## Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS1 (1998)

Citations: | 237 - 1 self |

### BibTeX

@INPROCEEDINGS{Bleichenbacher98chosenciphertext,

author = {Daniel Bleichenbacher},

title = {Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS1},

booktitle = {},

year = {1998},

pages = {1--12},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper introduces a new adaptive chosen ciphertext attack against certain protocols based on RSA. We show that an RSA private-key operation can be performed if the attacker has access to an oracle that, for any chosen ciphertext, returns only one bit telling whether the ciphertext corresponds to some unknown block of data encrypted using PKCS #1. An example of a protocol susceptible to our attackisSSL V.3.0.

### Citations

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
(Show Context)
Citation Context ...idea to have a receiver check the integrity of a message immediately after decrypting that message. Even better is to check integrity before decrypting a message, as Cramer and Shoup show is possible =-=[4]-=-. Acknowledgments I thank Markus Jakobsson, David M. Kristol, and Jean-Francois Misarsky, as well as the members of the program committee, for all their comments and suggestions. I am grateful for the... |

450 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
(Show Context)
Citation Context ...ded a strong argument to use plaintext-aware encryption schemes, such as the one described by Bellare and Rogaway [3]. Note that plaintext awareness implies security against chosen-ciphertext attacks =-=[2, 3]-=-. In particular, Version 2 of PKCS #1, which makes use of [3], is not susceptible to the attack described in this paper. It is a good idea to have a receiver check the integrity of a message immediate... |

238 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ...ing out error messages can present a security risk. We also believe that we have provided a strong argument to use plaintext-aware encryption schemes, such as the one described by Bellare and Rogaway =-=[3]-=-. Note that plaintext awareness implies security against chosen-ciphertext attacks [2, 3]. In particular, Version 2 of PKCS #1, which makes use of [3], is not susceptible to the attack described in th... |

30 |
Signature Cryptanalysis of the RSA (MIT) Public-Key Cryptosystem
- Davida
- 1982
(Show Context)
Citation Context ...laintext attack is called adaptive if the attacker can chose the ciphertexts depending on previous outcomes of the attack. It is well known that plain RSA is susceptible to a chosen-ciphertext attack =-=[5]-=-. An attacker who wishes to nd the decryption m c d (mod n) of a ciphertext c can chose a random integer s and ask for the decryption of the innocent-looking message c 0 s e c mod n. From the answer m... |

29 |
Timing Attacks on Implementations of Di e-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
(Show Context)
Citation Context ...ature is checked. Hence, by measuring the server's response time, an attacker could determine whether c is PKCS conforming. This timing attack is much easier to perform than is Kocher's timing attack =-=[10]-=-, which measures the time di erence of single modular multiplications { a small fraction of the time used for one exponentiation. In our case, however, we have to distinguish between performing only a... |

26 |
Why and How to Establish a Private Code on a Public Network
- Goldwasser, Micali, et al.
- 1982
(Show Context)
Citation Context ...r m 0 (c 0 ) d , it is easy to recover the original message, because m m 0 s ,1 (mod n). Another well-known result is that the least signi cant bit of RSA encryption is as secure as the whole message =-=[8]-=- (see also [1]). In particular, there exists an algorithm that can decrypt a ciphertext if there exists another algorithm that can predict the least signi cant bit of a message given only the correspo... |

1 |
Bit security of RSA and Rabin functions
- Alexi, Chor, et al.
- 1988
(Show Context)
Citation Context ... , it is easy to recover the original message, because m m 0 s ,1 (mod n). Another well-known result is that the least signi cant bit of RSA encryption is as secure as the whole message [8] (see also =-=[1]-=-). In particular, there exists an algorithm that can decrypt a ciphertext if there exists another algorithm that can predict the least signi cant bit of a message given only the corresponding cipherte... |

1 |
The security of individual RSA bits. manusrcipt
- Hastad, Naslund
- 1998
(Show Context)
Citation Context ...dict the least signi cant bit of a message given only the corresponding ciphertext and the public key. Hastad and Naslund recently extended this result to show that all individual RSA bits are secure =-=[9]-=-. Hence, it is not necessary for an attacker to learn the complete decrypted message in a chosen-ciphertext attack: Single bits per chosen ciphertext may be su cient. The result reported in this paper... |

1 |
SSLeay 0.8.1. url = http://www.cryptsoft.com/ This article was processed using the LaT E X macro package with LLNCS style
- Young
(Show Context)
Citation Context ...er tries to modify the hello messages such that both client and server use the compatibility mode and hence use the Version 2.0, instead of Version 3.0, protocols. One implementation that we analyzed =-=[12]-=- checks the version number only if the server is running in the compatibility mode, because otherwise obviously no rollback attack has occurred. Amuch more secure implementation would check the versio... |

1 |
Bit security of RSA and Rabin functions. SIAM Journal of computing
- Alexi, Chor, et al.
- 1988
(Show Context)
Citation Context ...is easy to recover the original message, because m j m0s\Gamma 1 (mod n). Another well-known result is that the least significant bit of RSA encryption is as secure as the whole message [8] (see also =-=[1]-=-). In particular, there exists an algorithm that can decrypt a ciphertext if there exists another algorithm that can predict the least significant bit of a message given only the corresponding ciphert... |

1 |
The security of individual RSA bits. manusrcipt
- Hstad, Nlund
- 1998
(Show Context)
Citation Context ...ict the least significant bit of a message given only the corresponding ciphertext and the public key. H~stad and N~slund recently extended this result to show that all individual RSA bits are secure =-=[9]-=-. Hence, it is not necessary for an attacker to learn the complete decrypted message in a chosen-ciphertext attack: Single bits per chosen ciphertext may be sufficient. The result reported in this pap... |

1 |
Timing attacks on implementations of Difiie-Hellman RSA, DSS, and other systems
- Kocher
- 1996
(Show Context)
Citation Context ...ature is checked. Hence, by measuring the server's response time, an attacker could determine whether c is PKCS conforming. This timing attack is much easier to perform than is Kocher's timing attack =-=[10]-=-, which measures the time difference of single modular multiplications - a small fraction of the time used for one exponentiation. In our case, however, we have to distinguish between performing only ... |

1 |
SSLeay 0.8.1. url
- Young
(Show Context)
Citation Context ...er tries to modify the hello messages such that both client and server use the compatibility mode and hence use the Version 2.0, instead of Version 3.0, protocols. One implementation that we analyzed =-=[12]-=- checks the version number only if the server is running in the compatibility mode, because otherwise obviously no rollback attack has occurred. A much more secure implementation would check the versi... |