An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits

  • Conference paper
Topics in Cryptology — CT-RSA 2001 (CT-RSA 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2020)

Abstract

Let N = pq denote an RSA modulus of length n bits. Call N an (m-LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt '98, Boneh, Durfee and Frankel (BDF) described several interesting ‘partial key exposure’ attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n/4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m-LSbS) RSA moduli by a factor in the order of 2^m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m-LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n/4(1 − ε)-LSbS) moduli for small ε is secure, then this result (together with BDF’s result on securely leaking the n/2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.
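The factor of order 2^m can be seen on toy numbers. This added example, which is not code from the paper, assumes a simplified model in which the low r bits of a prime factor are sought as roots of x^2 − (p+q)x + N ≡ 0 (mod 2^r); it counts those roots by brute force and compares the count with 2^(m+1), which is the exact count when r > 2m. The primes and function names are constructed for the illustration.

```python
# Added illustration on toy numbers; the primes and function names are
# constructed for this example and do not come from the paper.

def shared_ls_bits(p: int, q: int) -> int:
    """Return m such that p and q agree on exactly their m least significant bits."""
    diff = p ^ q
    if diff == 0:
        raise ValueError("p and q must be distinct")
    return (diff & -diff).bit_length() - 1  # index of the lowest differing bit


def low_bit_candidates(p: int, q: int, r: int) -> list:
    """All x in [0, 2^r) with x^2 - (p+q)x + N = 0 (mod 2^r), where N = p*q.

    Each root is a possible value for the low r bits of a prime factor, so a
    search over the low bits has to consider every one of them.
    Brute force is used because the numbers are toy-sized.
    """
    n, s, mod = p * q, p + q, 1 << r
    return [x for x in range(mod) if (x * x - s * x + n) % mod == 0]


def demo(r: int = 12) -> list:
    """Return (m, number of roots, 2^(m+1)) for three constructed prime pairs."""
    rows = []
    for p, q in [(257, 263), (257, 281), (257, 353)]:  # toy primes, r > 2m holds
        m = shared_ls_bits(p, q)
        roots = low_bit_candidates(p, q, r)
        # The true low bits of p and q are always among the candidates.
        assert p % (1 << r) in roots and q % (1 << r) in roots
        rows.append((m, len(roots), 2 ** (m + 1)))
    return rows


if __name__ == "__main__":
    for m, count, predicted in demo():
        print(f"m={m}: {count} candidates for the low 12 bits "
              f"(2^(m+1) = {predicted})")
```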

References

  1. D. Boneh, G. Durfee, and Y. Frankel. An Attack on RSA Given a Small Fraction of the Private Key Bits. In ASIACRYPT '98, volume 1514 of LNCS, pages 25–34, Berlin, 1998. Springer-Verlag. See full paper, available from http://crypto.stanford.edu/~dabo/pubs.

  2. D. Coppersmith. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. of Cryptology, 10:233–260, 1997.

  3. B. de Weger. Cryptanalysis of RSA with small prime difference. Cryptology ePrint Archive, Report 2000/016, 2000. http://eprint.iacr.org/.

  4. A. Lenstra. Generating RSA Moduli with a Predetermined Portion. In ASIACRYPT '98, volume 1514 of LNCS, pages 1–10, Berlin, 1998. Springer-Verlag.

  5. T. Matsumoto, K. Kato, and H. Imai. Speeding Up Secret Computations with Insecure Auxiliary Devices. In CRYPTO '88, volume 403 of LNCS, pages 497–506, Berlin, 1989. Springer-Verlag.

  6. A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of applied cryptography. Discrete mathematics and its applications. CRC Press, 1997.

  7. P. Nguyen and J. Stern. The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not secure. In ASIACRYPT '98, volume 1514 of LNCS, pages 372–379, Berlin, 1998. Springer-Verlag.

  8. I. Niven, H. Zuckerman, and H. Montgomery. An Introduction to the Theory of Numbers. John Wiley & Sons, fifth edition, 1991.

  9. G. Poupard and J. Stern. Short Proofs of Knowledge for Factoring. In PKC 2000, volume 1751 of LNCS, pages 147–166, Berlin, 2000. Springer-Verlag.

  10. D. Redmond. Number Theory: an introduction. Number 201 in Monographs and textbooks in pure and applied mathematics. Marcel Dekker, 1996.

  11. R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120–128, 1978.

  12. R. Silverman. Fast Generation of Random, Strong RSA Primes. CryptoBytes, 3(1):9–13, 1997.

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Steinfeld, R., Zheng, Y. (2001). An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits. In: Naccache, D. (eds) Topics in Cryptology — CT-RSA 2001. CT-RSA 2001. Lecture Notes in Computer Science, vol 2020. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45353-9_5

  • DOI: https://doi.org/10.1007/3-540-45353-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41898-6

  • Online ISBN: 978-3-540-45353-6

  • eBook Packages: Springer Book Archive
