On the Security of Some Variants of RSA

The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA

Approximate Divisor Multiples -- Factoring with Only a Third of the Secret CRT-Exponents

We address Partial Key Exposure attacks on CRT-RSA on secret exponents $d_p, d_q$ with small public exponent $e$. For constant $e$ it is known that the knowledge of half of the bits of one of $d_p, d_q$ suffices to factor the RSA modulus $N$ by Coppersmith\u27s famous {\em factoring with a hint} result. We extend this setting to non-constant $e$. Somewhat surprisingly, our attack shows that RSA with $e$ of size $N^{\frac 1 {12}}$ is most vulnerable to Partial Key Exposure, since in this case only a third of the bits of both $d_p, d_q$ suffices to factor $N$ in polynomial time, knowing either most significant bits (MSB) or least significant bits (LSB). Let $ed_p = 1 + k(p-1)$ and $ed_q = 1 + \ell(q-1)$. On the technical side, we find the factorization of $N$ in a novel two-step approach. In a first step we recover $k$ and $\ell$ in polynomial time, in the MSB case completely elementary and in the LSB case using Coppersmith\u27s lattice-based method. We then obtain the prime factorization of $N$ by computing the root of a univariate polynomial modulo $kp$ for our known $k$. This can be seen as an extension of Howgrave-Graham\u27s {\em approximate divisor} algorithm to the case of {\em approximate divisor multiples} for some known multiple $k$ of an unknown divisor $p$ of $N$. The point of {\em approximate divisor multiples} is that the unknown that is recoverable in polynomial time grows linearly with the size of the multiple $k$. Our resulting Partial Key Exposure attack with known MSBs is completely rigorous, whereas in the LSB case we rely on a standard Coppersmith-type heuristic. We experimentally verify our heuristic, thereby showing that in practice we reach our asymptotic bounds already using small lattice dimensions. Thus, our attack is highly efficient

Partial Key Exposure Attack on Short Secret Exponent CRT-RSA

Let $(N,e)$ be an RSA public key, where $N=pq$ is the product of equal bitsize primes $p,q$. Let $d_p, d_q$ be the corresponding secret CRT-RSA exponents. Using a Coppersmith-type attack, Takayasu, Lu and Peng (TLP) recently showed that one obtains the factorization of $N$ in polynomial time, provided that $d_p, d_q \leq N^{0.122}$. Building on the TLP attack, we show the first Partial Key Exposure attack on short secret exponent CRT-RSA. Namely, let $N^{0.122} \leq d_p, d_q \leq N^{0.5}$. Then we show that a constant known fraction of the least significant bits (LSBs) of both $d_p, d_q$ suffices to factor $N$ in polynomial time. Naturally, the larger $d_p,d_q$, the more LSBs are required. E.g. if $d_p, d_q$ are of size $N^{0.13}$, then we have to know roughly a $\frac 1 5$-fraction of their LSBs, whereas for $d_p, d_q$ of size $N^{0.2}$ we require already knowledge of a $\frac 2 3$-LSB fraction. Eventually, if $d_p, d_q$ are of full size $N^{0.5}$, we have to know all of their bits. Notice that as a side-product of our result we obtain a heuristic deterministic polynomial time factorization algorithm on input $(N,e,d_p,d_q)$

One Truth Prevails: A Deep-learning Based Single-Trace Power Analysis on RSA–CRT with Windowed Exponentiation

In this paper, a deep-learning based power/EM analysis attack on the state-of-the-art RSA–CRT software implementation is proposed. Our method is applied to a side-channel-aware implementation with the Gnu Multi-Precision (MP) Library, which is a typical open-source software library. Gnu MP employs a fixed-window exponentiation, which is the fastest in a constant time, and loads the entire precomputation table once to avoid side-channel leaks from multiplicands. To conduct an accurate estimation of secret exponents, our method focuses on the process of loading the entire precomputation table, which we call a dummy load scheme. It is particularly noteworthy that the dummy load scheme is implemented as a countermeasure against a simple power/EM analysis (SPA/SEMA). This type of vulnerability from a dummy load scheme also exists in other cryptographic libraries. We also propose a partial key exposure attack suitable for the distribution of errors inthe secret exponents recovered from the windowed exponentiation. We experimentally show that the proposed method consisting of the above power/EM analysis attack, as well as a partial key exposure attack, can be used to fully recover the secret key of the RSA–CRT from the side-channel information of a single decryption or a signature process

Small CRT-Exponent RSA Revisited

Since May (Crypto\u2702) revealed the vulnerability of the small CRT-exponent RSA using Coppersmith\u27s lattice-based method, several papers have studied the problem and two major improvements have been made. (1) Bleichenbacher and May (PKC\u2706) proposed an attack for small $d_q$ when the prime factor $p$ is significantly smaller than the other prime factor $q$; the attack works for $p<N^{0.468}$. (2) Jochemsz and May (Crypto\u2707) proposed an attack for small $d_p$ and $d_q$ when the prime factors $p$ and $q$ are balanced; the attack works for $d_p, d_q<N^{0.073}$. Even a decade has passed since their proposals, the above two attacks are still considered as the state-of-the-art, and no improvements have been made thus far. A novel technique seems to be required for further improvements since it seems that the attacks have been studied with all the applicable techniques for Coppersmith\u27s methods proposed by Durfee-Nguyen (Asiacrypt\u2700), Jochemsz-May (Asiacrypt\u2706), and Herrmann-May (Asiacrypt\u2709, PKC\u2710). In this paper, we propose two improved attacks on the small CRT-exponent RSA: a small $d_q$ attack for $p<N^{0.5}$ (an improvement of Bleichenbacher-May\u27s) and a small $d_p$ and $d_q$ attack for $d_p, d_q < N^{0.122}$ (an improvement of Jochemsz-May\u27s). The latter result is also an improvement of our result in the proceeding version (Eurocrypt \u2717); $d_p, d_q < N^{0.091}$. We use Coppersmith\u27s lattice-based method to solve modular equations and obtain the improvements from a novel lattice construction by exploiting useful algebraic structures of the CRT-RSA key generation equation. We explicitly show proofs of our attacks and verify the validities by computer experiments. In addition to the two main attacks, we also propose small $d_q$ attacks on several variants of RSA

Partial Key Exposure Attack on Common Prime RSA

In this paper, we focus on the common prime RSA variant and introduces a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes $p$ and $q$ defined as $p=2ga+1$ and $q=2gb+1$ for a large prime $g$. Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA

Solving Linear Equations Modulo Unknown Divisors: Revisited

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt\u2708) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS\u2712). Their algorithms have many important applications in cryptanalysis, such as factoring with known bits problem, fault attacks on RSA signatures, analysis of approximate GCD problem, etc. In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically, \begin{itemize} \item We improve May\u27s results (PKC\u2704) on small secret exponent attack on RSA variant with moduli $N = p^rq$ ($r\geq 2$). \item We experimentally improve Boneh et al.\u27s algorithm (Crypto\u2798) on factoring $N=p^rq$ ($r\geq 2$) with known bits problem. \item We significantly improve Jochemsz-May\u27 attack (Asiacrypt\u2706) on Common Prime RSA. \item We extend Nitaj\u27s result (Africacrypt\u2712) on weak encryption exponents of RSA and CRT-RSA. \end{itemize

Partial key exposure attacks on multi-power RSA

Tezin basılısı İstanbul Şehir Üniversitesi Kütüphanesi'ndedir.In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = prq, where r ≥ 2. Building on Coppersmith’s method of finding small roots of polynomials, Boneh and Durfee show a very crucial result (a small private exponent attack) for standard RSA. According to this study, N = pq can be factored in polynomial time in log N when d < N 0.292 . In 2014, Sarkar improve the existing small private exponent attacks on multi-power RSA for r ≤ 5. He shows that one can factor N in polynomial time in log N if d < N 0.395 for r = 2 . Extending the ideas in Sarkar’s work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of least significant bits (LSBs) of the private exponent d is required to realize this attack. Our result is a generalization of Sarkar’s result, and his result can be seen as a corollary of our result. Our attack has the following properties: the required known part of LSBs becomes smaller in the size of the public exponent e and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we demonstrate several computer algebra experiments. In the experiments, we use the LLL algorithm and Gröbner basis computation. We achieve to obtain better experimental results than our theoretical result indicates for some cases.Declaration of Authorship ii Abstract iii Öz iv Acknowledgments v List of Figures viii List of Tables ix Abbreviations x 1 Introduction 1 1.1 A Short History of the Partial Key Exposure Attacks . . . . . . . . . . . . 4 1.2 Overview of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 The RSA Cryptosystem 8 2.1 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2 RSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3 Multi-power RSA (Takagi’s Variant) . . . . . . . . . . . . . . . . . . . . . 10 2.4 Cryptanalysis of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.4.1 Factoring N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2 Implementation Attacks . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2.1 Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . 12 2.4.2.2 Bleichenbacher’s Attack . . . . . . . . . . . . . . . . . . . 13 2.4.3 Message Recovery Attacks . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.1 Håstad’s Attack . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.2 Franklin-Reiter Attack . . . . . . . . . . . . . . . . . . . . 15 2.4.3.3 Coppersmith’s Short Pad Attack . . . . . . . . . . . . . . 15 2.4.4 Attacks Using Extra Knowledge on RSA Parameters . . . . . . . . 15 2.4.4.1 Wiener’s Attack . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.4.2 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . 17 3 Preliminaries 18 3.1 Lattice Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Finding Small Roots of Polynomials . . . . . . . . . . . . . . . . . . . . . 20 3.2.1 Finding Small Modular Roots . . . . . . . . . . . . . . . . . . . . . 21 3.2.2 Complexity of the Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.2.1 Polynomial Reduction . . . . . . . . . . . . . . . . . . . . 25 3.2.2.2 Root Extraction . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.3 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4 Partial Key Exposure Attacks on Multi-Power RSA 28 4.1 Known Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.1.1 Attacks when ed ≡ 1 mod ( p−1)( q−1) . . . . . . . . . . . . . . . 29 4.1.2 Attacks when ed ≡ 1 mod ( pr −pr−1)( q−1) . . . . . . . . . . . . . 29 4.2 A New Attack with Known LSBs . . . . . . . . . . . . . . . . . . . . . . . 31 4.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 Conclusion and Discussions 39 Bibliograph

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent $d$ and factoring an RSA modulus $N$, have been proposed such as Blömer and May (Crypto\u2703), Ernst et al. (Eurocrypt\u2705), and Aono (PKC\u2709). Due to Boneh and Durfee\u27s small secret exponent attack, partial key exposure attacks should always work for $d<N^{0.292}$ even without any partial information. However, it was difficult task to make use of the given partial information without losing the quality of Boneh-Durfee\u27s attack. In particular, known partial key exposure attacks fail to work for $d<N^{0.292}$ with only few partial information. Such unnatural situation stems from the fact that the additional information makes underlying modular equations involved. In this paper, we propose improved attacks when a secret exponents $d$ is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for $d<N^{0.5625}$ and $d<N^{0.368}$ with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh-Durfee bound, i.e., they always work for $d<N^{0.292}$. At a high level, we obtain the improved attacks by fully utilizing unravelled linearization technique proposed by Herrmann and May (Asiacrypt\u2709). Although Herrmann and May (PKC\u2710) already applied the technique to Boneh-Durfee\u27s attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of underlying modular polynomials. We embed the given MSBs/LSBs to the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques

An efficient variant of the RSA cryptosystem

We describe an efficient combination of two variants of RSA cryptosystem (MPrime and Rebalanced RSA) analysed by Boneh and Schacham. The decryption process resultant is (for 2048-bits moduli) about 8 times faster than that presented by Quisquater and Couvreur and about 27 times faster than original cryptosystem