RSA decryption with small exponent - no “public keys”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite
1












I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?










share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago














up vote
1
down vote

favorite
1












I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?










share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago












up vote
1
down vote

favorite
1









up vote
1
down vote

favorite
1






1





I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?










share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I have an unusual scenario where an RSA key pair is being used to protect the confidentiality of data in transit. The encryption exponent, the decryption exponent and the modulus are all kept secret between the two systems (i.e. there is no "public key"). The decryption exponent is 65537. Appropriate padding for RSA encryption is being used when encrypting.



Does the small decryption exponent create a vulnerability in this case?







rsa






share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 1 hour ago









John

61




61




New contributor




John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago












  • 2




    An attacker may guess it?
    – SEJPM♦
    1 hour ago










  • Possible duplicate of RSA with small decryption exponent
    – kelalaka
    59 mins ago







2




2




An attacker may guess it?
– SEJPM♦
1 hour ago




An attacker may guess it?
– SEJPM♦
1 hour ago












Possible duplicate of RSA with small decryption exponent
– kelalaka
59 mins ago




Possible duplicate of RSA with small decryption exponent
– kelalaka
59 mins ago










1 Answer
1






active

oldest

votes

















up vote
5
down vote













Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



The relation between plaintext, ciphertext and modulus is:



$$C^e equiv P pmod N$$



or



$$C^e - P = kN$$



for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



$$gcd( C_1^e - P_1, C_2^e - P_2 )$$



and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






share|improve this answer






















    Your Answer




    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    John is a new contributor. Be nice, and check out our Code of Conduct.









     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63066%2frsa-decryption-with-small-exponent-no-public-keys%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote













    Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



    The relation between plaintext, ciphertext and modulus is:



    $$C^e equiv P pmod N$$



    or



    $$C^e - P = kN$$



    for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



    $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



    and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



    On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






    share|improve this answer


























      up vote
      5
      down vote













      Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



      The relation between plaintext, ciphertext and modulus is:



      $$C^e equiv P pmod N$$



      or



      $$C^e - P = kN$$



      for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



      $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



      and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



      On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






      share|improve this answer
























        up vote
        5
        down vote










        up vote
        5
        down vote









        Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



        The relation between plaintext, ciphertext and modulus is:



        $$C^e equiv P pmod N$$



        or



        $$C^e - P = kN$$



        for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



        $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



        and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



        On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?






        share|improve this answer














        Actually, someone who gets two plaintext/ciphertext pairs (after padding; randomized padding foils this attack), and guesses the small exponent can recover the modulus, allowing him to decrypt other ciphertexts.



        The relation between plaintext, ciphertext and modulus is:



        $$C^e equiv P pmod N$$



        or



        $$C^e - P = kN$$



        for some integer $k$. Hence, if we have two such plaintext/ciphertext pairs $P_1, C_1, P_2, C_2$, the attacker could compute



        $$gcd( C_1^e - P_1, C_2^e - P_2 )$$



        and that is likely to be a small multiple of $N$; the actual value of $N$ (which has no small factors) is easy to derive from that.



        On the other hand, if everything is kept secret and shared between the two parties, is there any reason you don't go with (say) AES and a shared secret key?







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 13 mins ago









        Ella Rose

        14k43674




        14k43674










        answered 58 mins ago









        poncho

        86.7k2128217




        86.7k2128217




















            John is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            John is a new contributor. Be nice, and check out our Code of Conduct.












            John is a new contributor. Be nice, and check out our Code of Conduct.











            John is a new contributor. Be nice, and check out our Code of Conduct.













             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63066%2frsa-decryption-with-small-exponent-no-public-keys%23new-answer', 'question_page');

            );

            Post as a guest













































































            Comments

            Popular posts from this blog

            What does second last employer means? [closed]

            Installing NextGIS Connect into QGIS 3?

            One-line joke