Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1

  • Daniel Bleichenbacher
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.


chosen ciphertext attack RSA PKCS SSL 


  1. 1.
    W. Alexi, B. Chor, O. Goldreich, and P. Schnorr. Bit security of RSA and Rabin functions. SIAM Journal of computing, 17(2):194–209, Apr. 1988.MATHMathSciNetCrossRefGoogle Scholar
  2. 2.
    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryptions schemes. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO '98, Lecture Notes in Computer Science. Springer Verlag, (in press).Google Scholar
  3. 3.
    M. Bellare and P. Rogaway. Optimal asymmetric encryption. In A. D. Santis, editor, Advances in Cryptology — EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science, pages 92–111, Berlin, 1995. Springer Verlag.Google Scholar
  4. 4.
    R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO '98, Lecture Notes in Computer Science. Springer Verlag, (in press).Google Scholar
  5. 5.
    G. I. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical Report TR-CS-82-2, Departement of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.Google Scholar
  6. 6.
    H. Finney. personal communication.Google Scholar
  7. 7.
    A. O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol, Version 3.0. Netscape, Mountain View, CA, 96.Google Scholar
  8. 8.
    S. Goldwasser, S. Micali, and P. Tong. Why and how to establish a private code on a public network. In Proc. 23rd IEEE Symp. on Foundations of Comp. Science, pages 134–144, Chicago, 1982.Google Scholar
  9. 9.
    J. Håstad and M. Näslund. The security of individual ESA bits, manusrcipt, 1998.Google Scholar
  10. 10.
    P. C. Kocher. Timing attacks on implementations of Diffie-Hellman RSA, DSS, and other systems. In N. Koblitz, editor, Advances in Cryptology — CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 104–113, Berlin, 1996. Springer Verlag.Google Scholar
  11. 11.
    RSA Data Security, Inc. PKCS #1: RSA Encryption Standard. Redwood City, CA, Nov. 1993. Version 1.5.Google Scholar
  12. 12.
    E. A. Young. SSLeay 0.8.1. url = Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Daniel Bleichenbacher
    • 1
  1. 1.Bell LaboratoriesMurray Hill

Personalised recommendations