Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting
We analyze the security and the efficiency of interactive protocols where a client wants to delegate the computation of an RSA signature given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is split using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and we propose a simple variant of this protocol that provides better efficiency for the same security level. Finally, we present the first attacks on the protocol RSA-S2, which employs the Chinese Remainder Theorem to speed up the client's computation. The efficiency of our (heuristic) attacks has been validated experimentally.
On the Security of Some Variants of RSA
The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA.
Approximate Divisor Multiples -- Factoring with Only a Third of the Secret CRT-Exponents
We address Partial Key Exposure attacks on CRT-RSA on secret exponents with small public exponent . For constant it is known that the knowledge of half of the bits of one of suffices to factor the RSA modulus by Coppersmith's famous "factoring with a hint" result. We extend this setting to non-constant . Somewhat surprisingly, our attack shows that RSA with of size is most vulnerable to Partial Key Exposure, since in this case only a third of the bits of both suffices to factor in polynomial time, knowing either most significant bits (MSB) or least significant bits (LSB).
Let and . On the technical side, we find the factorization of in a novel two-step approach. In a first step we recover and in polynomial time, in the MSB case completely elementary and in the LSB case using Coppersmith's lattice-based method. We then obtain the prime factorization of by computing the root of a univariate polynomial modulo for our known . This can be seen as an extension of Howgrave-Graham's "approximate divisor" algorithm to the case of "approximate divisor multiples" for some known multiple of an unknown divisor of . The point of "approximate divisor multiples" is that the unknown that is recoverable in polynomial time grows linearly with the size of the multiple .
Our resulting Partial Key Exposure attack with known MSBs is completely rigorous, whereas in the LSB case we rely on a standard Coppersmith-type heuristic. We experimentally verify our heuristic, thereby showing that in practice we reach our asymptotic bounds already using small lattice dimensions. Thus, our attack is highly efficient.
Partial Key Exposure Attack on Short Secret Exponent CRT-RSA
Let be an RSA public key, where is the product of equal bitsize primes . Let be the corresponding secret CRT-RSA exponents.
Using a Coppersmith-type attack, Takayasu, Lu and Peng (TLP) recently showed that one obtains the factorization of in polynomial time, provided that . Building on the TLP attack, we show the first Partial Key Exposure attack on short secret exponent CRT-RSA. Namely, let . Then we show that a constant known fraction of the least significant bits (LSBs) of both suffices to factor in polynomial time.
Naturally, the larger , the more LSBs are required.
E.g. if are of size , then we have to know roughly a -fraction of their LSBs, whereas for of size we require already knowledge of a -LSB fraction. Eventually, if are of full size , we have to know all of their bits.
Notice that as a side-product of our result we obtain a heuristic deterministic polynomial time factorization algorithm on input .
A Gentle Tutorial for Lattice-Based Cryptanalysis
The applicability of lattice reduction to a wide variety of cryptographic situations makes it an important part of the cryptanalyst's toolbox. Despite this, the construction of lattices and use of lattice reduction algorithms for cryptanalysis continue to be somewhat difficult to understand for beginners. This tutorial aims to be a gentle but detailed introduction to lattice-based cryptanalysis targeted towards the novice cryptanalyst with little to no background in lattices. We explain some popular attacks through a conceptual model that simplifies the various components of a lattice attack.
Partial Key Exposure Attack on Common Prime RSA
In this paper, we focus on the common prime RSA variant and introduce a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes and defined as and for a large prime . Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA.
On the Improvement of Wiener Attack on RSA with Small Private Exponent
The RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus N=pq, it is difficult to determine the prime factors p and q efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg used an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is 2r+8 bits when extending Wiener's boundary by r bits. In this paper, we first reduce the cost of exhaustive search from 2r+8 bits to 2r+2 bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to 2r-6 bits when we extend Wiener's boundary by r bits. This means that our result is 2^14 times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended by 7 bits.
Small CRT-Exponent RSA Revisited
Since May (Crypto '02) revealed the vulnerability of the small CRT-exponent RSA using Coppersmith's lattice-based method, several papers have studied the problem and two major improvements have been made. (1) Bleichenbacher and May (PKC '06) proposed an attack for small when the prime factor is significantly smaller than the other prime factor ; the attack works for . (2) Jochemsz and May (Crypto '07) proposed an attack for small and when the prime factors and are balanced; the attack works for . Even though a decade has passed since their proposals, the above two attacks are still considered the state of the art, and no improvements have been made thus far.
A novel technique seems to be required for further improvements, since it seems that the attacks have been studied with all the applicable techniques for Coppersmith's methods proposed by Durfee-Nguyen (Asiacrypt '00), Jochemsz-May (Asiacrypt '06), and Herrmann-May (Asiacrypt '09, PKC '10). In this paper, we propose two improved attacks on the small CRT-exponent RSA: a small attack for (an improvement of Bleichenbacher-May's) and a small and attack for (an improvement of Jochemsz-May's).
The latter result is also an improvement of our result in the proceedings version (Eurocrypt '17); . We use Coppersmith's lattice-based method to solve modular equations and obtain the improvements from a novel lattice construction by exploiting useful algebraic structures of the CRT-RSA key generation equation. We explicitly show proofs of our attacks and verify their validity by computer experiments. In addition to the two main attacks, we also propose small attacks on several variants of RSA.
Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound
Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent and factoring an RSA modulus , have been proposed, such as Blömer and May (Crypto '03), Ernst et al. (Eurocrypt '05), and Aono (PKC '09). Due to Boneh and Durfee's small secret exponent attack, partial key exposure attacks should always work for even without any partial information. However, it was a difficult task to make use of the given partial information without losing the quality of Boneh-Durfee's attack. In particular, known partial key exposure attacks fail to work for with only little partial information. Such an unnatural situation stems from the fact that the additional information makes the underlying modular equations more involved. In this paper, we propose improved attacks when a secret exponent is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for and with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh-Durfee bound, i.e., they always work for . At a high level, we obtain the improved attacks by fully utilizing the unravelled linearization technique proposed by Herrmann and May (Asiacrypt '09). Although Herrmann and May (PKC '10) already applied the technique to Boneh-Durfee's attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of the underlying modular polynomials. We embed the given MSBs/LSBs into the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques.
A Tool Kit for Partial Key Exposure Attacks on RSA
Thus far, partial key exposure attacks on RSA have been intensively studied using Coppersmith's lattice-based methods. In this context, attackers are given partial information of a secret exponent and prime factors of (Multi-Prime) RSA, where the partial information is exposed in various ways. Although these attack scenarios are worth studying, there are several known attacks whose constructions have a similar flavor. In this paper, we try to formulate general attack scenarios to capture several existing ones and propose attacks for the scenarios. Our attacks contain all the state-of-the-art partial key exposure attacks, e.g., due to Ernst et al. (Eurocrypt '05) and Takayasu-Kunihiro (SAC '14, ICISC '14), as special cases. As a result, our attacks offer better results than the previous best attacks in some special cases, e.g., Sarkar-Maitra's partial key exposure attacks on RSA with the most significant bits of a prime factor (ICISC '08) and Hinek's partial key exposure attacks on Multi-Prime RSA (J. Math. Cryptology '08). We claim that our contribution is not only generalizations or improvements of the existing results. Since our attacks capture general exposure scenarios, the results can be used as a tool kit; the security of some future variants of RSA can be examined without any knowledge of Coppersmith's methods.