Abstract
Factoring large integers is a fundamental problem in algebraic number theory and modern cryptography, and many cryptosystems, e.g. RSA, rely on its hardness. Up to now, no polynomial-time algorithm for it is known on classical computers. In practice, however, side-channel attacks usually cause serious damage: even if only a small proportion of the bits of the secret primes is leaked, one may factor efficiently.
In this paper, we study the problem of factoring with partially known bits for the multi-power RSA modulus N = p^r q. In 1999, Boneh, Durfee and Howgrave-Graham showed that this problem can be solved efficiently given a \(\frac{1}{r+1}\)-fraction of the most significant bits (MSB) of p. In their attack, the unknown bits are located in one consecutive block. We propose two lattice-based approaches that extend the number of unknown blocks to arbitrary n (n ≥ 1). The advantage of our approaches is that knowledge of a \(\frac{\ln (1+r)}{r}\)-fraction of the bits of p is already sufficient (for any n). In fact, our result is a first step towards unifying and extending the previous works of Boneh-Durfee-Howgrave-Graham (Crypto'99) and Herrmann-May (Asiacrypt'08).
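A worked comparison of the two bounds quoted in the abstract, added here as an illustration and not part of the original abstract. Evaluating both fractions for small r gives

\[
\frac{1}{r+1}\Big|_{r=1,2,3} = 0.500,\; 0.333,\; 0.250, \qquad
\frac{\ln(1+r)}{r}\Big|_{r=1,2,3} \approx 0.693,\; 0.549,\; 0.462 .
\]

For r = 1 (the standard modulus N = pq) the new bound equals \(\ln 2 \approx 0.69\), which is the Herrmann-May bound for factoring given roughly 70% of the bits of p spread over arbitrarily many blocks; the Boneh-Durfee-Howgrave-Graham bound \(\frac{1}{r+1}\) applies to the single-block setting (n = 1). Since \(\ln(1+r) \ge \frac{r}{1+r}\) for all r ≥ 1, one has \(\frac{\ln(1+r)}{r} \ge \frac{1}{r+1}\), so handling arbitrary n costs a larger known fraction than the single-block attack, while both fractions tend to 0 as r grows.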
References
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring N = p^r q for large r. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)
Boneh, D., Shacham, H.: Fast variants of RSA. CryptoBytes 5(1), 1–9 (2002)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
The EPOC and the ESIGN Algorithms. IEEE P1363: Protocols from Other Families of Public-Key Algorithms (1998), http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html
Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM 52(5), 91–98 (2009)
Herrmann, D.I.M.: Lattice-based Cryptanalysis using Unravelled Linearization. PhD thesis (2011)
Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
May, A.: New RSA vulnerabilities using lattice reduction methods. PhD thesis (2003)
May, A.: Using LLL-reduction for solving RSA and factorization problems. In: The LLL Algorithm, pp. 315–348 (2010)
Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)
Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponent. Information Processing Letters 110(8), 336–340 (2010)
Sarkar, S., Sen Gupta, S., Maitra, S.: Partial key exposure attack on RSA – improvements for limited lattice dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)
Takagi, T.: Fast RSA-type cryptosystem modulo p^k q. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Lu, Y., Zhang, R., Lin, D. (2013). Factoring Multi-power RSA Modulus N = p^r q with Partial Known Bits. In: Boyd, C., Simpson, L. (eds) Information Security and Privacy. ACISP 2013. Lecture Notes in Computer Science, vol 7959. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39059-3_5
DOI: https://doi.org/10.1007/978-3-642-39059-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39058-6
Online ISBN: 978-3-642-39059-3