--------------------------------------------------
From: "Justin Ferguson" <[email protected]>
Subject: Re: RSA question
Correct me if I am wrong, but my understanding is that the padding scheme is the only thing that keeps the ciphertext from being deterministic. Thus without it, the attacker could generate ciphertexts until their ciphertext matched the real one. My question is mostly how much does the lack of/determinism in padding help the attacker? Or is this the same as more or less brute forcing with the padding?
It really depends. It comes down to the number of possible messages, and their probabilities, typically expressed as entropy. There are message recovery attacks against RSA with insufficient message entropy, and this is probably widely the case. Worst case for you, there are only two possible messages, the attacker only has to test one to determine the message. Best case for you is completely entropy saturated messages. The way to bring the environment closer to your best case/attacker's worst case is through random padding like that used in OAEP.
I'm also a bit unclear about how you're using it. You said the attacker knows the plaintext, but all encryption can really do is hide the plaintext. In many ways it sounds like you're looking for a digital signature algorithm, all the good ones have entropy injected.
Joe
---------------------------------------------------------------------
The Cryptography Mailing List
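Added example, not part of the original thread: the two-message case described in the reply, showing that unpadded RSA lets anyone holding the public key confirm a guessed plaintext by re-encrypting it, while OAEP's random seed makes that comparison fail. The key (a product of two published Mersenne primes), the candidate list and all function names are constructed for illustration; the OAEP encoding follows RFC 8017 with SHA-256 and an empty label, encryption side only.

```python
import hashlib
import os

# Constructed demo key: product of two well-known Mersenne primes. It is
# trivially factorable and only serves to show encryption behaviour.
N = (2**521 - 1) * (2**607 - 1)
E = 65537
K = (N.bit_length() + 7) // 8            # modulus length in bytes
HLEN = hashlib.sha256().digest_size

def raw_encrypt(m: bytes) -> int:
    """Unpadded RSA: the same message always yields the same ciphertext."""
    return pow(int.from_bytes(m, "big"), E, N)

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function with SHA-256."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(m: bytes) -> int:
    """RSA with OAEP encoding: a fresh random seed goes into every ciphertext."""
    if len(m) > K - 2 * HLEN - 2:
        raise ValueError("message too long")
    padding = b"\x00" * (K - len(m) - 2 * HLEN - 2)
    db = hashlib.sha256(b"").digest() + padding + b"\x01" + m
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    em = b"\x00" + masked_seed + masked_db
    return pow(int.from_bytes(em, "big"), E, N)

def recover_by_guessing(ciphertext: int, candidates, encrypt):
    """Return the candidate whose encryption equals the ciphertext, else None."""
    for guess in candidates:
        if encrypt(guess) == ciphertext:
            return guess
    return None

CANDIDATES = [b"YES", b"NO"]             # constructed low-entropy message space

if __name__ == "__main__":
    print(recover_by_guessing(raw_encrypt(b"NO"), CANDIDATES, raw_encrypt))
    print(recover_by_guessing(oaep_encrypt(b"NO"), CANDIDATES, oaep_encrypt))
```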
