Hung-Min Sun,Cheng-Ta Yang,Mu-En Wu

DOI: https://doi.org/10.1587/transfun.e92.a.912

2009-01-01

Abstract:In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However. in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order Of magnitude as phi(N). Sun et al. devised three RSA variants Using unbalanced prime factors p and q to lower the computational cost. Unfortunately. Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances With Unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the Security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, We provide the security analysis and feasibility analysis of the proposed schemes.

Mengce Zheng,Noboru Kunihiro,Yuanzhi Yao

DOI: https://doi.org/10.1016/j.tcs.2021.08.001

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:RSA (Rivest-Shamir-Adleman) cryptosystem is the most popular asymmetric key cryptographic algorithm used in computer science and information security. Recently, an RSA-like cryptosystem was proposed using a novel product that arises from a cubic field connected to the cubic Pell equation. The relevant key equation is e d ≡ 1 mod ( p 2 + p + 1 ) ( q 2 + q + 1 ) with N = p q. This RSA variant is claimed to be robust against the Wiener's attack and hence the bit-size of the private key could be shorter, namely d < N 1 / 4. In this paper, we explore the further security analysis and investigate the potential small private exponent attack. We show that such RSA variant is particularly vulnerable to the lattice-based method. To be specific, we can carry out the lattice-based small private exponent attack if d < N 2 − 2, which is less secure than the standard RSA. Furthermore, we conduct numerical experiments to verify the validity of the proposed attack.

Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1109/icccs52626.2021.9449268

2021-01-01

Abstract:RSA public key cryptosystem is the “de-facto” standard, provides confidentiality and privacy security services over the internet. At Eurocrypt 1999, Boneh and Durfee proposed a polynomial time attacks on RSA small decryption key exponent. Their attacks worked by exploiting the lattice and sub lattice structure using lattice based Coppersmith's method to solve a modular polynomials, when d <; N 0.284 and d <; N 0.292 respectively. In this work, we propose a new attack on some special case of Boneh and Durfee's attack method with respect to large decryption exponent (i.e. d = N > e = N α , where α and ε are the encryption and decryption exponents respectively) for some α ≤ ε. The condition d > φ(N) - N ε satisfies our devised attack and the experimental outcome certifies that an RSA cryptosystem with large decryption exponent successfully revealed the weak keys through lattice basis reduction method.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-07536-5_10

2014-01-01

Abstract:In Crypto'03, Blomer and May provided several partial key exposure attacks on CRT-RSA. In their attacks, they suppose that an attacker can either succeed to obtain the most significant bits (MSBs) or the least significant bits (LSBs) of d(p) = d mod (p - 1) in consecutive order. For the case of known LSBs of dp, their algorithm is polynomial-time only for small public exponents e (i.e. e = poly(log N)). However, in some practical applications, we prefer to use large e (Like e approximate to d(p), to let the public and private operations with the same computational effort). In this paper, we propose some lattice-based attacks for this extended setting. For known LSBs case, we introduce two approaches that work up to e < N-3/8. Similar results (though not as strong) are obtained for MSBs case. We also provide detailed experimental results to justify our claims.

Mengce Zheng,Honggang Hu,Zilong Wang

DOI: https://doi.org/10.1007/s11432-015-5325-7

2016-01-01

Science China Information Sciences

Abstract:In this paper, we demonstrate that there exist weak keys in the RSA public-key cryptosystem with the public exponent e = N α ≤ N 0.5. In 1999, Boneh and Durfee showed that when α ≈ 1 and the private exponent d = N β < N 0.292, the system is insecure. Moreover, their attack is still effective for 0.5 < α < 1.875. We propose a generalized cryptanalytic method to attack the RSA cryptosystem with α ≤ 0.5. For \(c = \left\lfloor {\frac{{1 - \alpha }}{\alpha }} \right\rfloor \) and e γc ≡ d (mod e c), when γ, β satisfy \(\gamma < 1 + \frac{1}{c} - \frac{1}{{2\alpha c}}and\beta < \alpha c + \frac{7}{6} - \alpha \gamma c - \frac{1}{3}\sqrt {6\alpha + 6\alpha c + 1 - 6\alpha \gamma c} \), we can perform cryptanalytic attacks based on the LLL algorithm. The basic idea is an application of Coppersmith’s techniques and we further adapt the technique of unravelled linearization, which leads to an optimized lattice. Our advantage is that we achieve new attacks on RSA with α ≤ 0.5 and consequently, there exist weak keys in RSA for most α.

M. Anwar,Mustafa Ismail,H.M. Bahig

2024-03-10

Abstract:In this paper, we present attacks on three types of RSA modulus when the least significant bits of the prime factors of RSA modulus satisfy some conditions. Let $p,$ and $q$ be primes of the form $p=a^{m_1}+r_p$ and $q=b^{m_2}+r_q$ respectively, where $a,b,m_{1},m_{2} \in \mathbb{Z^+}$ $r_p,$ and $ r_q$ are known. The first attack is when the RSA modulus is $N=pq$ where $m_1$ or $m_2$ is an even number. If $\left(r_{p}r_{q}\right)^\frac{1}{2}$ is sufficiently small, then $N$ can be factored in polynomial time. The second attack is when $N=p^{s}q,$ where $q>p$ and $s$ divides $m_2.$ If $r_pr_q$ is sufficiently small, then $N$ can be factored in polynomial time. The third attack is when $N=p^{s+l}q^{s},$ where $p>q,$ $s,l \in \mathbb{Z^+},$ $l < \frac{s}{2}$ and $s$ divides $m_1l.$ If $a^{m_1}>qa^{\frac{m_1l}{s}},$ and $lr^3_p$ is sufficiently small, then $N$ can be factored in polynomial time.

Number Theory

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-642-34601-9_28

2012-01-01

Abstract:In RSA equation: ed=k·φ(N)+1, we may guess on partial bits of d or p+q by doing an exhaustive search to further extend the security boundary of d. In this paper, we discuss the following question: Does guessing on p+q bring more benefit than guessing on d? We provide the detailed analysis on this problem by using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of p+q in RSA risks more than leaking partial MSBs of d. This result inspires us to further extend the boundary of the Boneh-Durfee attack to N0.284+Δ, where Δ is contributed by the capability of exhaustive search. Assume that doing an exhaustive search for 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to d<N0.328 for an 1024-bit RSA modulus. This is a 37 bits improvement over Boneh and Durfee's boundary.

Hung-Min Sun,Cheng-Ta Yang

DOI: https://doi.org/10.1007/978-3-540-30580-4_14

2005-01-01

Abstract:In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N0.25 and N0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length $\frac{1}{2}\log _{2}N+56$. The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1109/csie.2009.890

2009-01-01

Abstract:Lattice basis reduction algorithms have contributed a lot to cryptanalysis of RSA systems. A typical application is Boneh-Durfee's seminal work for breaking low private key RSA (and its successors in other applications). Although it's well known that this technique is not guaranteed to succeed, there is no thorough proof yet when it fails. In this paper, we summarize the Boneh-Durfee-like algorithms using generalized terminology. We also show that when the number of solutions in given bounded range is larger than $8(w/3)^7$, where $w$ is the dimension of the lattice involved in the reduction procedure, then the algorithm always fails. As a result, it is proven that MSB (Most Significant Bits)partial key exposure attacks on low public key RSA using this technique is difficult, if we have not sufficient private key exposed.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-38631-2_29

2013-01-01

Abstract:This paper investigates the problem of factoring RSA modulus N = pq with some known bits from both p and q. In Asiacrypt'08, Herrmann and May presented a heuristic algorithm to factorize N with the knowledge of a random subset of the bits (distributed over small contiguous blocks) of a factor. However, in a real attack, an adversary often obtain some bits which distributed in both primes. This paper studies this extended setting and introduces a lattice-based approach. Our strategy is an extension of Coppersmiths technique on more variables, thus it is a heuristic method, which we heuristically assumed that the polynomials resulting from the lattice basis reduction are algebraically independent. However, in our experiments, we have observed that the well-established assumption is not always true, and for these scenarios, we also propose a method to fix it. © 2013 Springer-Verlag.

Shixiong Wang,Minghao Sun

DOI: https://doi.org/10.3390/math12213411

IF: 2.4

2024-11-01

Mathematics

Abstract:Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith's method for finding small roots of bivariate modular polynomial equations.

mathematics

Mengce Zheng,Noboru Kunihiro,Honggang Hu

DOI: https://doi.org/10.1587/transfun.2019EAP1170

2020-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:We address the security issue of RSA with implicitly related keys in this paper. Informally, we investigate under what condition is it possible to efficiently factorize RSA moduli in polynomial time given implicit relation of the related private keys that certain portions of bit pattern are the same. We formulate concrete attack scenarios and propose lattice-based cryptanalysis by using lattice reduction algorithms. A subtle lattice technique is adapted to represent an unknown private key with the help of known implicit relation. We analyze a simple case when given two RSA instances with the known amount of shared most significant bits (MSBs) and least significant bits (LSBs) of the private keys. We further extend to a generic lattice-based attack for given more RSAinstances with implicitly related keys. Our theoretical results indicate that RSA with implicitly related keys is more insecure and better asymptotic results can be achieved as the number of RSA instances increases. Furthermore, we conduct numerical experiments to verify the validity of the proposed attacks.

Mengce Zheng,Noboru Kunihiro,Honggang Hu

DOI: https://doi.org/10.1007/978-3-319-60055-0_17

2017-01-01

Abstract:In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is based on combining r equations to solve one multivariate modular equation by a generic lattice approach. Since the equation form is similar to multi-prime Phi-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.

Hung-Min Sun,Mu-En Wu,Huaxiong Wang,Jian Guo

DOI: https://doi.org/10.1007/978-3-540-70500-0_7

2008-01-01

Abstract:An $\left( \alpha ,\beta ,\gamma \right) $-LSBS RSA denotes an RSA system with primes sharing 驴least significant bits, private exponent dwith βleast significant bits leaked, and public exponent ewith bit-length 驴. Steinfeld and Zheng showed that LSBS-RSA with small eis inherently resistant to the BDF attack, but LSBS-RSA with large eis more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS-RSA by reducing the cost of exhaustive search for k, where kis the parameter in RSA equation: $ed=k\cdot \varphi \left( N\right) +1$. Consequently, the complexity of the BDF attacks on LSBS-RSA can be further reduced. Denote 驴as the multiplicity of 2 in k. Our method gives the improvements, which depend on the two cases:1In the case $\gamma \leq \min \left\{ \beta ,2\alpha \right\} -\sigma $, the cost of exhaustive search for kin LSBS-RSA can be simplified to searching kin polynomial time. Thus, the complexity of the BDF attack is independent of 驴, but it still increases as 驴increases.1In the case $\gamma \min \left\{ \beta ,2\alpha \right\} -\sigma $, the complexity of the BDF attack on LSBS-RSA can be further reduced with increasing 驴or β.More precisely, we show that an LSBS-RSA is more vulnerable under the BDF attack as $\max \left\{ 2\alpha ,\beta \right\} $ increases proportionally with the size of N. In the last, we point out that although LSBS-RSA benefits the computational efficiency in some applications, one should be more careful in using LSBS-RSA.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-39059-3_5

2013-01-01

Abstract:Factoring large integers is a fundamental problem in algebraic number theory and modern cryptography, which many cryptosystems, e.g. RSA, are based on. Up to now, there is no known polynomial-time algorithm to solve it with classical computers. However, in practice side-channel attacks usually cause serious damage: Even if a small proportion of bits in the secret primes is leaked, one may efficiently factor. In this paper, we study the problem of factoring with partial known bits for multi-power RSA modulus N = pr q. In 1999, Boneh, Durfee and Howgrave-Graham showed that this problem can be solved efficiently given a 1/r+1-fraction of the most significant bits (MSB) of p. In their attack, the unknown bits are located in one consecutive block. We propose two lattice-based approaches that extend the number of unknown blocks to arbitrary n (n ≥ 1). The advantage of our approaches is that now knowledge of a ln(1+r)/r-fraction of the bits of p is already sufficient (for any n). In fact, our result is a first step towards unifying and extending previous works by Boneh-Durfee-Howgrave (Crypto'99) and Herrmann-May (Asiacrypt'08). © 2013 Springer-Verlag.

Mengce Zheng,Noboru Kunihiro,Honggang Hu

DOI: https://doi.org/10.1007/978-3-319-89339-6_15

2018-01-01

Abstract:The standard RSA scheme provides the key equation (edequiv 1pmod {varphi (N)}) for (N=pq), where (varphi (N)=(p-1)(q-1)) is Euler quotient (or Euler’s totient function), e and d are the public and private keys, respectively. It has been extended to the following variants with modified Euler quotient (omega (N)=(p^2-1)(q^2-1)), which in turn indicates the modified key equation is (edequiv 1pmod {omega (N)}).

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener sug- gested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA en- cryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e =2 511 +1such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

Ping Luo,HaiJian Zhou,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0014-z

2009-01-01

Abstract:In this paper, we study the RSA public key cryptosystem in a special case with the private exponent d larger than the public exponent e . When N 0.258 ⩽ e ⩽ N 0.854 , d > e and satisfies the given conditions, we can perform cryptanalytic attacks based on the LLL lattice basis reduction algorithm. The idea is an extension of Boneh and Durfee’s researches on low private key RSA, and provides a new solution to finding weak keys in RSA cryptosystems.

Hung-Min Sun,Mu-En Wu,Cheng-Ta Yang

DOI: https://doi.org/10.1587/transfun.e92.a.2326

2009-01-01

Abstract:This investigation proposes two methods for embedding backdoors in the RSA modulus N = pq rather than in the public exponent e. This strategy not only permits manufacturers to embed backdoors in an RSA system, but also allows users to choose any desired public exponent, such as e = 2(16) + 1, to ensure efficient encryption. This work utilizes lattice attack and exhaustive attack to embed backdoors in two proposed methods, called RSA(SBLT) and RSA(SBES), respectively. Both approaches involve straightforward steps, making their running time roughly the same as that of normal RSA key-generation time, implying that no one can detect the backdoor by observing time imparity.