# On Some Attacks on Multi-prime RSA

## Abstract

Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage that the private key computations can be sped up using Chinese remaindering. At the same time, with a proper choice of parameters, one does not have to work with a larger modulus to achieve the same level of security in terms of the difficulty of the integer factorization problem. However, numerous attacks on specific instances of the RSA cryptosystem are known that apply if, for example, the decryption or encryption exponent is chosen too small, or if partial knowledge of the private key is available. Little work is known on how such attacks perform in the multi-prime case. It turns out that for most of these attacks it is crucial that the modulus contains exactly two primes. They become much less effective, or fail, when the modulus factors into more than two distinct primes.
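The Chinese-remaindering speed-up mentioned in the abstract, as an added example that is not code from the paper: the private-key operation is done as one short exponentiation per prime and the results are recombined with Garner's method. The function names are hypothetical, and the three Mersenne primes and the public exponent 65537 are constructed toy parameters chosen only so the block runs offline.

```python
from math import prod

# Constructed toy parameters (assumption, not from the paper): three
# distinct Mersenne primes. Not a secure or balanced key.
PRIMES = [2**89 - 1, 2**107 - 1, 2**127 - 1]
E = 65537


def make_key(primes, e):
    """Return (n, d, crt_exps), where crt_exps[i] = d mod (p_i - 1)."""
    n = prod(primes)
    phi = prod(p - 1 for p in primes)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return n, d, [d % (p - 1) for p in primes]


def crt_decrypt(c, primes, crt_exps):
    """Compute c^d mod n using only arithmetic modulo the individual primes."""
    # One exponentiation per prime, each with a short modulus and exponent.
    residues = [pow(c % p, dp, p) for p, dp in zip(primes, crt_exps)]
    # Garner recombination: extend the solution one prime at a time.
    m, modulus = residues[0], primes[0]
    for p, r in zip(primes[1:], residues[1:]):
        # m is correct modulo `modulus`; choose h so that m + modulus*h = r (mod p).
        h = ((r - m) * pow(modulus, -1, p)) % p
        m += modulus * h
        modulus *= p
    return m


def roundtrip(message, primes=PRIMES, e=E):
    """Encrypt, then decrypt both ways; return (plain_pow_result, crt_result)."""
    n, d, crt_exps = make_key(primes, e)
    c = pow(message, e, n)
    return pow(c, d, n), crt_decrypt(c, primes, crt_exps)


if __name__ == "__main__":
    n, d, crt_exps = make_key(PRIMES, E)
    print("modulus bits:", n.bit_length(), "full exponent bits:", d.bit_length())
    print("CRT exponent bits:", [dp.bit_length() for dp in crt_exps])
    print("round trip ok:", roundtrip(123456789) == (123456789, 123456789))
```

The same `crt_decrypt` works for the ordinary two-prime case by passing a list of two primes.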

## Keywords

Chinese Remainder Theorem; Modular Exponentiation; Modular Equation; Public Exponent; Continued Fraction Algorithm