Raw RSA
Leichter, Jerry
leichter_jerrold at emc.com
Fri Sep 8 10:40:04 EDT 2006
| > | If an attacker is given access to a raw RSA decryption oracle (the
| > | oracle calculates c^d mod n for any c) is it possible to extract the
| > | key (d)?
| > If I hand you my public key, I have in effect handed you an oracle that
| > will compute c^d mod n for any c. What you are asking is whether you
| > can then extract my private key e - which is exactly what the security
| > claims for RSA say you cannot do. (Note that I chose to call my
| > public key d and by private key e - but since the two keys are
| > completely equivalent in RSA, that's just naming.)
|
| I want to extract the exponent that is used by the oracle: this is the
| difference between the chosen-plaintext attack (it does not require an
| oracle, since it is a public key scheme) and the chosen-ciphertext
| attack (CCA1).
I don't follow. For RSA, the only difference between encryption and
decryption, and public and private key, and hence between chosen
plaintext and chosen ciphertext, is the arbitrary naming of one of
a pair of mutually-inverse values as the "private" key and the other
as the "public" key.
-- Jerry
| --
| Regards,
| ASK
|
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
|
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list