Leichter, Jerry wrote:

| It is known, that given such an oracle, the attacker can ask for | "decryption" of all primes less than B, and then he will be able to | sign PKCS-1 encoded messages if the representative number is B-smooth, | but is there any way to actually recover d itself?

RSA is multiplicative, so, yes, this follows easily unless the encoding used prevents it.

`Could you describe this attack in more detail. I do not see a scenario`

`where it would be useful.`

`The attacker can encrypt a subset of numbers - those that encrypt to a B`

`smooth number, but for this to be useful to him, he has to find a number`

`in the subset set that corresponds to what he desires to encrypt, which`

`looks like a very long brute force search.`

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]