On Some Attacks on Multi-prime RSA
Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage that the private key computations can be speeded up using Chinese remaindering. At the same time, with a proper choice of parameters, one does not have to work with a larger modulus to achieve the same level of security in terms of the difficulty of the integer factorization problem. However, numerous attacks on specific instances on the RSA cryptosystem are known that apply if, for example, the decryption or encryption exponent are chosen too small, or if partial knowledge of the private key is available. Little work is known on how such attacks perform in the multi-prime case. It turns out that for most of these attacks it is crucial that the modulus contains exactly two primes. They become much less effective, or fail, when the modulus factors into more than two distinct primes.
KeywordsChinese Remainder Theorem Modular Exponentiation Modular Equation Public Exponent Continue Fraction Algorithm
- [BDF98]D. Boneh, G. Durfee, and Y. Frankel. Exposing an RSA private key given a small fraction of its bits. In Advances in Cryptology — ASIACRYPT’ 98, volume 1514 of Lecture Notes In Computer Science, pages 25–34. Springer-Verlag, 1998. Revised and extended version available from http://crypto.stanford.edu/~dabo/pubs.html.CrossRefGoogle Scholar
- [BS02]D. Boneh and H. Shacham. Fast variants of RSA. CryptoBytes (The technical newsletter of RSA laboratories), 5(1):1–9, 2002.Google Scholar
- [CHLS97]T. Collins, D. Hopkins, S. Langford, and M. Sabin. Public Key Cryptography Apparatus and Method. US Patent 5,848,159, Jan. 1997.Google Scholar
- [HG97]N.A. Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Cryptography and Coding, volume 1355 of Lecture Notes In Computer Science, pages 131–142. Springer-Verlag, 1997.Google Scholar
- [Hin02]M. J. Hinek. Low public exponent partial key and low private exponent attacks on multi-prime RSA. Master’s thesis, University of Waterloo, Dept. of Combinatorics and Optimization, 2002.Google Scholar
- [HW60]G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, fourth edition, 1960.Google Scholar
- [Low02]M.K. Low. Attacks on multi-prime RSA with low private exponent or medium-sized public exponent. Master’s thesis, Univ. of Waterloo, Dept. of Combinatorics and Optimization, 2002.Google Scholar
- [May02]A. May. Cryptanalysis of unbalanced RSA with small CRT-exponent. In Advances in Cryptology — CRYPTO 2002, Lecture Notes In Computer Science. Springer-Verlag, 2002.Google Scholar
- [Old63]C. D. Olds. Continued Fractions. Random House, Inc., 1963.Google Scholar
- [Sho]V. Shoup. Number theory library (NTL), Version 5.2. http://www.shoup.net/ntl.
- [Sti95]D. R. Stinson. Cryptography: Theory and Practice. CRC Press LLC, 1995.Google Scholar
- [Tur82]J. W. M. Turk. Fast arithmetic operations on numbers and polynomials. In H.W. Lenstra, Jr. and R. Tijdeman, editors, Computational Methods in Number Theory, Part I. Mathematisch Centrum, Amsterdam, 1982.Google Scholar