Abstract
In RSA, the public modulus N = pq is the product of two primes of the same bit-size, and the public exponent e and the private exponent d satisfy \(ed\equiv 1 \pmod{(p - 1)(q - 1)}\). In many applications of RSA, d is chosen to be small. This setting was cryptanalyzed by Wiener in 1990, who showed that RSA is insecure if \(d < N^{0.25}\). As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme, in which the decryption phase uses the CRT-exponents \(d_p = d \pmod{(p - 1)}\) and \(d_q = d \pmod{(q - 1)}\), which can be chosen significantly smaller than p and q. In 2006, Bleichenbacher and May presented an attack on CRT-RSA when the CRT-exponents \(d_p\) and \(d_q\) are both suitably small. In this paper, we show that RSA is insecure if the public exponent e satisfies an equation \(ex+y\equiv 0\pmod p\) with \(|x||y|<N^{\frac{\sqrt{2}-1}{2}}\) and \(ex+y\not\equiv 0\pmod N\). As an application of the new attack, we present the cryptanalysis of CRT-RSA if one of the private exponents, \(d_p\) say, satisfies \(d_p<\frac{N^{\frac{\sqrt{2}}{4}}}{\sqrt{e}}\). This improves the result of Bleichenbacher and May on CRT-RSA, where both \(d_p\) and \(d_q\) are required to be suitably small.
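The two steps the abstract describes, the reduction from a small CRT-exponent to the congruence \(ex+y\equiv 0\pmod p\) (from \(ed_p - 1 = k(p-1)\) one gets \(ed_p + (k-1) = kp\), so \(x = d_p\), \(y = k-1\)) and the final factoring step \(\gcd(ex+y, N) = p\), carried through on a toy key. This is an added example, not code from the paper. Everything constructed here is an assumption and is marked as such in the comments: the toy primes 10007 and 10009, the chosen \(d_p = 5\), and a brute-force search over small (x, y) that stands in for the lattice (Coppersmith-type) step the paper actually uses to find the small solution. It needs Python 3.8+ for `pow(a, -1, m)`.

```python
from math import gcd

# Constructed toy parameters (assumption, not from the paper): two small
# primes and a deliberately small CRT-exponent d_p.
TOY_P, TOY_Q, TOY_DP = 10007, 10009, 5


def make_toy_crt_key(p, q, d_p):
    """Build a CRT-RSA public key (N, e) whose CRT-exponent mod (p-1) is the
    chosen small d_p.  e is the inverse of d_p mod (p-1); it is bumped by
    multiples of (p-1) until gcd(e, q-1) == 1 so that d_q also exists.
    Returns (N, e, d_q)."""
    if gcd(d_p, p - 1) != 1:
        raise ValueError("d_p must be invertible mod p-1")
    e = pow(d_p, -1, p - 1)          # Python 3.8+
    while gcd(e, q - 1) != 1:
        e += p - 1                   # keeps e*d_p = 1 (mod p-1)
    d_q = pow(e, -1, q - 1)
    return p * q, e, d_q


def crt_pair(e, p, d_p):
    """Reduction used in the paper: e*d_p = 1 (mod p-1) gives
    e*d_p - 1 = k*(p-1), hence e*d_p + (k-1) = k*p = 0 (mod p).
    So x = d_p, y = k-1 solve e*x + y = 0 (mod p).  Returns (x, y)."""
    k, r = divmod(e * d_p - 1, p - 1)
    if r != 0:
        raise ValueError("e is not the inverse of d_p mod p-1")
    return d_p, k - 1


def factor_from_pair(N, e, x, y):
    """Final step: if e*x + y = 0 (mod p) but not (mod N), then
    gcd(e*x + y, N) is p.  Returns (p, q) or None."""
    g = gcd(e * x + y, N)
    if 1 < g < N:
        return g, N // g
    return None


def brute_force_pair(N, e, X, Y):
    """Stand-in (assumption) for the Coppersmith/Herrmann-May lattice step of
    the paper: exhaustively try 1 <= x <= X, -Y <= y <= Y.  Costs O(X*Y)
    gcds, so it is only workable at toy sizes.  Returns (x, y, (p, q)) or
    None."""
    for x in range(1, X + 1):
        for y in range(-Y, Y + 1):
            factors = factor_from_pair(N, e, x, y)
            if factors is not None:
                return x, y, factors
    return None


def within_bound(N, e, d_p):
    """The paper's condition d_p < N^(sqrt2/4) / sqrt(e), evaluated in
    floating point (adequate for toy sizes)."""
    return d_p < N ** (2 ** 0.5 / 4) / e ** 0.5


def run_toy_attack():
    """Key generation by the 'victim', then the attack from (N, e) alone."""
    N, e, d_q = make_toy_crt_key(TOY_P, TOY_Q, TOY_DP)
    x, y = crt_pair(e, TOY_P, TOY_DP)           # the pair the attacker is after
    found = brute_force_pair(N, e, X=50, Y=50)  # attacker sees only N and e
    return {"N": N, "e": e, "d_q": d_q, "x": x, "y": y,
            "found": found, "in_bound": within_bound(N, e, TOY_DP)}


if __name__ == "__main__":
    r = run_toy_attack()
    print(f"N={r['N']} e={r['e']}  CRT pair (x, y)=({r['x']}, {r['y']})")
    print(f"brute-force recovered (x, y, (p, q)) = {r['found']}")
    print(f"d_p within the paper's bound: {r['in_bound']}")
```

The search window X = Y = 50 is chosen for the toy key; at real key sizes the pair (x, y) = (d_p, k - 1) is far too large to enumerate, and the point of the paper's bound \(|x||y| < N^{(\sqrt{2}-1)/2}\) is exactly that a lattice reduction finds it in polynomial time whenever the product is that small.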
References
Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)
Blömer, J., May, A.: A Generalized Wiener Attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less than \(N^{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
Cohen, H.: A Course in Computational Number Theory. Graduate Texts in Mathematics. Springer (1993)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable Balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)
Hardy, G.H., Wright, E.M.: An Introduction to the Theory of Numbers. Oxford University Press, London (1965)
Hastad, J.: Solving simultaneous modular equations of low degree. SIAM J. of Computing 17, 336–341 (1988)
Herrmann, M., May, A.: Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Jochemsz, E., May, A.: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)
Maitra, S., Sarkar, S.: Cryptanalysis of Dual CRT-RSA. In: WCC 2011 - Workshop on Coding and Cryptography, pp. 27–36 (2011)
Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public key cryptosystem. Electronics Letters 18(21), 905–907 (1982)
Rivest, R., Shamir, A., Adleman, L.: A Method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
Sun, H.-M., Hinek, M.J., Wu, M.-E.: On the design of rebalanced CRT-RSA. Technical Report CACR 2005–35, University of Waterloo (2005)
Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Nitaj, A. (2012). A New Attack on RSA and CRT-RSA. In: Mitrokotsa, A., Vaudenay, S. (eds) Progress in Cryptology - AFRICACRYPT 2012. AFRICACRYPT 2012. Lecture Notes in Computer Science, vol 7374. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31410-0_14
DOI: https://doi.org/10.1007/978-3-642-31410-0_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31409-4
Online ISBN: 978-3-642-31410-0