[41910] in cryptography@c2.net mail archive


Re: Raw RSA

daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Sep 10 11:19:55 2006

X-Original-To: cryptography@metzdowd.com
Date: Sun, 10 Sep 2006 08:12:49 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: "Leichter, Jerry" <leichter_jerrold@emc.com>
Cc: Alexander Klimov <alserkli@inbox.ru>, cryptography@metzdowd.com
In-Reply-To: <Pine.SOL.4.61.0609071047030.970@mental>

Leichter, Jerry wrote:
> | It is known, that given such an oracle, the attacker can ask for
> | "decryption"  of all primes less than B, and then he will be able to
> | sign PKCS-1 encoded messages if the representative number is B-smooth,
> | but is there any way to actually recover d itself?

> RSA is multiplicative, so, yes, this follows easily unless the encoding
> used prevents it.

Could you describe this attack in more detail?  I do not see a scenario
where it would be useful.

The attacker can encrypt a subset of numbers - those that encrypt to a
B-smooth number, but for this to be useful to him, he has to find a number
in the subset that corresponds to what he desires to encrypt, which
looks like a very long brute force search.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
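
Added example, not part of the original message or the thread: a toy-sized illustration of the multiplicative property under discussion, showing that raw RSA outputs for the primes below B combine into the output for any B-smooth value, and measuring how many values in a range are B-smooth. The modulus, B, and all function names are constructed for illustration and are far too small for real use.

```python
# Toy parameters, constructed for illustration only (hypothetical, not from the thread).
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the oracle

def raw_rsa_oracle(x):
    """The unpadded private-key operation x^d mod n discussed in the thread."""
    return pow(x, D, N)

def primes_below(b):
    return [p for p in range(2, b)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def factor_over_base(m, base):
    """Return {prime: exponent} if m factors completely over base, else None."""
    exps = {}
    for p in base:
        while m % p == 0:
            m //= p
            exps[p] = exps.get(p, 0) + 1
    return exps if m == 1 else None

def compose(m, table):
    """Build m^d mod n from oracle outputs for primes only; None if m is not smooth."""
    exps = factor_over_base(m, sorted(table))
    if exps is None:
        return None
    s = 1
    for p, k in exps.items():
        s = s * pow(table[p], k, N) % N   # (p^d)^k multiplies up to (p^k)^d
    return s

B = 30
TABLE = {p: raw_rsa_oracle(p) for p in primes_below(B)}  # one oracle query per prime

def smooth_fraction(lo, hi):
    """Fraction of integers in [lo, hi) that are B-smooth for the table's primes."""
    base = sorted(TABLE)
    hits = sum(factor_over_base(m, base) is not None for m in range(lo, hi))
    return hits / (hi - lo)

if __name__ == "__main__":
    m = 2 ** 3 * 7 * 29 ** 2                 # B-smooth and smaller than N
    s = compose(m, TABLE)
    print("verifies under public key:", pow(s, E, N) == m)
    print("non-smooth value 1019:", compose(1019, TABLE))
    print("smooth fraction near N:", smooth_fraction(N - 50000, N))
```

An encoding such as PKCS-1 fixes most bits of the representative number, so whether a usable B-smooth representative can be found is the open point in the exchange above; the fraction printed here only covers the toy range.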
