2

Let's say we have the following information: $e = 3$, $C$ is the ciphertext and $M$ is the plaintext with $C=M^3\pmod N$, and $N$ is a product of two primes.

We also have the size of the original message $M$, which is 342 bits, and $N$, which is $1024$ bits. So the goal is to recover the original message $M$ based on the given information. I know that if $M^e < N$ then I can just apply $\sqrt[e]{C}$ and get back the original message. In this case it will be $\sqrt[3]{C}$. However, it is possible that $M^3$ is greater than $N$ in this case, as $(2^{342})^3 = 2^{1026} > 2^{1024}$. So this method sometimes doesn't work when $M^3 > N$. Is there any way to brute force or compute the rest so that I can still get the original message when $M^3 > N$? I feel like the sizes of $N$ and $M$ are quite important, but I can't quite figure out the way to do this.

qweqwqwe

1 Answer

3

We know that $C=M^e\bmod N$, that is $M^e=k\,N+C$ for some $k$. If, as in the title,

$M^e$ and $N$ are close

for some definition of "close", then $k$ is "small" and perhaps small enough that it can be found by (implicit) enumeration:

  • $X:=C$
  • repeat
    • if $\sqrt[e]X$ is an integer, output it, which is $M$, and stop.
    • $X:=X+N$ (this is executed exactly $k$ times)

When the "$\sqrt[e]X$ is an integer" test is done with Newton-Raphson, that dominates the cost. But some speedups are possible. For example, for $e=3$, we can speed up that test by computing $X\bmod m$ for $m=2^3\times3^3\times7\times13\times19=373464$ and checking if the result is one of the $3675$ (<1%) possible values for a cube. Even better, we can compute which multiple of $N$ we should add to go from one $X$ passing this test to the next, and this will speed up things by almost a hundred. By considering several small moduli, we can get a speedup of several thousands, and solve the problem for $k$ many billions.

I guess there are better methods using Coppersmith's theorem. This unanswered question asks how low $M$ can safely be for $e=3$ and 2048-bit $N$.

fgrieu
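The enumeration described in the answer, with its first speedup (the cube-residue filter modulo $373464$), written out as an added example that is not part of the original answer. The modulus `N`, the message `M` and the helper names `icbrt` and `recover` are constructed for illustration; the "jump to the next passing multiple" optimisation is not implemented.

```python
# Added example: recover M from C = M^3 mod N by enumerating k (M^3 = k*N + C).
E = 3
FILTER_M = 2**3 * 3**3 * 7 * 13 * 19  # 373464, the modulus from the answer
# Every value a cube can take mod FILTER_M (3675 of them, under 1%).
CUBE_RESIDUES = {pow(x, E, FILTER_M) for x in range(FILTER_M)}


def icbrt(x):
    """Floor of the cube root of a non-negative int (integer Newton iteration)."""
    if x < 2:
        return x
    r = 1 << -(-x.bit_length() // 3)  # power of two that is >= cbrt(x)
    while True:
        nxt = (2 * r + x // (r * r)) // 3
        if nxt >= r:
            return r
        r = nxt


def recover(c, n, max_k=1 << 20):
    """Return (M, k) such that M**3 == c + k*n, or None if no k <= max_k fits."""
    r, step = c % FILTER_M, n % FILTER_M  # track X mod FILTER_M incrementally
    for k in range(max_k + 1):
        if r in CUBE_RESIDUES:  # cheap filter before the costly root
            x = c + k * n
            root = icbrt(x)
            if root**3 == x:
                return root, k
        r = (r + step) % FILTER_M
    return None


# Constructed sample values (assumptions, not from the page).
N = (2**521 - 1) * (2**607 - 1)  # product of two Mersenne primes, 1128 bits
M = (1 << 381) + int.from_bytes(b"constructed sample message", "big")
C = pow(M, E, N)

if __name__ == "__main__":
    m, k = recover(C, N)
    print("k =", k)
    print("recovered:", m.to_bytes(48, "big")[-26:])
```

Only the candidates whose residue is a possible cube reach the integer cube root, which is the expensive step the answer refers to.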