Questions tagged as ['rsa']

An asymmetric (i.e. public-key) cryptosystem, based on modular exponentiation with big exponents and modulus. RSA can be used both for signature and encryption with proper paddings.
Score: 0
Pretty much confused about pretty good privacy-:
  1. Authentication-:

I understand that authentication is basically digital signature. But what I don't understand is how it has been explained here, especially the RSA key part. It is leading me to huge confusions.

In RSA encryption, we use public key (of whose sender or receiver?) for encryption and private key (of whom?) for decryption.

They say hash is encrypted using RSA. But why are we using PRIVAT ...

Score: -1
How to decrypt a file using RSA and just a public.pem file?

I have an encoded file and a public.pem file. Is it possible to decode the file using the public.pem file or do I have to start looking at private keys?

I tried with no luck. The public key (pem) is as below

LpyBXGoIk4Pczeqjwz7/kwYLnQI7VlAzgjC9jD1dX80Z+kLOr5wHIDdfNK55 ...
Score: 1
conflicting definitions for dP / dQ and exponent1 / exponent2 in PKCS 1?

In Section 2 dP and dQ are defined thusly:

      dP             p's CRT exponent, a positive integer such that

                       e * dP == 1 (mod (p-1))

      dQ             q's CRT exponent, a positive integer such that

                       e * dQ == 1 (mod (q-1))

In Appendix A.1.2 we have this:

   o  exponent1 is d mod (p - 1).

   o  exponent2 is d mod (q - 1).

I believe exponent1 = dP a ...

Score: 0
Eavesdropping attack on text-book RSA encryption with public nonce

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $\text{sk}$ and $\text{pk}$ respectively). Bob has an authentic copy of $\text{pk}$. The adversary has an authentic copy of $\text{pk}$.

Now, Bob wants to send his $\text{PIN}$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $N_0$ (a number chosen randomly  ...

Score: 0
7337dtd avatar
How is this step being calculated and why is that getting the factors is able to determine private key or universal forgery?

In class I, why (4) implies $g\equiv 1 \mod q$

Also even though I get $p$ and $q$ it still can't get $ord_n(g)$ without trying out different possibilities or is there a way to do all forgery?

Score: 0
How to find iteration exponent in a cycling attack?

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

$p = 383$, $q = 563$, $s = 49$ and $t = 56957$ (a prime)

The attacker knows the publicly available $r = pq = 215{,}629$, $s = 49$ and an encrypted message $C$. By forming $C_1 = C^{49}$, $C_2 = C_1^{49}$, etc. He will find $C_j = C$ for 1,2,5 or 10

I do not understand how they figured out they will have $M = C_{j-1}$ in at most 10 steps? They  ...

Score: 0
krystof18 avatar
How to ensure the data comes from verified source without using asymmetric encryption

I'm building a project that is remotely controlled using LoRa and I want to ensure that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive, for example, a packet that opens the door and send the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Score: 3
S.Abbe avatar
Question about white-box rsa algorithm

I found a scheme for white-box RSA. It seems to protect the input and output of modular operations.
I'm curious about how to analyze the security of this solution.
Does anybody know anything about it?

Score: 3
Chirag Parmar avatar
Why is confusion and diffusion never talked about in asymmetric crypto?

While talking about symmetric encryption schemes like AES we always have a goal of achieving confusion and diffusion. But when it comes to asymmetric encryption schemes like RSA, DH etc. we never talk about diffusion and confusion.

Is it known that modular arithmetic and prime arithmetic ensure confusion and diffusion?

Is there any literature that dives into the information theoretic analysis, in te ...

Score: 3
TheJonaMr avatar
No Final subtraction in Word-level Montgomery Multiplication

I am trying to make an RSA module in VHDL, which in turn will be deployed to an FPGA. I am trying to implement a full Montgomery algorithm which means that I am working with the Montgomery Exponentiation algorithm, and the Montgomery Multiplication algorithm. Mostly my tests consist of generating random numbers (keys, modulus, r, messages) that I use to perform encryption/decryption. If the original mes ...

Score: 1
mrose avatar
Comparing complexity of RSA decryption with/without CRT

(Cross-listed on math stackexchange, received no replies) For context, this is a homework question from an assignment already turned in. I am looking for better understanding of the concepts involved, mainly complexity theory since I have not seen it before outside this class (and prior knowledge was assumed).

I am asked to evaluate the complexity of RSA decryption with and without using CRT, wit ...

Score: 1
george s avatar
What are those RSA Challenges, DES Challenges and RSA Factoring Challenges

Can someone explain the differences between the DES challenge, the RSA challenges, and the RSA factoring challenge? What were the aims? I think the factoring challenge was to encourage research, the DES challenge was to show that 56-bit keys are too short. But how do the three challenges relate to each other?

Score: 1
Johny Dow avatar
Why does Shamir's Trick for RSA Work

I have read that Shamir's trick can protect RSA with CRT against fault attacks. However, it is not clear to me why the following equations $$ s_{p}^{*}=m^{d \bmod \varphi(p \cdot t)} \bmod p \cdot t \\ s_{q}^{*}=m^{d \bmod \varphi(q \cdot t)} \bmod q \cdot t $$ imply that: $$ s_{p}^{*} = s_{q}^{*} \bmod t $$

Score: 1
J.Valášek avatar
Multiuser encryption, singleuser decryption

I have a hybrid encryption (RSA, AES) for a file sharing project I am working on, where I use a single public key for encryption on the sender side and corresponding private key for decryption on the recipient side. I would like for a sender to be able to send files to multiple users each having only their own unique key pair (public keys would be distributed).

I know this is possible using GPG

Score: 3
Brongs Gaming avatar
Is there an easy way to make textbook RSA secure enough so it can be used in real life?

I have written a raw (textbook) RSA implementation (just for fun) and I wonder is there an easy way to make it secure enough so it can be used in real life (without implementing OAEP+ and RSASSA-PSS)? Are there any simple algorithms for padding and generating secure digital signatures?

Score: 0
Bondolin avatar
Simple Key Exchange, One Server

I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.

However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adver ...

Score: 0
Does the signature length of RS256 depend on the size of the RSA key used for signing?

The following NodeJS code, when run (v16.8.0), logs 512 to stdout.

const crypto = require("crypto");
const { privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 4096,
});
const sign = crypto.createSign("RSA-SHA256").update("somestringtosign");
const signature = sign.sign(privateKey);
console.log(signature.length); // logs 512

If I change the modulus length to 2048, then 256 is logged  ...

Score: 7
Myria avatar
How bad is it to leak $k$ in RSA?

In RSA using a small public exponent $e$ such as $65537$, how bad is it if the value $k$ leaks? $k$ as in the following equations:

$ed - 1 = k \phi(n)$


$ed - 1 = k \cdot \operatorname{lcm}(p-1,q-1)$

Intuitively, this would only reduce the complexity of breaking the system by $65535$ times, nowhere near enough to matter, though I assume that GNFS would not be improved by knowing $k$.

EDIT: Thi ...

Score: 2
domiee13 avatar
Need help to understand RSA common modulus attack to get private key

I'm learning about common modulus attack and learned that public modulus attacks can find out the private key. Assume there are 2 users with public and private keys $(e_1, d_1)$ and $(e_2, d_2)$. Scenario is attacker has his public and private keys $(e_2, d_2)$ and victim's public key $e_1$. Here are the steps to get the secret key:

  1. $t= e_2\cdot d_2-1$
  2. Attacker uses the extended Euclidean algorithm to  ...
Score: 0
Cryptomathician avatar
RSA: why $( e^{-1} ~\text{mod}~ n \cdot \varphi(n)) ~\text{mod}~ \varphi(n) = e^{-1} ~\text{mod}~ \varphi(n)$ holds for a specific setting of RSA

Let $p,q$ be primes and $n = pq$ as in every RSA setting and now use a random $e$ that holds the following properties

  • $gcd(e, \phi(n)) \neq 1$
  • $(e^{-1} ~\text{mod} ~\phi(n))^{4}\cdot3 < n$
  • $e^{-1} ~\text{mod} ~\phi(n) < \sqrt[3]{n}$ (integer square root), where $\sqrt[3]{n} \in \mathbb{Z}$

where $\phi$ is euler's totient function. This $e$ is used as the public exponent for the public ke ...

Score: 0
Mohamed Waleed avatar
RSA Blind Signatures Secure Implementation

Note: I am not a cryptographer

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.
I did a lot of research in the last few days and came out with this:

Signature Issuing Stage

  1. Get the public key; exponent $e$, modulus $n$
  2. Generate a random number $r$ that is les ...
Score: 0
pajacol avatar
Textbook RSA meet in the middle time complexity

I have a question regarding time complexity of meet in the middle attack on textbook RSA encryption. Let's suppose that I try to encrypt symmetric keys of different length with no padding using RSA algorithm. Example keys:

  • 56 bit DES key (with parity bits): DA13511CAB329E32 (without parity bits can be factored: BC6AF11×12864009)
  • 80 bit Skipjack key: 54C22E82E4E2F5FD9A5D (can be factored: 3 ...
Score: 0
Lê Thành Vinh  avatar
Why a private key is used to encrypt hash in digital signing

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with his own private key, Alice uses Bob's public key to decrypt the encrypted hash.

What is the purpose of this opposition? Or it doesn't matter which key to encrypt/decrypt?

Score: 1
Gianluca Ghettini avatar
RSA encrypt an AES key. What about the AES IV?

I need to securely pass an AES key to a remote client. What I did so far is to generate a random AES key and encrypt it using the RSA public key of the client (PKCS#1 v1.5 padding is taken care of by the RSA library I'm using, CryptJS).

I didn't realize that AES requires the key but also an IV. I don't know what's the correct way of dealing with the IV. Should I encrypt it as well and basically send ...

Score: 0
simonskof avatar
Generation of RSA key pair and storage of only private key PKCS#11

I noticed that the PKCS#11 supports C_GenerateKey function for symmetric keys and for asymmetric there's only C_GenerateKeyPair function. So from the definition, this lets us create only both private-key/public-key pair. From my understanding the private key stores public key info (modulus and public exponent), which are needed for public key creation, so it can be fetched every time to generate the publ ...

Score: 1
Élise Navennec avatar
RSA key generation: why use lcm(p-1, q-1) instead of the totient ϕ(n)?

As far as I can see, generating a private key from two prime numbers p and q, having calculated n = pq, starts with calculating λ(n) = lcm(p-1, q-1). This is the detailed explanation given in the wikipedia article for RSA, it's also the implementation I've found in most Python cryptography libraries, and, searching through the openssl source code, it's also how they seem to do it, so I'd say this lo ...

Score: 0
ayush7ad6 avatar
RSA implementation not working with large values for plaintext

While implementing RSA encryption/decryption (using python), the plaintext doesn't match with the decrypted ciphertext for large values of plaintext. Works fine for smaller values for plaintext (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives 1000 as the plaintext, which is correct. Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...

Score: 1
Yotam Sofer avatar
Break RSA without padding using a rainbow table attack

We are using RSA without OAEP, with a relatively small input domain.

Let's assume we have John and Bob connected on a line, and we are eavesdropping them. Bob first sends John his public key (e,n), then John encrypts his message m and sends it on the line encrypted. When we eavesdrop the line we get his encrypted message, for example 3211 4431 9938 ... (I'm using a low modulo just for the example)

Score: 2
xXLeoXxOne avatar
Factoring a RSA modulus given parts of a Factor

e,N,c and around 2/3 of p are given and I need to get the whole p to decrypt c.

N: 831920962257214756401382654251425949868264224385841957482372042416309146170150136001598220999003333652074674457203501497888508388030665515087882611269844918362760437859104547616381568314060144014118133650075504206531935707368804768936984206957688059038290716699862253339535050931352726410898837592450575051490781120052 ...