2

So my question is do padding schemes used in RSA protect it against Least Significant Bit Oracle attack?

The attack I am talking about is described here: RSA least significant bit oracle attack

As far as I know the padding schemes add some random bytes to the end of the block so that it always gives a different value when encrypted. But if it is done this way we can continue doing the LSB oracle attack and get the deciphered block, then easily discard the random bytes. Am I missing something about how padding schemes work?

Hesher

1 Answer

4

Actually, the "Least Significant Bit Oracle attack" isn't actually an attack.

Instead, it is the observation that, if you were given a magical black box (an Oracle) that is able to take an RSA encrypted ciphertext, and give you the lsbit of the plaintext, you could use that Oracle to decrypt the entire ciphertext.

What we can conclude from that observation is that determining the lsbit of the plaintext is as difficult as doing a full decryption. We use the phrase "hard bit" when discussing this (and similar) situations.

Since we don't actually have such a magical Oracle, we can't actually perform this in practice.

Since this is not specifically an attack (and in fact, is proof that the lsbit is not specifically weak), padding methods don't need to defend against it.

poncho
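The reduction described in the answer above, as an added example that is not part of the original answer: given only parity answers, the whole plaintext is recovered in one query per bit of the modulus, which is why the lsbit is called a hard bit. The toy key, the `lsb_oracle` stand-in (which uses the private key internally) and the helper names are constructed assumptions.

```python
# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the oracle


def encrypt(m):
    """Textbook RSA encryption of an integer 0 <= m < N."""
    return pow(m, E, N)


def lsb_oracle(c):
    """Hypothetical black box: reveals only the lowest bit of the plaintext."""
    return pow(c, D, N) & 1


def recover(c, oracle=lsb_oracle):
    """Recover the full plaintext of c using nothing but parity answers."""
    k = N.bit_length()
    two_e = pow(2, E, N)      # Enc(2); multiplying by it doubles the plaintext
    lo, hi = 0, N             # invariant after i rounds: lo/2**i <= m < hi/2**i
    for _ in range(k):
        c = (c * two_e) % N   # now encrypts 2**i * m mod N
        mid = lo + hi
        lo, hi = 2 * lo, 2 * hi
        if oracle(c) == 0:    # even: this doubling did not wrap past the odd N
            hi = mid
        else:                 # odd: it wrapped, so m lies in the upper half
            lo = mid
    # The interval is now narrower than 1, so it holds exactly one integer.
    return (lo + (1 << k) - 1) >> k
```

The recovered value is the full integer that was encrypted, so any padding bytes inside it come back along with the message.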