
    New attacks on RSA with Moduli N = p^r q

    We present three attacks on the Prime Power RSA with modulus $N = p^r q$. In the first attack, we consider a public exponent $e$ satisfying an equation $ex - \phi(N)y = z$ where $\phi(N) = p^{r-1}(p-1)(q-1)$. We show that one can factor $N$ if the parameters $|x|$ and $|z|$ satisfy $|xz| < N^{r(r-1)/(r+1)^2}$, thereby extending the recent results of Sarkar [16]. In the second attack, we consider two public exponents $e_1$ and $e_2$ and their corresponding private exponents $d_1$ and $d_2$. We show that one can factor $N$ when $d_1$ and $d_2$ share a suitable amount of their most significant bits, that is, $|d_1 - d_2| < N^{r(r-1)/(r+1)^2}$. The third attack enables us to factor two Prime Power RSA moduli $N_1 = p_1^r q_1$ and $N_2 = p_2^r q_2$ when $p_1$ and $p_2$ share a suitable amount of their most significant bits, namely $|p_1 - p_2| < p_1/(2 r q_1 q_2)$.

    Exponential Increment of RSA Attack Range via Lattice Based Cryptanalysis

    The RSA cryptosystem comprises two important features that are needed for the encryption process, known as the public parameter $e$ and the modulus $N$. In 1999, a cryptanalysis of RSA described by Boneh and Durfee focused on the key equation $ed - k\phi(N) = 1$ with $e$ of the same magnitude as $N$. Their method was applicable for the case $d < N^{0.292}$ via Coppersmith's technique. In 2012, Kumar et al. presented an improved Boneh-Durfee attack using the same equation which is valid for any $e$ of arbitrary size. In this paper, we present an exponential increment of the two former attacks using the variant equation $ea - \phi(N)b = c$. The new attack breaks the RSA system when $a$ and $|c|$ are suitably small integers. Moreover, the new attack shows that the Boneh-Durfee attack and the attack of Kumar et al. can be derived using a single attack. We also show that our bound manages to improve the bounds of Ariffin et al. and Bunder and Tonien.

    A Unified Framework for Small Secret Exponent Attack on RSA

    We address a lattice-based method for the small secret exponent attack on the RSA scheme. Boneh and Durfee reduced the attack to finding small roots of a bivariate modular equation: $x(N+1+y) + 1 \equiv 0 \pmod{e}$, where $N$ is an RSA modulus and $e$ is the RSA public key. Boneh and Durfee proposed a lattice-based algorithm for solving the problem. When the secret exponent $d$ is less than $N^{0.292}$, their method breaks the RSA scheme. Since the lattice used in the analysis is not full-rank, the analysis is not easy. Blömer and May gave an alternative algorithm. Although their bound $d \leq N^{0.290}$ is worse than the Boneh--Durfee result, their method used a full-rank lattice. However, the proof for their bound is still complicated. Herrmann and May gave an elementary proof for the Boneh--Durfee bound $d \leq N^{0.292}$. In this paper, we first give an elementary proof for achieving the bound of Blömer--May, $d \leq N^{0.290}$. Our proof employs the unravelled linearization technique introduced by Herrmann and May and is rather simpler than the Blömer--May proof. Then, we provide a unified framework to construct the lattices that are used for solving the problem, which includes the two previous methods, Herrmann--May and Blömer--May, as special cases. Furthermore, we prove that the Boneh--Durfee bound $d \leq N^{0.292}$ is still optimal in our unified framework.

    Practical Attacks on Small Private Exponent RSA: New Records and New Insights

    As a typical representative of public key cryptosystems, RSA has attracted a great deal of cryptanalysis since its invention, among which a famous attack is the small private exponent attack. It is well known that the best theoretical upper bound for the private exponent $d$ that can be attacked is $d \leq N^{0.292}$, where $N$ is an RSA modulus. However, this bound may not be achieved in practical attacks, since the lattice constructed by Coppersmith's method may have a dimension so large that lattice-based reduction algorithms cannot work well in both efficiency and quality. In this paper, we propose a new practical attack based on a binary search for the most significant bits (MSBs) of the prime divisors of $N$ combined with Herrmann and May's attack of 2010. The idea of binary search is inspired by the discovery of phenomena called "multivalued-continuous phenomena", which can significantly accelerate our attack. Together with several carefully selected parameters according to our exact and effective numerical estimations, we improve the upper bound of $d$ that can be practically achieved. We believe our method can provide some inspiration for practical attacks on RSA with mainstream-size moduli.

    A cryptanalytic attack on the LUC cryptosystem using continued fractions

    The LUC cryptosystem is a modification of the RSA cryptosystem based on Lucas sequences. In this paper we extend the Verheul-van Tilborg and Dujella variants of the Wiener attack on RSA to the LUC cryptosystem. We describe an algorithm for finding a secret key $d$ of the form $d = r q_{m+1} \pm s q_m$, for some $m \geq -1$ and nonnegative integers $r$ and $s$, using continued fractions. We derive bounds for $r$ and $s$ using results on Diophantine approximations.

    A new attack on RSA with a composed decryption exponent

    In this paper, we consider an RSA modulus $N = pq$, where the prime factors $p$, $q$ are of the same size. We present an attack on RSA when the decryption exponent $d$ is of the form $d = M d_1 + d_0$, where $M$ is a given positive integer and $d_1$ and $d_0$ are two suitably small unknown integers. In 1999, Boneh and Durfee presented an attack on RSA when $d < N^{0.292}$. When $d = M d_1 + d_0$, our attack enables one to overcome Boneh and Durfee's bound and to factor the RSA modulus.

    On Deterministic Polynomial-time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

    Let $N = pq$ be the product of two large primes. Consider CRT-RSA (Chinese remainder theorem Rivest-Shamir-Adleman) with the public encryption exponent $e$ and private decryption exponents $d_p$, $d_q$. It is well known that given any one of $d_p$ or $d_q$ (or both) one can factorise $N$ in probabilistic $\mathrm{poly}(\log N)$ time with success probability almost equal to 1. Though this serves all practical purposes, from a theoretical point of view this is not a deterministic polynomial-time algorithm. In this paper, we present a lattice-based deterministic $\mathrm{poly}(\log N)$ time algorithm that uses both $d_p$ and $d_q$ (in addition to the public information $e$, $N$) to factorise $N$ for certain ranges of $d_p$, $d_q$. We would like to stress that proving the equivalence for all values of $d_p$, $d_q$ may be a nontrivial task.
    Defence Science Journal, 2012, 62(2), pp. 122-126, DOI: http://dx.doi.org/10.14429/dsj.62.171

    New vulnerability of RSA modulus type N = p^2 q

    This paper proposes new attacks on moduli of type $N = p^2 q$. Given $k$ moduli of the form $N_i = p_i^2 q_i$ for $k \geq 2$ and $i = 1, \ldots, k$, the attack works when the $k$ public keys $(N_i, e_i)$ are such that there exist $k$ relations of the shape $e_i x - N_i y_i = z_i - (a p_i^2 + b q_i^2) y_i$ or of the shape $e_i x_i - N_i y = z_i - (a p_i^2 + b q_i^2) y$, where the parameters $x$, $x_i$, $y$, $y_i$ and $z_i$ are suitably small in terms of the prime factors of the moduli. The proposed attacks, which utilize the LLL algorithm, enable one to factor the $k$ moduli $N_i$ simultaneously.