New attacks on PKCS#1 v1.5 encryption

Authors:
Jean-Sébastien Coron;Marc Joye;David Naccache;Pascal Paillier
Affiliations:
École Normale Supérieure, Paris, France and Gemplus Card International, Issy-les-Moulineaux, France;Gemplus Card International, Parc d'Activités de Géemenos, Gémenos, France;Gemplus Card International, Issy-les-Moulineaux, France;Gemplus Card International, Issy-les-Moulineaux, France
Venue:
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Year:
2000

Citing 5
Cited 5

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Low-exponent RSA with related messages

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Finding a small root of a univariate modular equation

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques

On the Security of RSA Encryption in TLS

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Why Textbook ElGamal and RSA Encryption Are Insecure

ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Verifying Anonymous Credential Systems in Applied Pi Calculus

CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Instantiability of RSA-OAEP under chosen-plaintext attack

CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
On the broadcast and validity-checking security of PKCS#1 v1.5 encryption

ACNS'10 Proceedings of the 8th international conference on Applied cryptography and network security

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher's attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending by sufficiently many zeroes can be recovered efficiently when two or more ciphertexts c orresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith's low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an rsa-based encryption standard that yields to practical results for any public exponent.