Raw RSA
Leichter, Jerry
leichter_jerrold at emc.com
Thu Sep 7 10:50:24 EDT 2006
| Hi.
|
| If an attacker is given access to a raw RSA decryption oracle (the
| oracle calculates c^d mod n for any c) is it possible to extract the
| key (d)?
If I hand you my public key, I have in effect handed you an oracle that
will compute c^d mod n for any c. What you are asking is whether you
can then extract my private key e - which is exactly what the security
claims for RSA say you cannot do. (Note that I chose to call my
public key d and by private key e - but since the two keys are
completely equivalent in RSA, that's just naming.)
| It is known, that given such an oracle, the attacker can ask for
| "decryption" of all primes less than B, and then he will be able to
| sign PKCS-1 encoded messages if the representative number is B-smooth,
| but is there any way to actually recover d itself?
RSA is multiplicative, so, yes, this follows easily unless the encoding
used prevents it.
-- Jerry
| --
| Regards,
| ASK
|
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
|
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list