Partial key exposure attacks on multi-power RSA

Tezin basılısı İstanbul Şehir Üniversitesi Kütüphanesi'ndedir.In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = prq, where r ≥ 2. Building on Coppersmith’s method of finding small roots of polynomials, Boneh and Durfee show a very crucial result (a small private exponent attack) for standard RSA. According to this study, N = pq can be factored in polynomial time in log N when d < N 0.292 . In 2014, Sarkar improve the existing small private exponent attacks on multi-power RSA for r ≤ 5. He shows that one can factor N in polynomial time in log N if d < N 0.395 for r = 2 . Extending the ideas in Sarkar’s work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of least significant bits (LSBs) of the private exponent d is required to realize this attack. Our result is a generalization of Sarkar’s result, and his result can be seen as a corollary of our result. Our attack has the following properties: the required known part of LSBs becomes smaller in the size of the public exponent e and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we demonstrate several computer algebra experiments. In the experiments, we use the LLL algorithm and Gröbner basis computation. We achieve to obtain better experimental results than our theoretical result indicates for some cases.Declaration of Authorship ii Abstract iii Öz iv Acknowledgments v List of Figures viii List of Tables ix Abbreviations x 1 Introduction 1 1.1 A Short History of the Partial Key Exposure Attacks . . . . . . . . . . . . 4 1.2 Overview of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 The RSA Cryptosystem 8 2.1 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2 RSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3 Multi-power RSA (Takagi’s Variant) . . . . . . . . . . . . . . . . . . . . . 10 2.4 Cryptanalysis of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.4.1 Factoring N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2 Implementation Attacks . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2.1 Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . 12 2.4.2.2 Bleichenbacher’s Attack . . . . . . . . . . . . . . . . . . . 13 2.4.3 Message Recovery Attacks . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.1 Håstad’s Attack . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.2 Franklin-Reiter Attack . . . . . . . . . . . . . . . . . . . . 15 2.4.3.3 Coppersmith’s Short Pad Attack . . . . . . . . . . . . . . 15 2.4.4 Attacks Using Extra Knowledge on RSA Parameters . . . . . . . . 15 2.4.4.1 Wiener’s Attack . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.4.2 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . 17 3 Preliminaries 18 3.1 Lattice Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Finding Small Roots of Polynomials . . . . . . . . . . . . . . . . . . . . . 20 3.2.1 Finding Small Modular Roots . . . . . . . . . . . . . . . . . . . . . 21 3.2.2 Complexity of the Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.2.1 Polynomial Reduction . . . . . . . . . . . . . . . . . . . . 25 3.2.2.2 Root Extraction . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.3 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4 Partial Key Exposure Attacks on Multi-Power RSA 28 4.1 Known Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.1.1 Attacks when ed ≡ 1 mod ( p−1)( q−1) . . . . . . . . . . . . . . . 29 4.1.2 Attacks when ed ≡ 1 mod ( pr −pr−1)( q−1) . . . . . . . . . . . . . 29 4.2 A New Attack with Known LSBs . . . . . . . . . . . . . . . . . . . . . . . 31 4.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 Conclusion and Discussions 39 Bibliograph