5.2 Verifiable Signature Sharing
Abstract
A linear protocol failure for RSA with exponent three. A method for obtaining digital signatures and public-key cryptosystems. distribution protocol for digital mobile communication systems.

… are linear combinations of the unknowns $b_j$ with known coefficients, $S_{i_0}$ can compute a linear relation that holds among the shares:

$$\sum_{j=0}^{k} p_j\, B(i_j) = 0 \pmod N. \qquad (2)$$

Since server $S_{i_0}$ knows $p_0 B(i_0)$, which is nonzero with high probability, it can learn an inhomogeneous linear relation among the other $k$ terms $\{p_j B(i_j)\}_{1 \le j \le k}$:

$$\sum_{j=1}^{k} p_j\, B(i_j) = -p_0\, B(i_0) \pmod N.$$

Using this information, and the easily computable ciphertext $p_j^e B(i_j)^e \bmod N$ of each term, it can use the techniques described before to recover each term $p_j B(i_j)$ and hence $B(i_j)$. Using Lagrange interpolation, it can then recover the secret polynomial $B$ and the signature $b_0$.

It is interesting to note that this attack fails for a passive eavesdropper that is not one of the $n$ servers. Such an eavesdropper sees only the published RSA encryptions of each share, i.e., $\{B(i)^e \bmod N\}_{1 \le i \le n}$. The eavesdropper can again find a linear equation of the form (2) among any $k+1$ of the shares. However, since this equation is homogeneous, it can recover only homogeneous polynomials of degree $e$ in the terms $p_j B(i_j)$ (see Section 4.2).

6 Conclusion

We have identified a new class of attacks against RSA with low encrypting exponent, which exploit known polynomial relationships among the encrypted messages. This can lead to weaknesses in protocols for which such relationships can be inferred. When the relationships are essential to the correctness of a protocol, as in the case of Section 5.2, the only repair seems to be increasing the size of the encrypting exponent. If the polynomial relationships are not essential, then another repair might be to transform the plaintexts so that those relationships no longer hold. Possible transformations are applying a public permutation, such as DES with a fixed key, or padding the plaintext with random bits (though this may not always suffice; see [2]). Such transformations are discussed, e.g., in [1]. Due to the widespread popularity of RSA with low encrypting exponent, our attacks …
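The insider attack of Section 5.2, carried end to end as an added Python illustration; this is not code from the paper. The assumed setting is the smallest one in which the attack is visible: the dealer shares the signature $b_0$ with a degree-one polynomial $B(x) = b_0 + b_1 x \bmod N$ (threshold 2, three servers at $x = 1, 2, 3$) and publishes $B(i)^e \bmod N$ with $e = 3$; server 1 knows its own share in the clear and turns the homogeneous relation (2) into an affine relation $B(3) = \alpha B(2) + \beta$ between the two unknown shares. The "techniques described before" are realised here as the polynomial-gcd recovery of two messages linked by a known affine relation (the standard related-message method); that this matches the paper's Section 4 procedure exactly is an assumption, as are the constructed modulus (the product of the Mersenne primes $M_{89}$ and $M_{127}$), the share indices, and every function name. The block also runs the attack with what a passive eavesdropper has (the homogeneous relation, so $\alpha$ but not $\beta$) and gets no linear factor, matching the remark about the outsider.

```python
# Added illustration (not the paper's code): an insider attack on a threshold-2
# verifiable signature sharing whose shares are published as B(i)^e mod N.
import random

# Constructed modulus: the Mersenne primes M89 and M127 give a ~216-bit N; e = 3.
P, Q = (1 << 89) - 1, (1 << 127) - 1
N, E = P * Q, 3

# --- polynomial arithmetic over Z_N; coefficient lists, lowest degree first ---
def poly_trim(p, n):
    p = [c % n for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mul(a, b, n):
    out = [0] * (len(a) + len(b) - 1)
    for i, ac in enumerate(a):
        for j, bc in enumerate(b):
            out[i + j] = (out[i + j] + ac * bc) % n
    return out

def poly_mod(a, b, n):
    """Remainder of a divided by b; the leading coefficient of b must be invertible mod n."""
    a, b = poly_trim(a, n), poly_trim(b, n)
    inv_lc = pow(b[-1], -1, n)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv_lc % n, len(a) - len(b)
        for i, bc in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * bc) % n
        a = poly_trim(a, n)
    return a

def poly_gcd(a, b, n):
    """Monic gcd by Euclid; over Z_N it fails only if a leading coefficient shares a factor with N."""
    a, b = poly_trim(a, n), poly_trim(b, n)
    while b:
        a, b = b, poly_mod(a, b, n)
    inv = pow(a[-1], -1, n)
    return [c * inv % n for c in a]

# --- related-message recovery: c1 = m1^e, c2 = (alpha*m1 + beta)^e, alpha and beta known ---
def related_message_attack(c1, c2, alpha, beta, e, n):
    """Return m1, or None when gcd(x^e - c1, (alpha*x + beta)^e - c2) has no linear factor."""
    f1 = [(-c1) % n] + [0] * (e - 1) + [1]          # x^e - c1
    f2 = [1]
    for _ in range(e):
        f2 = poly_mul(f2, [beta, alpha], n)          # (alpha*x + beta)^e
    f2[0] = (f2[0] - c2) % n
    g = poly_gcd(f1, f2, n)
    return (-g[0]) % n if len(g) == 2 else None      # g(x) = x - m1

# --- the linear relation (2) among shares, and Lagrange interpolation ---
def dependence_coefficients(xs, n):
    """p_j with sum_j p_j*B(x_j) = 0 for every B of degree < len(xs)-1 (divided-difference weights)."""
    coeffs = []
    for j, xj in enumerate(xs):
        den = 1
        for i, xi in enumerate(xs):
            if i != j:
                den = den * (xj - xi) % n
        coeffs.append(pow(den, -1, n))
    return coeffs

def interpolate_at_zero(points, n):
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for i, (xi, _) in enumerate(points):
            if i != j:
                num, den = num * (-xi) % n, den * (xj - xi) % n
        total = (total + yj * num * pow(den, -1, n)) % n
    return total

def insider_attack(published, own_index, own_share, e, n):
    """Server own_index recovers b0 from the published {B(i)^e} and its own clear share."""
    xs = sorted(published)                            # three share indices, threshold 2
    p = dependence_coefficients(xs, n)
    x1, x2 = [x for x in xs if x != own_index]
    p0, p1, p2 = (p[xs.index(x)] for x in (own_index, x1, x2))
    # p1*B(x1) + p2*B(x2) = -p0*B(own)  =>  B(x2) = alpha*B(x1) + beta, an affine relation
    inv_p2 = pow(p2, -1, n)
    alpha, beta = (-p1 * inv_p2) % n, (-p0 * own_share * inv_p2) % n
    share1 = related_message_attack(published[x1], published[x2], alpha, beta, e, n)
    if share1 is None:
        return None
    return interpolate_at_zero([(own_index, own_share), (x1, share1)], n)

def demo(seed=7, e=E):
    """Constructed instance: B(x) = b0 + b1*x mod N, shares at x = 1, 2, 3, insider is server 1."""
    rng = random.Random(seed)
    b0, b1 = rng.randrange(1, N), rng.randrange(1, N)
    shares = {i: (b0 + b1 * i) % N for i in (1, 2, 3)}
    published = {i: pow(s, e, N) for i, s in shares.items()}
    recovered = insider_attack(published, 1, shares[1], e, N)
    # A passive eavesdropper knows only the homogeneous relation (alpha = 2 here, beta unknown).
    outsider = related_message_attack(published[2], published[3], 2, 0, e, N)
    return {"b0": b0, "recovered": recovered, "outsider": outsider}

if __name__ == "__main__":
    r = demo()
    print("insider recovers b0:", r["recovered"] == r["b0"], "| outsider:", r["outsider"])
```

Running the file shows the insider recovering $b_0$ while the outsider's gcd collapses to a constant. Calling `demo(seed=3, e=5)` runs the same attack with a larger exponent: only the degree of the two polynomials, and hence the cost of the gcd, grows, which is the sense in which the conclusion's remedy of a larger encrypting exponent works.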
Related resources
Publicly Verifiable Secret Sharing
A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publi...
Efficient Convertible Undeniable Signature Schemes
Undeniable signatures are digital signatures which are not universally verifiable but can only be checked with the signer's help. However, the signer cannot deny the validity of a correct signature. An extended concept, convertible undeniable signatures, allows the signer to convert single undeniable signatures or even the whole scheme into universally verifiable signatures or into an ordinary d...
Verifiable Escrowed Signature
We combine a publicly verifiable encryption technique and a Schnorr type signature scheme to achieve a verifiable escrowed signature scheme. The scheme allows a signer to convince a verifier of the validity of a signature without letting him see the signature value. The unavailable but verifiable signature is encrypted under a public key of someone (e.g., a trusted third party) who stays off-line. The ...
Verifiable Secret Sharing as Secure
Verifiable Secret Sharing is a fundamental primitive for secure cryptographic design. We present a stronger notion of verifiable secret sharing and exhibit a protocol implementing it. We show that our new notion is preferable to the old ones whenever verifiable secret sharing is used as a tool within larger protocols, rather than being a goal in itself. Indeed our definition, and so our protocol sa...
Verifiable Secret Sharing as Secure Computation
We present a stronger notion of verifiable secret sharing and exhibit a protocol implementing it. We show that our new notion is preferable to the old ones whenever verifiable secret sharing is used as a tool within larger protocols, rather than being a goal in itself.
Publication date: 1979