A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
The Design and Analysis of Computer Algorithms
The Design and Analysis of Computer Algorithms
RSA-OAEP Is Secure under the RSA Assumption
Journal of Cryptology
Low-exponent RSA with related messages
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Hi-index | 5.23 |
Coppersmith, Franklin, Patarin, and Reiter show that given two RSA cryptograms xe mod N and (ax+b)e mod N for known constants a,b∈ℤN, one can usually compute x in O(elog 2e) ℤN-operations (there are O(e2) messages for which the method fails). We show that given e cryptograms ci≡ (aix+bi)e mod N, i=0,1,...e–1, for any known constants ai,bi∈ℤN, one can deterministically compute x in O(e) ℤN-operations that depend on the cryptograms, after a pre-processing that depends only on the constants. The complexity of the pre-processing is O(elog 2e) ℤN-operations, and can be amortized over many instances. We also consider a special case where the overall cost of the attack is O(e) ℤN-operations. Our tools are borrowed from numerical-analysis and adapted to handle formal polynomials over finite-rings. To the best of our knowledge their use in cryptanalysis is novel.