Most Popular
1500 questions
26
votes
3 answers
What size should the HMAC key be with SHA-256?
I'm trying to generate a secret key to be used for HMAC SHA-256 signature processing. I've seen many samples of keys with variable length from 32 characters to 96 characters.
What is the ironclad rule for this key size?
user30041
26
votes
3 answers
How is the One Time Pad (OTP) perfectly secure?
The Wikipedia entry on One Time Pads (OTPs) states that if this cipher is used properly, i.e., the keys are truly random and each part of the key is independent of every other part, it's uncrackable, and yields perfect secrecy, i.e., $H(M|C) =…
xyz
26
votes
3 answers
Why do block ciphers need a non-linear component (like an S-box)?
Why is there a requirement of "Non-Linear functions" as a component of many popular block ciphers (e.g. the S-box in DES or 3DES)?
How does it make the cipher more secure?
The only intuition I have is that a non-linear function can have many roots…
David
26
votes
4 answers
Attacks of the MAC construction $\mathcal{H}(m\mathbin\|k)$ for common hashes $\mathcal{H}$?
Consider a common practically-collision-resistant hash function $\mathcal{H}$ (e.g. SHA-1, SHA-256, SHA-512, RIPEMD-160), perhaps based on the Merkle–Damgård construction as are the first three. We define a Message Authentication Code…
fgrieu
26
votes
4 answers
How do we know a cryptographic primitive won't suddenly fail?
It took more than a decade from when MD5 looked like it was going to break to the point when it was actually broken. That's more than a decade of warning. One might suspect that we were fortunate that we got all that time. Even so, it took a long…
wlad
26
votes
2 answers
If you hashed a hash an infinite number of times would you end up with a unique hash?
If you took a hashing algorithm, for example MD5, and repeatedly passed the output hash back into the algorithm an arbitrarily large number of times, would you eventually end up with one unique hash?
My idea is that the maximum number of hashes…
AceLewis
26
votes
1 answer
How does ECDH arrive on a shared secret?
I read a brilliant, three part article on Elliptic Curve cryptography (one, two, three). It was able to explain Elliptic Curves to me in a way that didn't require a math degree to understand. The crux of the article is in page two, namely, when…
Eddie
26
votes
4 answers
How Brittle Are LCG-Cracking Techniques?
There are published techniques for cracking LCGs, but to my eye those techniques seem very brittle — very minor changes can add nonlinearity that renders techniques like the LLL algorithm unusable. Or, am I mistaken, are these variations still…
Charphacy
26
votes
2 answers
Is HMAC needed for a SHA-3 based MAC?
HMAC does nested hashing in order to prevent Length Extension Attacks.
Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure…
hl3mukkel
26
votes
3 answers
Proving knowledge of a preimage of a hash without disclosing it?
We consider a public hash function $H$, assumed collision-resistant and preimage-resistant (for both first and second preimage), similar in construction to SHA-1 or SHA-256.
Alice discloses a value $h$, claiming that she (or/and parties she can…
fgrieu
26
votes
2 answers
Why do we use XTS over CTR for disk encryption?
I'm taking Prof. Boneh's crypto class from Coursera, and am unsure on the requirement for XTS mode for disk encryption.
It seems that CTR mode would do exactly what XTS can do, but is simpler to implement? In either mode, I will use the disk sector…
shrek
26
votes
3 answers
What is the ideal cipher model?
What is the ideal cipher model?
What assumptions does it make about a block cipher?
How does it relate to assuming that my block cipher is a pseudo-random permutation (PRP)?
When is the ideal cipher model appropriate to use?
How do I tell…
D.W.
25
votes
3 answers
What does the work "An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor" mean?
In An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor, the author claims they give a polynomial-time quantum algorithm for solving the Bounded Distance Decoding problem with a subexponential…
Eric_Qin
25
votes
4 answers
The exact difference between a permutation and a substitution
I've noticed confusing definitions about permutation and substitution, preventing me from understanding the difference.
A permutation changes the order of distinct elements of a set, but this can be written as a function changing one element by…
Dingo13
25
votes
2 answers
What is the difference between Scrypt and PBKDF2?
After reading these two resources I am wondering whether I am getting all the differences between Scrypt and PBKDF2.
As far as I understood, the similarity is:
both are password-based key derivation functions.
The difference is:
Scrypt is more resource…
Salvador Dali