A New Related Message Attack on RSA
Coppersmith, Franklin, Patarin, and Reiter show that given two RSA cryptograms $x^e \bmod N$ and $(ax+b)^e \bmod N$ for known constants $a, b \in \mathbb{Z}_N$, one can compute $x$ in $O(e \log^2 e)$ $\mathbb{Z}_N$-operations with some positive error probability. We show that given $e$ cryptograms $c_i \equiv (a_i x + b_i)^e \bmod N$, $i = 0, 1, \ldots, e-1$, for any known constants $a_i, b_i \in \mathbb{Z}_N$, one can deterministically compute $x$ in $O(e)$ $\mathbb{Z}_N$-operations that depend on the cryptograms, after a pre-processing that depends only on the constants. The complexity of the pre-processing is $O(e \log^2 e)$ $\mathbb{Z}_N$-operations, and can be amortized over many instances. We also consider a special case where the overall cost of the attack is $O(e)$ $\mathbb{Z}_N$-operations. Our tools are borrowed from numerical analysis and adapted to handle formal polynomials over finite rings. To the best of our knowledge their use in cryptanalysis is novel.
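As an added illustration (not code from the paper): the sketch below treats only the case $a_i = 1$, $b_i = i$, which is an assumption made here since the abstract does not say which special case it means, and it uses the standard finite-difference identity for $t^e$ rather than the paper's own algorithm. It shows why unpadded low-exponent RSA must never encrypt messages with known relations; the function names, modulus and message are constructed for the example.

```python
from math import comb, factorial


def encrypt(m, e, N):
    """Textbook (unpadded) RSA encryption, the setting the abstract assumes."""
    return pow(m, e, N)


def recover_x(cryptograms, e, N):
    """Recover x from c_i = (x + i)^e mod N for i = 0..e-1 (assumed case).

    The (e-1)-th forward difference of the polynomial t^e is linear in x:
        sum_i (-1)^(e-1-i) * C(e-1, i) * (x + i)^e = e! * x + K
    where K is the same alternating sum evaluated at x = 0.
    """
    if len(cryptograms) != e:
        raise ValueError("need exactly e cryptograms")
    # Pre-processing: depends only on e and the known offsets b_i = i.
    coeffs = [(-1) ** (e - 1 - i) * comb(e - 1, i) for i in range(e)]
    K = sum(c * i ** e for i, c in enumerate(coeffs))
    inv_fact = pow(factorial(e), -1, N)  # ValueError if gcd(e!, N) != 1
    # Per-instance work: e multiply-adds plus one multiplication mod N.
    D = sum(c * ct for c, ct in zip(coeffs, cryptograms)) % N
    return (D - K) * inv_fact % N


def demo():
    # Constructed toy parameters: product of two Mersenne primes, e = 5.
    N = (2**61 - 1) * (2**89 - 1)
    e = 5
    x = int.from_bytes(b"constructed msg", "big")  # constructed plaintext
    cryptograms = [encrypt(x + i, e, N) for i in range(e)]
    # No private key is used: x falls out of the public cryptograms alone.
    return recover_x(cryptograms, e, N) == x


if __name__ == "__main__":
    print("plaintext recovered without the private key:", demo())
```

Randomized padding such as OAEP destroys the known algebraic relation between the encrypted values, so the alternating sum no longer collapses to a linear function of $x$.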