New Attacks on PKCS#1 v1.5 Encryption

  • Jean-Sébastien Coron
  • Marc Joye
  • David Naccache
  • Pascal Paillier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


This paper introduces two new attacks on PKCS#1 V1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher’s attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending by sufficiently many zeroes can be recovered efficiently when two or more ciphertexts corresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith’s low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an RSA-based encryption standard that yields to practical results for any public exponent.


Plaintext Attack Decryption Oracle Related Message Public Exponent Trial Division 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare and P. Rogaway, Optimal Asymmetric Encryption, Advances in Cryptology — Eurocrypt’ 94, vol. 950 of Lecture Notes in Computer Science, pp. 92–111, Springer-Verlag, 1994.CrossRefGoogle Scholar
  2. 2.
    D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1, Advances in Cryptology — Crypto’ 98, vol. 1462 of Lecture Notes in Computer Science, pp. 1–12, Springer-Verlag, 1998.CrossRefGoogle Scholar
  3. 3.
    D. Boneh, Personal communication.Google Scholar
  4. 4.
    R. Brent, An improved Monte Carlo factorization algorithm, Nordisk Tidskrift för Informationsbehandling (BIT) vol. 20, pp. 176–184, 1980.zbMATHMathSciNetGoogle Scholar
  5. 5.
    D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology — Eurocrypt’ 96, vol. 1070 of Lecture Notes in Computer Science, pp. 155–165, Springer-Verlag, 1996.Google Scholar
  6. 6.
    D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. of Cryptology, 10(4), pp. 233–260, 1997.zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, Low exponent RSA with related messages, Advances in Cryptology — Eurocrypt’ 96, vol. 1070 of Lecture Notes in Computer Science, pp. 1–9, Springer-Verlag, 1996.Google Scholar
  8. 8.
    Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Advances in Cryptology — Crypto’ 85, vol. 218 of Lecture Notes in Computer Science, pp. 516–522, Springer-Verlag, 1986.Google Scholar
  9. 9.
    K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, pp. 1–14, 1930.Google Scholar
  10. 10.
    G.H. Hardy and E.M. Wright, An Introduction to the theory of numbers, Fifth edition, Oxford University Press, 1979.Google Scholar
  11. 11.
    H. Lenstra, Factoring integers with elliptic curves, Annals of mathematics 126, 1987.Google Scholar
  12. 12.
    Multiprecision Integer and Rational Arithmetic C/C++ Library (MIRACL), available at
  13. 13.
    R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21–2, pp. 120–126, 1978.CrossRefMathSciNetGoogle Scholar
  14. 14.
    RSA Data Security, PKCS #1: RSAEncryption Standard, Nov. 1993. Version 1.5.Google Scholar
  15. 15.
    RSA Laboratories, PKCS #1: RSACryptography Specifications, Sep. 1998, version 2.0.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
    • 3
  • Marc Joye
    • 2
  • David Naccache
    • 3
  • Pascal Paillier
    • 3
  1. 1.École Normale SupérieureParisFrance
  2. 2.Parc d’Activités de GémenosGemplus Card InternationalGémenosFrance
  3. 3.Gemplus Card InternationalIssy-les-MoulineauxFrance

Personalised recommendations