Abstract
So far, several papers have analyzed attacks on RSA when attackers know the least significant bits of a secret exponent d as well as a public modulus N and a public exponent e, the so-called partial key exposure attacks. Aono (ACISP 2013), and Takayasu and Kunihiro (ACISP 2014) generalized the attacks when there are multiple pairs of a public/secret exponent \((e_1,d_1),\ldots ,(e_n,d_n)\) for the same public modulus N. The standard RSA is a special case of the generalization, i.e., \(n=1\). They revealed that RSA becomes more vulnerable when there are more exponent pairs. However, their results have two obvious drawbacks. First, partial key exposure situations which they considered are restrictive. They have proposed the attacks only for small secret exponents, although attacks for large secret exponents have also been analyzed for the standard RSA. Second, they could not generalize the attacks perfectly. More concretely, their attacks for \(n=1\) do not correspond to the currently known best attacks on the standard RSA.
In this paper, we propose improved partial key exposure attacks on RSA with multiple exponent pairs. Our results completely solve the above drawbacks. Our attacks are the first results for large exponents, and our attacks for \(n=1\) correspond to the currently known best attacks on the standard RSA. Our results for small secret exponents are superior to previous results when \(n=1\) and 2, and when \(n \ge 3\) and \(d_1,\ldots ,d_n>N^{3(n-1)/(3n+1)}\).
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
At a glance, a situation (b) seems useless, since d is defined as \(d \in \mathbb {Z}^*_{\phi (N)}\) in many cases, and \( \beta \le 1\) always holds. However, some implementations use an exponent which is larger than N. To decrypt/sign, one may use \(d+k \phi (N)\) in turn for some integer \(k>0\). This implementation offers better resistance against side-channel attacks [9] or faster calculation by setting the exponent as low Hamming weight.
- 2.
- 3.
From May [17] and Coron and May’s [10] results, given whole bits of d then the factorization of N is a trivial. However, it does not immediately suggest that partial key exposure attacks always work when whole bits of d are given. Indeed, Ernst et al. [11] claimed to find such improved attacks is an interesting open problem.
References
Aono, Y.: A new lattice construction for partial key exposure attack for RSA. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 34–53. Springer, Heidelberg (2009)
Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013)
Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)
Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Coppersmith, D.: Finding small solutions to small degree polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 20–31. Springer, Heidelberg (2001)
Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
Coron, J.-S., May, A.: Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. J. Cryptol. 20(1), 39–50 (2007)
Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
Herrmann, M., May, A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Howgrave-Graham, N., Seifert, J.-P.: Extending wiener’s attack in the presence of many decrypting exponents. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999)
Joye, M., Lepoint, T.: Partial key exposure on RSA with private exponents larger than N. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 369–380. Springer, Heidelberg (2012)
Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
May, A.: Computing the RSA secret key is deterministic polynomial time equivalent to factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)
May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: [21] (2010). http://www.cits.rub.de/permonen/may.html
Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)
Nguyen, P.Q., Valláe, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)
Peng, L., Hu, L., Lu, Y., Sarkar, S., Xu, J., Huang, Z.: Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 105–123. Springer, Heidelberg (2015)
Sarkar, S., Sen Gupta, S., Maitra, S.: Partial key exposure attack on RSA – improvements for limited lattice dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with two decryption exponents. Inf. Process. Lett. 110, 178–181 (2010)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponents. Inf. Process. Lett. 110, 336–340 (2010)
Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)
Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Heidelberg (2014)
Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the boneh-durfee bound. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345–362. Springer, Heidelberg (2014)
Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)
Acknowledgements
The author is supported by a JSPS Fellowship for Young Scientists. This research was supported by CREST, JST, and supported by JSPS Grant-in-Aid for JSPS Fellows 14J08237 and KAKENHI Grant Number 25280001.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Takayasu, A., Kunihiro, N. (2016). Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-40367-0_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40366-3
Online ISBN: 978-3-319-40367-0
eBook Packages: Computer ScienceComputer Science (R0)