# Questions tagged as ['rsa']

- Authentication-:

I understand that authentication is basically digital signature. But what I don't understand is how it has been explained here specially the RSA key part. It is leading me to huge confusions.

In RSA encrpytion, we use public key(of whose sender or receiver?) for encrpytion and private key(of whom?) for decryption.

They say hash is encrypted using RSA. But why are we using PRIVAT ...

I have an encoded file and a public.pem file. Is it possible to decode the file using the public.pem file or do I have to start looking at private keys?

I tried https://github.com/Ganapati/RsaCtfTool with no luck. The public key (pem) is as below

```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjHDiqVkO1umD2/Tm20Wt
LpyBXGoIk4Pczeqjwz7/kwYLnQI7VlAzgjC9jD1dX80Z+kLOr5wHIDdfNK55 ...
```

In Section 2 dP and dQ are defined thusly:

```
dP p's CRT exponent, a positive integer such that
e * dP == 1 (mod (p-1))
dQ q's CRT exponent, a positive integer such that
e * dQ == 1 (mod (q-1))
```

In Appendix A.1.2 we have this:

```
o exponent1 is d mod (p - 1).
o exponent2 is d mod (q - 1).
```

I believe exponent1 = dP a ...

Consider the following scenario: Alice has a secret key and public key pair for text-book RSA (denoted $\text{sk}$ and $\text{pk}$ respectively). Bob has an authentic copy of $\text{pk}$. The adversary has an authentic copy of $\text{pk}$.

Now, Bob wants to send his $\text{PIN}$ to Alice which is a four digit number. He encrypts as follows: First he chooses a nonce $N_0$ (a number chosen randomly ...

https://link.springer.com/content/pdf/10.1007/3-540-49649-1_18.pdf

In class I, why (4) implies $g\equiv 1 \mod q$

Also even though I get $p$ and $q$ it still can't get $ord_n(g)$ without trying out different possibilities or is there a way to do all forgery?

In Simmons and Norris paper they demonstrate the cycling attack with the following example:

p = 383 q = 563 s = 49 and t = 56957 ( a prime)

The attacker knows the publicly available r = pq = 215,629 , s = 49 and an encrypted message C. By forming C

_{1}= C^{49}, C_{2}= C_{1}^{49}, etc. He will find C_{j}= C for 1,2,5 or 10

I do not understand how they figured out they will have M = C_{j-1} in at most 10 steps? They ...

I'm building a project that is remotely controlled using LoRa and I want to ensure, that nobody can imitate my transmitter and send packets to my receiver. Just encrypting sent data is not enough since someone can receive for example packet that opens the door and sent the same one from his transmitter. How do I make it so only I can send authorized packets? Another problem is that it's really likely th ...

I found a scheme for white-box RSA. It seems to protect the input and output of modular operations.

I'm curious about how to analyze the security of this solution.

Does anybody know anything about it?

While talking about symmetric encryption schemes like AES we always have a goal of achieving confusion and diffusion. But when it comes to asymmetric encryption schemes like RSA, DH etc. we never talk about diffusion and confusion.

Is it known that modular arithmetic and prime arithmetic ensure confusion and diffusion?

Is there any literature that dives into the information theoretic analysis, in te ...

I am trying to make an RSA module in VHDL, which in turn will be deployed to an FPGA. I am trying to implement a full Montgomery algorithm which means that I am working with the Montgomery Exponetiation algorithm, and the Montgomery Multiplication algorithm. Mostly my tests consists of generating random numbers (keys, modulus, r, messages) that I use to perform encryption/decryption. If the original mes ...

(Cross-listed on math stackexchange, received no replies) For context, this is a homework question from an assignment already turned in. I am looking for better understanding of the concepts involved, mainly complexity theory since I have not seen it before outside this class (and prior knowledge was assumed).

I am asked to evaluate the complexity of RSA decryption with and without using CRT, wit ...

Can someone explain the differences between the DES challenge, the RSA challenges, and the RSA factoring challenge? What were the aims? I think the factoring challenge was to encourage research, the DES challenge was to show that 56-bit keys are too short. But how do the three challenges relate to each other?

I have read that Shamir's trick can protect RSA with CRT against fault attacks. However, it is not clear to me why the following equations $$ s_{p}^{*}=m^{d \bmod \varphi(p \cdot t)} \bmod p \cdot t \\ s_{q}^{*}=m^{d \bmod \varphi(q \cdot t)} \bmod q \cdot t $$ imply that: $$ s_{p}^{*} = s_{q}^{*} \bmod t $$

I have an hybrid encryption (RSA, AES) for a file sharing project I am working on, where I use a single public key for encryption on the sender side and corresponding private key for decryption on the recipient side. I would like for a sender to be able to send files to multiple users each having only their own unique key pair (public keys would be distributed).

I know this is possible using **GPG**

I have written a raw (textbook) RSA implementation (just for fun) and I wonder is there an easy way to make it secure enough so it can be used in real life (without implementing OAEP+ and RSASSA-PSS)? Are there any simple algorithms for padding and generating secure digital signatures?

I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.

However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adver ...

The following NodeJS code, when run (v16.8.0), logs `512`

to stdout.

```
const crypto = require("crypto");
const { privateKey } = crypto.generateKeyPairSync("rsa", {
modulusLength: 4096,
});
const sign = crypto.createSign("RSA-SHA256").update("somestringtosign");
const signature = sign.sign(privateKey);
console.log(signature.length); // logs 512
```

If I change the modulus length to `2048`

, then `256`

is logged ...

In RSA using a small public exponent $e$ such as $65537$, how bad is it if the value $k$ leaks? $k$ as in the following equations:

$ed - 1 = k \phi(n)$

or

$ed - 1 = k \cdot \operatorname{lcm}(p-1,q-1)$

Intuitively, this would only reduce the complexity of the breaking the system by $65535$ times, nowhere near enough to matter, though I assume that GNFS would not be improved by knowing $k$.

EDIT: Thi ...

I'm learning about common modulus attack and learned that public modulus attacks can find out the private key. Assume there are 2 users with public and private keys $(e_1, d_1)$ and $(e_2, d_2)$. Scenario is attacker has his public and private keys $(e_2, d_2)$ and victim's public key $e_1$ Here are the steps to get the secret key:

- $t= e_2\cdot d_2-1$
- Attacker uses the extended Euclidean algorithm to ...

Let $p,q$ are primes and $n = pq$ as in every RSA setting and now use a random $e$ that holds the following properties

- $gcd(e, \phi(n)) \neq 1$
- $(e^{-1} ~\text{mod} ~\phi(n))^{4}\cdot3 < n$
- $e^{-1} ~\text{mod} ~\phi(n) < \sqrt[3]{n}$ (integer square root), where $\sqrt[3]{n} \in \mathbb{Z}$

where $\phi$ is euler's totient function. This $e$ is used as the public exponent for the public ke ...

**note**: I am not a crpytographer

I want to check if my RSA Blind Signatures Implementation is secure to be used in a production-stage application and I also have some questions which I would be so grateful to be answered.

I did a lot of research in the last few days and came out with this:

#### Signature Issuing Stage

- Get the public key; exponent $e$, modulus $n$
- Generate a random number $r$ that is les ...

Hello,

I have a question regarding time complexity of meet in the middle attack on textbook RSA encryption. Let's suppose that I try to encrypt symmetric keys of different length with no padding using RSA algorithm. Example keys:

- 56 bit DES key (with parity bits): DA13511CAB329E32 (without parity bits can be factored: BC6AF11×12864009)
- 80 bit Skipjack key: 54C22E82E4E2F5FD9A5D (can be factored: 3 ...

In common RSA encryption, a public key is used to encrypt message, and private key decrypts it. However, in digital signing, it's the other way around: Bob hashes his message, then encrypts the hash with **his own private key**, Alice uses Bob's **public key** to decrypt the encrypted hash.

What is the purpose of this opposition? Or It doesn't matter which key to encrypt/decrypt?

I need to securely pass an AES key to a remote client. What I did so far is to generate a random AES key and encrypt it using the RSA public key of the client (PKCS#1 v1.5 padding is taken care by the RSA library I'm using, CryptJS).

I didn't realize that AES requires the key but also an IV. I don't know what's the correct way of dealing with the IV. Should I encrypt it as well and basically send ...

I noticed that the PKCS#11 supports `C_GenerateKey`

function for symmetric keys and for asymmetric there's only `C_GenerateKeyPair`

function. So from the definition, this lets us create only both `private-key/public-key pair`

. From my understanding the private key stores public key info (modulus and public exponent), which are needed for public key creation, so it can be fetched every time to generate the publ ...

As far as I can see, generating a private key from two prime numbers `p`

and `q`

, having calculated `n = pq`

, starts with calculating `λ(n) = lcm(p-1, q-1)`

. This is the detailed explanation given in the wikipedia article for RSA, it's also the implementation I've found in most Python cryptography libraries, and, searching through the openssl source code, it's also how they seem to do it, so I'd say this lo ...

While implementing RSA encryption/decryption (using python), the plaintext doesn't match with the decrypted ciphertext for large values of plaintext. Works fine for smaller values for plaintext (numeric value).

Input: p=53 q=59 e=3 plaintext = 1000 (private key computed as 2011)

Here, the decryption gives `1000`

as the plaintext, which is correct.
Now, if

Input: p=53 q=59 e=3 plaintext = 10000 (priv ...

We are using RSA without OAEP, with a relatively small input domain.

Lets assume we have John and Bob connected on a line, and we are eavesdropping them. Bob first sends John his public key (e,n), then John encrypts his message m and sends it on the line encrypted. When we eavesdrop the line we get his encrypted message, for example 3211 4431 9938 ... (I'm using a low modulo just for the example)

...

e,N,c and around 2/3 of p are given and I need to get the whole p to decrypt c.

`N: 831920962257214756401382654251425949868264224385841957482372042416309146170150136001598220999003333652074674457203501497888508388030665515087882611269844918362760437859104547616381568314060144014118133650075504206531935707368804768936984206957688059038290716699862253339535050931352726410898837592450575051490781120052 ...`