A New Related Message Attack on RSA
Authors
Abstract
Coppersmith, Franklin, Patarin, and Reiter have shown that given two RSA cryptograms $x^e \bmod N$ and $(ax + b)^e \bmod N$ for any known constants $a, b \in Z_N$, one can compute $x$ in $O(e \log e)$ $Z_N$-operations with some positive error probability. We show that given $e$ cryptograms $c_i \equiv (ax + b\,i)^e \bmod N$, $i = 0, 1, \ldots, e-1$, for any known constants $a, b \in Z_N$, where $\gcd(a, N) = \gcd(b, N) = \gcd(e!, N) = 1$, one can deterministically compute $x$ in $O(e)$ $Z_N$-operations using
Similar resources
A new and optimal chosen-message attack on RSA-type cryptosystems
Chosen-message attack on RSA is usually considered as an inherent property of its homomorphic structure. In this paper, we show that nonhomomorphic RSA-type cryptosystems are also susceptible to a chosen-message attack. In particular, we prove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko’s elliptic curve system.
Manger's Attack Revisited
In this work we examine a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing attack introduced by James Manger in CRYPTO 2001. We show the shortcomings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed countermea...
On the Multiple Fault Attacks on RSA Signatures with LSBs of Messages Unknown
In CHES 2009, Coron, Joux, Kizhvatov, Naccache and Paillier (CJKNP) introduced a fault attack on RSA signatures with partially unknown messages. They factored the RSA modulus N using a single faulty signature and increased the bound of unknown messages by a multiple fault attack; however, the complexity of the multiple fault attack is exponential in the number of faulty signatures. At RSA 2010, it was impro...
Lattice Reduction on Low-Exponent RSA
Coppersmith’s algorithm relies on a simple flaw in the RSA algorithm when messages are small compared to the public number N. Consider a message x encrypted with exponent e = 3 using modulus N for the public key where $a < \sqrt[3]{N}$. Then the encryption z of x can be decrypted simply by taking the cube root, because the $x^3$ operation never rotated x over the modulus N. This is a highly specific cas...
An Equidistant Message Power Attack Using Restricted Number of Traces on Reduction Algorithm
The RSA-CRT algorithm has been widely used for the efficiency of its exponent operation. Research has been announced about the physical susceptibility of RSA-CRT from various side channel attacks. Among them, Boer et al. proposed a brilliant differential power analysis (DPA) of CRT reduction with equidistant chosen messages that is called MRED (Modular reduction on Equidistant Data). This attac...
Defeating RSA Multiply-Always and Message Blinding Countermeasures
We introduce a new correlation power attack on RSA's modular exponentiation implementations, defeating both message blinding and multiply-always countermeasures. We analyze the correlation between power measurements of two consecutive modular operations, and use this to efficiently recover individual key bits. Based upon simulation and practical application on a state-of-the-art smart card we sho...