AW: [smb at Skype security evaluation]

Kuehn, Ulrich Ulrich.Kuehn at
Mon Oct 31 07:14:26 PST 2005

> -----Urspr|ngliche Nachricht-----
> Von: owner-cryptography at 
> [mailto:owner-cryptography at] Im Auftrag von cyphrpunk
> Gesendet: Freitag, 28. Oktober 2005 06:07
> An: cypherpunks at; cryptography at
> Betreff: Re: [smb at Skype security evaluation]
> Wasn't there a rumor last year that Skype didn't do any 
> encryption padding, it just did a straight exponentiation of 
> the plaintext?
> Would that be safe, if as the report suggests, the data being 
> encrypted is 128 random bits (and assuming the encryption 
> exponent is considerably bigger than 3)? Seems like it's 
> probably OK. A bit risky perhaps to ride bareback like that 
> but I don't see anything inherently fatal.
There are results available on this issue: First, a paper by 
Boneh, Joux, and Nguyen "Why Textbook ElGamal and RSA Encryption 
are Insecure", showing that you can essentially half the number 
of bits in the message, i.e. in this case the symmetric key 

Second, it turns out that the tricky part is the implementation 
of the decryption side, where the straight-forward way -- ignoring 
the padding with 0s "They are zeroes, aren't they?" -- gives you a 
system that might be attacked in a chosen plaintext scenario very 
efficiently, obtaining the symmetric key. See my paper "Side-Channel 
Attacks on Textbook RSA and ElGamal Encryption" at PKC2003 for 

Hope this answers your question.


More information about the cypherpunks-legacy mailing list