@sudharshankr

Correction in Step 2a. - s = N // (3 * B) changed to s = -(-N // (3 * B)) to ceil the value and get the smallest possible value for s_1 ≥ n/(3B).

Correction in Step 2c. - Corrected s = -(-(2 * B + r * N // b)) to s = -(-(2 * B + r * N) // b) to get the lower bound on s_i ≥ (2B + r_i n) / b as is required in this step.

The above corrections introduced a marginal improvement in the attack efficiency. For one of my attack demos, the corrections improved the attack by requiring approximately 2000 fewer oracle queries than before.
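What the old and new expressions from the two corrections evaluate to, as an added example that is not part of the pull request or the project's code. The function names are hypothetical, and `N`, `B`, `R` and `B_HI` (standing in for r and b) are constructed toy values.

```python
# Added illustration; N, B, R and B_HI are constructed toy values, not data from the PR.

def step2a_old(N, B):
    return N // (3 * B)              # floor(N / 3B)

def step2a_new(N, B):
    return -(-N // (3 * B))          # ceil(N / 3B): unary minus binds tighter than //

def step2c_old(B, r, N, b):
    # Only r * N is divided by b, and the two negations cancel,
    # so this evaluates to 2B + floor(r*N / b).
    return -(-(2 * B + r * N // b))

def step2c_new(B, r, N, b):
    return -(-(2 * B + r * N) // b)  # ceil((2B + r*N) / b)

def compare(N, B, r, b):
    """Return all four values so they can be checked side by side."""
    return {
        "2a_old": step2a_old(N, B), "2a_new": step2a_new(N, B),
        "2c_old": step2c_old(B, r, N, b), "2c_new": step2c_new(B, r, N, b),
    }

K = 8                                # toy modulus length in bytes
B = 2 ** (8 * (K - 2))               # B = 2^(8(k-2)) as in the PKCS#1 v1.5 bounds
N = 0xC34F9A1B5D27E8F1               # constructed odd 64-bit stand-in for an RSA modulus
R, B_HI = 7, 2 * B + 12345           # constructed r and interval upper end b

if __name__ == "__main__":
    for name, value in compare(N, B, R, B_HI).items():
        print(f"{name}: {value}")
```
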

@AkechiShiro

Could this be reviewed please, @hannob @scovetta? Or has it been reviewed already?

@jurajsomorovsky

I do not really understand the changes and how they are supposed to improve the attack efficiency. How many evaluations with how many data sets have you performed?

Anyway, 2000 queries are not a lot in the light of BB attack, so I would stay with the original algorithm from the paper.

@AkechiShiro

Also, a quick question: how many requests are needed on average, and is there a relationship between the number of requests and the key length in bits of the RSA key of the certificate being used?

@jurajsomorovsky

This is quite hard to answer since it depends on the oracle you are given (basically, how the server validates the CKE messages). To decrypt a single message, you need 40k to 200k requests, on average.

You can take a look at the paper of Bardou et al. to get more information (https://eprint.iacr.org/2012/417.pdf). See table 1 for their evaluations.
