[cryptography] RSA question

James A. Donald jamesd at echeque.com
Tue Aug 31 13:07:26 EDT 2010

On 2010-08-31 5:07 PM, Justin Ferguson wrote:
> Hi,
> I'm not really much of a crypto guy so when the details come up it's
> often kind of hard for me to entirely wrap my head around. That said,
> I'm currently dealing with a situation where the public key,
> plain-text and cipher-text are all known to an attacker; furthermore,
> the random oracles/et cetera employed during the OEAP scheme are also
> known to the attacker. Furthermore, the attacker can modify those
> values (id est random oracle values of zero, or whatever the attacker
> wants) and repeat the plain-text to cipher-text process as they see
> fit. Furthermore, the key length exceeds the length of the message.
> Basically, only the private key is not under the attackers control.
>> From that, what I am getting is that this is virtually the same as RSA
> without the padding scheme and should be vulnerable due to it being a
> deterministic algorithm; however my question is how much does it
> really reduce the complexity? Is an attack against this even feasible
> in any practical terms?

RSA allows anyone to encrypt anything they choose using Alice's public 
key, but only Alice can decrypt, for she alone has the private key.

What the attacker can do, on seeing an encrypted message, and wishing to 
decrypt it, is guess all likely plain texts, and try them.

To prevent this, the message must be unguessable.  It must contain a 
large secret random number, (padding) or else must *be* a large secret 
random number.

The usual procedure is to generate a large random number, encrypt it 
using RSA, and use this secret number to symmetrically encrypt the 
actual message.

The answer to your question is a question:  Are you RSA encrypting a 
secret, and if you are, is the secret sufficiently random?

More information about the cryptography mailing list