基于格的通用私钥攻击(RSA用了同一个d)
假设现在有r组n,e,他们的私钥均为d,则有:
e1*d = k1*phi(N1) + 1
e2*d = k2*phi(N2) + 1
. . .
*erd = kr*phi(N3) + 1
此处默认(N1 < N2 < … < Nr < 2Nr )
令 M = [Nr1/2 ]
phi(Nr )= Ni - si 且ki < d (i = 1,2,…,r)
则有:ei*d - Ni*ki = 1 - ki*si
可以列出下列等式:
dM = dM
e1*d - N1*k1 = 1 - k1*s1
e2*d - N2*k2 = 1 - k2*s2
. . .
er*d - Nr*kr = 1 - kr*sr
可以构造
x
r
∗
B
r
=
v
r
x
r
=
(
d
,
k
1
,
k
2
,
.
.
.
,
k
r
)
x_r*B_r = v_r\\ x_r = (d,k_1,k_2,...,k_r)
xr∗Br=vrxr=(d,k1,k2,...,kr)
B
r
=
[
M
e
1
⋯
e
r
0
−
N
1
⋯
0
⋮
⋮
⋱
⋮
0
0
⋯
−
N
r
]
v
r
=
(
d
M
,
1
−
k
1
∗
s
1
,
.
.
.
,
1
−
k
r
∗
s
r
)
B_r = \begin{bmatrix} {M}&{e_1}&{\cdots}&{e_r}\\ {0}&{-N_1}&{\cdots}&{0}\\ {\vdots}&{\vdots}&{\ddots}&{\vdots}\\ {0}&{0}&{\cdots}&{-N_r}\\ \end{bmatrix}\\ vr = (dM,1-k_1*s_1,...,1-k_r*s_r)
Br=⎣⎢⎢⎢⎡M0⋮0e1−N1⋮0⋯⋯⋱⋯er0⋮−Nr⎦⎥⎥⎥⎤vr=(dM,1−k1∗s1,...,1−kr∗sr)
而后对Br 使用LLL算法得到向量b,最后
d
=
∣
b
∣
M
d = \frac{|b|}{M}
d=M∣b∣