Abstract
As a typical representative of public key cryptosystems, RSA has attracted a great deal of cryptanalysis since its invention, among which a famous attack is the small private exponent attack. It is well known that the best theoretical upper bound on the private exponent d that can be attacked is \(d\le N^{0.292}\), where N is an RSA modulus. However, this bound may not be reached in practice, since the lattice constructed by Coppersmith's method may have too large a dimension, and lattice reduction algorithms then perform poorly in both efficiency and quality. In this paper, we propose a new practical attack based on a binary search for the most significant bits (MSBs) of the prime divisors of N combined with the attack of Herrmann and May (PKC 2010). The binary search is inspired by the discovery of phenomena we call "multivalued-continuous phenomena", which significantly accelerate our attack. Together with several carefully selected parameters obtained from our exact and effective numerical estimates, we improve the upper bound on d that can be reached in practice. More specifically, without the binary search we successfully attack RSA with a 1024-bit modulus N when \(d\le N^{0.285}\). Moreover, with our new method we implement a successful attack on 1024-bit-modulus RSA when \(d\le N^{0.292}\) and on 2048-bit-modulus RSA when \(d\le N^{0.287}\) in about a month. We believe our method can inspire practical attacks on RSA with mainstream-size moduli.
References
Blömer J., May A.: Low secret exponent RSA revisited. In: Silverman J.H. (ed.) CaLC 2001. Lecture Notes in Computer Science, vol. 2146, pp. 4–19. Springer, Heidelberg (2001).
Blömer J., May A.: A generalized Wiener attack on RSA. In: Bao F., Deng R., Zhou J. (eds.) PKC 2004. Lecture Notes in Computer Science, vol. 2947, pp. 1–13. Springer, Heidelberg (2004).
Boneh D., Durfee G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). In: Stern J. (ed.) EUROCRYPT 1999. Lecture Notes in Computer Science, vol. 1592, pp. 1–11. Springer, Heidelberg (1999).
Boneh D., Durfee G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000).
Bunder M., Tonien J.: A new attack on the RSA cryptosystem based on continued fractions. Malays. J. Math. Sci. 11(S3), 45–57 (2017).
Coppersmith D.: Finding a small root of a univariate modular equation. In: Maurer U.M. (ed.) EUROCRYPT 1996. Lecture Notes in Computer Science, vol. 1070, pp. 155–165. Springer, Heidelberg (1996).
Coppersmith D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer U. (ed.) EUROCRYPT 1996. Lecture Notes in Computer Science, vol. 1070, pp. 178–189. Springer, Heidelberg (1996).
Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997).
de Weger B.: Cryptanalysis of RSA with small prime difference. AAECC 13, 17–28 (2002). https://doi.org/10.1007/s002000100088.
Durfee G.: Public key cryptanalysis using algebraic and lattice methods. Ph.D. thesis. Stanford University, Stanford (2002).
Hashimoto Y.: On small secret key attack against RSA with high bits known prime factor. IACR Cryptology ePrint Archive (2010).
Herrmann M., May A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui M. (ed.) ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 5912, pp. 487–504. Springer, Heidelberg (2009).
Herrmann M., May A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 53–69. Springer, Heidelberg (2010).
Hinek M.J.: Cryptanalysis of RSA and Its Variants. CRC Press, Boca Raton (2009).
Howgrave-Graham N.: Finding small roots of univariate modular equations revisited. In: Darnell M.J. (ed.) Cryptography and Coding 1997. Lecture Notes in Computer Science, vol. 1355, pp. 131–142. Springer, Heidelberg (1997).
Lenstra A.K., Lenstra H.W., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).
Liu C., Yang C.: Factoring RSA modulo \(N\) with high bits of \(p\) known revisited. In: 2009 IEEE International Symposium on IT in Medicine & Education, vol. 1, pp. 495–500. IEEE (2009).
Lu Y., Zhang R., Lin D.: Factoring RSA modulus with known bits from both \(p\) and \(q\): a Lattice method. In: Lopez J., Huang X., Sandhu R. (eds.) Network and System Security 2013. Lecture Notes in Computer Science, vol. 7873, pp. 393–404. Springer, Heidelberg (2013).
Miller S.D., Narayanan B., Venkatesan R.: Coppersmith’s lattices and “focus groups’’: an attack on small-exponent RSA. J. Number Theory 222, 376–392 (2021).
Nguyen P.Q., Stehlé D.: Floating-point LLL revisited. In: Cramer R.J.F. (ed.) EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 215–233. Springer, Heidelberg (2005).
Nguyen P.Q., Stehlé D.: LLL on the average. In: Hess F., Pauli S., Pohst M. (eds.) ANTS VII. Lecture Notes in Computer Science, vol. 4076, pp. 238–256. Springer, Heidelberg (2006).
Nitaj A., Ariffin M.R.K., Adenan N.N.H., et al.: Exponential increment of RSA attack range via lattice based cryptanalysis. Multimed. Tools Appl. 81, 36607–36622 (2022).
Peng L., Hu L., Huang Z., et al.: Partial prime factor exposure attacks on RSA and its Takagi’s variant. In: Lopez J., Wu Y. (eds.) ISPEC 2015. Lecture Notes in Computer Science, vol. 9065, pp. 96–108. Springer, Cham (2015).
Rivest R.L., Shamir A.: Efficient factoring based on partial information. In: Pichler F. (ed.) EUROCRYPT 1985. Lecture Notes in Computer Science, vol. 219, pp. 31–34. Springer, Heidelberg (1986).
Rivest R.L., Shamir A., Adleman L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).
Sarkar S., Maitra S.: Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors. In: Lee P.J., Cheon J.H. (eds.) ICISC 2008. Lecture Notes in Computer Science, vol. 5461, pp. 37–51. Springer, Heidelberg (2009).
Sarkar S., Maitra S., Sarkar S.: RSA cryptanalysis with increased bounds on the secret exponent using less lattice dimension. IACR Cryptology ePrint Archive, Report 2008/315 (2008).
Schnorr C.P.: A more efficient algorithm for lattice basis reduction. J. Algorithm. 9(1), 47–62 (1988).
Suk A.H.: Cryptanalysis of RSA with lattice attacks. Ph.D. thesis. University of Illinois (2003).
Susilo W., Tonien J., Yang G.: The Wiener attack on RSA revisited: a quest for the exact bound. In: ACISP 2019. Lecture Notes in Computer Science, vol. 11547, pp. 381–398. Springer, Cham (2019).
Takayasu A., Kunihiro N.: A tool kit for partial key exposure attacks on RSA. In: Handschuh H. (ed.) CT-RSA 2017. Lecture Notes in Computer Science, vol. 10159, pp. 58–73. Springer, Cham (2017).
Wiener M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990).
Acknowledgements
This research was supported by NSF of China (No. 12371526, No. 61872383).
Additional information
Communicated by K. Matsuura.
Appendices
Appendix A: Proof of Lemma 3
Proof
Take \(\tau =t/m\), then we have
This completes the proof of Lemma 3. \(\square \)
Appendix B: Proof of Proposition 1
Proof
It must be pointed out that the largest size of the vector norm B is well approximated by the largest component among all the vectors in the lattice basis (the two differ by at most half the logarithm of the lattice dimension), i.e., by the maximum coefficient of any term in all the polynomials.
First we compute B for the lattice of the HM2010 attack. The basis vectors are produced by x-shift polynomials and y-shift polynomials:
where \(\tilde{f}(u,x)=u+Ax\) and \(t=\tau m\).
(I) The size of the maximum coefficient in \(x\)-shift polynomials
Note that
Terms in \(\tilde{g}_{i,k}(u,x)\) are of the form \(\left( {\begin{array}{c}k\\ a\end{array}}\right) u^{a}A^{k-a}x^{k-a+i}e^{m-k}.\) The final coefficients of such terms (i.e., the values of the vector components when constructing the lattice) are \(\left( {\begin{array}{c}k\\ a\end{array}}\right) U^{a}A^{k-a}X^{k-a+i}e^{m-k}\), with a size of
According to the formula above, the size of the maximum coefficient is \(\varvec{(m+m\delta )\log N}\), since \(0\le a\le k<m\) and \(0\le k+i\le k+m-k=m.\)
(II) The size of the maximum coefficient in \(y\)-shift polynomials
Note that terms in \(\tilde{h}_{j,k}(u,x,y)\) are of the form \(\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j}u^{b}A^{k-b}x^{k-b}e^{m-k}.\)
Case A
When \(j\ge k-b\),
Therefore the term with the maximum coefficient is \(\left( {\begin{array}{c}k\\ b\end{array}}\right) y^{j-(k-b)}A^{k-b}u^{k}e^{m-k}\), whose final coefficient is \(\left( {\begin{array}{c}k\\ b\end{array}}\right) Y^{j-(k-b)}A^{k-b}U^{k}e^{m-k}.\) In this case the size of the maximum coefficient is
Since \(k\le j+b\), we get \(\left( \frac{1}{2}j-\frac{1}{2}b+\delta k+m\right) \log N\le \left( \frac{1}{2}j-\frac{1}{2}b+\delta j+\delta b+m\right) \log N.\) Finally, as \(0\le b\le k\le m\) and \(1\le j\le \tau m\), the size of the maximum coefficient is \(\varvec{(m+\tau \delta m+\frac{1}{2}\tau m)\log N}\), attained at \(j=\tau m\), \(b=0\).
Case B
When \(j< k-b\), a discussion similar to Case A shows that the size of the maximum coefficient in \(y^{j}\tilde{f}^{k}e^{m-k}\) is
Finally, since \(j< k-b\), \(0\le b\le k\), \(1\le j\le \tau m\) and \(\lfloor 1/\tau \rfloor j\le k\le m\), the size of the maximum coefficient is \(\varvec{(m+\delta m+ \frac{1}{2}\tau m)\log N}\), attained at \(j=\tau m\), \(b=0\), \(k=m\).
From the discussion above we obtain
In the second step we compute B for our lattice. With the notation above, the upper bound on each variable becomes
where \(2^{s}=N^{\xi }\) and s is the number of exhausted MSBs. Note that the terms of the polynomials are unchanged; only the bounds on the variables differ between the HM2010 lattice and ours. By the same analysis as above, the maximum coefficient sizes in the \(x^{\prime }\)-shift and \(y^{\prime }\)-shift polynomials are \((m+m\delta )\log N\) and \((m+\delta m+(\frac{1}{2}-\xi ) \tau m)\log N\), respectively. Hence \(\varvec{B=(m+\delta m+(\frac{1}{2}-\xi )\tau m)\log N}.\)
Based on the discussion above, the largest size of the vector norm B is \(\varvec{(m+\delta m+(\frac{1}{2}-\xi )\tau m)\log N}\). This completes the proof of Proposition 1. \(\square \)
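The case analysis above can be checked mechanically. The following Python script is an added example written for this page, not the authors' implementation: it enumerates the leading term of every polynomial in the basis and computes the size of each coefficient in units of \(\log N\), for both the HM2010 lattice (\(\xi =0\)) and the lattice with \(s\) MSBs of \(p\) exhausted. It assumes the standard small-exponent bounds \(X=N^{\delta }\), \(Y=N^{1/2-\xi }\), \(U=XY\) and \(A\approx e\approx N\), the linearization \(u=1+xy\) with \(\tilde{f}(u,x)=u+Ax\), and the shift ranges stated in this appendix (\(0\le k\le m\), \(0\le i\le m-k\) for \(x\)-shifts; \(1\le j\le \tau m\), \(\lfloor 1/\tau \rfloor j\le k\le m\) for \(y\)-shifts); binomial coefficients are ignored, as in the proof. Function names and the sample parameters are hypothetical.

```python
"""Numerical check of Proposition 1: enumerate the HM2010-style basis and
compare the largest coefficient size with the closed form
B = (m + delta*m + (1/2 - xi)*tau*m) log N.  Added example, not the paper's code."""
from fractions import Fraction

HALF = Fraction(1, 2)


def monomial_size(u_exp, a_exp, x_exp, y_exp, e_exp, delta, xi):
    """Size (in units of log N) of U^u_exp * A^a_exp * X^x_exp * Y^y_exp * e^e_exp.

    Assumed bounds: X = N^delta, Y = N^(1/2 - xi), U = X*Y = N^(delta + 1/2 - xi),
    A ~ e ~ N.  xi = s / log N is the fraction of MSBs of p that are exhausted;
    xi = 0 gives the plain HM2010 lattice.  Pass Fractions for exact results.
    """
    delta, xi = Fraction(delta), Fraction(xi)
    return (u_exp * (delta + HALF - xi) + a_exp + x_exp * delta
            + y_exp * (HALF - xi) + e_exp)


def basis_term_sizes(m, tau, delta, xi=0):
    """(label, size) for the leading term of every basis polynomial term.

    f~(u, x) = u + A x with u = 1 + x y, so x^c y^j is unravelled to
    y^(j-c) u^c when j >= c (Case A) and to u^j x^(c-j) when j < c (Case B);
    only the leading term in u is kept, as in the appendix.
    """
    t = Fraction(tau) * m
    if t.denominator != 1:
        raise ValueError("tau * m must be an integer")
    t = int(t)
    sizes = []
    # x-shifts g_{i,k} = x^i f~^k e^(m-k): terms binom(k,a) u^a A^(k-a) x^(k-a+i) e^(m-k)
    for k in range(m + 1):
        for i in range(m - k + 1):
            for a in range(k + 1):
                sizes.append((f"g[{i},{k}] u^{a}",
                              monomial_size(a, k - a, k - a + i, 0, m - k, delta, xi)))
    # y-shifts h_{j,k} = y^j f~^k e^(m-k): terms binom(k,b) y^j u^b A^(k-b) x^(k-b) e^(m-k)
    for j in range(1, t + 1):
        for k in range((m // t) * j, m + 1):
            for b in range(k + 1):
                c = k - b
                if j >= c:   # Case A: leading term y^(j-c) A^(k-b) u^k e^(m-k)
                    sizes.append((f"h[{j},{k}] A u^{b}",
                                  monomial_size(k, k - b, 0, j - c, m - k, delta, xi)))
                else:        # Case B: leading term u^(b+j) A^(k-b) x^(c-j) e^(m-k)
                    sizes.append((f"h[{j},{k}] B u^{b}",
                                  monomial_size(b + j, k - b, c - j, 0, m - k, delta, xi)))
    return sizes


def max_coefficient_size(m, tau, delta, xi=0):
    """Largest coefficient size found by enumeration, in units of log N."""
    return max(size for _, size in basis_term_sizes(m, tau, delta, xi))


def proposition1_bound(m, tau, delta, xi=0):
    """Closed form of Proposition 1 (xi = 0 recovers the HM2010 bound)."""
    return m + Fraction(delta) * m + (HALF - Fraction(xi)) * Fraction(tau) * m


def lattice_dimension(m, tau):
    """Number of basis polynomials, i.e. lattice vectors, for the shift ranges above."""
    t = int(Fraction(tau) * m)
    n_x = sum(m - k + 1 for k in range(m + 1))
    n_y = sum(m - (m // t) * j + 1 for j in range(1, t + 1))
    return n_x + n_y


if __name__ == "__main__":
    # Sample parameters (constructed for illustration, not from the paper's tables).
    for m, tau, delta, xi in [(4, Fraction(1, 2), Fraction(7, 25), 0),
                              (4, Fraction(1, 2), Fraction(7, 25), Fraction(1, 20)),
                              (8, Fraction(3, 8), Fraction(29, 100), Fraction(1, 40))]:
        print(f"m={m} tau={tau} delta={delta} xi={xi}: dim={lattice_dimension(m, tau)}, "
              f"enumerated B={max_coefficient_size(m, tau, delta, xi)}, "
              f"Prop. 1 B={proposition1_bound(m, tau, delta, xi)}")
```

Running the script shows the enumerated maximum coinciding exactly with the closed form, with the maximum always attained by the Case B term \(j=\tau m\), \(b=0\), \(k=m\); increasing \(\xi \) lowers B by \(\xi \tau m\log N\), which is the saving that the MSB exhaustion buys in the lattice.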
Appendix C: Detailed parameters of the three experiments in Table 9
Exp. 1
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
Exp. 2
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
Exp. 3
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
Appendix D: Detailed parameters of the three experiments in Table 10
Exp. 4
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
Exp. 5
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
Exp. 6
\(N=\)
\(e=\)
\(p=\)
\(q=\)
\(d=\)
About this article
Cite this article
Li, Q., Zheng, Qx. & Qi, Wf. Practical attacks on small private exponent RSA: new records and new insights. Des. Codes Cryptogr. 91, 4107–4142 (2023). https://doi.org/10.1007/s10623-023-01295-5
Keywords
- Practical attack
- Small private exponent attack
- MSBs guess
- Multivalued-continuous phenomena
- Binary search