Common exponent attack

Suppose we're sending the same message to Alice, Bob, and Carol, and they all have the same small exponent. 

[Graphics:Images/rsaB_gr_1.gif]
[Graphics:Images/rsaB_gr_2.gif]
[Graphics:Images/rsaB_gr_3.gif]
[Graphics:Images/rsaB_gr_4.gif]
[Graphics:Images/rsaB_gr_5.gif]
[Graphics:Images/rsaB_gr_6.gif]
[Graphics:Images/rsaB_gr_7.gif]
[Graphics:Images/rsaB_gr_8.gif]
[Graphics:Images/rsaB_gr_9.gif]
[Graphics:Images/rsaB_gr_10.gif]
[Graphics:Images/rsaB_gr_11.gif]
[Graphics:Images/rsaB_gr_12.gif]
[Graphics:Images/rsaB_gr_13.gif]
[Graphics:Images/rsaB_gr_14.gif]
[Graphics:Images/rsaB_gr_15.gif]
[Graphics:Images/rsaB_gr_16.gif]
[Graphics:Images/rsaB_gr_17.gif]
[Graphics:Images/rsaB_gr_18.gif]
[Graphics:Images/rsaB_gr_19.gif]

Message to Alice: 

[Graphics:Images/rsaB_gr_20.gif]
[Graphics:Images/rsaB_gr_21.gif]
[Graphics:Images/rsaB_gr_22.gif]

Message to Bob: 

[Graphics:Images/rsaB_gr_23.gif]
[Graphics:Images/rsaB_gr_24.gif]
[Graphics:Images/rsaB_gr_25.gif]

Message to Carol: 

[Graphics:Images/rsaB_gr_26.gif]
[Graphics:Images/rsaB_gr_27.gif]
[Graphics:Images/rsaB_gr_28.gif]

Eve (an eavesdropper) hears the messages.  Eve knows 

[Graphics:Images/rsaB_gr_29.gif]

and similarly for the second half of the message.  (Everything here except P is public information!)  Then the Chinese Remainder Theorem (c. 1st century C.E.) says Eve can recover 

[Graphics:Images/rsaB_gr_30.gif]

using the magic formula 

[Graphics:Images/rsaB_gr_31.gif]
[Graphics:Images/rsaB_gr_32.gif]
[Graphics:Images/rsaB_gr_33.gif]
[Graphics:Images/rsaB_gr_34.gif]

But now Eve can use the small message attack: 

[Graphics:Images/rsaB_gr_35.gif]
[Graphics:Images/rsaB_gr_36.gif]

This is guaranteed to work if there are at least e messages.  Moral:  don't send identical messages!

Back to Top

Converted by Mathematica      February 7, 2001