Hi Victor,

Your analysis is not true because the original poster says he has dmp1, dmq1 and iqmp, not only p and q. With these 5 parameters, it is possible to recover the plain text from the ciphered text thanks to the Chinese Remainder Transformation (CRT). Moreover, it is possible to recover the public exponent e and the private exponent d from these 5 parameters using a mathematical transformation. I have implemented such a transformation in an open source tool that I put on SourceForge: you can get it along with the mathematics behind it from the following link: http://rsaconverter.sourceforge.net/ .

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


On 2/24/2011 5:48 AM, Victor Duchovni wrote:
> On Wed, Feb 23, 2011 at 09:03:13PM -0600, Shaheed Bacchus (sbacchus) wrote:
>
>> Just to be clear, below is not the actual code, but what I would *like*
>> to be able to do (or something close).
>
> What you are asking to do is not possible, not because of API limitations,
> but as a matter of principle (mathematical property of RSA).
>
>>    I have a situation where I have a message that has been encrypted via
>> RSA_public_encrypt.  On the receiving end I have the n, p, q, dmp1,
>> dmq1, and iqmp components (I know it might sound odd that I don't have
>> the e and d components but that is the case).
>
> The RSA algorithm computes a ciphertext M' from a plaintext M via
>
>         M' = (M)^e mod n (i.e. mod pq).
>
> decryption is possible when p, q (and implicitly e) are known because
>
>         M = (M')^d mod n
>
> provided:
>
>      - M < n (e.g. the message is shorter than the key bit length),
>        thus computing the result mod n loses no information.
>
>      - d*e = 1 mod phi(n) = (p-1)(q-1)
>
>         http://en.wikipedia.org/wiki/Euler%27s_totient_function
>
> when e, p and q are known, d can be computed via Euclid's algorithm for
> finding the multiplicative inverse of a mod b, when a is co-prime to b.
>
> When e is unknown, any M'' obtained from M via some exponent e' is
> as good a plaintext as M since, if e'*d' = 1 mod phi(n), we have:
>
>      M' = (M^e) = ((M^e')^d')^e = (M'')^(d'*e)
>
> therefore if the public exponent were (d'*e) instead of e, the same
> message M' decrypts to M' instead of M. There is no well-defined inverse
> to RSA without "e", since e is a fundamental parameter of the operation
> you want to invert.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
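
The two claims in the top reply (decryption from the CRT parameters alone, and recovery of d and e from them), worked through as an added example; it is not code from the thread or from the RSA Converter tool. It assumes a toy key constructed here (p=61, q=53, e=17), works on raw RSA without padding, and recovers e modulo lcm(p-1, q-1), which equals the real e whenever e is smaller than that modulus.

```python
from math import gcd

# Constructed toy key (far too small for real use): p=61, q=53, e=17.
P, Q = 61, 53
N = P * Q
DMP1, DMQ1, IQMP = 53, 49, 38   # d mod (p-1), d mod (q-1), q^-1 mod p


def crt_decrypt(c, p, q, dmp1, dmq1, iqmp):
    """Raw RSA private operation from the five CRT parameters (no e, no d).
    Padding added by RSA_public_encrypt would still have to be removed."""
    m1 = pow(c, dmp1, p)
    m2 = pow(c, dmq1, q)
    h = (iqmp * (m1 - m2)) % p        # Garner recombination
    return m2 + h * q


def recover_d_e(p, q, dmp1, dmq1):
    """Solve d = dmp1 (mod p-1), d = dmq1 (mod q-1), then invert d.
    p-1 and q-1 share at least the factor 2, so the plain CRT does not
    apply; the result is unique modulo lcm(p-1, q-1)."""
    a, b = p - 1, q - 1
    g = gcd(a, b)
    if (dmp1 - dmq1) % g:
        raise ValueError("dmp1 and dmq1 do not belong to the same key")
    lam = a // g * b
    # d = dmp1 + a*t with (a/g)*t = (dmq1 - dmp1)/g  (mod b/g)
    t = (dmq1 - dmp1) // g * pow(a // g, -1, b // g) % (b // g)
    d = (dmp1 + a * t) % lam
    e = pow(d, -1, lam)               # raises ValueError if d is not invertible
    return d, e


if __name__ == "__main__":
    d, e = recover_d_e(P, Q, DMP1, DMQ1)
    c = pow(65, e, N)
    print("d =", d, "e =", e, "m =", crt_decrypt(c, P, Q, DMP1, DMQ1, IQMP))
```

The recovered d is the smallest valid private exponent, so it can differ from a d computed modulo (p-1)(q-1) while decrypting identically.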