Low-Exponent RSA with Related Messages

  • Don Coppersmith
  • Matthew Franklin
  • Jacques Patarin
  • Michael Reiter
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


In this paper we present a new class of attacks against RSA with low encrypting exponent. The attacks enable the recovery of plain- text messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent.


  1. 1.
    M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Advances in Cryptology—EUROCRYPT’ 94 (Lecture Notes in Computer Science 950), A. De Santis, Ed. 1995, pp. 92–111, Springer-Verlag.CrossRefGoogle Scholar
  2. 2.
    D. Coppersmith. Finding a small root of a univariate modular equation. In Advances in Cryptology—EUROCRYPT’ 96, U. Maurer, Ed. 1996, Springer-Verlag.Google Scholar
  3. 3.
    M. K. Franklin and M. K. Reiter. Verifiable signature sharing. In Advances in Cryptology—EUROCRYPT’ 95 (Lecture Notes in Computer Science 921), L. C. Guillou and J. Quisquater, Eds. 1995, pp. 50–63, Springer-Verlag.Google Scholar
  4. 4.
    M. K. Franklin and M. K. Reiter. A linear protocol failure for RSA with exponent three. Presented at the CRYPTO’ 95 Rump Session, Aug. 1995.Google Scholar
  5. 5.
    J. Hastad. Solving simultaneous modular equations of low degree. SIAM Journal of Computing 17:336–341, 1988.CrossRefMATHMathSciNetGoogle Scholar
  6. 6.
    J. H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE 76(5), May 1988.Google Scholar
  7. 7.
    C. Park, K. Kurosawa, T. Okamoto, and S. Tsujii. On key distribution and authentication in mobile radio networks. In Advances in Cryptology—EUROCRYPT’ 93 (Lecture Notes in Computer Science 765), T. Helleseth, Ed. 1994, pp. 461–465, Springer-Verlag.Google Scholar
  8. 8.
    R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2):120–126, Feb. 1978.CrossRefMATHMathSciNetGoogle Scholar
  9. 9.
    A. Shamir. How to share a secret. Communications of the ACM 22(11):612–613, Nov. 1979.CrossRefMATHMathSciNetGoogle Scholar
  10. 10.
    G. Simmons. A “weak” privacy protocol using the RSA cryptoalgorithm. Cryptologia 7:180–182, 1983.CrossRefMATHGoogle Scholar
  11. 11.
    G. Simmons. Proof of soundness (integrity) of cryptographic protocols. Journal of Cryptology 7:69–77, 1994.CrossRefMATHGoogle Scholar
  12. 12.
    V. Strassen. The computational complexity of continued fractions. SIAM Journal of Computing 12(1):1–27, 1983.CrossRefMATHMathSciNetGoogle Scholar
  13. 13.
    M. Tatebayashi and N. Matsuzakai and D. B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology—CRYPTO’ 89 (Lecture Notes in Computer Science 435), G. Brassard, Ed. 1990, pp. 324–333, Springer-Verlag.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Don Coppersmith
    • 1
  • Matthew Franklin
    • 2
  • Jacques Patarin
    • 3
  • Michael Reiter
    • 4
  1. 1.IBM ResearchYorktown HeightsUSA
  2. 2.AT&T ResearchMurray HillUSA
  3. 3.CP8 TransacLouveciennesFrance
  4. 4.AT&T ResearchMurray HillUSA

Personalised recommendations