A new attack on RSA with a composed decryption exponent

Similar documents
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

New attacks on RSA with Moduli N = p r q

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

A New Attack on RSA with Two or Three Decryption Exponents

Applications of Lattice Reduction in Cryptography

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

New Partial Key Exposure Attacks on RSA

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

New Partial Key Exposure Attacks on RSA

Partial Key Exposure Attacks on RSA Up to Full Size Exponents

Another Generalization of Wiener s Attack on RSA

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

New Partial Key Exposure Attacks on RSA Revisited

On the Security of Multi-prime RSA

A Unified Framework for Small Secret Exponent Attack on RSA

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

A new lattice construction for partial key exposure attack for RSA

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

How to Generalize RSA Cryptanalyses

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

Partial Key Exposure: Generalized Framework to Attack RSA

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Further Results on Implicit Factoring in Polynomial Time

Cryptanalysis via Lattice Techniques

A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice

A New Generalization of the KMOV Cryptosystem

Implicit factorization of unbalanced RSA moduli

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

CRYPTANALYSIS OF RSA WITH LATTICE ATTACKS ANDREW HOON SUK

Approximate Integer Common Divisor Problem relates to Implicit Factorization

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants

On the Design of Rebalanced RSA-CRT

Algorithmic Number Theory and Public-key Cryptography

Efficient RSA Cryptosystem with Key Generation using Matrix

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

New RSA Vulnerabilities Using Lattice Reduction Methods

Looking back at lattice-based cryptanalysis

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Lattice Reduction of Modular, Convolution, and NTRU Lattices

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

Computers and Mathematics with Applications

Twenty Years of Attacks on the RSA Cryptosystem

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

COMP4109 : Applied Cryptography

Fault Attacks Against emv Signatures

An Approach Towards Rebalanced RSA-CRT with Short Public Exponent

THE RSA CRYPTOSYSTEM

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

A new security notion for asymmetric encryption Draft #12

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

A new security notion for asymmetric encryption Draft #10

A new security notion for asymmetric encryption Draft #8

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

A Tool Kit for Partial Key Exposure Attacks on RSA

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Post Quantum Cryptography

On estimating the lattice security of NTRU

Factoring N = p 2 q. Abstract. 1 Introduction and Problem Overview. =±1 and therefore

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

RSA. Ramki Thurimella

Approximate Integer Common Divisors

Public Key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Solving Generalized Small Inverse Problems

Public Key Algorithms

Introduction to Cybersecurity Cryptography (Part 5)

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Public Key Cryptography

The Shortest Vector Problem (Lattice Reduction Algorithms)

Cryptanalysis of RSA Signatures with Fixed-Pattern Padding

PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

Public-Key Cryptosystems CHAPTER 4

Some Lattice Attacks on DSA and ECDSA

A New Vulnerable Class of Exponents in RSA

Factoring RSA Modulus Using Prime Reconstruction from Random Known Bits

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

MaTRU: A New NTRU-Based Cryptosystem

Key Encapsulation Mechanism From Modular Multivariate Linear Equations

Diophantine equations via weighted LLL algorithm

Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

New Variant of ElGamal Signature Scheme

CIS 551 / TCOM 401 Computer and Network Security

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Fault Attacks on RSA Signatures with Partially Unknown Messages

Protecting RSA Against Fault Attacks: The Embedding Method

Factoring RSA Modulus with Primes not Necessarily Sharing Least Significant Bits

International Journal of Advanced Research in Computer Science and Software Engineering

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Transcription:

A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr mohamed.douh@unicaen.fr 2 Université des Sciences, de Technologie et de Médecine Nouakchott - Mauritania mdouh@univ-nkc.mr Abstract. In this paper, we consider an RSA modulus N = pq, where the prime factors p, q are of the same size. We present an attack on RSA when the decryption exponent d is in the form d = Md + d 0 where M is a given positive integer and d and d 0 are two suitably small unknown integers. In 999, Boneh and Durfee presented an attack on RSA when d < N 0.292. When d = Md + d 0, our attack enables one to overcome Boneh and Durfee s bound and to factor the RSA modulus. Keywords: RSA, Cryptanalysis, Factorization, LLL algorithm, Coppersmith s method Introduction The RSA cryptosystem [3] (see also [] and [3]) was invented in 978 by Rivest, Shamir and Adleman and is today one of the most popular cryptosystems. The main parameters in RSA are the modulus N = pq, which is the product of two large primes of the same bit-size, that is q < p < 2q, and a public exponent e such that gcd(e, φ(n)) = where φ(n) is Euler s totient function. The public exponent e is related to the private exponent d by an equation of the form ed kφ(n) =. For efficiency reasons, it might be tempting to select a small RSA private exponent d. In 990, Wiener[4] showed that RSA is insecure if d < 3 N 0.25. His attack makes use of the continued fractions method and had an important impact on the design of RSA. Wiener s bound was later subsequently improved to d < N 0.292 by Boneh and Durfee[4]. Their method is based on Coppersmith s technique[6] for finding small solutions of modular polynomial equations, which in turn is based on the LLL lattice reduction algorithm [0]. A related problem is to attack the RSA cryptosystem when an amount of bits of the private exponent d are known to the adversary. This problem was introduced by Boneh, Durfee and Frankel [5] in 998. It is called the partial key exposure problem and is related to the study of side channel attacks such as fault

2 Abderrahmane Nitaj and Mohamed Ould Douh attacks, timing attacks and power analysis. In most cases, the partial key exposure attacks are based on the knowledge of the most significant bits or the least significant bits of the private exponent d. Boneh, Durfee and Frankel showed that for low public exponent e and full private exponent d, that is d N 2 n, if d = Md +d 0 where d 0 and M 2 n 4 are known, then all d can be computed in polynomial time. Their method makes use of Coppersmith s technique [6]. More partial key exposure attacks are presented by Blömer and May in [2] and by Ernst, Jochemsz, May and de Weger in [7]. These attacks extend the size of the public exponent e up to N. All partial key exposure results on RSA presented so far have in common that the private exponent d is of the shape d = Md + d 0 where M 2 n 4 and d 0 are known, or of the shape d = d + d 0 where d is known and d 0 is small. In this paper, we consider the situation with d = Md + d 0 where M is known and d and d 0 are unknown. We show that one can find the factorization of N if d and d 0 are suitably small. Namely, suppose that e = N α, M = N β, d < N δ, d 0 < N γ. We show that if δ < 4 ( 5 4γ ) 2α + 2β 2γ + 3, then there is a polynomial time algorithm to factor the modulus N, which breaks the RSA cryptosystem. The starting point of the attack is the key equation ed kφ(n) =, which can be rewritten as ed 0 kn + k(p + q ) 0 (mod Me). From the left side, we derive a polynomial f(x, y, z) = ex Ny + yz and use Coppersmith s method to solve the modular equation f(x, y, z) 0 (mod Me). When we perform the LLL algorithm in Coppersmith s method, we find three polynomials h i (x, y, z) for i 3. Since (d 0, k, p + q ) is a small solution of the equation f(x, y, z) 0 (mod Me), then, using the resultant process or the Gröbner basis computation, we can find z 0 such that z 0 = p + q. Hence using p + q = z 0 and pq = N, one can find p and q. We note that Coppersmith s method applied with multivariate polynomials relies on the following heuristic assumption which is supposed to hold true for n 3 variables. Assumption. The resultant computations for the polynomials h i (x, y, z) for i 3 yield nonzero polynomials. The rest of the paper is organized as follows. In Section 2, we give some basics on lattices, lattice reduction and Coppersmith s method. In Section 3, we present our attack on RSA when the private exponent d satisfies d = Md + d 0 with known M. We conclude in Section 4.

2 Preliminaries A new attack on RSA with a composed decryption exponent 3 In this section, we present a few basic facts about lattices, lattice basis reduction, Coppersmith s method for solving modular polynomial equations and Howgrave- Graham s theorem. Let b,, b ω R n be ω linearly independent vectors where ω and n are two positive integers satisfying ω n. The lattice L spanned by {b,, b ω } is the set of linear combinations of the vectors b,, b ω R n using integer coefficients, that is { ω } L = λ i b i x i Z. i= We say that the set {b,, b ω } is a lattice basis for L, and ω is its dimension. This is denoted as dim(l) = ω. The lattice is called full rank if ω = n. When ω = n, the determinant is equal to the absolute value of the determinant of the matrix whose rows are the basis vectors b,, b ω, that is det(l) = det(b,, b ω ) If b = ω i= λ ib i is a vector of L, the Euclidean norm of b is ( ω ) 2 b =. i= A lattice has infinitely many bases with the same determinant and it is useful to find a basis of small vectors. However, finding the shortest nonzero vector in a lattice is very hard in general. In 982, Lenstra, Lenstra and Lovász [0] invented the so-called LLL algorithm to reduce a basis and to approximate a shortest lattice vector in time polynomial in the bit-length of the entries of the basis matrix and in the dimension of the lattice. In the following theorem, we state a general result on the size of the individual reduced basis vectors. A proof can be found in []. Theorem (LLL). Let L be a lattice of dimension ω. In polynomial time, the LLL- algorithm outputs a reduced basis {v,, v ω } that satisfy for all i ω. v v 2 v i 2 ω(ω ) 4(ω+ i det(l) ω+ i, In 996, Coppersmith [6] proposed rigorous techniques to compute small roots of bivariate polynomials over the integers and univariate modular polynomials using the LLL algorithm. The methods extend heuristically to more variables. In 997, Howgrave-Graham [8] reformulated Coppersmith s techniques and proposed the following result in terms of the Euclidean norm of the polynomial f(x,..., x n ) = a i,...,i n x i xin n which is defined by λ 2 i f(x,..., x n ) = a 2 i,...,i n.

4 Abderrahmane Nitaj and Mohamed Ould Douh Theorem 2 (Howgrave-Graham). Let f(x,..., x n ) Z[x,..., x n ] be a polynomial which is a sum of at most ω monomials. Suppose that ( ) f x (0),..., x(0) n 0 (mod (Me) m ), < X,..., x (0) < X n, Then f x (0) f(x X,..., x n X n ) < (Me)m ω. ( ) x (0),..., x(0) n = 0 holds over the integers. Using Theorem, if n 2 ω(ω ) 4(ω+ n) det(l) ω+ n (Me) m ω, then ( we can find ) n polynomials v i (x,..., x n ), i n, that share the root x (0),..., x(0) n over the integers. We terminate this section by two useful results (see. [2]). Let N = pq be an RSA modulus with q < p < 2q. Then the prime factors p and q satisfy the following properties 2 N < q < N < p < 2 N, () 2 2 N < p + q < 3 2 N. (2) 2 3 The Attack In this section, we present our new attack on RSA when the private exponent is in the form d = Md + d 0 with a known integer M and suitably small unknown integers d and d 2. A typical example is M = 2 m for some positive integer m. Theorem 3. Let N = pq be an RSA modulus with q < p < 2q. Let M = N β be a positive integer and e = N α a public exponent satisfying ed kφ(n) = with d = Md + d 0. Suppose that d N δ and d 0 < N γ. Then one can factor N in polynomial time if δ < ( 5 4γ ) 2α + 2β 2γ + 3. 4 Proof. Let M be a known integer. Suppose that d = Md + d 0. The starting point is the RSA key equation ed kφ(n) = where φ(n) = N p q+. Hence e (Md + d 0 ) k(n p q+) = and Med +ed 0 kn +k(p+q ) =. Taking this equation modulo Me, we get ed 0 kn + k(p + q ) 0 (mod Me). Consider the polynomial f(x, y, z) = ex Ny + yz.

A new attack on RSA with a composed decryption exponent 5 Then (x 0, y 0, z 0 ) = (d 0, k, p + q ) is a root modulo Me. Define e = N α, M = N β, X = N γ, Y = 2N α+β+δ, Z = 3 2 2 N 2. (3) Suppose that d < N δ and d 0 < N γ where γ < β + δ. Then d = Md + d 0 < 2N β+δ. Hence, since φ(n) N, we get k = ed φ(n) < ed α+β+δ 2N < φ(n) φ(n) 2N α+β+δ = Y. On the other hand, using (2), we get p + q < 3 2 2 N 2. Summarizing, the root (x 0, y 0, z 0 ) = (d 0, k, p + q ) modulo Me of the polynomial f(x, y, z) satisfies x 0 < X, y 0 < Y, z 0 < Z. To apply Coppersmith s method [6] to find the small modular roots of the equation f(x, y, z) 0 (mod Me), we use the extended strategy of Jochemsz and May [9]. Define the set M k = 0 j t {x i y i2 z i3+j x i y i2 z i3 monomial of f m (x, y, z) and Observe that f m (x, y, z) is in the form f m (x, y, z) = m m i i =0 i 2=0 i 3=0 x i y i2 z i3 (yz) k monomial of f }. i 2 a i,i 2,i 3 x i y i2 z i3, do not depend on x, y nor z. This gives the fol- where the coefficients a i,i 2,i 3 lowing properties x i y i2 z i3 f m if i = 0,..., m, i 2 = 0,..., m i, i 3 = 0,..., i 2, x i y i2 z i3 f if i = 0,..., m k, i 2 = 0,..., m k i, i 3 = 0,..., i 2. Hence, if x i y i2 z i3 is a monomial of f m (x, y, z), then xi y i 2 z i 3 y k z k f (x, y, z) for is a monomial of i = 0,..., m k, i 2 = k,..., m i, i 3 = k,..., i 2. For 0 k m, we obtain x i y i2 z i3 M k if i = 0,..., m k, i 2 = k,..., m i, i 3 = k,..., i 2 + t. From this, we deduce x i y i2 z i3 M k+ if i = 0,...,, i 2 = k+,..., m i, i 3 = k+,..., i 2 +t.

6 Abderrahmane Nitaj and Mohamed Ould Douh For 0 k m, define the polynomials g k,i,i 2,i 3 (x, y, z) = xi y i2 z i3 y k z k f(x, y, z) k (Me) with x i y i2 z i3 M k Mk+. These polynomials reduce to the following sets k =0,..., m, k =0,..., m, i =0,..., m k, i or =0,..., m k, i 2 =k,..., m i, i 2 =k, i 3 =k, i 3 =k +,..., i 2 + t. (4) Consequently, the polynomials g k,i,i 2,i 3 (x, y, z) are in one of the following forms G k,i,i 2,i 3 (x, y, z) = x i y i2 k f(x, y, z) k (Me), for k = 0,... m, i = 0,... m k, i 2 = k,..., m i, i 3 = k, H k,i,i 2,i 3 (x, y, z) = x i z i3 k f(x, y, z) k (Me), for k = 0,... m, i = 0,..., m k, i 2 = k, i 3 = k +,..., i 2 + t. Define the lattice L spanned by the coefficients of the vectors G k,i,i 2,i 3 (x, y, z) and H k,i,i 2,i 3 (x, y, z). For m = 2 and t =, the matrix of L is presented in Table. The non-zero elements are marked with an.

A new attack on RSA with a composed decryption exponent 7 y y 2 x xy x 2 yz y 2 z xyz y 2 z 2 z xz x 2 z yz 2 xyz 2 y 2 z 3 G 0,0,0,0 (Me) 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 G 0,0,,0 0 (Me) 2 Y 0 0 0 0 0 0 0 0 0 0 0 0 0 0 G 0,0,2,0 0 0 (Me) 2 Y 2 0 0 0 0 0 0 0 0 0 0 0 0 0 G 0,,0,0 0 0 0 (Me) 2 X 0 0 0 0 0 0 0 0 0 0 0 0 G 0,,,0 0 0 0 0 (Me) 2 XY 0 0 0 0 0 0 0 0 0 0 0 G 0,2,0,0 0 0 0 0 0 (Me) 2 X 2 0 0 0 0 0 0 0 0 0 0 G,0,, 0 0 0 MeY Z 0 0 0 0 0 0 0 0 0 G,0,2, 0 0 0 0 MeY 2 Z 0 0 0 0 0 0 0 0 G,,, 0 0 0 0 0 MeXY Z 0 0 0 0 0 0 0 G 2,0,2,2 Y 2 Z 2 0 0 0 0 0 0 H 0,0,0, 0 0 0 0 0 0 0 0 0 0 (Me) 2 Z 0 0 0 0 0 H 0,,0, 0 0 0 0 0 0 0 0 0 0 0 (Me) 2 XZ 0 0 0 0 H 0,2,0, 0 0 0 0 0 0 0 0 0 0 0 0 (Me) 2 X 2 Z 0 0 0 H,0,,2 0 0 0 0 0 0 0 0 0 0 MeY Z 2 0 0 H,,,2 0 0 0 0 0 0 0 0 0 0 0 MeXY Z 2 0 H 2,0,2,3 0 0 0 0 0 0 Y 2 Z 3 Table. The coefficient matrix for the case m = 2, t =.

8 Abderrahmane Nitaj and Mohamed Ould Douh Notice that the matrix is triangular so that the values marked with the symbol do not contribute in the calculation of the determinant. Indeed, the determinant is in the form det(l) = (Me) ne X n X Y n Y Z n Z. (5) Using the bounds (4), we get n e = m Similarly, we have m i k=0 i =0 i 2=k i 3=k k m (m k) + = m(m + )(m + 2)(3m + 8t + 9). 24 n X = m i m i k=0 i =0 i 2=k i 3=k k m i + k i 2+t k=0 i =0 i 2=k i 3=k+ k i 2+t k=0 i =0 i 2=k i 3=k+ = m(m + )(m + 2)(m + 4t + 3). 24 (m k) i and n Y = m m i k=0 i =0 i 2=k i 3=k k m i 2 + k i 2+t k=0 i =0 i 2=k i 3=k+ = m(m + )(m + 2)(m + 2t + 3). 2 i 2 and finally n Z = m m i k=0 i =0 i 2=k i 3=k k m i 3 + k i 2+t k=0 i =0 i 2=k i 3=k+ = 24 (m + )(m + 2)(m2 + 3m + 4tm + 6t 2 + 6t). i 3 On the other hand, the dimension of L is ω = m m i k=0 i =0 i 2=k i 3=k k m + = (m + )(m + 2)(m + 3t + 3). 6 k i 2+t k=0 i =0 i 2=k i 3=k+

A new attack on RSA with a composed decryption exponent 9 In the following, we set t = τm. For sufficiently large m, the exponents n e, n X, n Y, n Z as well as the dimension ω reduce to n e = 24 (8τ + 3)m4 + o(m 4 ), n X = 24 (4τ + )m4 + o(m 4 ), n Y = 24 (4τ + 2τ + )m4 + o(m 4 ), n Z = 24 (6τ 2 + 4τ + )m 4 + o(m 4 ), ω = 24 (2τ + 4)m3 + o(m 3 ). (6) Applying the LLL algorithm, we get a new basis {v,..., v ω }. Using Theorem, such a bais is LLL-reduced and satisfies v v 2 v 3 2 ω(ω ) 4(ω 2) det(l) ω 2. According to Theorem 2, we need v 3 (Me)m ω. This is satisfied if From this, we deduce 2 ω(ω ) 4(ω 2) det(l) ω 2 < (Me) m ω. det(l) < (2 ω(ω ) ) ω 2 (Me) m(ω 2) < (Me) mω. 4(ω 2) ω Using (5), we get the inequality (Me) ne X n X Y n Y Z n Z < (Me) mω. Using the values (6) as well as the values (3) and taking logarithms, neglecting low order terms and after simplifying by m 4, we get 2(α + β)(3 + 8τ) + 2γ( + 4τ) + 2(α + β + δ )(2 + 4τ) + + 4τ + 6τ 2 < 2(4 + 2τ)(α + β). Transforming this inequality, we get 6τ 2 + (8δ + 8γ 4)τ + 2α + 2β + 4δ + 2γ 3 < 0. The left hand side is minimized with the value τ 0 = 3 ( 2δ 2γ). Plugging τ 0 in the former inequality, we get δ < ( 5 4γ ) 2α + 2β 2γ + 3. 4 From the three vectors v (xx, yy, zz), v 2 (xx, yy, zz), and v 3 (xx, yy, zz), we obtain three polynomials h (x, y, z), h 2 (x, y, z), h 3 (x, y, z) with the common root

0 Abderrahmane Nitaj and Mohamed Ould Douh (x 0, y 0, z 0 ). Next, we use Assumption. Let g (y, z) be the resultant polynomial of h (x, y, z) and h 2 (x, y, z) with respect of x. Similarly, let g 2 (y, z) be the resultant polynomial of h (x, y, z) and h 3 (x, y, z) with respect of x. Then, computing the resultant of g (y, z) and g 2 (y, z) with respect to y, we find a polynomial g(z) with the root z 0. Using z 0 = p+q and pq = N, the factorization of N follows. This terminates the proof. In Table 2, we present some values of δ and δ+β. Recall that M = N β, d < N δ, d 0 < N γ and d = Md + d 0 < 2N δ+β. Notice that in all the presented cases, we have δ + β > 0.292. This shows that Wiener s attack [4] as well as Boneh and Durfee s method [4] will not give the factorization of the RSA modulus in these situations. α = log N (e) β = log N (M) γ = log N (d 0) δ = log N (d ) β + δ 0.5 0. 0.03 0.53 0.4 0. 0.07 0.47 0.3 0.2 0.04 0.34 0.3 0. 0.0 0.40 0.25 0.25 0.03 0.28 0.75 0.5 0.3 0.003 0.50 0.75 0.4 0.2 0.0 0.50 0.75 0.3 0.2 0.4 0.44 0.75 0.25 0.25 0.3 0.38 Table 2. Values of δ and β + δ in terms of α, β and γ. To test the validity of Assumption, we performed several experiments with various parameters α, β and γ. We implemented the new attack on an Intel Core 2 Duo running Maple 7. All the experiments gave the factorization of the RSA modulus N. Using the trivariate polynomial f(x, y, z) = ex Ny +yz, we constructed a set of polynomials with the same root (x 0, y 0, z 0 ) and at most ω monomials. Using this set of polynomials, we constructed a basis of a lattice L and applied the LLL ALgorithm to find a set of trivariate polynomials h i (x, y, z) for i ω. The shortest three polynomials h (x, y, z), h 2 (x, y, z), h 3 (x, y, z) are such that they satisfy Theorem. Then, we forced them to verify Howgrave-Graham s Theorem 2, that is we set h (x, y, z) h 2 (x, y, z) h 3 (x, y, z) 2 ω(ω ) 4(ω 2) det(l) ω 2. This implies that the small root (x 0, y 0, z 0 ) of h (x, y, z), h 2 (x, y, z) and h 3 (x, y, z) hold over the integers. Then, we take the resultants with respect to x, and then another resultant with respect to y, which gives an univariate polynomial leading

A new attack on RSA with a composed decryption exponent to the solution z 0 = p + q. Using the RSA modulus N = pq, it is easy to find p and q and then factor N. We note that all the experiments were successful and that Asssumption was verified in all cases. We note also, that in the most of the cases, the size of the private exponent d was such that d > N 0.292 which implies that the classical method of Boneh and Durfee will not give a solution in this situation. 4 Conclusion In this paper, we consider an RSA instance N = pq with a private exponent d of the form d = Md + d 0. Unlike the partial key exposure attacks where M and d 0 are known, we suppose that M is the only known parameter. We show that when d and d 0 are suitably small, then one can find the factorization of N. The method is based on transforming the key equation ed kφ(n) = into the modular equation f(x, y, z) = ex Ny + yz 0 (mod Me) where (x 0, y 0, z 0 ) = (d 0, k, p + q ) is a small solution. Using Coppersmith s technique and the LLL algorithm, we can easily find z 0 = p + q, which leads to the factorization of N. We note that the classical attacks on RSA gives the factorization of N when d < N 0.292 as it is the case with the attack of Boneh and Durfee. Our method enables us to find the private exponent d even when d > N 0.292 depending on the possibility that d has the form d = Md + d 0 for a suitable known integer M and suitable unknown parameters d and d 0. The encryption and decryption in RSA require taking heavy exponential multiplications modulus the large integer N and many ways have been considered using special private exponent d. Once again, our results show that one should be more careful when using RSA with special private exponents. References. ANSI Standard X9.3-998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rdsa). 2. Blömer, J., May, A.: New partial key exposure attacks on RSA, Proceedings of CRYPTO 2003, LNCS 2729 (2003), pp. 27 43. Springer Verlag (2003) 3. Boneh, D.: Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (2), 203 23, (999) 4. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292, Advances in Cryptology Eurocrypt 99, Lecture Notes in Computer Science Vol. 592, Springer-Verlag, pp. (999) 5. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) Advances in Cryptology Asiacrypt 98. Lecture Notes in Computer Science, vol. 54, pp. 25 34. Springer-Verlag (998) 6. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, 0(4), pp. 233 260 (997) 7. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) Advances in Cryptology Eurocrypt 2005. Lecture Notes in Computer Science, vol. 3494, pp. 37 386. Springer- Verlag (2005)

2 Abderrahmane Nitaj and Mohamed Ould Douh 8. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited, In Cryptography and Coding, LNCS 355, pp. 3 42, Springer-Verlag (997) 9. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants, in: ASIACRYPT 2006, LNCS, vol. 4284, 2006, pp. 267 282, Springer-Verlag. 0. Lenstra, A.K., Lenstra, H.W., Lovász,L.: Factoring polynomials with rational coefficients, Mathematische Annalen, Vol. 26, pp. 53 534, 982.. May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. PhD thesis, University of Paderborn (2003). Available at http://wwwcs.upb.de/cs/ag-bloemer/personen/alex/publikationen/ 2. Nitaj, A.: Another generalization of Wiener s attack on RSA, In: Vaudenay, S. (ed.) Africacrypt 2008. LNCS, vol. 5023, pp. 74 90. Springer, Heidelberg (2008) 3. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 2 (2), pp. 20 26 (978) 4. Wiener, M.: Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36, 553 558 (990)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback