New Attacks on RSA with Small Secret CRT-Exponents

  • Daniel Bleichenbacher
  • Alexander May
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)

Abstract

It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p–1 and q–1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus N=pq with unbalanced prime factors p and q. Based on Coppersmith’s method, he showed that there is a polynomial time attack provided that \(q < N^{0.382}\). We will improve this bound to \(q < N^{0.468}\). Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N. More precisely, we show that there is a polynomial time attack if \(d_{p}, d_{q} \leq \min\{(N/e)^{\frac{2}{5}},N^{\frac{1}{4}}\}\). The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.

Keywords

RSA, small exponents, lattices, Coppersmith’s method

References

  1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)
  2. Boneh, D., Shacham, H.: Fast Variants of RSA. CryptoBytes 5(1), 1–9 (2002)
  3. Cohen, H., et al.: PARI/GP, http://www.pari.math.u-bordeaux.fr
  4. Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
  5. Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)
  6. Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable Balancing of RSA, full version of [5], online, available at http://www.isg.rhul.ac.uk/~sdg/full-tunable-rsa.pdf
  7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  8. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)
  9. May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)
  10. Shoup, V.: NTL: A Library for doing Number Theory, online, available at http://www.shoup.net/ntl/index.html
  11. STORK, Strategic Roadmap for Crypto, http://www.stork.eu.org/index.html
  12. Sun, H.-M., Wu, M.-E.: An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, Cryptology ePrint Archive: Report 2005/053, online, available at http://eprint.iacr.org/2005/053
  13. Sun, H.-M., Hinek, M.J., Wu, M.-E.: An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, revised version of [12], online, available at http://www.cacr.math.uwaterloo.ca/techreports/2005/cacr2005-35.pdf
  14. Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Daniel Bleichenbacher (1)
  • Alexander May (1)
  1. Department of Computer Science, TU Darmstadt, Darmstadt, Germany
