A New Related Message Attack on RSA
- Oded Yacobi ,
- Yacov Yacobi
MSR-TR-2004-65 |
Coppersmith, Franklin, Patarin, and Reiter show that given two RSA cryptograms xe mod N and (ax+b)e mod N for known constants a,b in ZN, one can compute x in O(elog²e) ZN -operations with some positive error probability. We show that given e cryptograms ci =(ai x+bi)emodN, i=0,1,…e-1, for any known constants ai ,bi in ZN one can deterministically compute x in O(e) ZN -operations that depend on the cryptograms, after a pre-processing that depends only on the constants. The complexity of the pre-processing is O(elog²e) ZN -operations, and can be amortized over many instances. We also consider a special case where the overall cost of the attack is O(e) ZN -operations. Our tools are borrowed from numerical-analysis and adapted to handle formal polynomials over finite-rings. To the best of our knowledge their use in cryptanalysis is novel.