Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1109/icccs52626.2021.9449268

2021-01-01

Abstract:RSA public key cryptosystem is the “de-facto” standard, provides confidentiality and privacy security services over the internet. At Eurocrypt 1999, Boneh and Durfee proposed a polynomial time attacks on RSA small decryption key exponent. Their attacks worked by exploiting the lattice and sub lattice structure using lattice based Coppersmith's method to solve a modular polynomials, when d <; N 0.284 and d <; N 0.292 respectively. In this work, we propose a new attack on some special case of Boneh and Durfee's attack method with respect to large decryption exponent (i.e. d = N > e = N α , where α and ε are the encryption and decryption exponents respectively) for some α ≤ ε. The condition d > φ(N) - N ε satisfies our devised attack and the experimental outcome certifies that an RSA cryptosystem with large decryption exponent successfully revealed the weak keys through lattice basis reduction method.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1016/j.pnsc.2008.09.013

2009-01-01

Abstract:Boneh and Durfee have developed a cryptanalytic algorithm on low private key RSA. The algorithm is based on lattice basis reduction and breaks RSA with private key d < N-0.292. Later on, an improved version by Blomer and May enhanced the efficiency, while reaching approximately this same upper bound. Unfortunately, in both the algorithms, there is a critical error in theoretical analysis, leading to the overestimated upper bound N-0.292. In this paper we present a more precise analytical model, with which the theoretical upper bound on d is modified to approximately d < N-0.277 for ordinary RSA systems with a 1024-bit public key (N,e). (C) 2009 National Natural Science Foundation of China and Chinese Academy of Sciences. Published by Elsevier Limited and Science in China Press. All rights reserved.

Ping Luo,HaiJian Zhou,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0014-z

2009-01-01

Abstract:In this paper, we study the RSA public key cryptosystem in a special case with the private exponent d larger than the public exponent e . When N 0.258 ⩽ e ⩽ N 0.854 , d > e and satisfies the given conditions, we can perform cryptanalytic attacks based on the LLL lattice basis reduction algorithm. The idea is an extension of Boneh and Durfee’s researches on low private key RSA, and provides a new solution to finding weak keys in RSA cryptosystems.

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-642-34601-9_28

2012-01-01

Abstract:In RSA equation: ed=k·φ(N)+1, we may guess on partial bits of d or p+q by doing an exhaustive search to further extend the security boundary of d. In this paper, we discuss the following question: Does guessing on p+q bring more benefit than guessing on d? We provide the detailed analysis on this problem by using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of p+q in RSA risks more than leaking partial MSBs of d. This result inspires us to further extend the boundary of the Boneh-Durfee attack to N0.284+Δ, where Δ is contributed by the capability of exhaustive search. Assume that doing an exhaustive search for 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to d<N0.328 for an 1024-bit RSA modulus. This is a 37 bits improvement over Boneh and Durfee's boundary.

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Ajay Dabral,S. K. Pal,Arvind Yadav

DOI: https://doi.org/10.1007/s11042-023-17939-6

IF: 2.577

2024-02-01

Multimedia Tools and Applications

Abstract:In recent years, there has been a significant amount of work conducted in the field of Lattice Basis Reduction Techniques, which is one of the crucial areas of Lattice-based Cryptography. This field finds applications in the cryptanalysis of important problems, including SIS, LWE, the Lattice Isomorphism Problem, and more. Another critical role of Lattice reduction is in determining key sizes for various cryptosystems based on Lattices. Therefore, the study and development of Lattice basis reduction techniques are closely tied to the assessment of the Quantum resistance nature of Lattice-based Cryptosystems, making it valuable to investigate Lattice Reduction Techniques. Furthermore, when combined with other techniques, Lattice Reduction Techniques can yield excellent results. In this paper, we delve into various essential Lattice Reduction Techniques, such as LLL, BKZ, Generalized basis reduction in dimension 3, along with their improvements like DeepLLL, DeepBKZ, Self-dual DeepBKZ. We also explore other important techniques, including Hybrid Method, Cubification, LDSF, and recent developments. Additionally, we provide discussions on their comparisons, complexities, and improvements.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.113168

2021-01-01

International Journal of Information and Computer Security

Abstract:In this study, we revisit the RSA public key cryptosystem in some special case of Boneh and Durfee's attack when the private key d assumes to be larger than the public key e . The attack in this study is the variation of an approach adopted by Luo et al. (2009) based on large decryption exponent. They had chosen a large private key ( d > e ) and found the weak keys in some specific range between N 0.258 ≤ e ≤ N 0.857 . We highlight the shortcomings and new improvements in our study with more refined bound analysis up to the range between N 0.104 ≤ e ≤ N 0.923 . Our experimental results revealed more refined bounds using lattice-based Coppersmith's method. In our experimental yield, we find the small roots of the devised polynomial, which helps to factorise the RSA modulus of size up to 1,024-bits. We also measure the probability of a specific range of weak keys, which further certify our results about weak keys in an RSA constrained secret key environment.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

Mengce Zheng,Zhigang Chen,Yaohui Wu

DOI: https://doi.org/10.1109/access.2023.3264590

IF: 3.9

2023-04-14

IEEE Access

Abstract:In this paper, we propose two improved theorems for addressing generalized bivariate integer equations using the lattice-based method. We examine the application of these theorems to the problem of factoring general RSA (Rivest–Shamir–Adleman) moduli of the form where and are prime numbers. These moduli, which are commonly used in the RSA cryptosystem and its variants, have previously been subjected to attacks primarily through the solution of univariate modular equations. In contrast, we investigate the possibility of factoring using leaked most significant bits (MSBs) or least significant bits (LSBs) of the prime numbers by solving generalized bivariate integer equations. We determine the minimum amount of known bits required for implementing the proposed factoring attacks and establish a unifying attack strategy. Furthermore, our results are verified through numerical computer experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yameen Ajani,Curtis Bright

2024-06-29

Abstract:The difficulty of factoring large integers into primes is the basis for cryptosystems such as RSA. Due to the widespread popularity of RSA, there have been many proposed attacks on the factorization problem such as side-channel attacks where some bits of the prime factors are available. When enough bits of the prime factors are known, two methods that are effective at solving the factorization problem are satisfiability (SAT) solvers and Coppersmith's method. The SAT approach reduces the factorization problem to a Boolean satisfiability problem, while Coppersmith's approach uses lattice basis reduction. Both methods have their advantages, but they also have their limitations: Coppersmith's method does not apply when the known bit positions are randomized, while SAT-based methods can take advantage of known bits in arbitrary locations, but have no knowledge of the algebraic structure exploited by Coppersmith's method. In this paper we describe a new hybrid SAT and computer algebra approach to efficiently solve random leaked-bit factorization problems. Specifically, Coppersmith's method is invoked by a SAT solver to determine whether a partial bit assignment can be extended to a complete assignment. Our hybrid implementation solves random leaked-bit factorization problems significantly faster than either a pure SAT or pure computer algebra approach.

Cryptography and Security,Discrete Mathematics,Logic in Computer Science,Symbolic Computation

Mengce Zheng

DOI: https://doi.org/10.1109/ACCESS.2024.3349633

2023-10-19

Abstract:We point out critical deficiencies in lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis during solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA.

Cryptography and Security

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Wan Nur Aqlili Ruzai,Muhammad Rezal Kamel Ariffin,Muhammad Asyraf Asbullah,Amir Hamzah Abd Ghafar

DOI: https://doi.org/10.1016/j.jksuci.2024.102074

IF: 9.006

2024-05-25

Journal of King Saud University - Computer and Information Sciences

Abstract:RSA stands as a widely adopted method within asymmetric cryptography, commonly applied for digital signature validation and message encryption. The security of RSA relies on the challenge of integer factorization, a problem considered either computationally infeasible or highly intricate, especially when dealing with sufficiently large security parameters. Effective exploits of the integer factorization problem in RSA can allow an adversary to assume the identity of the key holder and decrypt such confidential messages. The keys employed in secure hardware are particularly significant due to the typically greater value of the information they safeguard, such as in the context of securing payment transactions. In general, RSA faces various attacks exploiting weaknesses in its key equations. This paper introduces a new vulnerability that enables the concurrent factorization of multiple RSA moduli. By working with pairs (Ni,ei) and a fixed value y satisfying the Diophantine equation eixi2−y2φ(Ni)=zi , we successfully factorized these moduli simultaneously using the lattice basis reduction technique. Notably, our research expands the scope of RSA decryption exponents considered as insecure.

computer science, information systems

Majid Mumtaz,Luo Ping

DOI: https://doi.org/10.1016/j.ins.2020.05.075

IF: 8.1

2020-01-01

Information Sciences

Abstract:Standard RSA cryptosystem becomes vulnerable, when private key d < N-0.292 is used inside CryptoChips of constrained devices, thus an alternate scheme is the Common Prime RSA (CP-RSA) variant, which provides cryptographic (decryption/signing) operations. In this paper, we perform a cryptanalytic attack on CP-RSA using lattice basis reduction method that is used to exploit possible vulnerabilities of RSA small private key attacks. In addition, we performed detail experiments on CP-RSA weak or overestimated bounds and compare results to the past studies. Our implemented cryptanalytic attack implicates more precise and direct method to exploit the CP-RSA existing theoretical and experimental bounds. Also, our results prove that CP-RSA is an effective approach that provides resistance against standard RSA small private key attacks. (C) 2020 Elsevier Inc. All rights reserved.

M. Anwar,Mustafa Ismail,H.M. Bahig

2024-03-10

Abstract:In this paper, we present attacks on three types of RSA modulus when the least significant bits of the prime factors of RSA modulus satisfy some conditions. Let $p,$ and $q$ be primes of the form $p=a^{m_1}+r_p$ and $q=b^{m_2}+r_q$ respectively, where $a,b,m_{1},m_{2} \in \mathbb{Z^+}$ $r_p,$ and $ r_q$ are known. The first attack is when the RSA modulus is $N=pq$ where $m_1$ or $m_2$ is an even number. If $\left(r_{p}r_{q}\right)^\frac{1}{2}$ is sufficiently small, then $N$ can be factored in polynomial time. The second attack is when $N=p^{s}q,$ where $q>p$ and $s$ divides $m_2.$ If $r_pr_q$ is sufficiently small, then $N$ can be factored in polynomial time. The third attack is when $N=p^{s+l}q^{s},$ where $p>q,$ $s,l \in \mathbb{Z^+},$ $l < \frac{s}{2}$ and $s$ divides $m_1l.$ If $a^{m_1}>qa^{\frac{m_1l}{s}},$ and $lr^3_p$ is sufficiently small, then $N$ can be factored in polynomial time.

Number Theory

Ziyu Zhao,Jintai Ding

DOI: https://doi.org/10.1007/978-3-031-34671-2_19

2023-01-01

Abstract:Lattice problem such as NTRU problem and LWE problem is widely used as the security base of post-quantum cryptosystems. And currently doing lattice reduction by BKZ algorithm is the most efficient way to solve it. In this paper, we give several further improvements on BKZ algorithm, which can be used for different SVP subroutines base on both enumeration and sieving. These improvements in combination provide a speed up of 23∼4 in total. It is significant in concrete attacks. Using these new techniques, we solved the 656 dimensional ideal lattice challenge in only 380 thread hours (also with a enumeration based SVP subroutine), much less than the previous records (which costs 4600 thread hours in total). With these improvements enabled, we can still simulate the new BKZ algorithm easily. One can also use this simulator to find the blocksize strategy (and the corresponding cost) to make Pot of the basis (defined in section 5.2) decrease as fast as possible, which means the length of the first basis vector decrease the fastest if we accept the GSA assumption. It is useful for analyzing concrete attacks on lattice-based cryptography.

Gilda Rech Bansimba,Regis Freguin Babindamana,Basile Guy R. Bossoto

2023-05-09

Abstract:In this paper we present new arithmetical and algebraic results following the work of Babindamana and al. on hyperbolas and describe in the new results an approach to attacking a RSA-type modulus based on continued fractions, independent and not bounded by the size of the private key $d$ nor the public exponent $e$ compared to Wiener's attack. When successful, this attack is bounded by $\displaystyle\mathcal{O}\left( b\log{\alpha_{j4}}\log{(\alpha_{i3}+\alpha_{j3})}\right)$ with $b=10^{y}$, $\alpha_{i3}+\alpha_{j3}$ a non trivial factor of $n$ and $\alpha_{j4}$ such that $(n+1)/(n-1)=\alpha_{i4}/\alpha_{j4}$. The primary goal of this attack is to find a point $\displaystyle X_{\alpha}=\left(-\alpha_{3}, \ \alpha_{3}+1 \right) \in \mathbb{Z}^{2}_{\star}$ that satisfies $\displaystyle\left\langle X_{\alpha_{3}}, \ P_{3} \right\rangle =0$ from a convergent of $\displaystyle\frac{\alpha_{i4}}{\alpha_{j4}}+\delta$, with $P_{3}\in \mathcal{B}_{n}(x, y)_{\mid_{x\geq 4n}}$. We finally present some experimental examples. We believe these results constitute a new direction in RSA Cryptanalysis using continued fractions independently of parameters $e$ and $d$.

Cryptography and Security,Number Theory

Jintai Ding,Momonari Kudo,Shinya Okumura,Tsuyoshi Takagi,Chengdong Tao

DOI: https://doi.org/10.1007/s13160-018-0316-x

2018-01-01

Japan Journal of Industrial and Applied Mathematics

Abstract:Researching post-quantum cryptography is now an important task in cryptography. Although various candidates of post-quantum cryptosystems (PQC) have been constructed, sizes of their public keys are large. Okumura constructed a candidate of PQC whose security is expected to be based on certain Diophantine equations (DEC). Okumura analysis suggests that DEC achieves the high security with small public key sizes. This paper proposes a polynomial time-attack on the one-way property of DEC. We reduce the security of DEC to finding special short lattice points of some low-rank lattices derived from public data. The usual LLL algorithm could not find the most important lattice point in our experiments because of certain properties of the lattice point. Our heuristic analysis leads us to using a variant of the LLL algorithm, called a weighted LLL algorithm by us. Our experiments suggest that DEC with 128 bit security becomes insecure by our attack.

Duo LIU,Yi-qi DAI

2008-01-01

Abstract:To discuss the security of RSA-type cryptosystem over conic curves on the ring Z/nZ, two algorithms of short private exponent attack on such cryptosystems were presented. Two simple examples illuminating the algorithms were also given. The results showed that the RSA-type cryptosystem over conic curves on the ring Z/nZ can not resist short private exponent attack. In other word, the parameter n can be factored in polynomial time of lnn if the private exponent is too small.

Shixiong Wang,Minghao Sun

DOI: https://doi.org/10.3390/math12213411

IF: 2.4

2024-11-01

Mathematics

Abstract:Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith's method for finding small roots of bivariate modular polynomial equations.

mathematics