Questions tagged [modular-arithmetic]

Modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" upon reaching a certain value, the modulus.

When working with modular arithmetic, it is important to know how hard it is to solve a system of congruences. A linear system of congruences can be solved in polynomial time with a form of Gaussian elimination (linear congruence theorem). Algorithms such as Montgomery reduction also allow simple arithmetic operations modulo $n$, such as multiplication and exponentiation (the latter also known as "modular exponentiation"), to be performed efficiently on large numbers. Solving a system of non-linear modular arithmetic equations is NP-complete (see "Computers and Intractability: A Guide to the Theory of NP-Completeness" by Michael R. Garey and David S. Johnson, April 1979, W. H. Freeman & Co Ltd).

517 questions
42 votes, 4 answers

Calculating RSA private exponent when given public exponent and the modulus factors using extended Euclid

When given $p = 5, q = 11, N = 55$ and $e = 17$, I'm trying to compute the RSA private key $d$. I can calculate $\varphi(N) = 40$, but my lecturer then says to use the extended Euclidean algorithm to compute $d$. That's where I get stuck. Here's my…
DougalMaguire
33 votes, 2 answers

In RSA, why is it important to choose e so that it is coprime to φ(n)?

When choosing the public exponent $e$, it is stressed that $e$ must be coprime to $\phi(n)$, i.e. $\gcd(\phi(n), e) = 1$. I know that a common choice is to have $e = 3$ (which requires a good padding scheme) or $e=65537$, which is slower but safer. I…
Martin
26 votes, 2 answers

Why is it not possible to increase the size of RSA keys indefinitely?

According to this primer on elliptic curves by Ars Technica, when composite numbers get "too" big, they become easier to factorize with Quadratic Sieve and General Number Field Sieve. While this is not explained in detail on the site, it is a common…
25 votes, 4 answers

Is sharing the modulus for multiple RSA key pairs secure?

In the public-key system RSA scheme, each user holds, beyond a public modulus $m$, a public exponent $e$ and a private exponent $d$. Suppose that Bob's private exponent is learned by other users. Rather than generating a new modulus, Bob decides to…
Mohammed Fathi
19 votes, 2 answers

lcm versus phi in RSA

In textbook RSA, the Euler $\varphi$ function $$\varphi(pq) = (p-1)(q-1)$$ is used to define the private exponent $d$. On the other hand, real-world cryptographic specifications require the Carmichael lcm function $$\lambda(pq) =…
user27950
12 votes, 1 answer

How to determine the multiplicative inverse modulo 64 (or other power of two)?

I am trying to determine the multiplicative inverse of $47$ modulo $64$. So I have looked for an algorithm or scheme in order to perform this. I found this wiki explaining how to find a multiplicative inverse. I tried to perform all the…
user3834282
12 votes, 2 answers

Is it possible to recover an RSA modulus from its signatures?

Let's say that you have some small number of RSA signatures of known data: you know some pairs $(m_k, c_k)$ such that ${c_k}^e \equiv m_k \pmod n$. If you know $e$, because probably it's one of $\{3, 17, 65537\}$, is it possible to recover $n$?
Myria
11 votes, 1 answer

Shadowed identity in cryptography

I was trying to implement a zero-knowledge protocol for authentication based on the paper "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory". In that, the first step is… each security…
10 votes, 2 answers

Difference between FFT and NTT

What are the main differences between the Fast Fourier Transform (FFT) and the Number Theoretical Transform (NTT)? Why do we use the NTT and not the FFT in cryptographic applications? Which one is a generalization of the other?
10 votes, 1 answer

How does NaCl Poly1305 implementation do modular multiplication?

The NaCl ref implementation of Poly1305 performs modular multiplication to calculate a polynomial $\mod 2^{130} - 5$ using the following modular multiplication function: static void mulmod(unsigned int h[17],const unsigned int r[17]) { unsigned…
archie
10 votes, 1 answer

Base point in Ed25519?

The paper "High-speed high-security signatures" by Bernstein et al. introduces the Edwards curve Ed25519. Concerning the base point $B$, it says that $B$ is the unique point $(x, 4/5)\in E$ for which $x$ is positive, and $B$ corresponds to the…
Chris
9 votes, 4 answers

Is encrypting every number separately using RSA secure?

Suppose RSA is considered a "secure" method for encryption. RSA is meant to encode a sequence of integers base $27$. If we use an $n=pq$ that is hard to factor, is it still secure if we encode every integer (letter) separately rather than the whole…
BoostMatch
9 votes, 1 answer

Which one is fastest? Karatsuba or Montgomery multiplication?

Is there any complexity analysis between Karatsuba and Montgomery multiplication algorithms? It seems that Karatsuba is more general in the sense that it is not modulo tuned, while Montgomery is. Does a also a hybrid model using Karatsuba and…
curious
9 votes, 1 answer

Deterministic RSA blinding

I have an implementation of the RSA private key operation in a context where I don't have access to an entropy source. I'd like to add blinding to it (both message and exponent), to make it resist some side channel attacks. (The subsequent padding…
9 votes, 2 answers

Help Finding D from Dq and Dp

Let $$d_p = d~\mathrm{mod}~(p-1)$$ and $$d_q = d~\mathrm{mod}~(q-1).$$ Given $d_p$, $d_q$, $p$ and $q$, how can I reconstruct $d$?