Partial Key Exposure Attack on CRT-RSA

  • Santanu Sarkar
  • Subhamoy Maitra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5536)

Abstract

Consider CRT-RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponents d_p, d_q. Jochemsz and May (Crypto 2007) showed that CRT-RSA is weak when d_p, d_q are smaller than N^0.073. As a follow-up to that paper, we study the partial key exposure attack on CRT-RSA when some Most Significant Bits (MSBs) of d_p, d_q are exposed. Further, better results are obtained when a few MSBs of p (or q) are available too. We present theoretical results as well as experimental evidence to justify our claim. We also analyze the case when the decryption exponents are of different bit sizes, and show that CRT-RSA is more insecure in this case (than when d_p, d_q have the same bit size), considering the total bit size of d_p, d_q.

Keywords

RSA; CRT-RSA; Cryptanalysis; Factorization; Lattice; LLL Algorithm; Side Channel Attacks; Weak Keys


References

  1. Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)
  2. Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
  3. Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA Private Key Given a Small Fraction of its Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
  4. Boneh, D.: Twenty Years of Attacks on the RSA Cryptosystem. Notices of the AMS 46(2), 203–213 (1999)
  5. Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less Than N^0.292. IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)
  6. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. Journal of Cryptology 14(2), 101–119 (2001)
  7. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1996)
  8. Coppersmith, D.: Small Solutions to Polynomial Equations and Low Exponent Vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
  9. Coron, J.-S.: Finding Small Roots of Bivariate Integer Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)
  10. Cox, D., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms, 2nd edn. Springer, Heidelberg (1998)
  11. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  12. Galbraith, S., Heneghan, C., Mckee, J.: Tunable Balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)
  13. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  14. Jochemsz, E.: Cryptanalysis of RSA Variants Using Small Roots of Polynomials. Ph.D. thesis, Technische Universiteit Eindhoven (2007)
  15. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with new Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  16. Jochemsz, E., May, A.: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N^0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  17. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261, 513–534 (1982)
  18. May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)
  19. May, A.: Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey. LLL+ 25 Conference in honour of the 25th birthday of the LLL algorithm (2007), http://www.informatik.tu-darmstadt.de/KP/alex.html (last accessed 23 December, 2008)
  20. Rivest, R.L., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of ACM 21(2), 158–164 (1978)
  21. Wiener, M.: Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Santanu Sarkar (1)
  • Subhamoy Maitra (1)
  1. Indian Statistical Institute, Kolkata, India
