dissertacao.pdf
y<br />
$$f_N(x) = 2^{-k_1 e}\left(\left(m_2 2^{k_2} + x\,2^{k_1} + m_0\right)^e - c\right) \pmod{N}. \quad (50)$$

Notice that $f_N(m_1) = 0 \pmod{N}$. So $m_1$ is a root of $f_N(x) \pmod{N}$ satisfying $|m_1| < N^{1/e}$, so we can apply Coppersmith's theorem to compute $m_1$ in time polynomial in $\log(N)$ and $e$ to find out $m$.
We implemented this attack and obtained the results shown in Table 7.

Table 7: Stereotyped Message Attack's Experimental Results

size of N    average running time (seconds)
8            0.000057
16           0.000073
32           0.000131
64           0.000247
128          0.000550
256          0.001167
512          0.002209
1024         0.004626
2048         0.009513

The reason for such fast results is that the final step of the attack, solving the univariate modular polynomial calculated, was not done. This is because we could not implement Coppersmith's method.

There are ways of easily avoiding this attack. We can just choose $e$ such that $e > \log_2(N)$, which means that Marvin would need to actually know the whole plain text. An alternative defence consists in applying to the plain text a random padding which will represent a fraction of more than $1/e$ of the bits of the message.
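
As an added illustration (not code from the dissertation), the following Python code builds the monic polynomial of equation (50) for constructed toy parameters, checks that m1 is a root mod N, and tests whether a given number of unknown bits falls inside the N^(1/e) bound that the two defences above are meant to break. The primes, message parts and function names are assumptions chosen for the example; Coppersmith's root-finding step is not included.

```python
from math import comb

def stereotyped_poly(N, e, c, m2, k2, m0, k1):
    """Coefficients [a_0, ..., a_e] of the monic f_N(x) of equation (50), mod N."""
    known = (m2 << k2) + m0            # known parts: m2 * 2^k2 + m0
    inv = pow(2, -k1 * e, N)           # 2^(-k1*e) mod N; needs N odd (Python 3.8+)
    # Binomial expansion of (known + x * 2^k1)^e, coefficient of x^i at index i.
    coeffs = [comb(e, i) * pow(known, e - i, N) * pow(2, k1 * i, N) % N
              for i in range(e + 1)]
    coeffs[0] = (coeffs[0] - c) % N    # subtract the ciphertext
    return [a * inv % N for a in coeffs]

def evaluate(coeffs, x, N):
    """Horner evaluation of the polynomial at x, mod N."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % N
    return acc

def unknown_part_is_exposed(unknown_bits, N, e):
    """True when every unknown_bits-bit value m1 satisfies m1 < N^(1/e),
    i.e. 2^(unknown_bits * e) <= N, so the root bound of the text holds."""
    return (1 << (unknown_bits * e)) <= N

# Constructed toy parameters (far too small for real use).
P, Q = 1_000_000_007, 998_244_353      # two well-known primes
N, E = P * Q, 3
K1, K2 = 16, 32                        # unknown bits occupy positions 16..31
M2, M1, M0 = 0x5EC2E7, 0xBEEF, 0x1234  # M1 is the part the attacker lacks
M = (M2 << K2) + (M1 << K1) + M0
C = pow(M, E, N)

F = stereotyped_poly(N, E, C, M2, K2, M0, K1)

if __name__ == "__main__":
    print("monic:", F[-1] == 1)
    print("f_N(m1) mod N:", evaluate(F, M1, N))
    for bits in (16, 24):
        print(bits, "unknown bits exposed:", unknown_part_is_exposed(bits, N, E))
```

With this 60-bit modulus and e = 3, a 16-bit unknown block is inside the bound while a 24-bit random pad (more than 1/e of the bits) is not.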

There is a heuristic extension to this attack. If the unknown bits are not contiguous, we can still recover them as long as the fraction of the total amount of bits does not exceed $1/e$ of the bits of the message. This result depends on a heuristic method created by Coppersmith [9] to find small solutions of bivariate modular polynomials. If these methods can be proved to be right, a stronger attack would be proved to exist.