Leichter, Jerry wrote:
| It is known, that given such an oracle, the attacker can ask for | "decryption" of all primes less than B, and then he will be able to | sign PKCS-1 encoded messages if the representative number is B-smooth, | but is there any way to actually recover d itself?
RSA is multiplicative, so, yes, this follows easily unless the encoding used prevents it.
Could you describe this attack in more detail. I do not see a scenario where it would be useful.
The attacker can encrypt a subset of numbers - those that encrypt to a B smooth number, but for this to be useful to him, he has to find a number in the subset set that corresponds to what he desires to encrypt, which looks like a very long brute force search.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
