
Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents

Conference paper. Progress in Cryptology -- INDOCRYPT 2015 (INDOCRYPT 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9462)

Abstract

In this paper, we analyze the security of two variants of the RSA public key cryptosystem where multiple encryption and decryption exponents are used with a common modulus. For the best-known variant, CRT-RSA, assume that n encryption and decryption exponents \((e_l,d_{p_l},d_{q_l})\), where \(l=1,\cdots ,n\), are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when \(d_{p_l},d_{q_l}<N^{\frac{2n-3}{8n+2}}\) for all \(l=1,\cdots ,n\). We further improve this bound to \(d_{p_l}(\mathrm {or}\,d_{q_l})<N^{\frac{9n-14}{24n+8}}\) for all \(l=1,\cdots ,n\). Moreover, our experiments do better than previous works by Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi's variant of RSA, assume that n key pairs \((e_l,d_l)\) for \(l=1,\cdots ,n\) are available for a common modulus \(N=p^rq\) where \(r\ge 2\). By solving several simultaneous modular univariate linear equations, we show that when \(d_l<N^{(\frac{r-1}{r+1})^{\frac{n+1}{n}}}\), for all \(l=1,\cdots ,n\), one can factor the common modulus N.


References

  1. Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous Coppersmith's technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013)

  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)

  3. Bosma, W., Cannon, J.J., Playoust, C.: The MAGMA algebra system I: the user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)

  4. Cohn, H., Heninger, N.: Approximate common divisors via lattices. CoRR abs/1108.2714 (2011)

  5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)

  6. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)

  7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)

  8. Howgrave-Graham, N., Seifert, J.-P.: Extending Wiener's attack in the presence of many decrypting exponents. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999)

  9. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)

  10. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)

  11. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

  12. Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: ASIACRYPT 2015 (2015) (to appear). https://eprint.iacr.org/2014/343

  13. May, A.: Secret exponent attacks on RSA-type schemes with moduli \(N={p}^{r} {q}\). In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)

  14. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)

  15. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm - Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)

  16. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  17. Sarkar, S.: Small secret exponent attack on RSA variant with modulus \(N=p^{r} q\). Des. Codes Crypt. 73(2), 383–392 (2014)

  18. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponent. Inf. Process. Lett. 110(8–9), 336–340 (2010)

  19. Simmons, G.J.: A weak privacy protocol using the RSA cryptalgorithm. Cryptologia 7(2), 180–182 (1983)

  20. Sun, H., Wu, M.: An approach towards rebalanced RSA-CRT with short public exponent. IACR Cryptology ePrint Archive 2005, 53 (2005)

  21. Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)

  22. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)

  23. Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Heidelberg (2014)

  24. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)

Acknowledgements

The authors would like to thank anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (Grants 2013CB834203 and 2011CB302400), the National Natural Science Foundation of China (Grants 61472417, 61402469, 61472416 and 61272478), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702 and XDA06010703, and the State Key Laboratory of Information Security, Chinese Academy of Sciences. Y. Lu is supported by Project CREST, JST.

Author information

Corresponding author: Lei Hu.

Appendix

Here we present the detailed calculations of \(S_{X_1},S_Y,S_{Z_1},S_{e_1}\).

Let \(\sum \limits ^{*}\) denote \(\sum \limits _{i_1=0}^m\cdots \sum \limits _{i_n=0}^m\sum \limits _{j_1=0}^{m-i_1}\cdots \sum \limits _{j_n=0}^{m-i_n}\). For any \(0\le a,b\le n\), we have that

$$\begin{aligned} \sum ^{*}i_ai_b= \left\{ \begin{array}{l} \frac{1}{12*2^{n-1}}*m^{2n+2}+o(m^{2n+2}),\,\,(a=b),\\ \\ \frac{1}{18*2^{n-1}}*m^{2n+2}+o(m^{2n+2}),\,\,(a\ne b), \end{array} \right. \end{aligned}$$

and

$$\begin{aligned} \sum ^{*}i_aj_b= \left\{ \begin{array}{l} \frac{1}{24*2^{n-1}}*m^{2n+2}+o(m^{2n+2}),\,\,(a=b),\\ \\ \frac{1}{18*2^{n-1}}*m^{2n+2}+o(m^{2n+2}),\,\,(a\ne b). \end{array} \right. \end{aligned}$$

Then we obtain that

$$\begin{aligned} \sum \limits ^{*}\sum _{k=0}^{i_1+\cdots +i_n}i_1+\cdots +i_n&= (\frac{n^2}{18}+\frac{n}{36})*\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}),\\ \sum \limits ^{*}\sum _{k=0}^{i_1+\cdots +i_n}j_1+\cdots +j_n&= (\frac{n^2}{18}-\frac{n}{72})*\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}),\\ \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}k&=\sum ^{*}\frac{(i_1+\cdots +i_n)^2}{2}+\frac{i_1+\cdots +i_n}{2}\\&=(\frac{n^2}{36}+\frac{n}{72})*\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}). \end{aligned}$$

Moreover,

$$\begin{aligned} \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}\min (i_1,k)&=\sum ^{*} (\sum _{k=0}^{i_1}k+\sum _{k=i_{1}+1}^{i_1+\cdots +i_n}i_1)\\&=\sum ^{*}(\frac{i_1(i_1+1)}{2}+i_1(i_2+\cdots +i_n))\\&=(\frac{n}{18}-\frac{1}{72})*\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}). \end{aligned}$$

By symmetry, we have

$$ \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}\min (i_1,k)+\cdots +\min (i_n,k) =(\frac{n^2}{18}-\frac{n}{72})*\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}). $$

The dimension of lattice \(\mathcal {L}'\) is

$$ \mathrm {dim}(\mathcal {L}')=\sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}1=\frac{n}{6*2^{n-1}}*m^{2n+1}+o(m^{2n+1}). $$
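As an added numerical check (this script is not part of the paper), the following Python code enumerates the index set of \(\sum ^{*}\) exactly for small n and m, evaluates each of the sums above by brute force, and divides by the leading term stated in the appendix. The ratio exceeds 1 for small m because of the \(o(m^{2n+2})\) error and decreases toward 1 as m grows. The labels sum_i, sum_j, sum_k, sum_min and dim are names introduced here for the five sums.

```python
from fractions import Fraction
from itertools import product


def star_index_set(n, m):
    """Index set of Σ*: 0 <= i_l <= m and 0 <= j_l <= m - i_l for l = 1..n."""
    for i in product(range(m + 1), repeat=n):
        for j in product(*(range(m - il + 1) for il in i)):
            yield i, j


def star_sum(n, m, term):
    """Exact value of Σ* term(i, j) by brute-force enumeration."""
    return sum(term(i, j) for i, j in star_index_set(n, m))


# Each lambda evaluates the inner sum over 0 <= k <= i_1 + ... + i_n for one
# index tuple (i, j); star_sum then adds these exactly. The second entry is the
# exponent offset: the sums grow like m^(2n+2), the dimension like m^(2n+1).
SUMS = {
    "sum_i":   (lambda i, j: (sum(i) + 1) * sum(i), 2),   # Σ_k (i_1 + ... + i_n)
    "sum_j":   (lambda i, j: (sum(i) + 1) * sum(j), 2),   # Σ_k (j_1 + ... + j_n)
    "sum_k":   (lambda i, j: sum(range(sum(i) + 1)), 2),  # Σ_k k
    "sum_min": (lambda i, j: sum(min(il, k)                # Σ_k Σ_l min(i_l, k)
                                 for k in range(sum(i) + 1) for il in i), 2),
    "dim":     (lambda i, j: sum(i) + 1, 1),              # Σ_k 1 = dim(L')
}


def leading_coeff(name, n):
    """Coefficient of the leading term as stated in the appendix, over 2^(n-1)."""
    c = {
        "sum_i":   Fraction(n * n, 18) + Fraction(n, 36),
        "sum_j":   Fraction(n * n, 18) - Fraction(n, 72),
        "sum_k":   Fraction(n * n, 36) + Fraction(n, 72),
        "sum_min": Fraction(n * n, 18) - Fraction(n, 72),
        "dim":     Fraction(n, 6),
    }[name]
    return c / 2 ** (n - 1)


def exact(name, n, m):
    return star_sum(n, m, SUMS[name][0])


def ratio(name, n, m):
    """Exact sum divided by its predicted leading term (an exact Fraction)."""
    offset = SUMS[name][1]
    return Fraction(exact(name, n, m)) / (leading_coeff(name, n) * m ** (2 * n + offset))


if __name__ == "__main__":
    for n in (1, 2):
        for m in (4, 8, 16):
            print(n, m, {k: round(float(ratio(k, n, m)), 3) for k in SUMS})
```

Enumeration cost is about \((m^2/2)^n\) tuples, so keep n and m small; for n = 1 the exact dimension is \((m+1)(m+2)(m+3)/6\), which the script reproduces.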

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Peng, L., Hu, L., Lu, Y., Sarkar, S., Xu, J., Huang, Z. (2015). Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents. In: Biryukov, A., Goyal, V. (eds) Progress in Cryptology -- INDOCRYPT 2015. INDOCRYPT 2015. Lecture Notes in Computer Science, vol. 9462. Springer, Cham. https://doi.org/10.1007/978-3-319-26617-6_6

  • DOI: https://doi.org/10.1007/978-3-319-26617-6_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26616-9

  • Online ISBN: 978-3-319-26617-6
