Partial Key Exposure on RSA with Private Exponents Larger Than N

  • Marc Joye
  • Tancrède Lepoint
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7232)

Abstract

In 1998, Boneh, Durfee and Frankel described several attacks against RSA enabling an attacker given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways. They however always consider that the private exponent d is smaller than the RSA modulus N. When it comes to implementation, d can be enlarged to a value larger than N so as to improve the performance (by lowering its Hamming weight) or to increase the security (by preventing certain side-channel attacks). This paper studies this extended setting and quantifies the number of bits of d required to mount practical partial key exposure attacks. Both the cases of known most significant bits (MSBs) and least significant bits (LSBs) are analyzed. Our results are based on Coppersmith’s heuristic methods and validated by practical experiments run through the SAGE computer-algebra system.

Keywords

RSA cryptosystem cryptanalysis key exposure Coppersmith’s methods lattice reduction 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000), extended abstract in Proc. of EUROCRYPT 1998Google Scholar
  4. 4.
    Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  5. 5.
    Cohen, G.D., Lobstein, A., Naccache, D., Zémor, G.: How to Improve an Exponentiation Black-Box. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 211–220. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. 6.
    Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)MathSciNetMATHCrossRefGoogle Scholar
  9. 9.
    Coron, J.S.: Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Coron, J.S.: Finding Small Roots of Bivariate Integer Polynomial Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Coron, J.S.: Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Heninger, N., Shacham, H.: Reconstructing RSA Private Keys from Random Key Bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Herrmann, M., May, A.: Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. 15.
    Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  16. 16.
    Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than N 0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  19. 19.
    Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. Journal of Cryptographic Engineeering 1(1), 5–27 (2011)CrossRefGoogle Scholar
  20. 20.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  21. 21.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)MathSciNetMATHCrossRefGoogle Scholar
  22. 22.
    May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. thesis, University of Paderborn (2003)Google Scholar
  23. 23.
    Miller, G.L.: Riemann’s hypothesis and tests for primality. Journal of Computer and System Sciences 13(3), 300–317 (1976)MathSciNetMATHCrossRefGoogle Scholar
  24. 24.
    Sarkar, S.: Partial Key Exposure: Generalized Framework to Attack RSA. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 76–92. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  25. 25.
    Sarkar, S., Sen Gupta, S., Maitra, S.: Partial Key Exposure Attack on RSA – Improvements for Limited Lattice Dimensions. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 2–16. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Shoup, V.: Number Theory Library (Version 5.5.2). A library for doing Number Theory (2011), http://www.shoup.net/ntl
  27. 27.
    Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) Advances in Cryptology, Proceedings of CRYPTO 1983, pp. 51–67. Plenum Press (1984)Google Scholar
  28. 28.
    Simmons, G.J.: The Subliminal Channel and Digital Signatures. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 364–378. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  29. 29.
    Stein, W.A., et al.: Sage Mathematics Software (Version 4.7). The Sage Development Team (2011), http://www.sagemath.org
  30. 30.
    Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)MathSciNetMATHCrossRefGoogle Scholar
  31. 31.
    Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. John Wiley & Sons (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Marc Joye
    • 1
  • Tancrède Lepoint
    • 2
    • 3
  1. 1.Technicolor, Security & Content Protection LabsCesson-Sévigné CedexFrance
  2. 2.CryptoExpertsParisFrance
  3. 3.Laboratoire d’Informatique de l’École Normale SupérieureParis Cedex 05France

Personalised recommendations