On the Broadcast and Validity-Checking Security of PKCS#1 v1.5 Encryption

  • Aurélie Bauer
  • Jean-Sébastien Coron
  • David Naccache
  • Mehdi Tibouchi
  • Damien Vergnaud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6123)


This paper describes new attacks on PKCS#1 v1.5, a deprecated but still widely used RSA encryption standard.

The first cryptanalysis is a broadcast attack that allows an adversary to recover an identical plaintext sent to several recipients. This is nontrivial because each encryption uses a different randomizer, so the padded plaintexts coincide only partially.

The second attack uses a single query to a validity-checking oracle to predict which of two chosen plaintexts corresponds to a challenge ciphertext, and it succeeds with very high probability.

The two new attacks rely on different mathematical tools and underline the need to accelerate the phase-out of PKCS#1 v1.5.


Keywords: PKCS#1 v1.5 encryption, broadcast encryption, cryptanalysis



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Aurélie Bauer (1)
  • Jean-Sébastien Coron (2)
  • David Naccache (1)
  • Mehdi Tibouchi (1, 2)
  • Damien Vergnaud (1)

  1. Département d’informatique, Groupe de cryptographie, École normale supérieure – C.N.R.S. – I.N.R.I.A., Paris Cedex 05, France
  2. Université du Luxembourg, Luxembourg, Luxembourg
