Cryptanalysis of Prime Power RSA with two private exponents

Abstract

In this paper, we consider a variant of RSA schemes called Prime Power RSA with modulus N = p ^r q for r ≥ 2, where p, q are of the same bit-size. May showed that when private exponent \(d < {N^{\frac{r}{{{{\left( {r + 1} \right)}^2}}}}}\) or \(d < {N^{{{\left( {\frac{{r - 1}}{{r + 1}}} \right)}^2}}}\), N can be factored in polynomial time in PKC 2004. Later in 2014, Sarkar improved the bound for r ≤ 5. We propose a new cryptanalytic method to attack this RSA variant when given two pairs of public and private exponents, namely (e ₁, d ₁) and (e ₂, d ₂) with the same modulus N. Suppose that we know d ₁ < N ^δ1 and d ₂ < N ^δ2. Our results show that when \({\delta _1}{\delta _2} < {\left( {\frac{{r - 1}}{{r + 1}}} \right)^3}\), Prime Power RSA is insecure.

摘要

创新点

针对素数幂RSA体制, 我们利用已有的优化方法给出一种新的环境下的密码分析和结论。即当同一个RSA模数N具有2个公私钥对, 且私钥d_1 < N^{⪤lta_1}和d_2 < N^{delta_2}的情形已知, 得到结论为当delta_1*delta_2 < ((r-1)/(r+1))^3时, 素数幂RSA体制是不安全的。与之前的针对单个私钥的素数幂RSA体制的密码分析结论相比, 这是一个新结果。