptography context so I apologize beforehand if it is not the right place to ask. Basically I have to check whether a certain implementation of RSA key-pair generation adheres to FIPS 186-4. More…
Farzad Sadeghi