Abstract
This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attack is SSL V.3.0.
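The attack the abstract describes, as an added example that is not part of the paper: a Python implementation of the interval-narrowing search (steps 2 to 4 of the attack, the blinding step 1 skipped because the target ciphertext is already conforming) run against a simulated oracle that answers only whether a chosen ciphertext decrypts to a block starting with 0x00 0x02. The key is a constructed toy (two Mersenne primes, trivially factorable), the oracle's loose two-byte check and the message are assumptions of this example, and the constants B, a, b, r and s follow the paper's notation.

```python
"""Added example (not from the paper): Bleichenbacher's adaptive chosen-
ciphertext attack run against a toy PKCS #1 v1.5 padding oracle.

The oracle leaks exactly one bit per query: whether the decrypted block
starts with 0x00 0x02, i.e. whether the plaintext lies in [2B, 3B)."""
import secrets

# Constructed toy key: two Mersenne primes, chosen only so the example needs
# no prime generation. Trivially factorable; never use such a key for real.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30 here)
B = 1 << (8 * (K - 2))                 # conforming blocks are integers in [2B, 3B)


def pkcs1_v15_pad(msg: bytes) -> int:
    """EB = 00 || 02 || PS || 00 || D with PS made of non-zero random bytes (>= 8)."""
    assert len(msg) <= K - 11, "message too long for the modulus"
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def encrypt(msg: bytes) -> int:
    return pow(pkcs1_v15_pad(msg), E, N)


class PaddingOracle:
    """Models a server that reveals only whether a ciphertext's padding is
    PKCS-conforming (assumed loose check: first two bytes are 00 02)."""
    def __init__(self):
        self.queries = 0

    def __call__(self, c: int) -> bool:
        self.queries += 1
        eb = pow(c, D, N).to_bytes(K, "big")
        return eb[0] == 0x00 and eb[1] == 0x02


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def merge(intervals):
    """Union of closed integer intervals, as a sorted list of disjoint pairs."""
    out = []
    for a, b in sorted(intervals):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out


def bleichenbacher(c0: int, oracle) -> int:
    """Recover m = c0^d mod n from the padding oracle (steps 2-4 of the paper).
    Step 1 (blinding) is skipped because c0 is a genuine, conforming ciphertext."""
    def conforming(s):                   # is (s*m) mod n in [2B, 3B)?
        return oracle(c0 * pow(s, E, N) % N)

    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)               # step 2a: smallest conforming s >= n/(3B)
    while not conforming(s):
        s += 1
    while True:
        # step 3: every conforming s narrows each interval [a, b] of M
        narrowed = []
        for a, b in M:
            r_lo = ceil_div(a * s - 3 * B + 1, N)
            r_hi = (b * s - 2 * B) // N
            for r in range(r_lo, r_hi + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    narrowed.append((lo, hi))
        M = merge(narrowed)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]               # step 4: interval shrunk to the plaintext
        if len(M) > 1:                   # step 2b: several intervals, linear search
            s += 1
            while not conforming(s):
                s += 1
        else:                            # step 2c: one interval, pick r so that
            a, b = M[0]                  # each round roughly halves [a, b]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo = ceil_div(2 * B + r * N, b)
                hi = (3 * B - 1 + r * N) // a
                s_next = next((c for c in range(lo, hi + 1) if conforming(c)), None)
                if s_next is not None:
                    s = s_next
                    break
                r += 1


def recover_plaintext(c0: int, oracle) -> bytes:
    """Strip the PKCS #1 v1.5 block-type-2 padding from the recovered block."""
    eb = bleichenbacher(c0, oracle).to_bytes(K, "big")
    return eb[eb.index(b"\x00", 2) + 1:]


if __name__ == "__main__":
    oracle = PaddingOracle()
    secret = b"attack at dawn"             # constructed sample plaintext
    print(recover_plaintext(encrypt(secret), oracle), "after", oracle.queries, "queries")
```

With this toy modulus the ratio n/B is only about 1024, so the search in step 2a needs on the order of a thousand queries; with a 1024-bit key the expected cost is the much larger figure the paper derives. A stricter oracle (one that also checks for the 0x00 separator and at least eight padding bytes) returns "no" for some blocks in [2B, 3B), which slows steps 2a to 2c but does not break step 3, since only "yes" answers are used to narrow the intervals.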
References
W. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194–209, Apr. 1988.
M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO '98, Lecture Notes in Computer Science. Springer Verlag, (in press).
M. Bellare and P. Rogaway. Optimal asymmetric encryption. In A. D. Santis, editor, Advances in Cryptology — EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science, pages 92–111, Berlin, 1995. Springer Verlag.
R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO '98, Lecture Notes in Computer Science. Springer Verlag, (in press).
G. I. Davida. Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.
H. Finney. Personal communication.
A. O. Freier, P. Karlton, and P. C. Kocher. The SSL Protocol, Version 3.0. Netscape, Mountain View, CA, 1996.
S. Goldwasser, S. Micali, and P. Tong. Why and how to establish a private code on a public network. In Proc. 23rd IEEE Symp. on Foundations of Comp. Science, pages 134–144, Chicago, 1982.
J. Håstad and M. Näslund. The security of individual RSA bits. Manuscript, 1998.
P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In N. Koblitz, editor, Advances in Cryptology — CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 104–113, Berlin, 1996. Springer Verlag.
RSA Data Security, Inc. PKCS #1: RSA Encryption Standard. Redwood City, CA, Nov. 1993. Version 1.5.
E. A. Young. SSLeay 0.8.1. http://www.cryptsoft.com/
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bleichenbacher, D. (1998). Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (eds) Advances in Cryptology — CRYPTO '98. CRYPTO 1998. Lecture Notes in Computer Science, vol 1462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0055716
DOI: https://doi.org/10.1007/BFb0055716
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64892-5
Online ISBN: 978-3-540-68462-6
eBook Packages: Springer Book Archive