Questions tagged as ['algorithm-design']

Design of cryptographic primitives (algorithms), like block ciphers, stream ciphers, random-number generators, hash functions, MACs, key exchanges, public-key encryption or signature schemes. Also tag with the relevant type of primitive. If you ask about a known existing algorithm, also tag with its name.
Score: 5
J. Doe avatar
Can a series of triangle reflections be used for cryptography?
at flag

(I guess no but why is this the case? Any way to make it possible?)

Out of a given equilateral triangle T1 (with his 3 vertices A,B,C lying in a finite Field $\mathbb F_N^D $) another equilateral triangle T2 can get constructed by mirroring one of the 3 vertices at the edge in between the two other vertices. This will be repeated multiple times.

Given just two random triangle T1 and T2 (and $\mathbb F_N^ ...

Score: 1
Hunger Learn avatar
Algorithmic game theory and protocol design for communication
ua flag

There is a field of exchanging information that combines cryptography and game theory. I am interested in understanding this field, but it's a little complex for me. To begin with there is a paper of Barany which shows that instead of having a centralized mechanism of information where a mediator can inform the players about what strategy to follow, the players instead can replace the mediator w ...

Score: 6
ming alex avatar
Can we use LEGO bricks to construct a cipher algorithm?
in flag

I read a paper titled "On the entropy of LEGO", which explains how to calculate the number of ways to combine $n$ $b\times w$ LEGO blocks of the same color. For example, six $2\times4$ bricks have $915103765$ ways to combine. I wonder if could we construct a funny cipher algorithm using LEGO bricks.

Some definitions and symbols:

A $2\times4$ brick $i$ can be defined as: $b_i:=\left( \begin{array}{cc} s_0 ...

Score: 0
MR.-c avatar
BA protocol soundness explanation
in flag

I was reading the following paper BA-made it trivial and when talking about BA agreement protocol in page 3, I didn't understand what it meant by soundness here.

A protocol P is an arbitrary-value (respectively, binary) (n, t)-Byzantine agreement (BA) protocol with soundness σ ∈ (0, 1],

so when is the soundness 1 or 0? or is the soundness true if it follows some rules?

Score: 0
Tom avatar
Is it better to XOR rounds or just to make round by round in cipher?
tf flag

Let's consider we have keyed PRNG's and we want to build a cipher. What is better:

  • to xor let's say ten such generators with some input as a plaintext (every generator got different key, but the same input),
  • make 10 rounds, in which every generator output is new input to the next generator.

We see that usually ciphers have a round design. Is it because this is better?

Score: 0
J. Doe avatar
Besides block-cipher which other methods can only be computed step-by-step even with known secret (but fast per step) and can be inverted?
at flag

Depending at the cryptographic function used applying it $i$-times to a given input can be computed in different complexity classes (based at their input size).

$$f^i(m_0) = c_i$$

For example for most block-cipher it takes (even with knowing the secret key) about $i$ times the time as applying it just once (at least as far as I know). Same for $i$ steps backwards. Finding $m_0$ for given $c_i$ also take ...

Score: 0
J. Doe avatar
How can a concatenation of $N$ block-cipher with known keys be more secure?
at flag

General problem / Intro: encrypting the (computable) relation in between two random numbers which are members of a as small as possible set while anything except the order of execution is known to the adversary.
This question is about solving that problem with a concatenation of block-cipher.


  • we only consider block-cipher which are similar to AES
  • instead of $N$ different block-ci ...
Score: 1
Hash function producing cycles with expected max length
nc flag

Is there a known hash function $H_k: X\to X$ such that: $\forall{x\in{X}},\exists{n\in{\mathbb{N}}}, n<k \land H^n(x)=x$

=== EDIT ===

By hash function I mean that any other way of finding the preimage of $x \in X$ than iterating $H_k$ is computably unfeasible or at least significantly harder.

My motivation is using such a function as sequential POW.

Score: 2
Shweta Aggrawal avatar
How do we pick random elements in cryptography?
us flag

While reading papers on cryptography, a lot of time I have seen that people pick random elements $x\in \mathbb{Z}^*_q$ to do something (like setting secret key and all). How does one randomly pick elements in reality. I mean in practical implementation, what procedure do we follow? Do we use some CSPRNG?

Score: 4
Franartur Čech avatar
What would be the requirements for a new-age cipher standard?
in flag

While nowhere near being broken, AES has known attacks like reading from the substitution table, memory-based attacks, etc.

If we keep getting better at breaking ciphers and we eventually get close to taking AES down, what would (in your opinion) be the requirements for a cipher of an era where even Rijndael isn't safe enough?

I'm talking about:

  • key sizes
  • data sizes
  • design (stream/Feistel/PSN, or s ...
Score: 2
Hash functions, bijectiveness, and entropy
cn flag

For those who don't know, a bijective function is one for which each input yields one and only one output. A block cipher, for example, is guaranteed to be bijective or you could not decrypt.

When a hash function like SHA256 or SHA3 is used with an input the same length as its output, AFAIK this is not or at least should not be bijective. (Is that correct?)

If a hash is not bijective, does this mean ...

Score: 1
DannyNiu avatar
Is it possible to create a Dilithium Prime or Falcon Prime?
vu flag

In the NTRU Prime submission, principle author, the well-known DJB is adamant that

[the] primary objective [of NTRU Prime] is to eliminate unnecessary complications in security review

So much so, to the extent that the idea of pure cyclotomic ring, module, decryption errors, etc. are exterminated from the design.

I think this is good, as NTRU Prime serve as a model alternative to the other design ...

Score: 1
RC6 Integer operations in modulo 32 between two 32-bit blocks
us flag

I am new to cryptography and I am trying to code the RC6 (Rivest cipher 6) algorithm. The algorithm requires addition, subtraction and multiplication in modulo 232. If I am performing these operations between two 32-bit blocks how would this work?

Any help would be appreciated because I can't seem to find any detailed explanation on this which would help me write code on how to execute these operations. ...

Score: 0
Shweta Aggrawal avatar
Is there any link between group signature and multi-signature
us flag

Are both of these concepts related in someway. Can a group signature scheme be transformed into a multi-signature scheme?

Score: 0
Understanding non-linearity in Salsa20 over various rings
ru flag

In his design of Salsa20, Bernstein writes to ensure non-linearity he chose

32-bit addition (breaking linearity over $Z/2$), 32-bit xor (breaking linearity over $Z/2^32), and constant-distance 32-bit rotation (diffusing changes from high bits to low bits).

Can you help me understand this? A linear function is one such that $f(ax+by) = af(x) + bf(y)$. It sounds like whether addition and xor are linea ...

Score: 3
DannyNiu avatar
How are the instantiations of RSAES-OAEP and SHA*WithRSAEncryption different in practice?
vu flag

For the spare-time project I had been working on, I'm evaluating the PKCS#1 padded RSA schemes for implementation.

For PKCS#1 v1.5, encryption doesn't seem to require a hash function, and the signature doesn't need additional mask-generating function (MGF) beyond a digest algorithm for hashing the message.

For PKCS#1 v2.x, both encryption and signature are instantiated with a MGF, a hash function, a ...

Score: 1
Shiasu-sama avatar
Encryption of data with multiple possible decryption keys
bd flag

I'm new to the Cryptography Stack Exchange, so my question might be very naive.

What encryption algorithms are out there that will allow different decryption keys to decrypt the same piece of encrypted data?

For example : If the data that I'm encrypting is just a simple string : "Test"

Then applying the encryption algorithm changes it to this : "532EAABD9574880DBF76B9B8CC00832C20A6EC113D682299550D7A6E0F ...

Score: 1
R1w avatar
Extracting genome from a Ciphertext
tn flag

Is it Probable to extract the ciphertext's genome and Visualizing it ?

Converting this:


To this:

ciphers genome

Encryption is like grinding the meat, once yo ...

Score: 17
Noah avatar
How Unique is a "NeuralHash"?
gn flag

I was doing some reading today about a major tech company planning to implement a new system for automatically detecting and reporting CSAM in users' photos. Overall, the system as described in their 12-page technical summary seems to be designed quite well, and may be as close as you can get to true privacy, while still allowing for content surveillance.

That being said, the hacker in me can't h ...

Score: 3
Mahsa Bastankhah avatar
Recognize whether two random values are raised to the same power
de flag

Alice selects two random numbers from a finite field $Z_p$ : $a$ and $b$.

Bob does one of the two following steps randomly (sometimes he does step 1; sometimes step 2):

  1. He chooses a random number $r$ from $Z_p$ and calculates $a^r\;mod\;p$ and $b^r\;mod\;p$ and gives these two values to Alice
  2. He chooses two different random numbers $r$ and $r'$ from $Z_p$ and calculates $a^r\;mod\;p$ and $b^{r'}\;mo ...
Score: 1
Vshi avatar
How do we say that one cryptographic primitive is stronger than another?
vg flag

Can anyone help me understand this: How do we say that one cryptographic primitive is stronger than another?

Score: 2
DannyNiu avatar
What motivated CCM's monstrous design?
vu flag

The formatting function in Appendix A of NIST-SP-800-38C is a monster enabling CCM to support variable-length nonce from 7-13 bytes, variable-length encoding of the length of the payload. Also, the tag length is encoded in the formatting function making naive truncating of the MAC tag potentially incompatible with ciphertext instances with specific parameters.

The GCM mode and ChaCha20-Poly1305 are much  ...

Score: 0
J. Doe avatar
Are there any block ciphers (like AES) which are (or can be) commutative under composition for different keys?
at flag

Let $BC$ be a block cipher with similar security as AES (in ECB mode). This $BC$ is applied to a message $m$ of same bit size. The result is a cipher $c$.


$$BC(key_A,m) = c_A$$ $$BC(key_B,m) = c_B$$

I'm looking for a $BC$ with: $$BC(key_A,c_B) = c_{BA}$$ $$BC(key_B,c_A) = c_{AB}$$ where $$c_{AB}=c_{BA}$$ but for the majority: $$c_{A}\not=c_{B}$$

Is there any way to construct keys $key_A, k ...

Score: -1
Padding and the MD5 algorithm
cn flag

In MD5, if M=100, how can we perform padding on it and how many blocks are needed in each round?

These are general questions for understanding padding and rounds.

Score: 3
fadedbee avatar
Can you create an encryption algorithm from a signing algorithm, or vice versa?
br flag

I remember reading, a few years ago, that you couldn't prohibit encryption without prohibiting signing, as you can always make a public key encryption algorithm from a signing algorithm.

(It might be that you can always make a signing algorithm from a public key encryption algorithm.)

Furthermore I remember than this operated bitwise, so that each bit needed to be signed in some manner in order to e ...

Score: 1
chang jc avatar
Encryption algorithm by a vectored key and the error is Proportional to the difference between input key and real key
id flag

I want to find an encryption algorithm which provides the functionality described below.

Given a key (a vector Vkey) and a data (an image), use this key to encrypt the image; the encrypted image can not be identified afer encryption.

When decrypt, if:

  1. use a key = Vkey to decrypt, the decoded image is the same as original one without error.
  2. use a key = Vkey_1, and diff(Vkey, Vkey_1) < threshold, ...
Score: 1
Tom avatar
Key stream instead of key schedule
tf flag

Let's consider a block cipher in CTR mode. And let's consider a keyed PRNG or just a good PRNG with a seed as the key. The PRNG has to be very fast.

Is it a good idea to put away the key schedule and do "infinite" key scheduling by generating a keystream? Then every block in the cipher will be encrypted with a different key.

Of course, even a fast PRNG needs some time to generate a few 128 -bit keys ...