On Tue, Aug 20, 2013 at 7:43 AM, Warren D Smith <warren.wds@gmail.com> wrote:
> Mike, first of all, it does not appear you read my RSA message; I mentioned that M for this purpose (secret key mode) need not be p*q, it could be merely a prime.
You're right, I didn't read the bit about M being prime, sorry. That's not RSA, that's just a strange one-time pad.
> Second, the way I had in mind to search for M depended on the fact that if the message (as an integer) exceeds M, then modding by M would lose information. So this must be forbidden. Hence, by binary search to see what is forbidden, an attacker with black-box access to the crypto box could determine M.
Because it's a one-time pad, it can't be used twice, so there's no way to search. If you use this system with a prime M more than once, you're screwed.
> Third, even if you do not buy that (for example, if the crypto box permitted users to lose information and just silently screwed them in such an event), then still, just by guessing M, whereupon the other stuff (secret exponents) could be determined by subexponential algorithms, that'd still be a way to break it using only half the guessing normally needed for a key that size, i.e. break time not 2^N but rather 2^(N/2)*subexponential(N).
A one-time pad is information-theoretically secure.

-- 
Mike Stay - metaweta@gmail.com
http://www.cs.auckland.ac.nz/~mike
http://reperiendi.wordpress.com
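The following Python is an added illustration of the two attack sketches in Warren's second and third points; it is not code from either correspondent. It models the "crypto box" as an oracle computing m^e mod M with a secret prime M and secret exponent e that refuses any message m >= M (a hypothetical 31-bit toy modulus and exponent are used), runs the binary search over accept/reject that recovers M, and then uses baby-step giant-step as a stand-in for the "subexponential algorithms" that recover the exponent from one known plaintext/ciphertext pair once M is known. All of this assumes the box answers more than one query, which is exactly the reusability that Mike's one-time-pad objection denies.

```python
import math

# Constructed toy parameters (hypothetical; a real key would be far larger).
# 2^31 - 1 is prime and 7 is a primitive root modulo it, so discrete logs base 7
# are unique in [0, M-2].
TOY_M = 2**31 - 1
TOY_E = 123456789
KEY_BITS = 32          # attacker only knows an upper bound on the size of M


def make_box(M, e):
    """Black-box encryption oracle: returns m^e mod M, or None if m >= M.

    Refusing m >= M is the behaviour Warren's second point relies on: reducing
    such an m modulo M would lose information, so the box must forbid it."""
    def box(m):
        if m >= M:
            return None
        return pow(m, e, M)
    return box


def recover_modulus(box, nbits):
    """Binary search for the smallest rejected message, which is M itself.

    Invariant: box(lo) is accepted (lo < M) and box(hi) is rejected (hi >= M).
    Needs about nbits queries, so the search is cheap compared with guessing M."""
    lo, hi = 0, 1 << nbits
    queries = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        queries += 1
        if box(mid) is None:
            hi = mid
        else:
            lo = mid
    return hi, queries


def discrete_log(g, c, M):
    """Baby-step giant-step: find e with g^e == c (mod M) for prime M.

    O(sqrt(M)) time and memory, a generic stand-in for the subexponential
    index-calculus methods Warren alludes to once M is known."""
    n = M - 1
    m = math.isqrt(n) + 1
    table = {}
    x = 1
    for j in range(m):               # baby steps: g^j for j in [0, m)
        table.setdefault(x, j)
        x = x * g % M
    g_m = pow(g, m, M)
    inv_g_m = pow(g_m, M - 2, M)     # g^{-m} via Fermat, valid because M is prime
    gamma = c % M
    for i in range(m):               # giant steps: c * g^{-im}
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * inv_g_m % M
    return None


def demo():
    """Run both stages against the toy box and report what the attacker learned."""
    box = make_box(TOY_M, TOY_E)
    M_found, queries = recover_modulus(box, KEY_BITS)
    # One known plaintext/ciphertext pair (plaintext 7, a generator) is enough
    # to reduce the secret exponent to a discrete-log problem modulo M_found.
    c = box(7)
    e_found = discrete_log(7, c, M_found)
    return {"M": M_found, "queries": queries, "e": e_found}


if __name__ == "__main__":
    print(demo())
```

Note that `recover_modulus` never needs to decrypt anything: the accept/reject behaviour alone leaks M one bit per query. If the box instead silently reduced oversized messages (Warren's third point), `box(m)` and `box(m + M)` would return the same ciphertext and the binary search would fail, leaving the attacker with the 2^(N/2) guess of M followed by the discrete log.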