The first cryptanalysis is a broadcast attack, allowing the opponent to reveal an identical plaintext sent to different recipients. This is nontrivial because different randomizers are used for different encryptions (in other words, plaintexts coincide only partially).
The second attack predicts, using a single query to a validity checking oracle, which of two chosen plaintexts corresponds to a challenge ciphertext. The attack's success odds are very high.
The two new attacks rely on different mathematical tools and underline the need to accelerate the phase out of PKCS #1 v1.5.

Category / Keywords: public-key cryptography / PKCS #1 v1.5, Encryption, Broadcast Encryption, Cryptanalysis
Publication Info: To appear in the proceedings of ACNS 2010 (full version)
Date: received 12 Mar 2010, last revised 14 Apr 2010
Contact author: aurelie bauer at ens fr
Version: 20100414:084627
Short URL: ia.cr/2010/135