Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Authors
Abstract
We address the problem of polynomial time solving univariate modular equations with mutually co-prime moduli. For a given system of equations we determine up to which size the common roots can be calculated efficiently. We further determine the minimum number of equations which suffice for a recovery of all common roots. The result that we obtain is superior to Håstad’s original RSA broadcast attack, even if Håstad’s method is combined with the best known lattice technique due to Coppersmith. Namely, our reduction uses a slightly different transformation from polynomial systems to a single polynomial. Thus, our improvement is achieved by optimal polynomial modelling rather than improved lattice techniques. Moreover, we show by a counting argument that our results cannot be improved in general. A typical application for our algorithm is an improved attack on RSA with a smaller number of polynomially related messages.
Similar resources
A Local Strong form Meshless Method for Solving 2D time-Dependent Schrödinger Equations
This paper deals with the numerical solutions of the 2D time dependent Schrödinger equations by using a local strong form meshless method. The time variable is discretized by a finite difference scheme. Then, in the resultant elliptic type PDEs, special variable is discretized with a local radial basis function (RBF) method for which the PDE operator is also imposed in the local matrices. Des...
Finding a Small Root of a Univariate Modular Equation
We show how to solve a polynomial equation (mod N) of degree k in a single variable z, as long as there is a solution smaller than N^{1/k}. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an expo...
Solving Linear Equations Modulo Unknown Divisors: Revisited
We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor p for a known composite integer N. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equation...
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization
The RSA public key cryptosystem is based on a single modular equation in one variable. A natural generalization of this approach is to consider systems of several modular equations in several variables. In this paper we consider Patarin’s Hidden Field Equations (HFE) scheme, which is believed to be one of the strongest schemes of this type. We represent the published system of multivariate poly...
Solving Equations (and Systems of Equations) Under Uncertainty: How Different Practical Problems Lead to Different Mathematical and Computational Formulations
Many practical problems are naturally reduced to solving systems of equations. There are many efficient techniques for solving well-defined systems of equations, i.e., systems in which we know the exact values of all the parameters and coefficients. In practice, we usually know these parameters and coefficients with some uncertainty – uncertainty usually described by an appropriate granule: int...