[41413] in cryptography@c2.net mail archive


Re: Raw RSA

daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Fri Sep 8 10:36:01 2006

X-Original-To: cryptography@metzdowd.com
Date: Thu, 7 Sep 2006 10:50:24 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: Alexander Klimov <alserkli@inbox.ru>
Cc: cryptography@metzdowd.com
In-Reply-To: <TheMailAgent.b49be4a1ded74@8f85e41341651717aceb8>

| Hi.
| 
| If an attacker is given access to a raw RSA decryption oracle (the
| oracle calculates c^d mod n for any c) is it possible to extract the
| key (d)?
If I hand you my public key, I have in effect handed you an oracle that
will compute c^d mod n for any c.  What you are asking is whether you
can then extract my private key e - which is exactly what the security
claims for RSA say you cannot do.  (Note that I chose to call my
public key d and my private key e - but since the two keys are
completely equivalent in RSA, that's just naming.)
 
| It is known that, given such an oracle, the attacker can ask for
| "decryption" of all primes less than B, and then he will be able to
| sign PKCS-1 encoded messages if the representative number is B-smooth,
| but is there any way to actually recover d itself?
RSA is multiplicative, so, yes, this follows easily unless the encoding
used prevents it.
							-- Jerry

| -- 
| Regards,
| ASK
| 
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
| 
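The multiplicative property this thread turns on, as an added example that is not part of the original messages: values c^d mod n obtained for the primes below B combine into a valid raw signature on any B-smooth number, with no further use of d, while a number with a prime factor above B cannot be built this way. The toy key, the bound B = 50, and all function names are assumptions made for the illustration.

```python
# Toy RSA key, constructed for illustration (far too small for real use).
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only by raw_oracle


def raw_oracle(c):
    """Raw RSA private-key operation: c^d mod n, with no encoding check."""
    return pow(c, D, N)


def primes_below(bound):
    """All primes p < bound, by trial division (fine for a small bound)."""
    return [p for p in range(2, bound)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def factor_over(m, primes):
    """Return {prime: exponent} if m factors fully over primes, else None."""
    if m < 1:
        return None
    exps = {}
    for p in primes:
        while m % p == 0:
            m //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if m == 1 else None


def combine(m, table):
    """Build m^d mod n from stored p^d values alone; None if m is not smooth."""
    exps = factor_over(m, sorted(table))
    if exps is None:
        return None
    s = 1
    for p, k in exps.items():
        s = s * pow(table[p], k, N) % N  # (a*b)^d = a^d * b^d mod n
    return s


def verify(m, s):
    """Public-key check of a raw signature: s^e mod n == m."""
    return pow(s, E, N) == m % N


B = 50
TABLE = {p: raw_oracle(p) for p in primes_below(B)}  # one oracle query per prime
SMOOTH = 2**3 * 3**2 * 7 * 43   # 21672, every prime factor is below B
NOT_SMOOTH = 2 * 53             # 53 is a prime above B, so no table entry covers it
```
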
