
Generalized cryptanalysis of RSA with small public exponent

Chinese title: Generalized cryptanalysis of the RSA algorithm with public exponent e at most N^0.5

Abstract

In this paper, we demonstrate that there exist weak keys in the RSA public-key cryptosystem with the public exponent \(e = N^{\alpha} \leqslant N^{0.5}\). In 1999, Boneh and Durfee showed that when α ≈ 1 and the private exponent \(d = N^{\beta} < N^{0.292}\), the system is insecure. Moreover, their attack is still effective for 0.5 < α < 1.875. We propose a generalized cryptanalytic method to attack the RSA cryptosystem with α ≤ 0.5. For \(c = \left\lfloor \frac{1 - \alpha}{\alpha} \right\rfloor\) and \(e^{\gamma c} \equiv d \pmod{e^{c}}\), when γ, β satisfy \(\gamma < 1 + \frac{1}{c} - \frac{1}{2\alpha c}\) and \(\beta < \alpha c + \frac{7}{6} - \alpha \gamma c - \frac{1}{3}\sqrt{6\alpha + 6\alpha c + 1 - 6\alpha \gamma c}\), we can perform cryptanalytic attacks based on the LLL algorithm. The basic idea is an application of Coppersmith’s techniques and we further adapt the technique of unravelled linearization, which leads to an optimized lattice. Our advantage is that we achieve new attacks on RSA with α ≤ 0.5 and consequently, there exist weak keys in RSA for most α.
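The two inequalities above define the weak-key region in terms of the exponents α, β and γ. The following Python is an added worked example (not code from the paper or its authors): it evaluates the paper's bounds for a given (α, γ), and maps a concrete key (N, e, d) to those exponents so a key-generation routine can check whether the key falls inside the region. Function names are ours; the way γ is read off a key, taking d mod e^c = e^{γc} as the meaning of the congruence e^{γc} ≡ d (mod e^c), is our assumption, and the modulus and exponents in the usage block are constructed bit-size stand-ins, not real RSA keys.

```python
import math


def exponent_of(x: int, n: int) -> float:
    """Return t with x = n^t (the alpha, beta of the abstract); log2 accepts big ints."""
    return math.log2(x) / math.log2(n)


def zhw_bounds(alpha: float, gamma: float):
    """Evaluate the abstract's conditions for given alpha = log_N e and gamma.

    Returns (c, gamma_max, beta_max), or None when alpha > 0.5: then
    c = floor((1 - alpha)/alpha) = 0 and this paper's method does not apply.
    Note: c is computed in floating point; at an exact boundary such as
    alpha = 1/3 a rounding error could lower c by one.
    """
    c = math.floor((1 - alpha) / alpha)
    if c < 1:
        return None
    gamma_max = 1 + 1 / c - 1 / (2 * alpha * c)
    radicand = 6 * alpha + 6 * alpha * c + 1 - 6 * alpha * gamma * c
    if radicand < 0:
        # only happens for gamma far above gamma_max; the gamma test fails anyway
        return c, gamma_max, float("-inf")
    beta_max = alpha * c + 7 / 6 - alpha * gamma * c - math.sqrt(radicand) / 3
    return c, gamma_max, beta_max


def key_in_weak_region(N: int, e: int, d: int):
    """Map a concrete key to (alpha, beta, gamma, c) and test both inequalities.

    gamma is derived from d0 = d mod e^c via d0 = e^(gamma*c) (our reading of
    the congruence in the abstract). Returns a dict, or None when e > N^0.5.
    """
    alpha = exponent_of(e, N)
    beta = exponent_of(d, N)
    at_zero = zhw_bounds(alpha, 0.0)
    if at_zero is None:
        return None
    c = at_zero[0]
    d0 = d % (e ** c)
    gamma = math.log2(d0) / (c * math.log2(e)) if d0 > 1 else 0.0
    _, gamma_max, beta_max = zhw_bounds(alpha, gamma)
    return {
        "alpha": alpha, "beta": beta, "gamma": gamma, "c": c,
        "gamma_max": gamma_max, "beta_max": beta_max,
        "weak": gamma < gamma_max and beta < beta_max,
    }


if __name__ == "__main__":
    # Constructed stand-ins: only the bit sizes matter for the exponents.
    N = 1 << 1024              # "N" of 1024 bits
    e = 1 << 256               # alpha = 0.25, hence c = 3
    for d in ((1 << 900) | (1 << 100), (1 << 1020) | (1 << 100)):
        r = key_in_weak_region(N, e, d)
        print(f"beta={r['beta']:.4f} gamma={r['gamma']:.4f} "
              f"beta_max={r['beta_max']:.4f} weak={r['weak']}")
    print(key_in_weak_region(N, 1 << 600, 1 << 300))  # e > N^0.5: None
```

A useful sanity check on the formula: substituting γ = γ_max makes the radicand exactly 4, and the β bound collapses to β < 1 − α for every α ≤ 0.5, which is the size constraint one expects from e·d being roughly N. In the usage block, the first d (β ≈ 0.879, with d mod e^3 = 2^100 so γ ≈ 0.13) lands inside the region while the second (β ≈ 0.996) does not.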

Abstract (Chinese)

Highlights

This paper analyses the weak-key attacks that may exist on the RSA algorithm when the public exponent e is at most N^0.5. On one hand, it improves the earlier attack for the case d > e and proposes a generalized attack applicable when e ≤ N^0.5. On the other hand, by applying the technique of unravelled linearization, it further proposes a generalized attack under an optimized lattice construction, which both reduces the lattice dimension and the running time of the LLL algorithm and raises the theoretical upper bound that the private key d must satisfy. Compared with existing attacks, our method not only widens the applicable range of e but also extends the applicable range of d.


References

1. Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM, 1978, 21: 120–126
2. Coppersmith D. Finding a small root of a univariate modular equation. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, 1996. 155–165
3. Coppersmith D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J Cryptol, 1997, 10: 233–260
4. Howgrave-Graham N. Finding small roots of univariate modular equations revisited. In: Darnell M, ed. Cryptography and Coding. Berlin: Springer, 1997. 131–142
5. Wiener M J. Cryptanalysis of short RSA secret exponents. IEEE Trans Inform Theory, 1990, 36: 553–558
6. Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than N^0.292. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Prague, 1999. 1–11
7. Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than N^0.292. IEEE Trans Inform Theory, 2000, 46: 1339–1349
8. Blömer J, May A. Low secret exponent RSA revisited. In: Silverman J H, ed. Cryptography and Lattices. Berlin: Springer, 2001. 4–19
9. May A. Cryptanalysis of unbalanced RSA with small CRT-exponent. In: Proceedings of 22nd Annual International Cryptology Conference, Santa Barbara, 2002. 242–256
10. Jochemsz E, May A. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Proceedings of 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, 2006. 267–282
11. Bleichenbacher D, May A. New attacks on RSA with small secret CRT-exponents. In: Proceedings of 9th International Conference on Theory and Practice of Public-Key Cryptography, New York, 2006. 1–13
12. Jochemsz E, May A. A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In: Proceedings of 27th Annual International Cryptology Conference, Santa Barbara, 2007. 395–411
13. Blömer J, May A. New partial key exposure attacks on RSA. In: Proceedings of 23rd Annual International Cryptology Conference, Santa Barbara, 2003. 27–43
14. Ernst M, Jochemsz E, May A, et al. Partial key exposure attacks on RSA up to full size exponents. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 371–386
15. Aono Y. A new lattice construction for partial key exposure attack for RSA. In: Proceedings of 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, 2009. 34–53
16. Sarkar S. Partial key exposure: generalized framework to attack RSA. In: Proceedings of 12th International Conference on Cryptology in India, Chennai, 2011. 76–92
17. Joye M, Lepoint T. Partial key exposure on RSA with private exponents larger than N. In: Ryan M D, Smyth B, Wang G L, eds. Information Security Practice and Experience. Berlin: Springer, 2012. 369–380
18. Luo P, Zhou H J, Wang D S, et al. Cryptanalysis of RSA for a special case with d > e. Sci China Ser-F: Inf Sci, 2009, 52: 609–616
19. Herrmann M, May A. Attacking power generators using unravelled linearization: When do we output too much? In: Proceedings of 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, 2009. 487–504
20. Herrmann M, May A. Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Proceedings of 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, 2010. 53–69
21. Herrmann M. Lattice-based cryptanalysis using unravelled linearization. Dissertation for Doctoral Degree. Germany: Ruhr-Universität Bochum, 2011
22. Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients. Math Ann, 1982, 261: 515–534


Author information

Correspondence to Honggang Hu.


About this article


Cite this article

Zheng, M., Hu, H. & Wang, Z. Generalized cryptanalysis of RSA with small public exponent. Sci. China Inf. Sci. 59, 32108 (2016). https://doi.org/10.1007/s11432-015-5325-7


Keywords

  • cryptanalysis
  • RSA
  • LLL algorithm
  • Coppersmith’s techniques
  • unravelled linearization
