Abstract
In 2007, Sun et al. (IEEE Trans Inf Theory 53(8):2922–2933, 2007) presented new variants of RSA, called Dual RSA, whose key generation algorithm outputs two distinct RSA moduli having the same public and private exponents, with the advantage of reducing storage requirements for keys. These variants can be used in some applications such as blind signatures and authentication/secrecy. In this paper, we give an improved analysis of Dual RSA and show that when the private exponent is smaller than \(N^{0.368}\), Dual RSA can be broken, where N is an integer with the same bitlength as the modulus of Dual RSA. Our work is based on the observation that we can split the private exponent into two much smaller unknown variables and solve a related modular equation in the two unknown variables and other auxiliary variables by making use of lattice based methods. Moreover, we extend this method to analyze the common private exponent RSA scheme, a variant of Dual RSA, and obtain a better bound than previous analyses. While our analyses cannot be proven to work in general, since we rely on some unproven assumptions, our experimental results have shown that they work in practice.
References
Boneh D., Durfee G.: Cryptanalysis of RSA with private key d less than N\({}^{\text{0.292 }}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000).
Bosma W., Cannon J.J., Playoust C.: The magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997).
Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997).
Gama N., Nguyen P.Q.: Predicting lattice reduction. In: Smart N. (ed.) EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).
Herrmann M., May A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 53–69. Springer, Heidelberg (2010).
Hinek M.J.: On the security of some variants of RSA. Ph.D. thesis, University of Waterloo, Waterloo (2007).
Hoffstein J., Pipher J., Silverman J.H.: An Introduction to Mathematical Cryptography. Springer, Berlin (2008).
Howgrave-Graham N.: Finding small roots of univariate modular equations revisited. In: Darnell M.J. (ed.) Cryptography and Coding 1997. Lecture Notes in Computer Science, vol. 1355, pp. 131–142. Springer, Heidelberg (1997).
Jochemsz E., May A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284, pp. 267–282. Springer, Heidelberg (2006).
Joye M.: RSA moduli with a predetermined portion: techniques and applications. In: Chen L., Mu Y., Susilo W. (eds.) ISPEC 2008. Lecture Notes in Computer Science, vol. 4991, pp. 116–130. Springer, Heidelberg (2008).
Kleinjung T., Aoki K., Franke J., Lenstra A.K., Thomé E., Bos J.W., Gaudry P., Kruppa A., Montgomery P.L., Osvik D.A., te Riele H.J.J., Timofeev A., Zimmermann P.: Factorization of a 768-bit RSA modulus. In: Rabin T. (ed.) CRYPTO 2010. Lecture Notes in Computer Science, vol. 6223, pp. 333–350. Springer, Heidelberg (2010).
Lenstra A.K.: Generating RSA moduli with a predetermined portion. In: Ohta K., Pei D. (eds.) ASIACRYPT 1998. Lecture Notes in Computer Science, vol. 1514, pp. 1–10. Springer, Heidelberg (1998).
Lenstra A.K., de Weger B.M.M.: Twin RSA. In: Dawson E., Vaudenay S. (eds.) Mycrypt 2005. Lecture Notes in Computer Science, vol. 3715, pp. 222–228. Springer, Heidelberg (2005).
Lenstra A.K., Lenstra H.W., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).
Lenstra A.K., Tromer E., Shamir A., Kortsmit W., Dodson B., Hughes J.P., Leyland P.C.: Factoring estimates for a 1024-bit RSA modulus. In: Laih C.S. (ed.) ASIACRYPT 2003. Lecture Notes in Computer Science, vol. 2894, pp. 55–74. Springer, Heidelberg (2003).
Nguyen P.Q., Vallée B. (eds.): The LLL Algorithm—Survey and Applications. Series in Information Security and Cryptography. Springer, Heidelberg (2010).
Peng L., Hu L., Xu J., Huang Z., Xie Y.: Further improvement of factoring RSA moduli with implicit hint. In: Pointcheval D., Vergnaud D. (eds.) AFRICACRYPT 2014. Lecture Notes in Computer Science, vol. 8469, pp. 165–177. Springer International Publishing, Switzerland (2014).
Rivest R.L., Shamir A., Adleman L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983).
Sarkar S., Maitra S.: Cryptanalytic results on 'Dual CRT' and 'Common Prime' RSA. Des. Codes Cryptogr. 66(1–3), 157–174 (2013).
Shparlinski I.: On RSA moduli with prescribed bit patterns. Des. Codes Cryptogr. 39(1), 113–122 (2006).
Sun H., Wu M., Ting W., Hinek M.J.: Dual RSA and its security analysis. IEEE Trans. Inf. Theory 53(8), 2922–2933 (2007).
Takagi T.: Fast RSA-type cryptosystem modulo p\({}^{\rm {k}}\)q. In: Krawczyk H. (ed.) CRYPTO 1998. Lecture Notes in Computer Science, vol. 1462, pp. 318–326. Springer, Heidelberg (1998).
Takayasu A., Kunihiro N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. IEICE Trans. 97-A(6), 1259–1272 (2014).
Takayasu A., Kunihiro N.: Partial key exposure attacks on RSA: achieving the Boneh–Durfee bound. In: Joux A., Youssef A.M. (eds.) SAC 2014. Lecture Notes in Computer Science, vol. 8781, pp. 345–362. Springer International Publishing, Switzerland (2014).
Vanstone S.A., Zuccherato R.J.: Short RSA keys and their generation. J. Cryptol. 8(2), 101–114 (1995).
Wiener M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990).
Acknowledgments
The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (Grants 2013CB834203 and 2011CB302400), the National Natural Science Foundation of China (Grants 61472417, 61402469, 61472416, 61502488 and 61272478), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702 and XDA06010703, and the State Key Laboratory of Information Security, Chinese Academy of Sciences. Y. Lu is supported by Project CREST, JST.
Communicated by I. Shparlinski.
Appendices
Appendix 1: Proof of Lemma 3
In this section, we give a simple proof of Lemma 3.
Proof
It is clear that
namely,
Since the difference \(\frac{(m+1)^{r+1}-t^{r+1}}{r+1}-\frac{m^{r+1}-(t-1)^{r+1}}{r+1}\) contains only terms \(m^i\) with \(i < r+1\), i.e. of lower order than \(m^{r+1}\), the desired claim holds. \(\square \)
Appendix 2: General calculation of the determinant of \({\mathcal {L}}_2\)
The detailed formula for the determinant of the lattice \({\mathcal {L}}_2\) in Sect. 3 is
where
In order to optimize the choice of t, we represent t as \(\tau m\), where \(\tau \in [0,1]\). We have that
Similarly,
Moreover, the dimension of \({\mathcal {L}}_2\) is
Appendix 3: Calculation of \(\epsilon \)
Here, we give the calculation of \(\epsilon \) in Sect. 3. To obtain integer equations, the following inequality should be satisfied,
namely,
Putting the upper bounds of \(U,X,Y,Z,el_{21}'\) into the above inequality, we obtain the following sufficient condition,
or equivalently,
Putting the values of \(S_u,S_x,S_y,S_z,S_e\) and \(\dim ({\mathcal {L}}_2)\) into the above inequality, we obtain that
Putting an optimized value for \(\tau \), which is \(\tau =\frac{\sqrt{21}-3}{6}\), into the above inequality, we obtain
The relation between m and small constant \(\epsilon \) can be expressed as
Obviously, when \(m\rightarrow \infty \), the small constant \(\epsilon \rightarrow 0\).
Appendix 4: A toy example for Dual RSA
In this section, we give a toy example to illustrate how our proposed method is used to factor the moduli of Dual RSA.
Let the moduli be 500 bits long and d be 150 bits long. According to the key generation algorithm of Dual RSA, we obtained a public key \((N_1,N_2,e)\) as follows:
The private key d is 677313117573867402633263524191702602770017893.
Then, following the proposed method, we first construct a 2-dimensional lattice \({\mathcal {L}}_1\) with basis matrix
where
Then by using the \(L^3\) algorithm, we obtained the reduced basis \(\lambda _1=(l_{11},l_{12}),\lambda _2=(l_{21},l_{22})\), where
Then we represented \(v=(Ad,1-k_1(p_1+q_1-1))\) as \(a_1\lambda _1+a_2\lambda _2\), where \(a_1\) and \(a_2\) are integers. Actually, the unknown coefficients are \(a_1=82889345\) and \(a_2=-24669842\). Thus, we obtained the following equation
where
Then the problem can be reduced into finding small roots \((k_2,-(p_2+q_2-1),a_1)\) of the following modular equation
where \(k_2=\frac{ed-1}{N_2-p_2-q_2+1}\).
Based on the method of selecting polynomials, for \(m=4\) and \(t=1\) we constructed a 40-dimensional lattice. Applying the \(L^3\) algorithm to the lattice, we could collect more than 30 polynomials sharing the desired small roots. Using the Gröbner basis technique, we recovered the roots efficiently, which concluded our attack.
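As an added illustration (not code from the paper or its authors), the following Python script reproduces the first step of Appendix 4, the "split d" observation from the abstract, on a single toy RSA modulus with a deliberately small private exponent: it builds the 2-dimensional lattice \({\mathcal {L}}_1\), reduces it, writes \(v=(Ad,\,1-k(p+q-1))\) as \(a_1\lambda_1+a_2\lambda_2\), and shows that \(a_1,a_2\) are far smaller than d itself. It also reports the ratio of the bitlengths of d and N against the paper's 0.368 bound, the check a key reviewer would want when auditing key material. The basis matrix \(\begin{pmatrix}A & e\\ 0 & N\end{pmatrix}\) and the scaling choice \(A=\lfloor\sqrt{N}\rfloor\) are assumptions (the paper's matrix and A are not reproduced on this page); the toy key is constructed inside the script, and only one modulus is used because this step involves \(N_1\) only. The Dual RSA key generation of Sun et al. is not reimplemented.

```python
import random
from math import gcd, isqrt

# Added illustration, not the paper's code. Lattice basis [[A, e], [0, N]]
# and A = isqrt(N) are assumptions; the toy key below is constructed here.

DUAL_RSA_BOUND = 0.368   # d < N^0.368 is the bound stated in the abstract


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def toy_small_d_key(n_bits=256, delta=0.3, seed=1):
    """Constructed toy key with d of about N^delta (not a real key)."""
    rng = random.Random(seed)
    p = random_prime(n_bits // 2, rng)
    q = random_prime(n_bits // 2, rng)
    while q == p:
        q = random_prime(n_bits // 2, rng)
    N, phi = p * q, (p - 1) * (q - 1)
    d_bits = int(delta * n_bits)
    while True:
        d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        if gcd(d, phi) == 1:
            break
    e = pow(d, -1, phi)                  # e*d = 1 + k*phi for some integer k
    return N, e, d, p, q


def private_exponent_ratio(N, d):
    """log_N(d), approximated by bitlengths; compare against DUAL_RSA_BOUND."""
    return d.bit_length() / N.bit_length()


def lagrange_reduce(b1, b2):
    """Gauss/Lagrange reduction of a 2-dimensional integer lattice basis."""
    def norm2(v): return v[0] * v[0] + v[1] * v[1]
    def dot(u, v): return u[0] * v[0] + u[1] * v[1]
    if norm2(b1) > norm2(b2):
        b1, b2 = b2, b1
    while True:
        n1 = norm2(b1)
        mu = (2 * dot(b1, b2) + n1) // (2 * n1)    # round(<b1,b2> / <b1,b1>)
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if norm2(b2) >= n1:
            return b1, b2
        b1, b2 = b2, b1


def coordinates(v, l1, l2):
    """Solve v = a1*l1 + a2*l2 over the integers (v must be a lattice point)."""
    det = l1[0] * l2[1] - l1[1] * l2[0]
    num1 = v[0] * l2[1] - v[1] * l2[0]
    num2 = l1[0] * v[1] - l1[1] * v[0]
    assert num1 % det == 0 and num2 % det == 0, "v is not a lattice point"
    return num1 // det, num2 // det


def split_private_exponent(N, e, d, phi):
    """Appendix 4, step 1: express v = (A*d, 1 - k*(p+q-1)) in the reduced basis."""
    A = isqrt(N)                         # assumed scaling; balances both coordinates
    k = (e * d - 1) // phi
    l1, l2 = lagrange_reduce((A, e), (0, N))        # L1 = rows (A, e) and (0, N)
    v = (A * d, e * d - k * N)           # equals d*(A, e) - k*(0, N), so v lies in L1
    a1, a2 = coordinates(v, l1, l2)
    return {"A": A, "lambda1": l1, "lambda2": l2, "v": v, "a1": a1, "a2": a2}


def demo(seed=1):
    N, e, d, p, q = toy_small_d_key(seed=seed)
    r = split_private_exponent(N, e, d, (p - 1) * (q - 1))
    l1, l2, a1, a2 = r["lambda1"], r["lambda2"], r["a1"], r["a2"]
    assert (a1 * l1[0] + a2 * l2[0], a1 * l1[1] + a2 * l2[1]) == r["v"]
    assert (a1 * l1[0] + a2 * l2[0]) // r["A"] == d   # d is a1*l11/A + a2*l21/A
    ratio = private_exponent_ratio(N, d)
    return {"N_bits": N.bit_length(), "d_bits": d.bit_length(), "ratio": ratio,
            "below_bound": ratio < DUAL_RSA_BOUND,
            "a1_bits": abs(a1).bit_length(), "a2_bits": abs(a2).bit_length()}


if __name__ == "__main__":
    print(demo())
```

For a 256-bit toy modulus with d of about 76 bits, the two coefficients come out around 13 bits each, which is the size reduction the paper exploits: the unknown d is replaced by two much smaller unknowns \(a_1,a_2\) together with the known reduced basis, and the second lattice \({\mathcal {L}}_2\) of Appendix 4 is what recovers them without knowing d. The script knows d only to verify the decomposition.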
Cite this article
Peng, L., Hu, L., Lu, Y. et al. Cryptanalysis of Dual RSA. Des. Codes Cryptogr. 83, 1–21 (2017). https://doi.org/10.1007/s10623-016-0196-5