On Some Attacks on Multi-prime RSA

  • M. Jason Hinek
  • Mo King Low
  • Edlyn Teske
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2595)


Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage that the private key computations can be speeded up using Chinese remaindering. At the same time, with a proper choice of parameters, one does not have to work with a larger modulus to achieve the same level of security in terms of the difficulty of the integer factorization problem. However, numerous attacks on specific instances on the RSA cryptosystem are known that apply if, for example, the decryption or encryption exponent are chosen too small, or if partial knowledge of the private key is available. Little work is known on how such attacks perform in the multi-prime case. It turns out that for most of these attacks it is crucial that the modulus contains exactly two primes. They become much less effective, or fail, when the modulus factors into more than two distinct primes.


Chinese Remainder Theorem Modular Exponentiation Modular Equation Public Exponent Continue Fraction Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [BD00]
    D. Boneh and G. Durfee. Cryptanalysis of RSA with private key d less than N 0.292. IEEE Transactions on Information Theory, 46(4):1339–1349, 2000.MathSciNetCrossRefGoogle Scholar
  2. [BDF98]
    D. Boneh, G. Durfee, and Y. Frankel. Exposing an RSA private key given a small fraction of its bits. In Advances in Cryptology — ASIACRYPT’ 98, volume 1514 of Lecture Notes In Computer Science, pages 25–34. Springer-Verlag, 1998. Revised and extended version available from Scholar
  3. [BM01]
    J. Blömer and A. May. Low secret exponent RSA revisited. In Cryptography and Lattices — Proceedings of CALC’ 01, volume 2146 of Lecture Notes In Computer Science, pages 4–19. Springer-Verlag, 2001.zbMATHGoogle Scholar
  4. [Bon99]
    D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the American Mathematical Society, 46(2):203–213, 1999.MathSciNetzbMATHGoogle Scholar
  5. [BS02]
    D. Boneh and H. Shacham. Fast variants of RSA. CryptoBytes (The technical newsletter of RSA laboratories), 5(1):1–9, 2002.Google Scholar
  6. [CHLS97]
    T. Collins, D. Hopkins, S. Langford, and M. Sabin. Public Key Cryptography Apparatus and Method. US Patent 5,848,159, Jan. 1997.Google Scholar
  7. [Cop97]
    D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, 10(4):233–260, 1997.MathSciNetCrossRefGoogle Scholar
  8. [DN00]
    G. Durfee and P. Q. Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt’ 99. In Advances in Cryptology — ASIACRYPT 2000, volume 1976 of Lecture Notes In Computer Science, pages 14–29. Springer-Verlag, 2000.CrossRefGoogle Scholar
  9. [HG97]
    N.A. Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Cryptography and Coding, volume 1355 of Lecture Notes In Computer Science, pages 131–142. Springer-Verlag, 1997.Google Scholar
  10. [Hin02]
    M. J. Hinek. Low public exponent partial key and low private exponent attacks on multi-prime RSA. Master’s thesis, University of Waterloo, Dept. of Combinatorics and Optimization, 2002.Google Scholar
  11. [HW60]
    G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, fourth edition, 1960.Google Scholar
  12. [Len01]
    A. K. Lenstra. Unbelievable security: Matching AES security using public key systems. In Advances in Cryptology — ASIACRYPT 2001, volume 2248 of Lecture Notes In Computer Science, pages 67–86. Springer-Verlag, 2001.CrossRefGoogle Scholar
  13. [LLL82]
    A. Lenstra, H. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515–534, 1982.MathSciNetCrossRefGoogle Scholar
  14. [Low02]
    M.K. Low. Attacks on multi-prime RSA with low private exponent or medium-sized public exponent. Master’s thesis, Univ. of Waterloo, Dept. of Combinatorics and Optimization, 2002.Google Scholar
  15. [May02]
    A. May. Cryptanalysis of unbalanced RSA with small CRT-exponent. In Advances in Cryptology — CRYPTO 2002, Lecture Notes In Computer Science. Springer-Verlag, 2002.Google Scholar
  16. [Old63]
    C. D. Olds. Continued Fractions. Random House, Inc., 1963.Google Scholar
  17. [RSA78]
    R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.MathSciNetCrossRefGoogle Scholar
  18. [Sho]
    V. Shoup. Number theory library (NTL), Version 5.2.
  19. [Sti95]
    D. R. Stinson. Cryptography: Theory and Practice. CRC Press LLC, 1995.Google Scholar
  20. [SZ01]
    R. Steinfeld and Y. Zheng. An advantage of low-exponent RSA with modulus primes sharing least significant bits. In Proceedings RSA Conference 2001, Cryptographer’s Track, volume 2020 of Lecture Notes in Computer Science, pages 52–62. Springer-Verlag, 2001.zbMATHGoogle Scholar
  21. [Tur82]
    J. W. M. Turk. Fast arithmetic operations on numbers and polynomials. In H.W. Lenstra, Jr. and R. Tijdeman, editors, Computational Methods in Number Theory, Part I. Mathematisch Centrum, Amsterdam, 1982.Google Scholar
  22. [Wie90]
    M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36(3):553–558, 1990.MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • M. Jason Hinek
    • 1
  • Mo King Low
    • 1
  • Edlyn Teske
    • 1
  1. 1.Department of Combinatorics and OptimizationUniversity of WaterlooWaterlooCanada

Personalised recommendations