Abstract
RSA is well known public-key cryptosystem in modern-day cryptography. Since the inception of the RSA, several attacks have been proposed on RSA. The Boneh–Durfee attack is the most prominent and they showed that if the secrete exponent is less than 0.292, RSA is completely vulnerable. In this paper, we further investigate the vulnerability of RSA whenever a secret exponent is large and the composite form with a few most significant bits of one of the primes exposed. Having a large secret exponent can avoid the Boneh–Durfee attack, but in this attack, we show that even though the secret exponent is large and has some specialized structure then RSA is still vulnerable. We follow the Jochemsz and May strategy for constructing the lattice, and the LLL algorithm is used for lattice reduction. Our attack outperforms most of the previous attacks.
Similar content being viewed by others
References
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM. ACM 21(2), 120–126 (1978)
Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36, 553–558 (1990)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less than N^{0:292}. Advances in Cryptology—Proceedings of Eurocrypt '99, Lecture Notes in Computer Science 1952, pp. 1–11 (1999)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol.Cryptol. 10(4), 233–260 (1997)
Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Cohen, H.: A Course in Computational Algebraic Number, 2nd edn. Springer-Verlag, Berlin (1995)
de Weger, B.: Cryptanalysis of RSA with a small prime difference. Appl. Algebra Eng. Commun. Comput.Commun. Comput. 13(1), 17–28 (2002)
Luo, P., Zhou, H., Wang, D., Dai, Y.: Cryptanalysis of RSA for a special case with \(d>e\). Science in China Press, Springer, vol. 52(4), pp. 609–616 (2008)
Mumtaj, M., Ping, L.: An Improved Cryptanalysis of Large decryption exponent with constrained secret key. Int. J. Inf. Comput. Secur.Comput. Secur. 14(2), 102–117 (2021)
Cherkaoui-Semmouni, M., Nitaj, A., Susilo, W., Tonien, J.: Cryptanalysis of RSA variants with primes sharing most significant bits. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds.) Information Security. ISC 2021. Lecture Notes in Computer Science, vol. 13118. Springer, Cham (2021)
Mahad, Z., Ariffin, M.R.K., Ghafar, A.H.A., Salim, N.R.: Cryptanalysis of RSA-variant cryptosystem generated by potential rogue CA methodology. Symmetry 14, 1498 (2022)
Ruzai, W.N.A.W.M., et al.: Increment of insecure RSA private exponent bound through perfect square RSA diophantine parameters cryptanalysis. Comput. Stand Interfaces 80, 103584 (2022)
Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA private key given a small fraction of its bits. In: Asiacrypt’98, LNCS 1514, pp. 25–34. Springer-Verlag (1998)
Blomer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial exposure attacks on RSA up to full-size exponents. In: Cramer, R. (ed.) Advances in Cryptology Eurocrypt 2005. Lecture Notes in Computer Science, vol. 3494, pp. 371–386. Springer-Verlag, Berlin (2005)
Aono, Y.: A new lattice construction for partial key exposure attack for RSA. In: Jarecki, S., Tsudik, G. (eds.) Public Key Cryptography, Volume 5443 of Lecture Notes in Computer Science, pp. 34–53. Springer, Berlin (2009)
Sarkar, S., Maitra, S.: Partial exposure attacks on RSA and its variants by considering a few bits of one of the prime factors. Bull. Korean Math. Soc.. Korean Math. Soc. 46(4), 721–741 (2009)
Sarkar, S.: Partial key exposure: generalized framework to attack RSA. In: Berstein, J., Chatterjee, S. (eds.) INDOCRYPT, Lecture Notes in Computer Science, vol. 7107, pp. 76–92. Springer, Berlin (2011)
Huang, Z., Hu, L., Xu, J.: Attacking RSA with a composed decryption exponent using unravelled linearization. In: 10th International Conference on Information Security and Cryptology, In Scrypt 2014, Dec 13–15, (2014)
Huang, Z., Hu, L., Xu, J.: Attacking RSA with a composed decryption exponent using unravelled linearization. In: Lin, D., Yung, M., Zhou, J. (eds.) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol. 8957. Springer, Cham (2012)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with two decryption exponents. Inf. Process. Lett. 110(5), 178–181 (2010)
Santosh Kumar, R., Krishna, S.R.M.: Cryptanalysis of RSA with the small difference of primes and two decryption exponents: Jochemsz and May approach. Cryptologia (2022). https://doi.org/10.1080/01611194.2022.2109943
Hinek, M.J., Yam, C.C.Y.: Common modulus attacks on small private exponent RSA and some fast variants (in practice), Cryptology ePrint Archive, Report 2009/037 (2009)
Rivest, R.L., Shamir, A.: Efficient Factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT, Lecture Notes in Computer Science, vol. 219, pp. 31–34. Springer, Berlin (1986)
Coppersmith, D.: Finding a small root of a bivariate integer equation: factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT, Lecture Notes in Computer Science, vol. 1070, pp. 178–189. Springer, Berlin (1996)
Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIA-CRYPT, Lecture Notes in Computer Science, vol. 1514, pp. 25–34. Springer, Berlin (1998)
Hermann, M, May A.: On factoring arbitrary integers with known bits. Cryptology ePrint Archive, Report 374 (2007)
Blomer, J., May, A.: Low secret exponent RSA revisited. In: Silverman, J.H. (ed.) CaLC, volume 2146 of Lecture Notes in Computer Science, pp. 4–19. Springer, Heidelberg (2001)
Nitaj, A.: A new attack on RSA with a composed decryption exponent. Int. J. Cryptogr. Inf. Secur. 3(4), 1121 (2013)
Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the Boneh–Durfee bound. Theor. Comput. Sci.. Comput. Sci. 761, 51–77 (2019)
Suzuki, K., Takayasu, A., Kunihiro, N.: Extended partial key exposure attacks on RSA: improvement up to full-size decryption exponents. Theor. Comput. Sci.. Comput. Sci. 841, 62–83 (2020)
Proos , J.A.: Imperfect Decryption and Partial Information Attacks in Cryptography. PhD thesis, University of Waterloo (2003)
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: ASIACRYPT 2006, LNCS, vol. 4284, pp. 267–282. Springer-Verlag (2006)
Howgrave-Graham, N.: Finding small roots univariate modular equations revisited. In: cryptography and coding, LNCS 1355, pp. 131–142. Springer-Verlag (1997)
Stein, W.A., et al.: Sage Mathematical Software. The Sage Development Team (2011), http://www.sagemath.org
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that there is no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Santosh Kumar, R., Prakash, K.L.N.C. & Krishna, S.R.M. Cryptanalysis of RSA with composed decryption exponent with few most significant bits of one of the primes. J Comput Virol Hack Tech 20, 195–202 (2024). https://doi.org/10.1007/s11416-023-00508-8
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-023-00508-8