undefined | Better HN

0 pointsmackman2y ago0 comments

Does each bit flip reveal a bit or less or does somehow a single flip compromise the entire key?

0 comments

It's akin to me having the secret number 17, giving you 221 (17*13) and then, during a solar flare, fucking it up once and giving you 187 (17*11). You know that the numbers are the product of a multiplication, and you know that a common factor is my private secret number. You figure out that the only way to get to 187 and 221 while keeping a common factor is if that factor is 17. That's just computing the GCD.

>An RSA public key consists of a public exponent 𝑒 and a modulus 𝑁 = 𝑝𝑞 that is the product of two primes. The private key consists of the private exponent 𝑑 = 𝑒 −1 mod 𝜙 (𝑁) and 𝑁 . A textbook RSA signature on a message 𝑚 is the value 𝑠 = 𝑚𝑑 mod 𝑁 . To verify the signature, a user checks if 𝑠𝑒 mod 𝑁 = 𝑚

> these attacks exploit the fact that if an error is made while computing modulo one prime, say 𝑞, then the resulting invalid signature ˆ𝑠 is equivalent to the correct signature modulo one prime factor 𝑝, but not 𝑞. 2.2.1 GCD attack on fully known messages. Boneh, DeMillo, and Lipton noted [11] that if an attacker had a correct signature 𝑠 and an incorrect signature ˆ𝑠 of this form then the attacker could compute gcd(𝑁, ˆ𝑠 − 𝑠) = 𝑝

gonzo2y ago

you have to flip two bits to get from 13 (1101) to 11 (1011).

SAI_Peregrinus2y ago

A single bit flip reveals the entire private key, for RSA with PKCS#1v1.5. RSA with PKCS#1v2 (aka RSA-PSS) is not vulnerable.

j / k navigate · click thread line to collapse