Abstract
In this paper, we consider a variant of RSA called Prime Power RSA, with modulus \(N = p^r q\) for \(r \ge 2\), where \(p\) and \(q\) are of the same bit-size. At PKC 2004, May showed that \(N\) can be factored in polynomial time when the private exponent satisfies \(d < N^{\frac{r}{(r+1)^2}}\) or \(d < N^{\left(\frac{r-1}{r+1}\right)^2}\). Later, in 2014, Sarkar improved the bound for \(r \le 5\). We propose a new cryptanalytic method to attack this RSA variant when given two pairs of public and private exponents, namely \((e_1, d_1)\) and \((e_2, d_2)\), with the same modulus \(N\). Suppose that we know \(d_1 < N^{\delta_1}\) and \(d_2 < N^{\delta_2}\). Our results show that when \(\delta_1 \delta_2 < \left(\frac{r-1}{r+1}\right)^3\), Prime Power RSA is insecure.
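Summary
Highlights
For the Prime Power RSA scheme, we use existing optimization methods to give a cryptanalysis and a result in a new setting. Namely, when the same RSA modulus \(N\) has two public/private key pairs and it is known that the private keys satisfy \(d_1 < N^{\delta_1}\) and \(d_2 < N^{\delta_2}\), we conclude that the Prime Power RSA scheme is insecure when \(\delta_1 \delta_2 < \left(\frac{r-1}{r+1}\right)^3\). Compared with previous cryptanalytic results on Prime Power RSA with a single private key, this is a new result.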
References
Rivest R L, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM, 1978, 21: 120–126
Coppersmith D. Finding a small root of a univariate modular equation. In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, 1996. 155–165
Coppersmith D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J Cryptol, 1997, 10: 233–260
Howgrave-Graham N. Finding small roots of univariate modular equations revisited. In: Darnell M, ed. Cryptography and Coding. Berlin: Springer, 1997. 131–142
Wiener M J. Cryptanalysis of short RSA secret exponents. IEEE Trans Inform Theory, 1990, 36: 553–558
Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than \(N^{0.292}\). In: Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Prague, 1999. 1–11
Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans Inform Theory, 2000, 46: 1339–1349
Blömer J, May A. Low secret exponent RSA revisited. In: Silverman J H, ed. Cryptography and Lattices. Berlin: Springer, 2001. 4–19
Blömer J, May A. New partial key exposure attacks on RSA. In: Proceedings of 23rd Annual International Cryptology Conference, Santa Barbara, 2003. 27–43
Ernst M, Jochemsz E, May A, et al. Partial key exposure attacks on RSA up to full size exponents. In: Proceedings of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, 2005. 371–386
Aono Y. A new lattice construction for partial key exposure attack for RSA. In: Proceedings of 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, 2009. 34–53
Sarkar S. Partial key exposure: generalized framework to attack RSA. In: Proceedings of 12th International Conference on Cryptology in India, Chennai, 2011. 76–92
Joye M, Lepoint T. Partial key exposure on RSA with private exponents larger than N. In: Ryan M D, Smyth B, Wang G L, eds. Information Security Practice and Experience. Berlin: Springer, 2012. 369–380
Takagi T. Fast RSA-type cryptosystem modulo \(p^k q\). In: Proceedings of 18th Annual International Cryptology Conference, Santa Barbara, 1998. 318–326
Boneh D, Durfee G, Howgrave-Graham N. Factoring \(N = p^r q\) for large r. In: Proceedings of 19th Annual International Cryptology Conference, Santa Barbara, 1999. 326–337
May A. Secret exponent attacks on RSA-type schemes with moduli \(N = p^r q\). In: Proceedings of 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 2004. 218–230
Sarkar S. Small secret exponent attack on RSA variant with modulus \(N = p^r q\). Designs Codes Cryptogr, 2014, 73: 383–392
Itoh K, Kunihiro N, Kurosawa K. Small secret key attack on a variant of RSA (due to Takagi). In: Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, 2008. 387–406
Takayasu A, Kunihiro N. Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Proceedings of 18th Australasian Conference, ACISP 2013, Brisbane, 2013. 118–135
Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients. Math Ann, 1982, 261: 515–534
Cite this article
Zheng, M., Hu, H. Cryptanalysis of Prime Power RSA with two private exponents. Sci. China Inf. Sci. 58, 1–8 (2015). https://doi.org/10.1007/s11432-015-5409-4
DOI: https://doi.org/10.1007/s11432-015-5409-4