Top

Designs, Codes and Cryptography

Published in:

03-09-2023

Practical attacks on small private exponent RSA: new records and new insights

Authors: Qiang Li, Qun-xiong Zheng, Wen-feng Qi

Published in: Designs, Codes and Cryptography | Issue 12/2023

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

As a typical representative of the public key cryptosystem, RSA has attracted a great deal of cryptanalysis since its invention, among which a famous attack is the small private exponent attack. It is well-known that the best theoretical upper bound for the private exponent d that can be attacked is \(d\le N^{0.292}\), where N is a RSA modulus. However, this bound may not be achieved in practical attacks since the lattice constructed by Coppersmith method may have a large enough dimension and the lattice-based reduction algorithms cannot work so well in both efficiency and quality. In this paper, we propose a new practical attack based on the binary search for the most significant bits (MSBs) of prime divisors of N and the Herrmann-May’s attack in 2010. The idea of binary search is inspired by the discovery of phenomena called “multivalued-continuous phenomena”, which can significantly accelerate our attack. Together with several carefully selected parameters according to our exact and effective numerical estimations, we can improve the upper bound of d that can be practically achieved. More specifically, without the binary search method, we successfully attack RSA with a 1024-bit-modulus N when \(d\le N^{0.285}\). Moreover, by our new method, we can implement a successful attack for a 1024-bit-modulus RSA when \(d\le N^{0.292}\) and for a 2048-bit-modulus RSA when \(d\le N^{0.287}\) in about a month. We believe our method can provide some inspiration to practical attacks on RSA with mainstream-size moduli.

previous article Scheduling to reduce close contacts: resolvable grid graph decomposition and packing

next article A class of constacyclic codes are generalized Reed–Solomon codes

Available only for authorised users

Blömer J., May A.: Low secret exponent RSA revisited. In: Silverman J.H. (ed.) CaLC 2001. Lecture Notes in Computer Science, vol. 2146, pp. 4–19. Springer, Heidelberg (2001).

Blömer J., May A.: A generalized wiener attack on RSA. In: Bao F., Deng R., Zhou J. (eds.) PKC 2004. Lecture Notes in Computer Science, vol. 2947, pp. 1–13. Springer, Heidelberg (2004).

Boneh D., Durfee G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). In: Stern J. (ed.) EUROCRYPT 1999. Lecture Notes in Computer Science, vol. 1592, pp. 1–11. Springer, Heidelberg (1999).

Boneh D., Durfee G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000).CrossRefMATH

Bunder M., Tonien J.: A new attack on the RSA cryptosystem based on continued fractions. Malays. J. Math. Sci. 11(S3), 45–57 (2017).MathSciNetMATH

Coppersmith D.: Finding a small root of a univariate modular equation. In: Maurer U.M. (ed.) EUROCRYPT 1996. Lecture Notes in Computer Science, vol. 1070, pp. 155–165. Springer, Heidelberg (1996).

Coppersmith D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer U. (ed.) EUROCRYPT 1996. Lecture Notes in Computer Science, vol. 1070, pp. 178–189. Springer, Heidelberg (1996).

Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997).MathSciNetCrossRefMATH

de Weger B.: Cryptanalysis of RSA with small prime difference. AAECC 13, 17–28 (2002). https://doi.org/10.1007/s002000100088.MathSciNetCrossRefMATH

10.

Durfee G.: Public key cryptanalysis using algebraic and lattice methods. Ph.D. thesis. Stanford University, Stanford (2002).

11.

Hashimoto Y: On small secret key attack against RSA with high bits known prime factor. In: Cryptology ePrint Archive (2010).

12.

Herrmann M., May A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui M. (ed.) ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 5912, pp. 487–504. Springer, Heidelberg (2009).

13.

Herrmann M., May A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 53–69. Springer, Heidelberg (2010).

14.

Hinek M.J.: Cryptanalysis of RSA and Its Variants. CRC Press, Boca Raton (2009).CrossRefMATH

15.

Howgrave-Graham N.: Finding small roots of univariate modular equations revisited. In: Darnell M.J. (ed.) Cryptography and Coding 1997. Lecture Notes in Computer Science, vol. 1355, pp. 131–142. Springer, Heidelberg (1997).

16.

Lenstra A.K., Lenstra H.W., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).MathSciNetCrossRefMATH

17.

Liu C., Yang C.: Factoring RSA modulo \(N\) with high bits of \(p\) known revisited. In: 2009 IEEE International Symposium on IT in Medicine & Education, vol. 1, pp. 495–500. IEEE (2009).

18.

Lu Y., Zhang R., Lin D.: Factoring RSA modulus with known bits from both \(p\) and \(q\): a Lattice method. In: Lopez J., Huang X., Sandhu R. (eds.) Network and System Security 2013. Lecture Notes in Computer Science, vol. 7873, pp. 393–404. Springer, Heidelberg (2013).

19.

Miller S.D., Narayanan B., Venkatesan R.: Coppersmith’s lattices and “focus groups’’: an attack on small-exponent RSA. J. Number Theory 222, 376–392 (2021).MathSciNetCrossRefMATH

20.

Nguyen P.Q., Stehlé D.: Floating-point LLL revisited. In: Cramer R.J.F. (ed.) EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 215–233. Springer, Heidelberg (2005).

21.

Nguyen P., Stehlé D.: LLL on the average. In: Hess F., Pauli S., Pohst M. (eds.) ANTSVII. Lecture Notes in Computer Science, vol. 4076, pp. 238–256. Springer, Heidelberg (2006).

22.

Nitaj A., Ariffin M.R.K., Adenan N.N.H., et al.: Exponential increment of RSA attack range via lattice based cryptanalysis. Multimed. Tools Appl. 81, 36607–36622 (2022).CrossRef

23.

Peng L., Hu L., Huang Z., et al.: Partial prime factor exposure attacks on RSA and its Takagi’s variant. In: Lopez J., Wu Y. (eds.) ISPEC 2015. Lecture Notes in Computer Science, vol. 9065, pp. 96–108. Springer, Cham (2015).

24.

Rivest R.L., Shamir A.: Efficient factoring based on partial information. In: Pichler F. (ed.) EUROCRYPT 1985. Lecture Notes in Computer Science, vol. 219, pp. 31–34. Springer, Heidelberg (1986).

25.

Rivest R.L., Shamir A., Adleman L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).MathSciNetCrossRefMATH

26.

Sarkar S., Maitra S.: Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors. In: Lee P.J., Cheon J.H. (eds.) ICISC 2008. Lecture Notes in Computer Science, vol. 5461, pp. 37–51. Springer, Heidelberg (2009).

27.

Sarkar S., Maitra S., Sarkar S.: RSA cryptanalysis with increased bounds on the secret exponent using less lattice dimension. In: IACR Cryptology ePrint Archive, vol. 315 (2008).

28.

Schnorr C.P.: A more efficient algorithm for lattice basis reduction. J. Algorithm. 9(1), 47–62 (1988).MathSciNetCrossRefMATH

29.

Suk A.H.: Cryptanalysis of RSA with lattice attacks. University of Illinois, Illinois, Ph.D.thesis (2003).

30.

Susilo W., Tonien J., Yang G.: The Wiener attack on RSA revisited: a quest for the exact bound. In: Australasian Conference on Information Security and Privacy. Lecture Notes in Computer Science, vol. 11547, pp. 381–398. Springer, Cham (2019).

31.

Takayasu A., Kunihiro N.: A tool kit for partial key exposure attacks on RSA. In: Handschuh H. (ed.) CT-RSA 2017. Lecture Notes in Computer Science, vol. 10159, pp. 58–73. Springer, Cham (2017).MATH

32.

Wiener M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990).MathSciNetCrossRefMATH

33.

Wong D.: https://github.com/mimoo/RSA-and-LLL-attacks.

Title: Practical attacks on small private exponent RSA: new records and new insights
Authors: Qiang Li
Qun-xiong Zheng
Wen-feng Qi
Publication date: 03-09-2023
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 12/2023
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-023-01295-5

Springer Professional

Practical attacks on small private exponent RSA: new records and new insights

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 12/2023

On the fourth weight of generalized Reed–Muller codes

A class of constacyclic codes are generalized Reed–Solomon codes

Construction of storage codes of rate approaching one on triangle-free graphs

BCH codes with larger dimensional hull

Coding and bounds for partially defective memory cells

Structural evaluation of AES-like ciphers against mixture differential cryptanalysis

Premium Partner