[41415] in cryptography@c2.net mail archive
Re: Raw RSA
daemon@ATHENA.MIT.EDU (Alexander Klimov)
Fri Sep 8 10:37:07 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 7 Sep 2006 18:27:48 +0300 (IDT)
From: Alexander Klimov <alserkli@inbox.ru>
To: "Leichter, Jerry" <leichter_jerrold@emc.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <Pine.SOL.4.61.0609071047030.970@mental>
On Thu, 7 Sep 2006, Leichter, Jerry wrote:
> | If an attacker is given access to a raw RSA decryption oracle (the
> | oracle calculates c^d mod n for any c) is it possible to extract the
> | key (d)?
> If I hand you my public key, I have in effect handed you an oracle that
> will compute c^d mod n for any c. What you are asking is whether you
> can then extract my private key e - which is exactly what the security
> claims for RSA say you cannot do. (Note that I chose to call my
> public key d and by private key e - but since the two keys are
> completely equivalent in RSA, that's just naming.)
I want to extract the exponent that is used by the oracle: this is the
difference between the chosen-plaintext attack (it does not require an
oracle, since it is a public key scheme) and the chosen-ciphertext
attack (CCA1).
--
Regards,
ASK
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
