Latest Crypto related questions

Score: 2
FooBar
Ed25519 to X25519 transportation

Using

montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p

it is possible to transport an Edwards curve point (Ed25519 public key) to the Montgomery curve. Does it have any side effects if the Ed25519 public key is not valid, in case of a small subgroup or invalid curve attack for example?

And if yes, what would be the best solution to handle that properly?

Score: 4
Max1z
The different bounds of PRP/PRF switching lemma

The PRP/PRF switching lemma is usually denoted as follows: [image]

I understand the proof of this version of the bound $\frac{q(q-1)}{2^{n+1}}$ and the game-playing technique behind it.

However, I came across a different version of this lemma recently, which is used more often in papers. It is denoted as follows: [image]

This version of the bound turns out to be $\frac{q^{2}}{2^{n+1}}$ (or something like this). Th ...

Score: 1
Sheldon
Are the concepts "Collision Resistance" and "Binding Commitment" in cryptography similar?

I found there are two perplexing and related concepts, "Collision Resistance" and "Computational Binding in Commitment", in cryptography. I found Wikipedia's explanation confusing, and no resources clarify their difference.

Especially, I found I can't differentiate the two concepts' common idea, which is that given certain inputs, there is no more than one output for a particular hash function.

Score: 4
JohnAndrews
Why did Google Cloud accept a lower FIPS 140-2 Level compared to IBM Cloud?

FIPS 140-2 is a standard which handles cryptographic modules and the ones that organizations use to encrypt data-at-rest and data-in-motion. FIPS 140-2 has 4 levels of security, with level 1 being the least secure, and level 4 being the most secure.

Google Cloud has a lower level (level 3) compared to IBM Cloud (level 4). I wonder why Google chose to accept this lower level? I am assuming that G ...

Score: 0
BeloumiX
Keyfiles in password encryption

Some programs use keyfiles as a second factor besides the password. VeraCrypt and its predecessor TrueCrypt, for example, use a function built from CRC-32 that captures the first 1024 bits of a file. Both the processing of keyfiles and the length of generated files (KeePass 32 bytes, DiskCryptor and Kryptor 64 bytes) are very different. It looks like generated keyfiles are often twice as long as t ...

Score: 0
OWF from PRG and OWF

Let $f : \mathcal{U}_{2\lambda} \to \mathcal{U}_{2\lambda}$ be a OWF, and $G : \mathcal{U}_{\lambda} \to \mathcal{U}_{2\lambda}$ be a PRG with $\lambda$-bit stretch. Establish whether the following function $f' : \mathcal{U}_{\lambda} \to \mathcal{U}_{2\lambda}$ is one-way or not: \begin{equation*} f'(x) = f(G(x) \oplus (0^\lambda \| x)) \end{equation*}

I don't know how to solve this. Is this ...

Score: 2
shfk
Probabilistic Verifiers for NIZK in the CRS model

Can we assume without loss of generality that the verifier for non-interactive zero-knowledge proofs in the common reference string model is deterministic, or does random randomization add extra power?

Score: 4
Encryption/Cryptographic techniques in financial documents (pre-1970s)

Do you know anyone who works in finance/banking who knows about encryption of financial documents? This is for an academic research paper, whereby I would be interested to research further information about encryption that was used in financial documents, i.e. before David Chaum's blind signature research that developed into further encryption techniques. So I mean pre-1970s encryption/cryptography/stega ...

Score: 0
sanscrit
Is sha256, when using an input of 32 bytes, a perfect hash function?

As the title says, is sha256 collision-free if the input is 32-byte long (same size as its output)?

In case it's not, what is the most efficient and non-reversible collision-free function? (it doesn't even need to be a hash function).

Score: 0
Shweta Aggrawal
How to map output of SHA to $\mathbb{F}_q^n$

I have an arbitrary string. I want to know how to implement a hash function $H: \{0,1\}^* \to \mathbb F_q^n$ which takes arbitrary strings to an element of $\mathbb{F}_q^n$. Here $\mathbb{F}_q$ denotes the finite field of order $q$.

Edit: $q=256$

Edit 2: $\mathbb F_q^n$ simply means $n$ dimensional vector space over $\mathbb{F}_q$. If $x \in \mathbb F_q^n$, it means $x$ has the following form

$$x=(x_1,x ...

Score: 0
Sangjin Kim
Comparing digital certification and blockchain certification

I am trying to understand the benefits of using blockchain technology in document certifications such as university diplomas. I would like to know the difference between digital certification and blockchain certification. To be more specific, the digital certification that I am considering works as follows. A trusted certification authority issues public-key certificates to universities. A university is ...

Score: 1
Brad
RSADP/RSAEP with zero base/message value

I have a question about how RSADP/RSAEP are defined (in RFC2437 https://datatracker.ietf.org/doc/html/rfc2437#section-5.1.2):

RSADP (and RSAEP) are described with the same limits for the message (m) and ciphertext (c), namely 0 <= m < n. In this case the modular exponentiation primitive assumes padding has already occurred, so leaving that out of the picture.

5.1.2 RSADP

   RSADP (K, c)

   Inp ...

Score: 1
Josh
Where did affine cipher get its name from?

I was wondering where the affine cipher got its name from. I am curious to know its origin and how it is related to the cipher. The Affine Transformation page on Wikipedia states:

In Euclidean geometry, an affine transformation, or an affinity (from the Latin, affinis, "connected with"), is a geometric transformation that preserves lines and parallelism (but not necessarily distances and angles) ...
