Encryption in cipher/rsa.c
Stefan Berthold
dingx at atlantis.wh2.tu-dresden.de
Sat Jan 31 22:14:16 CET 2004
Hej!
I belive that question was answered before, but I can't find the right
link using google.
The "public" function (lines 220ff in cipher/rsa.c) for encryption on
the public side implements
c = m^e mod n
Now I learned, there exists a known active attack, if you calculate c in
the way described above: Given the attacker wants to decrypt c_3, i.e.
he wants to get
m_3 = (c_3^d mod n)
He chooses an c_1 with an inverse (c_1^(-1)) in Z_n and generate an c_2
with
c_2 = c_3 * c_1^(-1)
Now if the victim sends c_1^d and c_2^d (mod n) the attacker will get
m_3 = c_1^d * c_2^d (mod n)
because
c_3^d = (c_1 * c_2)^d (mod n)
= c_1^d * c_2^d (mod n)
Where is my fault? -- A reference to an older explanation would fit.
Hej så länge.
More information about the Gnupg-devel
mailing list