Raw RSA

Alexander Klimov alserkli at inbox.ru
Sun Sep 10 16:36:38 EDT 2006


On Sun, 10 Sep 2006, James A. Donald wrote:
> Could you describe this attack in more detail.  I do not see a
> scenario where it would be useful.

Suppose that an attacker runs an activex control on the user's
computer and the control is able to ask a smart card connected to the
computer to perform raw RSA operations with user's private key. The
goal of the attacker is to be able to sign some useful messages with
the user's private key *after* the user disconnect his smart card.

> The attacker can encrypt a subset of numbers - those that encrypt to
> a B smooth number, but for this to be useful to him, he has to find
> a number in the subset set that corresponds to what he desires to
> encrypt, which looks like a very long brute force search.

If the attacker needs to sign a message x, he needs to find a smooth
number y = x + k n, where n is the RSA modulus and k is some arbitrary
number. I forgot what was the algorithm to find such y (I am not even
sure that it exists), IIRC, it was based on LLL.

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list