RSA question

Justin Ferguson jnferguson at
Tue Aug 31 12:20:53 EDT 2010


Correct me if I am wrong, but my understanding is that the padding
scheme is the only thing that keeps the ciphertext from being
deterministic. Thus without it, the attacker could generate
ciphertexts until their ciphertext matched the real one. My question
is mostly how much does the lack of/determinism in padding help the
attacker? Or is this the same as more or less brute forcing with the

Best Regards,

Justin N. Ferguson

On Tue, Aug 31, 2010 at 8:05 AM, Alexander Klimov <alserkli at> wrote:
> On Tue, 31 Aug 2010, Justin Ferguson wrote:
>> I'm not really much of a crypto guy so when the details come up it's
>> often kind of hard for me to entirely wrap my head around. That said,
>> I'm currently dealing with a situation where the public key,
>> plain-text and cipher-text are all known to an attacker; furthermore,
>> the random oracles/et cetera employed during the OEAP scheme are also
>> known to the attacker. Furthermore, the attacker can modify those
>> values (id est random oracle values of zero, or whatever the attacker
>> wants) and repeat the plain-text to cipher-text process as they see
>> fit. Furthermore, the key length exceeds the length of the message.
>> Basically, only the private key is not under the attackers control.
>> From that, what I am getting is that this is virtually the same as RSA
>> without the padding scheme and should be vulnerable due to it being a
>> deterministic algorithm; however my question is how much does it
>> really reduce the complexity? Is an attack against this even feasible
>> in any practical terms?
> What is the goal of an attacker?
> Since he knows plain-text, it is definitely not plain-text; on the
> other hand, no operations with the public key can help the attacker to
> get the private key, whether he does these operations himself or
> observes somebody else doing them.
> --
> Regards,
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list