Encryption in cipher/rsa.c

Stefan Berthold dingx at atlantis.wh2.tu-dresden.de
Sat Jan 31 22:14:16 CET 2004


I belive that question was answered before, but I can't find the right
link using google.

The "public" function (lines 220ff in cipher/rsa.c) for encryption on
the public side implements

 c = m^e mod n

Now I learned, there exists a known active attack, if you calculate c in
the way described above: Given the attacker wants to decrypt c_3, i.e.
he wants to get
 m_3 = (c_3^d mod n)

He chooses an c_1 with an inverse (c_1^(-1)) in Z_n and generate an c_2

 c_2 = c_3 * c_1^(-1)

Now if the victim sends c_1^d and c_2^d (mod n) the attacker will get

 m_3 = c_1^d * c_2^d  (mod n)


 c_3^d = (c_1 * c_2)^d  (mod n)
       = c_1^d * c_2^d  (mod n)

Where is my fault? -- A reference to an older explanation would fit.

Hej så länge.

More information about the Gnupg-devel mailing list