Understanding Manger’s Padding Oracle Attack on RSA Encryption

May 14, 2025

The previous article discussed Bleichenbacher’s 1998 attack on RSA encryption, which relies on access to a PKCS#1v15 padding oracle. Just a few years later, in 2001, James Manger published details of a different padding oracle attack on RSA encryption. Manger’s attack is similar to Bleichenbacher’s attack, but relies on a different type of padding oracle. Manger’s paper is shorter and easier to read than Bleichenbacher’s, but even so, understanding the attack may be easier if you read this article first rather than jumping directly into the paper. Further, I explain some points of interest which are not mentioned in the paper.

By the way, if you aren’t familiar with Bleichenbacher’s padding oracle attack, read the previous article before this one (or before reading Manger’s research paper, for that matter).

How does a Manger padding oracle differ from a Bleichenbacher padding oracle?

Bleichenbacher’s attack requires an oracle which tells the attacker whether any attacker-chosen ciphertext decrypts to a plaintext with valid PKCS#1v15 padding. To refresh your memory, this is what PKCS#1v15 padding looks like:

In contrast, Manger’s attack requires an oracle which tells the attacker just one thing: a Manger oracle takes any attacker-chosen ciphertext, decrypts it, and then tells the attacker whether the first (most significant) byte is zero or not.

It might sound like a Manger oracle is “weaker” than a Bleichenbacher oracle, in the sense of providing less information to the attacker. But in fact, a Manger oracle is much more useful to an attacker than a Bleichenbacher oracle; using a Manger oracle, one can crack RSA encryption with far fewer oracle queries. Let’s see how.

What doesn’t change from Bleichenbacher’s attack

In Bleichenbacher’s attack, we multiply the ciphertext by some integer $s^{e} mod N$ , which multiplies the (unknown) plaintext $m$ by $s mod N$ , and submit the result to the padding oracle. If it returns true, we derive some information about the value of $m$ ; specifically, we derive a set of ranges $M_{i}$ which it might be in. The intersection of all sets $M_{i}$ gives a set $M$ , which contains all possible values of $m$ consistent with what the attacker knows so far. When the set $M$ is narrowed down to just one value, then the encryption has been cracked.

All of this applies equally to Manger’s attack, but take note of these differences:

With Manger’s attack, the set $M$ only ever contains a single, contiguous range of integers. So the code for manipulating that set is much simpler than with Bleichenbacher’s attack.
In Bleichenbacher’s attack, the attacker only updates $M$ when the padding oracle returns true. But in Manger’s attack, both true and false return values from the oracle enable the attacker to narrow down the possible values of $m$ .^[1]
Manger’s paper calls the multipliers $f$ instead of $s$ . It also uses the name $B$ for a number (of the same byte length as the RSA message size) which has 1 in the most-significant byte and 0 in all less-significant bytes; this is 256 times larger than the number which is called $B$ in Bleichenbacher’s paper.

The three stages of Manger’s attack

When starting the attack, we assume that the first byte of the plaintext is zero. (More later on what can be done if that’s not the case.)

In Step 1, we check how many high-order bits in $m$ are zero. With very few oracle queries, this gives rough bounds on $m$ , with an upper bound which is less than double the true value of $m$ .

Do it like this: Try $f_{1} = 2$ ; that left-shifts $m$ by one bit position. If the oracle returns true (meaning the high 8 bits of $s m mod N$ are zero), then the left-shift didn’t push a 1 bit up into the top byte, so the next bit after the top byte must be 0. In that case, try $f_{1} = 4$ ; that left-shifts $m$ by two bit positions, and tells whether the next bit in $m$ is 0 or not. Continue until the oracle returns false; then you know which bit is the highest-order 1-bit in $m$ .

In Step 2, we take advantage of our new knowledge of the highest-order 1-bit in $m$ , together with our knowledge of the RSA modulus $N$ .

With those two pieces of information, we can calculate a multiplier $f_{2}$ , larger than $f_{1}$ , with these properties: If $m$ is in the highest part of its possible range, $f_{2} m$ will wrap the modulus $N$ , but not go so high as to reach $N + B$ and make the oracle return false. But if $m$ is in the lower part of its possible range, $f_{2} m$ will not wrap the modulus $N$ , and because $f_{2}$ is larger than $f_{1}$ , that high-end 1-bit will go into the top byte, and the oracle will return false. The formula is:

$f_{2} = ⌊ \frac{n + B}{B} ⌋ \frac{f _{1}}{2}$

If the oracle returns false, chop down the upper bound on $m$ accordingly, and calculate a new value of $f_{2}$ , which (again) is just big enough so that values of $m$ in the higher part of its possible range will wrap the modulus $N$ but not go as high as $N + B$ (so the oracle will return true). And again, values of $m$ in the lower part of its possible range will not cause $f_{2} m$ to wrap the modulus $N$ , and the oracle will return false. Repeat until the oracle returns true.

For each iteration of this procedure, the new value of $f_{2}$ is the old one plus $f_{1} /2$ .

After Step 2, we now have a multiplier $f_{2}$ which maps $M$ into the range $[N, N + B)$ , meaning $M = [⌈ \frac{N}{f _{2}} ⌉, ⌊ \frac{N + B}{f _{2}} ⌋)$ . Depending on the value of $N$ , that upper bound may be around 1.005 times the lower bound. That’s a big improvement from where we were after Step 1, where the upper bound was roughly double the lower bound.

In Step 3, we systematically chop $M$ down by around half with each successive oracle query.

In Step 1, $f_{1} m$ would not wrap the modulus $N$ at all. In Step 2, $f_{2} m$ would wrap the modulus $N$ either 0 or 1 times. But now in Step 3, we will use larger multiplier values $f_{3}$ , which will wrap the modulus $N$ multiple times. However, we will choose $f_{3}$ so that we are sure of exactly how many times $N$ goes into $f_{3} m$ .

Further, we will make $f_{3}$ just big enough so that around half of the possible values of $m$ will be less than $i N + B$ , and the other half greater (or equal). The formulas are:

$f_{a pp ro x} i f_{3} = ⌊ \frac{2 B}{size ( M )} ⌋ = ⌊ \frac{f _{a pp ro x} \cdot m _{min}}{N} ⌋ = ⌈ \frac{i N}{m _{min}} ⌉$

Repeat Step 3 until $M$ is narrowed down to a single value.

Note that there is a mistake in Step 3.5b of Manger’s paper; it says to use the floor function when updating $m_{ma x}$ . That would be OK if $m_{ma x}$ was an inclusive bound (though the bound would not always be as tight as possible), but Step 3.1 clearly shows it’s intended to be an exclusive bound. For an exclusive bound, using the floor function is wrong and can cause the attack to fail.

Comments on the three stages

Take note of why Manger’s Step 1 wouldn’t work with a Bleichenbacher oracle; since a PKCS#1v15-padded message starts with 0x00 0x02, multiplying such a message by 2 and submitting it to a Bleichenbacher oracle would be useless. The high bytes of $s m$ would be 0x00 0x04 or 0x00 0x05, and the oracle would definitely return false. To get any information at all out of a Bleichenbacher oracle, you must use a multiplier big enough to make 0x00 0x02 wrap the modulus $N$ . But because that starting multiplier is so large, only a tiny fraction of the possible values of $m$ will land in the target region, where the Bleichenbacher oracle has a chance of returning true. That causes the Bleichenbacher attack to use many oracle queries when searching for $s_{1}$ .

In Manger’s Step 1, each oracle query gives 1 bit of information on the plaintext $m$ . Again, in Step 3, each query gives close to 1 bit of information. So could we skip Step 2, where each query gives us much less information than that? No; Step 3 only works when the range of possible values $M$ is small enough, and Step 2 narrows it down just enough for Step 3 to work.

The total number of oracle queries required for Manger’s attack is about 10% more than the number of bits in the plaintext. This is far, far less than a Bleichenbacher attack.

A toy example of Manger’s attack

Was my description of the three stages clear enough? If not, maybe a concrete example (using unrealistically small numbers for intelligibility) will help.

Pick two 12-bit primes to start:

p =
q =

That gives us the modulus $N = pq = 9341921$ ; $ϕ (N) = (p - 1) (q - 1) = 9335700$ . How would 1990349 do as private exponent $d$ ? (If you don’t like it, suit yourself; click here and I’ll switch it up.) That would mean the public exponent $e = 1111049$ .

Now give me an 16-bit unsigned integer as message $m$ : . Encode that message in 24 bits (big-endian), and the top byte will be zero; just what we need for Manger’s attack. $B$ is 65536, and the RSA ciphertext is $c = 2661993$ .

OK, now forget that you already know $d$ and $ϕ (N)$ . Also forget that $N$ is so small that it could be factored in microseconds. But, fortuituously, there is a Manger oracle which will gladly decrypt chosen ciphertexts for you and check their leading byte. For fun, we’ll visualize the Manger oracle as a fuzzy creature named Marley.

All we know to start is $M = [0, 65536)$ . In the 16-bit value $m$ , we will call the least significant bit $b_{0}$ , and the most significant bit $b_{15}$ .

Step 1:

Find out how many high-end bits of the 16-bit value $m$ are zero.

3 oracle queries used to determine

M = [8192, 16384)

. Click to see details.

With $f_{1} = 2$ , $(f_{1})^{e} c = 6020136$ . Marley, is the top byte of $decrypt (6020136)$ zero?

Marley Yes!

OK, so $b_{15} = 0$ , and $M = [0, 32768)$ .

With $f_{1} = 4$ , $(f_{1})^{e} c = 8835090$ . Marley, is the top byte of $decrypt (8835090)$ zero?

Marley Yes!

OK, so $b_{14} = 0$ , and $M = [0, 16384)$ .

With $f_{1} = 8$ , $(f_{1})^{e} c = 2433848$ . Marley, is the top byte of $decrypt (2433848)$ zero?

Marley No!

OK, so $b_{13} = 1$ , and $M = [8192, 16384)$ . We can move on to Step 2.

Step 2:

Use multipliers no greater than $⌊ \frac{m _{ma x}}{N + B} ⌋$ to reduce the size of $M$ until $\frac{m _{ma x}}{m _{min}} \leq \frac{N + B}{N}$ .

48 oracle queries used to determine

M = [12293, 12358)

. Click to see details.

With $f_{2} = 572$ , $(f_{2})^{e} c = 4922705$ . Marley, is the top byte of $decrypt (4922705)$ zero?

Marley No!

OK, so $M = [8192, 16333)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 576$ , $(f_{2})^{e} c = 7731817$ . Marley, is the top byte of $decrypt (7731817)$ zero?

Marley No!

OK, so $M = [8192, 16219)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 580$ , $(f_{2})^{e} c = 1898978$ . Marley, is the top byte of $decrypt (1898978)$ zero?

Marley No!

OK, so $M = [8192, 16107)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 584$ , $(f_{2})^{e} c = 6665748$ . Marley, is the top byte of $decrypt (6665748)$ zero?

Marley No!

OK, so $M = [8192, 15997)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 588$ , $(f_{2})^{e} c = 9294707$ . Marley, is the top byte of $decrypt (9294707)$ zero?

Marley No!

OK, so $M = [8192, 15888)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 592$ , $(f_{2})^{e} c = 5733901$ . Marley, is the top byte of $decrypt (5733901)$ zero?

Marley No!

OK, so $M = [8192, 15781)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 596$ , $(f_{2})^{e} c = 8963132$ . Marley, is the top byte of $decrypt (8963132)$ zero?

Marley No!

OK, so $M = [8192, 15675)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 600$ , $(f_{2})^{e} c = 515216$ . Marley, is the top byte of $decrypt (515216)$ zero?

Marley No!

OK, so $M = [8192, 15570)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 604$ , $(f_{2})^{e} c = 257872$ . Marley, is the top byte of $decrypt (257872)$ zero?

Marley No!

OK, so $M = [8192, 15467)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 608$ , $(f_{2})^{e} c = 8144861$ . Marley, is the top byte of $decrypt (8144861)$ zero?

Marley No!

OK, so $M = [8192, 15366)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 612$ , $(f_{2})^{e} c = 5562278$ . Marley, is the top byte of $decrypt (5562278)$ zero?

Marley No!

OK, so $M = [8192, 15265)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 616$ , $(f_{2})^{e} c = 5036530$ . Marley, is the top byte of $decrypt (5036530)$ zero?

Marley No!

OK, so $M = [8192, 15166)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 620$ , $(f_{2})^{e} c = 3697602$ . Marley, is the top byte of $decrypt (3697602)$ zero?

Marley No!

OK, so $M = [8192, 15068)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 624$ , $(f_{2})^{e} c = 5945621$ . Marley, is the top byte of $decrypt (5945621)$ zero?

Marley No!

OK, so $M = [8192, 14972)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 628$ , $(f_{2})^{e} c = 4600474$ . Marley, is the top byte of $decrypt (4600474)$ zero?

Marley No!

OK, so $M = [8192, 14876)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 632$ , $(f_{2})^{e} c = 4911162$ . Marley, is the top byte of $decrypt (4911162)$ zero?

Marley No!

OK, so $M = [8192, 14782)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 636$ , $(f_{2})^{e} c = 198336$ . Marley, is the top byte of $decrypt (198336)$ zero?

Marley No!

OK, so $M = [8192, 14689)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 640$ , $(f_{2})^{e} c = 7809650$ . Marley, is the top byte of $decrypt (7809650)$ zero?

Marley No!

OK, so $M = [8192, 14597)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 644$ , $(f_{2})^{e} c = 2529462$ . Marley, is the top byte of $decrypt (2529462)$ zero?

Marley No!

OK, so $M = [8192, 14507)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 648$ , $(f_{2})^{e} c = 6261334$ . Marley, is the top byte of $decrypt (6261334)$ zero?

Marley No!

OK, so $M = [8192, 14417)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 652$ , $(f_{2})^{e} c = 9101673$ . Marley, is the top byte of $decrypt (9101673)$ zero?

Marley No!

OK, so $M = [8192, 14329)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 656$ , $(f_{2})^{e} c = 5258928$ . Marley, is the top byte of $decrypt (5258928)$ zero?

Marley No!

OK, so $M = [8192, 14241)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 660$ , $(f_{2})^{e} c = 2711059$ . Marley, is the top byte of $decrypt (2711059)$ zero?

Marley No!

OK, so $M = [8192, 14155)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 664$ , $(f_{2})^{e} c = 710641$ . Marley, is the top byte of $decrypt (710641)$ zero?

Marley No!

OK, so $M = [8192, 14070)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 668$ , $(f_{2})^{e} c = 8400130$ . Marley, is the top byte of $decrypt (8400130)$ zero?

Marley No!

OK, so $M = [8192, 13985)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 672$ , $(f_{2})^{e} c = 2861973$ . Marley, is the top byte of $decrypt (2861973)$ zero?

Marley No!

OK, so $M = [8192, 13902)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 676$ , $(f_{2})^{e} c = 8699673$ . Marley, is the top byte of $decrypt (8699673)$ zero?

Marley No!

OK, so $M = [8192, 13820)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 680$ , $(f_{2})^{e} c = 3735461$ . Marley, is the top byte of $decrypt (3735461)$ zero?

Marley No!

OK, so $M = [8192, 13739)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 684$ , $(f_{2})^{e} c = 3106598$ . Marley, is the top byte of $decrypt (3106598)$ zero?

Marley No!

OK, so $M = [8192, 13658)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 688$ , $(f_{2})^{e} c = 3212432$ . Marley, is the top byte of $decrypt (3212432)$ zero?

Marley No!

OK, so $M = [8192, 13579)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 692$ , $(f_{2})^{e} c = 3496321$ . Marley, is the top byte of $decrypt (3496321)$ zero?

Marley No!

OK, so $M = [8192, 13500)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 696$ , $(f_{2})^{e} c = 2162257$ . Marley, is the top byte of $decrypt (2162257)$ zero?

Marley No!

OK, so $M = [8192, 13423)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 700$ , $(f_{2})^{e} c = 6197340$ . Marley, is the top byte of $decrypt (6197340)$ zero?

Marley No!

OK, so $M = [8192, 13346)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 704$ , $(f_{2})^{e} c = 6563193$ . Marley, is the top byte of $decrypt (6563193)$ zero?

Marley No!

OK, so $M = [8192, 13270)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 708$ , $(f_{2})^{e} c = 8369277$ . Marley, is the top byte of $decrypt (8369277)$ zero?

Marley No!

OK, so $M = [8192, 13195)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 712$ , $(f_{2})^{e} c = 4165218$ . Marley, is the top byte of $decrypt (4165218)$ zero?

Marley No!

OK, so $M = [8192, 13121)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 716$ , $(f_{2})^{e} c = 4141811$ . Marley, is the top byte of $decrypt (4141811)$ zero?

Marley No!

OK, so $M = [8192, 13048)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 720$ , $(f_{2})^{e} c = 5222389$ . Marley, is the top byte of $decrypt (5222389)$ zero?

Marley No!

OK, so $M = [8192, 12975)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 724$ , $(f_{2})^{e} c = 4379661$ . Marley, is the top byte of $decrypt (4379661)$ zero?

Marley No!

OK, so $M = [8192, 12904)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 728$ , $(f_{2})^{e} c = 293584$ . Marley, is the top byte of $decrypt (293584)$ zero?

Marley No!

OK, so $M = [8192, 12833)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 732$ , $(f_{2})^{e} c = 5792084$ . Marley, is the top byte of $decrypt (5792084)$ zero?

Marley No!

OK, so $M = [8192, 12763)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 736$ , $(f_{2})^{e} c = 5761954$ . Marley, is the top byte of $decrypt (5761954)$ zero?

Marley No!

OK, so $M = [8192, 12693)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 740$ , $(f_{2})^{e} c = 6177580$ . Marley, is the top byte of $decrypt (6177580)$ zero?

Marley No!

OK, so $M = [8192, 12625)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 744$ , $(f_{2})^{e} c = 8921158$ . Marley, is the top byte of $decrypt (8921158)$ zero?

Marley No!

OK, so $M = [8192, 12557)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 748$ , $(f_{2})^{e} c = 7034023$ . Marley, is the top byte of $decrypt (7034023)$ zero?

Marley No!

OK, so $M = [8192, 12490)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 752$ , $(f_{2})^{e} c = 6436793$ . Marley, is the top byte of $decrypt (6436793)$ zero?

Marley No!

OK, so $M = [8192, 12423)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 756$ , $(f_{2})^{e} c = 3114150$ . Marley, is the top byte of $decrypt (3114150)$ zero?

Marley No!

OK, so $M = [8192, 12358)$ . Continue Step 2, with a larger value of $f_{2}$ .

With $f_{2} = 760$ , $(f_{2})^{e} c = 6214896$ . Marley, is the top byte of $decrypt (6214896)$ zero?

Marley Yes!

OK, so $M = [12293, 12358)$ . We can move on to Step 3.

Step 3:

Use larger multipliers to cut the remaining range of possibilities in half with each query.

5 oracle queries used to determine

m = 12345

. Click to see details.

With $f_{3} = 1520$ , $(f_{3})^{e} c = 1914791$ . Marley, is the top byte of $decrypt (1914791)$ zero?

Marley No!

OK, so $M = [12336, 12358)$ .

With $f_{3} = 5302$ , $(f_{3})^{e} c = 6967897$ . Marley, is the top byte of $decrypt (6967897)$ zero?

Marley Yes!

OK, so $M = [12336, 12347)$ .

With $f_{3} = 11360$ , $(f_{3})^{e} c = 1539953$ . Marley, is the top byte of $decrypt (1539953)$ zero?

Marley No!

OK, so $M = [12342, 12347)$ .

With $f_{3} = 25736$ , $(f_{3})^{e} c = 3020473$ . Marley, is the top byte of $decrypt (3020473)$ zero?

Marley No!

OK, so $M = [12345, 12347)$ .

With $f_{3} = 65080$ , $(f_{3})^{e} c = 5956180$ . Marley, is the top byte of $decrypt (5956180)$ zero?

Marley Yes!

OK, so $M = [12345, 12346)$ .

If you like, try tweaking some of the above parameters and see how the resulting trace of attack steps changes.

How Manger’s attack relates to OAEP padding

The research paper in which Manger published his attack was entitled “A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0”. Much of the paper talks about the OAEP padding scheme (which I’ll describe in a moment). So it may seem strange that I’ve described the entire attack without referring to OAEP yet. Here is why:

Manger’s attack really has nothing to do with OAEP padding. It’s a chosen-ciphertext attack which relies on being able to find out whether the top byte of an RSA plaintext is zero or not; no more, no less.

The connection with OAEP comes in because careless implementations of OAEP may (potentially) leak information on whether the top plaintext byte is zero. In other words, the nature of OAEP creates danger of exposing a Manger oracle to attackers. But it is certainly possible for RSA implementations not using OAEP to expose a Manger oracle. In fact, the authors of the paper “The 9 Lives of Bleichenbacher’s CAT” found Manger oracles in four different TLS libraries (including OpenSSL), none of which were using OAEP. (Rather, they were using PKCS#1v15 padding for RSA messages.)

Nonetheless, this article wouldn’t be complete without a brief overview of OAEP. Let’s do that now.

OAEP in brief

Here’s a slightly simplified diagram. Note that the overall bit length is the same as the RSA modulus $N$ . The symbol ⨁ represents XOR.

Take note of these features:

The leading 0x00 byte ensures that the integer value of an OAEP-padded message will never be larger than the RSA modulus $N$ .
As with PKCS#1v15, some random bytes are included. This makes the encryption non-deterministic; if you encrypt the same data twice, then the resulting ciphertexts will be different. So attackers can’t simply compare ciphertexts to see if you are sending the same data more than once. It also defends against various other attacks, including the RSA broadcast attack featured in Cryptopals #40.
The random seed is used to derive a “data mask” which scrambles the entire lower part of the padded message.
The scrambled lower part is then used to derive a “seed mask” which scrambles the random seed.
The purpose of the scrambling is to destroy RSA malleability, from the perspective of the data payload which is recovered after reversing the OAEP padding.

Was the last point confusing? I thought so. Let me break it down:

RSA encryption is “malleable”, in that you can multiply an RSA ciphertext by (for example) $2^{e}$ , and the corresponding plaintext will be multiplied by 2. That property is the basis for both Bleichenbacher’s and Manger’s attacks. Of course, the same is true of an OAEP-padded RSA ciphertext/plaintext. You can multiply an OAEP-padded ciphertext by $2^{e}$ , and the OAEP-padded plaintext will be multiplied by 2. But, after the OAEP padding is removed, including reversing the seed mask, reversing the data mask, and pulling out the payload bytes (shown as “DATA…” in the above diagram), those payload bytes will not simply by multiplied by 2. They will be completely and irreversibly scrambled.

That is a big part of what OAEP padding is all about. It means that even if you create a service which (ignoring all good judgement) uses RSA encryption to protect confidential data, and even if your service carelessly exposes an oracle on the format of those “DATA…” bytes, attackers can’t mount adaptive chosen-ciphertext attacks^[2] against you.

The one fly in the ointment, the bruise on the apple, the hair in the soup, the ugly blotch on this otherwise rosy picture, is that RSA malleability still does apply to an OAEP-padded message before the OAEP padding is reversed. That is what makes Manger’s attack possible against RSA-OAEP, if the implementation is not careful to defend against it.

Manger’s attack against non-OAEP plaintexts

Manger’s paper doesn’t describe how to use his attack against messages which don’t start with a zero byte. But it’s easy; just use the same idea as Step 1 of Bleichenbacher’s attack. Generate a random RSA blinding value $r$ , and use it to blind the target ciphertext:

$c_{b} = c r^{e} mod N$

Submit that to the oracle to see whether the blinded plaintext starts with a zero byte or not. If it doesn’t, try again until you find a blinding value which works. Use Manger’s attack to decrypt the blinded ciphertext $c_{b}$ , then remove the blinding:

$m = m_{b} r^{- 1} mod N$

Just as for Bleichenbacher’s attack, with this trick, Manger’s attack can be used to forge RSA signatures.

One more point about using Manger’s attack against non-OAEP messages; if the plaintext is a relatively small number (many high-order bytes are zero), then Step 3 sometimes gets stuck in an infinite loop. This is because when $m$ is small and the range $M$ is also very small, it can happen that multiplying by $f_{3}$ maps the entire range $[m_{min}, m_{ma x})$ to one side of $N + B$ ; then the oracle always returns the same value, regardless of where $m$ actually is in that range, and Step 3 becomes unable to trim the size of $M$ down further. This can be avoided by validating $f_{3}$ and fiddling with it when necessary; another solution is to do a brute-force search of $M$ once it gets very small, rather than using oracle queries to run $M$ all the way down to a single value. (This doesn’t happen with OAEP-padded messages; no wonder Manger didn’t mention it in his paper.)

Generalizing the idea of a Manger oracle

Manger’s attack is described in terms of an oracle which reveals whether the first byte (8 bits) of an RSA plaintext is zero. This is because of the property of OAEP padding whereby the first byte of the plaintext is expected to be zero. But there is nothing magic about “8 bits”; if an RSA implementation exposed an oracle revealing whether the first 7 bits were zero, or whether the first 9 bits were zero, it could still be exploited with Manger’s attack. Just adjust the value of $B$ accordingly; $B$ should be the smallest number with a single 1-bit in the region checked by the oracle.

If the oracle only reveals whether one bit (the most-significant bit) is zero or not, Manger’s attack needs some adjustment. Also, if the RSA modulus $N$ is unusually small, such that there is only a single bit in the region checked by the oracle which isn’t also greater than the modulus, the same problem arises. Section 3.2 of Manger’s paper briefly describes how this situation affects his attack, but doesn’t develop an adjusted algorithm in detail.

The ideas behind Manger’s attack can also be adapted to an oracle which reveals whether $m$ falls in some interval $[0, B)$ , where $B$ is not a power of 2, and is smaller than $N /2$ . Actually, very little changes about the Manger attack algorithm in that case.

Lessons?

Really, please don’t use RSA encryption. Please?

[1] This might seem like an obvious deficiency in Bleichenbacher’s attack, but it’s not. A Bleichenbacher oracle is expected to return false most of the time, so there is very little marginal information gain which an attacker could possibly derive from a false return. Further, as explained in the previous article, a Bleichenbacher oracle may return false for various reasons, irrespective of whether $s m mod N$ is in the “target” range $[2 B, 3 B)$ or not. In contrast, in Manger’s attack, there is usually around a 50% chance of getting back either true or false from the padding oracle, so the attacker can derive close to one bit of information from each oracle query. And Manger oracles return true if and only if $f m mod N$ is inside the target range $[0, B)$ . ⏎

[2] If you don’t know the term “adaptive chosen-ciphertext attack”, think of it as “attacks roughly like Bleichenbacher’s or Manger’s”. ⏎