PARTIAL KEY EXPOSURE ATTACKS ON RSA AND ITS VARIANT BY GUESSING A FEW BITS OF ONE OF THE PRIME FACTORS

  • Published : 2009.07.31

Abstract

Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We first study cryptanalysis of RSA when a certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. The basic lattice-based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime p substantially reduces the requirement of MSBs or LSBs of d for the key exposure attack. Further, we consider the RSA variant proposed by Sun and Yang in PKC 2005 and show that the partial key exposure attack works significantly on this variant.

References

  1. J. Blömer and A. May, Low secret exponent RSA revisited, Cryptography and lattices (Providence, RI, 2001), 4–19, Lecture Notes in Comput. Sci., 2146, Springer, Berlin, 2001 https://doi.org/10.1007/3-540-44670-2_2
  2. J. Blömer and A. May, New partial key exposure attacks on RSA, Advances in cryptology-CRYPTO 2003, 27–43, Lecture Notes in Comput. Sci., 2729, Springer, Berlin, 2003
  3. J. Blömer and A. May, A generalized Wiener attack on RSA, Public key cryptography-PKC 2004, 1–13, Lecture Notes in Comput. Sci., 2947, Springer, Berlin, 2004
  4. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (1999), no. 2, 203–213
  5. D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than $N^{0.292}$, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349 https://doi.org/10.1109/18.850673
  6. D. Boneh, G. Durfee, and Y. Frankel, Exposing an RSA private key given a small fraction of its bits, AsiaCrypt'98, LNCS 1514, pp. 25–34, Springer-Verlag, 1998
  7. D. Boneh, R. DeMillo, R. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract), Advances in cryptology-EUROCRYPT '97 (Konstanz), 37–51, Lecture Notes in Comput. Sci., 1233, Springer, Berlin, 1997 https://doi.org/10.1007/3-540-69053-0_4
  8. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology 10 (1997), no. 4, 233–260 https://doi.org/10.1007/s001459900030
  9. A. Dujella, Continued fractions and RSA with small secret exponent, Tatra Mt. Math. Publ. 29 (2004), 101–112
  10. M. Ernst, E. Jochemsz, A. May, and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in cryptology-EUROCRYPT 2005, 371–386, Lecture Notes in Comput. Sci., 3494, Springer, Berlin, 2005 https://doi.org/10.1007/11836810_15
  11. J. Håstad, On using RSA with low exponent in a public key network, Advances in cryptology-CRYPTO '85 (Santa Barbara, Calif., 1985), 403–408, Lecture Notes in Comput. Sci., 218, Springer, Berlin, 1986
  12. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and coding (Cirencester, 1997), 131–142, Lecture Notes in Comput. Sci., 1355, Springer, Berlin, 1997 https://doi.org/10.1007/BFb0024458
  13. E. Jochemsz, Cryptanalysis of RSA variants using small roots of polynomials, Ph. D. thesis, Technische Universiteit Eindhoven, 2007
  14. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, Proc. Crypto'96, 104–113, Lecture Notes in Comput. Sci., 1109, Springer-Verlag, 1996 https://doi.org/10.1007/3-540-68697-5_9
  15. P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, CRYPTO '99, 388–397, Lecture Notes in Comput. Sci., 1666, Springer, 1999 https://doi.org/10.1007/3-540-48405-1_25
  16. A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534 https://doi.org/10.1007/BF01457454
  17. A. May, Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007. Available at http://www.informatik.tu-darmstadt.de/KP/alex.html [last accessed 23 December, 2008]
  18. A. Nitaj, Another Generalization of Wiener's Attack on RSA, Progress in Cryptology-AFRICACRYPT 2008, 174–190, Lecture Notes in Comput. Sci., 5023, Springer-Verlag, 2008 https://doi.org/10.1007/978-3-540-68164-9_12
  19. J. M. Pollard, Theorems on factorization and primality testing, Proc. Cambridge Philos. Soc. 76 (1974), 521–528 https://doi.org/10.1017/S0305004100049239
  20. R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), no. 2, 120–126 https://doi.org/10.1145/359340.359342
  21. R. Steinfeld, S. Contini, H. Wang, and J. Pieprzyk, Converse results to the Wiener attack on RSA, Public key cryptography-PKC 2005, 184–198, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
  22. D. R. Stinson, Cryptography-Theory and Practice, 2nd Edition, 2002
  23. H.-M. Sun, M.-E. Wu, and Y.-H. Chen, Estimating the prime-factors of an RSA modulus and an extension of the Wiener attack, Applied Cryptography and Network Security, 116–128, Lecture Notes in Comput. Sci., 4521, Springer, 2007 https://doi.org/10.1007/978-3-540-72738-5_8
  24. H.-M. Sun and C.-T. Yang, RSA with balanced short exponents and its application to entity authentication, Public key cryptography-PKC 2005, 199–215, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
  25. E. R. Verheul and H. C. A. van Tilborg, Cryptanalysis of 'less short' RSA secret exponents, Appl. Algebra Engrg. Comm. Comput. 8 (1997), no. 5, 425–435 https://doi.org/10.1007/s002000050082
  26. B. de Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput. 13 (2002), no. 1, 17–28 https://doi.org/10.1007/s002000100088
  27. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558 https://doi.org/10.1109/18.54902
  28. H. C. Williams, A p+1 method of factoring, Math. Comp. 39 (1982), no. 159, 225–234