[145793] in cryptography@c2.net mail archive


Re: RSA question

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Sep 1 13:55:21 2010

Date: Wed, 1 Sep 2010 13:48:10 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Justin Ferguson <jnferguson@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <AANLkTi=uiMfmipb4+_YFX2GWwGX6bBigMpOezGKR7+-c@mail.gmail.com>

On Tue, 31 Aug 2010 09:20:53 -0700 Justin Ferguson
<jnferguson@gmail.com> wrote:
> Hi,
> 
> Correct me if I am wrong, but my understanding is that the padding
> scheme is the only thing that keeps the ciphertext from being
> deterministic. Thus without it, the attacker could generate
> ciphertexts until their ciphertext matched the real one. My question
> is mostly how much does the lack of/determinism in padding help the
> attacker? Or is this the same as more or less brute forcing with the
> padding?

The function of the padding is to prevent chosen ciphertext
attacks as well. Those are very feasible in the absence of padding.
I'm surprised no one has chimed in so far to mention this.

Padding prevents other attacks including attacks on common exponents.

Perry
-- 
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
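Added example, not part of the thread: a numerically small Python demonstration of the two points in the reply. Textbook RSA maps the same message to the same ciphertext and preserves the multiplicative relation between ciphertexts, and randomized padding removes both properties. The key, one-byte messages and random-prefix padding are constructed for illustration only; they are not PKCS#1 or OAEP.

```python
import secrets

# Constructed toy key: small primes so the numbers stay readable.
# Real keys use primes of 1024 bits or more.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def textbook_encrypt(m: int) -> int:
    """Unpadded RSA: c = m^e mod n. Same m always gives the same c."""
    return pow(m, E, N)

def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)

def pad(m: int, r: int) -> int:
    """Toy randomized padding: 16 random bits above a one-byte message."""
    assert 0 <= m < 256 and 0 < r < (1 << 16)
    return (r << 8) | m

def unpad(x: int) -> int:
    return x & 0xFF

def padded_encrypt(m: int, r: int = 0) -> int:
    """Encrypt with fresh randomness unless a fixed r is given (for tests)."""
    if r == 0:
        r = 1 + secrets.randbelow((1 << 16) - 1)
    return textbook_encrypt(pad(m, r))

def padded_decrypt(c: int) -> int:
    return unpad(textbook_decrypt(c))

def product_relation_holds(a: int, b: int, randomized: bool) -> bool:
    """Does decrypting E(a)*E(b) mod n yield a*b mod n?

    For textbook RSA this always holds (ciphertexts are malleable),
    which is the structural weakness padding is meant to remove.
    """
    if randomized:
        enc, dec = padded_encrypt, padded_decrypt
    else:
        enc, dec = textbook_encrypt, textbook_decrypt
    return dec((enc(a) * enc(b)) % N) == (a * b) % N

if __name__ == "__main__":
    print("textbook deterministic:", textbook_encrypt(42) == textbook_encrypt(42))
    print("padded deterministic:  ", padded_encrypt(42) == padded_encrypt(42))
    print("textbook malleable:    ", product_relation_holds(200, 3, False))
    print("padded malleable:      ", product_relation_holds(200, 3, True))
```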
