[cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

Alan Braggins alan.braggins at gmail.com
Mon Nov 5 04:51:25 EST 2012


On 03/11/12 09:29, Peter Gutmann wrote:
> In the past there have been a few proposals to use asymmetric cryptosystems,
> typically RSA, like symmetric ones by keeping the public key secret, the idea
> behind this being that if the public key isn't known then there isn't anything
> for an attacker to factor or otherwise attack.  Turns out that doing this
> isn't secure:
>
>    http://eprint.iacr.org/2012/588
>
>    Breaking Public Keys - How to Determine an Unknown RSA Public Modulus
>    Hans-Joachim Knobloch
>
>    [...] We show that if the RSA cryptosystem is used in such a symmetric
>    application, it is possible to determine the public RSA modulus if the
>    public exponent is known and short, such as 3 or F4=65537, and two or more
>    plaintext/ciphertext (or, if RSA is used for signing, signed
>    value/signature) pairs are known.

I've actually encountered a practical application for this. If you
have an HSM that allows unwrapping of private keys but keeps the whole
result entirely secret, and want to implement PKCS#11 C_UnwrapKey and
allow the modulus and public exponent of the private key to be queried
through C_GetAttributeValue, and the user hasn't chosen to import the
matching public key, then you have to do something like this.

Or add a DerivePublicFromPrivate operation to the next release of the
HSM firmware, which also works for DH, DSA, ECDSA, KCDSA, etc. :-)
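The gcd trick the quoted paper describes, as an added Python example that is not part of this thread or of the paper's own code. The key (two Mersenne primes with e = 17) and the messages are constructed for the demo; e = 65537 works identically but makes the unreduced powers millions of bits long. The small-factor bound used to strip the gcd's cofactor is an assumption that holds for any real RSA modulus.

```python
import math


def recover_rsa_modulus(pairs, e, small_factor_bound=1 << 16):
    """Recover an RSA modulus N from (x, y) pairs satisfying y == x**e mod N.

    For encryption the pairs are (plaintext, ciphertext); for signing they are
    (signature, signed value), because verification computes s**e mod N.
    Each difference x**e - y is an exact multiple of N, so the gcd of those
    differences is N times a (usually tiny) cofactor, which trial division
    strips.  Assumption: N has no prime factor below small_factor_bound.
    """
    g = 0
    for x, y in pairs:
        g = math.gcd(g, pow(x, e) - y)  # exact integer power, NOT reduced mod N
    if g == 0:
        # Every x**e stayed below N, so no pair ever wrapped and none carries
        # any information about N.
        raise ValueError("no pair with x**e >= N; need larger inputs or more pairs")
    for f in range(2, small_factor_bound):
        while g % f == 0:
            g //= f
    return g


# Constructed demo key: Mersenne primes 2**61-1 and 2**127-1, e = 17
# (17 is coprime to (P-1)*(Q-1), so D exists).
P = (1 << 61) - 1
Q = (1 << 127) - 1
E = 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, Python 3.8+


def demo():
    """Recover N from encryption pairs and from signature pairs; N is never given."""
    messages = [0x48656C6C6F, 0x1234567890ABCDEF, 0xDEADBEEFCAFEF00D]
    # Encryption use: the attacker sees plaintext/ciphertext pairs only.
    enc_pairs = [(m, pow(m, E, N)) for m in messages]
    n_from_enc = recover_rsa_modulus(enc_pairs, E)
    # Signing use: s = m**D mod N and s**E mod N == m, so the pairs are (s, m).
    sig_pairs = [(pow(m, D, N), m) for m in messages]
    n_from_sig = recover_rsa_modulus(sig_pairs, E)
    return n_from_enc, n_from_sig
```

The same routine covers the HSM case above: the `C_GetAttributeValue` caller only needs a few signatures produced by the wrapped private key to obtain the modulus.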
