Abstract
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than N^β and the decryption exponent d is small modulo p - 1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over ℤ that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to \( \beta < \frac{3 - \sqrt{5}}{2} \approx 0.382 \). Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p - 1 provided that β ≤ 0.23.
References
D. Bleichenbacher, “On the Security of the KMOV public key cryptosystem”, Proc. of Crypto ’97
D. Boneh, “Twenty years of attacks on the RSA cryptosystem”, Notices of the AMS, 1999
D. Boneh, G. Durfee, “Cryptanalysis of RSA with private key d less than N^0.292”, IEEE Trans. on Information Theory, vol. 46(4), 2000
D. Coppersmith, “Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities”, Journal of Cryptology 10(4), 1997
G. Durfee, P. Nguyen, “Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt ’99”, Proc. of Asiacrypt 2000
M. Gruber, C.G. Lekkerkerker, “Geometry of Numbers”, North-Holland, 1987
N. Howgrave-Graham, “Finding small roots of univariate modular equations revisited”, Proc. of Cryptography and Coding, LNCS 1355, Springer-Verlag, 1997
C. Jutla, “On finding small solutions of modular multivariate polynomial equations”, Proc. of Eurocrypt ’98
A. Lenstra, H. Lenstra and L. Lovász, “Factoring polynomials with rational coefficients”, Mathematische Annalen, 1982
N. Modadugu, D. Boneh, M. Kim, “Generating RSA Keys on a Handheld Using an Untrusted Server”, INDOCRYPT 2000, pp. 271–282, 2000
R. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems”, Communications of the ACM, volume 21, 1978
I.R. Shafarevich, “Basic Algebraic Geometry”, Springer-Verlag, 1994
A. Shamir, “RSA for paranoids”, CryptoBytes vol. 1, no. 3, pp. 1–4, 1995
C.L. Siegel, “Lectures on the Geometry of Numbers”, Springer Verlag, 1989
H.-M. Sun, W.-C. Yang and C.-S. Laih, “On the design of RSA with short secret exponent”, Proc. of Asiacrypt ’99, LNCS vol. 1716, pp. 150–164, 1999
E. Verheul, H. van Tilborg, “Cryptanalysis of less short RSA secret exponents”, Applicable Algebra in Engineering, Communication and Computing, Springer Verlag, vol. 8, 1997
M. Wiener, “Cryptanalysis of short RSA secret exponents”, IEEE Transactions on Information Theory, vol. 36, 1990
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
May, A. (2002). Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45708-9_16
DOI: https://doi.org/10.1007/3-540-45708-9_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44050-5
Online ISBN: 978-3-540-45708-4
eBook Packages: Springer Book Archive