Most Popular

1500 questions
11 votes, 1 answer

Homomorphic (encrypted) comparison to an integer

When working with an additive homomorphic encryption scheme (say Paillier's), is there an efficient way to get the encrypted value of a comparison test to an integer value (I realise that an unencrypted comparison test would make the encryption…
Dave
  • 385
  • 2
  • 11
11 votes, 1 answer

Why are the initial states of hash functions (like SHA-1) often non-zero?

There is already a question asking "Why initialize SHA1 with specific buffer?" and my question follows on from this: Why are the initial states of hash functions often non-zero? For most, I have been able to find a clear explanation of where the…
Cryptographeur
  • 4,317
  • 2
  • 27
  • 40
11 votes, 2 answers

Definition of a CSPRNG

I am interested in what conditions are necessary and sufficient to define a cryptographically secure pseudo-random number generator (CSPRNG). Wikipedia lists two defining characteristics: It satisfies the next-bit test. It withstands 'state…
Dave White
  • 213
  • 1
  • 4
11 votes, 1 answer

Why does only length prepending improve the security of CBC-MAC

I know that length prepending improves security of CBC-MAC. However, wouldn't inserting the length elsewhere (middle, end or any other part of message) be equally good? After all, even the length is processed by the underlying cipher block.
TheRookierLearner
  • 991
  • 1
  • 10
  • 15
11 votes, 3 answers

PBKDF2WithHmacSHA512 Vs. PBKDF2WithHmacSHA1?

I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2-generated hashes, and I'm now trying to decide whether I should use SHA1 or SHA512 as PRF. I'm under the impression that the consensus is that…
Jim
  • 111
  • 1
  • 1
  • 3
11 votes, 1 answer

Can an RSA private key have several public keys?

Ok, so my cryptography lecturer in University posed this question at the end of the RSA key generation lecture as a brain teaser. I have been thinking about this and I think I have come up with a way (I am aware it's not practical and very…
sukhvir
  • 245
  • 1
  • 2
  • 7
11 votes, 1 answer

Proof that IND$-CPA implies IND-CPA?

I've read a few papers recently that used a notion of security called "indistinguishability from random bits/strings" under chosen plaintext attack, also called IND\$-CPA. See e.g.…
J.D.
  • 4,445
  • 16
  • 21
11 votes, 1 answer

What does 'a reduction is tight' mean rigorously?

As far as I know, when someone says 'a reduction is tight', it means that given that there is an adversary $A$ with advantage $\epsilon$ and running time $t$ and another adversary $B$ utilizing $A$ to solve a problem $P$, the advantage and running…
Lee Seungwoo
  • 363
  • 1
  • 8
11 votes, 1 answer

What are the drawbacks of "lightweight crypto"?

Last year I learned about another NIST competition. https://csrc.nist.gov/projects/lightweight-cryptography/finalists And I thought to myself: "why would I continue to use heavyweight cryptography in my desktop and server environments, if we have…
Timur Timak
  • 145
  • 7
11 votes, 3 answers

Is there any way to (irrevocably) *transfer* a private key to another person?

Let's say that Alice is the administrator of a group. For each message generated by a group member, Alice uses an administrator's private key ($sk$) to sign it, indicating that this message has been checked by her. One day, Bob takes over from…
Z. Chen
  • 185
  • 1
  • 6
11 votes, 3 answers

AES CTR with similar IVs and same key

Let's say there is a piece of software that uses AES CTR to encrypt different messages using the same key but with slightly different IVs. So for example, a 16 byte IV, the 2nd 8 bytes are always the same, but the 1st 8 bytes are random. How…
bwbrowning
  • 243
  • 4
  • 7
11 votes, 3 answers

Is If/else vulnerable to timing side-channel attacks?

I have a branching in C++: if (x & 1) { x = function_1(x); } else { x = function_2(x); } If function_1 and function_2 are constant time and it takes the same time to compute them, is such branching still vulnerable to side-channel attacks?…
Tom
  • 1,221
  • 6
  • 16
10 votes, 4 answers

Is there a public key encryption scheme with optimal key size?

Symmetric encryption schemes such as AES have known security levels equal to their key sizes (i.e. breaking an encryption with an $n$ bit key needs about $2^n$ work steps). Elliptic curve encryption gets halfway towards optimal: its security is…
Geoffrey Irving
  • 394
  • 1
  • 11
10 votes, 1 answer

Why is the maximum record size in TLS 1.3 limited to $2^{14}$ bytes?

RFC 8446 limits the maximum data carried within a single TLSv1.3 message to $2^{14}$ bytes, specifically in section 5.1: The record layer fragments information blocks into TLSPlaintext records carrying data in chunks of 2^14 bytes or less. The…
Vlad
  • 111
  • 1
  • 3
10 votes, 2 answers

Will our app be FIPS 140-2 compliant if we use our own AES algorithm implementation?

We are in the process of understanding whether our software application is FIPS 140-2 compliant or not. Currently in our application, we are using our own implementation of the AES algorithm. AES is a FIPS 140-2 compliant algorithm. The question would be…
windfly2006
  • 245
  • 2
  • 8