RSA decryption with small exponent - no “public keys”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite
1












I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?






rsa







share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago














up vote
1
down vote

favorite
1












I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?






rsa







share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago












up vote
1
down vote

favorite
1









up vote
1
down vote

favorite
1






1





I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?






rsa







share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?






rsa




rsa






share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 1 hour ago









John

61




61




New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago












  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago







2




2




An attacker may guess it?
– SEJPM♦
1 hour ago




An attacker may guess it?
– SEJPM♦
1 hour ago












Possible duplicate of RSA with small decryption exponent
– kelalaka
59 mins ago




Possible duplicate of RSA with small decryption exponent
– kelalaka
59 mins ago










1 Answer
1






active

oldest

votes

















up vote
5
down vote













Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



The relation between plaintext, ciphertext and modulus is:



$$C^e equiv P pmod N$$



or



$$C^e - P = kN$$



for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



$$gcd( C_1^e - P_1, C_2^e - P_2 )$$



and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






share|improve this answer






















    Your Answer




    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    John is a new contributor. Be nice, and check out our Code of Conduct.









     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63066%2frsa-decryption-with-small-exponent-no-public-keys%23new-answer', 'question_page');

    );

    Post as a guest

















    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote













    Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



    The relation between plaintext, ciphertext and modulus is:



    $$C^e equiv P pmod N$$



    or



    $$C^e - P = kN$$



    for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



    $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



    and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



    On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






    share|improve this answer


























      up vote
      5
      down vote













      Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



      The relation between plaintext, ciphertext and modulus is:



      $$C^e equiv P pmod N$$



      or



      $$C^e - P = kN$$



      for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



      $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



      and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



      On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






      share|improve this answer
























        up vote
        5
        down vote










        up vote
        5
        down vote









        Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



        The relation between plaintext, ciphertext and modulus is:



        $$C^e equiv P pmod N$$



        or



        $$C^e - P = kN$$



        for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



        $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



        and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



        On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






        share|improve this answer














        Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



        The relation between plaintext, ciphertext and modulus is:



        $$C^e equiv P pmod N$$



        or



        $$C^e - P = kN$$



        for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



        $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



        and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



        On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 13 mins ago









        Ella Rose

        14k43674




        14k43674










        answered 58 mins ago









        poncho

        86.7k2128217




        86.7k2128217




















            John is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            John is a new contributor. Be nice, and check out our Code of Conduct.












            John is a new contributor. Be nice, and check out our Code of Conduct.











            John is a new contributor. Be nice, and check out our Code of Conduct.













             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63066%2frsa-decryption-with-small-exponent-no-public-keys%23new-answer', 'question_page');

            );

            Post as a guest
































































            Comments

            Post a Comment

            Popular posts from this blog

            Long meetings (6-7 hours a day): Being “babysat” by supervisor

            Image
            Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
            Read more

            What does second last employer means? [closed]

            Image
            Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote -3 down vote favorite Say, for example I have worked in the following companies, Company A => 2010 - 2011 Company B => 2011 - 2012 Company C => 2012 - Till Date Company D => Have offer Now assume Company D is asking to submit documents from my second last employer. So from the list of companies given, which company would be qualified as second last employer? software-industry employer share | improve this question asked Aug 10 '14 at 5:16 Rajaprabhu Aravindasamy 559 1 6 13 closed as off-topic by Jim G., jmort253 ♦ Aug 11 '14 at 1:58 This question appears to be off-topic. The users who voted to close gave this specific reason: "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only
            Read more

            One-line joke

            A one-liner is a joke that is delivered in a single line. A good one-liner is said to be pithy - concise and meaningful. [1] Comedians and actors use this comedic method as part of their act, e.g. Jimmy Carr, Tommy Cooper, Rodney Dangerfield, Norm Macdonald, Ken Dodd, Stewart Francis, Zach Galifianakis, Mitch Hedberg, Anthony Jeselnik, Milton Jones, Shappi Khorsandi, Jay London, Mark Linn-Baker, Demetri Martin, Groucho Marx, Dan Mintz, Emo Philips, Tim Vine, Steven Wright and Henny Youngman and Arnold Schwarzenegger. [ citation needed ] Many fictional characters are also known to deliver one-liners, including James Bond, who usually includes pithy and laconic quips after disposing of a villain. [ citation needed ] Examples "A baby seal walks into a club." "A dyslexic man walks into a bra." (Anonymous) "There are three types of people, those who can count and those who can't." "Venison's dear, isn't it?" (Jimmy Carr) "An escala
            Read more