1

Consider a multi-party system where the public keys of all receivers are known. The server wants to send a message to one of them using (textbook?) RSA. The adversary is given the ciphertext and even the message to be sent, and all $k$ public keys of the participants. Can any attack tell who the target receiver is?

Or in a nutshell: Given $C$, $M$ and all $k$ public keys, can an attacker tell with significant probability which public key was used to encrypt $M$ giving $C$?


Editor's note: The textbook RSA part is per OP's comment. It was originally plaintext RSA. Alternatively, the question makes (more?) sense with some random encryption padding.

fgrieu
Sam

1 Answer

1

Given $C$, $M$ and all $k$ public keys, can an attacker tell with significant probability which public key was used to encrypt $M$ giving $C$?

Well, he can eliminate some of the possibilities (which means with $k=2$, he has a decent chance at finding the correct one).

There are two observations he can use:

  • He can eliminate all public keys $K_i$ for which $C \ge K_i$. This is pretty obvious, but (if he is lucky) might eliminate some.

  • For each public key $K_i$, he can compute the Jacobi symbols $\left( \frac{M}{K_i} \right)$ and $\left( \frac{C}{K_i} \right)$; if they differ, then he knows that $K_i$ is not the correct key.

This works because we're assuming textbook RSA, and textbook RSA always preserves the Jacobi symbol (which can be efficiently computed). For an incorrect key, this test will disqualify it with probability circa 0.5, and so about half the incorrect ones will be eliminated.

poncho
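The two elimination tests from the answer above, as an added Python example (not code from the answer or its author). The toy moduli, the public exponent 65537 and all function names are constructed for illustration; each key is represented by its modulus, and the exponent is assumed odd, which is what makes the Jacobi symbol carry over from $M$ to $C$.

```python
E = 65537  # assumed common public exponent (odd)

def jacobi(a, n):
    """Jacobi symbol (a/n) for positive odd n, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:   # sign flips iff both are 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0      # 0 when gcd(a, n) > 1

def surviving_keys(m, c, moduli):
    """Indices of the moduli that pass both tests: C < N_i and (M/N_i) == (C/N_i)."""
    return [i for i, n in enumerate(moduli)
            if c < n and jacobi(m, n) == jacobi(c, n)]

# Constructed toy moduli (products of two small primes); real moduli are far larger.
MODULI = [1009 * 1013, 1019 * 1021, 1031 * 1033, 1039 * 1049]

def average_survivors(moduli, messages, target):
    """Mean number of candidate keys left when moduli[target] is the real recipient."""
    counts = []
    for m in messages:
        c = pow(m, E, moduli[target])   # textbook RSA: no padding
        left = surviving_keys(m, c, moduli)
        assert target in left           # the correct key always passes both tests
        counts.append(len(left))
    return sum(counts) / len(counts)

if __name__ == "__main__":
    for t in range(len(MODULI)):
        avg = average_survivors(MODULI, range(2, 2000), t)
        print(f"recipient {t}: {avg:.2f} of {len(MODULI)} keys remain on average")
```

With randomized encryption padding the value fed to the RSA function is no longer the known $M$, so the Jacobi comparison has nothing to compare against; only the range test on $C$ still applies.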