vulnerability caused by the common prime factor shared by two seemingly distinct public keys.
We know that the system of linear congruences $x \equiv c_1 \pmod{n_1}$, $x \equiv c_2 \pmod{n_2}$, $\ldots$, $x \equiv c_k \pmod{n_k}$, where $c_1, \ldots, c_k$ are integers such that $0 \le c_i < n_i$ for every $i$ and $n_1, \ldots, n_k$ are positive integers such that $\gcd(n_i, n_j) = 1$ for $i \ne j$, has a unique simultaneous solution $0 \le x < N$, where $N = n_1 n_2 \cdots n_k$, by the Chinese remainder theorem (CRT) (Chinese remainder theorem).

So, given a single plaintext message $m$ encrypted with three different public keys $N_1, N_2, N_3$, all of which share the same small public exponent $e = 3$, resulting in three different ciphertexts $C_1, C_2, C_3$ with $C_1 \equiv m^3 \pmod{N_1}$, $C_2 \equiv m^3 \pmod{N_2}$, $C_3 \equiv m^3 \pmod{N_3}$, we can construct the system of linear congruences $x \equiv C_1 \pmod{N_1}$, $x \equiv C_2 \pmod{N_2}$, $x \equiv C_3 \pmod{N_3}$, whose solution satisfies $x \equiv m^3 \pmod{N_1 N_2 N_3}$ (Coppersmith's attack). Assuming that no pair of the seemingly distinct public keys shares a common prime factor (so they are not vulnerable to the attack described in Task 3), i.e. $\gcd(N_i, N_j) = 1$ for $i \ne j$, we can use the method of solving simultaneous linear congruences attributed to Gauss (The Chinese Remainder Theorem) to find $x$. Since RSA PKCS1 (cryptography - RSA Encryption Problem [Size of payload data] - Stack Overflow) dictates that any message we encrypt must be smaller than the modulus, we know that $m < \min(N_1, N_2, N_3)$, which means $m^3 < N_1 N_2 N_3$ and therefore $m^3 = x$, because $x \equiv m^3 \pmod{N_1 N_2 N_3}$ and $x$ is the unique solution in $0 \le x < N_1 N_2 N_3$ by the CRT. Therefore, after computing $\sqrt[3]{x}$, a computationally trivial task, we have a viable attack vector for recovering the plaintext message $m$.
efficient algorithm that repeatedly divides the search interval in half, due to the vulnerability caused by the use of the same small public exponent with three different public keys to encrypt the same message.
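As an added worked example, not part of the original document, the attack above carried out end to end in Python on constructed toy keys: three ciphertexts of one message under $e = 3$ are combined with the CRT, and the cube root of the result is taken by bisection, the interval-halving algorithm the text refers to. The key sizes, the message and the names `next_e3_prime`, `crt`, `icbrt` and `broadcast_attack` are my own choices, not the document's.

```python
# Added example (not from the document): Hastad-style broadcast attack on
# textbook RSA with e = 3. Because m^3 < N1*N2*N3, the CRT value is exactly
# m^3 and an integer cube root recovers m. Keys are constructed toy keys.
from functools import reduce
from math import gcd

E = 3

def is_prime(n):
    """Trial division; adequate for the ~25-bit primes constructed below."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_e3_prime(start):
    """First prime >= start with p % 3 == 2, so gcd(3, p-1) == 1 (valid e=3 key)."""
    p = start
    while not (p % 3 == 2 and is_prime(p)):
        p += 1
    return p

def crt(residues, moduli):
    """Gauss's construction: the unique x in [0, N) with x = c_i (mod n_i)."""
    N = reduce(lambda a, b: a * b, moduli)
    x = sum(c * (N // n) * pow(N // n, -1, n) for c, n in zip(residues, moduli))
    return x % N

def icbrt(x):
    """Smallest r with r**3 >= x, found by halving the search interval;
    this is the exact cube root when x is a perfect cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def broadcast_attack(ciphertexts, moduli):
    """Recover m from c_i = m**3 mod N_i for pairwise-coprime moduli N_i."""
    pairs = [(a, b) for i, a in enumerate(moduli) for b in moduli[i + 1:]]
    if any(gcd(a, b) != 1 for a, b in pairs):
        raise ValueError("moduli share a factor; CRT does not apply (see Task 3)")
    return icbrt(crt(ciphertexts, moduli))

# Constructed demo keys: ~50-bit moduli built from primes just above 2**24.
MODULI = [next_e3_prime(2**24 + s) * next_e3_prime(2**24 + s + 4099)
          for s in (0, 1000, 2000)]
M = int.from_bytes(b"secret", "big")           # 48 bits, below every modulus
CIPHERTEXTS = [pow(M, E, n) for n in MODULI]   # same m, same e = 3, three keys
```

Running `broadcast_attack(CIPHERTEXTS, MODULI)` returns `M` without touching any private key; `pow(a, -1, n)` needs Python 3.8 or newer.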