Low-Exponent RSA with Related Messages
In this paper we present a new class of attacks against RSA with low encrypting exponent. The attacks enable the recovery of plain- text messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent.
- 2.D. Coppersmith. Finding a small root of a univariate modular equation. In Advances in Cryptology—EUROCRYPT’ 96, U. Maurer, Ed. 1996, Springer-Verlag.Google Scholar
- 3.M. K. Franklin and M. K. Reiter. Verifiable signature sharing. In Advances in Cryptology—EUROCRYPT’ 95 (Lecture Notes in Computer Science 921), L. C. Guillou and J. Quisquater, Eds. 1995, pp. 50–63, Springer-Verlag.Google Scholar
- 4.M. K. Franklin and M. K. Reiter. A linear protocol failure for RSA with exponent three. Presented at the CRYPTO’ 95 Rump Session, Aug. 1995.Google Scholar
- 6.J. H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE 76(5), May 1988.Google Scholar
- 7.C. Park, K. Kurosawa, T. Okamoto, and S. Tsujii. On key distribution and authentication in mobile radio networks. In Advances in Cryptology—EUROCRYPT’ 93 (Lecture Notes in Computer Science 765), T. Helleseth, Ed. 1994, pp. 461–465, Springer-Verlag.Google Scholar