dissertacao.pdf

Theorem 25. Let two plain texts m1, m2 satisfy m2 = am1 + b. Suppose this
two plain texts are encrypted with the public key < 3, N >. Then, knowing the
corresponding cypher texts c1, c2, a, b, N and e = 3, it is possible to compute m1
(and therefore m2) in time polynomial in log(N)
Proof. Knowing c1, c2, a, b, e, N we compute:
b(c2 + 2a3c1 − b3 )
a(c2 − a3c1 + 2b3 ) ∼ = m1(3a3bm2 1 + 3a2b2m1 + 3ab3 )
3a3bm2 1 + 3a2b2m1 + 3ab3 ∼ = m1 (mod N) (51)
All calculations are done in time polynomial in log(N), so we have the required
result.
It becomes clear that, when using public exponent e = 3, we cannot send
messages linearly related.
3.3.3 Random Padding Attack
As it was shown before, plain RSA without a prior padding scheme has been
proven to be insecure. So, when implementing RSA, it is mandatory to pad the
messages before encryption, that is, to transform the plain text m in the plain
text m ′ = m+b where b is usually a random number with some special structure
(for example, number of bits). This procedure needs special attention. When
the public exponent is e = 3 and the absolute value of b sufficiently small, an
attack by Coppersmith [9] allows for the recovery of the plain text.
Theorem 26. Let < 3, N > be a public key. Suppose two plain texts m1, m2
satisfying m2 = m1 + b are encrypted with the public key < 3, N >. Knowing
the two cypher texts c1 ∼ = m 3 1 (mod N) , c2 ∼ = m 3 2 (mod N) and the public key
< 3, N >, if |b| < N 1
9 , it is possible to compute m1 and m2 in time polynomial
in log(N).
Proof. We have that m 3 1 − c1 ∼ = 0 (mod N) and (m1 + b) 3 − c2 ∼ = 0 (mod N).
Now lets calculate the resultant, taking this two expressions as polynomials in
b:
Resultantm1 (m3 1 − c1, m1 + b) 3 − c2) ∼ =
∼= b 9 + (3c1 − 3c2)b 6 + (3c 2 1 + 21c1c2 + 3c 2 2)b 3 + (c1 − c2) 3 (mod N)
∼= 0 (mod N)
44