A new related message attack on RSA

Coppersmith, Franklin, Patarin, and Reiter show that given two RSA cryptograms x(e) mod N and (ax+b)(e) mod N for known constants a, b is an element of Z(N), one can usually compute x in O(e log(2) e) Z(N)-operations (there axe O(e(2)) messages for which the method fails). We show that given e cryptograms c(i)equivalent to(a(i)x+b(i))(e) mod N, i=0, 1,...e-1, for any known constants a(i), b(i) is an element of Z(N), one can deterministically compute x in O(e) Z(N)-operations that depend on the cryptograms, after a pre-processing that depends only on the constants. The complexity of the pre-processing is O(e log(2) e) Z(N)-operations, and can be amortized over many instances. We also consider a special case where the overall cost of the attack is O(e) Z(N)-operations. Our tools are borrowed from numerical-analysis and adapted to handle formal polynomials over finite-rings. To the best of our knowledge their use in cryptanalysis is novel.