International Association for Cryptologic Research

CryptoDB

A Weak-Randomizer Attack on RSA-OAEP with e = 3

Authors:
Daniel R. L. Brown
Download:
URL: http://eprint.iacr.org/2005/189
Abstract: Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith's algorithm to work. In practice, messages are symmetric cipher keys and these are potentially short enough for certain sets of key sizes. Weak randomizers could arise in constrained smart cards or in kleptographic implementations. Because RSA's major use is transporting symmetric keys, this attack is a potential concern. In this respect, OAEP's design is more fragile than necessary, because a secure randomizer is critical to prevent a total loss of secrecy, not just a loss of semantic security or chosen-ciphertext security. Countermeasures and more robust designs that have little extra performance cost are proposed and discussed.
BibTeX
@misc{eprint-2005-12525,
  title={A Weak-Randomizer Attack on RSA-OAEP with e = 3},
  booktitle={IACR Eprint archive},
  keywords={public-key cryptography / RSA, OAEP},
  url={http://eprint.iacr.org/2005/189},
  note={ dbrown@certicom.com 12970 received 22 Jun 2005, last revised 6 Jul 2005},
  author={Daniel R. L. Brown},
  year=2005
}