Encryption in cipher/rsa.c

thomas.schorpp t.schorpp at gmx.de
Mon Feb 2 08:41:00 CET 2004


Stefan Berthold wrote:
> Hi!
> 
> I believe that question was answered before, but I can't find the right
> link using Google.
> 
> The "public" function (lines 220ff in cipher/rsa.c) for encryption on
> the public side implements
> 
>  c = m^e mod n
> 
> Now I learned, there exists a known active attack, if you calculate c in
> the way described above: Given the attacker wants to decrypt c_3, i.e.
> he wants to get
>  
>  m_3 = (c_3^d mod n)
> 
> He chooses a c_1 with an inverse (c_1^(-1)) in Z_n and generates a c_2
> with
> 
>  c_2 = c_3 * c_1^(-1)
> 
> Now if the victim sends c_1^d and c_2^d (mod n) the attacker will get
> 
>  m_3 = c_1^d * c_2^d  (mod n)
> 
> because
> 
>  c_3^d = (c_1 * c_2)^d  (mod n)
>        = c_1^d * c_2^d  (mod n)
> 
> Where is my fault? -- A reference to an older explanation would fit.
> 
> Bye for now.

Hi,

I've seen this before, too.
Maybe try the Usenet crypto groups.

y
tom
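
Added example (not part of the original messages, and not GnuPG code): the multiplicative relation from the quoted question, checked on a constructed toy key, next to a private-key operation that releases a result only when it carries the expected encoding. The key, the `encode`/`decode` redundancy check (a simplified stand-in for a real message encoding such as PKCS#1) and all function names are assumptions made for this illustration.

```python
import hashlib

# Constructed toy key (assumption, far too small for real use): two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
EM_LEN, TAG_LEN = (N.bit_length() + 7) // 8, 8

def encode(msg: bytes) -> int:
    """Hypothetical encoding: message followed by a truncated SHA-256 tag."""
    x = int.from_bytes(msg + hashlib.sha256(msg).digest()[:TAG_LEN], "big")
    if x >= N:
        raise ValueError("message too long for this modulus")
    return x

def decode(x: int):
    """Return the message, or None when the redundancy check fails."""
    em = x.to_bytes(EM_LEN, "big")
    msg, tag = em[:-TAG_LEN].lstrip(b"\0"), em[-TAG_LEN:]
    return msg if hashlib.sha256(msg).digest()[:TAG_LEN] == tag else None

def raw_private(c: int) -> int:
    """The bare primitive c^d mod n, with no check on the result."""
    return pow(c, D, N)

def checked_private(c: int):
    """Private-key operation that releases only correctly encoded results."""
    return decode(raw_private(c))

def demo(c1: int = 0xC0FFEE):
    m3 = encode(b"sessionkey")                # constructed sample message
    c3 = pow(m3, E, N)                        # c = m^e mod n
    c2 = (c3 * pow(c1, -1, N)) % N            # c_2 = c_3 * c_1^(-1)
    product = (raw_private(c1) * raw_private(c2)) % N
    return {
        "product_equals_m3": product == m3,   # c_1^d * c_2^d = c_3^d (mod n)
        "checked_c1": checked_private(c1),    # None: result is not encoded
        "checked_c2": checked_private(c2),    # None: result is not encoded
        "checked_c3": checked_private(c3),    # the genuine message
    }

if __name__ == "__main__":
    print(demo())
```

The relation holds for the bare primitive because exponentiation distributes over multiplication mod n; the checked operation returns nothing for c_1 and c_2 because their results do not decode.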





