Common Modulus Attacks on Small Private Exponent RSA and Some Fast Variants (in Practice)

In this work we re-examine two common modulus attacks on RSA. First, we show that Guo\u27s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus $N$ and private exponents each smaller than $N^{0.33}$ the attack can factor the modulus about $93\%$ of the time in practice. The success rate of the attack can be increased up to almost $100\%$ by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert\u27s lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once $n \geq 7$ instances of RSA are used. In particular, by construction, the attack can only succeed when the private exponents are each smaller than $N^{0.5-\epsilon}$, given sufficiently many instances, instead of the original bound of $N^{1-\epsilon}$. In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Tagaki\u27s variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than $N^{1/3-\epsilon}$ is unsafe. For Takagi\u27s variant, we show that three or more instances with a common modulus $N=p^rq$ is unsafe when all the private exponents are smaller than $N^{2/(3(r+1))-\epsilon}$. The results, for both variants, is obtained using Guo\u27s method and are successful almost always with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert\u27s attack can be mounted on multi-prime RSA when the private exponents are smaller than $N^{(3+r)/7r-\epsilon}$ when there are $r$ primes in the modulus

On the Security of Some Variants of RSA

The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA

Quantum Attacks on Modern Cryptography and Post-Quantum Cryptosystems

Cryptography is a critical technology in the modern computing industry, but the security of many cryptosystems relies on the difficulty of mathematical problems such as integer factorization and discrete logarithms. Large quantum computers can solve these problems efficiently, enabling the effective cryptanalysis of many common cryptosystems using such algorithms as Shor’s and Grover’s. If data integrity and security are to be preserved in the future, the algorithms that are vulnerable to quantum cryptanalytic techniques must be phased out in favor of quantum-proof cryptosystems. While quantum computer technology is still developing and is not yet capable of breaking commercial encryption, these steps can be taken immediately to ensure that the impending development of large quantum computers does not compromise sensitive data

Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting

International audienceWe analyze the security and the efficiency of interactive protocols where a client wants to delegate the computation of an RSA signature given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is splitted using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and we propose a simple variant of this protocol that provides better efficiency for the same security level. Eventually, we present the first attacks on the protocol RSA-S2 that employs the Chinese Remainder Theorem to speed up the client's computation. The efficiency of our (heuristic) attacks has been validated experimentally

Can NSEC5 be practical for DNSSEC deployments?

NSEC5 is proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results indicate that our redesigned NSEC5 can be viable even for high-throughput scenarioshttps://eprint.iacr.org/2017/099.pdfFirst author draf

A polynomial time attack on RSA with private CRT-exponents smaller than N0.073N^{0.073}

Wiener’s famous attack on RSA with d

Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference

In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is to combine all the equations and solve one multivariate equation by generic lattice approaches. Since the equation form is similar to multi-prime Phi-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments

Partial key exposure attacks on multi-power RSA

Tezin basılısı İstanbul Şehir Üniversitesi Kütüphanesi'ndedir.In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = prq, where r ≥ 2. Building on Coppersmith’s method of finding small roots of polynomials, Boneh and Durfee show a very crucial result (a small private exponent attack) for standard RSA. According to this study, N = pq can be factored in polynomial time in log N when d < N 0.292 . In 2014, Sarkar improve the existing small private exponent attacks on multi-power RSA for r ≤ 5. He shows that one can factor N in polynomial time in log N if d < N 0.395 for r = 2 . Extending the ideas in Sarkar’s work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of least significant bits (LSBs) of the private exponent d is required to realize this attack. Our result is a generalization of Sarkar’s result, and his result can be seen as a corollary of our result. Our attack has the following properties: the required known part of LSBs becomes smaller in the size of the public exponent e and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we demonstrate several computer algebra experiments. In the experiments, we use the LLL algorithm and Gröbner basis computation. We achieve to obtain better experimental results than our theoretical result indicates for some cases.Declaration of Authorship ii Abstract iii Öz iv Acknowledgments v List of Figures viii List of Tables ix Abbreviations x 1 Introduction 1 1.1 A Short History of the Partial Key Exposure Attacks . . . . . . . . . . . . 4 1.2 Overview of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 The RSA Cryptosystem 8 2.1 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2 RSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3 Multi-power RSA (Takagi’s Variant) . . . . . . . . . . . . . . . . . . . . . 10 2.4 Cryptanalysis of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.4.1 Factoring N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2 Implementation Attacks . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2.1 Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . 12 2.4.2.2 Bleichenbacher’s Attack . . . . . . . . . . . . . . . . . . . 13 2.4.3 Message Recovery Attacks . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.1 Håstad’s Attack . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.2 Franklin-Reiter Attack . . . . . . . . . . . . . . . . . . . . 15 2.4.3.3 Coppersmith’s Short Pad Attack . . . . . . . . . . . . . . 15 2.4.4 Attacks Using Extra Knowledge on RSA Parameters . . . . . . . . 15 2.4.4.1 Wiener’s Attack . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.4.2 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . 17 3 Preliminaries 18 3.1 Lattice Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Finding Small Roots of Polynomials . . . . . . . . . . . . . . . . . . . . . 20 3.2.1 Finding Small Modular Roots . . . . . . . . . . . . . . . . . . . . . 21 3.2.2 Complexity of the Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.2.1 Polynomial Reduction . . . . . . . . . . . . . . . . . . . . 25 3.2.2.2 Root Extraction . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.3 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4 Partial Key Exposure Attacks on Multi-Power RSA 28 4.1 Known Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.1.1 Attacks when ed ≡ 1 mod ( p−1)( q−1) . . . . . . . . . . . . . . . 29 4.1.2 Attacks when ed ≡ 1 mod ( pr −pr−1)( q−1) . . . . . . . . . . . . . 29 4.2 A New Attack with Known LSBs . . . . . . . . . . . . . . . . . . . . . . . 31 4.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 Conclusion and Discussions 39 Bibliograph

Solving Linear Equations Modulo Unknown Divisors: Revisited

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt\u2708) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS\u2712). Their algorithms have many important applications in cryptanalysis, such as factoring with known bits problem, fault attacks on RSA signatures, analysis of approximate GCD problem, etc. In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically, \begin{itemize} \item We improve May\u27s results (PKC\u2704) on small secret exponent attack on RSA variant with moduli $N = p^rq$ ($r\geq 2$). \item We experimentally improve Boneh et al.\u27s algorithm (Crypto\u2798) on factoring $N=p^rq$ ($r\geq 2$) with known bits problem. \item We significantly improve Jochemsz-May\u27 attack (Asiacrypt\u2706) on Common Prime RSA. \item We extend Nitaj\u27s result (Africacrypt\u2712) on weak encryption exponents of RSA and CRT-RSA. \end{itemize