Low-Exponent RSA with Related Messages

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


In this paper we present a new class of attacks against RSA with low encrypting exponent. The attacks enable the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent.


Keywords (added by machine, not by the authors): Secret Sharing Scheme; Linear Polynomial; Univariate Polynomial; Verifiable Signature; Polynomial Relation



Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  1. IBM Research, Yorktown Heights, USA
  2. AT&T Research, Murray Hill, USA
  3. CP8 Transac, Louveciennes, France
  4. AT&T Research, Murray Hill, USA
