Hung-Min Sun,Cheng-Ta Yang

DOI: https://doi.org/10.1007/978-3-540-30580-4_14

2005-01-01

Abstract:In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N0.25 and N0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length $\frac{1}{2}\log _{2}N+56$. The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.

K. R. Raghunandan,Rovita Robert Dsouza,N. Rakshith,Surendra Shetty,Ganesh Aithal

DOI: https://doi.org/10.1007/978-981-15-3514-7_60

2020-08-14

Abstract:Public key cryptography generates two distinct keys: one for encryption and another separate but related key for decryption. There exists only one private key for every public key to decipher the message. A variant of RSA, called the Dual RSA, has two different key pairs having separate private and public key exponents. Security of the RSA is compromised using mathematical attacks, by the factorization of ‘n’. This paper proposed an enhanced approach to Dual RSA with the help of Pell’s equation and a fake modulus key. The algorithm eliminates the distribution of ‘n’, whose factors compromise the RSA algorithm. Also, the solutions to Pell’s equation are shared instead of the public key components. A comparative analysis is carried out with respect to RSA, Dual RSA and the proposed algorithm based on the complexity of each step of the algorithm. It is observed that the proposed system provides more security to the public key exponents and the system modulus ‘n’, than RSA and Dual RSA.

Hung-Min Sun,Cheng-Ta Yang,Mu-En Wu

DOI: https://doi.org/10.1587/transfun.e92.a.912

2009-01-01

Abstract:In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However. in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order Of magnitude as phi(N). Sun et al. devised three RSA variants Using unbalanced prime factors p and q to lower the computational cost. Unfortunately. Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances With Unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the Security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, We provide the security analysis and feasibility analysis of the proposed schemes.

Hung‐Min Sun,Cheng‐Ta Yang,Vincent S. Tseng

2009-01-01

Abstract:—A digital multisignature is a normal digital signature of a message generated by multiple signers with knowledge of multiple private keys. In this paper, we point out that two CRTequations can be totally independent in Rebalanced-RSA. This means that we can choose different public exponents when using Rebalanced-RSA. From this point of view, we proposed the new multisignature-like scheme based on RSA with CRT-Exponents.

Gongyu Shi,Geng Wang,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-22390-7_9

2022-01-01

Abstract:To enhance the security or the efficiency of the standard RSA cryptosystem, some variants have been proposed based on elliptic curves, Gaussian integers or Lucas sequences. A typical type of these variants which we called Type-A variants have the specified modified Euler's totient function psi(N) = (p(2) - 1)(q(2) - 1). But in 2018, based on cubic Pell equation, Murru and Saettone presented a new RSA-like cryptosystem, and it is another type of RSA variants which we called Type-B variants, since their scheme has psi(N) = (p(2) + p+ 1)(q(2) + q+ 1). For RSA-like cryptosystems, four key-related attacks have been widely analyzed, i.e., the small private key attack, the multiple private keys attack, the partial key exposure attack and the small prime difference attack. These attacks are well-studied on both standard RSA and Type-A variants. Recently, the small private key attack on Type-B variants has also been analyzed. In this paper, we make further cryptanalysis of Type-B variants, that is, we propose the first theoretical results of multiple private keys attack, partial key exposure attack as well as small prime difference attack on Type-B variants, and the validity of our attacks are verified by experiments. Our results show that for all three attacks, Type-B variants are less secure than standard RSA.

Shixiong Wang,Minghao Sun

DOI: https://doi.org/10.3390/math12213411

IF: 2.4

2024-11-01

Mathematics

Abstract:Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith's method for finding small roots of bivariate modular polynomial equations.

mathematics

Liangliang Wang,Mi Wen,Kefei Chen,Zhongqin Bi,Yu Long

DOI: https://doi.org/10.1007/978-3-319-69471-9_19

2017-01-01

Abstract:Through the application of certificateless signature, certificate management in traditional signatures can be simplified. Furthermore, the key escrow problem in identity-based signatures can be solved as well. As history has shown, there has not been a general pairing-free certificateless signature scheme which is mainly designed with modular exponentiation and modular multiplication that can possess resistance to Type I and Type II adversaries so far. Therefore, a new hard mathematic problem is firstly defined in this paper, which is called variant of RSA problem. In the next step, a new general pairing-free certificateless signature scheme is proposed based on the newly defined variant of RSA problem and the well known discrete logarithm problem. Fortunately, the proposed scheme is also the first RSA-based certificateless signature scheme that can possess resistance to Type I and Type II adversaries. In addition, a formal security proof is provided to demonstrate that, under adaptively chosen message attacks, the proposed scheme is provably secure against Type I and Type II adversaries in the random oracle model. When compared with other known pairing-free certificateless signature schemes of the same type, the computation cost of our scheme is slightly higher, however, a higher security level can be achieved.

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Mengce Zheng,Noboru Kunihiro,Honggang Hu

DOI: https://doi.org/10.1007/978-3-319-89339-6_15

2018-01-01

Abstract:The standard RSA scheme provides the key equation (edequiv 1pmod {varphi (N)}) for (N=pq), where (varphi (N)=(p-1)(q-1)) is Euler quotient (or Euler’s totient function), e and d are the public and private keys, respectively. It has been extended to the following variants with modified Euler quotient (omega (N)=(p^2-1)(q^2-1)), which in turn indicates the modified key equation is (edequiv 1pmod {omega (N)}).

Mengce Zheng,Honggang Hu,Zilong Wang

DOI: https://doi.org/10.1007/s11432-015-5325-7

2016-01-01

Science China Information Sciences

Abstract:In this paper, we demonstrate that there exist weak keys in the RSA public-key cryptosystem with the public exponent e = N α ≤ N 0.5. In 1999, Boneh and Durfee showed that when α ≈ 1 and the private exponent d = N β < N 0.292, the system is insecure. Moreover, their attack is still effective for 0.5 < α < 1.875. We propose a generalized cryptanalytic method to attack the RSA cryptosystem with α ≤ 0.5. For \(c = \left\lfloor {\frac{{1 - \alpha }}{\alpha }} \right\rfloor \) and e γc ≡ d (mod e c), when γ, β satisfy \(\gamma < 1 + \frac{1}{c} - \frac{1}{{2\alpha c}}and\beta < \alpha c + \frac{7}{6} - \alpha \gamma c - \frac{1}{3}\sqrt {6\alpha + 6\alpha c + 1 - 6\alpha \gamma c} \), we can perform cryptanalytic attacks based on the LLL algorithm. The basic idea is an application of Coppersmith’s techniques and we further adapt the technique of unravelled linearization, which leads to an optimized lattice. Our advantage is that we achieve new attacks on RSA with α ≤ 0.5 and consequently, there exist weak keys in RSA for most α.

Mengce Zheng,Noboru Kunihiro,Yuanzhi Yao

DOI: https://doi.org/10.1016/j.tcs.2021.08.001

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:RSA (Rivest-Shamir-Adleman) cryptosystem is the most popular asymmetric key cryptographic algorithm used in computer science and information security. Recently, an RSA-like cryptosystem was proposed using a novel product that arises from a cubic field connected to the cubic Pell equation. The relevant key equation is e d ≡ 1 mod ( p 2 + p + 1 ) ( q 2 + q + 1 ) with N = p q. This RSA variant is claimed to be robust against the Wiener's attack and hence the bit-size of the private key could be shorter, namely d < N 1 / 4. In this paper, we explore the further security analysis and investigate the potential small private exponent attack. We show that such RSA variant is particularly vulnerable to the lattice-based method. To be specific, we can carry out the lattice-based small private exponent attack if d < N 2 − 2, which is less secure than the standard RSA. Furthermore, we conduct numerical experiments to verify the validity of the proposed attack.

Ping Luo,HaiJian Zhou,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0014-z

2009-01-01

Abstract:In this paper, we study the RSA public key cryptosystem in a special case with the private exponent d larger than the public exponent e . When N 0.258 ⩽ e ⩽ N 0.854 , d > e and satisfies the given conditions, we can perform cryptanalytic attacks based on the LLL lattice basis reduction algorithm. The idea is an extension of Boneh and Durfee’s researches on low private key RSA, and provides a new solution to finding weak keys in RSA cryptosystems.

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener sug- gested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA en- cryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e =2 511 +1such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

L. Sreenivasulu Reddy

DOI: https://doi.org/10.1080/09720529.2020.1734292

2020-05-07

Journal of Discrete Mathematical Sciences and Cryptography

Abstract:The RSA public key cryptographic strength (either security of encryption and decryption schemes or efficiency of algorithms) depends upon the complexity in factorizing the largest integer into odd primes. For every chosen integer, the RSA's strength varies. RSA key generation space is the group of non-negative integers relatively prime to ϕ(n) and encryption, decryption spaces are both equal to the group of integers relatively prime to n. Operational time and data storage are two of its efficiency aspects. To reduce the operational time along with reduction data storage is a difficult task in RSA public key cryptography. In addition that the Security of RSA public key cryptography for an adversary with polynomial bounds computations is another biggest task. In this paper, we are going to propose a new kind of public key cryptographic system, nearly four times more efficient in data storage and operational time to that of RSA and probably one fourth of security complexity of RSA. This new crypto system is possible only based on one of the strong pseudo prime test :Rabin-Miller test. So, name it as RM-RSA. In this way,we are going to compare the efficiency of that RM-RSA and previously our proposed S-RSA in "Solovay-Strassen test in a RSA Pubic key Cryptosystem".

Wan Nur Aqlili Ruzai,Muhammad Rezal Kamel Ariffin,Muhammad Asyraf Asbullah,Amir Hamzah Abd Ghafar

DOI: https://doi.org/10.1016/j.jksuci.2024.102074

IF: 9.006

2024-05-25

Journal of King Saud University - Computer and Information Sciences

Abstract:RSA stands as a widely adopted method within asymmetric cryptography, commonly applied for digital signature validation and message encryption. The security of RSA relies on the challenge of integer factorization, a problem considered either computationally infeasible or highly intricate, especially when dealing with sufficiently large security parameters. Effective exploits of the integer factorization problem in RSA can allow an adversary to assume the identity of the key holder and decrypt such confidential messages. The keys employed in secure hardware are particularly significant due to the typically greater value of the information they safeguard, such as in the context of securing payment transactions. In general, RSA faces various attacks exploiting weaknesses in its key equations. This paper introduces a new vulnerability that enables the concurrent factorization of multiple RSA moduli. By working with pairs (Ni,ei) and a fixed value y satisfying the Diophantine equation eixi2−y2φ(Ni)=zi , we successfully factorized these moduli simultaneously using the lattice basis reduction technique. Notably, our research expands the scope of RSA decryption exponents considered as insecure.

computer science, information systems

Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1109/icccs52626.2021.9449268

2021-01-01

Abstract:RSA public key cryptosystem is the “de-facto” standard, provides confidentiality and privacy security services over the internet. At Eurocrypt 1999, Boneh and Durfee proposed a polynomial time attacks on RSA small decryption key exponent. Their attacks worked by exploiting the lattice and sub lattice structure using lattice based Coppersmith's method to solve a modular polynomials, when d <; N 0.284 and d <; N 0.292 respectively. In this work, we propose a new attack on some special case of Boneh and Durfee's attack method with respect to large decryption exponent (i.e. d = N > e = N α , where α and ε are the encryption and decryption exponents respectively) for some α ≤ ε. The condition d > φ(N) - N ε satisfies our devised attack and the experimental outcome certifies that an RSA cryptosystem with large decryption exponent successfully revealed the weak keys through lattice basis reduction method.

Tianjie Cao,Xianping Mao,Dongdai Lin

DOI: https://doi.org/10.1007/11689522_29

2006-01-01

Abstract:Modadugu, Boneh and Kim proposed two RSA key generation protocols (MBK Protocols) to generate the RSA keys efficiently on a low-power handheld device with the help of the untrusted servers, and the servers do not get any useful information about the keys they helped generation. The security of MBK Protocols is based on the assumption that the two servers are unable to share information with each other. To resists a ”collusion attack” ,namely the attack which the two servers collude to share information in MBK Protocols, Chen et al. proposed two improved protocols and claimed that their protocols are secure against such collusion attack. This paper shows that Chen et al.'s standard RSA key generation protocol cannot resist collusion attack and then cannot be used in practice.

Soeren Kleine,Andreas Nickel,Torben Ritter,Krishnan Shankar

2024-03-25

Abstract:We introduce a new probabilistic public-key cryptosystem which combines the main ingredients of the well-known RSA and Rabin cryptosystems. We investigate the security and performance of our new scheme in comparison to the other two.

Cryptography and Security,Number Theory

M. Anwar,Mustafa Ismail,H.M. Bahig

2024-03-10

Abstract:In this paper, we present attacks on three types of RSA modulus when the least significant bits of the prime factors of RSA modulus satisfy some conditions. Let $p,$ and $q$ be primes of the form $p=a^{m_1}+r_p$ and $q=b^{m_2}+r_q$ respectively, where $a,b,m_{1},m_{2} \in \mathbb{Z^+}$ $r_p,$ and $ r_q$ are known. The first attack is when the RSA modulus is $N=pq$ where $m_1$ or $m_2$ is an even number. If $\left(r_{p}r_{q}\right)^\frac{1}{2}$ is sufficiently small, then $N$ can be factored in polynomial time. The second attack is when $N=p^{s}q,$ where $q>p$ and $s$ divides $m_2.$ If $r_pr_q$ is sufficiently small, then $N$ can be factored in polynomial time. The third attack is when $N=p^{s+l}q^{s},$ where $p>q,$ $s,l \in \mathbb{Z^+},$ $l < \frac{s}{2}$ and $s$ divides $m_1l.$ If $a^{m_1}>qa^{\frac{m_1l}{s}},$ and $lr^3_p$ is sufficiently small, then $N$ can be factored in polynomial time.

Number Theory

Hung-Min Sun,M. Jason Hinek,Mu-En Wu

2005-01-01

Abstract:In 1982, Quisquater & Couvreur proposed a variant of RSA based on the Chinese Remainder Theorem, called RSA-CRT, to speed up RSA decryption. In 1990, Wiener suggested another variant, called Rebalanced RSA-CRT, which further speeds up RSA decryption by shifting decryption costs to encryption costs. However, this approach essentially maximizes the encryption time since the public exponent e in Rebalanced RSA-CRT is generally about the same order of magnitude as the RSA modulus. In this work1, we introduce two variants of Rebalanced RSA-CRT in which the public exponent e is much smaller than the modulus, thus reducing the encryption costs, while maintaining low decryption costs. For a 1024-bit modulus, our first variant (Scheme A) offers encryption times that are at least 2.6 times faster than that in the original Rebalanced RSA-CRT, while the second variant (Scheme B) offers encryption times at least 3 times faster. In both variants, the decrease in encryption costs is obtained at the expense of slightly increased decryption costs and increased key generation costs. Thus, the variants proposed here are best suited for applications which require low encryption/decryption costs but do not require key generation on the fly.