Abstract
This paper investigates the security of the RSA system with short exponents. Let N = pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed − 1 = kφ(N), which is usually called the RSA equation. When e and d are both short, and the parameter k is the smallest unknown variable in the RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method, the other applies Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time \(\tilde{O}(\sqrt{K})\) and memory \(\tilde{O}(\sqrt{K})\) by using the baby-step giant-step method, and in time \(\tilde{O}(\sqrt{K})\) and negligible memory by applying Pollard's ρ method. As an application of our new attacks, we present the cryptanalysis of an RSA-type scheme proposed by Sun et al.
This research is partially supported by the National Natural Science Foundation of China (Grant No. 61133013 and No. 60931160442) and the Technology Foundation of Ministry of Education of China (Grant No. 210123).
References
Bai, S., Brent, R.P.: On the efficiency of Pollard's rho method for discrete logarithms. In: Harland, J., Manyem, P. (eds.) CATS 2008, pp. 125–131. Australian Computer Society (2008)
Blömer, J., May, A.: A Generalized Wiener Attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less than \(N^{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)
Coppersmith, D.: Small solutions to polynomial equations and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective, 2nd edn. Springer (2005)
Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt ’99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)
May, A.: Using LLL-reduction for solving RSA and factorization problems: a survey. In: LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)
Pollard, J.M.: Monte Carlo methods for index computation (\(\mod p\)). Math. Comp. 32(143), 918–924 (1978)
Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters 18, 905–907 (1982)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. of the ACM 21, 120–126 (1978)
Sarkar, S., Maitra, S.: Partial key exposure attacks on RSA and its variant by guessing a few bits of one of the prime factors. Bull. Korean Math. Soc. 46(4), 721–741 (2009)
Shanks, D.: Class number, a theory of factorization and genera. In: 1969 Number Theory Institute (Proc. Sympos. Pure Math., vol. XX, State Univ. New York, Stony Brook, NY, 1969), pp. 415–440 (1969)
Sun, H.-M., Yang, W.-C., Laih, C.-S.: On the Design of RSA with Short Secret Exponent. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 150–164. Springer, Heidelberg (1999)
Sun, H.M., Yang, C.T., Laih, C.S.: On the design of RSA with short secret exponent. Journal of Information Science and Engineering 18(1), 1–18 (2002)
Sun, H.-M., Yang, C.-T.: RSA with Balanced Short Exponents and Its Application to Entity Authentication. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 199–215. Springer, Heidelberg (2005)
Sun, H.M., Yang, C.T., Wu, M.: Short exponent RSA. IEICE Trans. Fundamentals E92-A(3), 912–918 (2009)
Teske, E.: Speeding Up Pollard’s Rho Method for Computing Discrete Logarithms. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 541–554. Springer, Heidelberg (1998)
Teske, E.: A space efficient algorithm for group structure computation. Mathematics of Computation 67(224), 1637–1663 (1998)
Teske, E.: On random walks for Pollard's rho method. Mathematics of Computation 70(234), 809–825 (2001)
de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13, 17–28 (2002)
Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Meng, X., Zheng, X. (2012). Cryptanalysis of RSA with a Small Parameter. In: Susilo, W., Mu, Y., Seberry, J. (eds) Information Security and Privacy. ACISP 2012. Lecture Notes in Computer Science, vol 7372. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31448-3_9
DOI: https://doi.org/10.1007/978-3-642-31448-3_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31447-6
Online ISBN: 978-3-642-31448-3