Timeline for Definition of textbook RSA
Current License: CC BY-SA 3.0
14 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Sep 6, 2023 at 5:34 | comment | added | fgrieu♦ | This answer currently uses slightly incorrect notation. For example, in "compute $c\equiv m^e\mod n$", that should be $c=m^e\bmod n$, or $c:=m^e\bmod n$ or $c\gets m^e\bmod n$, for fear that it's understood "compute some $c$ with $c\equiv m^e\pmod n$", as occurred in this question. Also the bound $0\le m<n$ is untold, and that could lead to the different issue in this question. Also, $p\ne q$ is required for decryption to work for all $m$, and for $\varphi(n)=(p-1)\cdot(q-1)$ to hold. | |
| Nov 12, 2019 at 13:33 | comment | added | doughgle | Would the group (e.g. $\mathbf{Z}_N^{*}$) be considered part of the textbook definition? | |
| Nov 22, 2018 at 15:23 | comment | added | Maarten Bodewes♦ | I've tried to get a list of attacks that are possible on textbook RSA here. That kind-of failed as there were a lot more than expected. As indicated correctly in this answer "In no way is my list comprehensive"... And neither should it be, it is a separate topic - if not more - on its own. | |
| Nov 22, 2018 at 13:03 | comment | added | user48832 | @David天宇Wong Can you explain (or give a reference) the Jacobi symbol leakage? | |
| Sep 24, 2016 at 16:35 | comment | added | Ilmari Karonen | For completeness, you might also want to note that textbook RSA is insecure for short messages. In particular, there's an obvious attack whenever $m^e < n$ (just take the non-modular $e$-th root), but there are other attacks that apply even when $e$ is large but $m$ is small. | |
| Aug 3, 2015 at 12:26 | history | edited | mikeazo | CC BY-SA 3.0 | added 101 characters in body |
| Dec 9, 2014 at 1:27 | comment | added | David 天宇 Wong | Also it leaks the Jacobi symbol of the message. You can know if your message is a quadratic residue | |
| S Jul 3, 2013 at 14:10 | history | suggested | mykhal | CC BY-SA 3.0 | 65567 != 2^16 + 1 |
| Jul 3, 2013 at 14:05 | review | Suggested edits | |||
| S Jul 3, 2013 at 14:10 | |||||
| Dec 13, 2011 at 18:03 | comment | added | fgrieu♦ | Addition: $p$ and $q$ must be distinct, random and secret. Note: Some textbooks, and actual implementations, use $e\cdot d\equiv 1\pmod{\operatorname{lcm}(p-1,q-1)}$, which covers all working $d$, rather than some working $d$. Others require $d=e^{-1}\bmod\operatorname{lcm}(p-1,q-1)$, which uniquely specifies $d$ for given $p,q,e$, and makes $d$ the lowest valid working $d$. | |
| Dec 13, 2011 at 17:41 | history | edited | Paŭlo Ebermann | CC BY-SA 3.0 | some minor additions (and formatting) |
| Dec 12, 2011 at 20:18 | vote | accept | Bobby S | ||
| Dec 12, 2011 at 20:04 | history | edited | mikeazo | CC BY-SA 3.0 | added 19 characters in body |
| Dec 12, 2011 at 19:59 | history | answered | mikeazo | CC BY-SA 3.0 |