# Questions tagged as ['rsa']

An asymmetric (e.g. public-key) cryptosystem, based on modular exponentiation with big exponents and modulus. RSA can be used both for signature and encryption with proper paddings.
Score: 0
Pretty much confused about pretty good privacy-:
1. Authentication-:

I understand that authentication is basically digital signature. But what I don't understand is how it has been explained here specially the RSA key part. It is leading me to huge confusions.

In RSA encrpytion, we use public key(of whose sender or receiver?) for encrpytion and private key(of whom?) for decryption.

They say hash is encrypted using RSA. But why are we using PRIVAT ...

Score: -1
How to decrypt a file using RSA and just a public.pem file?

I have an encoded file and a public.pem file. Is it possible to decode the file using the public.pem file or do I have to start looking at private keys?

I tried https://github.com/Ganapati/RsaCtfTool with no luck. The public key (pem) is as below

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjHDiqVkO1umD2/Tm20Wt
LpyBXGoIk4Pczeqjwz7/kwYLnQI7VlAzgjC9jD1dX80Z+kLOr5wHIDdfNK55 ...
Score: 1
conflicting definitions for dP / dQ and exponent1 / exponent2 in PKCS 1?

In Section 2 dP and dQ are defined thusly:

      dP             p's CRT exponent, a positive integer such that

e * dP == 1 (mod (p-1))

dQ             q's CRT exponent, a positive integer such that

e * dQ == 1 (mod (q-1))


In Appendix A.1.2 we have this:

   o  exponent1 is d mod (p - 1).

o  exponent2 is d mod (q - 1).


I believe exponent1 = dP a ...

Score: 0
Eavesdropping attack on text-book RSA encryption with public nonce

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $$\text{sk}$$ and $$\text{pk}$$ respectively). Bob has an authentic copy of $$\text{pk}$$. The adversary has an authentic copy of $$\text{pk}$$.

Now, Bob wants to send his $$\text{PIN}$$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $$N_0$$ (a number chosen randomly  ...

Score: 0
How is this step being calculated and why is that getting the factors is able to determine private key or universal forgery?

In class I, why (4) implies $$g\equiv 1 \mod q$$

Also even though I get $$p$$ and $$q$$ it still can't get $$ord_n(g)$$ without trying out different possibilities or is there a way to do all forgery?

Score: 0
How to find iteration exponent in a cycling attack?

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C1 = C49 , C2 = C149, etc. He will find Cj = C for 1,2,5 or 10

I do not understand how they figured out they will have M = Cj-1 in at most 10 steps? They  ...

Score: 0
How to ensure the data comes from verified source without using asymetric encryption

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

Score: 3

I found a scheme for white-box RSA. It seems to protect the input and output of modular operations.
I'm curious about how to analyze the security of this solution.
Does anybody know anything about it?

Score: 3
Why is confusion and diffusion never talked about in asymmetric crypto?

While talking about symmetric encryption schemes like AES we always have a goal of achieving confusion and diffusion. But when it comes to asymmetric encryption schemes like RSA, DH etc. we never talk about diffusion and confusion.

Is it known that modular arithmetic and prime arithmetic ensure confusion and diffusion?

Is there any literature that dives into the information theoretic analysis, in te ...

Score: 3
No Final subtraction in Word-level Montgomery Multiplication

I am trying to make an RSA module in VHDL, which in turn will be deployed to an FPGA. I am trying to implement a full Montgomery algorithm which means that I am working with the Montgomery Exponetiation algorithm, and the Montgomery Multiplication algorithm. Mostly my tests consists of generating random numbers (keys, modulus, r, messages) that I use to perform encryption/decryption. If the original mes ...

Score: 1
Comparing complexity of RSA decryption with/without CRT

(Cross-listed on math stackexchange, received no replies) For context, this is a homework question from an assignment already turned in. I am looking for better understanding of the concepts involved, mainly complexity theory since I have not seen it before outside this class (and prior knowledge was assumed).

I am asked to evaluate the complexity of RSA decryption with and without using CRT, wit ...

Score: 1
What are those RSA Challenges, DES Challenges and RSA Factoring Challenges

Can someone explain the differences between the DES challenge, the RSA challenges, and the RSA factoring challenge? What were the aims? I think the factoring challenge was to encourage research, the DES challenge was to show that 56-bit keys are too short. But how do the three challenges relate to each other?

Score: 1
Why does Shamir's Trick for RSA Work

I have read that Shamir's trick can protect RSA with CRT against fault attacks. However, it is not clear to me why the following equations $$s_{p}^{*}=m^{d \bmod \varphi(p \cdot t)} \bmod p \cdot t \\ s_{q}^{*}=m^{d \bmod \varphi(q \cdot t)} \bmod q \cdot t$$ imply that: $$s_{p}^{*} = s_{q}^{*} \bmod t$$

Score: 1
Multiuser encryption, singleuser decryption

I have an hybrid encryption (RSA, AES) for a file sharing project I am working on, where I use a single public key for encryption on the sender side and corresponding private key for decryption on the recipient side. I would like for a sender to be able to send files to multiple users each having only their own unique key pair (public keys would be distributed).

I know this is possible using GPG

Score: 3
Is there an easy way to make textbook RSA secure enough so it can be used in real life?

I have written a raw (textbook) RSA implementation (just for fun) and I wonder is there an easy way to make it secure enough so it can be used in real life (without implementing OAEP+ and RSASSA-PSS)? Are there any simple algorithms for padding and generating secure digital signatures?

Score: 0
Simple Key Exchange, One Server

I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.

However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adver ...

Score: 0
Does the signature length of RS256 depend on the size of the RSA key used for signing?

The following NodeJS code, when run (v16.8.0), logs 512 to stdout.

const crypto = require("crypto");
const { privateKey } = crypto.generateKeyPairSync("rsa", {
modulusLength: 4096,
});
const sign = crypto.createSign("RSA-SHA256").update("somestringtosign");
const signature = sign.sign(privateKey);
console.log(signature.length); // logs 512


If I change the modulus length to 2048, then 256 is logged  ...

Score: 7
How bad is it to leak $k$ in RSA?

In RSA using a small public exponent $$e$$ such as $$65537$$, how bad is it if the value $$k$$ leaks? $$k$$ as in the following equations:

$$ed - 1 = k \phi(n)$$

or

$$ed - 1 = k \cdot \operatorname{lcm}(p-1,q-1)$$

Intuitively, this would only reduce the complexity of the breaking the system by $$65535$$ times, nowhere near enough to matter, though I assume that GNFS would not be improved by knowing $$k$$.

EDIT: Thi ...

Score: 2
Need help to understand RSA common modulus attack to get private key

I'm learning about common modulus attack and learned that public modulus attacks can find out the private key. Assume there are 2 users with public and private keys $$(e_1, d_1)$$ and $$(e_2, d_2)$$. Scenario is attacker has his public and private keys $$(e_2, d_2)$$ and victim's public key $$e_1$$ Here are the steps to get the secret key:

1. $$t= e_2\cdot d_2-1$$
2. Attacker uses the extended Euclidean algorithm to  ...
Score: 0
RSA: why $( e^{-1} ~\text{mod}~ n \cdot \varphi(n)) ~\text{mod}~ \varphi(n) = e^{-1} ~\text{mod}~ \varphi(n)$ holds for a specific setting of RSA

Let $$p,q$$ are primes and $$n = pq$$ as in every RSA setting and now use a random $$e$$ that holds the following properties

• $$gcd(e, \phi(n)) \neq 1$$
• $$(e^{-1} ~\text{mod} ~\phi(n))^{4}\cdot3 < n$$
• $$e^{-1} ~\text{mod} ~\phi(n) < \sqrt[3]{n}$$ (integer square root), where $$\sqrt[3]{n} \in \mathbb{Z}$$

where $$\phi$$ is euler's totient function. This $$e$$ is used as the public exponent for the public ke ...

Score: 0
RSA Blind Signatures Secure Implementation

note: I am not a crpytographer

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.
I did a lot of research in the last few days and came out with this:

#### Signature Issuing Stage

1. Get the public key; exponent $$e$$, modulus $$n$$
2. Generate a random number $$r$$ that is les ...
Score: 0
Textbook RSA meet in the middle time complexity

Hello,
I have a question regarding time complexity of meet in the middle attack on textbook RSA encryption. Let's suppose that I try to encrypt symmetric keys of different length with no padding using RSA algorithm. Example keys:

• 56 bit DES key (with parity bits): DA13511CAB329E32 (without parity bits can be factored: BC6AF11×12864009)
• 80 bit Skipjack key: 54C22E82E4E2F5FD9A5D (can be factored: 3 ...
Score: 0
Why a private key is used to encrypt hash in digital signing

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with his own private key, Alice uses Bob's public key to decrypt the encrypted hash.

What is the purpose of this opposition? Or It doesn't matter which key to encrypt/decrypt?

Score: 1
RSA encrypt an AES key. What about the AES IV?

I need to securely pass an AES key to a remote client. What I did so far is to generate a random AES key and encrypt it using the RSA public key of the client (PKCS#1 v1.5 padding is taken care by the RSA library I'm using, CryptJS).

I didn't realize that AES requires the key but also an IV. I don't know what's the correct way of dealing with the IV. Should I encrypt it as well and basically send ...

Score: 0
Generation of RSA key pair and storage of only private key PKCS#11

I noticed that the PKCS#11 supports C_GenerateKey function for symmetric keys and for asymmetric there's only C_GenerateKeyPair function. So from the definition, this lets us create only both private-key/public-key pair. From my understanding the private key stores public key info (modulus and public exponent), which are needed for public key creation, so it can be fetched every time to generate the publ ...

Score: 1
RSA key generation: why use lcm(p-1, q-1) instead of the totient ϕ(n)?

As far as I can see, generating a private key from two prime numbers p and q, having calculated n = pq, starts with calculating λ(n) = lcm(p-1, q-1). This is the detailed explanation given in the wikipedia article for RSA, it's also the implementation I've found in most Python cryptography libraries, and, searching through the openssl source code, it's also how they seem to do it, so I'd say this lo ...

Score: 0
RSA implementation not working with large values for plaintext

While implementing RSA encryption/decryption (using python), the plaintext doesn't match with the decrypted ciphertext for large values of plaintext. Works fine for smaller values for plaintext (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives 1000 as the plaintext, which is correct. Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...

Score: 1
Break RSA without padding using a rainbow table attack

We are using RSA without OAEP, with a relatively small input domain.

Lets assume we have John and Bob connected on a line, and we are eavesdropping them. Bob first sends John his public key (e,n), then John encrypts his message m and sends it on the line encrypted. When we eavesdrop the line we get his encrypted message, for example 3211 4431 9938 ... (I'm using a low modulo just for the example)

...
Score: 2
Factoring a RSA modulus given parts of a Factor

e,N,c and around 2/3 of p are given and I need to get the whole p to decrypt c.

N: 831920962257214756401382654251425949868264224385841957482372042416309146170150136001598220999003333652074674457203501497888508388030665515087882611269844918362760437859104547616381568314060144014118133650075504206531935707368804768936984206957688059038290716699862253339535050931352726410898837592450575051490781120052 ...