Abstract
Recently, Nitaj and Douh presented a new attack on RSA with a composed decryption exponent. To be specific, they assumed that the decryption exponent in RSA is of the form \(d=Md_1+d_0\) where \(M\) is a known positive integer and \(d_0\) and \(d_1\) are two suitably small unknown integers. They gave a lattice-based decryption exponent recovery attack on this kind of RSA when the exponent \(d\) is under a larger bound than the well-known one \(N^{0.292}\) given by Boneh and Durfee. In this paper, we reconsider the same problem and present a new attack by using the unravelled linearization technique proposed by Herrmann and May at Asiacrypt 2009. Our result is theoretically better than that of Nitaj and Douh and more importantly, is more efficient in terms of the dimension of lattice involved in the attack.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
Herrmann, M., May, A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
Lenstra, A., Lenstra, H.W., Lovász, J.L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003)
Nguên, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
Nguyên, P.Q., Stehlé, D.: LLL on theaverage. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)
Nitaj, A., Douh, M.O.: A new attack on RSA with a composed decryption exponent. Int. J. Crypt. Inf. Secur. (IJCIS) 3(4), 11–21 (2013)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Schnorr, C.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(23), 201–224 (1987)
Wiener, M.: Cryptanalysis of short RSA secret exponents. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 372–372. Springer, Heidelberg (1990)
Acknowledgements
The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (2013CB834203), the National Natural Science Foundation of China (Grants 61472417), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702, and the State Key Laboratory of Information Security, Chinese Academy of Sciences.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Dimension and Determinant of the Lattice \(L\)
The dimension of the lattice \(L\) in Sect. 4.2 is
The determinant of \(L\) is
where the \(s_x\), \(s_y\), \(s_z\), \(s_u\) and \(s_e\) are as follows:
For sufficiently large \(m\) and \(t=\tau m\), the above values can be rewritten as:
B Dimension and Determinant of the Lattice in [14]
Denote the lattice in [14] as \(L'\). For integers \(m\) and \(t\), the dimension of \(L'\) is given as:
and the determinant is given as:
where the \(n_x\), \(n_y\), \(n_z\) and \(n_e\) are as follows:
and \(\bar{X}\), \(\bar{Y}\) and \(\bar{Z}\) are the bound of the roots.
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Huang, Z., Hu, L., Xu, J. (2015). Attacking RSA with a Composed Decryption Exponent Using Unravelled Linearization. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-16745-9_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer ScienceComputer Science (R0)