CCA-attack is possible in text-book RSA, but how the decryption key $d$ is known to anyone, as it is kept secret with receiver.
Asked
Active
Viewed 1,183 times
1
-
1Could you describe, mathematically, the attack you are talking about? Also, are you talking textbook (unpadded) RSA? – mikeazo Mar 16 '15 at 14:19
-
1Are you talking about Bleichenbacher's ACCA attack? My understanding is that it's a padding oracle attack against PKCS#1, which inherently affects RSA, rather than an attack against RSA itself. – Polynomial Mar 16 '15 at 14:19
-
In RSA, except for side channel attacks, there's no known way the decryption key $d$ (or some equivalent information) can leak, no matter how disastrous the padding or the attack model, including CCA. – fgrieu Mar 16 '15 at 15:31
1 Answers
3
Chosen Ciphertext Attacks against RSA (such as Bleichenbacher's Attack on PKCS #1 encryption) do not actually reveal the private key.
If they don't, they why do we say that they are a threat? Well, it's because that the keys are generally not of interest to the attacker. Instead, given an encrypted message, the attacker actually wants to know what that message says. He's interested in the key only because the keys would reveal the message. If the attacker can find a way to get the message without the key, he has won the game. Bleichenbacher gives him such a way.
poncho
- 147,019
- 11
- 229
- 360
-
-
1@Aria: same thing -- they do not reveal the keys; they might reveal the text of an encrypted message. – poncho Mar 16 '15 at 14:28
-
@Aria A CCA attack is no total break, i.e., it is not required to reveal the secret key, but only to decide which of your two messages has been encrypted as your challenge ciphertext. Look into random self reducibility of the RSA problem to see how you can exploit that for a CCA attack on textbook RSA. – DrLecter Mar 16 '15 at 14:32