New Attacks on PKCS#1 v1.5 Encryption
This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher’s attack, our attacks are chosen-plaintext only, i.e., they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending with sufficiently many zeroes can be recovered efficiently when two or more ciphertexts corresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith’s low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an RSA-based encryption standard that yields practical results for any public exponent.
Keywords: Plaintext Attack, Decryption Oracle, Related Message, Public Exponent, Trial Division
- 3. D. Boneh, Personal communication.
- 5. D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology — Eurocrypt ’96, vol. 1070 of Lecture Notes in Computer Science, pp. 155–165, Springer-Verlag, 1996.
- 7. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, Low exponent RSA with related messages, Advances in Cryptology — Eurocrypt ’96, vol. 1070 of Lecture Notes in Computer Science, pp. 1–9, Springer-Verlag, 1996.
- 8. Y. Desmedt and A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Advances in Cryptology — Crypto ’85, vol. 218 of Lecture Notes in Computer Science, pp. 516–522, Springer-Verlag, 1986.
- 9. K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, pp. 1–14, 1930.
- 10. G.H. Hardy and E.M. Wright, An Introduction to the theory of numbers, Fifth edition, Oxford University Press, 1979.
- 11. H. Lenstra, Factoring integers with elliptic curves, Annals of mathematics 126, 1987.
- 12. Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL), available at ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip.
- 14. RSA Data Security, PKCS #1: RSA Encryption Standard, Nov. 1993. Version 1.5.
- 15. RSA Laboratories, PKCS #1: RSA Cryptography Specifications, Sep. 1998, version 2.0.