# Low exponent attack against elliptic curve RSA

Conference paper

First Online:

## Abstract

Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if time-stamp is used for each receiver. For example, let *e*=3. Then if the number of receivers =7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver.

This paper shows that elliptic curve RSA is not secure in the same scenario. It is shown that the KMOV scheme and Demytko's scheme are not secure if *e*=5, *n*≥2^{1024} and the number of receivers =428. In Demytko's scheme, *e* can take the value of 2. In this case, this system is not secure if the number of receiver =11 for *n*≥2^{175}.

## Preview

Unable to display preview. Download preview PDF.

## References

- 1.J.Hastad: On using RSA with low exponent in a public key network. Proc. of Crypto'85, pp.403–408 (1985)Google Scholar
- 2.K.Koyama, U.M.Maurer, T.Okamoto and S.A.Vanstone: New public-key schemes based on elliptic curves over the ring
*Z*_{n}. Proc. of Crypto'91 (1991)Google Scholar - 3.N.Demytko: A new elliptic curve based analogue of RSA. Proc. of Eurocrypt'93, pp.39–48, May 24 (1993)Google Scholar
- 4.D.M.Bressoud: Factorization and primality testing. Springer-Verlag (1989)Google Scholar
- 5.K.Kurosawa and S.Tsujii: Low exponent attack against elliptic curve RSA. Technical Report of IEICE, ISEC94-2, pp.11–17 (1994)Google Scholar
- 6.H.Kuwakado and K.Koyama: On the security of RSA-type schemes over cubic curves against the Hastad attack. Technical report of IEICE, ISEC94-10, pp.23–30 (1994)Google Scholar

## Copyright information

© Springer-Verlag Berlin Heidelberg 1995