9.3.1 A Small Public Exponent

We shall discuss here two particular dangers described in [Håst88] (see also [CoppFPR96]). The first one is the situation that several people have chosen the same (small) public exponent and that a sender wants to transmit the same message to all of them. The second danger is when a sender wants to transmit several mathematically related messages to the same receiver, who happens to have a small public exponent.

Both dangers may appear far-fetched to the reader, but since exponentiations modulo large numbers are still rather cumbersome, it remains very appealing in practical situations to select small public exponents.

Sending the Same Message to More Receivers Who All Have the Same Small Public Exponent

Suppose that Alice wants to send the same secret message m to Bob, Chuck, and Dennis. Let the public modulus of these three people be given by the numbers and Now assume that they all happen to have the same public exponent The messages that Alice will transmit are

Almost certainly the three moduli will be coprime (otherwise at least two of the moduli are compromised in a trivial way). The eavesdropper Eve, who intercepts and can use the Chinese Remainder Theorem (Thm. A.19) to determine from (9.11).

Since it can be assumed that holds. So, the above means that Eve in fact has found the integer To compute m is now straightforward.

Example 9.8

Suppose that and Let the three intercepted messages be given by and

To solve the system of linear congruence relations

with known right-hand sides and known moduli, we use the Mathematica function ChineseRemainderTheorem. To this end we first have to load the package

NumberTheory

We conclude that Since we even have

To find m is now easy.

Sending Related Messages to a Receiver with Small Public Exponent

Alice wants to send two secret messages, say and to Bob, who happens to have a public exponent that is rather small. Let be Bob's modulus. Now, assume that the two messages of Alice are related in a linear way, say where a and b are in and assume further that eavesdropper Eve knows this linear relation.

Coppersmith et al. [CoppFPR96] describe two surprising methods for Eve to recover the plaintext m.

Direct Method

We shall first describe this method for the case

Let the encryptions of and be denoted by resp. So, and Then

With the Mathematica function Simplify one can verify these calculations as follows

Example 9.9

Suppose that and that the messages and are related by So, and Let and Then can be computed with the Mathematica functions Mod and Solve as follows

So, we have found That this is indeed the solution can be verified quite easily as follows

If and a method like the above still exists. In fact, it can be shown [CoppFPR96] that polynomials P(m) and Q(m) exist such that each of them can be expressed as rational polynomials in and and such that For these polynomials are given by

To find such a solution, write and Next, substitute and in P and Q to obtain two polynomials in m of degree Now, equate the coefficients of m in This gives linear equations in the coefficients of P and Q. So, there is in fact a large solution space.

Since the number of terms in P(m) and Q(m) grows quadratically in e, the above approach will still be rather cumbersome for larger values of e.

Method through GCD calculation

For arbitrary values of e there is a more direct way to determine and from and when they satisfy a polynomial relation that is known to the eavesdropper. Suppose that

The idea is to compute the gcd of and Indeed, since is a zero of both polynomials, it follows that both are divisible by As a consequence, also the gcd will contain this factor. Almost certainly the gcd will not contain any other factors. We shall demonstrate this idea with an example.

Example 9.10

Let Further suppose that the message and are related by and that they are encrypted into resp. We want to compute

In general, this cannot be done since n_B is not prime.

Also Mathematica cannot do this directly. We shall simply follow the polynomial version of Euclid's Algorithm step by step. Problems may arise when numbers appear that are not coprime with n. This happens rarely and is not bad at all. Indeed, one almost always finds in this way a non-trivial factor of n,

In the first step we calculate and and then divide by We use the Mathematica functions PolynomialMod and Expand.

To keep the division process more manageable, we normalize by multiplying it with the multiplicative inverse of its leading coefficient We use the Mathematica function PowerMod.

We conclude that and that

Therefore, the secret message m is 543. One can check this with the Mathematica function PowerMod.

The above approach of finding m by computing a gcd is still practical for e up to 32 bits long ([CoppFPR96]).
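
The gcd method above, written out as an added Python example (not code from the book, which uses Mathematica): it follows the polynomial version of Euclid's Algorithm modulo n on x^e - c1 and (a*x + b)^e - c2, normalizing each divisor with the inverse of its leading coefficient, and reads the first message off the linear gcd. The names m1, m2, c1, c2, the linear relation m2 = a*m1 + b, all function names and the demo values (two Mersenne primes, e = 5) are assumptions constructed for illustration.

```python
from math import comb, gcd

def trim(p):
    """Drop zero high-order coefficients (lists are lowest degree first)."""
    while p and p[-1] == 0:
        p.pop()
    return p

def monic(p, n):
    """Scale p so its leading coefficient is 1, as the text does with PowerMod."""
    g = gcd(p[-1], n)
    if g != 1:  # the rare case the text mentions: g is a non-trivial factor of n
        raise ArithmeticError(f"leading coefficient shares factor {g} with n")
    inv = pow(p[-1], -1, n)
    return [c * inv % n for c in p]

def poly_rem(a, b, n):
    """Remainder of a divided by monic b, coefficients reduced mod n."""
    a = a[:]
    while len(a) >= len(b):
        lead, shift = a[-1], len(a) - len(b)
        for i, coeff in enumerate(b):
            a[shift + i] = (a[shift + i] - lead * coeff) % n
        trim(a)
    return a

def poly_gcd(a, b, n):
    """Polynomial Euclid over Z_n; returns the monic gcd."""
    while b:
        a, b = b, poly_rem(a, monic(b, n), n)
    return monic(a, n)

def recover_m1(c1, c2, a, b, e, n):
    """Common root of x^e - c1 and (a*x + b)^e - c2 mod n, or None."""
    f1 = [-c1 % n] + [0] * (e - 1) + [1]
    f2 = [comb(e, k) * pow(a, k, n) * pow(b, e - k, n) % n for k in range(e + 1)]
    f2[0] = (f2[0] - c2) % n
    g = poly_gcd(f1, trim(f2), n)
    return -g[0] % n if len(g) == 2 else None

# Constructed demo values (not from the page): two Mersenne primes, e = 5.
N = (2**107 - 1) * (2**127 - 1)
E, A, B = 5, 3, 2024
M1 = int.from_bytes(b"wire 543 to Bob", "big")
M2 = (A * M1 + B) % N
C1, C2 = pow(M1, E, N), pow(M2, E, N)

if __name__ == "__main__":
    print(recover_m1(C1, C2, A, B, E, N) == M1)
```

The computation depends on the relation between the two plaintexts being known exactly; randomized padding such as OAEP removes that known algebraic relation.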