dissertacao.pdf
Notice that $g_i(m) \equiv 0 \pmod{N_i}$ for $i = 1, \dots, k$, so we can apply the Chinese Remainder Theorem with the $g_i(x)$ and $N_i$ as inputs and compute a new monic polynomial $G(x) \in \mathbb{Z}_N[x]$ of degree $\delta$ satisfying:

$$G(m) \equiv 0 \pmod{N} \tag{44}$$

where $m < N_0 < N^{1/l} < N^{1/D}$. So the conditions for using Coppersmith's result are met. Therefore, we can compute $m$ in time polynomial in $\log(N)$ and $\delta$.
The results obtained with the algorithm presented in the appendix are shown in Table 5.

Table 5: Related Plain text Attack's Experimental Results

| Size of N (bits) | Time to compute the polynomial G(x) (seconds) |
|---|---|
| 782 | 0.000289 |
| 1093 | 0.000308 |
| 1793 | 0.000390 |
| 3373 | 0.000524 |
| 6251 | 0.000736 |
| 12246 | 0.001269 |
| 23918 | 0.0026934 |

The reason for such fast results is that the final step of the attack, solving the univariate modular polynomial, was not done.
Actually, May and Ritzenhofen [30] have improved the bound for the number of ciphertexts required. Setting $\delta_i = e_i \deg(f_i(x))$, if the inequality

$$\sum_{i=1}^{k} \frac{1}{\delta_i} \geq 1 \tag{45}$$

is satisfied, then the plaintext $m$ can be recovered from the $k$ ciphertexts.
To prevent these broadcast attacks, we need to ensure that this last inequality is not satisfied. A very straightforward way would be not to send the same (or related) message to many recipients. If there is a need for this, then we should ensure that inequality (45) is not satisfied. For this we can transform the messages with polynomials of high degree or, alternatively, use high public exponents.
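The following is an added example, not code from the dissertation or its appendix. It carries out the Chinese Remainder step behind equation (44) and the exact test of inequality (45) that a protocol review would run before one message goes to several recipients. It assumes $e = 3$ and linear $f_i(x) = a_i x + b_i$; the moduli, message, padding values and function names are constructed for illustration, and the Coppersmith root-finding step is omitted, as it was in the timings of Table 5.

```python
from fractions import Fraction
from math import prod

def crt(residues, moduli):
    """Unique x mod prod(moduli) with x = r_i (mod N_i); moduli pairwise coprime."""
    N = prod(moduli)
    # (N/n) * (N/n)^-1 is 1 mod n and 0 mod every other modulus
    return sum(r * (N // n) * pow(N // n, -1, n) for r, n in zip(residues, moduli)) % N

def combine(polys, moduli):
    """CRT-combine monic g_i of equal degree (coefficients low to high) into G."""
    if len({len(p) for p in polys}) != 1 or any(p[-1] != 1 for p in polys):
        raise ValueError("every g_i must be monic and of the same degree")
    return [crt(column, moduli) for column in zip(*polys)]

def evaluate(poly, x, n):
    """Horner evaluation of poly at x modulo n."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % n
    return acc

def monic_g(a, b, c, n):
    """g(x) = a^-3 * ((a*x + b)^3 - c) mod n, for e = 3 and f(x) = a*x + b."""
    inv = pow(a, -3, n)  # requires gcd(a, n) = 1
    return [inv * t % n for t in (b**3 - c, 3 * a * b**2, 3 * a**2 * b, a**3)]

def inequality_45_holds(deltas):
    """Exact test of sum(1/delta_i) >= 1 with delta_i = e_i * deg(f_i)."""
    return sum(Fraction(1, d) for d in deltas) >= 1

def demo():
    moduli = [1009 * 1013, 1019 * 1021, 1031 * 1033]  # constructed toy moduli
    m = 424242                                        # constructed, m < min(N_i)
    pads = [(2, 7), (3, 11), (5, 13)]                 # constructed f_i(x) = a*x + b
    polys = [monic_g(a, b, pow(a * m + b, 3, n), n)
             for (a, b), n in zip(pads, moduli)]
    G = combine(polys, moduli)
    return G, evaluate(G, m, prod(moduli))

if __name__ == "__main__":
    G, residue = demo()
    print("G monic:", G[-1] == 1, "| G(m) mod N:", residue)
    print("e=3, linear f_i, k=3 :", inequality_45_holds([3, 3, 3]))
    print("e=65537, k=1000      :", inequality_45_holds([65537] * 1000))
```

Using `Fraction` keeps the comparison in (45) exact, which matters at the boundary where the sum equals 1.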