[cryptography] RSA question

Justin Ferguson jnferguson at gmail.com
Tue Aug 31 10:59:13 EDT 2010

Hi Ralf,

I think I may have missed a point in my explanation. Assume this is a DRM
scheme or some similar use case, with the ciphertext produced locally to the
attacker, such that they can watch, modify, et cetera the OAEP process. My
understanding, and this is a little fuzzy because as best as I can tell this
is an invalid use case for RSAES-OAEP, but the ability to know and control
the padding scheme would render RSA back to a deterministic state would it

Thus my question about what this really gains for the attacker.

Again, thanks for the reply. Sorry for the top post my phone is not a fan
of letting me reply inline.

Best Regards,

Justin N. Ferguson

(sent from my mobile device potentially without spellcheck but more likely
potentially containing bizarre auto-completions)

On Aug 31, 2010 5:45 AM, "Ralf-Philipp Weinmann" <ralf at coderpunks.org> wrote:

On 08/31/2010 09:07 AM, Justin Ferguson wrote:
> Hi,
Hi Justin,

> I'm not really much of a crypto guy so when the details come up it's often
kind of hard for me to ...
this is a very, very common situation (knowing the public key and the
actual encryption scheme [with parameters] used): Since you know the
public key & scheme and can choose arbitrary plaintexts, you can also
produce corresponding ciphertexts for them...

> Furthermore, the attacker can modify those
> values (id est random oracle values of zero, or whate...
This is called an adaptive chosen-text scenario in cryptographers' circles.

> Furthermore, the key length exceeds the length of the message. Basically,
only the private key is ...
OK. That's good for the defender :)

> From that, what I am getting is that this is virtually the same as RSA
without the padding scheme ...
The padding scheme is crucial! This is what provides the security over
other RSA variants; also, n.b.: the OAEP padding is randomized.

> however my question is how much does it really reduce the complexity? Is
an attack against this ev...
The proof is in the pudding, errr... padding here. For RSA-OAEP Fujisaki
et al. proved that OAEP provides semantic security against adaptive
chosen-text attacks in a CRYPTO 2001 paper for which you can find the
extended version (published in the Journal of Cryptology) here:


Finally, please be aware that proofs need not necessarily be correct, as
has been demonstrated by an earlier attempt to prove OAEP secure [0,1]
which was later found to be flawed by Shoup [2].

Hope to have helped,

[0] S. Goldwasser and S. Micali: Probabilistic Encryption.
   Journal of Computer and System Sciences, 28:270-299, 1984

[1] C. Rackoff and D. R. Simon: Non-Interactive Zero-Knowledge
   Proof of Knowledge and Chosen Ciphertext Attack. In CRYPTO 1991,
   LNCS 576, pages 433-44, Springer-Verlag, Berlin, 1992

[2] V. Shoup: OAEP Reconsidered. In CRYPTO 2001, LNCS 2139,
   pages 239-259, Springer-Verlag, Berlin
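Ralf's point that the OAEP padding is randomized, and Justin's scenario in which the attacker fixes the "random oracle values", can be checked side by side with the following added example (not code from this thread): a pure-Python RFC 8017 EME-OAEP encoder on top of a throwaway RSA key. With a fresh seed the same plaintext gives a different ciphertext every time; with an attacker-fixed seed the scheme collapses to deterministic RSA, so anyone holding the public key can recompute the ciphertext of a guessed plaintext and compare it. Assumed: SHA-256 for both the OAEP hash and MGF1, an empty label, and a 1024-bit demo key generated here with a minimal Miller-Rabin test.

```python
import hashlib, secrets

HLEN = 32  # SHA-256 digest length, used for both the OAEP hash and MGF1

def mgf1(seed: bytes, length: int) -> bytes:
    # MGF1 mask generation function (RFC 8017, B.2.1) instantiated with SHA-256
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // HLEN)))
    return b"".join(blocks)[:length]

def oaep_encode(msg: bytes, k: int, seed: bytes, label: bytes = b"") -> int:
    # EME-OAEP encoding (RFC 8017, 7.1.1) into an integer below 2^(8k-8).
    # The seed is the per-encryption randomness; the caller supplies it here.
    if len(msg) > k - 2 * HLEN - 2 or len(seed) != HLEN:
        raise ValueError("message too long or seed is not hLen bytes")
    pad = b"\x00" * (k - len(msg) - 2 * HLEN - 2)
    db = hashlib.sha256(label).digest() + pad + b"\x01" + msg
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - HLEN - 1)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, HLEN)))
    return int.from_bytes(b"\x00" + masked_seed + masked_db, "big")

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    # Miller-Rabin for odd n > 3; enough for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def gen_demo_key(bits: int = 1024, e: int = 65537):
    # Toy RSA public key (n, e) plus k = byte length of n. Demo only.
    def rand_prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1
            if (p - 1) % e and is_probable_prime(p):
                return p
    return (rand_prime(bits // 2) * rand_prime(bits // 2), e), bits // 8

def rsa_oaep_encrypt(pub, k: int, msg: bytes, seed=None) -> int:
    # A fresh seed per call is what makes RSAES-OAEP randomized; passing a
    # fixed seed models the attacker-controlled padding discussed above.
    n, e = pub
    seed = secrets.token_bytes(HLEN) if seed is None else seed
    return pow(oaep_encode(msg, k, seed), e, n)
```

Encrypting the same message twice with fresh seeds yields two different ciphertexts; with a seed of all zero bytes it yields the same ciphertext each time, and a different guessed plaintext under that fixed seed yields a different one, which is exactly the guess-and-compare property a randomized padding is there to deny.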