Most Popular (1500 questions)

11 votes, 4 answers

Which risks are associated with deriving multiple keys from the same DH secret Z?

NIST recommends Krawczyk's HMAC-based key derivation function (HKDF) in SP 800-56C (PDF). HKDF shall, e.g., be used to create keys from shared secrets after Diffie-Hellman key establishment. NIST states in the same doc: Each call to the randomness…
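
As an added example (not part of the question above or of any answer to it), the following Python implements HKDF exactly as RFC 5869 defines it, checks itself against test case 1 from the RFC's appendix, and then shows the usual pattern for getting several keys out of one DH secret Z: a single HKDF-Extract on Z, followed by one HKDF-Expand per key with a distinct `info` label. The secret Z, the salt, and the label strings are constructed for this example and are not values from SP 800-56C or from any protocol.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): OKM = T(1) | T(2) | ..., cut to L bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: L must be <= 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Test case 1 from RFC 5869, appendix A (SHA-256), used to check the implementation.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865",
}


def rfc_vector_ok() -> bool:
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    okm = hkdf_expand(prk, tc["info"], tc["length"])
    return prk.hex() == tc["prk"] and okm.hex() == tc["okm"]


def derive_keys(z: bytes, salt: bytes, labels, length: int = 32) -> dict:
    """Derive one key per label from a single DH shared secret Z.

    Z goes through HKDF-Extract exactly once; every key is then produced by
    HKDF-Expand with a distinct `info` string, so the keys are bound to their
    purpose and no two calls can return the same bytes.  Labels and salt are
    assumptions for this example, not values taken from any standard.
    """
    prk = hkdf_extract(salt, z)
    keys = {}
    for label in labels:
        if label in keys:
            raise ValueError(f"duplicate label {label!r} would yield a duplicate key")
        keys[label] = hkdf_expand(prk, label, length)
    return keys


# Constructed inputs: a fake 32-byte shared secret Z and a fake transcript hash as salt.
Z = bytes.fromhex("aa" * 32)
SALT = hashlib.sha256(b"constructed transcript for this example").digest()
KEYS = derive_keys(Z, SALT, [b"example client enc", b"example server enc", b"example mac"])

if __name__ == "__main__":
    print("RFC 5869 vector:", "ok" if rfc_vector_ok() else "MISMATCH")
    for label, key in KEYS.items():
        print(label.decode(), key.hex())
```

The `info` argument is what keeps the derived keys apart; two Expand calls with the same PRK, label and length return identical bytes, which is why `derive_keys` refuses duplicate labels.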
11 votes, 0 answers

Is there a pen-and-paper way to securely share a secret via public key encryption?

We have several questions tagged pen-and-paper talking about encryption, hashing, signing, etc. but no question asks about exchanging a secret via public key encryption in a secure way. Does any solution exist, which would allow us to exchange a…
e-sushi
11 votes, 0 answers

Decision R-LWE parameters for spherical error with worst-case hardness

In Peikert et al.'s most recent work (STOC 2017) a direct reduction of worst-case lattice problems to decision R-LWE is achieved for $\alpha q \ge 2 \cdot \omega(1)$ (Theorem 6.2), where $\alpha q$ is the Gaussian standard deviation. However, it is…
Daniela
11 votes, 3 answers

Can there be two hash functions without common collisions?

Is there a way to prove/create (or are there known hash functions) two hash functions that never have the same collision? I mean, like provable in way that someone who took one cryptography class in university can prove. For example, I want hash…
kyliod
11 votes, 1 answer

Collision resistance of hash function built on modular exponentiation

Consider the following hash function family for hashing integers: $Gen(1^k)$: generate two $k$-bit primes $p, q$. Let $n = pq$. Choose random $y \rightarrow QR_n$ and output $(n, y)$. $H_{(n,y)}(x) = y^x \bmod n$. My question is: is this hash function collision…
chelsea
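
As an added example (not part of the question above or of any answer to it), the Python below builds an instance of the family $H_{(n,y)}(x) = y^x \bmod n$ on constructed 20-bit primes and shows the two directions of the collision question concretely: whoever knows the factorization of $n$ (hence $\lambda(n)$) collides $x$ with $x + \lambda(n)$ for free, and conversely a difference $x' - x$ that is a universal exponent for $\mathbb{Z}_n^*$ splits $n$ by the standard square-root-of-one trick. The primes, the seed and the base list are assumptions for the example; a real collision only guarantees $y^{x'-x} \equiv 1$ for the base $y$ itself, which the comment in `factor_from_universal_exponent` notes.

```python
import math
import random


def carmichael_lambda(p: int, q: int) -> int:
    """lambda(n) for n = p*q: a^lambda(n) = 1 (mod n) for every a coprime to n."""
    return (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)


def gen_instance(p: int, q: int, rng: random.Random):
    """Gen(1^k) with the primes supplied: n = pq and a random y in QR_n."""
    n = p * q
    while True:
        g = rng.randrange(2, n)
        if math.gcd(g, n) == 1:
            return n, pow(g, 2, n)  # squaring a unit gives a quadratic residue


def H(n: int, y: int, x: int) -> int:
    """H_{(n,y)}(x) = y^x mod n."""
    return pow(y, x, n)


def trapdoor_collision(n: int, y: int, x: int, lam: int):
    """With lambda(n) known, x and x + lambda(n) hash to the same value."""
    x2 = x + lam
    assert H(n, y, x) == H(n, y, x2)
    return x, x2


def factor_from_universal_exponent(n: int, m: int, bases=range(2, 60)):
    """Recover (p, q) from any m > 0 with a^m = 1 (mod n) for every unit a.

    Write m = 2^s * d with d odd and walk a^d, a^(2d), a^(4d), ... mod n.
    The first time a square equals 1 while its root is neither 1 nor n-1,
    the root is a nontrivial square root of 1 and gcd(root - 1, n) splits n.
    An attacker holding a collision (x, x') of H only knows that
    y^(x'-x) = 1, so y itself is the base to use; the trick then succeeds
    with constant probability over the choice of y.  Here m = lambda(n), so
    small integer bases work as well.
    """
    d, s = m, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        if math.gcd(a, n) != 1:
            continue
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s):
            w = pow(v, 2, n)
            if w == 1:
                g = math.gcd(v - 1, n)
                if 1 < g < n:
                    return min(g, n // g), max(g, n // g)
                break
            v = w
    return None


# Constructed instance: two 20-bit primes so everything runs instantly.
P, Q = 1000003, 1000033
LAM = carmichael_lambda(P, Q)
N, Y = gen_instance(P, Q, random.Random(2024))
X1, X2 = trapdoor_collision(N, Y, 123456789, LAM)
RECOVERED = factor_from_universal_exponent(N, X2 - X1)

if __name__ == "__main__":
    print(f"n = {N}, y = {Y}")
    print(f"H({X1}) = H({X2}) = {H(N, Y, X1)}")
    print(f"factors recovered from the collision difference: {RECOVERED}")
```

The two functions together are the usual informal argument for this family: collisions are exactly as hard to find as a multiple of the order of $y$, and knowing the trapdoor makes them trivial.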
11 votes, 2 answers

Real world use cases of Multi-Party Computation

Most of the research papers give imaginary applications of multi-party computation. Either they talk about Yao's millionaires' problem or two or more corporates willing to compute some intrusion detection stuff collectively on their private data…
sashank
11 votes, 1 answer

Why was WEP apparently not reviewed by many cryptographers?

According to this analysis of WEP, These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided. It is my…
Henry Elliott
11 votes, 1 answer

Are pairings still the most efficient implementation for identity and attribute-based encryption?

I read on Wikipedia: [...] pairings have also been used to construct many cryptographic systems for which no other efficient implementation is known, such as identity based encryption or attribute based encryption schemes. Is this still the…
Shalec
11 votes, 3 answers

Is Poly1305 an information-theoretically secure MAC?

I have heard some people say that the Poly1305 authenticator is a "nuclear" MAC i.e. it is information-theoretically secure. After reading the paper I see it is based on the Wegman-Carter MAC which is supposedly the natural authentication pairing…
lightspeeder
11 votes, 1 answer

Is it easy to factorize a number of the form $n = t^{2} \cdotp p$?

Is it easy to factorize a number of the form $n = t^{2} \cdotp p$, where $t$ and $p$ are large primes?
AdveRSAry
11 votes, 1 answer

Why are elliptic curves over a field of characteristic 2 or 3 insecure?

The following is a quotation from my cryptography course: Recent results on the discrete logarithm raise big concerns on the security of elliptic curves over a binary field. What are these results? Also, is characteristic three safe?
user1868607
11 votes, 1 answer

XOR a set of random numbers

Basic question about XOR and entropy - given a set $S$ of pseudo-random numbers in the range $[0,b]$, will XORing them produce a new pseudo-random number in $[0,b]$ or will the operation decrease the entropy? In the case that some numbers in $S$ not…
avive
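
As an added example (not part of the question above or of any answer to it), the Python below computes the exact distribution of the XOR of independent integers instead of simulating it, so the answer to "does XOR keep the number uniform in $[0,b]$?" can be read off directly: for $b = 2^k - 1$ the XOR of uniform values is again uniform on $[0,b]$, and XORing in one independent uniform value makes the result uniform whatever the other inputs are; for a $b$ that is not one less than a power of two (here $b = 5$) the XOR leaves the range and is no longer uniform. The distributions are constructed for this example; the code assumes the inputs are independent, which is exactly the assumption that fails for "pseudo-random" numbers that share state.

```python
from fractions import Fraction
from math import log2


def uniform(b: int) -> dict:
    """Exact distribution of an integer drawn uniformly from [0, b] (inclusive)."""
    return {v: Fraction(1, b + 1) for v in range(b + 1)}


def xor_convolve(p: dict, q: dict) -> dict:
    """Distribution of X xor Y for independent X ~ p and Y ~ q."""
    out = {}
    for a, pa in p.items():
        for c, pc in q.items():
            out[a ^ c] = out.get(a ^ c, Fraction(0)) + pa * pc
    return out


def xor_of_independent(dists) -> dict:
    """Distribution of the XOR of a list of mutually independent variables."""
    acc = {0: Fraction(1)}
    for d in dists:
        acc = xor_convolve(acc, d)
    return acc


def entropy_bits(dist: dict) -> float:
    """Shannon entropy of an exact distribution, in bits."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p)


def is_uniform_on(dist: dict, b: int) -> bool:
    """True iff dist is exactly uniform on [0, b] with no mass outside it."""
    return (set(dist) == set(range(b + 1))
            and all(p == Fraction(1, b + 1) for p in dist.values()))


# b = 7 = 2^3 - 1: XOR of three uniform values stays uniform on [0, 7].
POW2_RESULT = xor_of_independent([uniform(7), uniform(7), uniform(7)])

# b = 5: the XOR of two uniform values on [0, 5] can be 6 or 7, and
# 0 and 1 are more likely (1/6 each) than the other outputs (1/9 each).
NON_POW2_RESULT = xor_of_independent([uniform(5), uniform(5)])

# One independent uniform on [0, 15] acts as a one-time pad for the others:
# the result is uniform even though the second input is heavily biased.
BIASED = {0: Fraction(9, 10), 3: Fraction(1, 10)}
PADDED_RESULT = xor_of_independent([BIASED, uniform(15)])

# The independence assumption matters: a value XORed with itself is always 0,
# so a "set" that repeats the same generator output has zero entropy.
SELF_XOR = {0: Fraction(1)}

if __name__ == "__main__":
    print("uniform on [0,7]?", is_uniform_on(POW2_RESULT, 7), entropy_bits(POW2_RESULT))
    print("b=5 result:", {k: str(v) for k, v in sorted(NON_POW2_RESULT.items())})
    print("biased xor uniform(15) uniform?", is_uniform_on(PADDED_RESULT, 15))
```

Reading the $b = 5$ output: the support grows to $[0, 7]$ and the mass is no longer flat, so the XOR is neither "in $[0,b]$" nor uniform, even though its Shannon entropy is higher than that of a single input.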
11 votes, 2 answers

Why can't they just fix SHA-1 if it's broken?

Presently 160 bits of hash block width seems to provide adequate security against brute force attacks. The recent developments concerning SHA-1 have reduced the effort to force collisions by 5 orders of magnitude according to the latest Wikipedia…
Paul Uszak
11 votes, 1 answer

Does IND-CPA imply PRF?

It is well-known that a pseudorandom function (PRF) can be used to build a CPA-secure symmetric cryptosystem. My question: is a PRF necessary for this, i.e., can one show something like "If there exists an IND-CPA scheme then there exist PRFs?"
Martin Hofmann
11 votes, 1 answer

Should I use SHA256 or Blake2 to checksum and sign scrypt headers?

I use scrypt as a key derivation function (not to store passwords). To pass around the detached key header I use the standard encoding as implemented in Colin Percival's scrypt implementation (scryptenc.c#L224). The original scrypt key header…
RobS