Abstract
In this paper, we demonstrate that there exist weak keys in the RSA public-key cryptosystem with public exponent \(e = N^{\alpha} \le N^{0.5}\). In 1999, Boneh and Durfee showed that when \(\alpha \approx 1\) and the private exponent \(d = N^{\beta} < N^{0.292}\), the system is insecure. Moreover, their attack is still effective for \(0.5 < \alpha < 1.875\). We propose a generalized cryptanalytic method to attack the RSA cryptosystem with \(\alpha \le 0.5\). For \(c = \left\lfloor \frac{1 - \alpha}{\alpha} \right\rfloor\) and \(e^{\gamma c} \equiv d \pmod{e^{c}}\), when \(\gamma\) and \(\beta\) satisfy \(\gamma < 1 + \frac{1}{c} - \frac{1}{2\alpha c}\) and \(\beta < \alpha c + \frac{7}{6} - \alpha\gamma c - \frac{1}{3}\sqrt{6\alpha + 6\alpha c + 1 - 6\alpha\gamma c}\), we can perform cryptanalytic attacks based on the LLL algorithm. The basic idea is an application of Coppersmith's techniques, and we further adapt the technique of unravelled linearization, which leads to an optimized lattice. Our advantage is that we achieve new attacks on RSA with \(\alpha \le 0.5\) and, consequently, there exist weak keys in RSA for most \(\alpha\).
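The abstract states the weak-key region as three expressions in \(\alpha\), \(\gamma\) and \(\beta\). The following Python script is an added worked evaluation of exactly those expressions, not code from the paper: it computes \(c\), the \(\gamma\) bound and the \(\beta\) bound for a given \(e = N^{\alpha}\), and refuses to answer when \(c = 0\) (i.e. \(\alpha > 0.5\)), where the generalized attack is not defined. The function names and the example inputs are my own choices; the formulas are copied from the abstract.

```python
"""Evaluate the weak-key region from the abstract of
"Generalized cryptanalysis of RSA with small public exponent".

Symbols (all from the abstract): e = N^alpha with alpha <= 0.5,
d = N^beta, c = floor((1 - alpha)/alpha), and d mod e^c = e^(gamma*c),
i.e. gamma measures how large the low part of d modulo e^c is.
Added example; function names are mine, formulas are the paper's.
"""
import math
from fractions import Fraction


def _frac(x):
    """Exact rational from a float/str/Fraction (0.1 -> 1/10, "1/3" -> 1/3)."""
    return x if isinstance(x, Fraction) else Fraction(str(x))


def exponent_count(alpha):
    """c = floor((1 - alpha)/alpha). c = 0 exactly when alpha > 0.5,
    which is outside the range the generalized attack covers."""
    a = _frac(alpha)
    if not 0 < a <= 1:
        raise ValueError("alpha must satisfy 0 < alpha <= 1")
    return math.floor((1 - a) / a)


def _require_applicable(a):
    c = exponent_count(a)
    if c == 0:
        raise ValueError("alpha > 0.5 gives c = 0; the attack is not applicable")
    return c


def gamma_bound(alpha):
    """Exclusive upper bound on gamma: 1 + 1/c - 1/(2*alpha*c)."""
    a = _frac(alpha)
    c = _require_applicable(a)
    return 1 + Fraction(1, c) - 1 / (2 * a * c)


def beta_bound(alpha, gamma):
    """Exclusive upper bound on beta:
    alpha*c + 7/6 - alpha*gamma*c - (1/3)*sqrt(6alpha + 6alpha*c + 1 - 6alpha*gamma*c)."""
    a, g = _frac(alpha), _frac(gamma)
    c = _require_applicable(a)
    radicand = 6 * a + 6 * a * c + 1 - 6 * a * g * c
    if radicand < 0:
        raise ValueError("radicand negative: gamma too large for this alpha")
    rational_part = a * c + Fraction(7, 6) - a * g * c
    return float(rational_part) - math.sqrt(radicand) / 3


def is_weak_key(alpha, gamma, beta):
    """True if (alpha, gamma, beta) lies strictly inside the region the
    abstract claims is attackable with LLL. alpha > 0.5 is always False
    here because the paper's condition is stated only for alpha <= 0.5."""
    a, g, b = _frac(alpha), _frac(gamma), _frac(beta)
    if a > Fraction(1, 2):
        return False
    if g >= gamma_bound(a):
        return False
    return float(b) < beta_bound(a, g)


if __name__ == "__main__":
    # Scan a few public-exponent sizes and print the region for gamma = 0
    # (d is a multiple of e^c) and for gamma just below its bound.
    print(f"{'alpha':>6} {'c':>3} {'gamma<':>8} {'beta< (g=0)':>12} {'beta< (g~max)':>14}")
    for alpha in ("0.05", "0.1", "0.2", "0.25", "1/3", "0.4", "0.5"):
        c = exponent_count(alpha)
        gmax = gamma_bound(alpha)
        near_max = gmax - Fraction(1, 1000)
        print(f"{float(_frac(alpha)):>6.3f} {c:>3} {float(gmax):>8.4f} "
              f"{beta_bound(alpha, 0):>12.4f} {beta_bound(alpha, near_max):>14.4f}")
```

Inputs may be given as strings such as "1/3" so that \(c\) is computed exactly rather than from a rounded float; with a float 0.1 the naive computation \((1-0.1)/0.1\) falls just below 9 and `floor` would return the wrong \(c\). Note that the \(\beta\) bound can exceed 1 for small \(\alpha\) and \(\gamma = 0\); the abstract does not cap it, so neither does the script.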
Abstract (Chinese version)
Highlights
This paper analyzes the weak-key attacks that may exist in RSA when the public exponent e is at most N^0.5. On one hand, it improves the earlier attack for the case d > e and proposes a generalized attack that applies when e ≤ N^0.5. On the other hand, by applying the technique of unravelled linearization, it further proposes a generalized attack under an optimized lattice construction, which both reduces the lattice dimension (and hence the running time of the LLL algorithm) and raises the theoretical upper bound that the private exponent d must satisfy. Compared with previously known attacks, our method not only enlarges the applicable range of e but also enlarges the applicable range of d.
References
Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM, 1978, 21: 120–126
Coppersmith D. Finding a small root of a univariate modular equation. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, 1996. 155–165
Coppersmith D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J Cryptol, 1997, 10: 233–260
Howgrave-Graham N. Finding small roots of univariate modular equations revisited. In: Darnell M, ed. Cryptography and Coding. Berlin: Springer, 1997. 131–142
Wiener M J. Cryptanalysis of short RSA secret exponents. IEEE Trans Inform Theory, 1990, 36: 553–558
Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than N^0.292. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Prague, 1999. 1–11
Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than N^0.292. IEEE Trans Inform Theory, 2000, 46: 1339–1349
Blömer J, May A. Low secret exponent RSA revisited. In: Silverman J H, ed. Cryptography and Lattices. Berlin: Springer, 2001. 4–19
May A. Cryptanalysis of unbalanced RSA with small CRT-exponent. In: Proceedings of 22nd Annual International Cryptology Conference, Santa Barbara, 2002. 242–256
Jochemsz E, May A. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Proceedings of 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, 2006. 267–282
Bleichenbacher D, May A. New attacks on RSA with small secret CRT-exponents. In: Proceedings of 9th International Conference on Theory and Practice of Public-Key Cryptography, New York, 2006. 1–13
Jochemsz E, May A. A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In: Proceedings of 27th Annual International Cryptology Conference, Santa Barbara, 2007. 395–411
Blömer J, May A. New partial key exposure attacks on RSA. In: Proceedings of 23rd Annual International Cryptology Conference, Santa Barbara, 2003. 27–43
Ernst M, Jochemsz E, May A, et al. Partial key exposure attacks on RSA up to full size exponents. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 371–386
Aono Y. A new lattice construction for partial key exposure attack for RSA. In: Proceedings of 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, 2009. 34–53
Sarkar S. Partial key exposure: generalized framework to attack RSA. In: Proceedings of 12th International Conference on Cryptology in India, Chennai, 2011. 76–92
Joye M, Lepoint T. Partial key exposure on RSA with private exponents larger than N. In: Ryan M D, Smyth B, Wang G L, eds. Information Security Practice and Experience. Berlin: Springer, 2012. 369–380
Luo P, Zhou H J, Wang D S, et al. Cryptanalysis of RSA for a special case with d > e. Sci China Ser-F: Inf Sci, 2009, 52: 609–616
Herrmann M, May A. Attacking power generators using unravelled linearization: When do we output too much? In: Proceedings of 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, 2009. 487–504
Herrmann M, May A. Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Proceedings of 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, 2010. 53–69
Herrmann M. Lattice-based cryptanalysis using unravelled linearization. Dissertation for Doctoral Degree. Germany: Ruhr-Universität Bochum, 2011
Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients. Math Ann, 1982, 261: 515–534
Cite this article
Zheng, M., Hu, H. & Wang, Z. Generalized cryptanalysis of RSA with small public exponent. Sci. China Inf. Sci. 59, 32108 (2016). https://doi.org/10.1007/s11432-015-5325-7