dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Table 3: DeLaurentis Attack’s Experimental Results<br />
size of N (in bits) time to compute d1 (seconds)<br />
8 0.000019<br />
16 0.000012<br />
32 0.000031<br />
64 0.000031<br />
128 0.000030<br />
256 0.000051<br />
512 0.000058<br />
1024 0.000092<br />
2048 0.000186<br />
4096 0.000387<br />
algorithm running in polynomial time to factor N. So, when implementing<br />
RSA, it is not possible at all to use the same modulus for different<br />
users.<br />
3.2.2 Hastad’s Broadcast Attack<br />
The following attack is due to Hastad[18]. It is also known as Common Plain<br />
text Attack due to the fact that it needs, like the previous attack, that the same<br />
plain text be encrypted more than once. In the original attack, presented below,<br />
we actually need k messages, k ≥ e, where e is a common public exponent used<br />
to encode the k messages. The theorem supporting it follows:<br />
Theorem 21. Suppose a plain text m is encrypted k times with the public keys<br />
< e, N1 >, < e, N2 >, ..., < e, Nk > where k ≥ e and the N1, N2, ..., Nk are<br />
pairwise co-prime. Let N0 = min{N1, N2, ..., Nk} and N = k<br />
i=1 Ni. If the<br />
plain text m satisfies m < N0 then Marvin, knowing ci ∼ = m e (mod Ni) and<br />
< e, Ni > for i = 1, 2, ..., k, can compute the plain text m in time polynomial in<br />
log (N).<br />
Proof. Given that the (Ni’s are co-prime, we can apply the CRT to compute<br />
C ∼ = m e (mod N). As m < N0 we have that m e < N1N2...Nk = N and so<br />
C = m e . Therefore all we need to do is to compute the e-th root of C over<br />
36