50 attacks... [NOISE]
Hal
hfinney at shell.portal.com
Thu Oct 19 07:28:13 PDT 1995
fc at all.net (Dr. Frederick B. Cohen) writes:
>3 - I would have figured at least one of you would have looked up the
>chosen plaintext attack and told me why Netscape keys can't be gotten
>at this way. I think there's an off change I could win a grand!
I had missed this in your original posting. Here it is again:
> Concept 3 - There is a chosen plaintext attack against the RSA (published
> in the 1980s in a Crypto conference (IACR?).
>
> Attack 50 - Use your Hot Java capability to sign selected
> message after message till the attacker derives your private key.
> I think this takes one or two messages per bit of private key.
Chosen plaintext attacks against RSA don't work in the context of RSA
signatures, because the input to the RSA algorithm is a hash of the
message being signed. You can't control the hash the way you need to to
implement a chosen plaintext attack. (You can't "choose" the hash.)
For example, one kind of chosen plaintext attack would be to get an RSA
signature on 2, on 3, on 5, on 7, and so on, on all the primes. This
would let you create an RSA signature on any number by factoring the
number and multiplying the RSA signatures of its prime factors. But
there is no way to do this in practice because as RSA-based signatures
are actually implemented only hashes are signed. This is done exactly to
prevent this and similar attacks.
Hal
More information about the cypherpunks-legacy
mailing list