Skip to main content
SpringerLink
Log in

Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs

  • Conference paper
  • First Online:
Information Security and Privacy (ACISP 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9723))

Included in the following conference series:

Abstract

So far, several papers have analyzed attacks on RSA when attackers know the least significant bits of a secret exponent d as well as a public modulus N and a public exponent e, the so-called partial key exposure attacks. Aono (ACISP 2013), and Takayasu and Kunihiro (ACISP 2014) generalized the attacks when there are multiple pairs of a public/secret exponent \((e_1,d_1),\ldots ,(e_n,d_n)\) for the same public modulus N. The standard RSA is a special case of the generalization, i.e., \(n=1\). They revealed that RSA becomes more vulnerable when there are more exponent pairs. However, their results have two obvious drawbacks. First, partial key exposure situations which they considered are restrictive. They have proposed the attacks only for small secret exponents, although attacks for large secret exponents have also been analyzed for the standard RSA. Second, they could not generalize the attacks perfectly. More concretely, their attacks for \(n=1\) do not correspond to the currently known best attacks on the standard RSA.

In this paper, we propose improved partial key exposure attacks on RSA with multiple exponent pairs. Our results completely solve the above drawbacks. Our attacks are the first results for large exponents, and our attacks for \(n=1\) correspond to the currently known best attacks on the standard RSA. Our results for small secret exponents are superior to previous results when \(n=1\) and 2, and when \(n \ge 3\) and \(d_1,\ldots ,d_n>N^{3(n-1)/(3n+1)}\).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    At a glance, a situation (b) seems useless, since d is defined as \(d \in \mathbb {Z}^*_{\phi (N)}\) in many cases, and \( \beta \le 1\) always holds. However, some implementations use an exponent which is larger than N. To decrypt/sign, one may use \(d+k \phi (N)\) in turn for some integer \(k>0\). This implementation offers better resistance against side-channel attacks [9] or faster calculation by setting the exponent as low Hamming weight.

  2. 2.

    In [2, 26], they use \( \delta \), not \( \beta -\delta \) as ours, to represent portions of exposed bits. However, we follow the notation from [11, 27].

  3. 3.

    From May [17] and Coron and May’s [10] results, given whole bits of d then the factorization of N is a trivial. However, it does not immediately suggest that partial key exposure attacks always work when whole bits of d are given. Indeed, Ernst et al. [11] claimed to find such improved attacks is an interesting open problem.

References

  1. Aono, Y.: A new lattice construction for partial key exposure attack for RSA. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 34–53. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  2. Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  3. Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  4. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  5. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  6. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

    Article  MathSciNet  MATH  Google Scholar 

  8. Coppersmith, D.: Finding small solutions to small degree polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 20–31. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  10. Coron, J.-S., May, A.: Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. J. Cryptol. 20(1), 39–50 (2007)

    Article  MathSciNet  MATH  Google Scholar 

  11. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  12. Herrmann, M., May, A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  13. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)

    Google Scholar 

  14. Howgrave-Graham, N., Seifert, J.-P.: Extending wiener’s attack in the presence of many decrypting exponents. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  15. Joye, M., Lepoint, T.: Partial key exposure on RSA with private exponents larger than N. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 369–380. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  16. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)

    Article  MathSciNet  MATH  Google Scholar 

  17. May, A.: Computing the RSA secret key is deterministic polynomial time equivalent to factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  18. May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: [21] (2010). http://www.cits.rub.de/permonen/may.html

  19. Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  20. Nguyen, P.Q., Valláe, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)

    MATH  Google Scholar 

  21. Peng, L., Hu, L., Lu, Y., Sarkar, S., Xu, J., Huang, Z.: Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 105–123. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  22. Sarkar, S., Sen Gupta, S., Maitra, S.: Partial key exposure attack on RSA – improvements for limited lattice dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  23. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with two decryption exponents. Inf. Process. Lett. 110, 178–181 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  24. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponents. Inf. Process. Lett. 110, 336–340 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  25. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  26. Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Heidelberg (2014)

    Google Scholar 

  27. Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the boneh-durfee bound. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345–362. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  28. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Acknowledgements

The author is supported by a JSPS Fellowship for Young Scientists. This research was supported by CREST, JST, and supported by JSPS Grant-in-Aid for JSPS Fellows 14J08237 and KAKENHI Grant Number 25280001.

Author information

Authors and Affiliations

  1. The University of Tokyo, Tokyo, Japan

    Atsushi Takayasu & Noboru Kunihiro

Authors
  1. Atsushi Takayasu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Noboru Kunihiro
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Atsushi Takayasu .

Editor information

Editors and Affiliations

  1. Monash University , Melbourne, Victoria, Australia

    Joseph K. Liu

  2. Monash University , Melbourne, Victoria, Australia

    Ron Steinfeld

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Takayasu, A., Kunihiro, N. (2016). Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-40367-0_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40366-3

  • Online ISBN: 978-3-319-40367-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation