8 research outputs found
Security Analysis of the RSA Cryptosystem against Leakage of Partial Key Information
University of Tokyo
Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting
We analyze the security and the efficiency of interactive protocols where a client wants to delegate the computation of an RSA signature given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is split using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and we propose a simple variant of this protocol that provides better efficiency for the same security level. Eventually, we present the first attacks on the protocol RSA-S2 that employs the Chinese Remainder Theorem to speed up the client's computation. The efficiency of our (heuristic) attacks has been validated experimentally.
Minkowski sum based lattice construction for multivariate simultaneous Coppersmith's technique and applications to RSA
We investigate a lattice construction method for the Coppersmith technique for finding small solutions of a modular equation. We consider its variant for simultaneous equations and propose a method to construct a lattice by combining lattices for solving single equations. As applications, we consider new RSA cryptanalyses. Our algorithm can factor an RSA modulus from pairs of RSA public exponents with the common modulus corresponding to secret exponents smaller than , which improves on the previously best known result by Sarkar and Maitra. For the partial key exposure situation, we also can factor the modulus if , where and are bit-lengths of the secret exponent and its exposed LSBs, respectively.
Partial Key Exposure Attack on Short Secret Exponent CRT-RSA
Let be an RSA public key, where is the product of equal bitsize primes . Let be the corresponding secret CRT-RSA exponents.
Using a Coppersmith-type attack, Takayasu, Lu and Peng (TLP) recently showed that one obtains the factorization of in polynomial time, provided that . Building on the TLP attack, we show the first Partial Key Exposure attack on short secret exponent CRT-RSA. Namely, let . Then we show that a constant known fraction of the least significant bits (LSBs) of both suffices to factor in polynomial time.
Naturally, the larger , the more LSBs are required.
E.g. if are of size , then we have to know roughly a -fraction of their LSBs, whereas for of size we require already knowledge of a -LSB fraction. Eventually, if are of full size , we have to know all of their bits.
Notice that as a side-product of our result we obtain a heuristic deterministic polynomial time factorization algorithm on input
On the Optimality of Lattices for the Coppersmith Technique
We investigate a method for finding small integer solutions of a univariate modular equation, that was introduced by Coppersmith and extended by May. We will refer to this method as the Coppersmith technique. This paper provides a way to analyze the general limitations of the lattice construction for the Coppersmith technique. Our analysis upper bounds the possible range of that is asymptotically equal to the bound given by the original result of Coppersmith and May. This means that they have already given the best lattice construction. In addition, we investigate the optimality for the bivariate equation to solve the small inverse problem, which was inspired by Kunihiro's argument. In particular, we show the optimality for the Boneh-Durfee's equation used for RSA cryptanalysis. To show our results, we establish a framework for the technique by following the relation of Howgrave-Graham, and then concretely define the conditions in which the technique succeeds and fails. We then provide a way to analyze the range of that satisfies these conditions. Technically, we show that the original result of Coppersmith achieves the optimal bound for when constructing a lattice in the standard way. We then provide evidence which indicates that constructing a non-standard lattice is generally difficult.
Finding Small Solutions of the Equation and Its Applications to Cryptanalysis of the RSA Cryptosystem
In this paper, we study the condition of finding small solutions of the equation . The framework is derived from Wiener's small private exponent attack on RSA and May-Ritzenhofen's investigation about the implicit factorization problem, both of which can be generalized to solve the above equation. We show that these two methods, together with Coppersmith's method, are equivalent for solving in the general case. Then based on Coppersmith's method, we present two improvements for solving in some special cases. The first improvement pays attention to the case where either or is large enough. As the applications of this improvement, we propose some new cryptanalysis of RSA, such as new results about the generalized implicit factorization problem, attacks with known bits of the prime factor, and so on. The motivation of these applications comes from oracle based complexity of factorization problems. The second improvement assumes that the value of is known. We present two attacks on RSA as its applications. One focuses on the case with known bits of the private exponent together with the prime factor, and the other considers the case with a small difference of the two prime factors. Our new attacks on RSA improve the previous corresponding results respectively, and the correctness of the approach is verified by experiments.