Chosen Ciphertext Attack Against RSA: Scenario 2

• Trent is a computer notary public. When Alice wants a document notarized, she sends it to Trent who signs it with an RSA digital signature.

• Mallory wants Trent to sign a message he otherwise wouldn’t, call it m’

• Mallory chooses arbitrary x and computes y = x e mod n (where e is Trent’s public key).

• Then he computes m=ym’ mod n and sends m to Trent to sign.

• Trent returns md mod n = (ym’) d mod n = xm’ d mod n.

• Mallory calculates (md mod n) x -1 mod n = m’ d mod n, which is the signature of m’.

Previous slide

Next slide

Back to first slide

View graphic version