Common modulus attack

Suppose Alice sends the RSA encryptions of the same message $m$ to two people using the same RSA modulus $n$ and relatively prime public exponents $e_1$ and $e_2$. An attacker can retrieve the message $m$ only from the public data (i.e., the modulus $n$, the public exponents $e_1$ and $e_2$, and the encryptions $c_i = m^{e_i} \bmod{n}$ for $i = 1, 2$).

By using the extended Euclidean algorithm, one can compute integers $a$ and $b$ such that $a e_1 + b e_2 = 1$. Then the message $m$ can be retrieved as $c_1^a c_2^b \equiv m^{a e_1 + b e_2} \equiv m \pmod{n}$.

Example

Let $n = 55$, $e_1 = 3$, $e_2 = 7$, $c_1 = 8$ and $c_2 = 18$.

In [1]:
from algorithms.euclidean import eea
n = 55
e1, e2 = 3, 7
c1, c2 = 8, 18

Let us compute $a$ and $b$.

In [2]:
a, b = eea(c1, c2)
a, b
Out[2]:
(-2, 1)

We can now retrieve the message.

In [3]:
m = c1^a * c2^b % n
m
Out[3]:
2

Let us verify that the decryption really encrypts to the given ciphertexts.

In [4]:
[m^e % n for e in (e1, e2)]
Out[4]:
[8, 18]