User DannyNiu - Cryptography Stack Exchange

15 votes

2 answers

7k views

How reassuring is 64-bit (in)security?

asked Oct 28, 2018 at 12:03

10 votes

2 answers

1k views

Functional difference between stream cipher, XOF, seed expander, KDF, etc

asked Feb 8, 2018 at 4:09

10 votes

1 answer

522 views

Sponge with PRF instead of PRP

asked Dec 6, 2019 at 8:34

10 votes

3 answers

716 views

How to implement arbitrary s-box in a side-channel-free way in C?

asked Jul 20, 2020 at 12:31

9 votes

4 answers

2k views

80-bit collision resistance because of 80-bit x87 registers?

asked Feb 21, 2019 at 8:22

7 votes

2 answers

753 views

Will a SHAKE128 stream cipher be vulnerable to related key attacks?

asked Aug 17, 2016 at 7:36

6 votes

1 answer

317 views

What's the current status of development of hedged ECDSA and EdDSA?

asked May 16, 2023 at 1:05

5 votes

1 answer

976 views

How to build disk encryption system using forward permutations like Gimli?

asked Aug 19, 2017 at 12:28

5 votes

1 answer

362 views

How difficult is inverting a non-square matrix?

asked Sep 15, 2017 at 3:12

5 votes

3 answers

1k views

Anti-spamming hash-based proof-of-work?

asked Dec 11, 2017 at 1:57

5 votes

2 answers

506 views

Recommendation of lightweight RNG for Miller-Rabin primality test

asked Feb 15, 2021 at 7:27

4 votes

1 answer

149 views

Did the formalization of PKCS#1 RSA key formats come before or after X.509?

asked Feb 11, 2021 at 7:08

4 votes

1 answer

316 views

Can modular exponentiation with a public index be considered a secure permutation?

asked Jun 25, 2021 at 8:13

4 votes

1 answer

2k views

What is/was SEC#1 ECC public key leading octet 0x01 for?

asked Nov 13, 2021 at 11:48

4 votes

1 answer

280 views

Is there any "exception-free" coordinates system for Weierstrass curves?

asked Jan 14, 2022 at 9:13

4 votes

2 answers

347 views

(Impossibility of?) Associative Pseudorandom Permutation

asked Sep 16, 2017 at 4:26

4 votes

2 answers

5k views

Any point using CMAC with AES-256?

asked Dec 22, 2018 at 14:31

4 votes

3 answers

2k views

What are the benefits of using AEAD algorithms as MAC

asked Jul 7, 2020 at 5:08

4 votes

1 answer

243 views

What non-trivial benefit does including a "context"/"signer info" provide in SM2-DSS and EdDSA?

asked May 4, 2022 at 2:22

4 votes

1 answer

382 views

Is low Hamming weight problem comparably difficult as SIS?

asked Nov 3, 2025 at 13:12

3 votes

1 answer

138 views

Linearization attack on group with automorphism

asked Apr 10, 2022 at 2:31

3 votes

1 answer

460 views

Why in authenticated encryptions do we need separate keys for cipher and MAC?

asked Apr 4, 2023 at 4:01

3 votes

1 answer

419 views

Kyber-CCA-KEM - Deterministic implicit rejection

asked Aug 11, 2023 at 9:38

3 votes

1 answer

130 views

Why do COSE and JOSE use their own format for SEC#1 and PKCS#1 keys?

asked Apr 10, 2025 at 14:30

3 votes

2 answers

2k views

Can I get away with generating 512-bit k (and d) for ECDSA based on P-521?

asked Feb 23, 2022 at 7:54

3 votes

0 answers

136 views

Why is WalnutDSA specified for COSE?

asked Dec 23, 2021 at 2:31

3 votes

2 answers

969 views

How are the instantiations of RSAES-OAEP and SHA*WithRSAEncryption different in practice?

asked Aug 17, 2021 at 7:00

3 votes

1 answer

72 views

Is there any advantage using this kind of ROM-based randomized hashing in digital signatures?

asked Mar 18, 2021 at 6:39

3 votes

1 answer

946 views

Lattice reduction question regarding the capability of LLL and BKZ

asked Oct 4, 2020 at 4:18

3 votes

0 answers

229 views

Does the security proof of HMAC somehow change if it's instantiated with sponge-based hash functions with small rate and large capacity?

asked Dec 1, 2020 at 5:00

Stack Exchange Network

93 Questions

How reassuring is 64-bit (in)security?

Functional difference between stream cipher, XOF, seed expander, KDF, etc

Sponge with PRF instead of PRP

How to implement arbitrary s-box in a side-channel-free way in C?

80-bit collision resistance because of 80-bit x87 registers?

Will a SHAKE128 stream cipher be vulnerable to related key attacks?

What's the current status of development of hedged ECDSA and EdDSA?

How to build disk encryption system using forward permutations like Gimli?

How difficult is inverting a non-square matrix?

Anti-spamming hash-based proof-of-work?

Recommendation of lightweight RNG for Miller-Rabin primality test

Did the formalization of PKCS#1 RSA key formats come before or after X.509?

Can modular exponentiation with a public index be considered a secure permutation?

What is/was SEC#1 ECC public key leading octet 0x01 for?

Is there any "exception-free" coordinates system for Weierstrass curves?

(Impossibility of?) Associative Pseudorandom Permutation

Any point using CMAC with AES-256?

What are the benefits of using AEAD algorithms as MAC

What non-trivial benefit does including a "context"/"signer info" provide in SM2-DSS and EdDSA?

Is low Hamming weight problem comparably difficult as SIS?

Linearization attack on group with automorphism

Why in authenticated encryptions do we need separate keys for cipher and MAC?

Kyber-CCA-KEM - Deterministic implicit rejection

Why do COSE and JOSE use their own format for SEC#1 and PKCS#1 keys?

Can I get away with generating 512-bit k (and d) for ECDSA based on P-521?

Why is WalnutDSA specified for COSE?

How are the instantiations of RSAES-OAEP and SHA*WithRSAEncryption different in practice?

Is there any advantage using this kind of ROM-based randomized hashing in digital signatures?

Lattice reduction question regarding the capability of LLL and BKZ

Does the security proof of HMAC somehow change if it's instantiated with sponge-based hash functions with small rate and large capacity?