# Questions tagged as ['hash-signature']

Signature schemes built out of and based on properties of hash functions. **DO NOT USE THIS TAG** if the signature is based on other hard problems and just happen to employ a hash function.
Score: 3
What hash based digital signature algorithms exist that have reasonably small signature sizes?

What hash based digital signature algorithms exist that have reasonably small signature sizes?

• By reasonably small, I mean not much bigger than what you would get with a 256-bit ECDSA (which I believe has a signature of about 64 bytes). If nothing close exists, then what's the smallest signature size I can get?

• I want 128 bit security or better (although its not a hard requirement).

• I will be si ...

Score: 0
Decrypt one cipher with multiple and independent passwords

Consider that an online shop subscribes an embedded external service for their customers. This external webpage is accessible through a clickable banner on the online shop.

On the subscription area of this external service, the registration form asks about the base url domains where the banner will be published:

companya.com
companyb.org
companyc.net


The purpose is to create a query string dynamically f ...

Score: 1
How is a keyImage linked to a ring signature?

I'm trying to understand the concept of ring signatures. So as it seems there is a way where you have a group of public keys which can be signed by only one private key of that group without revealing which private key was actually used. On the other hand you have a keyImage to prevent a double spend, so that the observer can be sure that this specific private key was not used yet.

What I don't g ...

Score: 4
Is $H(k || m) \oplus k$ secure?

It is known that $$H(k || m)$$ (when using SHA1) is an insecure MAC function since it is vulnerable to hash length extension.

But what about $$H(k || m) \oplus k$$? A normal hash length extension seems to be impossible now. Even if the same key is used several times, I see no problem as long as the output of $$H$$ is random enough. Am I right?

Score: 1
Hash function collision importance

Suppose a collision has been found in a certain hash function, such that H(x1) = H(x2)

However, x1 and x2 are both a seemingly 'random' collection of bits which do not convey a coherent message, and cannot be interperted in a coherent way.

Does this collision make the hash function H not secure? if so how can it be exploited, even if the known collision doesn't convey a coherent message? thanks

...
Score: -2
Problem understanding the difference between passphrase and keyfiles

Ok, so I have read a few different articles on subject and am maybe just just having problems understanding the point of view from the program I am using or maybe not IDK. Anyhow, ill get into it. The difference between a passphrase and a keyfile from my Ex. --> So in EncryptPad there are a couple icons at the top of the program. One is a lock or if you just click save on the document it will ask  ...

Score: 10
Why is SHA3 more secure than SHA2?

Why are SHA3 algorithms considered more secure than their SHA2 counterparts? Surely in part, it is due to their resistance to length extension attacks. But specifically, when considering collision resistance they have the same O(n) attack times.

Is it because they are more resistant to preimage attacks?

Score: 0
Can we use symmetric/hashing functions to sign messsages as a quantum-proof replacement of public-private key signing?

Public-private key signing generally works like this:

1. I announce my pubic key.
2. I encrypt something with my private key.
3. If people managed to decrypt (2) with (1) then (2) is from the owner of (1).
4. People then can encrypt things to me using the public key in (1).

Signing can also be done using hashing or symmetric cipher algorithms, but the verification happens when the person publishes his old r ...

Score: 0
How to do the WOTS checksum

As far as I understand, the Winternitz one-time signature is made by:

1. Making an array of private keys.
2. Making an array of public keys by hashing each private key X times, X being the number of different possibilities of characters that can appear in each position of the message (or the hash of the message) to verify.
3. Making an array of hashes as signature by hashing each private key X minus "the charac ...
Score: 0
How many valid signatures can the same message have using ElGamal?

I know that messages in ElGamal are not deterministic, so a message can have more than one valid signature. But is the number of valid subscriptions infinite?

Score: 3
Making WOTS+ public keys shorter

In WOTS+ — as described in section 3 of RFC 8391 — public keys, private keys and signatures all consist of $$len$$ strings with $$n$$ bytes each, where $$len, n \in \mathbb{N}$$. Is it safe to use the hash of the concatenation of all $$len$$ strings as a short public key? Since you just need the message and the signature to compute the (long) public key, the process would be exactly as described in sectio ...

Score: 2
Are my calculations about WOTS parameters correct?

I'm reading the WOTS+ paper, but I'm having some trouble with its notation and specially the involved units. For example, under my interpretation, the parameters n=11, w=16 and m=256 result in a quantum security level of about 81 bits, with a 992 bytes signature length, but that looks incorrect.

To the best of my knowledge, I've made the following script to output public key and signature lengths, and ...

Score: 2
How do I construct the Fn family of functions of WOTS+ using SHA3?

From the WOTS+ paper:

Furthermore, W-OTS+ uses a family of functions Fn : {f_k : {0, 1}^n → {0, 1}^n | k ∈ Kn} with key space Kn. The reader might think of it as a cryptographic hash function family that is non-compressing. Using Fn we define the following chaining function.

I do not understand the meaning of this paragraph. My interpretation of it is that I need a family of n n-bit pseudoran ...

Score: 3
Is NOTS a valid one time signature scheme?

I've just learn about NOTS, a quantum-resistant signature scheme based on hash functions that claims to have much shorter signature and key sizes. Is this signature scheme known to be secure? From looking at the paper, I'm suspicious about the way it uses modulus of indices (couldn't an adversary just generate a hash with the same char counts?). Is it legit?

Score: 0
Algorithm to validate 1 of N inputs is part of output hash

Is there an algorithm that allows proofing that an input x1 was used as 1 out of N inputs to create an output hash y, without knowing the other inputs?

I.e. if there are 5 users providing an input hash for example, can we create an output hash that allows each individual user to verify his input was part of the inputs without him needing to know all other inputs?

(it's ok to learn all inputs during the  ...

Score: 0
Two Different Ciphers with Same MD5

I was wondering if someone could help explain md5 collision abit better. I found this resource: https://www.mscs.dal.ca/~selinger/md5collision/ where they provided an example of where two cipher texts have the same md5. I tried to confirm that their example was correct but when I input their examples into a md5 calculator, I get two different md5s for the two different cipher text. What am I doing ...

Score: 0
How secure is AES 256bitkey generated from PBKDF2

I am using CryptoJS AES 256 encryption:

CryptoJS.AES.encrypt(realData, generateKey(passphrase), {iv: iv});


The secret is generated through:

function generateKey(passphrase) {
const salt = CryptoJS.lib.WordArray.random(128 / 8);
const key256Bits = CryptoJS.PBKDF2(passphrase, salt, {
keySize: 256 / 32,
iterations: randomNumber,
});

return key256Bits;
}


Im new to this and wondering  ...

Score: 0
Can Merkle signatures be leveraged for key exchange?

A Merkle signature scheme is post-quantum-suitable as it relies only on the security of a one-way function. However, this construction seems to only be capable of authentication, and not confidentiality.

Is there any cryptographic protocol enabling key exchange via a Merkle scheme -- that is, without relying on weaker assumptions that might be broken by future cryptographers with a quantum compute ...