Mu-En Wu,Chien-Ming Chen,Yue-Hsun Lin,Hung-Min Sun

DOI: https://doi.org/10.1155/2014/650537

2014-01-01

The Scientific World JOURNAL

Abstract:RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus N = pq, it is difficult to determine the prime factors p and q efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg use an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is 2r + 8 bits when extending the Weiner's boundary r bits. In this paper, we first reduce the cost of exhaustive search from 2r + 8 bits to 2r + 2 bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to 2r - 6 bits when we extend Weiner's boundary r bits. It means that our result is 2(14) times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended 7 bits.

Shixiong Wang,Minghao Sun

DOI: https://doi.org/10.3390/math12213411

IF: 2.4

2024-11-01

Mathematics

Abstract:Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith's method for finding small roots of bivariate modular polynomial equations.

mathematics

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-642-34601-9_28

2012-01-01

Abstract:In RSA equation: ed=k·φ(N)+1, we may guess on partial bits of d or p+q by doing an exhaustive search to further extend the security boundary of d. In this paper, we discuss the following question: Does guessing on p+q bring more benefit than guessing on d? We provide the detailed analysis on this problem by using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of p+q in RSA risks more than leaking partial MSBs of d. This result inspires us to further extend the boundary of the Boneh-Durfee attack to N0.284+Δ, where Δ is contributed by the capability of exhaustive search. Assume that doing an exhaustive search for 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to d<N0.328 for an 1024-bit RSA modulus. This is a 37 bits improvement over Boneh and Durfee's boundary.

Dan Zhang,Hui Wang,Shuang Li,Baonan Wang

DOI: https://doi.org/10.1007/s11227-023-05876-y

IF: 3.3

2024-01-25

The Journal of Supercomputing

Abstract:Large number factorization is not only the most critical entry point for Rivest–Shamir–Adleman (RSA) security analysis, but also the most direct means of attacking the asymmetric encryption algorithm RSA. In this paper, the factorization methods of large numbers are summarized and analysed: classical integer factoring algorithms, Shor’s circuit model algorithm, quantum adiabatic methods (integer factorization based on a quantum nuclear magnetic resonance (NMR) platform and D-Wave quantum annealing), and hybrid quantum-classical computing. Finally, the feasibility of integer factorization based on quantum adiabatics is discussed. In this paper, quantum annealing is regarded as a quantum attack method that is completely different from the famous Shor algorithm, and the potential of D-Wave factorization of large numbers to crack RSA cryptography is verified, which provides a new idea for a quantum attack on RSA public key cryptography.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

M. Anwar,Mustafa Ismail,H.M. Bahig

2024-03-10

Abstract:In this paper, we present attacks on three types of RSA modulus when the least significant bits of the prime factors of RSA modulus satisfy some conditions. Let $p,$ and $q$ be primes of the form $p=a^{m_1}+r_p$ and $q=b^{m_2}+r_q$ respectively, where $a,b,m_{1},m_{2} \in \mathbb{Z^+}$ $r_p,$ and $ r_q$ are known. The first attack is when the RSA modulus is $N=pq$ where $m_1$ or $m_2$ is an even number. If $\left(r_{p}r_{q}\right)^\frac{1}{2}$ is sufficiently small, then $N$ can be factored in polynomial time. The second attack is when $N=p^{s}q,$ where $q>p$ and $s$ divides $m_2.$ If $r_pr_q$ is sufficiently small, then $N$ can be factored in polynomial time. The third attack is when $N=p^{s+l}q^{s},$ where $p>q,$ $s,l \in \mathbb{Z^+},$ $l < \frac{s}{2}$ and $s$ divides $m_1l.$ If $a^{m_1}>qa^{\frac{m_1l}{s}},$ and $lr^3_p$ is sufficiently small, then $N$ can be factored in polynomial time.

Number Theory

Wan Nur Aqlili Ruzai,Muhammad Rezal Kamel Ariffin,Muhammad Asyraf Asbullah,Amir Hamzah Abd Ghafar

DOI: https://doi.org/10.1016/j.jksuci.2024.102074

IF: 9.006

2024-05-25

Journal of King Saud University - Computer and Information Sciences

Abstract:RSA stands as a widely adopted method within asymmetric cryptography, commonly applied for digital signature validation and message encryption. The security of RSA relies on the challenge of integer factorization, a problem considered either computationally infeasible or highly intricate, especially when dealing with sufficiently large security parameters. Effective exploits of the integer factorization problem in RSA can allow an adversary to assume the identity of the key holder and decrypt such confidential messages. The keys employed in secure hardware are particularly significant due to the typically greater value of the information they safeguard, such as in the context of securing payment transactions. In general, RSA faces various attacks exploiting weaknesses in its key equations. This paper introduces a new vulnerability that enables the concurrent factorization of multiple RSA moduli. By working with pairs (Ni,ei) and a fixed value y satisfying the Diophantine equation eixi2−y2φ(Ni)=zi , we successfully factorized these moduli simultaneously using the lattice basis reduction technique. Notably, our research expands the scope of RSA decryption exponents considered as insecure.

computer science, information systems

Hung-Min Sun,Mu-En Wu,Cheng-Ta Yang

DOI: https://doi.org/10.1587/transfun.e92.a.2326

2009-01-01

Abstract:This investigation proposes two methods for embedding backdoors in the RSA modulus N = pq rather than in the public exponent e. This strategy not only permits manufacturers to embed backdoors in an RSA system, but also allows users to choose any desired public exponent, such as e = 2(16) + 1, to ensure efficient encryption. This work utilizes lattice attack and exhaustive attack to embed backdoors in two proposed methods, called RSA(SBLT) and RSA(SBES), respectively. Both approaches involve straightforward steps, making their running time roughly the same as that of normal RSA key-generation time, implying that no one can detect the backdoor by observing time imparity.

Hung-Min Sun,Cheng-Ta Yang,Mu-En Wu

DOI: https://doi.org/10.1587/transfun.e92.a.912

2009-01-01

Abstract:In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However. in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order Of magnitude as phi(N). Sun et al. devised three RSA variants Using unbalanced prime factors p and q to lower the computational cost. Unfortunately. Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances With Unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the Security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, We provide the security analysis and feasibility analysis of the proposed schemes.

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-642-34601-9_29

2012-01-01

Abstract:Given an integer N=pq, which is a product of two primes, it is difficult to determine the prime factors p and q efficiently. However, for the suitable size of a number N, Fermat's algorithm is one of the most simple method for solving it. In this paper, a method called EPF for estimating the prime factors of a composite number is proposed. We use the technique of continued fractions to output two integers, pE+qE and pE·qE, which are close to p+q and p·q, respectively. Furthermore, we show that EPF can be adopted to reduce the loop count in Fermat's algorithm before factoring a composite number. The effect depends on the size of the prime factor. We believe that there are still other applications as well wherein EPF can be used.

Anthony Overmars,Sitalakshmi Venkatraman

DOI: https://doi.org/10.3390/jcp4010003

2024-01-10

Journal of Cybersecurity and Privacy

Abstract:The RSA (Rivest–Shamir–Adleman) cryptosystem is an asymmetric public key cryptosystem popular for its use in encryptions and digital signatures. However, the Wiener’s attack on the RSA cryptosystem utilizes continued fractions, which has generated much interest in developing competitive factoring algorithms. A general-purpose integer factorization method first proposed by Lehmer and Powers formed the basis of the well-known Continued Fraction Factorization (CFRAC) method. Recent work on the one line factoring algorithm by Hart and its connection with Lehman’s factoring method have motivated this paper. The emphasis of this paper is to explore the representations of PQ as continued fractions and the suitability of lower ordered convergences as representations of ab. These simpler convergences are then prescribed to Hart’s one line factoring algorithm. As an illustration, we demonstrate the working of our approach with two numbers: one smaller number and another larger number occupying 95 bits. Using our method, the fourth convergence finds the factors as the solution for the smaller number, while the eleventh convergence finds the factors for the larger number. The security of the RSA public key cryptosystem relies on the computational difficulty of factoring large integers. Among the challenges in breaking RSA semi-primes, RSA250, which is an 829-bit semi-prime, continues to hold a research record. In this paper, we apply our method to factorize RSA250 and present the practical implementation of our algorithm. Our approach’s theoretical and experimental findings demonstrate the reduction of the search space and a faster solution to the semi-prime factorization problem, resulting in key contributions and practical implications. We identify further research to extend our approach by exploring limitations and additional considerations such as the difference of squares method, paving the way for further research in this direction.

computer science, information systems, interdisciplinary applications, software engineering

Hung-Min Sun,Cheng-Ta Yang

DOI: https://doi.org/10.1007/978-3-540-30580-4_14

2005-01-01

Abstract:In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N0.25 and N0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length $\frac{1}{2}\log _{2}N+56$. The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.

Gilda Rech Bansimba,Regis Freguin Babindamana,Basile Guy R. Bossoto

2023-05-09

Abstract:In this paper we present new arithmetical and algebraic results following the work of Babindamana and al. on hyperbolas and describe in the new results an approach to attacking a RSA-type modulus based on continued fractions, independent and not bounded by the size of the private key $d$ nor the public exponent $e$ compared to Wiener's attack. When successful, this attack is bounded by $\displaystyle\mathcal{O}\left( b\log{\alpha_{j4}}\log{(\alpha_{i3}+\alpha_{j3})}\right)$ with $b=10^{y}$, $\alpha_{i3}+\alpha_{j3}$ a non trivial factor of $n$ and $\alpha_{j4}$ such that $(n+1)/(n-1)=\alpha_{i4}/\alpha_{j4}$. The primary goal of this attack is to find a point $\displaystyle X_{\alpha}=\left(-\alpha_{3}, \ \alpha_{3}+1 \right) \in \mathbb{Z}^{2}_{\star}$ that satisfies $\displaystyle\left\langle X_{\alpha_{3}}, \ P_{3} \right\rangle =0$ from a convergent of $\displaystyle\frac{\alpha_{i4}}{\alpha_{j4}}+\delta$, with $P_{3}\in \mathcal{B}_{n}(x, y)_{\mid_{x\geq 4n}}$. We finally present some experimental examples. We believe these results constitute a new direction in RSA Cryptanalysis using continued fractions independently of parameters $e$ and $d$.

Cryptography and Security,Number Theory

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1016/j.future.2013.06.008

IF: 7.307

2014-01-01

Future Generation Computer Systems

Abstract:Although Integer Factorization Problem (IFP) is one of the most difficult problems in the world due to the limited computational capability, there exist some vulnerable integers which are factorable by the development of cloud computing. For example, given an integer N = p q , which is a product of two primes, it is hard to determine the prime factors p and q efficiently. However, for the suitable size of a number N , Fermat's algorithm may be one of the simplest method for solving it. In this paper, a method called EPF for estimating the prime factors of a composite number is proposed. We use the technique of continued fractions to output two integers, p E + q E and p E q E , which are close to p + q and p q , respectively. Furthermore, we show that EPF can be adopted to reduce the loop count in Fermat's algorithm before factoring a composite number. The effect depends on the size of the prime factor. We believe that there are still other applications as well wherein EPF can be used. Proposing a secure and efficient privacy preserving RFID authentication protocol.Using an RFID back-end server with cloud database to reduce the search complexity as well as data consistency.Withstanding desynchronizing attacks and tracking attacks.Providing scalability with O ( log N ) search complexity.

Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.113168

2021-01-01

International Journal of Information and Computer Security

Abstract:In this study, we revisit the RSA public key cryptosystem in some special case of Boneh and Durfee's attack when the private key d assumes to be larger than the public key e . The attack in this study is the variation of an approach adopted by Luo et al. (2009) based on large decryption exponent. They had chosen a large private key ( d > e ) and found the weak keys in some specific range between N 0.258 ≤ e ≤ N 0.857 . We highlight the shortcomings and new improvements in our study with more refined bound analysis up to the range between N 0.104 ≤ e ≤ N 0.923 . Our experimental results revealed more refined bounds using lattice-based Coppersmith's method. In our experimental yield, we find the small roots of the devised polynomial, which helps to factorise the RSA modulus of size up to 1,024-bits. We also measure the probability of a specific range of weak keys, which further certify our results about weak keys in an RSA constrained secret key environment.

Mengce Zheng,Zhigang Chen,Yaohui Wu

DOI: https://doi.org/10.1109/access.2023.3264590

IF: 3.9

2023-04-14

IEEE Access

Abstract:In this paper, we propose two improved theorems for addressing generalized bivariate integer equations using the lattice-based method. We examine the application of these theorems to the problem of factoring general RSA (Rivest–Shamir–Adleman) moduli of the form where and are prime numbers. These moduli, which are commonly used in the RSA cryptosystem and its variants, have previously been subjected to attacks primarily through the solution of univariate modular equations. In contrast, we investigate the possibility of factoring using leaked most significant bits (MSBs) or least significant bits (LSBs) of the prime numbers by solving generalized bivariate integer equations. We determine the minimum amount of known bits required for implementing the proposed factoring attacks and establish a unifying attack strategy. Furthermore, our results are verified through numerical computer experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener sug- gested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA en- cryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e =2 511 +1such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Marco Tesoro,Ilaria Siloi,Daniel Jaschke,Giuseppe Magnifico,Simone Montangero

2024-10-22

Abstract:Classical public-key cryptography standards rely on the Rivest-Shamir-Adleman (RSA) encryption protocol. The security of this protocol is based on the exponential computational complexity of the most efficient classical algorithms for factoring large semiprime numbers into their two prime components. Here, we attack RSA factorization building on Schnorr's mathematical framework where factorization translates into a combinatorial optimization problem. We solve the optimization task via tensor network methods, a quantum-inspired classical numerical technique. This tensor network Schnorr's sieving algorithm displays numerical evidence of a polynomial scaling of the resources with the bit-length of the semiprime. We factorize RSA numbers up to 100 bits encoding the optimization problem in quantum systems with up to 256 qubits. Only the high-order polynomial scaling of the required resources limits the factorization of larger numbers. Although these results do not currently undermine the security of the present communication infrastructure, they strongly highlight the urgency of implementing post-quantum cryptography or quantum key distribution.

Cryptography and Security,Quantum Physics

Craig Gidney,Martin Ekerå

DOI: https://doi.org/10.22331/q-2021-04-15-433

2021-04-13

Abstract:We significantly reduce the cost of factoring integers and computing discrete logarithms in finite fields on a quantum computer by combining techniques from Shor 1994, Griffiths-Niu 1996, Zalka 2006, Fowler 2012, Ekerå-Håstad 2017, Ekerå 2017, Ekerå 2018, Gidney-Fowler 2019, Gidney 2019. We estimate the approximate cost of our construction using plausible physical assumptions for large-scale superconducting qubit platforms: a planar grid of qubits with nearest-neighbor connectivity, a characteristic physical gate error rate of $10^{-3}$, a surface code cycle time of 1 microsecond, and a reaction time of 10 microseconds. We account for factors that are normally ignored such as noise, the need to make repeated attempts, and the spacetime layout of the computation. When factoring 2048 bit RSA integers, our construction's spacetime volume is a hundredfold less than comparable estimates from earlier works (Van Meter et al. 2009, Jones et al. 2010, Fowler et al. 2012, Gheorghiu et al. 2019). In the abstract circuit model (which ignores overheads from distillation, routing, and error correction) our construction uses $3 n + 0.002 n \lg n$ logical qubits, $0.3 n^3 + 0.0005 n^3 \lg n$ Toffolis, and $500 n^2 + n^2 \lg n$ measurement depth to factor $n$-bit RSA integers. We quantify the cryptographic implications of our work, both for RSA and for schemes based on the DLP in finite fields.

Quantum Physics

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.