Majid Mumtaz,Ping Luo

DOI: https://doi.org/10.1109/icccs52626.2021.9449268

2021-01-01

Abstract:RSA public key cryptosystem is the “de-facto” standard, provides confidentiality and privacy security services over the internet. At Eurocrypt 1999, Boneh and Durfee proposed a polynomial time attacks on RSA small decryption key exponent. Their attacks worked by exploiting the lattice and sub lattice structure using lattice based Coppersmith's method to solve a modular polynomials, when d <; N 0.284 and d <; N 0.292 respectively. In this work, we propose a new attack on some special case of Boneh and Durfee's attack method with respect to large decryption exponent (i.e. d = N > e = N α , where α and ε are the encryption and decryption exponents respectively) for some α ≤ ε. The condition d > φ(N) - N ε satisfies our devised attack and the experimental outcome certifies that an RSA cryptosystem with large decryption exponent successfully revealed the weak keys through lattice basis reduction method.

Ping Luo,HaiJian Zhou,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0014-z

2009-01-01

Abstract:In this paper, we study the RSA public key cryptosystem in a special case with the private exponent d larger than the public exponent e . When N 0.258 ⩽ e ⩽ N 0.854 , d > e and satisfies the given conditions, we can perform cryptanalytic attacks based on the LLL lattice basis reduction algorithm. The idea is an extension of Boneh and Durfee’s researches on low private key RSA, and provides a new solution to finding weak keys in RSA cryptosystems.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1016/j.pnsc.2008.09.013

2009-01-01

Abstract:Boneh and Durfee have developed a cryptanalytic algorithm on low private key RSA. The algorithm is based on lattice basis reduction and breaks RSA with private key d < N-0.292. Later on, an improved version by Blomer and May enhanced the efficiency, while reaching approximately this same upper bound. Unfortunately, in both the algorithms, there is a critical error in theoretical analysis, leading to the overestimated upper bound N-0.292. In this paper we present a more precise analytical model, with which the theoretical upper bound on d is modified to approximately d < N-0.277 for ordinary RSA systems with a 1024-bit public key (N,e). (C) 2009 National Natural Science Foundation of China and Chinese Academy of Sciences. Published by Elsevier Limited and Science in China Press. All rights reserved.

Mu-En Wu,Raylin Tso,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-642-34601-9_28

2012-01-01

Abstract:In RSA equation: ed=k·φ(N)+1, we may guess on partial bits of d or p+q by doing an exhaustive search to further extend the security boundary of d. In this paper, we discuss the following question: Does guessing on p+q bring more benefit than guessing on d? We provide the detailed analysis on this problem by using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of p+q in RSA risks more than leaking partial MSBs of d. This result inspires us to further extend the boundary of the Boneh-Durfee attack to N0.284+Δ, where Δ is contributed by the capability of exhaustive search. Assume that doing an exhaustive search for 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to d<N0.328 for an 1024-bit RSA modulus. This is a 37 bits improvement over Boneh and Durfee's boundary.

Shixiong Wang,Minghao Sun

DOI: https://doi.org/10.3390/math12213411

IF: 2.4

2024-11-01

Mathematics

Abstract:Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith's method for finding small roots of bivariate modular polynomial equations.

mathematics

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1109/csie.2009.890

2009-01-01

Abstract:Lattice basis reduction algorithms have contributed a lot to cryptanalysis of RSA systems. A typical application is Boneh-Durfee's seminal work for breaking low private key RSA (and its successors in other applications). Although it's well known that this technique is not guaranteed to succeed, there is no thorough proof yet when it fails. In this paper, we summarize the Boneh-Durfee-like algorithms using generalized terminology. We also show that when the number of solutions in given bounded range is larger than $8(w/3)^7$, where $w$ is the dimension of the lattice involved in the reduction procedure, then the algorithm always fails. As a result, it is proven that MSB (Most Significant Bits)partial key exposure attacks on low public key RSA using this technique is difficult, if we have not sufficient private key exposed.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

Hung-Min Sun,Cheng-Ta Yang,Mu-En Wu

DOI: https://doi.org/10.1587/transfun.e92.a.912

2009-01-01

Abstract:In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However. in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order Of magnitude as phi(N). Sun et al. devised three RSA variants Using unbalanced prime factors p and q to lower the computational cost. Unfortunately. Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances With Unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the Security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, We provide the security analysis and feasibility analysis of the proposed schemes.

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener sug- gested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA en- cryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e =2 511 +1such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

Wan Nur Aqlili Ruzai,Muhammad Rezal Kamel Ariffin,Muhammad Asyraf Asbullah,Amir Hamzah Abd Ghafar

DOI: https://doi.org/10.1016/j.jksuci.2024.102074

IF: 9.006

2024-05-25

Journal of King Saud University - Computer and Information Sciences

Abstract:RSA stands as a widely adopted method within asymmetric cryptography, commonly applied for digital signature validation and message encryption. The security of RSA relies on the challenge of integer factorization, a problem considered either computationally infeasible or highly intricate, especially when dealing with sufficiently large security parameters. Effective exploits of the integer factorization problem in RSA can allow an adversary to assume the identity of the key holder and decrypt such confidential messages. The keys employed in secure hardware are particularly significant due to the typically greater value of the information they safeguard, such as in the context of securing payment transactions. In general, RSA faces various attacks exploiting weaknesses in its key equations. This paper introduces a new vulnerability that enables the concurrent factorization of multiple RSA moduli. By working with pairs (Ni,ei) and a fixed value y satisfying the Diophantine equation eixi2−y2φ(Ni)=zi , we successfully factorized these moduli simultaneously using the lattice basis reduction technique. Notably, our research expands the scope of RSA decryption exponents considered as insecure.

computer science, information systems

Hung-Min Sun,Cheng-Ta Yang

DOI: https://doi.org/10.1007/978-3-540-30580-4_14

2005-01-01

Abstract:In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N0.25 and N0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length $\frac{1}{2}\log _{2}N+56$. The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.

Hung-Min Sun,Mu-En Wu,Huaxiong Wang,Jian Guo

DOI: https://doi.org/10.1007/978-3-540-70500-0_7

2008-01-01

Abstract:An $\left( \alpha ,\beta ,\gamma \right) $-LSBS RSA denotes an RSA system with primes sharing 驴least significant bits, private exponent dwith βleast significant bits leaked, and public exponent ewith bit-length 驴. Steinfeld and Zheng showed that LSBS-RSA with small eis inherently resistant to the BDF attack, but LSBS-RSA with large eis more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS-RSA by reducing the cost of exhaustive search for k, where kis the parameter in RSA equation: $ed=k\cdot \varphi \left( N\right) +1$. Consequently, the complexity of the BDF attacks on LSBS-RSA can be further reduced. Denote 驴as the multiplicity of 2 in k. Our method gives the improvements, which depend on the two cases:1In the case $\gamma \leq \min \left\{ \beta ,2\alpha \right\} -\sigma $, the cost of exhaustive search for kin LSBS-RSA can be simplified to searching kin polynomial time. Thus, the complexity of the BDF attack is independent of 驴, but it still increases as 驴increases.1In the case $\gamma \min \left\{ \beta ,2\alpha \right\} -\sigma $, the complexity of the BDF attack on LSBS-RSA can be further reduced with increasing 驴or β.More precisely, we show that an LSBS-RSA is more vulnerable under the BDF attack as $\max \left\{ 2\alpha ,\beta \right\} $ increases proportionally with the size of N. In the last, we point out that although LSBS-RSA benefits the computational efficiency in some applications, one should be more careful in using LSBS-RSA.

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Majid Mumtaz,Luo Ping

DOI: https://doi.org/10.1016/j.ins.2020.05.075

IF: 8.1

2020-01-01

Information Sciences

Abstract:Standard RSA cryptosystem becomes vulnerable, when private key d < N-0.292 is used inside CryptoChips of constrained devices, thus an alternate scheme is the Common Prime RSA (CP-RSA) variant, which provides cryptographic (decryption/signing) operations. In this paper, we perform a cryptanalytic attack on CP-RSA using lattice basis reduction method that is used to exploit possible vulnerabilities of RSA small private key attacks. In addition, we performed detail experiments on CP-RSA weak or overestimated bounds and compare results to the past studies. Our implemented cryptanalytic attack implicates more precise and direct method to exploit the CP-RSA existing theoretical and experimental bounds. Also, our results prove that CP-RSA is an effective approach that provides resistance against standard RSA small private key attacks. (C) 2020 Elsevier Inc. All rights reserved.

Santosh Kumar RPrakash KlncKrishna SrmDr. R. Santosh Kumar is an Associate Professor in the Department of Computer Science and Engineering at the Vasavi College of Engineering. His research interests are Cryptology,Machine Learning,and data science. He published nearly 15 articles in various International Journals. He is a member of IEI,CRSI,and IAENG. He has guided more than 20 undergraduate projects.Dr. KLNC Prakash received his Ph.D. from JNTU Hyderabad in 2020. His areas of interest are data mining,Machine learning and Neural Networks. He has published more than 15 international journals in the area of data mining and machine learning. He has guided more than 20 undergraduate projects.Dr. Sureddi R.M. Krishna received his Ph.D. from JNTU Hyderabad in 2017. His areas of interest include Network Security and Routing in Manet system. He has published in 20 international and 5 national level conferences. He has guided more than 14 undergraduate 10 post-graduate projects. He is an IEEE professional member,and a CSI and IFERP member. He is a Cisco Networking Instructor for various courses like CCNA,Python,Cyber Ops,etc.

DOI: https://doi.org/10.1080/01611194.2023.2271463

2024-01-06

Cryptologia

Abstract:Multi-prime RSA (MPRSA) is an extended version of RSA in which the modulus is the product of three or more distinct prime numbers. As with the RSA, this variant is also scrutinized for vulnerabilities. The main goal of the attacks on MPRSA is to test the strength of MPRSA compared to that of RSA to determine whether MPRSA can be used in place of RSA. We apply two famous attacks on RSA to MPRSA by constructing lattices using the Jochemsz and May approach. In comparison to RSA, MPRSA is less vulnerable to both attacks.

mathematics, applied,computer science, theory & methods,history & philosophy of science

Mu-En Wu,Chien-Ming Chen,Yue-Hsun Lin,Hung-Min Sun

DOI: https://doi.org/10.1155/2014/650537

2014-01-01

The Scientific World JOURNAL

Abstract:RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus N = pq, it is difficult to determine the prime factors p and q efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg use an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is 2r + 8 bits when extending the Weiner's boundary r bits. In this paper, we first reduce the cost of exhaustive search from 2r + 8 bits to 2r + 2 bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to 2r - 6 bits when we extend Weiner's boundary r bits. It means that our result is 2(14) times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended 7 bits.

K. R. Raghunandan,Rovita Robert Dsouza,N. Rakshith,Surendra Shetty,Ganesh Aithal

DOI: https://doi.org/10.1007/978-981-15-3514-7_60

2020-08-14

Abstract:Public key cryptography generates two distinct keys: one for encryption and another separate but related key for decryption. There exists only one private key for every public key to decipher the message. A variant of RSA, called the Dual RSA, has two different key pairs having separate private and public key exponents. Security of the RSA is compromised using mathematical attacks, by the factorization of ‘n’. This paper proposed an enhanced approach to Dual RSA with the help of Pell’s equation and a fake modulus key. The algorithm eliminates the distribution of ‘n’, whose factors compromise the RSA algorithm. Also, the solutions to Pell’s equation are shared instead of the public key components. A comparative analysis is carried out with respect to RSA, Dual RSA and the proposed algorithm based on the complexity of each step of the algorithm. It is observed that the proposed system provides more security to the public key exponents and the system modulus ‘n’, than RSA and Dual RSA.

Gilda Rech Bansimba,Regis Freguin Babindamana,Basile Guy R. Bossoto

2023-05-09

Abstract:In this paper we present new arithmetical and algebraic results following the work of Babindamana and al. on hyperbolas and describe in the new results an approach to attacking a RSA-type modulus based on continued fractions, independent and not bounded by the size of the private key $d$ nor the public exponent $e$ compared to Wiener's attack. When successful, this attack is bounded by $\displaystyle\mathcal{O}\left( b\log{\alpha_{j4}}\log{(\alpha_{i3}+\alpha_{j3})}\right)$ with $b=10^{y}$, $\alpha_{i3}+\alpha_{j3}$ a non trivial factor of $n$ and $\alpha_{j4}$ such that $(n+1)/(n-1)=\alpha_{i4}/\alpha_{j4}$. The primary goal of this attack is to find a point $\displaystyle X_{\alpha}=\left(-\alpha_{3}, \ \alpha_{3}+1 \right) \in \mathbb{Z}^{2}_{\star}$ that satisfies $\displaystyle\left\langle X_{\alpha_{3}}, \ P_{3} \right\rangle =0$ from a convergent of $\displaystyle\frac{\alpha_{i4}}{\alpha_{j4}}+\delta$, with $P_{3}\in \mathcal{B}_{n}(x, y)_{\mid_{x\geq 4n}}$. We finally present some experimental examples. We believe these results constitute a new direction in RSA Cryptanalysis using continued fractions independently of parameters $e$ and $d$.

Cryptography and Security,Number Theory

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speed up RSA decryption. Then, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further accelerate RSA-CRT decryption by shifting decryp- tion cost to encryption cost. However, such an approach makes RSA encryption very time- consuming because the public exponent e in Rebalanced RSA-CRT is of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N) ?W e solve this problem by designing two variants of Rebalanced RSA-CRT, Scheme A and Scheme B. In Scheme A, we focus on designing a variant in which dp and dq are of 160 bits, and e =2 567 +1. Thus the encryption time is reduced to about 1 2.7 of the time required by the original Rebalanced RSA-CRT. Scheme B is a variant in which dp and dq are of 198 bits, and e =2 511 +1 .T hus its encryption is about 3 times faster than that of Rebalanced RSA-CRT, but the decryption is a little slower than that of Rebalanced RSA-CRT.

Hung-Min Sun,Mu-En Wu,Yao-Hsin Chen

DOI: https://doi.org/10.1007/978-3-540-72738-5_8

2007-01-01

Abstract:In the RSA system, balanced modulus Ndenotes a product of two large prime numbers pand q, where qpq. Since Integer-Factorization is difficult, pand qare simply estimated as ${\sqrt{N}}$. In the Wiener attack, $2\sqrt{N}$ is adopted to be the estimation of p+ qin order to raise the security boundary of private-exponent d. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of N. The estimated values are called "EPFs of N", and are denoted as pEand qE. Thus pEand qEcan be adopted to estimate p+ qmore accurately than by simply adopting $2\sqrt{N}$. In addition, we show that the Verheul and Tilborg's extension of the Wiener attack can be considered to be brute-guessing for the MSBs of p+ q. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive-searching for 2r+ 8 bits down to 2r茂戮驴 10 bits, where rdepends on Nand the private key d. The security boundary of private-exponent dcan be raised 9 bits again over Verheul and Tilborg's result.