Skip to main content
SpringerLink
Log in

Partial Key Exposure Attacks on CRT-RSA: General Improvement for the Exposed Least Significant Bits

  • Conference paper
  • First Online:
Information Security (ISC 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9866))

Included in the following conference series:

Abstract

Blömer and May (Crypto 2003) used Coppersmith’s lattice based method to study partial key exposure attacks on CRT-RSA, i.e., an attack on RSA with the least significant bits of a CRT exponent. The attack works for an extremely small public exponent e, however, improved attacks were proposed by Lu, Zhang, and Lin (ACNS 2014), Takayasu and Kunihiro (ACNS 2015). These attack works for \(e<N^{0.375}\). For a smaller (resp. larger) e, an attack of Lu et al. (resp. Takayasu-Kunihiro’s attack) requires less partial information to attack RSA.

In this paper, we propose a further improved attack. Indeed, our attack completely improves previous attacks in the sense that our attack requires less partial information than previous attacks for all \(e<N^{0.375}\). We solve the same modular equation as Takayasu-Kunihiro, however, our attack can find larger roots. From the technical point of view, although the Takayasu-Kunihiro lattice follows the Jochemsz-May strategy (Asiacrypt 2006), we carefully analyze the algebraic structure of the underlying polynomial and propose better lattice constructions.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Lu et al. [23] also proposed an attack for \(\alpha <0.375\), however, the attack is always weaker than Takayasu-Kunihiro’s attack for all \(\alpha \).

  2. 2.

    In [38], the attack is based on the other method; Coppersmith’s method to solve integer equations [5, 9, 10]. However, we will show that their attack with the least significant bits of \(d_p\) or \(d_q\) can also be obtained from the modular method.

  3. 3.

    To be precise, the equation was formulated by Lu et al. in [23] and they solved the equation, however, Takayasu and Kunihiro corrected some mistakes of the paper and proposed an improved algorithm.

References

  1. Bleichenbacher, D., May, A.: New attacks on RSA with small secret CRT-exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  2. Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theor. 46(4), 1339–1349 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  4. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)

    Google Scholar 

  5. Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)

    Google Scholar 

  6. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)

    Google Scholar 

  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

    Article  MathSciNet  MATH  Google Scholar 

  8. Coppersmith, D.: Finding small solutions to small degree polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 20–31. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  9. Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  10. Coron, J.-S.: Finding small roots of bivariate integer polynomial equations: a direct approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  11. Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt 1999. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  12. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  13. Faugère, J.-C., Marinier, R., Renault, G.: Implicit factoring with shared most significant and middle bits. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 70–87. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  14. Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  15. Herrmann, M., May, A.: Solving linear equations modulo divisors: on factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  16. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  17. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997)

    Google Scholar 

  18. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  19. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(\mathit{N}^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  20. Joye, M., Lepoint, T.: Partial key exposure on RSA with private exponents larger than N. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 369–380. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  21. Lenstra, A., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)

    Article  MathSciNet  MATH  Google Scholar 

  22. Lu, Y., Peng, L., Zhang, R., Hu, L., Lin, D.: Towards optimal bounds for implicit factorization problem. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 462–476. Springer, Heidelberg (2016). doi:10.1007/978-3-319-31301-6_26

    Chapter  Google Scholar 

  23. Lu, Y., Zhang, R., Lin, D.: New partial key exposure attacks on CRT-RSA with large public exponents. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 151–162. Springer, Heidelberg (2014)

    Google Scholar 

  24. May, A.: Cryptanalysis of unbalanced RSA with small CRT-exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  25. May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003)

    Google Scholar 

  26. May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm - Survey and Applications. Information Security and Cryptography, pp. 315–348. Springer, Heidelberg (2010)

    Google Scholar 

  27. May, A., Ritzenhofen, M.: Implicit factoring: on polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 1–14. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  28. Nguyên, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  29. Quisquater, J.J.: Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 18(2), 905–907 (1982)

    Article  Google Scholar 

  30. Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)

    Google Scholar 

  31. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Article  MathSciNet  MATH  Google Scholar 

  32. Sarkar, S., Maitra, S.: Partial key exposure attack on CRT-RSA. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 473–484. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  33. Sarkar, S., Maitra, S.: Approximate integer common divisor problem relates to implicit factorization. IEEE Trans. Inf. Theor. 57(6), 4002–4013 (2011)

    Article  MathSciNet  Google Scholar 

  34. Sarkar, S., Sen Gupta, S., Maitra, S.: Partial key exposure attack on RSA – improvements for limited lattice dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  35. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. IEICE Trans. 97(A(6)), 1259–1272 (2014)

    Article  MATH  Google Scholar 

  36. Takayasu, A., Kunihiro, N.: General bounds for small inverse problems and its applications to multi-prime RSA. In: Lee, J., Kim, J. (eds.) Information Security and Cryptology - ICISC 2014. LNCS, vol. 8949, pp. 3–17. Springer, Heidelberg (2014)

    Google Scholar 

  37. Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the boneh-durfee bound. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345–362. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  38. Takayasu, A., Kunihiro, N.: Partial key exposure attacks on CRT-RSA: better cryptanalysis to full size encryption exponents. In: Malkin, T., Kolesnikov, V., Lewko, A., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 518–537. Springer, Heidelberg (2015). doi:10.1007/978-3-319-28166-7_25

    Chapter  Google Scholar 

  39. de Weger, B.: Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 13(1), 17–28 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  40. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theor. 36(3), 553–558 (1990)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Acknowledgement

The first author is supported by a JSPS Fellowship for Young Scientists. This research was supported by JSPS Grant-in-Aid for JSPS Fellows 14J08237, CREST, JST, and KAKENHI Grant Number 25280001.

Author information

Authors and Affiliations

  1. The University of Tokyo, Tokyo, Japan

    Atsushi Takayasu & Noboru Kunihiro

Authors
  1. Atsushi Takayasu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Noboru Kunihiro
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Atsushi Takayasu .

Editor information

Editors and Affiliations

  1. University of California , Davies, USA

    Matt Bishop

  2. University of Washington , Tacoma, Washington, USA

    Anderson C A Nascimento

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Takayasu, A., Kunihiro, N. (2016). Partial Key Exposure Attacks on CRT-RSA: General Improvement for the Exposed Least Significant Bits. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science(), vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45871-7_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45870-0

  • Online ISBN: 978-3-319-45871-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation