Solving systems of modular equations in one variable: how many RSA-encrypted messages does eve need to know?

Authors:
Alexander May;Maike Ritzenhofen
Affiliations:
Faculty of Mathematics, Ruhr-Universität Bochum, Bochum, Germany;Faculty of Mathematics, Ruhr-Universität Bochum, Bochum, Germany
Venue:
PKC'08 Proceedings of the Practice and theory in public key cryptography, 11th international conference on Public key cryptography
Year:
2008

Citing 8
Cited 1

On using RSA with low exponent in a public key network

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Solving simultaneous modular equations of low degree

SIAM Journal on Computing - Special issue on cryptography
Algorithmic number theory

Algorithmic number theory
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
A computational introduction to number theory and algebra

A computational introduction to number theory and algebra
Low-exponent RSA with related messages

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
On the equivalence of RSA and factoring regarding generic ring algorithms

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Floating-Point LLL revisited

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques

Security analysis of an RSA key generation algorithm with a large private key

ISC'11 Proceedings of the 14th international conference on Information security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We address the problem of polynomial time solving univariate modular equations with mutually co-prime moduli. For a given system of equations we determine up to which size the common roots can be calculated efficiently. We further determine the minimum number of equations which suffice for a recovery of all common roots. The result that we obtain is superior to Håstad's original RSA broadcast attack, even if Håstad's method is combined with the best known lattice technique due to Coppersmith. Namely, our reduction uses a slightly different transformation from polynomial systems to a single polynomial. Thus, our improvement is achieved by optimal polynomial modelling rather than improved lattice techniques. Moreover, we show by a counting argument that our results cannot be improved in general. A typical application for our algorithm is an improved attack on RSA with a smaller number of polynomially related messages.