Leichter, Jerry wrote:
| It is known, that given such an oracle, the attacker can ask for
| "decryption"  of all primes less than B, and then he will be able to
| sign PKCS-1 encoded messages if the representative number is B-smooth,
| but is there any way to actually recover d itself?

RSA is multiplicative, so, yes, this follows easily unless the encoding
used prevents it.

Could you describe this attack in more detail. I do not see a scenario where it would be useful.

The attacker can encrypt a subset of numbers - those that encrypt to a B smooth number, but for this to be useful to him, he has to find a number in the subset set that corresponds to what he desires to encrypt, which looks like a very long brute force search.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to