Latest Crypto related questions

Score: 1
filter hash
The security of DDH with multiple instances?

Let $G$ be a finite group of prime order $p$, and $g$ a generator of $G$. In standard DDH, it is hard to distinguish the two distributions $$ \{ (g, g^a, g^b, g^{ab}) : a, b \leftarrow \mathbb{Z}_p\} \text{ and } \{ (g, g^a,g^{b}, g^r) : a, r \leftarrow \mathbb{Z}_p\}. $$

Is DDH with multiple instances still secure? That is, is it hard to distinguish the following two distributions? $$ \{ (g, g^a, g^{b_i}, g^ ...

Score: 1
Authentication by Presenting the Symmetric Key over an Encrypted Channel

I have devices which need to communicate with a server over a mutually authenticated and encrypted channel. Authenticating the server is relatively easy, since I can embed the CA certificate in the device firmware and check the signature of the server's certificate. The problem is to authenticate the device to the server.

Normally I could sign the device's certificate as well, but there is no tru ...

Score: 0
Manc
RSA use prime p as public exponent

I've got two 1024-bit primes $p$, $q$, and $n = p \cdot q$. Now I know the result of $c^{p} \bmod n = x$; the value of $c$ is also given. I wonder if it is possible to factorize $n$.

Score: 0
caveman
Hashing functions that allow to walk back to parts of cleartext?

Say $m$ is some clear text, and $h_n(m)$ is its $n$ bits hash.

The question: How can we design $h_n$ so that we can extract maximum information about $m$ from $h_n(m)$?


The reason I ask this is because, I think, if we answer that question, we will identify the perfect lossy compression function.

And the reason I think that's so is because every bit of the $n$ bits in $h_n(m)$ contains information about e ...

Score: 0
How does one construct a SNARK circuit for proving the knowledge of a SHA256 pre-image?

Usually one explains how the R1CS/QAPs and SNARKs work using examples of circuits with multiplication and addition nodes, and constructing polynomials from that is relatively straightforward. SHA-2 hashing uses complicated bit-wise arithmetic applied to itself multiple times, not simple multiplications and additions. How does one even construct a circuit to prove that a string hashes to a hash? Is there ...

Score: 0
rozi
In RSA signing find n from e and many pairs of m and c

When signing using RSA with $e = 65537$ and many pairs of m and c, where $$c^e \bmod (n)=m$$ is there a way to find n (n is 2048 bits)?

I planned on computing $ c^e-m $ and then treating those as a basis for a lattice. But $c^e$ was too large.

Score: 0
Cronos
Can we determine the size of n-bytes before encryption by AES-128?

I am writing a program in Python to encrypt files. This program takes subsequent 1024*1024 (1 mebibyte) chunks of data from a file and encrypts them using AES-128. This is performed in a loop until all the data in the file is encrypted. The issue is that the size of each 1 mebibyte of data is increased when it gets encrypted.

What I need is a way to determine the new chunk size for each 1 mebibyte  ...

Score: 1
jessica Hu
What's the difference between Optimal ate pairing and R-ate pairing?

I compared the algorithm descriptions of Optimal ate pairing and R-ate pairing, and it seems to me that the formulas are the same. So I'm a little confused: what's the difference between them? Or is it just that I misunderstand? Thanks very much.


ref: Beuchat J L, González-Díaz J E, Mitsunari S, et al. High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves[C]//Internationa ...

Score: 1
nisc
Matching accounts across multiple data leaks via their hashed passwords

I've heard about several instances where OSINT researchers were able to match user accounts from multiple data leaks purely based on their hashed passwords, assuming accounts had the same password on different sites. (Yes, even when there were no other identifying characteristics, such as re-used usernames, re-used email addresses, browser fingerprints, or IPs.)

As far as I know, these data leaks  ...

Score: 1
How to calculate the order of secp256k1?

The elliptic curve secp256k1 is defined as $y^2 = x^3 + 7$. The prime for the field is set to:

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

So now, one should be able to calculate the order by using Schoof's algorithm. There is a Python implementation provided here: https://github.com/pdinges/python-schoof

However, it seems to be too time consuming to calcu ...

Score: 1
John Sohn
Crypt-analysis for finding information hidden in images?

I was wondering if anyone is familiar with any historical aspects (as to whether someone was able to) for discovering code using images on the web as a transport method? As in hiding byte values in pixel data broken up between the component values?

**Edit** The answer below adds to a good search tree of how to hide text but doesn't relate to discovering the ciphertext.

Score: 2
J.Doe
A query regarding SHA256 output hash structure vs input entropy?

Given an input string of N bytes where some byte positions in the string are fixed/immutable (F bytes) and the rest of the byte positions can contain any value we want, i.e. are configurable/variable (V = N-F bytes).

SHA256(SHA256(N)) = H (256 bits).

Now, Given an Input string of N bytes, the values of N, F, V and the positions which can change and which can't:

How do we calculate the probability/formula ...

Score: 0
How to find k evenly-distributed elements from the set of all n! permutations over n alternatives?

Let $C=\{ c_1, c_2, \cdots,c_n \}$ be a set of $n$ alternatives and $T$ be the set of all strict complete orderings on $C$. For any two $t_1$ and $t_2$ in $T$, their (Kendall tau) distance $d(t_1, t_2)$ is defined as the number of pairwise disagreements between $t_1$ and $t_2$.

My Question: How to find $k$ (much smaller than $n!$) different elements from $T$ such that they are "evenly distributed" in  ...

Score: 0
librehash
Can knowledge of algorithm be used to reduce anonymity?

This is a bit of a crazy hypothetical, but I think it best illustrates what I'm looking to ask.

Scenario + Question

There's a distributed & decentralized cloud storage network that's starting to get popular. One thing people like about it is the fact that it allegedly grants users tons of privacy they can't get from alternatives like Dropbox.

The company's technical docs state that their so ...

Score: 0
Jack
Semantic Security Game

I need help understanding semantic security, in particular, the part on the 'game'.

But first, from my understanding, is semantic security a 'weaker' and more flexible way to determine that a cryptographic function is secure enough for use? I understand that the definition for perfect secrecy is often too rigid and hence semantic security gives some leeway in defining something that's secure e ...
