67 research outputs found
New attacks on RSA with Moduli N = p^r q
We present three attacks on the Prime Power RSA with modulus N = p^r q. In the first attack, we consider a public exponent e satisfying an equation ex − φ(N)y = z where φ(N) = p^(r−1)(p − 1)(q − 1). We show that one can factor N if the parameters |x| and |z| satisfy |xz| < N^(r(r−1)/(r+1)^2), thereby extending the recent results of Sarkar [16]. In the second attack, we consider two public exponents e1 and e2 and their corresponding private exponents d1 and d2. We show that one can factor N when d1 and d2 share a suitable amount of their most significant bits, that is |d1 − d2| < N^(r(r−1)/(r+1)^2). The third attack enables us to factor two Prime Power RSA moduli N1 = p1^r q1 and N2 = p2^r q2 when p1 and p2 share a suitable amount of their most significant bits, namely, |p1 − p2| < p1/(2 r q1 q2).
Exponential Increment of RSA Attack Range via Lattice Based Cryptanalysis
The RSA cryptosystem comprises two important features that are needed for the encryption process, known as the public parameter and the modulus . In 1999, a cryptanalysis on RSA described by Boneh and Durfee focused on the key equation and of the same magnitude as . Their method was applicable for the case of via Coppersmith’s technique. In 2012, Kumar et al. presented an improved Boneh-Durfee attack using the same equation which is valid for any e of arbitrary size. In this paper, we present an exponential increment of the two former attacks using the variant equation . The new attack breaks the RSA system when and are suitably small integers. Moreover, the new attack shows that the Boneh-Durfee attack and the attack of Kumar et al. can be derived using a single attack. We also show that our bound manages to improve the bounds of Ariffin et al. and Bunder and Tonien.
A Unified Framework for Small Secret Exponent Attack on RSA
We address a lattice based method on the small secret exponent attack on the RSA scheme. Boneh and Durfee reduced the attack to finding small roots of a bivariate modular equation: , where is an RSA modulus and is the RSA public key. Boneh and Durfee proposed a lattice based algorithm for solving the problem. When the secret exponent is less than , their method breaks the RSA scheme. Since the lattice used in the analysis is not full-rank, the analysis is not easy. Blömer and May gave an alternative algorithm. Although their bound is worse than the Boneh--Durfee result, their method uses a full rank lattice. However, the proof for their bound is still complicated. Herrmann and May gave an elementary proof for the Boneh--Durfee's bound: . In this paper, we first give an elementary proof for achieving the bound of Blömer--May: . Our proof employs the unravelled linearization technique introduced by Herrmann and May and is considerably simpler than Blömer--May's proof. Then, we provide a unified framework to construct the lattices that are used for solving the problem, which includes two previous methods, the Herrmann--May and Blömer--May methods, as special cases. Furthermore, we prove that the bound of Boneh--Durfee: is still optimal in our unified framework.
Practical Attacks on Small Private Exponent RSA: New Records and New Insights
As a typical representative of public key cryptosystems, RSA has attracted a great deal of cryptanalysis since its invention, among which a famous attack is the small private exponent attack. It is well known that the best theoretical upper bound for the private exponent d that can be attacked is d ≤ N^0.292, where N is an RSA modulus. However, this bound may not be achieved in practical attacks, since the lattice constructed by Coppersmith's method may have so large a dimension that the lattice-based reduction algorithms cannot work well in both efficiency and quality. In this paper, we propose a new practical attack based on binary search for the most significant bits (MSBs) of the prime divisors of N and on Herrmann and May's attack of 2010. The idea of binary search is inspired by the discovery of phenomena called “multivalued-continuous phenomena”, which can significantly accelerate our attack. Together with several parameters carefully selected according to our exact and effective numerical estimations, we improve the upper bound of d that can be practically achieved. We believe our method can provide some inspiration for practical attacks on RSA with mainstream-size moduli.
A cryptanalytic attack on the LUC cryptosystem using continued fractions
The LUC cryptosystem is a modification of the RSA cryptosystem based on Lucas sequences. In this paper we extend the Verheul–van Tilborg and Dujella variants of the Wiener attack on RSA to the LUC cryptosystem. We describe an algorithm for finding a secret key of the form , for some and nonnegative integers and , using continued fractions. We derive bounds for and using results on Diophantine approximations.
A new attack on RSA with a composed decryption exponent
In this paper, we consider an RSA modulus , where the prime factors , are of the same size. We present an attack on RSA when the decryption exponent is of the form where is a given positive integer and and are two suitably small unknown integers. In 1999, Boneh and Durfee presented an attack on RSA when . When , our attack enables one to overcome Boneh and Durfee's bound and to factor the RSA modulus.
On Deterministic Polynomial-time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
Let N = pq be the product of two large primes. Consider Chinese remainder theorem-Rivest, Shamir, Adleman (CRT-RSA) with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorise N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all practical purposes, from a theoretical point of view this is not a deterministic polynomial time algorithm. In this paper, we present a lattice-based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorise N for certain ranges of dp, dq. We would like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task.
Defence Science Journal, 2012, 62(2), pp. 122-126, DOI: http://dx.doi.org/10.14429/dsj.62.171
New vulnerability of RSA modulus type N = p^2 q
This paper proposes new attacks on moduli of type N = p^2 q. Given k moduli of the form Ni = pi^2 qi for k ≥ 2 and i = 1, …, k, the attack works when the k public keys (Ni, ei) are such that there exist k relations of the shape ei x – Ni yi = zi – (a pi^2 + b qi^2) yi or of the shape ei xi – Ni y = zi – (a pi^2 + b qi^2) y, where the parameters x, xi, y, yi and zi are suitably small in terms of the prime factors of the moduli. The proposed attacks, utilizing the LLL algorithm, enable one to factor the k moduli Ni simultaneously.
- …