
Partial Key Exposure on RSA with Private Exponents Larger Than N

  • Conference paper
Information Security Practice and Experience (ISPEC 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7232)

Abstract

In 1998, Boneh, Durfee and Frankel described several attacks against RSA that enable an attacker who is given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways; they do, however, always assume that the private exponent d is smaller than the RSA modulus N. In implementations, d can be enlarged to a value larger than N, either to improve performance (by lowering its Hamming weight) or to increase security (by preventing certain side-channel attacks). This paper studies this extended setting and quantifies the number of bits of d required to mount practical partial key exposure attacks. Both the case of known most significant bits (MSBs) and the case of known least significant bits (LSBs) are analyzed. Our results are based on Coppersmith’s heuristic methods and are validated by practical experiments run through the SAGE computer-algebra system.
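The following is an added example, not code from the paper, showing the setting the abstract describes: every d' = d + k·φ(N) is a valid RSA private exponent, and implementations choose such a d' (larger than N) either for a lower Hamming weight or as per-operation exponent blinding against power-analysis attacks. The primes, message and search bound are constructed toy values.

```python
# Added example (not from the paper): RSA private exponents larger than N.
# Any d' = d + k*phi(N) satisfies e*d' = 1 (mod phi(N)) and so decrypts correctly;
# the paper studies partial key exposure when the exponent in use is such a d'.
import secrets
from math import gcd


def make_toy_rsa(p, q, e=65537):
    """Build a toy RSA key from two constructed primes (far too small for real use)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    return p * q, e, pow(e, -1, phi), phi


def hamming_weight(x):
    return bin(x).count("1")


def lowest_weight_exponent(d, phi, k_max):
    """Scan d + k*phi(N) for k in [0, k_max]; return the (d', k) of lowest weight.

    k = 0 is included, so the result is never heavier than d itself. A lighter
    exponent means fewer multiplications in a square-and-multiply ladder."""
    best = (d, 0)
    for k in range(1, k_max + 1):
        cand = d + k * phi
        if hamming_weight(cand) < hamming_weight(best[0]):
            best = (cand, k)
    return best


def blinded_exponent(d, phi, bits=32):
    """Exponent blinding: a fresh d' = d + r*phi(N) for every private operation.

    r >= 2 guarantees d' >= 2*phi(N) > N, i.e. the exponent is larger than N."""
    r = secrets.randbits(bits) + 2
    return d + r * phi


def private_op_matches(n, e, d_ref, d_alt, m):
    """Check that two private exponents both invert the same public operation."""
    c = pow(m, e, n)
    return pow(c, d_ref, n) == m and pow(c, d_alt, n) == m


if __name__ == "__main__":
    N, E, D, PHI = make_toy_rsa(1000000007, 998244353)  # constructed primes
    D2, K = lowest_weight_exponent(D, PHI, 1000)
    print(f"weight(d)={hamming_weight(D)}, weight(d+{K}*phi)={hamming_weight(D2)}, d'>N: {D2 > N}")
    print("blinded exponent decrypts:", private_op_matches(N, E, D, blinded_exponent(D, PHI), 123456789))
```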


References

  1. Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)
  2. Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000); extended abstract in Proc. of EUROCRYPT 1998
  4. Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
  5. Cohen, G.D., Lobstein, A., Naccache, D., Zémor, G.: How to Improve an Exponentiation Black-Box. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 211–220. Springer, Heidelberg (1998)
  6. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  7. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
  8. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  9. Coron, J.S.: Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
  10. Coron, J.S.: Finding Small Roots of Bivariate Integer Polynomial Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)
  11. Coron, J.S.: Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007)
  12. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  13. Heninger, N., Shacham, H.: Reconstructing RSA Private Keys from Random Key Bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
  14. Herrmann, M., May, A.: Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
  15. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  16. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  17. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  18. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  19. Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. Journal of Cryptographic Engineering 1(1), 5–27 (2011)
  20. Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  21. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  22. May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. thesis, University of Paderborn (2003)
  23. Miller, G.L.: Riemann’s hypothesis and tests for primality. Journal of Computer and System Sciences 13(3), 300–317 (1976)
  24. Sarkar, S.: Partial Key Exposure: Generalized Framework to Attack RSA. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 76–92. Springer, Heidelberg (2011)
  25. Sarkar, S., Sen Gupta, S., Maitra, S.: Partial Key Exposure Attack on RSA – Improvements for Limited Lattice Dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)
  26. Shoup, V.: Number Theory Library (Version 5.5.2). A library for doing Number Theory (2011), http://www.shoup.net/ntl
  27. Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Advances in Cryptology, Proceedings of CRYPTO 1983, pp. 51–67. Plenum Press (1984)
  28. Simmons, G.J.: The Subliminal Channel and Digital Signatures. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 364–378. Springer, Heidelberg (1985)
  29. Stein, W.A., et al.: Sage Mathematics Software (Version 4.7). The Sage Development Team (2011), http://www.sagemath.org
  30. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)
  31. Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. John Wiley & Sons (2004)


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg


Cite this paper

Joye, M., Lepoint, T. (2012). Partial Key Exposure on RSA with Private Exponents Larger Than N . In: Ryan, M.D., Smyth, B., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2012. Lecture Notes in Computer Science, vol 7232. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29101-2_25


  • DOI: https://doi.org/10.1007/978-3-642-29101-2_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29100-5

  • Online ISBN: 978-3-642-29101-2

  • eBook Packages: Computer Science (R0)
