Questions tagged [attack]
A cryptographic attack attempts, in theory or in practice, to break a security property of a cipher, protocol or algorithm.
470 questions
6 votes, 1 answer, 411 views
3DES Security nowadays
A properly implemented 3DES consists of 3 independent keys.
The brute-force meet-in-the-middle attack with known plaintext/ciphertext is the most effective brute-force method against 3DES, but it ...
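As an added example (not part of the question or of any answer), the meet-in-the-middle attack mentioned above, run against double encryption with a constructed toy 16-bit block cipher and two independent 16-bit keys. The cipher, its key schedule, the sample keys and the plaintexts are all assumptions made for this demonstration. The same key split applied to triple encryption, that is tabulating one side and enumerating the keys on the other side, is why three-key 3DES is credited with roughly 112 bits of security instead of 168.

```python
# Added example: meet-in-the-middle against double encryption with a toy cipher.
# Everything below (cipher, schedule, keys, plaintexts) is constructed for the demo.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 4
KEY_BITS = 16


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def round_keys(key):
    # Toy schedule: rotate the key and mix in a round constant (not a real design).
    return [rotl16(key, (3 * i) % 16) ^ ((0x9E37 * (i + 1)) & 0xFFFF)
            for i in range(ROUNDS + 1)]


def sub_nibbles(x, box):
    return ((box[x >> 12] << 12) | (box[(x >> 8) & 0xF] << 8)
            | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF])


def encrypt(key, block):
    rk = round_keys(key)
    for i in range(ROUNDS):
        block = rotl16(sub_nibbles(block ^ rk[i], SBOX), 5)
    return block ^ rk[ROUNDS]


def decrypt(key, block):
    rk = round_keys(key)
    block ^= rk[ROUNDS]
    for i in reversed(range(ROUNDS)):
        block = sub_nibbles(rotl16(block, 11), INV_SBOX) ^ rk[i]
    return block


def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the given (plaintext, ciphertext) pairs.

    Cost: 2 * 2^KEY_BITS cipher evaluations per pair plus a 2^KEY_BITS-entry table,
    instead of 2^(2*KEY_BITS) evaluations for naive exhaustive search of both keys.
    """
    plaintexts = [p for p, _ in pairs]
    ciphertexts = [c for _, c in pairs]
    middle = {}
    for k1 in range(1 << KEY_BITS):           # forward half: E_k1(P) for every k1
        mid = tuple(encrypt(k1, p) for p in plaintexts)
        middle.setdefault(mid, []).append(k1)
    matches = []
    for k2 in range(1 << KEY_BITS):           # backward half: D_k2(C) for every k2
        probe = tuple(decrypt(k2, c) for c in ciphertexts)
        for k1 in middle.get(probe, ()):
            matches.append((k1, k2))
    return matches


def recover_keys(pairs, match_on=2):
    # One 16-bit pair leaves about 2^32 / 2^16 = 2^16 false (k1, k2) matches, so match
    # on two pairs (32 bits of filtering for 32 bits of key) and confirm survivors on the rest.
    candidates = meet_in_the_middle(pairs[:match_on])
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[match_on:])]


def demo():
    k1, k2 = 0x1234, 0xBEEF                   # constructed secret keys
    plaintexts = [0x0001, 0x0002, 0x0003]     # known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return recover_keys(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

Two things the toy makes visible that the DES numbers hide: the attack needs enough known pairs that the combined block size exceeds the combined key size, otherwise the middle table is flooded with false matches, and the table itself costs 2^k entries of memory, which for real DES is 2^56 entries and is the practical limit on the attack rather than its time.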
1 vote, 1 answer, 66 views
Is it possible to perform a useful Weil descent against an elliptic curve defined over $F_{q^2}$?
Normally a curve using large characteristics is already secure by being prime, but in my case, I saw a system relying on the hardness of the discrete logarithm of an elliptic curve defined over a ...
4 votes, 0 answers, 76 views
Why does sequential encryption for PKEs break IND-CCA but not IND-CPA
In my lecture script there is the following task:
Sequential encryption of multiple messages extends the message set of a PKE from $M$ to $M^*$ (and cipher set to $C^*$).
Prove that this construction ...
0 votes, 1 answer, 61 views
Is a $2^{O(\sqrt{n})}$ algorithm known for deployed discrete logarithm problems?
I know number field sieve algorithms get $2^{O(\sqrt[3]{n\log^2n})}$ time and space for computing discrete logarithms of $\mathbb Z_p^*$.
Are there problems currently deployed where even an attack of $...
2 votes, 1 answer, 120 views
Why are only primal and dual attacks dealt with among the various attacks on LWE?
As we see in https://estimate-all-the-lwe-ntru-schemes.github.io/docs/, only dual and primal attacks are the most important attacks against LWE and NTRU schemes. On the other hand, many attacks such ...
3 votes, 1 answer, 165 views
Where should I perform EMSA-PSS-encoding (apart from the first hashing step) in a remote signing scenario, on client or server?
I would like to set up a remote signing scenario in which
local: on a client a document exists that is to be signed
remote: a private key for signing resides on a server
Furthermore, I would like to ...
2 votes, 0 answers, 63 views
Can we extend the committing security notion to stream cipher?
Consider a stream cipher which takes a key $K$ and an initial vector $IV$ and generates a keystream. Is it possible to construct an attack similar to the notion of context-committing attack, ...
1 vote, 1 answer, 122 views
Is the given Somewhat Homomorphic Encryption over Integers still viable and fast?
In the paper: https://eprint.iacr.org/2009/616.pdf
They talk about a public key SWHE over Integers scheme that is pretty simple (I do not care about the FHE aspect of the paper).
I was wondering if ...
5 votes, 1 answer, 419 views
Attacks exploiting decryption failures in KYBER
I am going through the portion mentioned under the heading Original KYBER analysis inside Section 5.5 titled Attacks exploiting decryption failures.
$${\sf Pr}[\|v\|> k\sigma \sqrt{m}]< k^m e^{\...
3 votes, 1 answer, 168 views
Is EC_POINT_is_on_curve a necessary check when using EC_POINT_mul in openssl?
I'm using EC_POINT_mul in OpenSSL, and I would like to avoid an invalid curve attack. I can see that there is a check for ...
2 votes, 1 answer, 286 views
How to find N and e knowing that e = p and N = p*q?
I've been stuck on this problem for a while, this is a challenge about Symmetric RSA:
We know that
$N = p*q$
$e = p$
$ct = pt^p \bmod N$ (1)
We are given $ct$ (which is the flag encrypted) and 4 ...
3 votes, 1 answer, 226 views
If KCI allows MitM attacks, how are ephemeral exchanges an effective mitigation?
Key Compromise Impersonation (KCI)(0,1) is a failure mode in Authenticated Key Exchanges (AKE) where a client $A$ has their static Diffie-Hellman (DH) identity key pair $(K_{priv}^{A_{ID}}, \space K_{...
0 votes, 1 answer, 157 views
Is MOV attack against ECDLP fundamentally impossible?
The main idea of the MOV attack is to map the EC additive group of order $n$ to a multiplicative group in the finite field extension $p^k$. For this, the groups must have the same order, which fully relies ...
2 votes, 0 answers, 65 views
Trying to understand length recovery attack on EAP-MD5
I'm failing to understand how the length recovery attack works in EAP-MD5 described in this paper on page 6: https://inria.hal.science/hal-01534313/document
I set up ...