RSA decryption with small exponent - no âpublic keysâ
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.
Does the small decryption exponent create a vulnerability in this case?
rsa
New contributor
add a comment |Â
up vote
1
down vote
favorite
I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.
Does the small decryption exponent create a vulnerability in this case?
rsa
New contributor
2
An attacker may guess it?
â SEJPMâ¦
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.
Does the small decryption exponent create a vulnerability in this case?
rsa
New contributor
I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.
Does the small decryption exponent create a vulnerability in this case?
rsa
rsa
New contributor
New contributor
New contributor
asked 1 hour ago
John
61
61
New contributor
New contributor
2
An attacker may guess it?
â SEJPMâ¦
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago
add a comment |Â
2
An attacker may guess it?
â SEJPMâ¦
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago
2
2
An attacker may guess it?
â SEJPMâ¦
1 hour ago
An attacker may guess it?
â SEJPMâ¦
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
5
down vote
Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.
The relation between plaintext, ciphertext and modulus is:
$$C^e equiv P pmod N$$
or
$$C^e - P = kN$$
for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute
$$gcd( C_1^e - P_1, C_2^e - P_2 )$$
and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.
On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
5
down vote
Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.
The relation between plaintext, ciphertext and modulus is:
$$C^e equiv P pmod N$$
or
$$C^e - P = kN$$
for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute
$$gcd( C_1^e - P_1, C_2^e - P_2 )$$
and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.
On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?
add a comment |Â
up vote
5
down vote
Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.
The relation between plaintext, ciphertext and modulus is:
$$C^e equiv P pmod N$$
or
$$C^e - P = kN$$
for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute
$$gcd( C_1^e - P_1, C_2^e - P_2 )$$
and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.
On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?
add a comment |Â
up vote
5
down vote
up vote
5
down vote
Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.
The relation between plaintext, ciphertext and modulus is:
$$C^e equiv P pmod N$$
or
$$C^e - P = kN$$
for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute
$$gcd( C_1^e - P_1, C_2^e - P_2 )$$
and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.
On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?
Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.
The relation between plaintext, ciphertext and modulus is:
$$C^e equiv P pmod N$$
or
$$C^e - P = kN$$
for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute
$$gcd( C_1^e - P_1, C_2^e - P_2 )$$
and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.
On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?
edited 24 mins ago
Ella Rose
14k43674
14k43674
answered 1 hour ago
poncho
86.7k2128217
86.7k2128217
add a comment |Â
add a comment |Â
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
John is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63066%2frsa-decryption-with-small-exponent-no-public-keys%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
2
An attacker may guess it?
â SEJPMâ¦
1 hour ago
Possible duplicate of RSA with small decryption exponent
â kelalaka
1 hour ago