International Conference in Cryptology in India

Progress in Cryptology -- INDOCRYPT 2015 pp 105-123

Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents

  • Liqiang Peng
  • Lei Hu
  • Yao Lu
  • Santanu Sarkar
  • Jun Xu
  • Zhangjie Huang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9462)


In this paper, we analyze the security of two variants of the RSA public key cryptosystem in which multiple encryption and decryption exponents are used with a common modulus. For the best-known variant, CRT-RSA, assume that n encryption and decryption exponents \((e_l,d_{p_l},d_{q_l})\), where \(l=1,\cdots ,n\), are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when \(d_{p_l},d_{q_l}<N^{\frac{2n-3}{8n+2}}\) for all \(l=1,\cdots ,n\). We further improve this bound to \(d_{p_l}\) (or \(d_{q_l}\)) \(<N^{\frac{9n-14}{24n+8}}\) for all \(l=1,\cdots ,n\). Moreover, our experimental results improve on the previous works of Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi’s variant of RSA, assume that n key pairs \((e_l,d_l)\) for \(l=1,\cdots ,n\) are available for a common modulus \(N=p^rq\) where \(r\ge 2\). By solving several simultaneous modular univariate linear equations, we show that when \(d_l<N^{(\frac{r-1}{r+1})^{\frac{n+1}{n}}}\) for all \(l=1,\cdots ,n\), one can factor the common modulus N.


Keywords: RSA, Cryptanalysis, Lattice, Coppersmith’s method


  1. Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013)
  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)
  3. Bosma, W., Cannon, J.J., Playoust, C.: The MAGMA algebra system I: the user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)
  4. Cohn, H., Heninger, N.: Approximate common divisors via lattices. CoRR abs/1108.2714 (2011)
  5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
  6. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
  7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997)
  8. Howgrave-Graham, N., Seifert, J.-P.: Extending Wiener’s attack in the presence of many decrypting exponents. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999)
  9. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  10. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  11. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  12. Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: ASIACRYPT 2015 (2015) (to appear)
  13. May, A.: Secret exponent attacks on RSA-type schemes with moduli \(N={p}^{r}{q}\). In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)
  14. Nguên, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
  15. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm - Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)
  16. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  17. Sarkar, S.: Small secret exponent attack on RSA variant with modulus \(N=p^{r}q\). Des. Codes Crypt. 73(2), 383–392 (2014)
  18. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponent. Inf. Process. Lett. 110(8–9), 336–340 (2010)
  19. Simmons, G.J.: A weak privacy protocol using the RSA cryptalgorithm. Cryptologia 7(2), 180–182 (1983)
  20. Sun, H., Wu, M.: An approach towards rebalanced RSA-CRT with short public exponent. IACR Cryptology ePrint Archive 2005, 53 (2005)
  21. Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
  22. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)
  23. Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Heidelberg (2014)
  24. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Liqiang Peng (1, 2)
  • Lei Hu (1, 2)
  • Yao Lu (1, 3)
  • Santanu Sarkar (4)
  • Jun Xu (1, 2)
  • Zhangjie Huang (1, 2)
  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. The University of Tokyo, Tokyo, Japan
  4. Indian Institute of Technology Madras, Chennai, India