[41427] in cryptography@c2.net mail archive
Re: Raw RSA
daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Fri Sep 8 10:44:55 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 8 Sep 2006 10:40:04 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: Alexander Klimov <alserkli@inbox.ru>
Cc: cryptography@metzdowd.com
In-Reply-To: <TheMailAgent.8f305be229dec@1405a1c16f364ab1da592>
| > | If an attacker is given access to a raw RSA decryption oracle (the
| > | oracle calculates c^d mod n for any c) is it possible to extract the
| > | key (d)?
| > If I hand you my public key, I have in effect handed you an oracle that
| > will compute c^d mod n for any c. What you are asking is whether you
| > can then extract my private key e - which is exactly what the security
| > claims for RSA say you cannot do. (Note that I chose to call my
| > public key d and by private key e - but since the two keys are
| > completely equivalent in RSA, that's just naming.)
|
| I want to extract the exponent that is used by the oracle: this is the
| difference between the chosen-plaintext attack (it does not require an
| oracle, since it is a public key scheme) and the chosen-ciphertext
| attack (CCA1).
I don't follow. For RSA, the only difference between encryption and
decryption, and public and private key, and hence between chosen
plaintext and chosen ciphertext, is the arbitrary naming of one of
a pair of mutually-inverse values as the "private" key and the other
as the "public" key.
-- Jerry
| --
| Regards,
| ASK
|
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
|
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
