A new related message attack on RSA

Abstract

Coppersmith, Franklin, Patarin, and Reiter show that given two RSA cryptograms xe mod N and (ax + 6)e mod N for known constants a, b ∈ ℤN, one can compute x in O(e log 2 e) ℤN-operations with some positive error probability. We show that given e cryptograms ci ≡ (a ix + bi)e mod N, i = 0, 1,...e -1, for any known constants ai, bi, ∈ ℤN, one can deterministically compute x in O(e) ℤN-operations that depend on the cryptograms, after a pre-processing that depends only on the constants. The complexity of the pre-processing is O(e log2 e) ℤN-operations, and can be amortized over many instances. We also consider a special case where the overall cost of the attack is O(e) ℤN-operations. Our tools are borrowed from numerical-analysis and adapted to handle formal polynomials over finite-rings. To the best of our knowledge their use in cryptanalysis is novel. © International Association for Cryptologic Research 2005.