Consider a multi-party system where the public keys of all receivers are known. The server wants to send a message to one of them using (textbook?) RSA. The adversary is given the ciphertext and even the message to be sent, and all $k$ public keys of the participants. Can any attack tell who is the target receiver?

Or in a nutshell: Given $C$, $M$ and all $k$ public keys, can an attacker tell with significant probability which public key was used to encrypt $M$ giving $C$?


Editor's note: The textbook RSA part is per OP's comment. It was originally plaintext RSA. Alternatively, the question makes (more?) sense with some random encryption padding.

fgrieu
Sam
  • The question is hard to understand. One reason is it is a single long sentence. I strongly recommend to break it down. Also, what's "plaintext RSA"? Is that textbook RSA, where encryption of message $M$ is directly as $C=M^e\bmod n$? In which case it's trivial to match a pair $(M,C)$ with a public key $(n,e)$. Things are more complex with RSA using proper encryption padding, e.g. RSAES-OAEP, especially if public moduli $n$ share their high-order bits. – fgrieu May 04 '21 at 03:11
  • @fgrieu yes, it is textbook RSA and yes, $C=M^e\bmod n$, but it is not trivial to match M, C with (n,e) because k may be exponential. There are k public keys for k recipients here; I hope I made myself clear. – Sam May 04 '21 at 04:07
  • "$k$ may be exponential" is strange. It's a given, thus it's constant, thus not exponential. And the work for the trivial attack (assuming textbook RSA and known $m$) is linear with $k$ (not even polynomial, much less exponential). Are you sure it's textbook RSA (with no random padding) and $M$ is known? That does not seem to make sense. – fgrieu May 04 '21 at 05:49
  • @fgrieu I am sure it is textbook RSA and M is given to the adversary, and you may be right: in order k time he can find out, as he just needs to make a table for all participants on input m and their public key, but I still have doubts about the limit on k. Can you propose another attack, if k is exponential in the security parameter, to know the e value of the targeted receiver, or can you refer me to some text? – Sam May 04 '21 at 06:22
  • $k$ can't be exponential to the security parameter, because the cost of generating the $k$ key pairs would be exponential too, and we consider only probabilistic polynomial time algorithms for operating a cryptosystem. Really, I think something in the input of textbook RSA encryption must be unknown to the attacker for the problem to make sense. That can be part of $M$ itself, or part of the encryption padding. – fgrieu May 04 '21 at 06:55
  • I agree that there's a trivial $()$ solution and this cannot be exponential. All you need to do is go one by one and match. A more interesting question is given a plaintext, $k$ ciphertexts and $k$ keys with each ciphertext being encrypted with a different key, find all matches. This will cost $\frac{(+1)}2$ checks naively. However, can be done with an EXPECTED cost of about 1/4 of that cost! In addition, I think that with some non-trivial probabilistic (and partially heuristic) arguments, one could do even better. I'll leave the challenge to you all! – Yehuda Lindell May 04 '21 at 07:28
  • @YehudaLindell sir, it is somewhat a kind of anonymous public-key encryption. Is textbook RSA anonymous? I read in some paper that it is not: seeing the ciphertext, the adversary can know who is the targeted recipient out of K. I tried to figure out some attack to convince myself but could not. Can you please guide me? – Sam May 04 '21 at 07:33
  • It is not anonymous, but it also doesn't reveal everything. There is some partial information that you can derive, and this can help you to an expected number of checks that is less than $k$. Hint, you should expect to about $k/2$ checks to find the right key. – Yehuda Lindell May 04 '21 at 07:37
  • @Gilles'SO-stopbeingevil' : I don't see this Q is a dupe of Is it possible to recover an RSA modulus from its signatures?, because (A) the present question has no indication of multiple M/C pairs, assumed in the other Q (B) here we have the public key, we only need to identify it. – fgrieu May 06 '21 at 17:38

1 Answer

Given $C$, $M$ and all $k$ public keys, can an attacker tell with significant probability which public key was used to encrypt $M$ giving $C$ ?

Well, he can eliminate some of the possibilities (which means with $k=2$, he has a decent chance at finding the correct one).

There are two observations he can use:

  • He can eliminate all public keys $K_i$ for which $C \ge K_i$. This is pretty obvious, but (if he is lucky) might eliminate some.

  • For each public key $K_i$, he can compute the Jacobi symbols $\left( \frac{M}{K_i} \right)$ and $\left( \frac{C}{K_i} \right)$; if they differ, then he knows that $K_i$ is not the correct key.

This works because we're assuming textbook RSA, and textbook RSA always preserves the Jacobi symbol (which can be efficiently computed). For an incorrect key, this test will disqualify it with probability circa 0.5, and so about half the incorrect ones will be eliminated.

poncho
  • I wonder starting with what $e_i$ performing the Jacobi test has an advantage compared to the obvious: for all moduli $K_i$ with $K_i>C$, test if $M^{e_i}\bmod K_i=C$. – fgrieu May 06 '21 at 17:06
  • @fgrieu: doh! Sorry, I missed the completely obvious... – poncho May 06 '21 at 17:33
  • Still, for some threshold of $e_i$, the Jacobi test might save time. – fgrieu May 06 '21 at 17:34
  • @fgrieu: don't think so; for practically sized $e$ (say, 65537), computing $M^e \bmod K_i$ would actually be faster than Jacobi... – poncho May 06 '21 at 17:35
  • I checked, and in my test with Mathematica the threshold is like 200-bit $e$, give or take, for a possibly improved test that $\left( \frac{M,C}{K_i}{} \right)=+1$. Still it's a nice idea. – fgrieu May 06 '21 at 18:12
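
The two elimination filters from the answer and the direct re-encryption check from the comments, run side by side, as an added example that is not part of the original thread. The toy moduli, the exponent 3, the message and the names `jacobi`, `surviving_keys`, `KEYS`, `TARGET` are all constructed for illustration.

```python
# Added illustration; keys are constructed toy values, far too small for real use.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via the binary reciprocity algorithm."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be odd and positive")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2/n) = -1 iff n = 3,5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # 0 when gcd(a, n) != 1

def surviving_keys(M, C, keys):
    """Return the key indices left after each test described in the thread."""
    # Filter 1 (answer): a ciphertext is always smaller than its modulus.
    size_ok = [i for i, (n, _) in enumerate(keys) if C < n]
    # Filter 2 (answer): textbook RSA with odd e preserves the Jacobi symbol.
    jacobi_ok = [i for i in size_ok
                 if jacobi(M, keys[i][0]) == jacobi(C, keys[i][0])]
    # Direct test (comments): textbook RSA is deterministic, so re-encrypt and compare.
    exact = [i for i in size_ok if pow(M, keys[i][1], keys[i][0]) == C]
    return size_ok, jacobi_ok, exact

# Constructed (n, e) pairs; each n is a product of two small primes.
KEYS = [(187, 3), (391, 3), (451, 3), (517, 3), (583, 3), (667, 3), (697, 3)]
TARGET = 1                           # index of the real recipient (known only to the sender)
M = 10
C = pow(M, KEYS[TARGET][1], KEYS[TARGET][0])

if __name__ == "__main__":
    size_ok, jacobi_ok, exact = surviving_keys(M, C, KEYS)
    print("C =", C)
    print("after size filter:  ", size_ok)
    print("after Jacobi filter:", jacobi_ok)
    print("exact re-encryption:", exact)
```

On these values the Jacobi filter removes three of the five wrong keys that pass the size filter, while the re-encryption check singles out the recipient in one pass over the keys.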