Solving simultaneous modular equations of low degree
Citations
13,597 citations
Cites background from "Solving simultaneous modular equati..."
...2(ii)) is discussed by Håstad [544], who showed more generally that sending the encryptions of more than e(e+ 1)/2 linearly related messages (messages of the form (aim + bi), where the ai and bi are known) enables an eavesdropper to recover the messages provided that the moduli ni satisfy ni > 2(e+1)....
[...]
2,893 citations
Cites methods from "Solving simultaneous modular equati..."
...The motivation for their work was to account for attacks such as Håstad’s attacks [195] whereby an adversary can easily recover a plaintext m if the same m (or linearly related m) is encrypted for three legitimate entities using the basic RSA encryption scheme with encryption exponent e = 3....
[...]
743 citations
673 citations
620 citations
Cites methods from "Solving simultaneous modular equati..."
...The following theorem is a stronger version of Hastad’s original result....
[...]
...As a first application of Coppersmith’s theorem, we present an improvement to an old attack due to Hastad [11]....
[...]
...Hastad’s Broadcast Attack As a first application of Coppersmith’s theorem, we present an improvement to an old attack due to Hastad [11]....
[...]
...Theorem 6 (Hastad)....
[...]
...Unfortunately, Hastad showed that this linear padding is insecure....
[...]
References
14,340 citations
"Solving simultaneous modular equati..." refers methods in this paper
...Two of their essential ingredients were Shamir's method of sharing a secret [11] and the use of a deterministic PKC....
[...]
1,292 citations
"Solving simultaneous modular equati..." refers background in this paper
...Another way of encrypting messages was proposed by Rabin [9]....
[...]
...References: [1] Alexi W., Chor B., Goldreich O. and Schnorr C.P. \RSA/Rabin Bits are 12+ 1 poly(logN) Secure" Proceedings of 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, 449-457....
[...]
...Using the same methods we get: Application 2: Sending linearly related messages using the Rabin encryption function is insecure....
[...]
...[9] Rabin M....
[...]
1,257 citations
"Solving simultaneous modular equati..." refers background in this paper
...Hermite's constant is not known exactly for n > 8 but Minkowski,s convex body theorem ([5], ix....
[...]
46 citations
"Solving simultaneous modular equati..." refers background in this paper
...By [1],[3] this can be done with as much e ciency as in the deterministic case....
[...]