# Questions tagged as ['block-cipher']

Look, I know AES-256 is ridiculously secure, but to keep AES secure even after quantum computers, I have a concern.

Using Grover's theorem, AES can be reduced from 256 to 128 bits for a brute-force attack, which is also pretty strong, but I don't want to be limited to it.

Is it (at least in theory) possible to implement AES-512, AES-1024, etc.?

I mean, what's stopping us? Like, for 128-bit AES we use 10 rounds of ...

Is it possible to use HMAC while performing encryption of blocks?

I think that the main problem with the approach would be to get the same output size as the block, from the HMAC function.

Also, the hash function is one-way, so how would one perform the decryption?

Are there any real-world examples for this approach, or is it not feasible?

I have tried to answer this question for quite some time now. But a complete intuitive understanding still eludes me.

Consider an alternate construction for a block cipher without any substitution and permutation network. This block cipher just XORs the message blocks with different keys which are derived from a master key (similar to ECB mode, but with different keys for each message block). If t ...

Suppose we have a block cipher $$E:\{0,1\}^k \times \{0,1\}^{2k} \rightarrow \{0,1\}^{2n} \quad \text{ with } \quad k,n\geq128$$ K is the key generation algorithm that returns a random k-bit key. Let SE = (K,Enc,Dec) be the symmetric encryption scheme with encryption and decryption algorithms as described below in the code. The message input to Enc is an n-bit string, and the ciphertext input ...

I'm new to cryptanalysis and trying to understand differential cryptanalysis. I have read the paper by Howard M. Heys. I understood the concept of differentials, but I'm not able to understand how to calculate the probability of a differential occurring when we don't know any information regarding the S-boxes.

It is given that we give 2 inputs with a difference of, say, $x$ to an S-box and get output ...

What is the principle behind threshold implementation of block ciphers and how is this protecting against side channel attacks?

I noticed that the Wikipedia page for 'block cipher modes of encryption' states, "The disadvantage of this method is a lack of diffusion.", referring to ECB mode for block cipher encryption.

From some reading, ECB takes identical plaintext blocks to identical ciphertext blocks, as long as the key does not change (making it insecure to use in general, as illustrated with the image of Tux the penguin ...

I am a student studying PRP and PRF in school, my prof gave us a thinking question: "Why is a two-round Feistel network **not** a PRF, even while the component function is a PRF?"

I've seen why this is a less-secure encryption, but I'm not sure how being less secure relates to the question that our prof gave us.

Which block cipher mode of operation does TLS 1.3 use? I assume it is a block cipher mode that provides authentication (like GCM).

Depending on the cryptographic function used, applying it $i$ times to a given input can be computed in different complexity classes (based on the input size).

$$f^i(m_0) = c_i$$

For example, for most block ciphers it takes (even knowing the secret key) about $i$ times as long as applying it just once (at least as far as I know). Same for $i$ steps backwards. Finding $m_0$ for a given $c_i$ also take ...

Why is there so little response (e.g. implementation in crypto libraries, programs...) after the end of the CAESAR competition? As far as I can see, there is no shift from AES-GCM to any of the CAESAR algorithms. The response to the Password Hashing Competition, for example, was greater, at least in my perception. Is there a reason for that?

**General problem / Intro**: encrypting the (computable) relation between two random numbers which are members of a set that is as small as possible, while anything except the order of execution is known to the adversary.

This question is about solving that problem with a concatenation of block ciphers.

**Simplification**:

- we only consider block ciphers which are similar to AES
- instead of $N$ different block-ci ...

While implementing RSA encryption/decryption (using Python), the plaintext doesn't match the decrypted ciphertext for large plaintext values. It works fine for smaller plaintext values (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives `1000` as the plaintext, which is correct.

Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...

Block ciphers use self-inverse ($f(f(x)) = x$) operations which are then applied to the plaintext and most likely contain some constants which can be based on a key. To get security, such operations, which interpret the input in different ways, are aligned with each other. This process gets repeated for multiple rounds with different keys. In the optimal case a random input lies inside a closed cycle (if b ...

There are many ways in which the number of active S-boxes of a cipher for one round can be calculated: for example, a manual approach (all possible input differentials are applied to the two plaintexts $P_0, P_1$ and then it is observed what the least number of nonzero S-boxes is that the XOR-sum of the ciphertexts $C_0, C_1$ produces after one round); then there are MILP and other approaches as well.

Now, if there is a c ...

I have a good understanding of stream ciphers and one time pad. I also know the dangers of using the same key in a PRG for a stream cipher.

However, as far as I can tell, the Feistel block cipher uses the same key for every block of plaintext (which is expanded into keys for each round). If this is true, why is this not a problem? Is it because the function F and specifically the S-boxes used are ...

We have a body we want to encrypt using CBC, and we add to that body one block of text known to both sides: `newBody = body + knownBlock`. Now we encrypt `newBody` using a key known to both sides, then we transfer the encrypted text on a wire to person B: `cipherText = encrypt_using_cbc(newBody)`. If person B decrypts the `cipherText` and gets an identical last block, can he trust the data he decrypted (data integrit ...

Suppose that $F:K\times X\rightarrow X$ is a function. If $k\in K$, then let $F_{k}:X\rightarrow X$ be the mapping defined by letting $F_{k}(x)=F(k,x)$ for each $x\in X$. Then we shall call $F$ a block cipher round function if $F_{k}$ is a bijection for each $k\in K$.

The group $\text{Aut}(F)$ is the collection of all pairs $(\phi,\psi)$ such that $\phi\in\text{Sym}(K)$, $\psi\in\text{Sym}(X)$, and

In PCBC mode, one encrypts and decrypts via $$ C_i = E(P_i \oplus P_{i-1} \oplus C_{i-1}) \Longleftrightarrow P_i = D(C_i) \oplus P_{i-1} \oplus C_{i-1} $$ (where $P_0 \oplus C_0 = IV$), which has good error propagation in that modifying any $C_i$ would break the decryption of all $P_j$ where $j \ge i$.

However, there is a bug in that swapping $C_i$ and $C_{i+1}$ *does not* affect the decryption of sub ...

I am trying to understand the key scheduler used in RC6 and I have a total of 3 questions. The RC6 Wikipedia page says that the only difference between the RC5 and RC6 key schedulers is that more words are produced from the key in RC6. In my application, I am using w=32 bits, r=20 rounds and b=16 bytes.

My first question is: are these two separate for loops, or is the second for loop that iterates ...

$n$ is a run-time variable chosen each time the user runs the implementation.

One way I can think of is to use any block cipher, say AES, as a seeded CSPRNG to randomly shuffle the list of numbers $0, 1, \ldots, 2^n-1$. This way I guarantee collision-freeness up to $2^n$ numbers. But this approach is too expensive, as it will require me to swap $2^n$ numbers.

Another way I can think of is to use the block ciphe ...

If we keep the IV secret, does that increase the complexity of finding the correct key? My first thought is that it increases complexity, but in the real world I can see that IVs aren't kept secret. We can assume that we have a reasonable number of plaintext-ciphertext pairs $(x, y)$.

I want to know what the difference is between the key recovery attack and the key extraction attack, especially in white-box cryptography. I guess key recovery is for the black-box setting and key extraction is for the white-box setting.

In some block modes, if we change one bit (or more) in the plaintext, the whole block/ciphertext will be changed (i.e. ECB: the block will be different; CBC: the whole ciphertext will be different). Does encryption in OFB mode diffuse the text? If we change one bit in the plaintext, will more than one bit be changed in the ciphertext?

I am new to cryptography and I am trying to code the RC6 (Rivest Cipher 6) algorithm. The algorithm requires addition, subtraction and multiplication modulo $2^{32}$. If I am performing these operations between two 32-bit blocks, how would this work?

Any help would be appreciated because I can't seem to find any detailed explanation on this which would help me write code on how to execute these operations. ...

I am curious (not technically informed) if the number-to-number cipher is common/useful in cryptography.

Imagine we want to cipher integer `y` to integer `x`. Using a formula like

```
x = 2 * y - 1
```

one can easily decipher by having a few examples of matching `x-y`. The first problem is that the sequence of `y` integers is identical to that of `x`.

Is there a way to cipher integers while the output is a similar inte ...

This is just a casual exploration of what could be effectively the worst possible block cipher, but I think it has some educational value on how ciphers work.

I've been reading about unicity distance and I am interested in a block cipher that has a decent-sized keyspace ($2^8$ or more?) and the smallest unicity distance possible. If the plaintext effectively looks random such that no frequency analysis ...

I have been told to design my own algorithm as a college assignment. What I could come up with was a random cipher. For example:

Suppose my plaintext is: `AND`

So I'll take an array the size of my plaintext and keep on storing random values between 0 and 9.

I will use random values and my array becomes `{3,5,1}`

My encrypted text becomes `DSE`

I have used a random function for generating random valu ...

I know that ECB mode of a block cipher is not recommended as it is not secure and is not even EAV-secure. However, I still don't get how to prove that it is not EAV-secure and what adversary is associated with this insecurity. Any help would be appreciated. Thanks in advance. Edit: I found a similar article here: Proving a scheme's EAV-insecurity, and also figured it out. Thank you for all your ...

**Facts**

Block ciphers are used to build encryption algorithms and compression functions for hash algorithms.

(Unkeyed) permutations also complement block ciphers in encryption and hashing.

Large block sizes are preferred.

**But**

There are embedded/IoT/lightweight systems.

There are still modes of operation defined for 64-bit blocks AND there are still 64-bit block ciphers with key lengths that're ...