# Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents

Conference paper, published in: Progress in Cryptology -- INDOCRYPT 2015 (INDOCRYPT 2015).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9462).


## Abstract

In this paper, we analyze the security of two variants of the RSA public key cryptosystem where multiple encryption and decryption exponents are used with a common modulus. For the most well known variant, CRT-RSA, assume that n encryption and decryption exponents $$(e_l,d_{p_l},d_{q_l})$$, where $$l=1,\cdots ,n$$, are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when $$d_{p_l},d_{q_l}<N^{\frac{2n-3}{8n+2}}$$ for all $$l=1,\cdots ,n$$. We further improve this bound to $$d_{p_l}(\mathrm {or}\,d_{q_l})<N^{\frac{9n-14}{24n+8}}$$ for all $$l=1,\cdots ,n$$. Moreover, our experiments do better than previous works by Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi’s variant of RSA, assume that n key pairs $$(e_l,d_l)$$ for $$l=1,\cdots ,n$$ are available for a common modulus $$N=p^rq$$ where $$r\ge 2$$. By solving several simultaneous modular univariate linear equations, we show that when $$d_l<N^{(\frac{r-1}{r+1})^{\frac{n+1}{n}}}$$, for all $$l=1,\cdots ,n$$, one can factor the common modulus N.


## References

1. Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013)

2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key $$d$$ less than $$N^{0.292}$$. IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)

3. Bosma, W., Cannon, J.J., Playoust, C.: The MAGMA algebra system I: the user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)

4. Cohn, H., Heninger, N.: Approximate common divisors via lattices. CoRR abs/1108.2714 (2011)

5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)

6. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)

7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355. Springer, Heidelberg (1997)

8. Howgrave-Graham, N., Seifert, J.-P.: Extending Wiener’s attack in the presence of many decrypting exponents. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999)

9. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)

10. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than $$N^{0.073}$$. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)

11. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

12. Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: ASIACRYPT 2015 (2015) (to appear). https://eprint.iacr.org/2014/343

13. May, A.: Secret exponent attacks on RSA-type schemes with moduli $$N={p}^{r} {q}$$. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)

14. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)

15. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm - Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)

16. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

17. Sarkar, S.: Small secret exponent attack on RSA variant with modulus $$N=p^{r} q$$. Des. Codes Crypt. 73(2), 383–392 (2014)

18. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponent. Inf. Process. Lett. 110(8–9), 336–340 (2010)

19. Simmons, G.J.: A weak privacy protocol using the RSA cryptalgorithm. Cryptologia 7(2), 180–182 (1983)

20. Sun, H., Wu, M.: An approach towards rebalanced RSA-CRT with short public exponent. IACR Cryptology ePrint Archive 2005, 53 (2005)

21. Takagi, T.: Fast RSA-type cryptosystem modulo $$p^{k}q$$. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)

22. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)

23. Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Heidelberg (2014)

24. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)

## Acknowledgements

The authors would like to thank anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (Grants 2013CB834203 and 2011CB302400), the National Natural Science Foundation of China (Grants 61472417, 61402469, 61472416 and 61272478), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702 and XDA06010703, and the State Key Laboratory of Information Security, Chinese Academy of Sciences. Y. Lu is supported by Project CREST, JST.

## Author information

### Corresponding author

Correspondence to Lei Hu.

## Appendix

Here we present the detailed calculations of $$S_{X_1},S_Y,S_{Z_1},S_{e_1}$$.

Let $$\sum \limits ^{*}$$ denote $$\sum \limits _{i_1=0}^m\cdots \sum \limits _{i_n=0}^m\sum \limits _{j_1=0}^{m-i_1}\cdots \sum \limits _{j_n=0}^{m-i_n}$$. For any $$0\le a,b\le n$$, we have that

$$\begin{aligned} \sum ^{*}i_ai_b= \begin{cases} \dfrac{m^{2n+2}}{12\cdot 2^{n-1}}+o(m^{2n+2}), & a=b,\\[6pt] \dfrac{m^{2n+2}}{18\cdot 2^{n-1}}+o(m^{2n+2}), & a\ne b, \end{cases} \end{aligned}$$

and

$$\begin{aligned} \sum ^{*}i_aj_b= \begin{cases} \dfrac{m^{2n+2}}{24\cdot 2^{n-1}}+o(m^{2n+2}), & a=b,\\[6pt] \dfrac{m^{2n+2}}{18\cdot 2^{n-1}}+o(m^{2n+2}), & a\ne b. \end{cases} \end{aligned}$$

Then we obtain that

$$\begin{aligned} \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}(i_1+\cdots +i_n)&= \left(\frac{n^2}{18}+\frac{n}{36}\right)\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}),\\ \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}(j_1+\cdots +j_n)&= \left(\frac{n^2}{18}-\frac{n}{72}\right)\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}),\\ \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}k&=\sum ^{*}\left(\frac{(i_1+\cdots +i_n)^2}{2}+\frac{i_1+\cdots +i_n}{2}\right)\\&=\left(\frac{n^2}{36}+\frac{n}{72}\right)\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}). \end{aligned}$$

Moreover,

$$\begin{aligned} \sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}\min (i_1,k)&=\sum ^{*} \left(\sum _{k=0}^{i_1}k+\sum _{k=i_{1}+1}^{i_1+\cdots +i_n}i_1\right)\\&=\sum ^{*}\left(\frac{i_1(i_1+1)}{2}+i_1(i_2+\cdots +i_n)\right)\\&=\left(\frac{n}{18}-\frac{1}{72}\right)\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}). \end{aligned}$$

By symmetry, we have

$$\sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}\bigl(\min (i_1,k)+\cdots +\min (i_n,k)\bigr) =\left(\frac{n^2}{18}-\frac{n}{72}\right)\frac{m^{2n+2}}{2^{n-1}}+o(m^{2n+2}).$$

The dimension of lattice $$\mathcal {L}'$$ is

$$\mathrm {dim}(\mathcal {L}')=\sum ^{*}\sum _{k=0}^{i_1+\cdots +i_n}1=\frac{n}{6\cdot 2^{n-1}}\,m^{2n+1}+o(m^{2n+1}).$$
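The leading terms above are asymptotic in m, and it is easy to drop a factor of 2 or mis-count the inner sum over k when re-deriving them for a new lattice. The following Python script is an added check, not code from the paper: it evaluates the five sums exactly for small n and m (enumerating the i-tuples and handling the j-tuples in closed form, so the loop has only (m+1)^n iterations) and reports the ratio of each exact value to its leading term, which should tend to 1 as m grows. The function names `star_sums`, `leading_terms` and `ratios` are this example's own.

```python
"""Brute-force check of the asymptotic sums in the appendix (added example, not the paper's code).

The sums checked are, with S = i_1 + ... + i_n and sum* as defined in the appendix,
  sum* sum_{k=0}^{S} 1,  sum* sum_{k=0}^{S} S,  sum* sum_{k=0}^{S} (j_1+...+j_n),
  sum* sum_{k=0}^{S} k,  sum* sum_{k=0}^{S} (min(i_1,k)+...+min(i_n,k)).
"""
from fractions import Fraction
from itertools import product
from math import prod


def star_sums(n, m):
    """Exact integer values of the five sums for given n and m."""
    dim = sum_i = sum_j = sum_k = sum_min = 0
    for i in product(range(m + 1), repeat=n):
        S = sum(i)  # i_1 + ... + i_n
        # number of j-tuples with 0 <= j_a <= m - i_a for every coordinate a
        cnt = prod(m - ia + 1 for ia in i)
        # sum of (j_1 + ... + j_n) over all those j-tuples: coordinate a contributes
        # (m - i_a)(m - i_a + 1)/2 times the number of choices for the other coordinates
        tot_j = sum((m - ia) * (m - ia + 1) // 2 * (cnt // (m - ia + 1)) for ia in i)
        # the inner sum over k = 0..S has S + 1 terms
        dim += (S + 1) * cnt
        sum_i += (S + 1) * S * cnt
        sum_j += (S + 1) * tot_j
        sum_k += S * (S + 1) // 2 * cnt
        # sum_{k=0}^{S} min(i_a, k) = i_a(i_a+1)/2 + i_a (S - i_a), the split used in the appendix
        sum_min += sum(ia * (ia + 1) // 2 + ia * (S - ia) for ia in i) * cnt
    return {"dim": dim, "sum_i": sum_i, "sum_j": sum_j, "sum_k": sum_k, "sum_min": sum_min}


def leading_terms(n, m):
    """Leading terms stated in the appendix, as exact rationals."""
    n2 = Fraction(n * n)
    scale = Fraction(m ** (2 * n + 2), 2 ** (n - 1))  # m^{2n+2} / 2^{n-1}
    return {
        "dim": Fraction(n, 6) * Fraction(m ** (2 * n + 1), 2 ** (n - 1)),
        "sum_i": (n2 / 18 + Fraction(n, 36)) * scale,
        "sum_j": (n2 / 18 - Fraction(n, 72)) * scale,
        "sum_k": (n2 / 36 + Fraction(n, 72)) * scale,
        "sum_min": (n2 / 18 - Fraction(n, 72)) * scale,
    }


def ratios(n, m):
    """Exact value divided by leading term for each sum; tends to 1 as m grows."""
    exact, lead = star_sums(n, m), leading_terms(n, m)
    return {key: float(Fraction(exact[key]) / lead[key]) for key in exact}


if __name__ == "__main__":
    for n in (2, 3):
        for m in (10, 20, 40):
            print(f"n={n} m={m}", {k: round(v, 3) for k, v in ratios(n, m).items()})
```

The ratios approach 1 from above at rate O(1/m), which is exactly the o(m^{2n+2}) slack the appendix leaves; doubling m roughly halves the distance to 1. Changing any coefficient in `leading_terms` (for instance 18 to 12 in `sum_j`) makes the corresponding ratio converge to a constant other than 1, which is how such a check catches a mis-derived term.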

## Rights and permissions


© 2015 Springer International Publishing Switzerland

### Cite this paper

Peng, L., Hu, L., Lu, Y., Sarkar, S., Xu, J., Huang, Z. (2015). Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents. In: Biryukov, A., Goyal, V. (eds) Progress in Cryptology -- INDOCRYPT 2015. INDOCRYPT 2015. Lecture Notes in Computer Science, vol 9462. Springer, Cham. https://doi.org/10.1007/978-3-319-26617-6_6

• DOI: https://doi.org/10.1007/978-3-319-26617-6_6


• Publisher Name: Springer, Cham

• Print ISBN: 978-3-319-26616-9

• Online ISBN: 978-3-319-26617-6
