# PARTIAL KEY EXPOSURE ATTACKS ON RSA AND ITS VARIANT BY GUESSING A FEW BITS OF ONE OF THE PRIME FACTORS

• Published : 2009.07.31

#### Abstract

Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We first study cryptanalysis of RSA when certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. The basic lattice based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime p substantially reduces the requirement of MSBs or LSBs of d for the key exposure attack. Further, we consider the RSA variant proposed by Sun and Yang in PKC 2005 and show that the partial key exposure attack works significantly on this variant.

#### References

1. J. Blomer and A. May, New partial key exposure attacks on RSA, Advances in cryptology-CRYPTO 2003, 27–43, Lecture Notes in Comput. Sci., 2729, Springer, Berlin, 2003
2. J. Blomer and A. May, A generalized Wiener attack on RSA, Public key cryptography-PKC 2004, 1–13, Lecture Notes in Comput. Sci., 2947, Springer, Berlin, 2004
3. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (1999), no. 2, 203–213
4. D. Boneh, G. Durfee, and Y. Frankel, Exposing an RSA private key given a small fraction of its bits, AsiaCrypt'98, LNCS 1514, pp. 25–34, Springer-Verlag, 1998
5. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology 10 (1997), no. 4, 233–260 https://doi.org/10.1007/s001459900030
6. A. Duejella, Continued fractions and RSA with small secret exponent, Tatra Mt. Math. Publ. 29 (2004), 101–112
7. M. Ernst, E. Jochemsz, A. May, and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in cryptology-EUROCRYPT 2005, 371–386, Lecture Notes in Comput. Sci., 3494, Springer, Berlin, 2005 https://doi.org/10.1007/11836810_15
8. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and coding (Cirencester, 1997), 131–142, Lecture Notes in Comput. Sci., 1355, Springer, Berlin, 1997 https://doi.org/10.1007/BFb0024458
9. E. Jochemsz, Cryptanalysis of RSA variants using small roots of polynomials, Ph. D. thesis, Technische Universiteit Eindhoven, 2007
10. P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, CRYPTO '99, 388–397, Lecture Notes in Comput. Sci., 1666, Springer, 1999 https://doi.org/10.1007/3-540-48405-1_25
11. A. K. Lenstra, H. W. Lenstra, and L. Lov´asz, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534 https://doi.org/10.1007/BF01457454
12. A. Nitaj, Another Generalization of Wiener's Attack on RSA, Progress in Cryptology-AFRICACRYPT 2008, 174–190, Lecture Notes in Comput. Sci., 5023, Springer-Verlag, 2008 https://doi.org/10.1007/978-3-540-68164-9_12
13. J. M. Pollard, Theorems on factorization and primality testing, Proc. Cambridge Philos. Soc. 76 (1974), 521–528 https://doi.org/10.1017/S0305004100049239
14. R. Steinfeld, S. Contini, H.Wang, and J. Pieprzyk, Converse results to the Wiener attack on RSA, Public key cryptography-PKC 2005, 184–198, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
15. D. R. Stinson, Cryptography-Theory and Practice, 2nd Edition, 2nd Edition, 2002
16. H.-M. Sun, M.-E.Wu, and Y.-H. Chen, Estimating the prime-factors of an RSA modulus and an extension of the Wiener attack, Applied Cryptography and Network Security, 116–128, Lecture Notes in Comput. Sci., 4521, Sprigner, 2007 https://doi.org/10.1007/978-3-540-72738-5_8
17. H.-M. Sun and C.-T. Yang, RSA with balanced short exponents and its application to entity authentication, Public key cryptography-PKC 2005, 199–215, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
18. B. de Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput. 13 (2002), no. 1, 17–28 https://doi.org/10.1007/s002000100088
19. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558 https://doi.org/10.1109/18.54902
20. H. C. Williams, A p+1 method of factoring, Math. Comp. 39 (1982), no. 159, 225–234
21. J. Blomer and A. May, Low secret exponent RSA revisited, Cryptography and lattices (Providence, RI, 2001), 4–19, Lecture Notes in Comput. Sci., 2146, Springer, Berlin, 2001 https://doi.org/10.1007/3-540-44670-2_2
22. D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than $N^{0.292}$, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349 https://doi.org/10.1109/18.850673
23. D. Boneh, R. DeMillo, R. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract), Advances in cryptology-EUROCRYPT '97 (Konstanz), 37–51, Lecture Notes in Comput. Sci., 1233, Springer, Berlin, 1997 https://doi.org/10.1007/3-540-69053-0_4
24. J. Hastad, On using RSA with low exponent in a public key network, Advances in cryptology-CRYPTO '85 (Santa Barbara, Calif., 1985), 403–408, Lecture Notes in Comput. Sci., 218, Springer, Berlin, 1986
25. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, Proc. Crypto'96, 104–113, Lecture Notes in Comput. Sci., 1109, Springer- Verlag, 1996 https://doi.org/10.1007/3-540-68697-5_9
26. A. May, Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007. Available at http://www.informatik.tu-darmstadt.de/KP/alex.html [last accessed 23 December, 2008]
27. R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), no. 2, 120–126 https://doi.org/10.1145/359340.359342
28. E. R. Verheul and H. C. A. van Tilborg, Cryptanalysis of 'less short' RSA secret exponents, Appl. Algebra Engrg. Comm. Comput. 8 (1997), no. 5, 425–435 https://doi.org/10.1007/s002000050082