[145788] in cryptography@c2.net mail archive

Re: RSA question

daemon@ATHENA.MIT.EDU (Joseph Ashwood)
Tue Aug 31 21:14:01 2010

From: "Joseph Ashwood" <ashwood@msn.com>
To: <cryptography@metzdowd.com>
In-Reply-To: <AANLkTi=uiMfmipb4+_YFX2GWwGX6bBigMpOezGKR7+-c@mail.gmail.com>
Date: Tue, 31 Aug 2010 17:30:13 -0700

--------------------------------------------------
From: "Justin Ferguson" <jnferguson@gmail.com>
Subject: Re: RSA question

> Correct me if I am wrong, but my understanding is that the padding
> scheme is the only thing that keeps the ciphertext from being
> deterministic. Thus without it, the attacker could generate
> ciphertexts until their ciphertext matched the real one. My question
> is mostly how much does the lack of/determinism in padding help the
> attacker? Or is this the same as more or less brute forcing with the
> padding?

It really depends. It comes down to the number of possible messages, and
their probabilities, typically expressed as entropy. There are message
recovery attacks against RSA with insufficient message entropy, and this is
probably widely the case. Worst case for you, there are only two possible
messages, the attacker only has to test one to determine the message. Best
case for you is completely entropy saturated messages. The way to bring the
environment closer to your best case/attacker's worst case is through random
padding like that used in OAEP.

I'm also a bit unclear about how you're using it. You said the attacker
knows the plaintext, but all encryption can really do is hide the plaintext.
In many ways it sounds like you're looking for a digital signature
algorithm; all the good ones have entropy injected.
                    Joe 
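
The guess-and-compare point from the reply above, as an added example that is not part of the original thread: unpadded RSA lets anyone holding the public key confirm which of a few candidate messages was sent, while OAEP's random seed makes every encryption of the same message differ. The key (built from two publicly known Mersenne primes), the `yes`/`no` message set and all function names are constructed for this demonstration.

```python
import hashlib, secrets

# Constructed demo key: two publicly known Mersenne primes, so it offers no
# security; it only makes the modulus large enough for OAEP with SHA-256.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K, HLEN = (N.bit_length() + 7) // 8, 32       # modulus and hash length in bytes
CANDIDATES = [b"yes", b"no"]                  # constructed low-entropy message space

def textbook_encrypt(m: bytes) -> int:
    """Unpadded RSA: the same message always yields the same ciphertext."""
    return pow(int.from_bytes(m, "big"), E, N)

def recover_by_guessing(ciphertext, candidates, encrypt):
    """Encrypt each candidate under the public key and compare to the target."""
    return next((m for m in candidates if encrypt(m) == ciphertext), None)

def mgf1(seed: bytes, length: int) -> bytes:
    # MGF1 mask generation with SHA-256 (RFC 8017, appendix B.2.1)
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // HLEN)))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(m: bytes) -> int:
    """RSAES-OAEP (RFC 8017, empty label): a fresh random seed per call."""
    pad = b"\x00" * (K - len(m) - 2 * HLEN - 2)
    db = hashlib.sha256(b"").digest() + pad + b"\x01" + m
    seed = secrets.token_bytes(HLEN)
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), E, N)

def oaep_decrypt(c: int) -> bytes:
    """Inverse of oaep_encrypt; demo only, error handling is not constant-time."""
    em = pow(c, D, N).to_bytes(K, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    if em[0] != 0 or db[:HLEN] != hashlib.sha256(b"").digest():
        raise ValueError("decryption error")
    return db[HLEN:].split(b"\x01", 1)[1]

if __name__ == "__main__":
    print(recover_by_guessing(textbook_encrypt(b"no"), CANDIDATES, textbook_encrypt))
    print(recover_by_guessing(oaep_encrypt(b"no"), CANDIDATES, oaep_encrypt))
```

With only two candidates the unpadded ciphertext is identified after at most two public-key operations, whereas the same comparison against an OAEP ciphertext finds no match because the attacker cannot reproduce the 256-bit seed.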
