public exponent, such as e = 3, is used. This may occur when the encrypting device has little computational power, such as a cell phone. The attacks are far from breaking the system, as they do not aim to factor the modulus but rather to recover specific plain texts or parts of them.
3.3.1 Stereotyped Message Attack
When encrypting a plain text m, one should be careful about its size. As the last attack of the previous section shows, the plain text m = 1 is easily recovered. Unfortunately, this is not the only one, especially when we use a small public exponent. If the public exponent is sufficiently small, there is a risk that the cypher text will satisfy $c = m^e < N$. Knowing this, all Marvin has to do is to calculate the e-th root of c over the integers. So plain texts m such that $m < N^{1/e}$ cannot be used. This is relevant because RSA is often used to share a key for a symmetric key cryptosystem. As an example, if we use a 1024-bit modulus RSA and a public exponent e = 3, then the key to share should have at least 342 bits!
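To make the paragraph above concrete, here is an added Python example; it is not code from the dissertation, and every function name and the toy key-generation helpers are our own. It builds a small RSA public key with e = 3, shows that a plain text with $m^e < N$ is read straight back from the cypher text as an integer e-th root (the m = 1 case included), and implements the minimum-size check the text derives: for any 1024-bit modulus and e = 3 the smallest acceptable plain text has 342 bits, the figure quoted above. The practical remedy is randomized padding such as OAEP rather than a bare length rule, but the check shows exactly which plain texts textbook RSA leaks.

```python
# Added example (not part of the dissertation): small-exponent RSA and the
# integer e-th root problem described in the text. All names are our own.
import random
from math import gcd


def iroot(x: int, e: int) -> int:
    """Largest integer r with r**e <= x, by binary search (exact on big ints)."""
    if x < 2:
        return x
    lo, hi = 1, 1 << (x.bit_length() // e + 1)   # hi**e > x always holds
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; probabilistic, but adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, e: int) -> int:
    """Random prime of the given size with gcd(e, p - 1) == 1, so e is a valid exponent."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(e, p - 1) == 1 and is_probable_prime(p):
            return p


def rsa_keygen(bits: int = 512, e: int = 3):
    """Toy RSA key; only the public part (e, N) is needed for this demonstration."""
    p = gen_prime(bits // 2, e)
    q = gen_prime(bits // 2, e)
    while q == p:
        q = gen_prime(bits // 2, e)
    return e, p * q


def encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA without padding, which is exactly the weak setting in the text."""
    return pow(m, e, n)


def eth_root_recovery(c: int, e: int):
    """If m**e < N, no modular reduction took place and c is a perfect e-th power over
    the integers; return that root. Otherwise c is (with overwhelming probability) not
    a perfect power and None is returned."""
    r = iroot(c, e)
    return r if r ** e == c else None


def min_plaintext_bits(n: int, e: int) -> int:
    """Bit length of the smallest m with m**e >= N, i.e. the bound m >= N^(1/e).
    For any 1024-bit N and e = 3 this is 342, the figure quoted in the text."""
    return (iroot(n - 1, e) + 1).bit_length()


def wraps_modulus(m: int, e: int, n: int) -> bool:
    """Defender-side check before unpadded encryption: True iff m**e >= N, i.e. the
    cypher text is a genuine residue and not just m**e written in the clear."""
    return m ** e >= n


if __name__ == "__main__":
    e, n = rsa_keygen(512, 3)
    short = random.getrandbits(128)              # 128-bit session key: 128 * 3 < 512
    print("minimum plain text bits for this N:", min_plaintext_bits(n, e))
    print("short key read back as cube root:", eth_root_recovery(encrypt(short, e, n), e) == short)
    long_key = random.getrandbits(300) | (1 << 299)   # 300 * 3 > 512, so it wraps
    print("long key wraps around N:", wraps_modulus(long_key, e, n))
```

Running the script prints the minimum plain text size for the generated modulus, confirms that a 128-bit key encrypted under a 512-bit modulus with e = 3 is recovered as an exact cube root, and shows that a 300-bit key does wrap around N, which is the property the length bound in the text guarantees.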
The success of the stereotyped message attack depends not on the size of the plain text, but rather on the fraction of its bits we know. To understand how this is possible, we introduce a classical example: suppose that each morning a central authority encrypts and sends to another user the plain text "The secret for 1, September, 2011 is ?????". Marvin, knowing this procedure (suppose he worked at the company and now wishes to have his revenge on it), will know most of the plain text and be ignorant of only a small part of it. Coppersmith [9] showed that, if both the unknown part (that is, the "?????") and the public exponent are sufficiently small, then Marvin can recover the part of the plain text which he still doesn't know.
Theorem 24. Suppose a plain text m is encrypted with the public key $\langle e, N \rangle$. Knowing $\langle e, N \rangle$, $c \equiv m^e \pmod{N}$ and all of the plain text m except a fraction smaller than $1/e$ of consecutive bits of m, we can calculate the unknown fraction of bits (and therefore m) in time polynomial in $\log(N)$ and e.
Proof. Because there is only a fraction of less than $1/e$ consecutive bits of m that we do not know, we can write $m = m_2 2^{k_2} + m_1 2^{k_1} + m_0$, where only the value of $m_1$ is unknown and $|m_1| < N^{1/e}$. Let $f_N(x) \in \mathbb{Z}_N[x]$ be the polynomial defined