20 Aug 2013, 2:11 p.m.
On 20/08/2013 14:43, Warren D Smith wrote:
> Second, the way I had in mind to search for M depended on the fact that if the message (as an integer) exceeds M, then reducing it mod M would lose information. So this must be forbidden. Hence, by binary search to see what is forbidden, an attacker with black-box access to the crypto box could determine M.
If this were (1) a problem and (2) the only problem, it would be easy to deal with. Just pick some m smaller than M but not too much smaller, and use that instead of M as the bound. But I find this complaint peculiar. Someone says "why not use RSA?" and you then propose a different scheme *which is not RSA* and complain about a weakness this scheme has that isn't shared by RSA.

-- g
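The binary search Warren describes, and g's "use a smaller bound m" response, as an added worked example (this is not code from either poster or from any real scheme; the BlackBox class, its accepts() method and the fixed modulus are constructed for illustration). The box rejects any message at or above its bound, so the attacker only needs an accept/reject signal: about log2(range) queries pin down the bound exactly. Note what the example also shows: with g's fix the same search still runs, it just recovers m rather than M.

```python
import secrets


class BlackBox:
    """Hypothetical crypto box (constructed for this example): it holds a
    secret modulus M and refuses any message that is not strictly below
    its bound, because reducing a larger message mod M would lose
    information.  The bound defaults to M itself; g's suggestion is to
    pick a bound m < M instead."""

    def __init__(self, modulus, bound=None):
        self.M = modulus
        self.bound = modulus if bound is None else bound
        self.queries = 0  # count oracle calls to see how cheap the attack is

    def accepts(self, message):
        """The only thing the attacker observes: forbidden or not."""
        self.queries += 1
        return 0 <= message < self.bound


def recover_bound(box, upper):
    """Binary-search the accept/reject boundary of box.

    Invariant: lo is accepted (0 always is), hi is rejected.  The loop
    halves the interval each step, so it finishes in ceil(log2(upper))
    queries plus one sanity check, and returns the smallest rejected
    value, i.e. the box's bound."""
    if box.accepts(upper):
        raise ValueError("upper must be a value the box rejects")
    lo, hi = 0, upper
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if box.accepts(mid):
            lo = mid
        else:
            hi = mid
    return hi


def demo(modulus, bound=None, upper=1 << 64):
    """Run the attack against one box; returns (recovered bound, queries)."""
    box = BlackBox(modulus, bound)
    found = recover_bound(box, upper)
    return found, box.queries


if __name__ == "__main__":
    # Constructed secret modulus; any 64-bit value would do here.
    M = secrets.randbits(64) | (1 << 63)
    print("bound = M:   ", demo(M))               # recovers M itself
    print("bound = m<M: ", demo(M, bound=M - 1000))  # recovers m, not M
```

Whether leaking m (and hence an upper bound on M that is "not too much smaller") matters depends on the scheme, which is exactly the point g is making: this is a property of the proposed scheme, not of RSA, where the modulus is public to begin with.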