# Questions tagged as ['block-cipher']

A block cipher is an encryption algorithm which encrypts fixed-size blocks of plaintext to same-sized blocks of ciphertext. For good ciphers every bit of the ciphertext block depends on every bit of the plaintext block and every bit of the key.
Score: 1
Why can't we have AES512 or more?

Look I know AES256 is ridiculously secure but to keep aes secure even after quantum computers, I have a concern.
Using the Grovers theorem aes can be reduced from 256 to 128 bits for brute force attack which is also pretty strong but I don't want to be limited to it
Is it (atleast in theory) possible to implement aes512, aes1024, etc...
I mean what's stopping us like for 128bit aes we use 10 rounds of ...

Score: 0
Use HMAC for every block encryption operation

Is it possible to use HMAC while performing encryption of blocks?
I think that the main problem with the approach would be to get the same output size as the block, from the HMAC function.
Also, the hash function is one-way, so how would one perform the decryption?
Are there any real-world examples for this approach, or is it not feasible?

Score: 0
What is the need of substitution and permutation networks in AES?

I have tried to answer this question for quite some time now. But a complete intuitive understanding still eludes me.

Consider an alternate construction for a block cipher without any substitution and permutation network. This block cipher just XORs the message blocks with different keys which are derived from a master key(similar to ECB mode but with different keys for each message block). If t ...

Score: 2
What would be an O(n) time adversary for this kind of scheme

Suppose we have a block cipher $$E:\{0,1\}^k \text{ x } \{0,1\}^{2k} \rightarrow \{0,1\}^{2n} \quad \text{ with } \quad k,n\geq128$$ K is the key generation algorithm that returns a random k-bit key. Let SE = (K,Enc,Dec) be the symmetric encryption scheme with encryption and decryption algorithms as described below in the code. The message input to Enc is an n-bit string, and the ciphertext input  ...

Score: 2
How do we find differentials in differential cryptanalysis when we don't the details about the S-boxes

I m new to cryptanalysis and trying to understand differential cryptanalysis. I have read the paper by Howard M. Heys. I understood the concept of differentials but I m not able to understand how to calculate the probability of a differential to occur when we don't know any information regarding the S-boxes.

It is given that, we give 2 inputs with a difference of say, x to an S-box and get output ...

Score: 2
Threshold implementation of ciphers

What is the principle behind threshold implementation of block ciphers and how is this protecting against side channel attacks?

Score: 2
ECB... lacks diffusion(?)

I noticed that the wikipedia page for 'block cipher modes of encryption' states, "The disadvantage of this method is a lack of diffusion.", referring to ECB mode for block cipher encryption.

From some reading, ECB takes identical plaintext blocks to identical ciphertext blocks, as long as the key does not change. (making it insecure to use in general, as illustrated with the image of Tux the penguin ...

Score: 0
Why is a two-round Feistel Network not a PRF?

I am a student studying PRP and PRF in school, my prof gave us a thinking question: "Why is a two-round Feistel network not a PRF, even while the component function is a PRF?"

I've seen that why this is a less-secure encryption but not sure how less-secure related to the question that prof gave us.

Score: 2
Which block cipher mode of operation does TLS 1.3 use?

Which block cipher mode of operation does TLS 1.3 use? I assume it is a block cipher mode that provides authentication (like GCM).

Score: 0
Besides block-cipher which other methods can only be computed step-by-step even with known secret (but fast per step) and can be inverted?

Depending at the cryptographic function used applying it $$i$$-times to a given input can be computed in different complexity classes (based at their input size).

$$f^i(m_0) = c_i$$

For example for most block-cipher it takes (even with knowing the secret key) about $$i$$ times the time as applying it just once (at least as far as I know). Same for $$i$$ steps backwards. Finding $$m_0$$ for given $$c_i$$ also take ...

Score: 4
Lack of response to CAESAR competition

Why is there so little response (e.g. implementation in crypto libraries, programs...) after the end of the CAESAR competition? As far as I can see, there is no shift from AES-GCM to any of the CAESAR algorithms. The response to the Password Hashing Competition, for example, was greater, at least in my perception. Is there a reason for that?

Score: 0
How can a concatenation of $N$ block-cipher with known keys be more secure?

General problem / Intro: encrypting the (computable) relation in between two random numbers which are members of a as small as possible set while anything except the order of execution is known to the adversary.
This question is about solving that problem with a concatenation of block-cipher.

Simplification:

• we only consider block-cipher which are similar to AES
• instead of $$N$$ different block-ci ...
Score: 0
RSA implementation not working with large values for plaintext

While implementing RSA encryption/decryption (using python), the plaintext doesn't match with the decrypted ciphertext for large values of plaintext. Works fine for smaller values for plaintext (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives 1000 as the plaintext, which is correct. Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...

Score: 1
Can a block-cipher considered secure if a bit-change of the input leads to a 50% chance change for every single output bit? -> round number?

Block-cipher use self-inverse ($$f(f(x)) = x$$) operations which then will be applied to the plaintext and most likely contain some constants which can be based at a key. To get security such operations which interpret the input in different ways are aligned to each other. This process gets repeated multiple rounds with different keys. In optimal case a random input lies inside a closed cycle (if b ...

Score: 0
Calculate number of active S-boxes for a cipher where one word observes multiple times overlapped S-box substitution in a single encryption round

There are many ways in which the number of active sboxes of a cipher for one round can be calculated. Like, a manual approach (all possible input differential are applied in the two plaintexts $$P_0, P_1$$ and then it is observed what is the least amount of nonzero S-box that the xor-sum of the cipher $$C_0, C_1$$ produces, after one round), then MILP and other approaches are also there.

Now, if there is a c ...

Score: 2
Why key reuse is not an issue in a Feistel cipher?

I have a good understanding of stream ciphers and one time pad. I also know the dangers of using the same key in a PRG for a stream cipher.

However as far as I can tell, the Feistel block cipher uses the same key for every block of plain text (which is expanded into keys for each round). If this is true, why is this not a problem? Is it because the function F and specifically the S boxes used are ...

Score: 1
Integrity while using CBC

We have a body we want to encrypt using CBC, and we add to that body one block of known text to both sides. newBody = body + knownBlock now we encrypt newBody using a key known to both sides, then we transfer the encrypted text on a wire to person B. cipherText = encrypt_using_cbc(newBody) If person b decrypts the cipherText and get identical last block, can he trust the data he decrypted (data integrit ...

Score: 2
Have the automorphism groups of block ciphers like the different version of the AES or DES been calculated?

Suppose that $$F:K\times X\rightarrow X$$ is a function. If $$k\in K$$, then let $$F_{k}:X\rightarrow X$$ be the mapping defined by letting $$F_{k}(x)=F(k,x)$$ for each $$x\in X$$. Then we shall call $$F$$ a block cipher round function if $$F_{k}$$ is a bijection for each $$k\in K$$.

The group $$\text{Aut}(F)$$ is the collection of all pairs $$(\phi,\psi)$$ such that $$\phi\in\text{Sym}(K)$$, $$\psi\in\text{Sym}(X)$$, and

Score: 1
"Fixing" PCBC mode?

In PCBC mode, one encrypts and decrypts via $$C_i = E(P_i \oplus P_{i-1} \oplus C_{i-1}) \Longleftrightarrow P_i = D(C_i) \oplus P_{i-1} \oplus C_{i-1}$$ (where $$P_0 \oplus C_0 = IV$$), which has good error propagation in that modifying any $$C_i$$ would break the decryption of all $$P_j$$ where $$j \ge i$$.

However, there is a bug in that swapping $$C_i$$ and $$C_{i+1}$$ does not affect the decryption of sub ...

Score: 1
Rivest Cipher 6 (RC6) Key Scheduler

I am trying to understand the Key Scheduler used in RC6 and I have a total of 3 questions. The RC6 Wikipedia page says that the only difference between the RC5 and RC6 key scheduler is that more words are produced from the key in RC6. In my application, I am using w=32bits, r=20rounds and b=16bytes.

My first question is are these are two separate for loops or is the second for loop that iterates  ...

Score: 1
Are there on-line ways to use a block cipher to generate unique $n$ bits that guarantee collision-freeness for $2^n$ times?

$$n$$ is a run-time variable chosen each time the user runs the implementation.

One way I can think is to use any block cipher, say AES, as a seeded CSPRNG to randomly shuffle list of numbers $$0, 1, \ldots, 2^n-1$$. This way I guarantee collision-freeness up to $$2^n$$ numbers. But this approach is too expensive as it will require me to swap $$2^n$$ numbers.

Another way I can think of is to use the block ciphe ...

Score: 1
Does keeping the IV secret in OFB mode makes brute-force more complex?

If we keep the IV secret, does that increase the complexity of finding the correct key? My first thought is that it increases complexity, but in real world, I can see that IV's aren't kept secret. We can assume that we have reasonable amount pairs of (x,y) plaintext-ciphertext.

Score: 0
key recovery attack vs key extraction attack

I want to know what is the difference between the Key Recovery Attack and the Key Extraction Attack, especially in WhiteBox Cryptography? I guess key recovery is for the BlackBox and key extraction is for the WhiteBox.

Score: 0
does OFB mode has diffusion on the plaintext?

In some block modes, if we change one bit (or more) in the plaintext, the whole block\ciphertext will be changed (i.e ecb: block will be different. cbc: whole ciphertext will be different) Does encryption in OFB mode will defuse the text? if we will change one bit in the plaintext, more than one bit will be changed in the ciphertext ?

Score: 1
RC6 Integer operations in modulo 32 between two 32-bit blocks

I am new to cryptography and I am trying to code the RC6 (Rivest cipher 6) algorithm. The algorithm requires addition, subtraction and multiplication in modulo 232. If I am performing these operations between two 32-bit blocks how would this work?

Any help would be appreciated because I can't seem to find any detailed explanation on this which would help me write code on how to execute these operations. ...

Score: 0
Any number-to-number cipher?

I am curious (not technically informed) if the number-to-number cipher is common/useful in cryptography.

Imagine, we want to cipher integer y to integer x. Using a formula like

x = 2 * y - 1


one can easily decipher by having a few examples of matching x-y. The first problem is that the sequence of y integers is identical to that of x.

Is there a way to cipher integers while the output is a similar inte ...

Score: 0
What is the easiest encryption/cipher to brute force?

This is just a casual exploration of what could be effectively the worst possible block cipher, but I think it has some educational value on how ciphers work.

I've been reading about unicity distance and I am interested in a block cipher that has a decent-sized keyspace (2^8 or more?) that has the smallest unicity distance possible. If the plaintext effectively looks random such that no frequency analysis ...

Score: 0

I have been told to design my own algorithm as a college assignment. What I could have come up with was a random cipher. For example:

Suppose my plaintext is: AND

So I'll take an array the size of my plaintext and keep on storing random values between 0 to 9.

I will use random values and my array becomes {3,5,1}

My encrypted text becomes DSE

I have used a random function for generating random valu ...

Score: 0
Prove that ECB-mode of a block cipher is not EAV-secure

I know that ECB-mode of block cipher is not recommended to use as it is not secure and is not even EAV-secure. However, I still don't get how to prove that it is not EAV-secure and what adversary is associated with this insecurity? Any help would be appreciated. Thanks in advance. Edited: I found a similar article here: Proving a scheme's EAV-insecurity, and also figured it out. Thank you for all your ...

Score: 1
Are blockciphers with 64-bit blocks still relevant (in any scenario)?

Facts

1. Blockciphers are used to build encryption algorithms and compression functions for hash algorithms.

2. (Unkeyed) Permutations are also complementing blockciphers in encryption and hashing.

3. Large block sizes are preferred.

4. But There are embedded/IoT/lightweight systems.

5. There are still mode of operations defined for 64-bit blocks AND there are still 64-bit blockciphers with key lengths that're ...