Latest Crypto related questions

Score: 0
Simple Key Exchange, One Server

I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.

However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adver ...

Score: 0
Does the signature length of RS256 depend on the size of the RSA key used for signing?

The following NodeJS code, when run (v16.8.0), logs 512 to stdout.

const crypto = require("crypto");
const { privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 4096,
});
const sign = crypto.createSign("RSA-SHA256").update("somestringtosign");
const signature = sign.sign(privateKey);
console.log(signature.length); // logs 512

If I change the modulus length to 2048, then 256 is logged  ...

Score: 2
Size of group elements in a bilinear context

In an asymmetric pairing context, what size (in bits) should the elements of $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ have if we consider the most efficient elliptic curves?

Score: 1
What is the meaning of $F_{p^k}$ and the elliptic curve over it, $E(F_{p^k})$?

In pairing based cryptography, there will be the finite field $F_{p^k}$ where $p$ is prime number and $k$ is an integer. The elliptic curve is constructed on that finite field as $E(F_{p^k})$.

For example, let $E$ be an elliptic curve $Y^2 = X^3 + aX + b $ over $ F_{q^k}$. What is the meaning of $ F_{q^k}$ here? I only understand prime fields ($F_q$ where q is a prime number).
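As an added worked example for the case $k = 2$ (this is not part of the question or of any answer on the page): $F_{q^2}$ is built from $F_q$ the way $\mathbb{C}$ is built from $\mathbb{R}$, by adjoining a root of an irreducible polynomial. Take $q = 7$. Since $7 \equiv 3 \pmod 4$, $-1$ is not a square modulo 7, so $x^2 + 1$ is irreducible over $F_7$ and

$$F_{7^2} = F_7[i]/(i^2 + 1) = \{\, a + b\,i : a, b \in F_7 \,\}, \qquad i^2 = -1 = 6,$$

a field with $7^2 = 49$ elements; addition and multiplication are polynomial arithmetic with coefficients reduced mod 7 and $i^2$ replaced by $6$. Now take the curve $E: Y^2 = X^3 + 1$ (so $a = 0$, $b = 1$). The value $X = i$ is not in $F_7$, but

$$X^3 + 1 = i^3 + 1 = -i + 1 = 1 + 6i, \qquad (3 + i)^2 = 9 + 6i + i^2 = 8 + 6i = 1 + 6i,$$

so $(i,\; 3 + i)$ is a point of $E(F_{7^2})$ that is not a point of $E(F_7)$. In general $E(F_{q^k})$ is the set of solutions $(X, Y)$ with both coordinates in the extension field $F_{q^k}$, together with the point at infinity; $E(F_q) \subseteq E(F_{q^k})$ because $F_q \subseteq F_{q^k}$. In pairing-based cryptography the embedding degree $k$ is the smallest integer with $r \mid q^k - 1$, where $r$ is the order of the subgroup in use, so that $F_{q^k}$ contains the $r$-th roots of unity in which the pairing takes its values.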

Score: 2
What would be an O(n) time adversary for this kind of scheme

Suppose we have a block cipher $$E:\{0,1\}^k \times \{0,1\}^{2k} \rightarrow \{0,1\}^{2n} \quad \text{ with } \quad k,n\geq128$$ K is the key generation algorithm that returns a random k-bit key. Let SE = (K,Enc,Dec) be the symmetric encryption scheme with encryption and decryption algorithms as described below in the code. The message input to Enc is an n-bit string, and the ciphertext input  ...

Score: 2
Proving a derived MAC is secure via reduction

I don't have a very specific question, but reductions have been a weaker suit of mine and I was wondering if there is a secure MAC scheme, and a derived MAC' that uses MAC but modifies it in some way, how could you prove that MAC' is secure via reduction? I know how to do reductions for PRGs and PRFs, but not sure how to use it for MACs. I don't have a concrete example, but a walkthrough of the general  ...

Score: 1
What does a deterministic MAC actually mean?

Does a MAC that's deterministic mean it uses a PRF? Thanks for the help!

Score: 1
Can the salt be derived based on the other components of encrypted data?

I'm using python.cryptography's Fernet with PBKDF2 passphrase hashing to encrypt a piece of data (the value) that is stored, encrypted, in a database. The hashed passphrase is not stored in the database, and for that reason neither is the salt. Instead, the salt comes from a password vault in the application's runtime environment, and then modified to make it unique per value.

One question I hav ...

Score: 0
Question about obtaining a keystream from a linear-feedback shift register

For a homework question we are obtaining a keystream from an LFSR and I am slightly confused about which digits are used as the key.

For example I have this table here,

b5 → b4 + b1
t   B5  B4  B3  B2  B1
1   1   0   1   0   1
2   1   1   0   1   0
3   1   1   1   0   1
4   0   1   1   1   0
5   1   0   1   1   1
6   1   1   0   1   1
7   0   1   1   0   1
8   0   0   1   1   0
9   0   0   0   1   1
10  ...
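As an added example (not code from the question): a simulator for the register in the table, whose feedback rule is b5 ← b4 + b1 with addition mod 2, checked against the nine rows shown. It assumes, as is the usual convention for this kind of register, that the keystream is the bit that leaves stage B1 on each clock; the question does not say so, and that assumption is the only thing added here beyond the table.

```javascript
// Added example: 5-stage LFSR with feedback b5 <- b4 + b1 (XOR).
// State is [B5, B4, B3, B2, B1]; the keystream is assumed to be the B1 bit
// that is shifted out on each clock.

// One clock: the new B5 is B4 XOR B1, every other stage takes its left neighbour.
function step(state) {
  const [b5, b4, b3, b2, b1] = state;
  return [b4 ^ b1, b5, b4, b3, b2];
}

// Clock the register `rows` times from `initial`, returning the states visited
// (rows of the table) and the keystream read off stage B1 at each row.
function run(initial, rows) {
  const states = [];
  const keystream = [];
  let s = initial;
  for (let t = 0; t < rows; t++) {
    states.push(s);
    keystream.push(s[4]); // B1 is the rightmost column
    s = step(s);
  }
  return { states, keystream };
}

// Number of clocks until the register returns to `initial` (its period).
function period(initial) {
  let s = step(initial);
  let n = 1;
  while (s.join("") !== initial.join("")) {
    s = step(s);
    n++;
  }
  return n;
}

// Rows t = 1..9 copied from the table in the question, used as a check.
const TABLE = [
  [1, 0, 1, 0, 1], [1, 1, 0, 1, 0], [1, 1, 1, 0, 1], [0, 1, 1, 1, 0], [1, 0, 1, 1, 1],
  [1, 1, 0, 1, 1], [0, 1, 1, 0, 1], [0, 0, 1, 1, 0], [0, 0, 0, 1, 1],
];

// True when the simulation reproduces every row of the table.
function matchesTable() {
  const { states } = run(TABLE[0], TABLE.length);
  return states.every((s, i) => s.join("") === TABLE[i].join(""));
}

// XOR a message bit string with the keystream from the given initial state.
function xorWithKeystream(bits, initial) {
  const { keystream } = run(initial, bits.length);
  return bits.map((b, i) => b ^ keystream[i]);
}
```

The recurrence behind this register is a_n = a_{n-2} + a_{n-5}, whose characteristic polynomial x^5 + x^3 + 1 is primitive over GF(2), so every nonzero state has period 31. A register of length L is also fully recovered by the Berlekamp-Massey algorithm from any 2L consecutive keystream bits (10 here), which is why a bare LFSR is never used as a cipher on its own but only as a component behind a nonlinear filter or combiner.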
Score: 0
Are all public keys a result of computing g^k mod p

I just read through the textbook definition of Diffie–Hellman key exchange. And from what I understand, the public key that is shared based on the protocol is calculated from:

g^k mod p

where g is a generator in the multiplicative group, and p is a large prime and k is the private key.

My question is, are all public/private key generated to have this relationship? Or this way of generating the pu ...

Score: 0
Using GP/PARI how would you solve this randomised Elgamal question?

I know how to solve this question manually, but I don't know how to solve it using the program gp/pari. It is based on randomised Elgamal

Let p = 739. Given the following ciphertext of some message m1 encrypted using randomized Elgamal, what is the ciphertext of m1 · m2, where m2 ≡ 2 (mod p)? (c1,c2) = (246,609)
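As an added example (not from the question, and in JavaScript with BigInt rather than gp/pari, since the arithmetic is the same): randomized ElGamal modulo the question's p = 739 and the multiplicative homomorphism the question relies on. The ciphertext (246, 609) and m2 = 2 are taken from the question; the generator, the private key x and the randomness r used for the round-trip check are chosen here and are assumptions.

```javascript
// Added example: ElGamal mod p = 739 and multiplication of a ciphertext by a
// known plaintext. Only (c1, c2) = (246, 609) and m2 = 2 come from the question.
const P = 739n; // prime; p - 1 = 738 = 2 * 3^2 * 41

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// c2 = m1 * y^r, so c2 * m2 = (m1 * m2) * y^r: the pair (c1, c2 * m2 mod p) is a
// valid encryption of m1 * m2 under the same randomness r.
function multiplyByPlaintext([c1, c2], m2) {
  return [c1, (c2 * m2) % P];
}

// g generates Z_739^* iff g^((p-1)/q) != 1 for every prime q dividing p - 1.
function findGenerator() {
  for (let g = 2n; g < P; g++) {
    if ([2n, 3n, 41n].every((q) => modPow(g, (P - 1n) / q, P) !== 1n)) return g;
  }
  throw new Error("no generator found");
}

// Textbook ElGamal. The randomness r is a parameter here so the example is
// deterministic; a real implementation draws a fresh r uniformly per message.
function encrypt(g, y, m, r) {
  return [modPow(g, r, P), (m * modPow(y, r, P)) % P];
}

function decrypt(x, [c1, c2]) {
  const s = modPow(c1, x, P); // shared secret y^r = g^(x r)
  const sInv = modPow(s, P - 2n, P); // inverse by Fermat, p prime
  return (c2 * sInv) % P;
}
```

This homomorphism is exactly why textbook ElGamal is malleable: anyone who can see a ciphertext can turn it into a valid encryption of m1·m2 without knowing m1 or the private key, which is the property the question exercises and the reason ElGamal on its own is not CCA-secure.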

Score: 7
How bad is it to leak $k$ in RSA?

In RSA using a small public exponent $e$ such as $65537$, how bad is it if the value $k$ leaks? $k$ as in the following equations:

$ed - 1 = k \phi(n)$

or

$ed - 1 = k \cdot \operatorname{lcm}(p-1,q-1)$

Intuitively, this would only reduce the complexity of breaking the system by $65535$ times, nowhere near enough to matter, though I assume that GNFS would not be improved by knowing $k$.

EDIT: Thi ...

Score: 1
Is it possible to partially decrypt an aes-gcm ciphertext?

Say that I encrypt a large file using aes-gcm and upload it somewhere. Can I then download only the first few blocks (as well as IV and tag) and decrypt them?

If not, is there another authenticated encryption that allows this?

Score: 1
Adaptive Security Advantage

Adaptive model: the attacker can adaptively query the challenger for private keys. The challenge message need not be revealed at the start of the security game.

Selective model: the attacker has to declare the challenge message at the start of the security game before he can see the public parameters setup.

How does adaptive security offer an advantage to Adversary in comparison to selective security ...

The Stunning Power of Questions

Much of an executive’s workday is spent asking others for information—requesting status updates from a team leader, for example, or questioning a counterpart in a tense negotiation. Yet unlike professionals such as litigators, journalists, and doctors, who are taught how to ask questions as an essential part of their training, few executives think of questioning as a skill that can be honed—or consider how their own answers to questions could make conversations more productive.

That’s a missed opportunity. Questioning is a uniquely powerful tool for unlocking value in organizations: It spurs learning and the exchange of ideas, it fuels innovation and performance improvement, it builds rapport and trust among team members. And it can mitigate business risk by uncovering unforeseen pitfalls and hazards.

For some people, questioning comes easily. Their natural inquisitiveness, emotional intelligence, and ability to read people put the ideal question on the tip of their tongue. But most of us don’t ask enough questions, nor do we pose our inquiries in an optimal way.

The good news is that by asking questions, we naturally improve our emotional intelligence, which in turn makes us better questioners—a virtuous cycle. In this article, we draw on insights from behavioral science research to explore how the way we frame questions and choose to answer our counterparts can influence the outcome of conversations. We offer guidance for choosing the best type, tone, sequence, and framing of questions and for deciding what and how much information to share to reap the most benefit from our interactions, not just for ourselves but for our organizations.