RSA with Balanced Short Exponents and Its Application to Entity Authentication

  • Hung-Min Sun
  • Cheng-Ta Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3386)


In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt’99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N 0.25 and N 0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length \(\frac{1}{2}\log _{2}N+56\). The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt’2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.


RSA Short Exponent Attack Lattice Reduction Entity Authentication 


  1. 1.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)Google Scholar
  2. 2.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)Google Scholar
  3. 3.
    Cavallar, S., Dodson, B., Lenstra, A.K., Lioen, W., Montgomery, P.L., Murphy, B., te Riele, H., Aardal, K., Gilchrist, J., Guillerm, G., Leyland, P., Marchand, J., Morain, F., Muffett, A., Putnam, C., Putnam, C., Zimmermann, P.: Factorization of 512-bit RSA key using the number field sieve. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 1–18. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA schemes with short secret exponent from asiacrypt ’99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Herstein, I.N.: Topics in Algebra. Xerox Corporation (1975)Google Scholar
  7. 7.
    Hong, H.S., Lee, H.K., Lee, H.S., Lee, H.J.: The better bound of private key in RSA with unbalanced primes. Applied Mathematics and Computation 139, 351–362 (2003)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
  9. 9.
    Joye, M., Quisquater, J.J., Yen, S.M., Yung, M.: Security paradoxes: how improving a cryptosystem may weaken it. In: Proceedings of the Ninth National Conference on Information Security, pp. 27–32 (1999)Google Scholar
  10. 10.
    Lenstra, A., Lenstra, H., Lovasz, L.: Factoring polynomial with rational coefficients. Mathematiche Annalen 261, 515–534 (1982)MATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Lenstra Jr., H.W.: Factoring integers with elliptic curves. Annuals of Mathematics 126, 649–673 (1987)Google Scholar
  12. 12.
    Pinch, R.: Extending the Wiener attack to RSA-type cryptosystems. Electronics Letters 31, 1736–1738 (1995)CrossRefGoogle Scholar
  13. 13.
    Pollard, J.: Theorems of factorization and primality testing. Proc. Cambridge Philos. Soc. 76, 521–528 (1974)MATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21, 120–126 (1987)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Rivest, R., Silverman, R.D.: Are strong primes needed for RSA? The 1997 RSA Laboratories Seminar series, Seminar Proceedings (1997)Google Scholar
  16. 16.
    Sakai, R., Morii, M., Kasahara, M.: New key generation algorithm for RSA cryptosystem. IEICE Transactions on Fundamentals E77-A, 89–97 (1994)Google Scholar
  17. 17.
    Sun, H.-M., Yang, W.-C., Laih, C.-S.: On the design of RSA with short secret exponent. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 150–164. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  18. 18.
    Sun, H.M., Yang, W.C., Laih, C.S.: On the design of RSA with short secretexponent. Journal of Inforamtion Science and Engineering 18(1), 1–18 (2002)Google Scholar
  19. 19.
    Verheul, E., van Tilborg, H.: Cryptanalysis of less short RSA secret exponents. Applicable Algebra in Engineering, Communication and Computing 8, 425–435 (1997)MATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13, 17–28 (2002)MATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Hung-Min Sun
    • 1
  • Cheng-Ta Yang
    • 2
  1. 1.Department of Computer ScienceNational Tsing Hua UniversityHsinchuTaiwan
  2. 2.Department of Computer Science and Information EngineeringNational Cheng Kung University 

Personalised recommendations