Raw RSA
James A. Donald
jamesd at echeque.com
Sat Sep 9 18:12:49 EDT 2006
Leichter, Jerry wrote:
> | It is known, that given such an oracle, the attacker can ask for
> | "decryption" of all primes less than B, and then he will be able to
> | sign PKCS-1 encoded messages if the representative number is B-smooth,
> | but is there any way to actually recover d itself?
> RSA is multiplicative, so, yes, this follows easily unless the encoding
> used prevents it.
Could you describe this attack in more detail. I do not see a scenario
where it would be useful.
The attacker can encrypt a subset of numbers - those that encrypt to a B
smooth number, but for this to be useful to him, he has to find a number
in the subset set that corresponds to what he desires to encrypt, which
looks like a very long brute force search.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list