RSA question

Joseph Ashwood ashwood at msn.com
Tue Aug 31 20:30:13 EDT 2010


--------------------------------------------------
From: "Justin Ferguson" <jnferguson at gmail.com>
Subject: Re: RSA question

> Correct me if I am wrong, but my understanding is that the padding
> scheme is the only thing that keeps the ciphertext from being
> deterministic. Thus without it, the attacker could generate
> ciphertexts until their ciphertext matched the real one. My question
> is mostly how much does the lack of/determinism in padding help the
> attacker? Or is this the same as more or less brute forcing with the
> padding?

It really depends. It comes down to the number of possible messages, and 
their probabilities, typically expressed as entropy. There are message 
recovery attacks against RSA with insufficient message entropy, and this is 
probably widely the case. Worst case for you, there are only two possible 
messages, the attacker only has to test one to determine the message. Best 
case for you is completely entropy saturated messages. The way to bring the 
environment closer to your best case/attacker's worst case is through random 
padding like that used in OAEP.

I'm also a bit unclear about how you're using it. You said the attacker 
knows the plaintext, but all encryption can really do is hide the plaintext. 
In many ways it sounds like you're looking for a digital signature 
algorithm; all the good ones have entropy injected.
                    Joe 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


