Lattice Reduction on Low-Exponent RSA

Coppersmith’s algorithm relies on a simple flaw in the RSA algorithm when messages are small compared to the public number N . Consider a message x encrypted with exponent e = 3 using modulus N for the public key where a < 3 √ N . Then the encryption z of x can be decrypted simply by taking the cube root, because the x operation never rotated x over the modulus N . This is a highly specific case, but it can be generalized to other cases, the most interesting being Coppersmith’s short pad attack. In the short pad attack the message has the same conditions as above but also a simple padding P which is known to the code-breaker. When e = 3 the encryption can be considered forming the polynomial (x+P ) = z. Then Coppersmith’s algorithm can be applied – this will solve the polynomial, reducing the case to the simple one above. (For a discussion of good padding that disallows this attack, see the section on Proper Use of Random Padding.) Also of note is the Franklin-Reiter related message attack. If the user sends related messages such that the related part can be considered equivalent to “padding”, the same problem arises. (An example of this might be starting a set of messages with “The password is”.) The sending of similar messages is a user problem, not an programmer problem, and thus cannot be controlled. While it is extremely unlikely the proper conditions will occur, any user action must be accounted for. The discussion here will be restricted to the short pad attack, but the fact the related message attack exists will become important later.